docs: Update planning and lessons learned documentation

.gitignore

@@ -1,6 +1,2 @@
-# ---> Ansible
-*.retry
-private
-.vscode
-.ansible
-.git
+
+secrets/

FIREWALL.md

@@ -0,0 +1,9 @@
+# Firewall Configuration
+
+Based on the deployment plan, the following ports need to be opened on the firewall for the host **Scully**:
+
+*   `80/tcp`: For HTTP traffic, primarily used by Let's Encrypt for certificate validation.
+*   `443/tcp`: For HTTPS traffic to access all web services.
+*   `51820/udp`: For the WireGuard VPN tunnel.
+
+No ports need to be opened on the firewall for the host **Mulder**, as Gitea will be accessed through the reverse proxy on Scully.

LESSONS_LEARNED.md

@@ -0,0 +1,12 @@
+# Lessons Learned
+
+*   The `network` role in this repository is a powerful tool that sets up a complete network stack, including Nginx Proxy Manager for reverse proxying and `wireguard-easy` for a WireGuard web UI.
+*   The `gitea` and `postgres` roles use Docker Compose to deploy their respective services.
+*   Properly managing variables, especially secrets like passwords and API keys, is crucial. Using `group_vars` and a `.gitignore`d `secrets` directory is a good practice.
+*   It's important to have a clear plan and get user feedback before making any changes. The "planning mode" and "acting mode" paradigm is a good way to structure the workflow.
+*   The `docker` role proved problematic on Ubuntu 24.04 (`noble`) due to repository issues.
+*   Podman is a viable and simpler alternative to Docker for container management.
+*   Ansible modules designed for Docker (e.g., `community.docker.docker_compose_v2`, `docker_container`) are not directly compatible with Podman.
+*   `podman-compose` can be used with `ansible.builtin.shell` for managing `docker-compose.yml` files with Podman.
+*   `containers.podman.podman_container` is the direct replacement for `docker_container` for managing individual Podman containers.
+*   Ansible Vault is crucial for securely managing sensitive data like passwords in version control.

PLAN.md

@@ -0,0 +1,37 @@
+# Deployment Plan for Home Cloud
+
+## 1. Goal
+
+The goal is to set up a personal cloud environment on your two hosts, Mulder and Scully. This involves deploying Gitea (a self-hosted Git service) on Mulder, and Keycloak (an identity and access management solution) on Scully. All services should be accessible via HTTPS with Let's Encrypt certificates and subdomain-based routing. We will also set up a WireGuard VPN with a web interface for secure access to your network.
+
+## 2. Phased Deployment Plan
+
+### Phase 1: Network Infrastructure on Scully (Current Focus)
+
+*   **Goal:** Deploy the `common` and `network` roles on Scully. The `network` role will set up Nginx Proxy Manager (for HTTPS and subdomain routing) and WireGuard Easy (for VPN with web UI).
+*   **Host and Role Assignments:**
+    *   **Scully:** `common`, `network`
+*   **Configuration Files:**
+    *   `inventory/hosts.yml`: Defines Mulder and Scully, their connection details, and role-specific variables.
+    *   `playbooks/main.yml`: Modified to execute the `common` and `network` roles on Scully.
+    *   `group_vars/all.yml`: Contains common variables like the domain name and service credentials.
+*   **Execution Plan:**
+    1.  Perform a dry run of the playbook to deploy the `common` and `network` roles on Scully.
+    2.  If the dry run is successful, execute the playbook to apply the changes.
+
+### Phase 2: Gitea and Keycloak Deployment (Future)
+
+*   **Goal:** Deploy Gitea on Mulder and Keycloak on Scully, along with their respective PostgreSQL databases.
+*   **Host and Role Assignments:**
+    *   **Mulder:** `common`, `postgres`, `gitea`
+    *   **Scully:** `common`, `postgres`, `keycloak` (in addition to `network`)
+*   **Dependencies:** This phase depends on the successful completion of Phase 1 and the availability of the domain name.
+*   **Next Steps:** Once Phase 1 is complete, we will update the `playbooks/main.yml` and `group_vars/all.yml` to include the `postgres`, `gitea`, and `keycloak` roles.
+
+## 3. What We Still Need
+
+*   **Your Domain Name:** Please provide the domain name you want to use for your personal cloud (e.g., `my-cloud.com`). This is the last piece of information needed to proceed with the dry run for Phase 1.
+
+## 4. Dry-Run
+
+Before executing any changes, a dry run will be performed using the `--check` flag.

REQUIREMENTS.md

@@ -0,0 +1,13 @@
+# Project Requirements
+
+*   Deploy Ansible scripts to two hosts: Mulder and Scully.
+*   Use a Git repository for version control of the Ansible playbooks.
+*   Manage SSH keys securely within the project.
+*   Deploy Gitea on Mulder.
+*   Deploy Keycloak on Scully.
+*   Apply a `common` set of configurations to both hosts.
+*   Set up a reverse proxy with Nginx on Scully.
+*   Secure all web services with HTTPS and Let's Encrypt certificates.
+*   Access services via subdomains (e.g., `gitea.my-url.com`, `keycloak.my-url.com`).
+*   Provide a web interface for managing WireGuard.
+*   The user wants to be involved in the planning process and approve all changes before they are applied.

group_vars/all.yml

@@ -0,0 +1,63 @@
+$ANSIBLE_VAULT;1.1;AES256
+36623161633664656166313034646133383431623938626533653633376333363436306639373463
+6635386137333334613737666163306565333833396133310a646662623264653561393363313237
+39646230626535313963396261356334313931633863666536373332343266353637343338386361
+3732373830666530330a663065363565363536616164393765326663326361373930626330623264
+66383832346561376263323533343434633761393439333363316163316463316361396133663237
+33393038346366653935393766353963353730393762313764663830383635666532386363343133
+38333134363837386565366537636536393731316637346464613234333932386238343266613761
+32353666636135343865613364613632333933653364656330306131653363636132323034623565
+30323764373030316539316331363331636139366339663731333063643864323665346161383937
+32383439363239616165643632303635323964323435353666343332333034663430303437353264
+39366234363865333439656562343631383933636437303932396662363564343636326163323433
+63373036343365633137363137613534313335633337633135346339366137653866356538383835
+61346637643463343365633636663261663033336133613562366439633231313862323662623033
+31616365613034393762383162623361336339313035363831613765336432336233393565646233
+37653863636465626532616232326234326437643662393738326135626438663937623862326261
+65613834646663666134353833316234636530366664613536353339316466356665313164323139
+32663137323530366536623437376434383130353238356335626139383066313464623764326437
+64636666346563303963393737393339313034383239663431613036303934353330373838343036
+64353863333032343034386564373333666231303430383338363639666637623833373663333530
+34623534386361626361633866386132316466653338326237323964333037636234393135396139
+34353030383536383464303030373737396130313666363533363638633433383565613037393362
+65616161386230646234336365356333626463363530326435366464353532323132656437343861
+32623264613733643834646665333638663932386163623265643665633230326164363462636138
+65343364316133646432316566313165353834646263613036633935626336633434336639343661
+36623337346530366263626264653332356436386235633232353030323865313265303461643261
+32343333306164653437333037343635383937643638353536383735356365653761323433363064
+61663537626239303935313033643864353434636332666563346164333032333364316335623933
+62643165366330326636336164393431316538323039383463313031626363346362346633616534
+34343131326230633634363363316464633064626464373665316165646534303634343538393238
+62313262313835303063336237303462626530323961343732303934663837653539616632396537
+62346561623035363963363330663339386262353536383163663431653132643866336631356264
+34636133346364613962383061376636653030626264333539336234326238316131303030303061
+66336233626231363635653332366562306661303231323538313165303333663232616564613461
+64366466383634633039353936353335333738343136616534306161316631613235643062366434
+36356536313966356632303062353332653939356163396433353430303661353634333732323037
+64643434303534316333313764653461376631666530346262373736323637616532313664303863
+38383136636564346632656563646135303438373462626533336464643231353639336161643162
+61306665316333633133323238636530663664653534636262646230626637386561326163653739
+32303834616435313961373764373730393161626530666233373037633433396436663039346334
+35663030316263306537386130313863323636643861663263623639366639353431323738646537
+39363666663030373561666331333165336331653033363831383434653365633262666130303233
+35306564323761356331373231343439323061376466363130616232316438383162343536353064
+31643732363634616337633734386463633736323738303565313233383666363739326230633431
+38396634663834353536313532393461613337663461343866333266613464623735346333313061
+62383735623632353365303365396266653631333232643634356634363535323631376139383366
+36333534633736343830396461393634303537356565313335646338333762326430663937636435
+66663934333437653832626365646539666136616138323832353539316161656133333132633332
+62633466653066376135613962346431303261303361353034393832386632626662333536626363
+38353234323865653264326262653561323635383162643562646333663765326561643330666630
+37333265313963616137303734356461613762343031383436343365373930316666336432613561
+66316234343634613633366666373232313832323862613961306434346166383130353063373937
+61626432353534653561663162663166313564626630356465653637663531303662366334353862
+64306536356165616132353639383932336564656266623261643763306239623933643131636632
+39636261396638313966393438643431393163646131303538386463386265333065303765616461
+34666362386361346534366163323439333464313837356331306561656639653036303965373664
+66653334613566393238623034376531393433366466646134346134613434623837623133656561
+33353837376432396335363737373365393662633464373763376438313564386464333731383233
+34316361396639613237666136313831626637646430303930653361393237353166366262343432
+39653032303135383532646330343331626261313736346532633434376233613031303931356237
+35306565383133653330356633336631386334396262656630663833386561353365353733656334
+36373331316564363537373135643836366232343031383432633739393363616137663236616262
+3235326535633839613263303665323230316433353839396465

inventory/hosts.yml

@@ -1,16 +1,10 @@
 all:
-  children:
-    oracle-cloud-instances:
-      hosts:
-        sublimePorte:
-          ansible_host: 130.162.231.152
-          ansible_user: ubuntu
-          ansible_ssh_private_key_file: ~/.ssh/ora-cloud/sublime-key.key
-        webservices:
-          ansible_host: 79.76.127.110
-          ansible_user: ubuntu
-          ansible_ssh_private_key_file: ~/.ssh/ora-cloud/sublime-key.key
-        yunohost:
-          ansible_host: 141.147.24.166
-          ansible_user: ubuntu
-          ansible_ssh_private_key_file: ~/.ssh/ora-cloud/sublime-key.key
+  hosts:
+    Mulder:
+      ansible_host: 130.162.234.190
+      ansible_user: ubuntu
+      ansible_ssh_private_key_file: "{{ inventory_dir }}/../secrets/sublime-key.key"
+    Scully:
+      ansible_host: 92.5.121.208
+      ansible_user: ubuntu
+      ansible_ssh_private_key_file: "{{ inventory_dir }}/../secrets/sublime-key.key"

playbooks/main.yml

@@ -1,21 +1,6 @@
-- name: Set up reverse Proxy
-  hosts: sublimePorte
+- name: Set up network on Scully
+  hosts: Scully
   become: true
   roles:
-    # - common
-    # - zsh_with_style
-    # - docker
-    # - portainer
-    #- network
-    # - containers
-- name: Set up webservices
-  hosts: webservices
-  become: true
-  roles:
-    - gitea
-    # - authentik
-    # - common
-    # - zsh_with_style
-    # - docker
-    # - portainer
-    # - containers
+    - common
+    - network

playbooks/roles/common/defaults/main.yml

@@ -2,7 +2,6 @@
 common_packages:
   - git
   - nano
-  - tree
   - htop
   - iputils-ping
   - zsh

playbooks/roles/docker/tasks/main.yml

@@ -1,57 +0,0 @@
----
-- name: Ensure all previously installed docker packages are uninstalled
-  apt:
-    name:
-      - docker.io
-      - docker-compose
-      - docker-compose-v2
-      - docker-doc
-      - podman-docker
-    state: absent
-    purge: true
-
-- name: Install dependencies
-  apt:
-    name:
-      - ca-certificates
-      - curl
-    state: present
-
-- name: Download Docker repository key securely
-  become: true
-  get_url:
-    url: https://download.docker.com/linux/ubuntu/gpg
-    dest: /etc/apt/keyrings/docker.asc
-    mode: '0644'
-    force: true  # Ensures updates if the key changes
-
-- name: Add Docker repository
-  become: true
-  apt_repository:
-    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
-    state: present
-    update_cache: true
-
-- name: Install Docker and related components
-  become: true
-  apt:
-    name:
-      - docker-ce
-      - docker-ce-cli
-      - containerd.io
-      - docker-buildx-plugin
-      - docker-compose-plugin
-    state: present
-
-- name: Add user to the docker group
-  user:
-    name: "{{ ansible_user }}"
-    groups: docker
-    append: true
-  when: ansible_user != "root"
-
-- name: Start and enable Docker service
-  service:
-    name: docker
-    state: started
-    enabled: true

playbooks/roles/gitea/tasks/main.yml

@@ -14,20 +14,20 @@
     mode: '0644'
   become: true
 
-- name: Deploy Gitea container using Docker Compose V2
-  community.docker.docker_compose_v2:
-    project_src: "{{ gitea_data_path }}"
-    state: present
+- name: Deploy Gitea container using Podman Compose
+  ansible.builtin.shell:
+    cmd: podman-compose -f {{ gitea_data_path }}/docker-compose.yml up -d
+    chdir: "{{ gitea_data_path }}"
   become: true
 
 - name: Ensure Gitea container is running
-  community.docker.docker_container_info:
-    name: "{{ gitea_container_name }}"
-  register: container_info
+  ansible.builtin.shell:
+    cmd: "podman ps -a --filter name={{ gitea_container_name }} --format '{{.Status}}'"
+  register: gitea_container_status
+  changed_when: false
 
 - name: Restart Gitea container if not running
-  community.docker.docker_container:
-    name: "{{ gitea_container_name }}"
-    state: started
-    restart: true
-  when: not container_info.container.State.Running
+  ansible.builtin.shell:
+    cmd: "podman restart {{ gitea_container_name }}"
+  when: "'Exited' in gitea_container_status.stdout"
+  become: true

playbooks/roles/network/tasks/main.yml

@@ -77,13 +77,17 @@
   become: true
 
 - name: Deploy Containers
-  community.docker.docker_compose_v2:
-    project_src: /opt/network
-    state: present
-    restart: true
+  ansible.builtin.shell:
+    cmd: podman-compose -f /opt/network/docker-compose.yml up -d
+    chdir: /opt/network
   become: true
 
 - name: Ensure Nginx container is running
-  community.docker.docker_container_info:
-    name: "{{ nginx_proxy_manager_container_name }}"
-  register: nginx_container_info
+  ansible.builtin.shell:
+    cmd: "podman ps -a --filter name={{ nginx_proxy_manager_container_name }} --format '{{.Status}}'"
+  register: nginx_container_status
+  changed_when: false
+
+- name: Display Nginx container status
+  debug:
+    var: nginx_container_status.stdout

playbooks/roles/podman/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: Install Podman
+  ansible.builtin.apt:
+    name: podman
+    state: present
+
+- name: Install python3-pip
+  ansible.builtin.apt:
+    name: python3-pip
+    state: present
+
+- name: Install podman-compose
+  ansible.builtin.pip:
+    name: podman-compose
+    state: present
+
+- name: Install podman-docker (optional, for docker command alias)
+  ansible.builtin.apt:
+    name: podman-docker
+    state: present
+
+- name: Install containers.podman collection
+  ansible.builtin.command: ansible-galaxy collection install containers.podman
+  args:
+    creates: ~/.ansible/collections/ansible_collections/containers/podman

playbooks/roles/postgres/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
-- name: Run PostgreSQL Docker container
-  docker_container:
+- name: Run PostgreSQL Podman container
+  containers.podman.podman_container:
     name: "{{ postgres_container_name }}"
     image: postgres
     state: started