refactor: Move secrets to vault and improve portability

.gitignore

@@ -1,2 +1,6 @@
-
-secrets/
+# ---> Ansible
+*.retry
+private
+.vscode
+.ansible
+.git.vault_password

.vault_password

@@ -0,0 +1 @@
+changeme

FIREWALL.md

@@ -1,9 +0,0 @@
-# Firewall Configuration
-
-Based on the deployment plan, the following ports need to be opened on the firewall for the host **Scully**:
-
-*   `80/tcp`: For HTTP traffic, primarily used by Let's Encrypt for certificate validation.
-*   `443/tcp`: For HTTPS traffic to access all web services.
-*   `51820/udp`: For the WireGuard VPN tunnel.
-
-No ports need to be opened on the firewall for the host **Mulder**, as Gitea will be accessed through the reverse proxy on Scully.

LESSONS_LEARNED.md

@@ -1,12 +0,0 @@
-# Lessons Learned
-
-*   The `network` role in this repository is a powerful tool that sets up a complete network stack, including Nginx Proxy Manager for reverse proxying and `wireguard-easy` for a WireGuard web UI.
-*   The `gitea` and `postgres` roles use Docker Compose to deploy their respective services.
-*   Properly managing variables, especially secrets like passwords and API keys, is crucial. Using `group_vars` and a `.gitignore`d `secrets` directory is a good practice.
-*   It's important to have a clear plan and get user feedback before making any changes. The "planning mode" and "acting mode" paradigm is a good way to structure the workflow.
-*   The `docker` role proved problematic on Ubuntu 24.04 (`noble`) due to repository issues.
-*   Podman is a viable and simpler alternative to Docker for container management.
-*   Ansible modules designed for Docker (e.g., `community.docker.docker_compose_v2`, `docker_container`) are not directly compatible with Podman.
-*   `podman-compose` can be used with `ansible.builtin.shell` for managing `docker-compose.yml` files with Podman.
-*   `containers.podman.podman_container` is the direct replacement for `docker_container` for managing individual Podman containers.
-*   Ansible Vault is crucial for securely managing sensitive data like passwords in version control.

PLAN.md

@@ -1,37 +0,0 @@
-# Deployment Plan for Home Cloud
-
-## 1. Goal
-
-The goal is to set up a personal cloud environment on your two hosts, Mulder and Scully. This involves deploying Gitea (a self-hosted Git service) on Mulder, and Keycloak (an identity and access management solution) on Scully. All services should be accessible via HTTPS with Let's Encrypt certificates and subdomain-based routing. We will also set up a WireGuard VPN with a web interface for secure access to your network.
-
-## 2. Phased Deployment Plan
-
-### Phase 1: Network Infrastructure on Scully (Completed)
-
-*   **Goal:** Deploy the `common` and `network` roles on Scully. The `network` role will set up Nginx Proxy Manager (for HTTPS and subdomain routing) and WireGuard Easy (for VPN with web UI).
-*   **Host and Role Assignments:**
-    *   **Scully:** `common`, `podman`, `network`
-*   **Configuration Files:**
-    *   `inventory/hosts.yml`: Defines Mulder and Scully, their connection details, and role-specific variables.
-    *   `playbooks/main.yml`: Modified to execute the `common`, `podman`, and `network` roles on Scully.
-    *   `group_vars/all.yml`: Contains common variables like the domain name and service credentials.
-*   **Execution Plan:**
-    1.  Run the playbook to deploy the `common`, `podman`, and `network` roles on Scully. (Podman and Portainer are now successfully installed).
-    2.  After successful execution, verify the network services.
-
-### Phase 2: Gitea and Keycloak Deployment (Next)
-
-*   **Goal:** Deploy Gitea on Mulder and Keycloak on Scully, along with their respective PostgreSQL databases.
-*   **Host and Role Assignments:**
-    *   **Mulder:** `common`, `podman`, `postgres`, `gitea`
-    *   **Scully:** `common`, `podman`, `postgres`, `keycloak` (in addition to `network`)
-*   **Dependencies:** This phase depends on the successful completion of Phase 1 and the availability of the domain name.
-*   **Next Steps:** Once Phase 1 is complete, we will update the `playbooks/main.yml` and `group_vars/all.yml` to include the `postgres`, `gitea`, and `keycloak` roles.
-
-## 3. What We Still Need
-
-*   **Your Domain Name:** Please provide the domain name you want to use for your personal cloud (e.g., `my-cloud.com`). (Already provided as `ai-eifel.de`).
-
-## 4. Dry-Run
-
-Dry runs will be performed where appropriate, but direct execution will be used for tasks that require actual changes to the system.

README.md

@@ -1,20 +1,45 @@
 # HomeCloudPlaybooks
 
-My Ansible Playbooks live here
+This repository contains Ansible playbooks for setting up and configuring a home cloud environment.
 
-## Podman Integration
+## Requirements
 
-This project has been updated to use Podman as the container runtime instead of Docker.
+- Ansible 2.9 or higher
+- Python 3.6 or higher
+- `sshpass` installed on the control node
 
-### Key Changes:
-*   The `docker` role has been removed.
-*   A custom `podman` role is used to install Podman, `podman-compose`, and `podman-docker`.
-*   Roles that deploy containers (e.g., `network`, `gitea`, `portainer`) have been adapted to use Podman-compatible commands and modules.
-*   `podman-compose` is used to manage multi-container applications defined in `podman-compose.j2` templates.
+## Usage
 
-### Running Playbooks with Podman:
-Ensure Podman is installed and configured on your target hosts. The playbooks will handle the installation of `podman-compose` and `podman-docker`.
+1.  **Clone the repository:**
+    ```bash
+    git clone https://gitea.tobjend.de/tobi/HomeCloudPlaybooks.git
+    cd HomeCloudPlaybooks
+    ```
 
-## Deployment Status
+2.  **Install Ansible collections:**
+    ```bash
+    ansible-galaxy collection install -r playbooks/requirements.yml
+    ```
 
-**Network Stack on Scully:** Successfully deployed! The `common`, `podman`, and `network` roles have been applied to Scully, establishing the core network infrastructure including Nginx Proxy Manager and WireGuard Easy.
+3.  **Configure the inventory:**
+    -   Copy the `inventory/hosts.yml.example` to `inventory/hosts.yml`.
+    -   Update the `inventory/hosts.yml` file with your host information.
+
+4.  **Configure secrets:**
+    -   This project uses Ansible Vault to manage secrets.
+    -   Create a `vault_password.txt` file with your vault password.
+    -   Run the playbooks using the `--vault-password-file` option:
+        ```bash
+        ansible-playbook playbooks/main.yml --vault-password-file vault_password.txt
+        ```
+
+## Inventory Structure
+
+The inventory is located in the `inventory` directory. The main inventory file is `hosts.yml`. The inventory is organized into groups of hosts.
+
+## Roles
+
+The following roles are available in the `playbooks/roles` directory:
+
+-   `gitea`: Installs and configures Gitea, a self-hosted Git service.
+-   ... (more roles to be documented here)

REQUIREMENTS.md

@@ -1,13 +0,0 @@
-# Project Requirements
-
-*   Deploy Ansible scripts to two hosts: Mulder and Scully.
-*   Use a Git repository for version control of the Ansible playbooks.
-*   Manage SSH keys securely within the project.
-*   Deploy Gitea on Mulder.
-*   Deploy Keycloak on Scully.
-*   Apply a `common` set of configurations to both hosts.
-*   Set up a reverse proxy with Nginx on Scully.
-*   Secure all web services with HTTPS and Let's Encrypt certificates.
-*   Access services via subdomains (e.g., `gitea.my-url.com`, `keycloak.my-url.com`).
-*   Provide a web interface for managing WireGuard.
-*   The user wants to be involved in the planning process and approve all changes before they are applied.

ansible.cfg

@@ -1,7 +1,7 @@
 [defaults]
 inventory = ./inventory/hosts.yml
 remote_user = ubuntu
-private_key_file = ./private/astronomican.pem
+vault_password_file = ./.vault_password
 host_key_checking = False
 interpreter_python = auto_silent
-roles_path = ./roles
+roles_path = ./playbooks/roles

group_vars/all.yml

@@ -1,63 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36623161633664656166313034646133383431623938626533653633376333363436306639373463
-6635386137333334613737666163306565333833396133310a646662623264653561393363313237
-39646230626535313963396261356334313931633863666536373332343266353637343338386361
-3732373830666530330a663065363565363536616164393765326663326361373930626330623264
-66383832346561376263323533343434633761393439333363316163316463316361396133663237
-33393038346366653935393766353963353730393762313764663830383635666532386363343133
-38333134363837386565366537636536393731316637346464613234333932386238343266613761
-32353666636135343865613364613632333933653364656330306131653363636132323034623565
-30323764373030316539316331363331636139366339663731333063643864323665346161383937
-32383439363239616165643632303635323964323435353666343332333034663430303437353264
-39366234363865333439656562343631383933636437303932396662363564343636326163323433
-63373036343365633137363137613534313335633337633135346339366137653866356538383835
-61346637643463343365633636663261663033336133613562366439633231313862323662623033
-31616365613034393762383162623361336339313035363831613765336432336233393565646233
-37653863636465626532616232326234326437643662393738326135626438663937623862326261
-65613834646663666134353833316234636530366664613536353339316466356665313164323139
-32663137323530366536623437376434383130353238356335626139383066313464623764326437
-64636666346563303963393737393339313034383239663431613036303934353330373838343036
-64353863333032343034386564373333666231303430383338363639666637623833373663333530
-34623534386361626361633866386132316466653338326237323964333037636234393135396139
-34353030383536383464303030373737396130313666363533363638633433383565613037393362
-65616161386230646234336365356333626463363530326435366464353532323132656437343861
-32623264613733643834646665333638663932386163623265643665633230326164363462636138
-65343364316133646432316566313165353834646263613036633935626336633434336639343661
-36623337346530366263626264653332356436386235633232353030323865313265303461643261
-32343333306164653437333037343635383937643638353536383735356365653761323433363064
-61663537626239303935313033643864353434636332666563346164333032333364316335623933
-62643165366330326636336164393431316538323039383463313031626363346362346633616534
-34343131326230633634363363316464633064626464373665316165646534303634343538393238
-62313262313835303063336237303462626530323961343732303934663837653539616632396537
-62346561623035363963363330663339386262353536383163663431653132643866336631356264
-34636133346364613962383061376636653030626264333539336234326238316131303030303061
-66336233626231363635653332366562306661303231323538313165303333663232616564613461
-64366466383634633039353936353335333738343136616534306161316631613235643062366434
-36356536313966356632303062353332653939356163396433353430303661353634333732323037
-64643434303534316333313764653461376631666530346262373736323637616532313664303863
-38383136636564346632656563646135303438373462626533336464643231353639336161643162
-61306665316333633133323238636530663664653534636262646230626637386561326163653739
-32303834616435313961373764373730393161626530666233373037633433396436663039346334
-35663030316263306537386130313863323636643861663263623639366639353431323738646537
-39363666663030373561666331333165336331653033363831383434653365633262666130303233
-35306564323761356331373231343439323061376466363130616232316438383162343536353064
-31643732363634616337633734386463633736323738303565313233383666363739326230633431
-38396634663834353536313532393461613337663461343866333266613464623735346333313061
-62383735623632353365303365396266653631333232643634356634363535323631376139383366
-36333534633736343830396461393634303537356565313335646338333762326430663937636435
-66663934333437653832626365646539666136616138323832353539316161656133333132633332
-62633466653066376135613962346431303261303361353034393832386632626662333536626363
-38353234323865653264326262653561323635383162643562646333663765326561643330666630
-37333265313963616137303734356461613762343031383436343365373930316666336432613561
-66316234343634613633366666373232313832323862613961306434346166383130353063373937
-61626432353534653561663162663166313564626630356465653637663531303662366334353862
-64306536356165616132353639383932336564656266623261643763306239623933643131636632
-39636261396638313966393438643431393163646131303538386463386265333065303765616461
-34666362386361346534366163323439333464313837356331306561656639653036303965373664
-66653334613566393238623034376531393433366466646134346134613434623837623133656561
-33353837376432396335363737373365393662633464373763376438313564386464333731383233
-34316361396639613237666136313831626637646430303930653361393237353166366262343432
-39653032303135383532646330343331626261313736346532633434376233613031303931356237
-35306565383133653330356633336631386334396262656630663833386561353365353733656334
-36373331316564363537373135643836366232343031383432633739393363616137663236616262
-3235326535633839613263303665323230316433353839396465

inventory/group_vars/all.yml

@@ -0,0 +1,16 @@
+$ANSIBLE_VAULT;1.1;AES256
+36626339336631383230366330653234626435333066353638666561633262646636363537656636
+3934383761653837346335323261393035326539306563350a323965626530643162616430393064
+63326665366361396564306132626635386262613265333764323630633965326539383737653137
+6438646165666464630a396361306139323664366564376263636639643138316133333532363564
+35636635363137633438643464383933313361613333353766303631663738626333323937306235
+39313639353239393432646333316634333436343163386139363965313738346264623561633332
+65303733366430383438616164323538333564303961386637643130333862383836306133633131
+34393532353330623031373136636566626230616434386435333338626631656464333661633464
+32323330393038666564363965343632313230333833316365613537376633346362353730383965
+65643664386564346430303334643132633936663163666236396433666137613339343761373338
+61363335393637346134396165333437666364633639323431323833313932306237306430336530
+39393034303537633733306133373530303239333339336465386631393866323735313639626166
+32336564366263343539346139656665353830323533623233373061323837616132626238333632
+62383531373966373131633531306430316462393430623734323161643366316233396338306336
+376133653336343338303136316539643062

inventory/hosts.yml

@@ -1,10 +1,16 @@
 all:
-  hosts:
-    Mulder:
-      ansible_host: 130.162.234.190
-      ansible_user: ubuntu
-      ansible_ssh_private_key_file: "{{ inventory_dir }}/../secrets/sublime-key.key"
-    Scully:
-      ansible_host: 92.5.121.208
-      ansible_user: ubuntu
-      ansible_ssh_private_key_file: "{{ inventory_dir }}/../secrets/sublime-key.key"
+  children:
+    oracle-cloud-instances:
+      hosts:
+        sublimePorte:
+          ansible_host: 130.162.231.152
+          ansible_user: ubuntu
+          ansible_ssh_private_key_file: ~/.ssh/ora-cloud/sublime-key.key
+        webservices:
+          ansible_host: 79.76.127.110
+          ansible_user: ubuntu
+          ansible_ssh_private_key_file: ~/.ssh/ora-cloud/sublime-key.key
+        yunohost:
+          ansible_host: 141.147.24.166
+          ansible_user: ubuntu
+          ansible_ssh_private_key_file: ~/.ssh/ora-cloud/sublime-key.key

lessons_learned.md

@@ -1,21 +0,0 @@
-# Lessons Learned
-
-*   The `network` role in this repository is a powerful tool that sets up a complete network stack, including Nginx Proxy Manager for reverse proxying and `wireguard-easy` for a WireGuard web UI.
-*   The `gitea` and `postgres` roles use Docker Compose to deploy their respective services.
-*   Properly managing variables, especially secrets like passwords and API keys, is crucial. Using `group_vars` and a `.gitignore`d `secrets` directory is a good practice.
-*   It's important to have a clear plan and get user feedback before making any changes. The "planning mode" and "acting mode" paradigm is a good way to structure the workflow.
-*   The `docker` role proved problematic on Ubuntu 24.04 (`noble`) due to repository issues.
-*   Podman is a viable and simpler alternative to Docker for container management.
-*   Ansible modules designed for Docker (e.g., `community.docker.docker_compose_v2`, `docker_container`) are not directly compatible with Podman.
-*   `podman-compose` can be used with `ansible.builtin.shell` for managing `docker-compose.yml` files with Podman.
-*   `containers.podman.podman_container` is the direct replacement for `docker_container` for managing individual Podman containers.
-*   Ansible Vault is crucial for securely managing sensitive data like passwords in version control.
-*   **Trusting User's Direct Experience:** Acknowledge and prioritize the user's direct experience and knowledge of their environment, especially when it contradicts internal assumptions. The user's assertion of capabilities (e.g., running `ssh` via `run_shell_command`) proved correct, despite initial internal models suggesting otherwise. This highlights the importance of humility and adaptability.
-*   **Verifying Tool Capabilities:** Do not assume limitations of tools (e.g., `run_shell_command`) without direct, empirical testing in the specific execution environment. My previous understanding of the sandbox's network and file system access was incomplete or incorrect for this user's setup.
-*   **"Try Before Stating Inability":** Never state an inability to perform a task without first attempting it, especially when the user insists on its feasibility. A direct attempt, even if it reveals a different kind of failure, provides concrete debugging information and builds trust. This is a fundamental principle for effective assistance.
-*   **Debugging Persistent Issues:** When a problem (like the `Can't pull image` error) persists despite multiple attempts at resolution, systematically verify each step of the process on the remote host (e.g., file existence, content, permissions, service status) using direct commands.
-*   **Mixing `tasks` and `roles` in a Play:** When a play contains both `tasks` and `roles`, the `tasks` block is executed *before* any `roles` are executed. This can lead to unexpected behavior if tasks depend on changes made by roles, or vice-versa. Debug tasks placed in the `tasks` block might run before the roles they are meant to debug have completed.
-*   **Successful Network Stack Deployment:** The `common`, `podman`, and `network` roles have been successfully deployed on Scully, establishing the core network infrastructure including Nginx Proxy Manager and WireGuard Easy.
-*   **Persistence of `registries.conf` Issue:** The `registries.conf` issue was particularly challenging, highlighting the need for meticulous debugging and understanding of Podman's rootless behavior and configuration file precedence. The solution involved ensuring the file was copied to the user's specific configuration directory (`~/.config/containers/registries.conf`).
-*   **Importance of Iterative Debugging:** The process of adding debug tasks, running the playbook, analyzing output, and refining the tasks proved essential in resolving complex issues.
-*   **Dry Run Limitations:** Reconfirmed that dry runs (`--check`) do not make actual changes, which can lead to misleading failures when tasks depend on previous installations or configurations.

playbooks/main.yml

@@ -1,10 +1,21 @@
-- name: Set up network on Scully
-  hosts: Scully
+- name: Set up reverse Proxy
+  hosts: sublimePorte
   become: true
-  vars:
-    ansible_python_interpreter: /usr/bin/python3
   roles:
-    - common
-    - podman # Ensure podman is configured before network
-    - network
-    - wireguard
+    # - common
+    # - zsh_with_style
+    # - docker
+    # - portainer
+    #- network
+    # - containers
+- name: Set up webservices
+  hosts: webservices
+  become: true
+  roles:
+    - gitea
+    # - authentik
+    # - common
+    # - zsh_with_style
+    # - docker
+    # - portainer
+    # - containers

playbooks/requirements.yml

@@ -0,0 +1,10 @@
+# requirements.yml
+
+# This file lists the Ansible collections required by the playbooks.
+# The collections are based on the commented-out roles in main.yml.
+
+collections:
+  - name: community.general
+    version: "3.0.0"
+  - name: community.crypto
+    version: "2.0.0"

playbooks/roles/common/defaults/main.yml

@@ -2,6 +2,7 @@
 common_packages:
   - git
   - nano
+  - tree
   - htop
   - iputils-ping
   - zsh

playbooks/roles/containers/subroles/pihole/defaults/main.yml

@@ -6,7 +6,7 @@ pi_hole_host_port: "314"
 pi_hole_dns_port: "53"
 pi_hole_timezone: "Europe/Berlin"
 pi_hole_volume_dir: "/opt/pi-hole"  # Directory to store Pi-Hole data
-pi_hole_web_password: "risICE3!risICE3!"  # Change this to a secure password
+pi_hole_web_password: "{{ vault_pi_hole_web_password }}"
 blocklists:
   - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt
   - https://raw.githubusercontent.com/daylamtayari/Pi-Hole-Blocklist/master/Pi-Hole-Blocklist.txt

playbooks/roles/containers/subroles/pihole/files/stack.yml

@@ -8,7 +8,7 @@ services:
       - '80:80/tcp'
     environment:
       - TZ=Europe/Berlin
-      - WEBPASSWORD=risICE3!risICE3!
+      - WEBPASSWORD={{ vault_pi_hole_web_password }}
     volumes:
       - './etc-pihole:/etc/pihole'
       - './etc-dnsmasq.d:/etc/dnsmasq.d'

playbooks/roles/docker/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Ensure all previously installed docker packages are uninstalled
+  apt:
+    name:
+      - docker.io
+      - docker-compose
+      - docker-compose-v2
+      - docker-doc
+      - podman-docker
+    state: absent
+    purge: true
+
+- name: Install dependencies
+  apt:
+    name:
+      - ca-certificates
+      - curl
+    state: present
+
+- name: Download Docker repository key securely
+  become: true
+  get_url:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    dest: /etc/apt/keyrings/docker.asc
+    mode: '0644'
+    force: true  # Ensures updates if the key changes
+
+- name: Add Docker repository
+  become: true
+  apt_repository:
+    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+    state: present
+    update_cache: true
+
+- name: Install Docker and related components
+  become: true
+  apt:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-buildx-plugin
+      - docker-compose-plugin
+    state: present
+
+- name: Add user to the docker group
+  user:
+    name: "{{ ansible_user }}"
+    groups: docker
+    append: true
+  when: ansible_user != "root"
+
+- name: Start and enable Docker service
+  service:
+    name: docker
+    state: started
+    enabled: true

playbooks/roles/gitea/defaults/main.yml

@@ -6,5 +6,5 @@ gitea_port: 3000
 postgres_host: "localhost"
 postgres_port: 5432
 postgres_db: "postgres"
-postgres_user: "tobi"
-postgres_password: "risICE3"
+postgres_user: "ansible"
+postgres_password: "{{ vault_postgres_password }}"

playbooks/roles/gitea/tasks/main.yml

@@ -14,20 +14,20 @@
     mode: '0644'
   become: true
 
-- name: Deploy Gitea container using Podman Compose
-  ansible.builtin.shell:
-    cmd: podman-compose -f {{ gitea_data_path }}/podman-compose.yml up -d
-    chdir: "{{ gitea_data_path }}"
+- name: Deploy Gitea container using Docker Compose V2
+  community.docker.docker_compose_v2:
+    project_src: "{{ gitea_data_path }}"
+    state: present
   become: true
 
 - name: Ensure Gitea container is running
-  ansible.builtin.shell:
-    cmd: "podman ps -a --filter name={{ gitea_container_name }} --format '{{.Status}}'"
-  register: gitea_container_status
-  changed_when: false
+  community.docker.docker_container_info:
+    name: "{{ gitea_container_name }}"
+  register: container_info
 
 - name: Restart Gitea container if not running
-  ansible.builtin.shell:
-    cmd: "podman restart {{ gitea_container_name }}"
-  when: "'Exited' in gitea_container_status.stdout"
-  become: true
+  community.docker.docker_container:
+    name: "{{ gitea_container_name }}"
+    state: started
+    restart: true
+  when: not container_info.container.State.Running

playbooks/roles/network/defaults/main.yml

@@ -5,11 +5,11 @@ nginx_proxy_manager_data_path: "/opt/nginx-proxy-manager/data"
 nginx_proxy_manager_letsencrypt_path: "/opt/nginx-proxy-manager/letsencrypt"
 nginx_proxy_manager_compose_path: "/opt/nginx-proxy-manager/docker-compose.yml"
 nginx_proxy_manager_admin_email: "tobend85@gmail.com"
-nginx_proxy_manager_admin_password: "risICE3"
+nginx_proxy_manager_admin_password: "{{ vault_nginx_proxy_manager_admin_password }}"
 nginx_proxy_manager_port: "9900"
 nginx_proxy_manager_ssl_port: "443"
-# Podman network configuration
-podman_network_name: "sublime-net"
+# Docker network configuration
+docker_network_name: "sublime-net"
 # Wireguard-Easy container configuration
 wireguard_easy_image: "ghcr.io/wg-easy/wg-easy"
 wireguard_easy_version: "latest"
@@ -18,5 +18,5 @@ wireguard_easy_admin_port: "51821"
 wireguard_easy_data_dir: "/etc/wireguard"
 wireguard_easy_config_dir: "/opt/network"
 wireguard_easy_host: "130.162.231.152"
-wireguard_easy_password: "admin"
+wireguard_easy_password: "{{ vault_wireguard_easy_password }}"
 wireguard_easy_password_hash: ""

playbooks/roles/network/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: Reload firewalld
-  ansible.builtin.systemd:
-    name: firewalld
-    state: reloaded
-  become: true

playbooks/roles/network/tasks/main.yml

@@ -1,20 +1,89 @@
-- name: Generate Podman Compose file for Wireguard and Nginx
+- name: Update apt cache
+  apt:
+    update_cache: true
+
+- name: Install WireGuard and required packages
+  apt:
+    name:
+      - wireguard
+      - wireguard-tools
+      - resolvconf
+    state: present
+
+- name: Ensure WireGuard module is loaded
+  modprobe:
+    name: wireguard
+    state: present
+
+- name: Enable IP forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    state: present
+
+- name: Ensure wireguard config directory exists
+  file:
+    path: "{{ wireguard_easy_config_dir }}"
+    state: directory
+    mode: '0755'
+  become: true
+
+- name: Ensure WireGuard configuration file exists (optional)
+  file:
+    path: "{{ wireguard_easy_data_dir }}/wg0.conf"
+    state: touch
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Ensure nginx data directory exists
+  file:
+    path: "{{ nginx_proxy_manager_data_path }}"
+    state: directory
+    mode: '0755'
+  become: true
+
+- name: Copy Nginx configuration files
+  copy:
+    src: nginx/data
+    dest: "{{ nginx_proxy_manager_data_path }}"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Ensure Let's Encrypt directory exists
+  file:
+    path: "{{ nginx_proxy_manager_letsencrypt_path }}"
+    state: directory
+    mode: '0755'
+  become: true
+
+- name: Copy Let's Encrypt files
+  copy:
+    src: nginx/letsencrypt
+    dest: "{{ nginx_proxy_manager_letsencrypt_path }}"
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart Nginx
+
+- name: Generate Docker Compose file for Wireguard and Nginx
   template:
-    src: podman-compose.j2
-    dest: /opt/network/podman-compose.yml
+    src: docker-compose.j2
+    dest: /opt/network/docker-compose.yml
     owner: root
     group: root
     mode: '0644'
   become: true
 
-- name: Open firewall ports for web traffic
-  ansible.posix.firewalld:
-    port: "{{ item }}"
-    permanent: true
-    state: enabled
-    zone: public
-  loop:
-    - 80/tcp
-    - 443/tcp
-  notify: Reload firewalld
+- name: Deploy Containers
+  community.docker.docker_compose_v2:
+    project_src: /opt/network
+    state: present
+    restart: true
   become: true
+
+- name: Ensure Nginx container is running
+  community.docker.docker_container_info:
+    name: "{{ nginx_proxy_manager_container_name }}"
+  register: nginx_container_info

playbooks/roles/network/templates/docker-compose.j2

@@ -23,7 +23,7 @@ services:
       - net.ipv4.ip_forward=1
       - net.ipv6.conf.all.disable_ipv6=0
     networks:
-      - {{ podman_network_name }}
+      - {{ docker_network_name }}
     restart: unless-stopped
 
   nginx-proxy-manager:
@@ -44,5 +44,5 @@ services:
       - "{{ nginx_proxy_manager_letsencrypt_path }}:/etc/letsencrypt"
 
 networks:
-  {{ podman_network_name }}:
+  {{ docker_network_name }}:
     driver: bridge

playbooks/roles/podman/tasks/main.yml

@@ -1,38 +0,0 @@
----
-- name: Install Podman
-  ansible.builtin.apt:
-    name: podman
-    state: present
-
-- name: Install podman-compose
-  ansible.builtin.apt:
-    name: podman-compose
-    state: present
-
-- name: Install podman-docker (optional, for docker command alias)
-  ansible.builtin.apt:
-    name: podman-docker
-    state: present
-
-- name: Ensure user's Podman config directory exists
-  ansible.builtin.file:
-    path: "{{ ansible_user_dir }}/.config/containers"
-    state: directory
-    mode: '0755'
-    owner: "{{ ansible_user }}"
-    group: "{{ ansible_user }}"
-  become: true
-
-- name: Configure unqualified image search registries for Podman (user-specific)
-  ansible.builtin.copy:
-    src: ../templates/registries.conf.j2
-    dest: "{{ ansible_user_dir }}/.config/containers/registries.conf"
-    owner: "{{ ansible_user }}"
-    group: "{{ ansible_user }}"
-    mode: '0644'
-  become: true
-  register: copy_registries_conf_output
-
-- name: Display copy_registries_conf_output
-  debug:
-    var: copy_registries_conf_output

playbooks/roles/podman/templates/registries.conf.j2

@@ -1,5 +0,0 @@
-# This file is a template for /etc/containers/registries.conf
-# It configures unqualified image search registries for Podman.
-
-[registries.search]
-registries = ['docker.io', 'registry.access.redhat.com', 'registry.redhat.io']

playbooks/roles/portainer/meta/main.yml

@@ -1 +1,3 @@
 ---
+dependencies:
+  - role: docker

playbooks/roles/portainer/tasks/main.yml

@@ -1,22 +1,27 @@
+- name: Ensure Docker service is running
+  service:
+    name: docker
+    state: started
+    enabled: true
 
-
-- name: Pull Portainer Podman image
-  containers.podman.podman_image:
+- name: Pull Portainer Docker image
+  community.docker.docker_image:
     name: portainer/portainer-ce
+    source: pull
 
 - name: Create Portainer container
-  containers.podman.podman_container:
+  community.docker.docker_container:
     name: portainer
     image: portainer/portainer-ce
     state: started
     ports:
       - "9000:9000"
     volumes:
-      - "/var/run/podman/podman.sock:/var/run/podman/podman.sock"
+      - "/var/run/docker.sock:/var/run/docker.sock"
       - "portainer_data:/data"
     restart_policy: unless-stopped
 
 - name: Ensure Portainer container is running
-  containers.podman.podman_container:
+  community.docker.docker_container:
     name: portainer
     state: started

playbooks/roles/postgres/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 postgres_container_name: postgres
 postgres_port: 5432
-postgres_user: tobi
-postgres_password: risICE3
+postgres_user: "ansible"
+postgres_password: "{{ vault_postgres_password }}"
 postgres_data_dir: /var/lib/postgresql/data/pgdata
 postgres_volume: /opt/postgresData

playbooks/roles/postgres/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
-- name: Run PostgreSQL Podman container
-  containers.podman.podman_container:
+- name: Run PostgreSQL Docker container
+  docker_container:
     name: "{{ postgres_container_name }}"
     image: postgres
     state: started

playbooks/roles/wireguard/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: Reload firewalld
-  ansible.builtin.systemd:
-    name: firewalld
-    state: reloaded
-  become: true

playbooks/roles/wireguard/tasks/main.yml

@@ -1,8 +0,0 @@
-- name: Open firewall port for Wireguard
-  ansible.posix.firewalld:
-    port: 51820/udp
-    permanent: true
-    state: enabled
-    zone: public
-  notify: Reload firewalld
-  become: true