Merge branch 'master' of ssh://gitea.mewissen.site:22422/rene/ansible-pull

global_handlers/global_handlers.yml

@@ -32,3 +32,8 @@
   ansible.builtin.service:
     name: rsyslog
     state: restarted
+
+- name: restart_telegraf
+  ansible.builtin.service:
+    name: "telegraf"
+    state: restarted

host_vars/caddy.universe.local.yml

@@ -0,0 +1 @@
+caddy: true

hosts

@@ -52,6 +52,7 @@ mastodon
 nameserver
 printspooler 
 proxyserver
+reverseproxy
 webservers
 
 [auth]
@@ -150,6 +151,9 @@ podman02.universe.local
 [proxyserver]
 tinyproxy.universe.local
 
+[reverseproxy]
+caddy.universe.local
+
 [video_editing]
 endor.universe.local
 endorvm.universe.local

local.yml

@@ -1,7 +1,7 @@
 ---
 - hosts: all
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   connection: local
   vars_files:
     - "{{ lookup('first_found', ['os_vars/' + (ansible_distribution | lower) + '.yml'], errors='ignore') }}"
@@ -12,31 +12,31 @@
 
   pre_tasks:
     - name: pre-run | get status of marker file
-      stat:
+      ansible.builtin.stat:
         path: "{{ ansible_pull_marker_file }}"
       register: marker_file_stat
       tags: always
 
     - name: pre-run | check if last run was within cooldown period
-      meta: end_play
+      ansible.builtin.meta: end_play
       when:
         - marker_file_stat.stat.exists
         - (ansible_date_time.epoch | int) - (marker_file_stat.stat.mtime | int) < (ansible_reboot_cooldown_minutes | int * 60)
       tags: always
 
     - name: pre-run | set marker file path as a cached fact
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_pull_marker_file: "{{ ansible_pull_marker_file }}"
         cacheable: true
       tags: always
 
     - name: pre-run | update apt repository (debian, ubuntu, etc.) # noqa no-changed-when
-      apt: update_cache=yes
+      ansible.builtin.apt: update_cache=yes
       #changed_when: false
       when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
       ignore_errors: True
     - name: pre-run | update pacman repository (arch)
-      pacman: update_cache=yes
+      community.general.pacman: update_cache=yes
       #changed_when: false
       when: ansible_distribution == 'Archlinux'
       ignore_errors: True
@@ -50,19 +50,19 @@
 - hosts: all:!database
   pre_tasks:
     - name: pre-run | upgrade system (debian, ubuntu, etc.)
-      apt: upgrade=dist
+      ansible.builtin.apt: upgrade=dist
       #changed_when: false
       when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
       ignore_errors: True
     - name: pre-run | upgrade system (arch)
-      pacman: upgrade=true
+      community.general.pacman: upgrade=true
       when: ansible_distribution == 'Archlinux'
       ignore_errors: True
 
 # run roles
 - hosts: all
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   tags: base
   become: true
   roles:
@@ -82,18 +82,18 @@
   roles:
     - server
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
 
 - hosts: bastionhost
   tags: server,bastionhost
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - bastionhost
   post_tasks:
     - name: Update AIDE database if changes were made
-      include_role:
+      ansible.builtin.include_role:
         name: bastionhost
         tasks_from: system_setup/aide_update.yml
       when: (aide_db_needs_update is defined and aide_db_needs_update) and (aide_db is defined and aide_db.stat.exists)
@@ -101,7 +101,7 @@
 - hosts: nameserver
   tags: server,nameserver
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - nameserver
@@ -110,7 +110,7 @@
   tags: server,webservers
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - webservers
 
@@ -118,7 +118,7 @@
   tags: server,mailserver
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - mailserver
 
@@ -126,7 +126,7 @@
   tags: server,database
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - database
 
@@ -139,7 +139,7 @@
 - hosts: docker
   tags: server,docker
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - docker
@@ -148,7 +148,7 @@
   tags: server,podman
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - podman
 
@@ -156,7 +156,7 @@
   tags: server,docker,drone
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - drone
 
@@ -169,7 +169,7 @@
 - hosts: mastodon
   tags: server,mastodon
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - mastodon
@@ -183,7 +183,7 @@
 - hosts: jitsimeet
   tags: server,jitsimeet,webservers
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - jitsimeet
@@ -192,7 +192,7 @@
   tags: server,omada_controller
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - omada-controller
 
@@ -200,10 +200,18 @@
   tags: server,backup
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - backup
 
+- hosts: reverseproxy
+  tags: server,reverseproxy
+  become: true
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
+  roles:
+    - reverseproxy
+
 # - hosts: proxyserver
 #   tags: server,proxyserver
 #   become: true
@@ -216,14 +224,14 @@
   post_tasks:
     - name: cleanup package cache (debian and ubuntu)
       tags: always
-      apt:
+      ansible.builtin.apt:
         autoclean: yes
       changed_when: false
       when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu", "Linux Mint"]
 
     - name: autoremove orphan packages (debian and ubuntu)
       tags: always
-      apt:
+      ansible.builtin.apt:
         autoremove: yes
         purge: yes
       when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu", "Linux Mint"]

os_vars/archlinux.yml

@@ -0,0 +1,2 @@
+aur_helper: "paru"
+aur_build_user: "aur_builder"

roles/backup/files/config/docker01_includes.txt

@@ -1,2 +1 @@
-/opt/docker
 /var/lib/docker/volumes

roles/backup/files/config/podman01_includes.txt

@@ -0,0 +1 @@
+/var/lib/containers

roles/backup/tasks/system_setup/copy_backup_config.yml

@@ -1,5 +1,5 @@
 - name: backup | system setup | create backup config directory
-  file:
+  ansible.builtin.file:
     path: "{{ item }}"
     state: directory
   loop:
@@ -8,24 +8,24 @@
     - "/opt/backup/config"
     
 - name: backup | system setup | create a link to backup script
-  file:
+  ansible.builtin.file:
     path: "/opt/backup/bin/backup_remote.bash"
     state: link
     src: "{{ ansible_user_dir }}/bin/backup_remote.bash"
 
 - name: backup | system setup | copy backup config files
-  copy:
+  ansible.builtin.copy:
     dest: "/opt/backup/config/"
     src: "config/"
 
 - name: backup | system setup | copy backup config files 2
-  template:
+  ansible.builtin.template:
     src: "backup_remote.j2"
     dest: "/opt/backup/config/backup_remote.conf"
     force: Yes
   
 - name: backup | system setup | add entries to ssh_config
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: "{{ ansible_user_dir }}/.ssh/config"
     block: "{{ lookup('template', 'ssh_config.j2') }}"
     marker: "## {mark} ANSIBLE MANAGED BLOCK FOR backup"

roles/backup/vars/main.yml

@@ -1,7 +1,7 @@
 hosts_to_backup:
   - { hostname: "mariadb02", fqdn: "mariadb02.universe.local." }
   - { hostname: "haproxy02", fqdn: "haproxy02.universe.local." }
-  - { hostname: "AdGuard", fqdn: "AdGuard.universe.local." }
+  - { hostname: "mail", fqdn: "mail.universe.local." }
   - { hostname: "owntrack", fqdn: "owntrack.universe.local." }
   - { hostname: "endor", fqdn: "endor.universe.local." }
   - { hostname: "step-ca", fqdn: "step-ca.universe.local." }
@@ -10,36 +10,42 @@ hosts_to_backup:
   - { hostname: "searx", fqdn: "searx.universe.local." }
   - { hostname: "dnspri", fqdn: "dnspri.universe.local." }
   - { hostname: "gs1900-8hp", fqdn: "gs1900-8hp.universe.local." }
+  - { hostname: "librenms", fqdn: "librenms.universe.local." }
   - { hostname: "webserver", fqdn: "webserver.universe.local." }
   - { hostname: "agh01", fqdn: "agh01.universe.local." }
   - { hostname: "mastodon", fqdn: "mastodon.universe.local." }
+  - { hostname: "icinga", fqdn: "icinga.universe.local." }
   - { hostname: "haproxy01", fqdn: "haproxy01.universe.local." }
+  - { hostname: "freeradius", fqdn: "freeradius.universe.local." }
   - { hostname: "dhcp-kea", fqdn: "dhcp-kea.universe.local." }
   - { hostname: "pi-alert-lan", fqdn: "pi-alert-lan.universe.local." }
   - { hostname: "mariadb01", fqdn: "mariadb01.universe.local." }
   - { hostname: "dhcp-stork", fqdn: "dhcp-stork.universe.local." }
+  - { hostname: "paperless", fqdn: "paperless.universe.local." }
   - { hostname: "truenas", fqdn: "truenas.universe.local." }
+  - { hostname: "grafana", fqdn: "grafana.universe.local." }
   - { hostname: "idrac-dell", fqdn: "idrac-dell.universe.local." }
   - { hostname: "docker01", fqdn: "docker01.universe.local." }
   - { hostname: "pi-alert", fqdn: "pi-alert.universe.local." }
-  - { hostname: "tatooine", fqdn: "tatooine.universe.local." }
+  - { hostname: "pixelfed", fqdn: "pixelfed.universe.local." }
   - { hostname: "pve2", fqdn: "pve2.universe.local." }
   - { hostname: "dnssec2", fqdn: "dnssec2.universe.local." }
   - { hostname: "pve", fqdn: "pve.universe.local." }
-  - { hostname: "jitsimeet", fqdn: "jitsimeet.universe.local." }
   - { hostname: "haproxy", fqdn: "haproxy.universe.local." }
   - { hostname: "homeassistant", fqdn: "homeassistant.universe.local." }
   - { hostname: "ns1", fqdn: "ns1.universe.local." }
-  - { hostname: "pve-ha", fqdn: "pve-ha.universe.local." }
   - { hostname: "backup", fqdn: "backup.universe.local." }
   - { hostname: "tinyproxy", fqdn: "tinyproxy.universe.local." }
-  - { hostname: "bastion", fqdn: "bastion.universe.local." }
   - { hostname: "tatooine2", fqdn: "tatooine2.universe.local." }
   - { hostname: "mailcow", fqdn: "mailcow.universe.local." }
   - { hostname: "netbox", fqdn: "netbox.universe.local." }
+  - { hostname: "AdGuard", fqdn: "AdGuard.universe.local." }
   - { hostname: "samba-ad-dc2", fqdn: "samba-ad-dc2.universe.local." }
+  - { hostname: "graylog", fqdn: "graylog.universe.local." }
   - { hostname: "bmc-truenas", fqdn: "bmc-truenas.universe.local." }
+  - { hostname: "shinobi", fqdn: "shinobi.universe.local." }
   - { hostname: "nextcloud", fqdn: "nextcloud.universe.local." }
+  - { hostname: "podman01", fqdn: "podman01.universe.local." }
   - { hostname: "docker02", fqdn: "docker02.universe.local." }
   - { hostname: "dnssec1", fqdn: "dnssec1.universe.local." }
   - { hostname: "samba-ad-dc1", fqdn: "samba-ad-dc1.universe.local." }

roles/base/tasks/software/aur_helper.yml

@@ -0,0 +1,31 @@
+---
+- name: "[Arch] Install base-devel & git"
+  pacman:
+    name:
+      - base-devel
+      - git
+    state: present
+  when: ansible_facts['os_family'] == "Archlinux"
+
+- name: "[Arch] Create AUR build user"
+  user:
+    name: "{{ aur_build_user }}"
+    groups: ['wheel']
+    create_home: yes
+  when: ansible_facts['os_family'] == "Archlinux"
+
+- name: "[Arch] Allow AUR builder to use pacman without password"
+  lineinfile:
+    path: "/etc/sudoers.d/90-aur-builder"
+    line: "{{ aur_build_user }} ALL=(ALL) NOPASSWD: /usr/bin/pacman"
+    create: yes
+    validate: "visudo -cf %s"
+  when: ansible_facts['os_family'] == "Archlinux"
+
+# - name: "[Arch] Install AUR helper"
+#   community.general.aur:
+#     name: "{{ aur_helper }}"
+#     state: present
+#     use: makepkg
+#   become_user: "{{ aur_build_user }}"
+#   when: ansible_facts['os_family'] == "Archlinux"

roles/base/tasks/software/packages_utilities.yml

@@ -1,6 +1,6 @@
 - name: system setup | utilities | install utility packages individually
   tags: packages,system,system setup
-  package:
+  ansible.builtin.package:
     state: latest
     name: "{{ item }}"
   loop:
@@ -32,7 +32,7 @@
 
 - name: system setup | utilities | install cloud-init and gemu guest agent
   tags: packages,system,system setup
-  package:
+  ansible.builtin.package:
     state: latest
     name: "{{ item }}"
   loop:
@@ -46,7 +46,7 @@
 
 - name: system setup | utilities | install utilities (arch)
   tags: packages,system,system setup
-  package:
+  ansible.builtin.package:
     state: latest
     name: "{{ item }}"
   loop:
@@ -64,7 +64,7 @@
 
 - name: system setup | utilities | install man-pages (arch)
   tags: packages,system,settings
-  pacman:
+  community.general.pacman:
     state: latest
     name: "{{ item }}"
   loop:
@@ -76,7 +76,7 @@
 
 - name: system setup | utilities | install utilities (debian)
   tags: packages,system,system setup
-  package:
+  ansible.builtin.package:
     state: latest
     name: "{{ item }}"
   loop:
@@ -89,3 +89,7 @@
     - "{{ python_passlib_package }}"
   when: ansible_distribution in [ "Debian", "Ubuntu" ]
   ignore_errors: true
+
+- name: system setup | utilities | install AUR helper (arch)
+  ansible.builtin.import_tasks: aur_helper.yml
+  when: ansible_facts['os_family'] == "Archlinux"

roles/base/tasks/system_setup/cron.yml

@@ -13,7 +13,17 @@
     enabled: true
   when: ansible_distribution == "Archlinux"
 
-- name: add cronjob for ansible
+- name: system setup | cron | add cronjob for ansible on reboot
+  become: true
+  become_user: root
+  cron:
+    name: "ansible provision"
+    user: "{{ ansible_user_id }}"
+    job: 'ansible-pull --vault-password-file=~/.vaultpass -U "https://gitea.mewissen.site/rene/ansible-pull.git" -d "/opt/ansible-pull" -C master > /var/log/ansible_pull.log || cat /var/log/ansible_pull.log'
+    state: present
+    special_time: reboot
+
+- name: system setup | cron | add cronjob for ansible
   become: true
   become_user: root
   cron:
@@ -24,7 +34,7 @@
     minute: 0
     hour: 1
 
-- name: correct crontab for reboot | remove
+- name: system setup | cron | correct crontab for reboot | remove
   become: true
   become_user: root
   cron:
@@ -32,7 +42,7 @@
     job: '[[ -f /etc/ssh/ssh_host_* ]] | ssh-keygen -A'
     state: absent
 
-- name: correct crontab for reboot | remove
+- name: system setup | cron | correct crontab for reboot | remove
   become: true
   become_user: root
   cron:
@@ -40,23 +50,23 @@
     job: '[[ -f /etc/ssh/ssh_host_* ]] || ssh-keygen -A'
     state: absent
 
-- name: correct crontab for reboot | remove
+- name: system setup | cron | correct crontab for reboot | add
   become: true
   become_user: root
   cron:
     name: "generate SSH key on reboot, if missing"
     job: "[[ -f /etc/ssh/ssh_host_* ]] || ssh-keygen -A && systemctl restart {{ ssh_service }}"
-    state: absent
+    state: present
     special_time: reboot
 
-- name: correct crontab for reboot | add
+- name: system setup | cron | correct crontab for reboot | remove
   become: true
   become_user: root
   cron:
     name: "generate SSH key on reboot, if missing"
     job: >-
       {% raw %}KEYS=(/etc/ssh/ssh_host_*_key); (( ${#KEYS[@]} )) || ( ssh-keygen -A && systemctl restart {% endraw %}{{ ssh_service }}{% raw %} ){% endraw %}
-    state: present
+    state: absent
     special_time: reboot
 
 - name: base | cron | set shell to bash

roles/docker/files/telegraf.d/input_docker.conf

@@ -6,9 +6,7 @@
   container_name_include = []
   container_name_exclude = []
   timeout = "5s"
-  perdevice = false
   perdevice_include = ["cpu", "blkio", "network"]
-  total = false
   total_include = ["cpu", "blkio", "network"]
   docker_label_include = []
   docker_label_exclude = []

roles/docker/tasks/configure_telegraf.yml

@@ -0,0 +1,7 @@
+- name: docker | telegraf | copy basic config
+  ansible.builtin.copy:
+    dest: "/etc/telegraf/telegraf.d/{{ item | basename }}"
+    src: "{{ item }}"
+  with_fileglob:
+    - "telegraf.d/*.conf"
+  notify: restart_telegraf

roles/docker/tasks/install_docker.yml

@@ -1,13 +1,13 @@
 - block:
   - name: docker | install docker | get convenience script
-    get_url:
+    ansible.builtin.get_url:
       url: "https://get.docker.com"
       dest: "~/get-docker.sh"
       mode: "0777"  # not required. The permissions the resulting file or directory should have. For those used to I(/usr/bin/chmod) remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like C(0644) or C(01777)) or quote it (like C('644') or C('1777')) so Ansible receives a string and can do its own conversion from string into number. Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, C(u+rwx) or C(u=rw,g=r,o=r)). As of Ansible 2.6, the mode may also be the special string C(preserve). When set to C(preserve) the file will be given the same permissions as the source file.
       use_proxy: No
 
   - name: docker | install docker | execute convenience script
-    shell:
+    ansible.builtin.shell:
       cmd: "/tmp/get-docker.sh"
       creates: /usr/bin/docker
 
@@ -18,7 +18,7 @@
   when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
 
 - name: docker | install docker | docker-compose
-  package:
+  ansible.builtin.package:
     name: "{{ item }}"
     state: latest
   loop:
@@ -26,7 +26,7 @@
     - docker-compose
 
 - name: docker | install docker | enable service
-  service:
+  ansible.builtin.service:
     name: docker 
     state: started
     enabled: true

roles/docker/tasks/main.yml

@@ -1,17 +1,20 @@
 ---
 # Load distro specific variables
-- include_vars: "{{ ansible_distribution | lower }}.yml"
+- ansible.builtin.include_vars: "{{ ansible_distribution | lower }}.yml"
   tags: always
   ignore_errors: True
-- include_vars: "{{ ansible_fqdn | lower }}.yml"
+- ansible.builtin.include_vars: "{{ ansible_fqdn | lower }}.yml"
   ignore_errors: True
 
-- import_tasks: install_docker.yml
+- ansible.builtin.import_tasks: install_docker.yml
-- import_tasks: install_portainer.yml
+- ansible.builtin.import_tasks: install_portainer.yml
   when:
     - run_portainer is defined
     - run_portainer == true
-- import_tasks: install_portainer_agent.yml
+- ansible.builtin.import_tasks: install_portainer_agent.yml
   when:
     - run_portainer_agent is defined
     - run_portainer_agent == true
+
+- ansible.builtin.import_tasks: configure_telegraf.yml
+  

roles/drone/tasks/create_app.yml

@@ -1,20 +1,20 @@
 - name: drone | create app | generate shared secret
-  command: openssl rand -hex 16
+  ansible.builtin.command: openssl rand -hex 16
   register: DRONE_RPC_SECRET
 
 - name: drone | create app | create docker dir
-  file:
+  ansible.builtin.file:
     path: "/opt/docker/drone"
     state: directory
 
 - name: drone | create app | create docker-compose.yml
-  template:
+  ansible.builtin.template:
     src: "docker-compose.yml.j2"
     dest: "/opt/docker/drone/docker-compose.yml"
     force: no
     validate: "docker-compose -f %s config" # not required. The validation command to run before copying into place. The path to the file to validate is passed in via '%s' which must be present as in the examples below. The command is passed securely so shell features like expansion and pipes will not work.
 
 - name: drone | create app | start docker container
-  command:
+  ansible.builtin.command:
     cmd: "docker-compose up -d"
     chdir: "/opt/docker/drone"

roles/nameserver/tasks/install_powerdns_server.yml

@@ -101,16 +101,14 @@
     mode: "0644"
     owner: "root"
     group: "root"
-    force: no
+    force: yes
 
 - name: Nameserver | powerdns-server | set listening IPs
   when:
     - powerdns_secondary is defined
     - powerdns_secondary is true
-    - powerdns_recursor is defined
-    - powerdns_recursor is true
   template:
-    src: "powerdns-server-sec-mysql-config.j2"
+    src: "powerdns-server-sec-config.j2"
     dest: "/etc/powerdns/pdns.conf"
     owner: "root"
     group: "root"
@@ -135,3 +133,8 @@
     name: "pdns"
     state: started
     enabled: true
+
+- name: Nameserver | powerdns-server | install python-is-python3 for snmp helper
+  package:
+    name: python-is-python3
+    state: present

roles/nameserver/templates/powerdns-server-sec-config.j2

@@ -0,0 +1,4 @@
+include-dir=/etc/powerdns/pdns.d
+launch=
+local-address={{ ansible_default_ipv4.address }}, [{{ ansible_default_ipv6.address }}], 127.0.0.1:553{% if wg_local_ip is defined %}, {{ wg_local_ip | ansible.utils.ipaddr('address') }}:553{% endif %}
+security-poll-suffix=

roles/nameserver/templates/powerdns-server-sec-mysql-config .j2

@@ -1,4 +0,0 @@
-launch += gmysql
-gmysql-host = {{ pdns_pri_server }}
-gmysql-password = {{ pdns_db_passwd | default(lookup('password', '/etc/powerdns/pdns.d/.mysqlpw length=20')) }}
-gmysql-dnssec = Yes

roles/nameserver/templates/powerdns-server-sec-mysql-config.j2

@@ -1,4 +1,4 @@
-include-dir=/etc/powerdns/pdns.d
+launch += gmysql
-launch=
+gmysql-host = {{ pdns_pri_server }}
-local-address={{ ansible_default_ipv4.address }}, [{{ ansible_default_ipv6.address }}], 127.0.0.1:553{% if wg_local_ip is defined %}, {{ wg_local_ip | ansible.utils.ipaddr('address') }}:553{% endif %}
+gmysql-password = {{ pdns_db_passwd | default(lookup('password', '/etc/powerdns/pdns.d/.mysqlpw length=20')) }}
-security-poll-suffix=
+gmysql-dnssec = Yes

roles/podman/tasks/main.yml

@@ -8,7 +8,7 @@
     update_cache: yes
 
 - name: Create local mount point for Podman NFS data
-  ansible.builtin.file:
+  ansible.builtin.file: # noqa name[missing]
     path: "{{ podman_data_mount_point }}"
     state: directory
     mode: '0755'
@@ -48,7 +48,7 @@
     update_cache: yes
 
 - name: Create directory for Portainer compose file
-  ansible.builtin.file:
+  ansible.builtin.file: # noqa name[missing]
     path: "{{ podman_data_mount_point }}/compose/portainer"
     state: directory
     mode: '0755'

roles/reverseproxy/tasks/caddy.yml

@@ -0,0 +1,18 @@
+# Load distro-specific variables
+- include_vars: "{{ ansible_distribution | lower }}.yml"
+  tags: always
+  ignore_errors: True
+
+- block:
+  - debug:
+      msg: Debug
+
+  # Perform remaining tasks:
+  - ansible.builtin.import_tasks: caddy_install_debian.yml
+    when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
+  - ansible.builtin.import_tasks: caddy_config.yml
+  - ansible.builtin.import_tasks: caddy_service.yml
+
+  rescue:
+    - set_fact: task_failed=true
+    

roles/reverseproxy/tasks/caddy_config.yml

@@ -0,0 +1,18 @@
+---
+- name: Create Caddy config dir
+  file:
+    path: /etc/caddy
+    state: directory
+    mode: 0755
+
+- name: Deploy Caddyfile
+  template:
+    src: Caddyfile.j2
+    dest: /etc/caddy/Caddyfile
+    mode: 0644
+
+- name: Deploy PowerDNS env file
+  template:
+    src: powerdns.env.j2
+    dest: /etc/caddy/powerdns.env
+    mode: 0600

roles/reverseproxy/tasks/caddy_install.yml

@@ -0,0 +1,37 @@
+---
+- name: Install dependencies
+  apt:
+    name:
+      - curl
+      - unzip
+      - git
+      - build-essential
+    state: present
+    update_cache: yes
+
+- name: Download xcaddy
+  get_url:
+    url: https://github.com/caddyserver/xcaddy/releases/download/v0.9.5/xcaddy_0.9.5_linux_amd64.tar.gz
+    dest: /tmp/xcaddy.tar.gz
+
+- name: Extract xcaddy
+  unarchive:
+    src: /tmp/xcaddy.tar.gz
+    dest: /usr/local/bin/
+    mode: 0755
+    remote_src: yes
+
+- name: Build Caddy with PowerDNS DNS plugin
+  command: >
+    xcaddy build
+    --with github.com/caddy-dns/powerdns
+  args:
+    chdir: /usr/local/bin
+    creates: /usr/local/bin/caddy-custom
+
+- name: Move custom caddy binary
+  copy:
+    src: /usr/local/bin/caddy
+    dest: /usr/local/bin/caddy
+    mode: 0755
+    remote_src: yes

roles/reverseproxy/tasks/caddy_install_debian.yml

@@ -0,0 +1,52 @@
+---
+- name: Install dependencies
+  apt:
+    name:
+      - curl
+      - unzip
+      - git
+      - build-essential
+      - golang
+      - debian-keyring
+      - debian-archive-keyring
+      - apt-transport-https
+    state: present
+    update_cache: yes
+
+- name: reverseproxy | xcaddy | download key
+  ansible.builtin.uri:
+    url: "https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key"
+    dest: "/tmp/xcaddy_gpg.key"
+    creates: "/tmp/xcaddy_gpg.key"
+
+- name: reverseproxy | xcaddy | verify and import key
+  ansible.builtin.shell:
+    cmd: "gpg --show-keys --with-fingerprint --with-colons /tmp/xcaddy_gpg.key 2>&1 | grep -q '^fpr:\\+65760C51EDEA2017CEA2CA15155B6D79CA56EA34:$' && cat /tmp/xcaddy_gpg.key | gpg --dearmor | tee /etc/apt/keyrings/xcaddy_gpg.gpg > /dev/null"
+    creates: "/etc/apt/trusted.gpg.d/xcaddy_gpg.gpg"
+
+- name: reverseproxy | caddy | add repository
+  ansible.builtin.uri:
+    url: "https://dl.cloudsmith.io/public/caddy/xcaddy/debian.deb.txt"
+    dest: "/etc/apt/sources.list.d/xcaddy-stable.list"
+    creates: "/etc/apt/sources.list.d/xcaddy-stable.list"
+
+- name: reverseproxy | xcaddy | install xcaddy
+  ansible.builtin.apt:
+    name: "xcaddy"
+    state: latest
+    update_cache: yes
+
+- name: Build Caddy with PowerDNS DNS plugin
+  command: >
+    xcaddy build
+    --with github.com/caddy-dns/powerdns
+  args:
+    chdir: /usr/local/bin
+    creates: /usr/local/bin/caddy-custom
+
+- name: Move custom caddy binary
+  copy:
+    src: /usr/local/bin/caddy
+    dest: /usr/local/bin/caddy
+    mode: 0755
+    remote_src: yes

roles/reverseproxy/tasks/caddy_service.yml

@@ -0,0 +1,31 @@
+---
+- name: Install systemd service
+  copy:
+    dest: /etc/systemd/system/caddy.service
+    mode: 0644
+    content: |
+      [Unit]
+      Description=Caddy
+      After=network-online.target
+      Wants=network-online.target
+
+      [Service]
+      EnvironmentFile=/etc/caddy/powerdns.env
+      ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
+      ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
+      Restart=on-failure
+      User=root
+      Group=root
+
+      [Install]
+      WantedBy=multi-user.target
+
+- name: Reload systemd
+  systemd:
+    daemon_reload: yes
+
+- name: Enable and start Caddy
+  systemd:
+    name: caddy
+    state: started
+    enabled: yes

roles/reverseproxy/tasks/main.yml

@@ -0,0 +1,11 @@
+# Load distro specific variables
+- include_vars: "{{ ansible_distribution | lower }}.yml"
+  tags: always
+  ignore_errors: True
+- include_vars: "{{ ansible_fqdn | lower }}.yml"
+  ignore_errors: True
+
+- include_tasks: caddy.yml
+  when:
+    - caddy is defined
+    - caddy == true

roles/reverseproxy/templates/Caddyfile.j2

@@ -0,0 +1,23 @@
+{
+    email admin@example.net
+
+    acme_dns powerdns {
+        api_url {env.PDNS_API_URL}
+        api_key {env.PDNS_API_KEY}
+        server_id {env.PDNS_SERVER_ID}
+    }
+}
+
+nextcloud.example.net {
+    reverse_proxy 10.10.20.10:443
+    tls {
+        dns powerdns
+    }
+}
+
+gitea.example.org {
+    reverse_proxy 10.10.30.20:3000
+    tls {
+        dns powerdns
+    }
+}

roles/reverseproxy/templates/powerdns.env.j2

@@ -0,0 +1,3 @@
+PDNS_API_KEY="{{ pdns_api_key }}"
+PDNS_API_URL="{{ pdns_api_url }}"
+PDNS_SERVER_ID="{{ pdns_server_id }}"

roles/server/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+# defaults file for server
+telegraf_memory_high: "120M"
+telegraf_memory_max: "150M"
+telegraf_memory_swap_max: "0"
+telegraf_agent_interval: "10s"
+telegraf_agent_flush_interval: "10s"
+telegraf_agent_flush_jitter: "2s"
+telegraf_agent_metric_batch_size: 500
+telegraf_agent_metric_buffer_limit: 1000
+telegraf_agent_collection_jitter: "1s"
+telegraf_agent_round_interval: "true"       # Must be quoted, because Ansible would interpret as boolean and will set it as "True" (capital T). But telegraf needs it with lowercase 'T'.

roles/server/files/sudoers

@@ -1,2 +1,2 @@
-Debian-snmp ALL = NOPASSWD: /etc/snmp/bind, /etc/snmp/fail2ban, /etc/snmp/docker-stats.sh, /etc/snmp/mailcow-dockerized-postfix, /etc/snmp/unbound, /etc/snmp/osupdate, /etc/snmp/distro, /etc/snmp/powerdns-recursor, /etc/snmp/apache-stats.py
+Debian-snmp ALL = NOPASSWD: /etc/snmp/bind, /etc/snmp/fail2ban, /etc/snmp/docker-stats.sh, /etc/snmp/mailcow-dockerized-postfix, /etc/snmp/unbound, /etc/snmp/osupdate, /etc/snmp/distro, /etc/snmp/powerdns-recursor, /etc/snmp/apache-stats.py, /etc/snmp/powerdns.py, /etc/snmp/powerdns-recursor
 Debian-snmp ALL = (postgres) NOPASSWD: /etc/snmp/postgres

roles/server/files/telegraf.d/output_file.conf

@@ -0,0 +1,11 @@
+# --- FALLBACK: Metriken in Datei schreiben (optional, aber SEHR hilfreich) ---
+# Wird aktiviert, wenn du sicherstellen willst, dass keine Daten verloren gehen,
+# selbst wenn die InfluxDB tagelang offline ist.
+#
+# WICHTIG: Der File-Output belegt praktisch KEINEN RAM, da er direkt streamt.
+
+[[outputs.file]]
+  files = ["stdout", "/var/log/telegraf/metrics_backup.out"]
+  rotation_interval = "1h"
+  rotation_max_size = "100MB"
+  rotation_max_archives = 5

roles/server/files/telegraf.d/output_influx.conf

@@ -1,4 +1,14 @@
 [[outputs.influxdb]]
   urls = ["http://grafana.universe.local:8086"]
   database = "linux"
+
+  ## Timeouts BEGRENZEN, damit der Puffer nicht endlos wächst
+  timeout = "3s"
+  username = "telegraf"
+  password = "secret"
+
+  ## Ab Telegraf 1.20+ sinnvoll:
+  http_headers = { "Connection" = "close" }
+
+  ## Fehler schnell melden → verhindert große Warteschlangen
   skip_database_creation = false

roles/server/handlers/main.yml

@@ -1,9 +1,13 @@
+- name: reload_systemd
+  systemd:
+    daemon_reload: yes
+
 - name: restart_snmpd
-  service:
+  ansible.builtin.service:
     name: "snmpd"
     state: restarted
 
 - name: restart_telegraf
-  service:
+  ansible.builtin.service:
     name: "telegraf"
     state: restarted

roles/server/tasks/main.yml

@@ -8,7 +8,7 @@
 
 - block:
   - include_tasks: utilities/mail_transfer_agent.yml
-  # - include_tasks: utilities/telegraf.yml
+  - include_tasks: utilities/telegraf.yml
     when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
   - include_tasks: utilities/netdata.yml
     when: netdata is defined and netdata == true
@@ -21,5 +21,4 @@
   # - include_role:
   #     name: base
   #     tasks_from: users.yml
-
 # vim: ts=2 sw=2

roles/server/tasks/utilities/snmpd.yml

@@ -1,12 +1,12 @@
-- include_vars: snmp_users.yml
+- ansible.builtin.include_vars: snmp_users.yml
 
 - name: server | snmpd | install package
-  package:
+  ansible.builtin.package:
     name: "{{ snmpd_package }}"
     state: present
 
 - name: server | snmpd | install sudoers file
-  copy:
+  ansible.builtin.copy:
     dest: "/etc/sudoers.d/10-debian-snmp"
     src: "sudoers"
     owner: "root"
@@ -16,14 +16,14 @@
   when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
 
 - name: server | snmpd | create /etc/snmp
-  file:
+  ansible.builtin.file:
     path: "/etc/snmp"
     state: directory
     owner: "root"
     group: "root"
 
 - name: server | snmpd | insert anchors to snmpd.conf
-  blockinfile:
+  ansible.builtin.blockinfile:
     path: "{{ snmpd_conf }}"
     create: true
     marker: "# {mark} ANSIBLE MANAGED BLOCK"
@@ -32,24 +32,24 @@
       # SECTION: custom settings
 
 - name: server | snmpd | stop service
-  service:
+  ansible.builtin.service:
     name: "snmpd"
     state: stopped
 
 - name: server | snmpd | setup monitoring user SNMPv3
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: "{{ snmpd_user_file }}"
     create: true
     line: "createuser {{ snmp_user }} {{ snmp_auth_proto }} {{ snmp_auth_pass }} {{ snmp_priv_proto }} {{ snmp_priv_pass }}"
 
 - name: server | snmpd | setup ACLs
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: "{{ snmpd_conf }}" # required. The file to modify. Before Ansible 2.3 this option was only usable as I(dest), I(destfile) and I(name).
     line: "rouser {{ snmp_user }} authpriv"
     insertafter: "# SECTION: custom settings"
 
 - name: server | snmpd | enable service on wireguard interface
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: "{{ snmpd_conf }}"
     regexp: "^agentaddress.*$"
     state: present
@@ -57,34 +57,34 @@
   when: wg_local_ip is defined
 
 - name: server | snmpd | set sysLocation
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: "{{ snmpd_conf }}"
     regexp: '^sysLocation.*$'
     state: present
     line: "sysLocation  {{ snmp_location }}"
 
 - name: server | snmpd | set sysContact
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: "{{ snmpd_conf }}"
     regexp: '^sysContact.*$'
     state: present
     line: "sysContact  {{ snmp_contact }}"
 
 - name: server | snmpd | enable service on all interfaces
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: "{{ snmpd_conf }}"
     regexp: "^agentaddress.*$"
     state: absent
   when: wg_local_ip is not defined
 
 - name: server | snmpd | copy distro script
-  copy:
+  ansible.builtin.copy:
     dest: "/etc/snmp/distro"
     src: "distro"
     mode: "0755"
 
 - name: server | snmpd | get os-updates script
-  get_url:
+  ansible.builtin.get_url:
     url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/osupdate"
     dest: "/etc/snmp/osupdate"
     mode: "0755"
@@ -92,7 +92,7 @@
     group: "root"
 
 - name: server | snmpd | configure extends
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: "{{ snmpd_conf }}"
     state: present
     line: "extend {{ item.service }} '{{ item.script }}'"
@@ -106,14 +106,14 @@
 
 - block:
   - name: server | snmpd | get proxmox script
-    get_url:
+    ansible.builtin.get_url:
       url: "https://raw.githubusercontent.com/librenms/librenms-agent/master/agent-local/proxmox"
       dest: "/usr/local/bin/proxmox"
       mode: "0755"
       owner: "root"
       group: "root"
   - name: server | snmpd | configure proxmox extends
-    lineinfile:
+    ansible.builtin.lineinfile:
       path: "{{ snmpd_conf }}"
       state: present
       line: "extend proxmox {{ sudo }} /usr/local/bin/proxmox"
@@ -123,7 +123,7 @@
     - is_proxmox == true
 
 - name: server | snmpd start service
-  service:
+  ansible.builtin.service:
     name: "snmpd"
     state: started
     enabled: true

roles/server/tasks/utilities/telegraf.yml

@@ -3,35 +3,157 @@
 #     path: "/etc/apt/sources.list.d/influxdata.list"
 #     state: absent
 
+
+# curl --silent --location -O https://repos.influxdata.com/influxdata-archive.key
+# gpg --show-keys --with-fingerprint --with-colons ./influxdata-archive.key 2>&1 \
+#     | grep -q '^fpr:\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' \
+#     && cat influxdata-archive.key \
+#     | gpg --dearmor \
+#     | sudo tee /etc/apt/keyrings/influxdata-archive.gpg > /dev/null \
+#     && echo 'deb [signed-by=/etc/apt/keyrings/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' \
+#     | sudo tee /etc/apt/sources.list.d/influxdata.list
+# sudo apt-get update && sudo apt-get install telegraf
+
+
+
 - name: server | telegraf | download key
-  uri:
+  ansible.builtin.uri:
-    url: "https://repos.influxdata.com/influxdata-archive_compat.key"
+    url: "https://repos.influxdata.com/influxdata-archive.key"
-    dest: "/tmp/influxdb.key"
+    dest: "/tmp/influxdata.key"
-    creates: "/tmp/influxdb.key"
+    creates: "/tmp/influxdata.key"
 
 - name: server | telegraf | verify and import key
-  shell:
+  ansible.builtin.shell:
-    cmd: "echo '393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c /tmp/influxdb.key' | sha256sum -c && cat /tmp/influxdb.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg > /dev/null"
+    cmd: "gpg --show-keys --with-fingerprint --with-colons /tmp/influxdata.key 2>&1 | grep -q '^fpr:\\+24C975CBA61A024EE1B631787C3D57159FC2F927:$' && cat /tmp/influxdata.key | gpg --dearmor | tee /usr/share/keyrings/influxdata.gpg > /dev/null"
-    creates: "/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg"
+    creates: "/usr/share/keyrings/influxdata.gpg"
 
 - name: server | telegraf | add repository
-  shell:
+  ansible.builtin.shell:
-    cmd: "echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list"
+    cmd: "echo 'deb [signed-by=/usr/share/keyrings/influxdata.gpg] https://repos.influxdata.com/debian stable main' | tee /etc/apt/sources.list.d/influxdata.list"
     creates: "/etc/apt/sources.list.d/influxdata.list"
 
 - name: server | telegraf | install telegraf
-  apt:
+  ansible.builtin.apt:
     name: "telegraf"
     state: latest
     update_cache: yes
 
 - name: server | telegraf | copy basic config
-  copy:
+  ansible.builtin.copy:
-    dest: "/etc/telegraf/{{ item }}"
+    dest: "/etc/telegraf/telegraf.d/{{ item | basename }}"
     src: "{{ item }}"
-  loop:
+  with_fileglob:
-    - telegraf.d/input_basics.conf
+    - "telegraf.d/*.conf"
-    - telegraf.d/output_influx.conf
   notify: restart_telegraf
 
+- name: Configure telegraf agent hostname
+  tags: telegraf
+  ansible.builtin.lineinfile:
+    path: /etc/telegraf/telegraf.conf
+    regexp: '^\s*#?\s*hostname\s*='
+    line: '  hostname = "{{ ansible_fqdn }}"'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart_telegraf
+  when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
+
+- name: Configure telegraf agent interval
+  tags: telegraf
+  ansible.builtin.lineinfile:
+    path: /etc/telegraf/telegraf.conf
+    regexp: '^\s*#?\s*interval\s*='
+    line: '  interval = "{{ telegraf_agent_interval }}"'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart_telegraf
+  when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
+
+- name: Configure telegraf agent flush_interval
+  tags: telegraf
+  ansible.builtin.lineinfile:
+    path: /etc/telegraf/telegraf.conf
+    regexp: '^\s*#?\s*flush_interval\s*='
+    line: '  flush_interval = "{{ telegraf_agent_flush_interval }}"'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart_telegraf
+  when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
+
+- name: Configure telegraf agent flush_jitter
+  tags: telegraf
+  ansible.builtin.lineinfile:
+    path: /etc/telegraf/telegraf.conf
+    regexp: '^\s*#?\s*flush_jitter\s*='
+    line: '  flush_jitter = "{{ telegraf_agent_flush_jitter }}"'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart_telegraf
+  when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
+
+- name: Configure telegraf agent collection_jitter
+  tags: telegraf
+  ansible.builtin.lineinfile:
+    path: /etc/telegraf/telegraf.conf
+    regexp: '^\s*#?\s*collection_jitter\s*='
+    line: '  collection_jitter = "{{ telegraf_agent_collection_jitter }}"'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart_telegraf
+  when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
+
+- name: Configure telegraf agent metric_batch_size
+  tags: telegraf
+  ansible.builtin.lineinfile:
+    path: /etc/telegraf/telegraf.conf
+    regexp: '^\s*#?\s*metric_batch_size\s*='
+    line: '  metric_batch_size = {{ telegraf_agent_metric_batch_size }}'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart_telegraf
+  when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
+
+- name: Configure telegraf agent metric_buffer_limit
+  tags: telegraf
+  ansible.builtin.lineinfile:
+    path: /etc/telegraf/telegraf.conf
+    regexp: '^\s*#?\s*metric_buffer_limit\s*='
+    line: '  metric_buffer_limit = {{ telegraf_agent_metric_buffer_limit }}'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart_telegraf
+  when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
+
+- name: Configure telegraf agent round_interval
+  tags: telegraf
+  ansible.builtin.lineinfile:
+    path: /etc/telegraf/telegraf.conf
+    regexp: '^\s*#?\s*round_interval\s*='
+    line: '  round_interval = {{ telegraf_agent_round_interval }}'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart_telegraf
+  when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
+
+- name: server | telegraf | create systemd override directory for telegraf
+  ansible.builtin.file:
+    path: /etc/systemd/system/telegraf.service.d
+    state: directory
+    mode: '0755'
+
+- name: server | telegraf | define systemd-limits
+  ansible.builtin.template:
+    src: telegraf-override.j2
+    dest: /etc/systemd/system/telegraf.service.d/override.conf
+  notify:
+    - reload_systemd
+    - restart_telegraf
+
   

roles/server/templates/telegraf-override.j2

@@ -0,0 +1,6 @@
+[Service]
+MemoryHigh={{ telegraf_memory_high }}
+MemoryMax={{ telegraf_memory_max }}
+MemorySwapMax={{ telegraf_memory_swap_max }}
+Restart=on-failure
+RestartSec=5

roles/webservers/tasks/apps/nextcloud/prereq.yml

@@ -1,5 +1,5 @@
 - name: webservers | nextcloud | basic tools
-  package:
+  ansible.builtin.package:
     state: latest
     name:
       - ca-certificates
@@ -10,19 +10,19 @@
   when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
 
 - name: webservers | nextcloud | prereq | get php repo key
-  uri:
+  ansible.builtin.uri:
     url: "https://packages.sury.org/php/apt.gpg"
     dest: "/etc/apt/trusted.gpg.d/php.gpg"
 
 - name: webservers | nextcloud | prereq | add php repo
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: "/etc/apt/sources.list.d/php.list"
     state: present
     line: "deb https://packages.sury.org/php/ {{ ansible_distribution_release | lower }} main"
     create: True
   
 - name: webservers | nextcloud | prereq | install php
-  package:
+  ansible.builtin.package:
     state: latest
     name: "{{ item.package }}"
     update_cache: True