inputs.docker does not support perdevice and total

syntax

.vscode/settings.json

@@ -1,4 +1,5 @@
 {
     "editor.fontFamily": "'JetBrains Mono', 'NotoMono NF', 'DejaVuSansMono NF', 'MesloLGS NF', 'Droid Sans Mono', 'monospace', monospace, 'Droid Sans Fallback'",
-    "editor.fontSize": 17
+    "editor.fontSize": 17,
+    "ansible.python.interpreterPath": "/bin/python"
 }

ansible.cfg

@@ -2,6 +2,6 @@
 inventory = /opt/ansible-pull/hosts
 log_path = ~/ansible.log
 retry_files_enabled = False
-deprecation_warnings=False
+deprecation_warnings = True
 [inventory]
 enable_plugins = ini

collections/requirements.yml

@@ -0,0 +1,4 @@
+---
+collections:
+  - name: community.general
+    version: ">=6.0.0" # Es ist eine gute Praxis, eine Mindestversion anzugeben

global_handlers/aide.yml

@@ -0,0 +1,42 @@
+---
+- name: system setup | aide | install aide package
+  tags: aide,hardening,system
+  package:
+    name: aide
+    state: present
+
+- name: system setup | aide | check if aide database exists
+  tags: aide,hardening,system
+  stat:
+    path: /var/lib/aide/aide.db
+  register: aide_db
+
+- name: system setup | aide | initialize aide database if it does not exist
+  tags: aide,hardening,system
+  block:
+    - name: system setup | aide | run aide --init (this may take a while)
+      command: aide --config /etc/aide/aide.conf --init
+      register: aide_init_result
+      changed_when: "'AIDE, version' in aide_init_result.stdout"
+      async: 1800 # Allow up to 30 minutes for initialization
+      poll: 15
+
+    - name: system setup | aide | copy new database to be the active one
+      copy:
+        src: /var/lib/aide/aide.db.new
+        dest: /var/lib/aide/aide.db
+        remote_src: true
+        owner: root
+        group: root
+        mode: '0600'
+      when: aide_init_result.changed
+  when: not aide_db.stat.exists
+
+- name: system setup | aide | schedule daily check
+  tags: aide,hardening,system
+  cron:
+    name: "AIDE daily check"
+    minute: "0"
+    hour: "5"
+    job: "/usr/bin/aide --config /etc/aide/aide.conf --check"
+    cron_file: aide_check # Creates /etc/cron.d/aide_check

global_handlers/global_handlers.yml

@@ -1,9 +1,39 @@
-- name: restart_nginx
+---
+- name: apt_update
+  apt:
+    update_cache: yes
+  when: ansible_os_family == "Debian"
+
+- name: restart_sshd
   service:
-    name: "nginx"
+    name: "{{ openssh_service }}"
     state: restarted
 
-- name: restart_snmpd
+- name: restart_fail2ban
   service:
-    name: "snmpd"
+    name: "fail2ban"
+    state: restarted
+
+- name: restart_logind
+  service:
+    name: "logind"
+    state: restarted
+
+- name: reload ufw
+  command: ufw reload
+  listen: "reload ufw firewall"
+
+- name: restart auditd
+  service:
+    name: auditd
+    state: restarted
+
+- name: restart rsyslog
+  ansible.builtin.service:
+    name: rsyslog
+    state: restarted
+
+- name: restart_telegraf
+  ansible.builtin.service:
+    name: "telegraf"
     state: restarted

group_vars/server

@@ -1 +1,12 @@
-mta_package: "ssmtp"
+$ANSIBLE_VAULT;1.1;AES256
+33393965343936656232313034313838313330336565336265383361373666343366623535353432
+6465366237353937396136613539646634653233376339650a323436313066653566373335643766
+65376439303639363262333537373661656363366561613432643536373637653862356261613739
+3963643534613338300a313634353631373635333435346266613238633831356332633332376362
+30333434663365396639613336636138373964383063393862363531343866386537306664393863
+64653836613864636635346135633630313261623032613161613661303630623462336335366461
+30613366383265656264326432653339323736623933326132323866643939303233646237633936
+65373031386338323463623631656461653163333163666232656664386362663666373039613237
+64383437316463333630646333633162333836633639633564633762653134623430336661366233
+61353861363062616135383936343938663737336233376165336135653930636430346139393536
+663362613262363561376631616138366662

host_vars/LIFEBOOK-U939.yml

@@ -0,0 +1 @@
+lifebook-u939.yml

host_vars/TUXEDO-Book-XP1511.universe.local.yml

@@ -2,6 +2,8 @@
 ssh_port: 22
 ssh_users: rene
 
+copy_ssh_priv_keys: true
+
 # purpose selection
 database: false
 development: true
@@ -38,7 +40,7 @@ broot: true
 chromium: true
 clonezilla: true
 cmatrix: true
-davinci-resolve: true
+davinci_resolve: true
 dbeaver: true
 digikam: true
 dislocker: true

host_vars/adguard.universe.local.yml

@@ -1,3 +1,7 @@
 ---
 netdata: false
 set_hosts: true
+
+agh_cpu: amd64
+agh_os: linux
+agh_channel: release

host_vars/agh01.universe.local.yml

@@ -0,0 +1,3 @@
+---
+netdata: false
+set_hosts: true

host_vars/backup.universe.local.yml

@@ -1,29 +0,0 @@
-hosts_to_backup:
-  - { hostname: "mailcow", fqdn: "mewissen.site", ip: "192.168.3.8" }
-  - { hostname: "jitsi", fqdn: "mewimeet.de", ip: "192.168.3.10" }
-  - { hostname: "mewitoot", fqdn: "mewitoot.de", ip: "192.168.3.11" }
-  - { hostname: "coruscant", fqdn: "coruscant.universe.local" }
-  - { hostname: "ns1", fqdn: "ns1.universe.local" }
-  - { hostname: "docker01", fqdn: "docker01.universe.local" }
-  - { hostname: "pi-alert", fqdn: "pi-alert.universe.local" }
-  - { hostname: "mariadb01", fqdn: "mariadb01.universe.local" }
-  - { hostname: "mariadb02", fqdn: "mariadb02.universe.local" }
-  - { hostname: "mariadb03", fqdn: "mariadb03.universe.local" }
-  - { hostname: "icinga", fqdn: "icinga.universe.local" }
-  - { hostname: "samba-ad-dc", fqdn: "samba-ad-dc.universe.local" }
-  - { hostname: "webserver", fqdn: "webserver.universe.local" }
-  - { hostname: "elk-stack", fqdn: "elk-stack.universe.local" }
-  - { hostname: "netbox", fqdn: "netbox.universe.local" }
-  - { hostname: "haproxy01", fqdn: "haproxy01.universe.local" }
-  - { hostname: "haproxy02", fqdn: "haproxy02.universe.local" }
-  - { hostname: "librenms", fqdn: "librenms.universe.local" }
-  - { hostname: "pi-hole", fqdn: "pi-hole.universe.local" }
-  - { hostname: "adguard", fqdn: "adguard.universe.local" }
-  - { hostname: "grafana", fqdn: "grafana.universe.local" }
-  - { hostname: "nextcloud", fqdn: "nextcloud.universe.local" }
-  - { hostname: "dhcp-kea", fqdn: "dhcp-kea.universe.local" }
-  - { hostname: "dhcp-stork", fqdn: "dhcp-stork.universe.local" }
-  - { hostname: "unbound01", fqdn: "unbound01.universe.local" }
-  - { hostname: "unbound02", fqdn: "unbound02.universe.local" }
-  - { hostname: "mail", fqdn: "mail.universe.local" }
-  - { hostname: "graylog", fqdn: "graylog.universe.local" }

host_vars/caddy.universe.local.yml

@@ -0,0 +1 @@
+caddy: true

host_vars/dnspri.universe.local.yml

@@ -0,0 +1,2 @@
+powerdns_server: True
+powerdns_primary: True

host_vars/dnssec1.universe.local.yml

@@ -0,0 +1,4 @@
+powerdns_server: True
+powerdns_primary: False
+powerdns_secondary: True
+pdns_pri_server: "192.168.1.190"

host_vars/dnssec2.universe.local.yml

@@ -0,0 +1 @@
+dnssec1.universe.local.yml

host_vars/docker01.universe.local.yml

@@ -1,2 +1,2 @@
 ---
-run_portainer: true
+run_portainer: false

host_vars/docker02

@@ -0,0 +1,3 @@
+---
+run_portainer: false
+run_portainer_agent: true

host_vars/docker02.universe.local.yml

@@ -1,2 +1,3 @@
 ---
 run_portainer: false
+run_portainer_agent: true

host_vars/drone.universe.local.yml

@@ -0,0 +1 @@
+---

host_vars/graylog.universe.local.yml

@@ -0,0 +1 @@
+---

host_vars/learningdjango.universe.local.yml

@@ -0,0 +1,3 @@
+---
+netdata: true
+set_hosts: true

host_vars/lifebook-u939.universe.local.yml

@@ -0,0 +1,71 @@
+---
+ssh_port: 22
+ssh_users: rene
+
+copy_ssh_priv_keys: true
+
+# purpose selection
+database: false
+development: false
+dhcpserver: false
+fileserver: false
+mailserver: false
+mobile: true
+nameserver: false
+photo_editing: false
+printspooler: false
+proxyserver: false
+video_editing: false
+webserver: false
+
+# shell selection
+zsh: true
+
+# desktop environment selection
+cinnamon: true
+deepin: false
+gnome: false
+kde: false
+mate: false
+xfce: false
+
+# application selection
+alacritty: true
+alsa: true
+autofs: true
+bashtop: true
+borgbackup: true
+brave: true
+broot: true
+chromium: true
+clonezilla: true
+cmatrix: true
+davinci_resolve: false
+dbeaver: false
+digikam: false
+dislocker: true
+docker: false
+exa: true
+filelight: true
+firefox: true
+games: true
+gimp: false
+google_chrome: false
+joplin: true
+keepass: false
+keepassxc: true
+libreoffice: true
+midnightcommander: true
+nextcloud_client: true
+nvidia: false
+obs: false
+pacaur: false
+ranger: true
+screenkey: true
+syncthing: true
+thunderbird: true
+vifm: true
+virtualbox: false
+vivaldi: false
+yay: false
+yubikey: true

host_vars/lifebook-u939.yml

@@ -0,0 +1 @@
+lifebook-u939.universe.local.yml

host_vars/mail.mewissen.site.yml

@@ -1,17 +1,22 @@
----
+$ANSIBLE_VAULT;1.1;AES256
-branch: master
+36303665633161336631373965373436653433326630666234393137316361616636396238303139
-
+3731666534646135346536663965306164383361333566350a666337353564643066646366643961
-#ansible_cron_minute: "40"
+32353636396134396531333939363338393331353735663363653636383333336333666361623330
-#ssh_port: 22
+6662663864633664390a383033343563623732333064376331303536666633306139623865353539
-#ssh_users: "user1 user2"
+33613262316161653364326433303263616665316261323965336263313064656433383331653432
-copy_ssh_priv_keys: false
+36666461306437316137633261663062633734353130386432623463613366326363383431343433
-
+38633564646635666162353736643966656537313531336365303762663562623064316333303131
-# platform-specific
+61643439323238373837633566636563646537343533613262383832353338643934333939383464
-linode_instance: false
+65303636613638643065303337316662373538653230363764633534656365356563393462333964
-microcode_amd_install: false
+39336464666337653263353434663039326663353638313161396439303733383265653961666361
-microcode_intel_install: false
+62366333373237643732303533326166353534303066303664613532666331646665643763323966
-proxmox_instance: false
+38623730326630306536343530653234663864386662653130353334343363323232323966393363
-raspberry_pi: false
+38353465643434613837653939376665303933376437346161656231313832643264653830663535
-
+63333165623036653566616266373162303035366632316135626131376162636637643334356131
-# server
+36636166366234343966343231366361383162633236626665653365393661346235626161333861
-unattended_upgrades: true
+32316465663465653933356561616366373735636664373962323939653234393661663834613136
+66383463626632333432343164333963373065373831656438616133326436646437326565356334
+32663262376163623530653363666331333838643764383661313935643935386463393037633439
+39613635623866396439613137376262393433306565336432343933306437346561653434313336
+30306262653833623739626534646162643537343666343735336138613661623461326664363561
+38636566613363303631643637613535316366636137376364613562646236333838

host_vars/mewimeet.com.yml

@@ -1,25 +1,26 @@
----
+$ANSIBLE_VAULT;1.1;AES256
-branch: master
+61306233663762613238316535386561663239336432623063636665373333373834376462323062
-hostname: mewimeet.com
+3262653861663137323539363633333263343132396564320a393939356234303136353832343266
-
+33336563613932646332356663386537633132323062643838363763616533396332666238323435
-ansible_cron_minute: "40"
+6430633233333631300a313637636265303831613363333330336265336330636231643666643634
-ssh_port: 22
+31346662646634346138353231326534656438343033333363313132326165376536393264653335
-ssh_users: "user1 user2"
+34363835303430353838366538626363636336323831306334373933303164633466613862333936
-
+30396238356438373235316137333439346238643939393330313236353666656635356632343561
-# platform-specific
+37316537663466653234363938313138353235356466386230323735646234653465393130636531
-linode_instance: true
+38396631333365373632366563336538353163636235346638363439366338636266373836316236
-microcode_amd_install: false
+30373165643236306630323432643363613662376637353537633230356537343666656639616432
-microcode_intel_install: false
+30346539393034626538623362636665643630643666636135336463616130383530616135393366
-proxmox_instance: false
+31356535313932313264386631313062353436653764653330353837326663353137386236386234
-raspberry_pi: false
+63363331373736336538353331326531663262313330626636643061666561333566623635313836
-preinstalled: true
+63306462363961396639326435666633633532326635356430386436336666343766626530333232
-
+36366466303666393262336334353935346433336633373035663433356561303766353930643736
-# server
+32633762393136393039653365626165636233323838303364666436393663656362343033363534
-set_hosts: true
+38653832333063323765383036626563316637383636633339366235613439616138366633323636
-unattended_upgrades: true
+31356333363931613230393934356261633965393464336135333238616131333564343235633233
-web_server: true
+34643863393962336461386439343333383763613730346661346430336133316262643939383065
-netdata: true
+39633261313732653063336161383033323231626337663237323063656230366663366538306534
-
+36643665386234643138646636663537623262373839383731353866383562643363666561646630
-# VPN
+38313331653962613864323737613530353938663962636663396563356166643766626335396361
-wireguard: true
+66323230336333303730323730393532353562303636626330616336646635623662656462666430
-wg_local_ip: 192.168.3.6/32
+30613664346135653065623537646130323238333463393535343136373461653637613637663736
+3837

host_vars/mewimeet.de.yml

@@ -1,27 +1,30 @@
----
+$ANSIBLE_VAULT;1.1;AES256
-branch: master
+37623231323337643262313535353365666336346530326262633831333230303838343639623239
-hostname: mewimeet.de
+6236376565363635633362626465383334323966303930340a363162386161653035363264313861
-
+31616565633638633531623932303264386638363161363366386265333661373965666564306461
-ansible_cron_minute: "40"
+6565613533343734350a393330306162626633666531326334613764313162323833646235396361
-ssh_port: 22
+66386564373561366364663239613566303238333735633362663936636566643033656331646266
-ssh_users: "user1 user2"
+35636462393831663933353535373732373862383739613930393665616138313263383766343738
-
+38383431636461636139363436663962656131363239303134396632323838653362353738653733
-# platform-specific
+30643435346565303463653035656637653030636564303736393962333230633935306237366231
-linode_instance: true
+30653331346335373931666632346466643266633561663830643739353530633131393163656138
-microcode_amd_install: false
+31613061633633646130646339386561386539356533393966316433353030626463363532663764
-microcode_intel_install: false
+65363965303538303161306666373462356336643832343138636663616436356635653464333233
-proxmox_instance: false
+38303938393665353562343436626338333934303162643063623862323534393262343432336634
-raspberry_pi: false
+39353639626337373331616261303762333938386366633634393961626135613837303435313164
-preinstalled: true
+37333230313466373831373738313131666631613234383165333931336565646635306136363238
-
+33386433323561353838353063653034613933636665333734343133623261626263313631336434
-# server
+35386262623733666364633366626630353835376131663535316666633363346565303433623061
-set_hosts: true
+36663165633039326230356538336265666336346132383935663963633661336431313830316666
-unattended_upgrades: true
+32623430333433633266323437626630613461313764383230666230343963306266306138333436
-web_server: true
+38656631336232356461343362663533386165633763366136376330316330303530336538643739
-netdata: true
+65336333383363343839366536643835353235613665636530393565633234633930653030313830
-bind: true
+66656439636166656364356130333761333634386130353636646464346464373239616637623963
-unbound: true
+32316330393330346133613763636237656463656363386439623964633564356564663132346233
-
+34373138663065303363666466333638376561613838646164373334383630323032386165613234
-# VPN
+62636530356665336333376263346130653637373665303136333437363062633831323433643432
-wireguard: true
+33643238383230373461333735623833336134383233663630363431613366306533393164626666
-wg_local_ip: 192.168.3.10/24
+37643334313965333461636433343331366639353838386630623533383864353663646433363430
+65393437353031393235613933393236356637646334656261616135323533313238306536366561
+35346531346431643038383431336463653165656230346265373463383462396437623563626438
+65653432336538346237383461386336636665303866613664653765393539656134

host_vars/mewitoot.de.yml

@@ -1,30 +1,33 @@
----
+$ANSIBLE_VAULT;1.1;AES256
-branch: master
+35316331613562646337303937613236363263393739626530333265356566623430316533383031
-hostname: mewitoot.de
+3166386236376266336664313737633436303634383034630a653739323136393865343961306161
-set_hosts: True
+33656165646637343532643131653536363561313535653665666234656332633266333835353239
-
+6336303531636138390a656339653330316566663231383065643866333861653333663463363764
-ansible_cron_minute: "40"
+38363833383133303966633764396436393138633435356164363365646439373835393236313961
-ssh_port: 22
+66666366643863313962636135646266333938663532353061663865313131646132336637386431
-ssh_users: "user1 user2"
+66396236646633386465386333343564346163363437313433626361366565653533653536363865
-
+31643837663339336562303464333834626336323231663238613437306262663463633866343131
-# platform-specific
+32393534616265393439383035393132326430313432393832663335626536323261313336653732
-linode_instance: true
+61303537353933363534343234373962623463613836393336333261643234393838653666333233
-microcode_amd_install: false
+37326133356231316634643263316366353065343433653030333339663832646537386631663531
-microcode_intel_install: false
+63306162616632343833356361666433323031376463316138336438643133313932346162633134
-proxmox_instance: false
+62306337623064323533326562316232633334353761383336336662393664653839653335646466
-raspberry_pi: false
+66633431316436626137643562336662653763396232333434303734613931623634356438313331
-
+36663236646162633030663766376639666538306132353863613563336530323765643665656466
-# server
+36643332626166353432313661313330366161626334353831323034323766363266653762346362
-unattended_upgrades: true
+30656337383638623038313838323462316132383430383337636638366239323731666235623663
-web_server: true
+36303963613365633233653031353436363636333965356462353130303066303861316436363330
-netdata: true
+36383735333439663433356366643430306333656433643539346632663064323636373731633230
-bind: true
+31303663613138396531623463306131636430366630626331313665323761396561386636353562
-unbound: true
+34663430333661333765613235383231366264353564333031333966356338653135616637616363
-
+34323930613136643433363861636630313233613763653765643238343839353930336235613032
-# VPN
+64356361646639343763643166626632353663363561656638643731396563363639353466386533
-wireguard: true
+35343262666564383964353631363038363235643531663830313263633661303161323166643237
-wg_local_ip: 192.168.3.11/24
+66396166336362323137353839396165333936376265316461663630636532633632326336393565
-
+38613330383064626233306166383435346531643638323563336139653537643033376434666164
-# Application
+30643933366631373461393533343364343266366161363961316162386236356231656662653366
-migration: true
+62333765326262653463323131666161663334633337663431383836363962656664643033636564
-mastodon_host: "{{ hostname }}"
+61643230353764346236393664336232623636643030356339643466356566336638626536643161
+34643465376633616538366332386135623764313433326262363564663332346162306136656235
+65353264623239663735346166653633356333373464616433333364326530373263343231346530
+37363761623535623534

host_vars/pixelfed.universe.local.yml

@@ -0,0 +1,3 @@
+---
+run_portainer: false
+run_portainer_agent: true

host_vars/pve-ha.universe.local.yml

@@ -0,0 +1,2 @@
+---
+is_proxmox: true

host_vars/pve2.universe.local.yml

@@ -0,0 +1,2 @@
+---
+is_proxmox: true

host_vars/truenas.universe.local.yml

@@ -0,0 +1 @@
+---

hosts

@@ -6,22 +6,44 @@ glustertest
 
 [server]
 AdGuard.universe.local
-pve.universe.local
+agh01.universe.local
-netbox.universe.local
+dhcp-stork.universe.local
-samba-ad-dc.universe.local
+elk-stack.universe.local
-librenms.universe.local
 grafana.universe.local
+graylog.universe.local
 haproxy01.universe.local
 haproxy02.universe.local
-elk-stack.universe.local
+learningdjango.universe.local
+librenms.universe.local
+netbox.universe.local
+ntfy.universe.local
+paperless.universe.local
+pi-alert.universe.local
+pi-alert-lan.universe.local
+pi-hole.universe.local
+pixelfed.universe.local
+pve.universe.local
+pve2.universe.local
+pve-ha.universe.local
+samba.universe.local
+samba-ad-dc1.universe.local
+samba-ad-dc2.universe.local
+shinobi.universe.local
+step-ca.universe.local
+truenas.universe.local
+wazuh.universe.local
+zoneminder.universe.local
 
 [server:children]
 auth
 backup
+bastionhost
 cluster
 database
 dhcpserver
 docker
+domaincontroller
+drone
 fileserver
 icinga
 jitsimeet
@@ -30,16 +52,20 @@ mastodon
 nameserver
 printspooler 
 proxyserver
-webserver
+reverseproxy
+webservers
 
 [auth]
 freeradius.universe.local
 
+[bastionhost]
+bastion.universe.local
+newbastion.universe.local
+
 [backup]
 backup.universe.local
 
 [database]
-coruscant.universe.local
 mariadb01.universe.local
 mariadb02.universe.local
 mariadb03.universe.local
@@ -50,16 +76,22 @@ endorvm.universe.local
 tuxedo-book-xp1511.universe.local
 
 [dhcpserver]
-coruscant.universe.local
 dhcp-kea.universe.local
 
 [docker]
 docker01.universe.local
-docker02.universe.local
+docker02
+
+[domaincontroller]
+samba-ad-dc.universe.local
+samba-ad-dc1.universe.local
+samba-ad-dc2.universe.local
+
+[drone]
+drone.universe.local
 
 [fileserver]
-coruscant.universe.local
+nfs-server.universe.local
-samba-ad-dc.universe.local
 
 [glustertest]
 glustertest01.universe.local
@@ -79,7 +111,6 @@ icinga_satellite
 mewimeet.de jitsi_fqdn=mewimeet.de
 
 [mailserver]
-coruscant.universe.local
 mail.mewissen.site
 mailcow.universe.local
 mail.universe.local
@@ -90,34 +121,47 @@ ubuntu-test.universe.local
 
 [mobile]
 tuxedo-book-xp1511.universe.local
+lifebook-u939.universe.local
+LIFEBOOK-U939
 
 [nameserver]
-coruscant.universe.local
+dnspri.universe.local
+dnssec1.universe.local
+dnssec2.universe.local
 mewimeet.de
 mewitoot.de
 ns1.universe.local
 unbound01.universe.local
 unbound02.universe.local
 
+[omada_controller]
+omada.universe.local
+
 [photo_editing]
 endor.universe.local
 endorvm.universe.local
 tuxedo-book-xp1511.universe.local
 
+[podman_servers]
+podman01.universe.local
+podman02.universe.local
+
 [printspooler]
-coruscant.universe.local
 
 [proxyserver]
-coruscant.universe.local
+tinyproxy.universe.local
+
+[reverseproxy]
+caddy.universe.local
 
 [video_editing]
 endor.universe.local
 endorvm.universe.local
 tuxedo-book-xp1511.universe.local
 
-[webserver]
+[webservers]
-coruscant.universe.local
 nextcloud.universe.local 
+searx.universe.local 
 webserver.universe.local 
 
 [workstation:children]

local.yml

@@ -1,39 +1,76 @@
 ---
 - hosts: all
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   connection: local
   vars_files:
-    - "os_vars/{{ ansible_distribution | lower }}.yml"
+    - "{{ lookup('first_found', ['os_vars/' + (ansible_distribution | lower) + '.yml'], errors='ignore') }}"
   become: true
+  vars:
+    ansible_reboot_cooldown_minutes: 15 # Cooldown in Minuten
+    ansible_pull_marker_file: /var/tmp/ansible_pull.last_run
 
   pre_tasks:
-    - name: pre-run | update apt repository (debian, ubuntu, etc.)
+    - name: pre-run | get status of marker file
-      apt: update_cache=yes
+      ansible.builtin.stat:
-      changed_when: false
+        path: "{{ ansible_pull_marker_file }}"
-      when: ansible_distribution in ["Debian", "Ubuntu"]
+      register: marker_file_stat
-    - name: pre-run | upgrade system (debian, ubuntu, etc.)
+      tags: always
-      apt: upgrade=dist
+
-      changed_when: false
+    - name: pre-run | check if last run was within cooldown period
-      when: ansible_distribution in ["Debian", "Ubuntu"]
+      ansible.builtin.meta: end_play
+      when:
+        - marker_file_stat.stat.exists
+        - (ansible_date_time.epoch | int) - (marker_file_stat.stat.mtime | int) < (ansible_reboot_cooldown_minutes | int * 60)
+      tags: always
+
+    - name: pre-run | set marker file path as a cached fact
+      ansible.builtin.set_fact:
+        ansible_pull_marker_file: "{{ ansible_pull_marker_file }}"
+        cacheable: true
+      tags: always
+
+    - name: pre-run | update apt repository (debian, ubuntu, etc.) # noqa no-changed-when
+      ansible.builtin.apt: update_cache=yes
+      #changed_when: false
+      when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
+      ignore_errors: True
     - name: pre-run | update pacman repository (arch)
-      pacman: update_cache=yes
+      community.general.pacman: update_cache=yes
-      changed_when: false
+      #changed_when: false
       when: ansible_distribution == 'Archlinux'
+      ignore_errors: True
     - name: pre-run |update portage repository (gentoo)
       portage:
         sync: yes
       when: ansible_distribution == 'Gentoo'
       ignore_errors: True
 
+
+- hosts: all:!database
+  pre_tasks:
+    - name: pre-run | upgrade system (debian, ubuntu, etc.)
+      ansible.builtin.apt: upgrade=dist
+      #changed_when: false
+      when: ansible_distribution in ["Debian", "Ubuntu", "Linux Mint"]
+      ignore_errors: True
+    - name: pre-run | upgrade system (arch)
+      community.general.pacman: upgrade=true
+      when: ansible_distribution == 'Archlinux'
+      ignore_errors: True
+
 # run roles
 - hosts: all
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   tags: base
   become: true
   roles:
     - base
 
 # - hosts: workstation
+#   handlers:
+#     - import_tasks: global_handlers/global_handlers.yml
 #   tags: workstation
 #   become: true
 #   roles:
@@ -44,28 +81,52 @@
   become: true
   roles:
     - server
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
+
+- hosts: bastionhost
+  tags: server,bastionhost
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
+  become: true
+  roles:
+    - bastionhost
+  post_tasks:
+    - name: Update AIDE database if changes were made
+      ansible.builtin.include_role:
+        name: bastionhost
+        tasks_from: system_setup/aide_update.yml
+      when: (aide_db_needs_update is defined and aide_db_needs_update) and (aide_db is defined and aide_db.stat.exists)
 
 - hosts: nameserver
   tags: server,nameserver
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - nameserver
 
-- hosts: webserver
+- hosts: webservers
-  tags: server,webserver
+  tags: server,webservers
   become: true
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
-    - webserver
+    - webservers
 
 - hosts: mailserver
   tags: server,mailserver
   become: true
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - mailserver
 
 - hosts: database
   tags: server,database
   become: true
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - database
 
@@ -77,10 +138,28 @@
 
 - hosts: docker
   tags: server,docker
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - docker
 
+- hosts: podman_servers
+  tags: server,podman
+  become: true
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
+  roles:
+    - podman
+
+- hosts: drone
+  tags: server,docker,drone
+  become: true
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
+  roles:
+    - drone
+
 # - hosts: fileserver
 #   tags: server,fileserver
 #   become: true
@@ -89,6 +168,8 @@
 
 - hosts: mastodon
   tags: server,mastodon
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - mastodon
@@ -100,17 +181,37 @@
 #     - printspooler
 
 - hosts: jitsimeet
-  tags: server,jitsimeet,webserver
+  tags: server,jitsimeet,webservers
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - jitsimeet
 
+- hosts: omada_controller
+  tags: server,omada_controller
+  become: true
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
+  roles:
+    - omada-controller
+
 - hosts: backup
   tags: server,backup
   become: true
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - backup
 
+- hosts: reverseproxy
+  tags: server,reverseproxy
+  become: true
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
+  roles:
+    - reverseproxy
+
 # - hosts: proxyserver
 #   tags: server,proxyserver
 #   become: true
@@ -120,21 +221,26 @@
 # end of roles; cleanup and reporting
 - hosts: all
   become: true
-  tasks:
+  post_tasks:
     - name: cleanup package cache (debian and ubuntu)
       tags: always
-      apt:
+      ansible.builtin.apt:
         autoclean: yes
       changed_when: false
-      when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"]
+      when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu", "Linux Mint"]
 
     - name: autoremove orphan packages (debian and ubuntu)
       tags: always
-      apt:
+      ansible.builtin.apt:
         autoremove: yes
         purge: yes
-      when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu"]
+      when: ansible_distribution in ["Debian", "Pop!_OS", "Ubuntu", "Linux Mint"]
 
+    - name: post-run | update marker file timestamp on successful run
+      file:
+        path: "{{ ansible_pull_marker_file }}"
+        state: touch
+      tags: always
     # - name: send completion alert
     #   include_tasks: playbooks/send_completion_alert.yml
     #   tags: always

os_vars/archlinux.yml

@@ -0,0 +1,2 @@
+aur_helper: "paru"
+aur_build_user: "aur_builder"

os_vars/debian.yml

@@ -1,4 +1,4 @@
-snmp-user: Debian-snmp
+snmp_user: Debian-snmp
 mta_package: ssmtp
 
 redis_pkgs:

os_vars/linux mint.yml

@@ -0,0 +1 @@
+ubuntu.yml

os_vars/ubuntu.yml

@@ -1,4 +1,4 @@
-snmp-user: Debian-snmp
+snmp_user: Debian-snmp
 mta_package: ssmtp
 
 redis_pkgs:

roles/backup/files/config/adguard_excludes.txt

@@ -0,0 +1 @@
+querylog.json

roles/backup/files/config/adguard_includes.txt

@@ -1,3 +1 @@
-/etc
 /opt/AdGuardHome
-/var/spool/cron/crontabs

roles/backup/files/config/agh01_excludes.txt

@@ -0,0 +1 @@
+querylog.json

roles/backup/files/config/agh01_includes.txt

@@ -0,0 +1 @@
+/opt/AdGuardHome

roles/backup/files/config/backup_remote.conf

@@ -1,28 +0,0 @@
-mailcow;/opt/backup/config/mailcow_includes.txt;/opt/backup/config/mailcow_excludes.txt
-jitsi;/opt/backup/config/jitsi_includes.txt;/opt/backup/config/jitsi_excludes.txt
-mewitoot;/opt/backup/config/mewitoot_includes.txt;/opt/backup/config/mewitoot_excludes.txt
-coruscant;/opt/backup/config/coruscant_includes.txt;/opt/backup/config/coruscant_excludes.txt
-ns1;/opt/backup/config/ns1_includes.txt;/opt/backup/config/ns1_excludes.txt
-docker01;/opt/backup/config/docker01_includes.txt;/opt/backup/config/docker01_excludes.txt
-pi-alert;/opt/backup/config/pi-alert_includes.txt;/opt/backup/config/pi-alert_excludes.txt
-mariadb01;/opt/backup/config/mariadb01_includes.txt;/opt/backup/config/mariadb01_excludes.txt
-mariadb02;/opt/backup/config/mariadb02_includes.txt;/opt/backup/config/mariadb02_excludes.txt
-mariadb03;/opt/backup/config/mariadb03_includes.txt;/opt/backup/config/mariadb03_excludes.txt
-icinga;/opt/backup/config/icinga_includes.txt;/opt/backup/config/icinga_excludes.txt
-samba-ad-dc;/opt/backup/config/samba-ad-dc_includes.txt;/opt/backup/config/samba-ad-dc_excludes.txt
-webserver;/opt/backup/config/webserver_includes.txt;/opt/backup/config/webserver_excludes.txt
-elk-stack;/opt/backup/config/elk-stack_includes.txt;/opt/backup/config/elk-stack_excludes.txt
-netbox;/opt/backup/config/netbox_includes.txt;/opt/backup/config/netbox_excludes.txt
-haproxy01;/opt/backup/config/haproxy01_includes.txt;/opt/backup/config/haproxy01_excludes.txt
-haproxy02;/opt/backup/config/haproxy02_includes.txt;/opt/backup/config/haproxy02_excludes.txt
-librenms;/opt/backup/config/librenms_includes.txt;/opt/backup/config/librenms_excludes.txt
-pi-hole;/opt/backup/config/pi-hole_includes.txt;/opt/backup/config/pi-hole_excludes.txt
-adguard;/opt/backup/config/adguard_includes.txt;/opt/backup/config/adguard_excludes.txt
-grafana;/opt/backup/config/grafana_includes.txt;/opt/backup/config/grafana_excludes.txt
-nextcloud;/opt/backup/config/nextcloud_includes.txt;/opt/backup/config/nextcloud_excludes.txt
-dhcp-kea;/opt/backup/config/dhcp-kea_includes.txt;/opt/backup/config/dhcp-kea_excludes.txt
-dhcp-stork;/opt/backup/config/dhcp-stork_includes.txt;/opt/backup/config/dhcp-stork_excludes.txt
-unbound01;/opt/backup/config/unbound01_includes.txt;/opt/backup/config/unbound01_excludes.txt
-unbound02;/opt/backup/config/unbound02_includes.txt;/opt/backup/config/unbound02_excludes.txt
-mail;/opt/backup/config/mail_includes.txt;/opt/backup/config/mail_excludes.txt
-graylog;/opt/backup/config/graylog_includes.txt;/opt/backup/config/graylog_excludes.txt

roles/backup/files/config/coruscant_excludes.txt

@@ -6,8 +6,6 @@
 /root/backup/
 files_versions/
 files_trashbin/
-lost\+found
-*.bak
 .local/share/Steam/Steamapps
 grav.log
 

roles/backup/files/config/coruscant_includes.txt

@@ -2,8 +2,6 @@
 /Daten/ossn
 /Daten/owncloud
 /Daten/tdps
-/etc
-/home
 /opt/docker-compose-projects/available/Rocket.Chat
 /opt/docker-compose-projects/available/docker-matrix-data-v0.9
 /opt/docker-compose-projects/available/docker-matrix-data-v1.0
@@ -21,12 +19,10 @@
 /opt/docker-compose-projects/available/searx
 /opt/librenms
 /opt/tdps/tdps.config
-/root
 /usr/share/icingaweb2
 /var/git
 /var/lib/docker/volumes
 /var/lib/icinga2
 /var/lib/samba
-/var/spool/cron
 /var/svn
 /var/www

roles/backup/files/config/dhcp-kea_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/dhcp-stork_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/docker01_includes.txt

@@ -1,4 +1 @@
-/etc
-/opt/docker
 /var/lib/docker/volumes
-/var/spool/cron/crontabs

roles/backup/files/config/docker02_excludes .txt

@@ -0,0 +1 @@
+peertube.test

roles/backup/files/config/docker02_includes.txt

@@ -0,0 +1,2 @@
+/opt/docker
+/var/lib/docker/volumes

roles/backup/files/config/elk-stack_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/generic_excludes.txt

@@ -0,0 +1,3 @@
+lost\+found
+*.bak
+.debug

roles/backup/files/config/generic_includes.txt

@@ -0,0 +1,4 @@
+/etc
+/home
+/root
+/var/spool/cron

roles/backup/files/config/grafana_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/graylog_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/haproxy01_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/haproxy02_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/icinga_includes.txt

@@ -1,4 +1,8 @@
-/etc
+/usr/share/icinga-L10n
-/usr/share/icinga*
+/usr/share/icinga-php
+/usr/share/icinga2
+/usr/share/icinga2-ido-mysql
+/usr/share/icingadb
+/usr/share/icingadb-redis
+/usr/share/icingaweb2
 /usr/lib/icinga2
-/var/spool/cron/crontabs

roles/backup/files/config/jitsi_excludes.txt

@@ -1 +0,0 @@
-*.bak

roles/backup/files/config/jitsimeet_includes.txt

@@ -1,6 +1,3 @@
-/etc
-/home
-/root
 /usr/share/jicofo
 /usr/share/jitsi-meet
 /usr/share/jitsi-meet-prosody
@@ -8,5 +5,4 @@
 /usr/share/jitsi-meet-web-config
 /usr/share/jitsi-videobridge
 /var/lib/prosody
-/var/spool/cron
 /var/www

roles/backup/files/config/librenms_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/mail_includes.txt

@@ -1,4 +1 @@
-/etc
-/home
-/var/spool/cron/crontabs
 /var/spool/postfix

roles/backup/files/config/mailcow_includes.txt

@@ -1,6 +1,3 @@
-/etc
-/home
 /opt/backup
 /opt/mailcow-dockerized
 /var/lib/docker/volumes
-/var/spool/cron/crontabs

roles/backup/files/config/mariadb01_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/mariadb02_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/mariadb03_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/mewitoot_excludes.txt

@@ -1 +0,0 @@
-*.bak

roles/backup/files/config/mewitoot_includes.txt

@@ -1,7 +1,3 @@
-/etc
-/home
-/root
 /var/backups/postgresql
 /var/cache/bind
 /var/lib/bind
-/var/spool/cron

roles/backup/files/config/netbox_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/nextcloud_includes.txt

@@ -1,2 +1 @@
-/etc
+/var/www/nextcloud
-/var/spool/cron/crontabs

roles/backup/files/config/ns1_includes.txt

@@ -1,3 +1 @@
-/etc
 /var/named
-/var/spool/cron/crontabs

roles/backup/files/config/paperless_includes.txt

@@ -0,0 +1,5 @@
+/opt/paperless
+/opt/paperless-consume
+/opt/paperless-data
+/opt/paperless-media
+/opt/paperless-static

roles/backup/files/config/pi-alert_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/pi-hole_includes.txt

@@ -1,2 +0,0 @@
-/etc
-/var/spool/cron/crontabs

roles/backup/files/config/pixelfed_includes.txt

@@ -0,0 +1 @@
+/srv/http/pixelfed

roles/backup/files/config/podman01_includes.txt

@@ -0,0 +1 @@
+/var/lib/containers