bitwarden: bump to 1.34.3, helm chart 2.0.40

peertube: bump to 7.2.3, helm chart 0.4.5

mastodon: bump to v4.4.2, helm chart 6.5.1

gitea-act-runner: bump to 0.2.12, helm chart 0.1.13

.gitignore

@@ -0,0 +1 @@
+.venv

inventory/ghp/sample/group_vars/all/all.yaml

@@ -1,4 +1,5 @@
 # Common #
+k8s_cluster_name: mycluster
 namespace: ghp
 docker_registry: gitea.geekhome.org/ghp
 domain: example.com

inventory/ghp/sample/group_vars/all/versions.yaml

@@ -1,5 +1,5 @@
 # MetalLB balancer
-metallb_version: 0.14.5
+metallb_version: 0.14.9
 
 # NFS provisioners
 nfs_client_provisioner_hdd_version: 4.0.18
@@ -12,7 +12,7 @@ ceph_csi_rbd_version: 3.8.0
 ceph_csi_cephfs_version: 3.8.0
 
 # Cert-manager
-cert_manager_version: 1.14.5
+cert_manager_version: 1.18.2
 
 # External-DNS
 external_dns_version: 6.31.0
@@ -21,13 +21,13 @@ internal_dns_version: 6.31.0
 service_dns_version: 6.31.0
 
 # Ingress Nginx
-external_ingress_nginx_version: 4.2.3
+external_ingress_nginx_version: 4.12.1
-internal_ingress_nginx_version: 4.2.3
+internal_ingress_nginx_version: 4.12.1
-local_ingress_nginx_version: 4.2.3
+local_ingress_nginx_version: 4.12.1
 
 # PostgreSQL operator
-postgres_operator_version: 1.11.0
+postgres_operator_version: 1.13.0
-postgres_operator_ui_version: 1.11.0
+postgres_operator_ui_version: 1.13.0
 
 # OpenLDAP
 openldap_version: 1.2.7
@@ -36,42 +36,42 @@ openldap_version: 1.2.7
 minio_version: 5.0.13
 
 # Adguard Home
-adguard_version: 2.3.26
+adguard_version: 2.3.33
 
 # Bitwarden (aka Vaultwarden)
-bitwarden_version: 2.0.25
+bitwarden_version: 2.0.40
 
 # Gitea
-gitea_ingress_nginx_version: 4.2.3
+gitea_ingress_nginx_version: 4.12.1
 gitea_dns_version: 6.31.0
-gitea_version: 10.1.4
+gitea_version: 12.1.2
 
 # Gitea Act Runner
-gitea_act_runner_version: 0.1.10
+gitea_act_runner_version: 0.1.13
 
 # Docker and Helm chart registries
 harbor_version: 1.12.4
 
 # Mastodon
-mastodon_version: 4.0.1
+mastodon_version: 6.5.1
 
 # Nextcloud
-nextcloud_version: 4.6.4
+nextcloud_version: 5.0.2
 
 # Email
-dovecot_version: 0.1.6
+dovecot_version: 0.1.8
-postfix_version: 0.1.5
+postfix_version: 0.1.7
-roundcube_version: 0.4.2
+roundcube_version: 0.4.6
-rspamd_version: 0.5.2
+rspamd_version: 0.5.7
 
 # Pypi server
 pypiserver_version: 2.5.0
 
 # WikiJS
-wikijs_version: 2.3.15
+wikijs_version: 2.3.19
 
 # PeerTube
-peertube_version: 0.3.4
+peertube_version: 0.4.5
 
 # Playmaker android APK repository
 playmaker_version: 0.1.3

inventory/ghp/sample/group_vars/knot_dns.yaml

@@ -12,20 +12,14 @@ knot_conf: |
       any: debug
   
   key:
-    - id: k8s
+    - id: k8s-{{ k8s_cluster_name }}-{{ namespace }}
       algorithm: hmac-sha512
       secret: {{ k8s_tsig }}
   
-    - id: vps
+    - id: ddclient-{{ k8s_cluster_name }}-{{ namespace }}
       algorithm: hmac-sha512
       secret: {{ ddclient_tsig }}
   
-  remote:
-  #  - id: slave
-  #    address: 192.168.1.1@53
-  #
-  #  - id: master
-  #    address: 192.168.2.1@53
   remote:
     - id: dns_server
       address: 127.0.0.1@53
@@ -34,24 +28,15 @@ knot_conf: |
     - id: dns_zone_sbm
       parent: [dns_server]
   
-  
   acl:
     - id: deny_all
       deny: on # no action specified and deny on implies denial of all actions
   
     - id: key_rule
-      key: [vps, k8s]                # Access based just on TSIG key
+      key: [k8s-{{ k8s_cluster_name }}-{{ namespace }},ddclient-{{ k8s_cluster_name }}-{{ namespace }}] # Access based just on TSIG key
       address: 192.168.0.0/16
       action: [transfer, notify, update]
   
-  #  - id: acl_slave
-  #    address: 192.168.1.1
-  #    action: transfer
-  
-  #  - id: acl_master
-  #    address: 192.168.2.1
-  #    action: notify
-  
   template:
     - id: default
       storage: "/var/lib/knot"
@@ -73,14 +58,3 @@ knot_conf: |
       dnssec-signing: on
       dnssec-policy: rsa
       zonefile-load: difference
-  
-  #    # Master zone
-  #  - domain: example.com
-  #    notify: slave
-  #    acl: acl_slave
-  
-  #    # Slave zone
-  #  - domain: example.net
-  #    master: master
-  #    acl: acl_master
-

playbooks/ghp/vps.yaml

@@ -1,15 +1,18 @@
 ---
 - hosts: web_proxy
+  become: true
   roles:
     - nginx
   tags: web-proxy
 
 - hosts: mail_proxy
+  become: true
   roles:
     - haproxy
   tags: mail-proxy
 
 - hosts: ddclient
+  become: true
   roles:
     - { role: docker, when: ddclient_container_engine == "docker" }
     - { role: podman, when: ddclient_container_engine == "podman" }

roles/cert-manager/defaults/main.yaml

@@ -3,4 +3,5 @@ cert_manager_namespace: "cert-manager"
 cert_manager_lets_encrypt_mailbox: "admin@{{ domain }}"
 cert_manager_base64_tsig_key: "{{ k8s_tsig | b64encode }}"
 cert_manager_default_values:
-  installCRDs: true
+  crds:
+    enabled: true

roles/cert-manager/tasks/main.yaml

@@ -50,7 +50,7 @@
               rfc2136:
                 nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
                 tsigAlgorithm: HMACSHA512
-                tsigKeyName: k8s
+                tsigKeyName: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
                 tsigSecretSecretRef:
                   key: tsig-secret-key
                   name: tsig-secret
@@ -81,7 +81,7 @@
               rfc2136:
                 nameserver: "{{ external_dns_ip | default(dns_ip) }}:53"
                 tsigAlgorithm: HMACSHA512
-                tsigKeyName: k8s
+                tsigKeyName: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
                 tsigSecretSecretRef:
                   key: tsig-secret-key
                   name: tsig-secret

roles/external-dns/defaults/main.yaml

@@ -1,4 +1,6 @@
 external_dns_chart_ref: "bitnami/external-dns"
+external_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
+external_dns_tsigSecretAlg: "hmac-sha512"
 external_dns_default_values:
   fullnameOverride: "{{ external_dns_name | default(namespace + '-external-dns') }}"
   ingressClassFilters: ["{{ external_ingress_class }}"]
@@ -9,8 +11,8 @@ external_dns_default_values:
     port: 53
     zone: "{{ external_domain | default(domain) }}"
     tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ external_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ external_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ external_dns_tsigKeyname | default('k8s') }}"
+    tsigKeyname: "{{ external_dns_tsigKeyname }}"
     tsigAxfr: true
     ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
     minTTL: "30s"

roles/gitea/defaults/main.yaml

@@ -32,7 +32,7 @@ gitea_default_values:
         hosts:
           - "{{ gitea_short_name }}.{{ domain }}"
   
-  redis-cluster:
+  valkey-cluster:
     enabled: false
 
   postgresql-ha:
@@ -153,6 +153,8 @@ gitea_ingress_nginx_default_values:
 
 
 gitea_dns_chart_ref: "bitnami/external-dns"
+gitea_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
+gitea_dns_tsigSecretAlg: "hmac-sha512"
 gitea_dns_default_values:
   fullnameOverride: "{{ gitea_dns_name | default(namespace + '-gitea-internal-dns') }}"
   ingressClassFilters: ["{{ gitea_ingress_class }}"]
@@ -163,8 +165,8 @@ gitea_dns_default_values:
     port: 53
     zone: "{{ domain }}"
     tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ gitea_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ gitea_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ gitea_dns_tsigKeyname | default('k8s') }}"
+    tsigKeyname: "{{ gitea_dns_tsigKeyname }}"
     tsigAxfr: true
     ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
     minTTL: "30s"

roles/haproxy/tasks/package.yml

@@ -13,6 +13,13 @@
       - restart haproxy
     when: haproxy_config is defined
   
+  - name: set haproxy_connect_any flag on and keep it persistent across reboots
+    ansible.posix.seboolean:
+      name: haproxy_connect_any
+      state: yes
+      persistent: yes
+    when: ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
+
   - name: start haproxy service
     systemd:
       name: haproxy

roles/internal-dns/defaults/main.yaml

@@ -1,4 +1,6 @@
 internal_dns_chart_ref: "bitnami/external-dns"
+internal_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
+internal_dns_tsigSecretAlg: "hmac-sha512"
 internal_dns_default_values:
   fullnameOverride: "{{ internal_dns_name | default(namespace + '-internal-dns') }}"
   ingressClassFilters: ["{{ internal_ingress_class }}"]
@@ -9,8 +11,8 @@ internal_dns_default_values:
     port: 53
     zone: "{{ internal_domain | default(domain) }}"
     tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ internal_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ internal_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ internal_dns_tsigKeyname | default(namespace) }}"
+    tsigKeyname: "{{ internal_dns_tsigKeyname }}"
     tsigAxfr: true
     ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
     minTTL: "30s"

roles/knot/tasks/main.yaml

@@ -29,6 +29,7 @@
     owner: "root"
     group: "knot"
     validate: "knotc -c %s conf-check"
+    backup: true
   notify: Restart knot
 
 - name: Enable and start knot

roles/local-dns/defaults/main.yaml

@@ -1,4 +1,6 @@
 local_dns_chart_ref: "bitnami/external-dns"
+local_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
+local_dns_tsigSecretAlg: "hmac-sha512"
 local_dns_default_values:
   fullnameOverride: "{{ local_dns_name | default(namespace + '-local-dns') }}"
   ingressClassFilters: ["{{ local_ingress_class }}"]
@@ -9,8 +11,8 @@ local_dns_default_values:
     port: 53
     zone: "{{ local_domain }}"
     tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ local_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ local_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ local_dns_tsigKeyname | default(namespace) }}"
+    tsigKeyname: "{{ local_dns_tsigKeyname }}"
     tsigAxfr: true
     ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
     minTTL: "30s"

roles/mastodon/defaults/main.yaml

@@ -26,42 +26,25 @@ mastodon_default_values:
           - "{{ mastodon_short_name }}.{{ domain }}"
 
   mastodon:
-    # create an initial administrator user; the password is autogenerated and will
-    # have to be reset
     createAdmin:
       enabled: true
       username: "{{ mastodon_admin_user | default(mastodon_admin_username) | default('mastodon') }}"
       password: "{{ mastodon_admin_pass | default(mastodon_admin_password) }}" 
       email: "{{ mastodon_admin_email }}"
     
-    # available locales: https://github.com/tootsuite/mastodon/blob/master/config/application.rb#L43
     locale: en
     local_domain: "{{ mastodon_short_name }}.{{ domain }}"
     
-    cron:
-      # run `tootctl media remove` every week
-      removeMedia:
-        enabled: true
-        schedule: "0 0 * * 0"
-    
-    web:
-      port: 3000
-    streaming:
-      port: 4000
-      # this should be set manually since os.cpus() returns the number of CPUs on
-      # the node running the pod, which is unrelated to the resources allocated to
-      # the pod by k8s
-      workers: 2
-    sidekiq:
-      concurrency: 25
-    
-    # these must be set manually; autogenerated keys are rotated on each upgrade
     secrets:
       secret_key_base: "{{ mastodon_vapid_public_key_base64 | hash('sha256') }}"
       otp_secret: "{{ mastodon_vapid_public_key_base64 | hash('sha256') | hash('sha256') }}"
       vapid:
         private_key: "{{ mastodon_vapid_private_key_base64 | b64decode }}"
         public_key: "{{ mastodon_vapid_public_key_base64 | b64decode }}"
+      activeRecordEncryption:
+        primaryKey: "{{ mastodon_primary_key_secret }}"
+        deterministicKey: "{{ mastodon_deterministic_key_secret }}"
+        keyDerivationSalt: "{{ mastodon_key_derivation_salt_secret }}"
 
     smtp:
       auth_method: login
@@ -95,11 +78,6 @@ mastodon_default_values:
             storage: "{{ mastodon_system_size | default('100Gi') }}"
   
   elasticsearch:
-    # `false` will disable full-text search
-    #
-    # if you enable ES after the initial install, you will need to manually run
-    # RAILS_ENV=production bundle exec rake chewy:sync
-    # (https://docs.joinmastodon.org/admin/optional/elasticsearch/)
     enabled: "{{ mastodon_enable_elasticsearch }}" 
     master:
       name: master
@@ -116,20 +94,14 @@ mastodon_default_values:
       ##
       replicas: 1
 
-  # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
   postgresql:
-    # Disable for external PostgreSQL
     enabled: false
     postgresqlHostname: "{{ namespace }}-postgres.{{ postgres_db_namespace | default(namespace) }}.svc.cluster.local"
-    # you must set a password; the password generated by the postgresql chart will
-    # be rotated on each upgrade:
-    # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
     auth:
       database: mastodon
       username: "{{ mastodon_db_username }}"
       password: "{{ mastodon_db_password }}"
 
-  # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
   redis:
     architecture: standalone
     enabled: true

roles/mastodon/tasks/main.yaml

@@ -15,38 +15,3 @@
     chart_ref: "{{ mastodon_chart_ref }}"
     chart_version: "{{ mastodon_version | default(omit) }}"
     release_values: "{{ mastodon_combined_values | from_yaml }}"
-
-
-- name: Search for mastodon web pod
-  kubernetes.core.k8s_info:
-    kind: Pod
-    namespace: "{{ mastodon_namespace | default(namespace) }}"
-    label_selectors:
-      - app.kubernetes.io/component=web
-      - app.kubernetes.io/instance=mastodon
-  register: mastodon_web_pod_name
-
-- name: Remove mastodon web pod for restart 
-  kubernetes.core.k8s:
-    state: absent
-    api_version: v1
-    kind: Pod
-    namespace: "{{ mastodon_namespace | default(namespace) }}"
-    name: "{{ mastodon_web_pod_name.resources[0].metadata.name }}"
-
-- name: Search for mastodon streaming pod
-  kubernetes.core.k8s_info:
-    kind: Pod
-    namespace: "{{ mastodon_namespace | default(namespace) }}"
-    label_selectors:
-      - app.kubernetes.io/component=streaming
-      - app.kubernetes.io/instance=mastodon
-  register: mastodon_streaming_pod_name
-
-- name: Remove mastodon streaming pod for restart 
-  kubernetes.core.k8s:
-    state: absent
-    api_version: v1
-    kind: Pod
-    namespace: "{{ mastodon_namespace | default(namespace) }}"
-    name: "{{ mastodon_streaming_pod_name.resources[0].metadata.name }}"

roles/nginx/tasks/install.yml

@@ -10,3 +10,17 @@
     register: install_nginx_result
     tags:
       - nginx-install
+
+  - name: set httpd_can_network_connect flag on and keep it persistent across reboots
+    ansible.posix.seboolean:
+      name: httpd_can_network_connect
+      state: yes
+      persistent: yes
+    when: ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
+
+  - name: set httpd_can_network_relay flag on and keep it persistent across reboots
+    ansible.posix.seboolean:
+      name: httpd_can_network_relay
+      state: yes
+      persistent: yes
+    when: ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'

roles/postgres/defaults/main.yaml

@@ -20,6 +20,7 @@ postgres_operator_ui_default_values:
   envs:
     # IMPORTANT: While operator chart and UI chart are idendependent, this is the interface between
     # UI and operator API. Insert the service name of the operator API here!
+    appUrl: "https://{{ postgres_operator_ui_short_name }}.{{ domain }}"
     operatorApiUrl: "http://postgres-operator:8080"
     operatorClusterNameLabel: "cluster-name"
     resourcesVisible: "False"

roles/pwgen/defaults/main.yaml

@@ -20,6 +20,9 @@ default_accounts:
 secret_keys:
   - { name: peertube }
   - { name: harbor }
+  - { name: mastodon_primary_key }
+  - { name: mastodon_deterministic_key }
+  - { name: mastodon_key_derivation_salt }
 
 htpasswd_accounts:
   - { name: pypiserver_admin }

roles/pwgen/tasks/dkim.yaml

@@ -1,47 +1,36 @@
-- name: Test if DKIM private key exists
+- name: Generate DKIM keys
-  shell: grep -c "dkim_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  when: passwords['dkim_public_key_base64'] is not defined or passwords['dkim_private_key_base64'] is not defined
-  register: dkim_private_key_test_grep
+  block:
+    - name: Create DKIM keys
+      docker_container:
+        name: ddclient
+        image: "{{ docker_registry }}/pwgen"
+        cleanup: true
+        detach: false
+        container_default_behavior: no_defaults
+        command: "sh dkim-key.sh {{ mail_domain | default(domain) }}"
+      register: dkim_container_output
     
-- name: Test if DKIM public key exists
+    - name: Set dkim_keys
-  shell: grep -c "dkim_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+      set_fact:
-  register: dkim_public_key_test_grep
+        dkim_keys: "{{ dkim_container_output.container.Output | from_yaml }}"
     
-- name: Create DKIM keys
+    - name: Show DKIM private key
-  docker_container:
+      debug:
-    name: ddclient
+        msg: "ddclient private key: {{ dkim_keys['dkim'][0]['default.private'] | b64decode }}"
-    image: "{{ docker_registry }}/pwgen"
+        verbosity: 2
-    cleanup: true
-    detach: false
-    container_default_behavior: no_defaults
-    command: "sh dkim-key.sh {{ mail_domain | default(domain) }}"
-  register: dkim_container_output
-  when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0'
     
-- name: Set ddclient_key
+    - name: Show DKIM public key
-  set_fact:
+      debug:
-    dkim_keys: "{{ dkim_container_output.container.Output | from_yaml }}"
+        msg: "ddclient public key: {{ dkim_keys['dkim'][0]['default.txt'] | b64decode }}"
-  when: dkim_private_key_test_grep.stdout == '0' or dkim_public_key_test_grep.stdout == '0'
+        verbosity: 2
     
-- name: Show DKIM private key
+    - name: Write DKIM private key
-  debug:
+      lineinfile:
-    msg: "ddclient private key: {{ dkim_keys['dkim'][0]['default.private'] | b64decode }}"
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    verbosity: 2
+        line: "dkim_private_key_base64: \"{{ dkim_keys['dkim'][0]['default.private'] }}\""
-  when: dkim_private_key_test_grep.stdout == '0' 
     
-- name: Show DKIM public key
+    - name: Write DKIM public key
-  debug:
+      lineinfile:
-    msg: "ddclient public key: {{ dkim_keys['dkim'][0]['default.txt'] | b64decode }}"
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    verbosity: 2
+        line: "dkim_public_key_base64: \"{{ dkim_keys['dkim'][0]['default.txt'] }}\""
-  when: dkim_public_key_test_grep.stdout == '0' 
-
-- name: Write DKIM private key
-  lineinfile:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    line: "dkim_private_key_base64: \"{{ dkim_keys['dkim'][0]['default.private'] }}\""
-  when: dkim_private_key_test_grep.stdout == '0' 
-
-- name: Write DKIM public key
-  lineinfile:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    line: "dkim_public_key_base64: \"{{ dkim_keys['dkim'][0]['default.txt'] }}\""
-  when: dkim_public_key_test_grep.stdout == '0' 

roles/pwgen/tasks/htpasswd.yaml

@@ -1,46 +1,36 @@
-- name: Test if password exists in file for {{ item.name }}
+- name: Generate htpasswd for {{ item.name }}
-  shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  when: passwords[item.name + '_password'] is not defined or passwords[item.name + '_htpasswd_hash'] is not defined
-  register: password_test_grep
+  block:
+    - name: Create password for {{ item.name }}
+      shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
+      register: password
     
-- name: Test if password htpasswd hash exists in file for {{ item.name }}
+    - name: Show password json for {{ item.name }}
-  shell: grep -c "^{{ item.name }}_htpasswd_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+      debug:
-  register: htpasswd_hash_test_grep
+        msg: "{{ password }}"
+        verbosity: 2
     
-- name: Create password for {{ item.name }}
+    - name: Create bcrypt hash from password for {{ item.name }}
-  shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
+      docker_container:
-  register: password
+        name: slappasswd
-  when: password_test_grep.stdout == '0'
+        image: "{{ docker_registry }}/pwgen"
+        cleanup: true
+        detach: false
+        container_default_behavior: no_defaults
+        command: "htpasswd -B -n -i -b -C 16 {{ item.name }} {{ password.stdout | default(item.name + '_password') }}"
+      register: docker_container_output
     
-- name: Show password json for {{ item.name }}
+    - name: Show docker_container_output for {{ item.name }}
-  debug:
+      debug:
-    msg: "{{ password }}"
+        msg: "{{ docker_container_output }}"
-    verbosity: 2
+        verbosity: 2
-  when: password_test_grep.stdout == '0'
     
-- name: Create bcrypt hash from password for {{ item.name }}
+    - name: Write password for {{ item.name }}
-  docker_container:
+      lineinfile:
-    name: slappasswd
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    image: "{{ docker_registry }}/pwgen"
+        line: "{{ item.name }}_password: \"{{ password.stdout }}\""
-    cleanup: true
-    detach: false
-    container_default_behavior: no_defaults
-    command: "htpasswd -B -n -i -b -C 16 {{ item.name }} {{ password.stdout | default(item.name + '_password') }}"
-  register: docker_container_output
-  when: htpasswd_hash_test_grep.stdout == '0'
     
-- name: Show docker_container_output for {{ item.name }}
+    - name: Write htpasswd hash for {{ item.name }}
-  debug:
+      lineinfile:
-    msg: "{{ docker_container_output }}"
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    verbosity: 2
+        line: "{{ item.name }}_htpasswd_hash: \"{{ docker_container_output.container.Output.split('\n')[0].split(':')[1] }}\""
-
-- name: Write password for {{ item.name }}
-  lineinfile:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    line: "{{ item.name }}_password: \"{{ password.stdout }}\""
-  when: password_test_grep.stdout == '0'
-
-- name: Write htpasswd hash for {{ item.name }}
-  lineinfile:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    line: "{{ item.name }}_htpasswd_hash: \"{{ docker_container_output.container.Output.split('\n')[0].split(':')[1] }}\""
-  when: htpasswd_hash_test_grep.stdout == '0'

roles/pwgen/tasks/main.yaml

@@ -1,7 +1,22 @@
-- name: Create passwords.yaml file
+- name: Check that passwords.yaml exists
+  stat:
+    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+  register: passwords_file
+
+- name: Create passwords.yaml file if not exists
   file: 
     name: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
     state: touch
+  when: not passwords_file.stat.exists
+
+- name: Read passwords.yaml file
+  slurp:
+    src: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+  register: passwords_b64
+
+- name: Set facts about passwords
+  set_fact:
+    passwords: "{{ passwords_b64['content'] | b64decode | from_yaml }}"
 
 - name: Create files directory for ddclient tsig
   file: 

roles/pwgen/tasks/passwords.yaml

@@ -1,49 +1,34 @@
-- name: Test if password exists in file for {{ item.name }}
+- name: Generate password for {{ item.name }}
-  shell: grep -c "^{{ item.name }}_password" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  when: passwords[item.name + '_password'] is not defined
-  register: password_test_grep
+  block:
+    - name: Create password for {{ item.name }}
+      shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
+      register: password
     
-- name: Test if password pbkdf2-sha512 hash exists in file for {{ item.name }}
+    - name: Show password json for {{ item.name }}
-  shell: grep -c "^{{ item.name }}_pbkdf2_sha512_hash" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+      debug:
-  register: pbkdf2_sha512_hash_test_grep
+        msg: "{{ password }}"
+        verbosity: 2
 
-- name: Create password for {{ item.name }}
+    - name: Write password for {{ item.name }}
-  shell: "< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-64};echo;"
+      lineinfile:
-  register: password
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-  when: password_test_grep.stdout == '0'
+        line: "{{ item.name }}_password: \"{{ password.stdout }}\""
 
-- name: Show password json for {{ item.name }}
+- name: Generate password for {{ item.name }}
-  debug:
+  when: passwords[item.name + '_pbkdf2_sha512_hash'] is not defined
-    msg: "{{ password }}"
+  block:
-    verbosity: 2
+    - name: Create PBKDF2-SHA512 hash from password for {{ item.name }}
-  when: password_test_grep.stdout == '0'
+      docker_container:
+        name: slappasswd
+        image: "{{ docker_registry }}/pwgen"
+        cleanup: true
+        detach: false
+        container_default_behavior: no_defaults
+        command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ password.stdout | default(item.name + '_password') }}"
+      register: docker_container_output
     
-- name: Create PBKDF2-SHA512 hash from password for {{ item.name }}
+    - name: Write PBKDF2-SHA512 hash for {{ item.name }}
-  docker_container:
+      lineinfile:
-    name: slappasswd
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    image: "{{ docker_registry }}/pwgen"
+        line: "{{ item.name }}_pbkdf2_sha512_hash: \"{{ docker_container_output.container.Output.split('\n')[0] }}\""
-    cleanup: true
-    detach: false
-    container_default_behavior: no_defaults
-    command: "slappasswd -o module-load=pw-pbkdf2 -h {PBKDF2-SHA512} -s {{ password.stdout | default(item.name + '_password') }}"
-  register: docker_container_output
-  when: pbkdf2_sha512_hash_test_grep.stdout == '0'
-
-- debug:
-    msg: "{{ docker_container_output }}"
-
-- name: Show docker_container_output for {{ item.name }}
-  debug:
-    msg: "{{ docker_container_output }}"
-    verbosity: 2
-
-- name: Write password for {{ item.name }}
-  lineinfile:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    line: "{{ item.name }}_password: \"{{ password.stdout }}\""
-  when: password_test_grep.stdout == '0'
-
-- name: Write PBKDF2-SHA512 hash for {{ item.name }}
-  lineinfile:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    line: "{{ item.name }}_pbkdf2_sha512_hash: \"{{ docker_container_output.container.Output.split('\n')[0] }}\""
-  when: pbkdf2_sha512_hash_test_grep.stdout == '0'

roles/pwgen/tasks/secrets.yaml

@@ -1,20 +1,16 @@
-- name: Test if secret exists in file for {{ item.name }}
-  shell: grep -c "^{{ item.name }}_secret" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
-  register: secret_test_grep
-  
 - name: Create secret for {{ item.name }}
-  shell: "openssl rand -hex 32"
+  when: passwords[item.name + '_secret'] is not defined
-  register: secret
+  block:
-  when: secret_test_grep.stdout == '0'
+    - name: Create secret for {{ item.name }}
+      shell: "openssl rand -hex 32"
+      register: secret
     
-- name: Show secret json for {{ item.name }}
+    - name: Show secret json for {{ item.name }}
-  debug:
+      debug:
-    msg: "{{ secret }}"
+        msg: "{{ secret }}"
-    verbosity: 2
+        verbosity: 2
-  when: secret_test_grep.stdout == '0'
     
-- name: Write secret for {{ item.name }}
+    - name: Write secret for {{ item.name }}
-  lineinfile:
+      lineinfile:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    line: "{{ item.name }}_secret: \"{{ secret.stdout }}\""
+        line: "{{ item.name }}_secret: \"{{ secret.stdout }}\""
-  when: secret_test_grep.stdout == '0'

roles/pwgen/tasks/tsig.yaml

@@ -1,99 +1,78 @@
-- name: Test if k8s TSIG key exists
+- name: Generate K8s TSIG for Knot DNS
-  shell: grep -c "k8s_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  when: passwords['k8s_tsig'] is not defined
-  register: k8s_tsig_test_grep
+  block:
+    - name: Generate k8s TSIG key for Knot DNS
+      docker_container:
+        name: keymgr
+        image: "{{ docker_registry }}/tsig"
+        cleanup: true
+        detach: false
+        container_default_behavior: no_defaults
+        command: "keymgr -t k8s-{{ k8s_cluster_name }}-{{ namespace }} hmac-sha512"
+      register: knot_container_output
     
-- name: Test if ddclinet TSIG key exists
+    - name: Set k8s_key
-  shell: grep -c "ddclient_tsig" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+      set_fact:
-  register: ddclient_tsig_test_grep
+        k8s_key: "{{ knot_container_output.container.Output | from_yaml }}"
     
-- name: Test if ddclinet TSIG key exists
+    - name: Show k8s TSIG key
-  shell: grep -c "ddclient_tsig_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+      debug:
-  register: ddclient_tsig_public_key_test_grep
+        msg: "Knot k8s key for k8s-{{ k8s_cluster_name }}-{{ namespace }}: {{ k8s_key['key'][0]['secret'] }}"
     
-- name: Test if ddclinet TSIG key exists
+    - name: Write TSIG for Kubernetes
-  shell: grep -c "ddclient_tsig_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+      lineinfile:
-  register: ddclient_tsig_private_key_test_grep
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+        line: "k8s_tsig: \"{{ k8s_key['key'][0]['secret'] }}\""
 
-- name: Generate k8s TSIG key for Knot DNS
+- name: Generate ddclient private and public TSIG keys for Knot DNS
-  docker_container:
+  when: 
-    name: keymgr
+    - passwords['ddclient_tsig_public_key_base64'] is not defined or passwords['ddclient_tsig_private_key_base64'] is not defined
-    image: "{{ docker_registry }}/tsig"
+  block:
-    cleanup: true
+    - name: Generate TSIG key for ddclient
-    detach: false
+      docker_container:
-    container_default_behavior: no_defaults
+        name: ddclient
-    command: "keymgr -t {{ namespace }} hmac-sha512"
+        image: "{{ docker_registry }}/tsig"
-  register: knot_container_output
+        cleanup: true
-  when: k8s_tsig_test_grep.stdout == '0'
+        detach: false
+        container_default_behavior: no_defaults
+        command: "bash tsig-key.sh ddclient-{{ k8s_cluster_name }}-{{ namespace }}"
+      register: ddclient_container_output
     
-- name: Set k8s_key
+    - name: Set ddclient_key
-  set_fact:
+      set_fact:
-    k8s_key: "{{ knot_container_output.container.Output | from_yaml }}"
+        ddclient_key: "{{ ddclient_container_output.container.Output | from_yaml }}"
-  when: k8s_tsig_test_grep.stdout == '0'
     
-- name: Show k8s TSIG key
+    - name: Show ddclient TSIG public key file
-  debug:
+      debug:
-    msg: "Knot k8s key: {{ k8s_key['key'][0]['secret'] }}"
+        msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
-  when: k8s_tsig_test_grep.stdout == '0'
+        verbosity: 2
     
-- name: Write TSIG for Kubernetes
+    - name: Show ddclient TSIG private key file
-  lineinfile:
+      debug:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+        msg: "ddclient key for ddclient-{{ k8s_cluster_name }}-{{ namespace }}: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
-    line: "k8s_tsig: \"{{ k8s_key['key'][0]['secret'] }}\""
+        verbosity: 2
-  when: k8s_tsig_test_grep.stdout == '0'
     
-- name: Generate TSIG key for ddclient
+    - name: Write ddclient TSIG public key file in base64
-  docker_container:
+      lineinfile:
-    name: ddclient
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    image: "{{ docker_registry }}/tsig"
+        line: "ddclient_tsig_public_key_base64: \"{{ ddclient_key['tsig'][0]['key'] }}\""
-    cleanup: true
-    detach: false
-    container_default_behavior: no_defaults
-    command: "bash tsig-key.sh {{ namespace }}"
-  register: ddclient_container_output
-  when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
     
-- name: Set ddclient_key
+    - name: Show ddclient TSIG key
-  set_fact:
+      debug:
-    ddclient_key: "{{ ddclient_container_output.container.Output | from_yaml }}"
+        msg: "{{ ddclient_tsig_key }}"
-  when: ddclient_tsig_public_key_test_grep.stdout == '0' or ddclient_tsig_private_key_test_grep.stdout == '0'
+        verbosity: 2
     
-- name: Show ddclient TSIG public key file
+    - name: Write ddclient TSIG key
-  debug:
+      lineinfile:
-    msg: "ddclient key: {{ ddclient_key['tsig'][0]['key'] | b64decode }}"
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    verbosity: 2
+        line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""
-  when: ddclient_tsig_public_key_test_grep.stdout == '0'
 
-- name: Show ddclient TSIG private key file
+    - name: Write ddclient TSIG private key file in base64
-  debug:
+      lineinfile:
-    msg: "ddclient key: {{ ddclient_key['tsig'][0]['private'] | b64decode }}"
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    verbosity: 2
+        line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
-  when: ddclient_tsig_private_key_test_grep.stdout == '0'
 
-- name: Write ddclient TSIG public key file in base64
+    - name: Set ddclient TSIG key
-  lineinfile:
+      set_fact:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
+        ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
-    line: "ddclient_tsig_public_key_base64: \"{{ ddclient_key['tsig'][0]['key'] }}\""
-  when: ddclient_tsig_public_key_test_grep.stdout == '0'
     
-- name: Write ddclient TSIG private key file in base64
-  lineinfile:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    line: "ddclient_tsig_private_key_base64: \"{{ ddclient_key['tsig'][0]['private'] }}\""
-  when: ddclient_tsig_private_key_test_grep.stdout == '0'
-
-- name: Set ddclient TSIG key
-  set_fact:
-    ddclient_tsig_key: "{{ ddclient_key['tsig'][0]['private'] | b64decode | from_yaml }}"
-  when: ddclient_tsig_test_grep.stdout == '0'
-
-- name: Show ddclient TSIG key
-  debug:
-    msg: "{{ ddclient_tsig_key }}"
-    verbosity: 2
-  when: ddclient_tsig_test_grep.stdout == '0'
-
-- name: Write ddclient TSIG key
-  lineinfile:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    line: "ddclient_tsig: \"{{ ddclient_tsig_key['Key'] }}\""
-  when: ddclient_tsig_test_grep.stdout == '0'

roles/pwgen/tasks/vapid.yaml

@@ -1,47 +1,36 @@
-- name: Test if VAPID private key exists
+- name: Generate VAPID keys
-  shell: grep -c "^{{ item.name }}_vapid_private_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+  when: passwords[item.name + '_vapid_public_key_base64'] is not defined or passwords[item.name + '_vapid_private_key_base64'] is not defined
-  register: vapid_private_key_test_grep
+  block:
+    - name: Create VAPID keys
+      docker_container:
+        name: vapid
+        image: "{{ docker_registry }}/pwgen"
+        cleanup: true
+        detach: false
+        container_default_behavior: no_defaults
+        command: "/vapid"
+      register: vapid_container_output
     
-- name: Test if VAPID public key exists
+    - name: Set VAPID keys fact
-  shell: grep -c "^{{ item.name }}_vapid_public_key_base64" "{{ inventory_dir }}/group_vars/all/passwords.yaml" || true
+      set_fact:
-  register: vapid_public_key_test_grep
+        vapid_keys: "{{ vapid_container_output.container.Output | from_yaml }}"
     
-- name: Create VAPID keys
+    - name: Show VAPID private key
-  docker_container:
+      debug:
-    name: vapid
+        msg: "vapid private key: {{ vapid_keys['vapidPrivateKey'] }}"
-    image: "{{ docker_registry }}/pwgen"
+        verbosity: 2
-    cleanup: true
-    detach: false
-    container_default_behavior: no_defaults
-    command: "/vapid"
-  register: vapid_container_output
-  when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0'
     
-- name: Set VAPID keys fact
+    - name: Show VAPID public key
-  set_fact:
+      debug:
-    vapid_keys: "{{ vapid_container_output.container.Output | from_yaml }}"
+        msg: "vapid public key: {{ vapid_keys['vapidPublicKey'] }}"
-  when: vapid_private_key_test_grep.stdout == '0' or vapid_public_key_test_grep.stdout == '0'
+        verbosity: 2
     
-- name: Show VAPID private key
+    - name: Write VAPID private key
-  debug:
+      lineinfile:
-    msg: "vapid private key: {{ vapid_keys['vapidPrivateKey'] }}"
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    verbosity: 2
+        line: "{{ item.name }}_vapid_private_key_base64: \"{{ vapid_keys['vapidPrivateKey'] | b64encode }}\""
-  when: vapid_private_key_test_grep.stdout == '0' 
     
-- name: Show VAPID public key
+    - name: Write VAPID public key
-  debug:
+      lineinfile:
-    msg: "vapid public key: {{ vapid_keys['vapidPublicKey'] }}"
+        path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    verbosity: 2
+        line: "{{ item.name }}_vapid_public_key_base64: \"{{ vapid_keys['vapidPublicKey'] | b64encode }}\""
-  when: vapid_public_key_test_grep.stdout == '0' 
-
-- name: Write VAPID private key
-  lineinfile:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    line: "{{ item.name }}_vapid_private_key_base64: \"{{ vapid_keys['vapidPrivateKey'] | b64encode }}\""
-  when: vapid_private_key_test_grep.stdout == '0' 
-
-- name: Write VAPID public key
-  lineinfile:
-    path: "{{ inventory_dir }}/group_vars/all/passwords.yaml"
-    line: "{{ item.name }}_vapid_public_key_base64: \"{{ vapid_keys['vapidPublicKey'] | b64encode }}\""
-  when: vapid_public_key_test_grep.stdout == '0' 

roles/roundcube/defaults/main.yaml

@@ -77,7 +77,7 @@ roundcube_default_values:
             'ssl' => array(
               'verify_peer'       => false,
               'allow_self_signed' => true,
-              'ciphers' => 'TLSv1.3+HIGH:!aNull:@STRENGTH',
+              'ciphers' => 'TLSv1.2+HIGH:!aNull:@STRENGTH',
             ),
         );
         // For STARTTLS SMTP
@@ -85,7 +85,7 @@ roundcube_default_values:
             'ssl' => array(
               'verify_peer'       => false,
               'allow_self_signed' => true,
-              'ciphers' => 'TLSv1.3+HIGH:!aNull:@STRENGTH',
+              'ciphers' => 'TLSv1.2+HIGH:!aNull:@STRENGTH',
             ),
         );
       ?>

roles/service-dns/defaults/main.yaml

@@ -1,4 +1,6 @@
 service_dns_chart_ref: "bitnami/external-dns"
+service_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
+service_dns_tsigSecretAlg: "hmac-sha512"
 service_dns_default_values:
   fullnameOverride: "{{ service_dns_name | default(namespace + '-service-dns') }}"
   domainFilters: ["{{ service_domain | default(domain) }}"]
@@ -9,8 +11,8 @@ service_dns_default_values:
     port: 53
     zone: "{{ service_domain | default(domain) }}"
     tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ service_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ service_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ service_dns_tsigKeyname | default(namespace) }}"
+    tsigKeyname: "{{ service_dns_tsigKeyname }}"
     tsigAxfr: true
     ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
     minTTL: "30s"