heavy restart in docker role

dry run on PR

.ansible-lint

@@ -3,4 +3,6 @@ profile: production
 strict: true
 exclude_paths:
   - "**/*docker-compose.yaml"
+  - "**/*docker-compose.yml"
   - .github/
+  - .pre-commit-config.yaml

.github/workflows/deploy.yml

@@ -14,11 +14,8 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@v5.2.0
         with:
-          # Version range or exact version of Python or PyPy to use, using SemVer's version range syntax. Reads from .python-version if unset.
           python-version: 3
-          # Used to specify a package manager for caching in the default directory. Supported values: pip, pipenv, poetry.
           cache: pip
-          # Set this option if you want the action to check for the latest available version that satisfies the version spec.
           check-latest: true
       - name: Run ansible
         env:
@@ -28,6 +25,7 @@ jobs:
           ANSIBLE_INVENTORY: inventories/github.yaml
           ANSIBLE_VAULT_PASSWORD_FILE: vault.pass
           ANSIBLE_FORCE_COLOR: "true"
+          ANSIBLE_ROLES_PATH: "./roles"
         run: |
           echo '${{ secrets.ANSIBLE_VAULT_PASSWORD }}' > $ANSIBLE_VAULT_PASSWORD_FILE
           ls $ANSIBLE_VAULT_PASSWORD_FILE

.github/workflows/dry-run.yml

@@ -0,0 +1,32 @@
+on:
+  workflow_dispatch:
+  pull_request:
+
+jobs:
+  ansible:
+    name: dry-run ansible
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Python
+        uses: actions/setup-python@v5.2.0
+        with:
+          python-version: 3
+          cache: pip
+          check-latest: true
+      - name: Run ansible
+        env:
+          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+          DEPLOY_PORT: ${{ secrets.DEPLOY_PORT }}
+          DEPLOY_USERNAME: ${{ secrets.DEPLOY_USERNAME }}
+          ANSIBLE_INVENTORY: inventories/github.yaml
+          ANSIBLE_VAULT_PASSWORD_FILE: vault.pass
+          ANSIBLE_FORCE_COLOR: "true"
+          ANSIBLE_ROLES_PATH: "./roles"
+        run: |
+          echo '${{ secrets.ANSIBLE_VAULT_PASSWORD }}' > $ANSIBLE_VAULT_PASSWORD_FILE
+          ls $ANSIBLE_VAULT_PASSWORD_FILE
+          export KEY_FILE=$(mktemp)
+          echo "${{ secrets.DEPLOY_KEY }}" > $KEY_FILE
+          ansible-playbook playbooks/all.yaml --check

.gitignore

@@ -1,2 +1,3 @@
 vault.pass
 .idea
+.cache_ggshield

.mise.toml

@@ -1,3 +1,4 @@
 [env]
 ANSIBLE_INVENTORY = "{{config_root}}/inventories/local.yaml"
 ANSIBLE_VAULT_PASSWORD_FILE = "{{config_root}}/vault.pass"
+ANSIBLE_ROLES_PATH = "{{config_root}}/roles"

.pre-commit-config.yaml

@@ -5,6 +5,7 @@ ci:
     # build of https://github.com/ansible/ansible-lint:ansible@v24.9.2 for python@python3 exceeds tier max size 250MiB: 405.6MiB
     - ansible-lint
     - ggshield
+    - caddy-fmt
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -37,3 +38,10 @@ repos:
     rev: v1.32.1
     hooks:
       - id: ggshield
+  - repo: local
+    hooks:
+      - id: caddy-fmt
+        name: caddy fmt
+        language: system
+        entry: caddy fmt --overwrite
+        files: Caddyfile

ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+callbacks_enabled = timer, profile_tasks
+pipelining = True

new-app

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+echo "creating directories for '$1'"
+mkdir -p "playbooks/apps/files/$1"
+mkdir -p "playbooks/apps/templates/$1"
+cp playbooks/apps/template.yaml.dist "playbooks/apps/$1.yaml"
+sed -i '' "s/==APP==/$1/g" "playbooks/apps/$1.yaml"
+echo "done"

playbooks/apps/all.yaml

@@ -1,8 +1,14 @@
 ---
+- import_playbook: bin.yaml # noqa: name[play]
 - import_playbook: caddy.yaml # noqa: name[play]
+- import_playbook: charasheet.yaml # noqa: name[play]
+- import_playbook: checkout.yaml # noqa: name[play]
+- import_playbook: code.yaml # noqa: name[play]
+- import_playbook: collabora.yaml # noqa: name[play]
 - import_playbook: ghost-update.yaml # noqa: name[play]
 - import_playbook: gitea.yaml # noqa: name[play]
 - import_playbook: goatcounter.yaml # noqa: name[play]
 - import_playbook: lyon-transports.yaml # noqa: name[play]
+- import_playbook: manuels.yaml # noqa: name[play]
 - import_playbook: test_headers.yaml # noqa: name[play]
 - import_playbook: wallabag.yaml # noqa: name[play]

playbooks/apps/bin.yaml

@@ -0,0 +1,65 @@
+---
+- name: Bin files & scripts
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Write bin files
+      ansible.builtin.copy:
+        src: "{{ item }}"
+        dest: /mnt/data/bin/
+        mode: preserve
+      with_fileglob:
+        - files/bin/*
+    - name: Template bin files
+      ansible.builtin.template:
+        src: "{{ item }}"
+        dest: /mnt/data/bin/{{ item | basename | regex_replace('\.j2$', '') }}
+        mode: preserve
+      with_fileglob:
+        - templates/bin/*.j2
+  vars:
+    ghost_db_password: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      35343430343439653064613033383830396264306538376535346637613166376663393062353132
+      6537386534656239333731313938653539643165323532380a336162663839303339623266383662
+      39346464306261633239363665666334613064393432663335313431326463376637356437653262
+      3161633364303839300a366135653466313836376361326165303465396438333962386230336133
+      34643963356538356464366433373464316337636337386430373265633336636537
+    healthcheck_webhook_token: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      61303433666361376638353034323834623935393834346362623538663936303764363866636164
+      3364306166303430343532623935373838333632323032360a373330376464376438613764326662
+      32653135316361636163356363623364323537396236333233313933336565373530313363303536
+      3339613565313033360a346438376336386638653534356333633439613530396139383635643439
+      33313266373566376162643536386365386132346261623733343762356639396436
+    hetrixtools_token: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      38663431333361643538646361353237613930646135633962386639376333366230343131633562
+      6531646235333565656266613236313133653563323737340a643931643366396236393935363038
+      34613661373863623033616431363531633136303830363434393135613365353938656337353936
+      6563353164313363380a613039623761613632306364616365316332333563306636356238636532
+      34333035346534383064346561316665343233373031353238383864386365393234356137396332
+      3363323336613962386638633539393636663461323035333065
+    ovh_app_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      30646561656638353734373835386238383365393064656439646437326432383663666263623431
+      3639346366646538336333323161656562646266373233320a356136386234646234363732376266
+      33316461326132336534326266636239386532656262353034333434653933333637616332616632
+      6562643965353037660a656631656563633136356565323536363738663461653736303864383630
+      38346637396239316163666661373439656462623861653063393464616530323633
+    ovh_app_secret: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      32396331666132363362313331633832303562633932353963636533663132353465636331653134
+      6466613637373933623063623563663331373764393262360a643030663036366335646234646335
+      38393036626139653733313362323866336164343335656635343564366439663264363866336137
+      6464346632396630610a303337316535326633376235383963313865373064363064306134323231
+      39633061336366393563366636656339623134323531613462636334636264353934303963633437
+      6161656465303732373366386134666234363636613832333166
+    ovh_consumer_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      33623537363436363139346132353336383930333133643535383465373163636266356262306466
+      6563363661353337626462313338633465333865626162350a306332313233356366386236393066
+      66363735386566623335613966353462613963386435636537663235366134336461363837336638
+      3466633264626636620a613634653933333332386365393639343030616234376537373635343237
+      37373364303732343264623239353837613435363363393862383765376435376166343237333664
+      3330623266383462666564376166373032393361653234633863

playbooks/apps/charasheet.yaml

@@ -0,0 +1,29 @@
+---
+- name: Charasheet
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: charasheet
+    secret_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      35666131616231643064336266303061326534356131666364633932373330663637343836353837
+      3438356431373434613435613165313631333133396133360a363335326135613537633132306530
+      33623239356433393361393737386461626230613561326632623736303038303130396530353538
+      3561613065623130620a306631393062613161333335366261386534623539646361663736306432
+      30636239663263623938383137363034633061343163393665363932376662663063336634316261
+      63363166656462343763343263373535353763303939316430613335653033303036313864616234
+      313763346663393432323132386536326636
+    mailgun_api_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      38613137366132646234316137646431373839343530316536326230643035643635643431663064
+      6531316662373736656230336361353261633862323939310a353637366466643334333436373464
+      34616564303465396333326333393462343339643636653231623536613431623135373836626261
+      6632633330383265350a316632303961643363393332636635313333643561653031313038396535
+      37666334346634306263613063383061393264366163633939373165616461383831383364353364
+      33383366326138373862323166653531363233643861363132336363306137363737356633643235
+      393863373065633639656232373732383632

playbooks/apps/checkout.yaml

@@ -0,0 +1,28 @@
+---
+- name: Checkout
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: checkout
+    secret_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      33393761643061393863616663323863663033313865383135663939636433393730643831616231
+      6661313965396164373665663063653461336230313762640a643763346132663238613362336563
+      35643862643139306333346163646161323031376237623661333434326639303233666135616635
+      3135333138336164380a396666363830316237643432366237626431616565376261336534346366
+      64656461343037323137643235373836633766366465373335653162623564653235623362303732
+      34313332316165643437613737663461656231326530356334353237643633303133306561303762
+      643439313139613931313630636333626532
+    mailgun_api_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      34656232613133373865613436623261656331663632666334626664366238636564633931613534
+      3137313234343739333738386664333532613066383533610a613337383462393432303235366132
+      30333433353362653765343638346639333735356631633633633633663863396139646431393463
+      3031346139393432390a336235363635653461303762393731313034393566333031356434386362
+      37333861343838623338663062303539616331323262643031613130363766626261653130373631
+      3063393236333239363366333338303665363930303031373965

playbooks/apps/code.yaml

@@ -0,0 +1,19 @@
+---
+- name: Visual Studio Code
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: code
+    password: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      65333933333436616332666161653932633431333334636364346239346530336337303939643435
+      3935336230623135343638646130313936363034396665650a653066313862326632333130656164
+      38346631366162393833333361633663636362653530666466376162643534303866363261373033
+      6339303930656638660a626635313736663065373535613132326531343737396662626434373039
+      38646136383662346264613534373663326136393361323933383062346336346264643731303333
+      6132373439346165313066353334353532393262346435306134

playbooks/apps/collabora.yaml

@@ -0,0 +1,19 @@
+---
+- name: Collabora
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: collabora
+    password: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      64396634656334643030623536313236663438653730663266346530326233353836656339356631
+      3762666139313164663236323936626530623334356663620a336232383763333039643834636131
+      66396663393662316535346530656636343931383833313234653338623934346265363563366138
+      3838653135306563340a656661343434663230336566396335633165356663633030383065626233
+      34633162303534353231636537613262653865646231313464316164653239376166316266663963
+      6163643335386535366239363637613066306661343866393433

playbooks/apps/files/bin/clean-old-backups

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euo pipefail
+find /mnt/data/backups/hass/* -mtime +5 -delete

playbooks/apps/files/bin/cron2bash

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euo pipefail
+script_name=$1
+cp .template $script_name
+chmod +x $script_name
+shift
+echo "$@" >> $script_name
+echo $(realpath $script_name)

playbooks/apps/files/bin/docker-system-prune

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euo pipefail
+/usr/bin/docker system prune -af

playbooks/apps/files/bin/dump-manuels

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euo pipefail
+/usr/bin/docker compose -f /mnt/data/manuels/docker-compose.yaml exec -T db pg_dump -Fc -U manuels manuels > /mnt/data/manuels/db_export/backup.dump

playbooks/apps/files/bin/dump-miniflux

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euo pipefail
+/usr/bin/docker compose -f /mnt/data/miniflux/docker-compose.yaml exec -T db pg_dump -Fc -U miniflux miniflux > /mnt/data/miniflux/db_export/backup.dump

playbooks/apps/files/bin/dump-nextcloud

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+/usr/bin/docker compose -f /mnt/data/nextcloud/docker-compose.yaml exec -T db pg_dump -Fc -U nextcloud nextcloud > /mnt/data/nextcloud/db_export/backup.dump
+/usr/bin/docker compose -f /mnt/data/nextcloud/docker-compose.yaml exec -T db pg_dumpall --globals-only -U nextcloud > /mnt/data/nextcloud/db_export/roles.sql

playbooks/apps/files/bin/failure

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euxo pipefail
+exit 1

playbooks/apps/files/bin/nextcloud-auto-update

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euo pipefail
+/usr/bin/docker compose -f /mnt/data/nextcloud/docker-compose.yaml exec -T --user www-data nextcloud php occ app:update --all

playbooks/apps/files/bin/nextcloud-cron

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euo pipefail
+/usr/bin/docker compose -f /mnt/data/nextcloud/docker-compose.yaml exec -dT --user www-data nextcloud php cron.php

playbooks/apps/files/bin/nextcloud-preview

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euo pipefail
+/usr/bin/docker compose -f /mnt/data/nextcloud/docker-compose.yaml exec -dT --user www-data nextcloud php occ preview:pre-generate

playbooks/apps/files/bin/restic-backup

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -euo pipefail
+killall restic || true
+source /mnt/data/bin/resticenv
+/usr/bin/restic unlock
+/usr/bin/restic backup --exclude-file /mnt/data/bin/restic-excludes /mnt/data/ /var/spool/cron/ $@

playbooks/apps/files/bin/restic-check

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+source /mnt/data/bin/resticenv
+/usr/bin/restic check --read-data-subset=700M

playbooks/apps/files/bin/restic-excludes

@@ -0,0 +1,24 @@
+db_data
+mysql_data
+redis_data
+*venv*
+deluge_data
+plex_data
+shared_media
+media/data
+deluge
+plex
+prowlarr
+radarr
+sonarr
+transmission
+nextcloud_data/lib
+nextcloud_data/data/appdata_ocw94g5hjk8b/preview
+source_code
+sources
+.cache
+.mozilla
+prometheus_data
+.es_temp_file
+timemachine
+elastic_data

playbooks/apps/files/bin/restic-prune

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -euo pipefail
+killall restic || true
+source /mnt/data/bin/resticenv
+/usr/bin/restic unlock
+/usr/bin/restic forget --prune --keep-within-hourly 1d --keep-within-daily 7d --keep-within-weekly 1m --keep-within-monthly 6m

playbooks/apps/files/bin/resticenv

@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+34643931646634623466323636613561313364633364663034363863353162323266343166363632
+3334363465393362393631356631666161653066663032350a613763383934376138646134313234
+66656436353737333138346133623261356137633066663937646565326439336532616436666336
+3137626464343636650a653064383038363231656136353532396436316363643235653739666631
+33316437333131636434383130376231366562323765343763343164303234386562333962346235
+61333865313138313462613738363231333536386639313433396533636433663432633236366232
+33643137306536626164353338623234393461373339333763356232376431363062373233303762
+38326239306535623237623634363439383838306263343964636637333865346261653639313030
+63353437343237346461313364336461633466383832363637643662633633633665383565623062
+34346338363936336163336431613634616136333163353961653436396332636332323832656338
+37653364366235636663626231636462663836343566343337346461633562663262626135303633
+36333366613033623836623064323238626661323037343266613530306439653535333032636336
+61316133383962353530383133323237333562336463623963613330373762636230616130633738
+31363232353937333536313266346266393233376236373834393232353362646266666336646134
+33323239636464313561646238656337333633366161336266353130343061323963356531356563
+62643136343535346538613738373561313362323833303739636637323366356430376135326132
+6666

playbooks/apps/files/bin/smartlong

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+/usr/sbin/smartctl -t long /dev/sda
+/usr/sbin/smartctl -t long /dev/sdb
+/usr/sbin/smartctl -t long /dev/sdc
+/usr/sbin/smartctl -t long /dev/sdd

playbooks/apps/files/bin/smartshort

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+/usr/sbin/smartctl -t short /dev/sda
+/usr/sbin/smartctl -t short /dev/sdb
+/usr/sbin/smartctl -t short /dev/sdc
+/usr/sbin/smartctl -t short /dev/sdd

playbooks/apps/files/bin/z.sh

@@ -0,0 +1,267 @@
+# Copyright (c) 2009 rupa deadwyler. Licensed under the WTFPL license, Version 2
+
+# maintains a jump-list of the directories you actually use
+#
+# INSTALL:
+#     * put something like this in your .bashrc/.zshrc:
+#         . /path/to/z.sh
+#     * cd around for a while to build up the db
+#     * PROFIT!!
+#     * optionally:
+#         set $_Z_CMD in .bashrc/.zshrc to change the command (default z).
+#         set $_Z_DATA in .bashrc/.zshrc to change the datafile (default ~/.z).
+#         set $_Z_MAX_SCORE lower to age entries out faster (default 9000).
+#         set $_Z_NO_RESOLVE_SYMLINKS to prevent symlink resolution.
+#         set $_Z_NO_PROMPT_COMMAND if you're handling PROMPT_COMMAND yourself.
+#         set $_Z_EXCLUDE_DIRS to an array of directories to exclude.
+#         set $_Z_OWNER to your username if you want use z while sudo with $HOME kept
+#
+# USE:
+#     * z foo     # cd to most frecent dir matching foo
+#     * z foo bar # cd to most frecent dir matching foo and bar
+#     * z -r foo  # cd to highest ranked dir matching foo
+#     * z -t foo  # cd to most recently accessed dir matching foo
+#     * z -l foo  # list matches instead of cd
+#     * z -e foo  # echo the best match, don't cd
+#     * z -c foo  # restrict matches to subdirs of $PWD
+#     * z -x      # remove the current directory from the datafile
+#     * z -h      # show a brief help message
+
+[ -d "${_Z_DATA:-$HOME/.z}" ] && {
+    echo "ERROR: z.sh's datafile (${_Z_DATA:-$HOME/.z}) is a directory."
+}
+
+_z() {
+
+    local datafile="${_Z_DATA:-$HOME/.z}"
+
+    # if symlink, dereference
+    [ -h "$datafile" ] && datafile=$(readlink "$datafile")
+
+    # bail if we don't own ~/.z and $_Z_OWNER not set
+    [ -z "$_Z_OWNER" -a -f "$datafile" -a ! -O "$datafile" ] && return
+
+    _z_dirs () {
+        [ -f "$datafile" ] || return
+
+        local line
+        while read line; do
+            # only count directories
+            [ -d "${line%%\|*}" ] && echo "$line"
+        done < "$datafile"
+        return 0
+    }
+
+    # add entries
+    if [ "$1" = "--add" ]; then
+        shift
+
+        # $HOME and / aren't worth matching
+        [ "$*" = "$HOME" -o "$*" = '/' ] && return
+
+        # don't track excluded directory trees
+        if [ ${#_Z_EXCLUDE_DIRS[@]} -gt 0 ]; then
+            local exclude
+            for exclude in "${_Z_EXCLUDE_DIRS[@]}"; do
+                case "$*" in "$exclude"*) return;; esac
+            done
+        fi
+
+        # maintain the data file
+        local tempfile="$datafile.$RANDOM"
+        local score=${_Z_MAX_SCORE:-9000}
+        _z_dirs | awk -v path="$*" -v now="$(date +%s)" -v score=$score -F"|" '
+            BEGIN {
+                rank[path] = 1
+                time[path] = now
+            }
+            $2 >= 1 {
+                # drop ranks below 1
+                if( $1 == path ) {
+                    rank[$1] = $2 + 1
+                    time[$1] = now
+                } else {
+                    rank[$1] = $2
+                    time[$1] = $3
+                }
+                count += $2
+            }
+            END {
+                if( count > score ) {
+                    # aging
+                    for( x in rank ) print x "|" 0.99*rank[x] "|" time[x]
+                } else for( x in rank ) print x "|" rank[x] "|" time[x]
+            }
+        ' 2>/dev/null >| "$tempfile"
+        # do our best to avoid clobbering the datafile in a race condition.
+        if [ $? -ne 0 -a -f "$datafile" ]; then
+            env rm -f "$tempfile"
+        else
+            [ "$_Z_OWNER" ] && chown $_Z_OWNER:"$(id -ng $_Z_OWNER)" "$tempfile"
+            env mv -f "$tempfile" "$datafile" || env rm -f "$tempfile"
+        fi
+
+    # tab completion
+    elif [ "$1" = "--complete" -a -s "$datafile" ]; then
+        _z_dirs | awk -v q="$2" -F"|" '
+            BEGIN {
+                q = substr(q, 3)
+                if( q == tolower(q) ) imatch = 1
+                gsub(/ /, ".*", q)
+            }
+            {
+                if( imatch ) {
+                    if( tolower($1) ~ q ) print $1
+                } else if( $1 ~ q ) print $1
+            }
+        ' 2>/dev/null
+
+    else
+        # list/go
+        local echo fnd last list opt typ
+        while [ "$1" ]; do case "$1" in
+            --) while [ "$1" ]; do shift; fnd="$fnd${fnd:+ }$1";done;;
+            -*) opt=${1:1}; while [ "$opt" ]; do case ${opt:0:1} in
+                    c) fnd="^$PWD $fnd";;
+                    e) echo=1;;
+                    h) echo "${_Z_CMD:-z} [-cehlrtx] args" >&2; return;;
+                    l) list=1;;
+                    r) typ="rank";;
+                    t) typ="recent";;
+                    x) sed -i -e "\:^${PWD}|.*:d" "$datafile";;
+                esac; opt=${opt:1}; done;;
+             *) fnd="$fnd${fnd:+ }$1";;
+        esac; last=$1; [ "$#" -gt 0 ] && shift; done
+        [ "$fnd" -a "$fnd" != "^$PWD " ] || list=1
+
+        # if we hit enter on a completion just go there
+        case "$last" in
+            # completions will always start with /
+            /*) [ -z "$list" -a -d "$last" ] && builtin cd "$last" && return;;
+        esac
+
+        # no file yet
+        [ -f "$datafile" ] || return
+
+        local cd
+        cd="$( < <( _z_dirs ) awk -v t="$(date +%s)" -v list="$list" -v typ="$typ" -v q="$fnd" -F"|" '
+            function frecent(rank, time) {
+              # relate frequency and time
+              dx = t - time
+              return int(10000 * rank * (3.75/((0.0001 * dx + 1) + 0.25)))
+            }
+            function output(matches, best_match, common) {
+                # list or return the desired directory
+                if( list ) {
+                    if( common ) {
+                        printf "%-10s %s\n", "common:", common > "/dev/stderr"
+                    }
+                    cmd = "sort -n >&2"
+                    for( x in matches ) {
+                        if( matches[x] ) {
+                            printf "%-10s %s\n", matches[x], x | cmd
+                        }
+                    }
+                } else {
+                    if( common && !typ ) best_match = common
+                    print best_match
+                }
+            }
+            function common(matches) {
+                # find the common root of a list of matches, if it exists
+                for( x in matches ) {
+                    if( matches[x] && (!short || length(x) < length(short)) ) {
+                        short = x
+                    }
+                }
+                if( short == "/" ) return
+                for( x in matches ) if( matches[x] && index(x, short) != 1 ) {
+                    return
+                }
+                return short
+            }
+            BEGIN {
+                gsub(" ", ".*", q)
+                hi_rank = ihi_rank = -9999999999
+            }
+            {
+                if( typ == "rank" ) {
+                    rank = $2
+                } else if( typ == "recent" ) {
+                    rank = $3 - t
+                } else rank = frecent($2, $3)
+                if( $1 ~ q ) {
+                    matches[$1] = rank
+                } else if( tolower($1) ~ tolower(q) ) imatches[$1] = rank
+                if( matches[$1] && matches[$1] > hi_rank ) {
+                    best_match = $1
+                    hi_rank = matches[$1]
+                } else if( imatches[$1] && imatches[$1] > ihi_rank ) {
+                    ibest_match = $1
+                    ihi_rank = imatches[$1]
+                }
+            }
+            END {
+                # prefer case sensitive
+                if( best_match ) {
+                    output(matches, best_match, common(matches))
+                    exit
+                } else if( ibest_match ) {
+                    output(imatches, ibest_match, common(imatches))
+                    exit
+                }
+                exit(1)
+            }
+        ')"
+
+        if [ "$?" -eq 0 ]; then
+          if [ "$cd" ]; then
+            if [ "$echo" ]; then echo "$cd"; else builtin cd "$cd"; fi
+          fi
+        else
+          return $?
+        fi
+    fi
+}
+
+alias ${_Z_CMD:-z}='_z 2>&1'
+
+[ "$_Z_NO_RESOLVE_SYMLINKS" ] || _Z_RESOLVE_SYMLINKS="-P"
+
+if type compctl >/dev/null 2>&1; then
+    # zsh
+    [ "$_Z_NO_PROMPT_COMMAND" ] || {
+        # populate directory list, avoid clobbering any other precmds.
+        if [ "$_Z_NO_RESOLVE_SYMLINKS" ]; then
+            _z_precmd() {
+                (_z --add "${PWD:a}" &)
+                : $RANDOM
+            }
+        else
+            _z_precmd() {
+                (_z --add "${PWD:A}" &)
+                : $RANDOM
+            }
+        fi
+        [[ -n "${precmd_functions[(r)_z_precmd]}" ]] || {
+            precmd_functions[$(($#precmd_functions+1))]=_z_precmd
+        }
+    }
+    _z_zsh_tab_completion() {
+        # tab completion
+        local compl
+        read -l compl
+        reply=(${(f)"$(_z --complete "$compl")"})
+    }
+    compctl -U -K _z_zsh_tab_completion _z
+elif type complete >/dev/null 2>&1; then
+    # bash
+    # tab completion
+    complete -o filenames -C '_z --complete "$COMP_LINE"' ${_Z_CMD:-z}
+    [ "$_Z_NO_PROMPT_COMMAND" ] || {
+        # populate directory list. avoid clobbering other PROMPT_COMMANDs.
+        grep "_z --add" <<< "$PROMPT_COMMAND" >/dev/null || {
+            PROMPT_COMMAND="$PROMPT_COMMAND"$'\n''(_z --add "$(command pwd '$_Z_RESOLVE_SYMLINKS' 2>/dev/null)" 2>/dev/null &);'
+        }
+    }
+fi

playbooks/apps/files/charasheet/docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  django:
+    image: crocmagnon/charasheet:latest
+    env_file:
+      - .env
+    volumes:
+      - ./db:/app/db
+      - ./data:/app/data
+    ports:
+      - "8001:8000"
+    user: 1000:1000
+    restart: always
+    init: true
+    tty: true
+    mem_limit: 512m

playbooks/apps/files/charasheet/update

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euxo pipefail
+pushd /mnt/data/charasheet
+docker compose --ansi never pull --quiet
+docker compose --ansi never up -d
+docker compose exec django python manage.py migrate
+popd
+docker image prune -f

playbooks/apps/files/checkout/docker-compose.yml

@@ -0,0 +1,14 @@
+services:
+  django:
+    image: crocmagnon/checkout:latest
+    env_file:
+      - .env
+    volumes:
+      - ./db:/app/db
+      - ./media:/app/media
+    ports:
+      - "8002:8000"
+    restart: always
+    init: true
+    tty: true
+    mem_limit: 512m

playbooks/apps/files/checkout/generate_data

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -euxo pipefail
+pushd /mnt/data/checkout
+docker compose exec django python manage.py clear_all_data
+docker compose exec django python manage.py generate_dummy_baskets
+popd

playbooks/apps/files/checkout/update

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -euxo pipefail
+pushd /mnt/data/checkout
+docker compose --ansi never pull --quiet
+docker compose --ansi never up -d
+docker compose exec django python manage.py migrate
+docker compose exec django python manage.py refresh_cache
+popd
+docker image prune -f

playbooks/apps/files/code/docker-compose.yaml

@@ -0,0 +1,11 @@
+services:
+  code:
+    image: ghcr.io/linuxserver/code-server
+    env_file: code.env
+    restart: always
+    volumes:
+      - ./code_data:/config
+    mem_limit: 3g
+    cpus: 3
+    ports:
+      - "9002:8443"

playbooks/apps/files/manuels/update

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euxo pipefail
+pushd /mnt/data/manuels
+docker compose --ansi never pull
+docker compose --ansi never up -d
+popd
+docker image prune -f

playbooks/apps/ghost-update.yaml

@@ -3,14 +3,13 @@
   hosts: servers
   gather_facts: false
   tasks:
-    - name: Start update on gabnotes.org
+    # Run the first task synchronously to download dependencies.
+    - name: Update gabnotes.org
       ansible.builtin.command:
         chdir: /mnt/data/gabnotes.org
         cmd: ghost update
-      register: gabnotes_async
-      changed_when: false
-      async: 300
-      poll: 0
+      register: gabnotes
+      changed_when: '"Restarting Ghost" in gabnotes.stdout'
     - name: Start update on voyages-lois.augendre.info
       ansible.builtin.command:
         chdir: /mnt/data/voyages-lois.augendre.info
@@ -27,14 +26,6 @@
       changed_when: false
       async: 300
       poll: 0
-    - name: Check gabnotes.org
-      ansible.builtin.async_status:
-        jid: "{{ gabnotes_async.ansible_job_id }}"
-      register: gabnotes
-      until: gabnotes.finished
-      changed_when: '"Restarting Ghost" in gabnotes.stdout'
-      retries: 100
-      delay: 10
     - name: Check voyages-lois.augendre.info
       ansible.builtin.async_status:
         jid: "{{ voyages_lois_async.ansible_job_id }}"

playbooks/apps/gitea.yaml

@@ -1,23 +1,11 @@
 ---
-- name: Setup gitea
+- name: Gitea
   hosts: servers
   gather_facts: false
   tasks:
-    - name: Create dir
-      ansible.builtin.file:
-        path: "{{ dir }}"
-        state: directory
-        mode: "0775"
-    - name: Write env file
-      ansible.builtin.copy:
-        src: files/gitea/gitea.env
-        dest: "{{ dir }}/gitea.env"
-        mode: "0644"
-    - name: Write docker-compose.yaml
-      ansible.builtin.copy:
-        src: files/gitea/docker-compose.yaml
-        dest: "{{ dir }}/docker-compose.yaml"
-        mode: "0644"
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
     - name: Write app.ini
       ansible.builtin.template:
         src: templates/gitea_app.ini.j2
@@ -25,19 +13,10 @@
         mode: "0600"
       notify:
         - Restart service
-    - name: Ensure service is started
-      community.docker.docker_compose_v2:
-        project_src: "{{ dir }}"
-        state: present
-
-  handlers:
-    - name: Restart service
-      community.docker.docker_compose_v2:
-        project_src: "{{ dir }}"
-        state: restarted
 
   vars:
-    dir: /mnt/data/git
+    docker_app_name: git
+    dir: /mnt/data/{{ docker_app_name }}
     lfs_jwt_secret: !vault |
       $ANSIBLE_VAULT;1.1;AES256
       34656631616165623233353835386162343837363230366136303764613334323262313233616462

playbooks/apps/goatcounter.yaml

@@ -17,8 +17,6 @@
         url: https://github.com/arp242/goatcounter/releases/download/{{ release.tag }}/goatcounter-{{ release.tag }}-linux-amd64.gz
         dest: "{{ dir }}/goatcounter-{{ release.tag }}.gz"
         mode: "0644"
-        owner: gaugendre
-        group: gaugendre
     - name: Uncompress
       ansible.builtin.command: gunzip {{ dir }}/goatcounter-{{ release.tag }}.gz
       args:
@@ -26,7 +24,7 @@
     - name: Make executable
       ansible.builtin.file:
         path: "{{ dir }}/goatcounter-{{ release.tag }}"
-        mode: "0775"
+        mode: "0755"
     - name: Symlink
       ansible.builtin.file:
         src: "{{ dir }}/goatcounter-{{ release.tag }}"
@@ -37,7 +35,7 @@
       ansible.builtin.template:
         src: templates/goatcounter.service.j2
         dest: /etc/systemd/system/goatcounter.service
-        mode: "0644"
+        mode: "0600"
         owner: root
         group: root
       notify:

playbooks/apps/lyon-transports.yaml

@@ -8,7 +8,7 @@
       ansible.builtin.template:
         src: templates/lyon-transports.service.j2
         dest: /etc/systemd/system/lyon-transports.service
-        mode: "0644"
+        mode: "0600"
         owner: root
         group: root
       notify:

playbooks/apps/manuels.yaml

@@ -0,0 +1,34 @@
+---
+- name: Manuels
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: manuels
+    secret_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      64306561643134653031316464326531643532383663343665326331626132313930633031636435
+      6663383862663966333161356563323035643434303263640a393638393336346138313566663165
+      63373662376364353335313234396161646466336439306463633238326536643838633735653661
+      6430346530313939310a363233663934373433656634646335623336353964666539346534393931
+      39343066343736343831313430346537346437366430643465303130393734646238323465356231
+      3931363962306337613030663239623536316339303836343530
+    mailgun_api_key: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      33656537666436376336653161333165306265623161333430626333633039383433613135383435
+      6234316438616462663834383363626363643232386363620a323465653063346432303965663831
+      65396230336134376264303166626638333265633139333230353731363964333434666338386336
+      3965653834656536340a396239363339663231626635323364636331386330643030346132343035
+      35623961373734616264636666376464346430613137613438316337636361336434613064366435
+      3331306630663536343162346235383338366234666333633563
+    pg_password: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      62323036653035616437353636363339323162646135613434306366386362643466663163356461
+      3163613832333865663564373439333866383638643137390a323364616536313465306138666463
+      65356437313031373736396133383236383763376138383031633365633730646439643863383037
+      6133316535373830620a373162656264376164396434373064636235613762666361326231653237
+      35323539613232633037643465636338376531656230646632313533656364653566

playbooks/apps/template.yaml.dist

@@ -0,0 +1,11 @@
+---
+- name: ==APP==
+  hosts: servers
+  gather_facts: false
+  tasks:
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
+  vars:
+    docker_app_name: ==APP==

playbooks/apps/templates/bin/dump-gabnotes.org.j2

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euo pipefail
+/usr/bin/mysqldump --no-tablespaces -u root --password={{ ghost_db_password }} gabnotes_org_prod > /mnt/data/gabnotes.org/db_export/backup.sql

playbooks/apps/templates/bin/dump-voyages.coccomagnard.fr.j2

@@ -0,0 +1,3 @@
+#!/bin/bash
+set -euo pipefail
+/usr/bin/mysqldump --no-tablespaces -u root --password={{ ghost_db_password }} voyages_coccomagnard_fr_prod > /mnt/data/voyages.coccomagnard.fr/db_export/backup.sql

playbooks/apps/templates/bin/healthcheck.j2

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -uo pipefail
+RID=`uuidgen`
+BASE_URL="https://hc-ping.com/{{ healthcheck_webhook_token }}/$1"
+START_URL="$BASE_URL/start?rid=$RID"
+shift
+
+curl -A "ubuntu-vm" -fsS --retry 5 -o /dev/null $START_URL
+logs=$($@ 2>&1)
+status=$?
+curl -A "ubuntu-vm" -fsS --retry 5 --data-raw "$logs" -o /dev/null "$BASE_URL/$status?rid=$RID"

playbooks/apps/templates/bin/maintenance.j2

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -euo pipefail
+
+# https://api.hetrixtools.com/v2/<API_TOKEN>/maintenance/<UPTIME_MONITOR_ID>/<MAINTENANCE_MODE>/
+# Modify the maintenance status of any of your Uptime Monitors.
+# <API_TOKEN> - Your API Access Token, in your particular case it's: {{ hetrixtools_token }}
+# <UPTIME_MONITOR_ID> - You can find the ID of any of your Uptime Monitors by using the API Call 'v1 List Uptime Monitors', it is listed for every uptime monitor as 'ID'
+# <MAINTENANCE_MODE> - The type of maintenance. Accepted values (numbers): 1, 2, or 3.
+# 1 - no maintenance mode (normal) - use this to exit maintenance mode
+# 2 - maintenance mode with notifications
+# 3 - maintenance mode without notifications
+
+API_TOKEN="{{ hetrixtools_token }}"
+mode=$1
+if [ "$mode" == "on" ]; then
+    mode=3
+elif [ "$mode" == "off" ]; then
+    mode=1
+else
+    echo "usage $0 <on|off>"
+    exit 1
+fi
+
+ids=$(curl -sSL https://api.hetrixtools.com/v1/$API_TOKEN/uptime/monitors/0/5000/ | jq -r '.[0][] | .ID')
+
+for id in $ids; do
+    curl -sSL https://api.hetrixtools.com/v2/$API_TOKEN/maintenance/$id/$mode/ > /dev/null
+done
+
+echo "Done"

playbooks/apps/templates/bin/new_domain.py.j2

@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+
+import json
+import sys
+
+import ovh
+
+# Instantiate an OVH Client.
+# You can generate new credentials with full access to your account on
+# the token creation page (https://api.ovh.com/createToken/index.cgi?GET=/*&PUT=/*&POST=/*&DELETE=/*)
+# List of available endpoints: https://github.com/ovh/python-ovh#2-configure-your-application
+client = ovh.Client(
+	endpoint='ovh-eu',
+	application_key='{{ ovh_app_key }}',
+	application_secret='{{ ovh_app_secret }}',
+	consumer_key='{{ ovh_consumer_key }}',
+)
+
+if len(sys.argv) != 2:
+    print(f"usage: {sys.argv[0]} <subdomain>")
+    print(f"example: {sys.argv[0]} testing")
+    print("no need to include '.augendre.info'")
+    sys.exit(1)
+
+subdomain = sys.argv[1].removesuffix(".augendre.info")
+res = client.get("/domain/zone/augendre.info/record", fieldType="CNAME", subDomain=subdomain)
+if len(res) > 0:
+    print("CNAME already exists")
+    sys.exit(0)
+
+print("creating domain:")
+res = client.post("/domain/zone/augendre.info/record",
+	fieldType="CNAME",
+	subDomain=subdomain,
+	target="nginx.augendre.info.",
+	ttl=86400,
+)
+print(json.dumps(res, indent=4))
+
+print("refreshing zone:")
+res = client.post("/domain/zone/augendre.info/refresh")
+print(json.dumps(res, indent=4))

playbooks/apps/templates/charasheet/.env.j2

@@ -0,0 +1,7 @@
+SECRET_KEY='{{ secret_key }}'
+DEBUG=false
+ALLOWED_HOSTS=charasheet.augendre.info,localhost
+MAILGUN_API_KEY={{ mailgun_api_key }}
+MAILGUN_SENDER_DOMAIN=mg.augendre.info
+REGISTRATION_OPEN=true
+CSRF_TRUSTED_ORIGINS=https://charasheet.augendre.info

playbooks/apps/templates/checkout/.env.j2

@@ -0,0 +1,7 @@
+SECRET_KEY='{{ secret_key }}'
+DEBUG=false
+HOSTS=checkout.augendre.info
+ADMINS=Gabriel Augendre|gabriel@augendre.info
+MAILGUN_API_KEY={{ mailgun_api_key }}
+MAILGUN_SENDER_DOMAIN=mg.augendre.info
+MPLCONFIGDIR=/app/.matplotlib

playbooks/apps/templates/code/code.env.j2

@@ -0,0 +1,7 @@
+PUID=1000
+PGID=1000
+TZ=Europe/Paris
+PASSWORD={{ password }}
+SUDO_PASSWORD={{ password }}
+PROXY_DOMAIN=code.augendre.info
+DOCKER_MODS=linuxserver/mods:code-server-python3|linuxserver/mods:code-server-golang

playbooks/apps/templates/collabora/docker-compose.yaml.j2

@@ -0,0 +1,14 @@
+services:
+  code:
+    image: collabora/code
+    restart: always
+    environment:
+      server_name: 'cloud.augendre.info'
+      aliasgroup1: 'https://cloud.augendre.info:443'
+      DONT_GEN_SSL_CERT: '1'
+      username: admin
+      password: "{{password}}"
+      extra_params: '--o:ssl.enable=false --o:ssl.termination=true'
+    mem_limit: 2g
+    ports:
+      - "8007:9980"

playbooks/apps/templates/manuels/.env.j2

@@ -0,0 +1,10 @@
+SECRET_KEY='{{ secret_key }}'
+DEBUG=true
+HOSTS=fournitures.augendre.info,manuels.augendre.info
+ADMINS=Gabriel Augendre|gabriel@augendre.info
+MAILGUN_API_KEY={{ mailgun_api_key }}
+MAILGUN_SENDER_DOMAIN=mg.augendre.info
+SERVER_EMAIL=Fournitures et manuels scolaires CDI LPHB <manuels@mg.augendre.info>
+LIBRARIAN_EMAILS=sandrine.augendre@ac-lyon.fr
+EMAIL_REPLY_TO=Sandrine Augendre <sandrine.augendre@ac-lyon.fr>
+DATABASE_URL=postgres://manuels:{{ pg_password }}@db:5432/manuels

playbooks/apps/templates/manuels/docker-compose.yaml.j2

@@ -0,0 +1,24 @@
+services:
+  django:
+    image: crocmagnon/manuels-scolaires:latest
+    env_file:
+      - .env
+    volumes:
+      - ./media:/app/media
+    depends_on:
+      - db
+    restart: always
+    init: true
+    tty: true
+    mem_limit: 512m
+    ports:
+      - "8012:8000"
+  db:
+    image: postgres:15
+    restart: always
+    environment:
+      POSTGRES_PASSWORD: "{{ pg_password }}"
+      POSTGRES_USER: "manuels"
+      POSTGRES_DB: "manuels"
+    volumes:
+      - ./db_data:/var/lib/postgresql/data

playbooks/apps/test_headers.yaml

@@ -1,37 +1,11 @@
 ---
-- name: Setup test_headers
+- name: Test headers
   hosts: servers
   gather_facts: false
   tasks:
-    - name: Create dir
-      ansible.builtin.file:
-        path: "{{ dir }}"
-        state: directory
-        mode: "0775"
-    - name: Write app.py
-      ansible.builtin.copy:
-        src: files/test_headers/app.py
-        dest: "{{ dir }}/app.py"
-        mode: "0644"
-        owner: gaugendre
-        group: gaugendre
-      notify:
-        - Restart service
-    - name: Write docker-compose.yaml
-      ansible.builtin.copy:
-        src: files/test_headers/docker-compose.yaml
-        dest: "{{ dir }}/docker-compose.yaml"
-        mode: "0644"
-        owner: gaugendre
-        group: gaugendre
-    - name: Ensure service is started
-      community.docker.docker_compose_v2:
-        project_src: "{{ dir }}"
-        state: present
-  handlers:
-    - name: Restart service
-      community.docker.docker_compose_v2:
-        project_src: "{{ dir }}"
-        state: restarted
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
   vars:
-    dir: /mnt/data/test_headers
+    docker_app_name: test_headers

playbooks/apps/wallabag.yaml

@@ -1,29 +1,14 @@
 ---
-- name: Setup wallabag
+- name: Wallabag
   hosts: servers
   gather_facts: false
   tasks:
-    - name: Create dir
-      ansible.builtin.file:
-        path: "{{ dir }}"
-        state: directory
-        mode: "0775"
-    - name: Write env file
-      ansible.builtin.template:
-        src: templates/wallabag.env.j2
-        dest: "{{ dir }}/wallabag.env"
-        mode: "0644"
-    - name: Write docker-compose.yaml
-      ansible.builtin.copy:
-        src: files/wallabag-docker-compose.yaml
-        dest: "{{ dir }}/docker-compose.yaml"
-        mode: "0644"
-    - name: Ensure service is started
-      community.docker.docker_compose_v2:
-        project_src: "{{ dir }}"
-        state: present
+    - name: Docker
+      ansible.builtin.include_role:
+        name: docker
+
   vars:
-    dir: /mnt/data/wallabag
+    docker_app_name: wallabag
     secret_key: !vault |
       $ANSIBLE_VAULT;1.1;AES256
       31346432623062383331306633383230376264326530643236393838356166346563653637376666

roles/docker/defaults/main.yaml

@@ -0,0 +1,3 @@
+---
+docker_app_name: some-app
+docker_dir: /mnt/data/{{ docker_app_name }}

roles/docker/handlers/main.yaml

@@ -0,0 +1,11 @@
+---
+- name: Stop service
+  community.docker.docker_compose_v2:
+    project_src: "{{ docker_dir }}"
+    state: stopped
+  listen: Restart service
+- name: Start service
+  community.docker.docker_compose_v2:
+    project_src: "{{ docker_dir }}"
+    state: present
+  listen: Restart service

roles/docker/tasks/main.yaml

@@ -0,0 +1,32 @@
+---
+- name: Create dir
+  ansible.builtin.file:
+    path: "{{ docker_dir }}"
+    state: directory
+    mode: "0775"
+- name: Write files
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ docker_dir }}/"
+    mode: "0600"
+  with_fileglob:
+    - files/{{ docker_app_name }}/*
+    - files/{{ docker_app_name }}/.*
+  notify:
+    - Restart service
+- name: Write templates
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "{{ docker_dir }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
+    mode: "0600"
+  with_fileglob:
+    - templates/{{ docker_app_name }}/*.j2
+    - templates/{{ docker_app_name }}/.*.j2
+  notify:
+    - Restart service
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
+- name: Ensure service is started
+  community.docker.docker_compose_v2:
+    project_src: "{{ docker_dir }}"
+    state: present