From a4629430659f9c09d42b1322c7352a8ed5668d29 Mon Sep 17 00:00:00 2001 
From: LH Date: Fri, 29 Dec 2023 12:34:11 +0100 Subject: [PATCH 01/51] Clean rke2 cluster working --- .../lab/group_vars/gluster_nodes/ca.sops.yml | 43 --- .../lab/group_vars/gluster_nodes/mounts.yml | 8 - .../lab/group_vars/gluster_nodes/version.yml | 4 - .../lab/group_vars/gluster_nodes/volumes.yml | 131 -------- .../argocd.sops.yml | 0 .../{k8s_nodes => k8s_cluster}/argocd.yml | 0 .../lab/group_vars/k8s_cluster/rke2.sops.yml | 24 ++ .../lab/group_vars/k8s_cluster/rke2.yml | 25 ++ .../group_vars/k8s_nodes/k3s-cluster.sops.yml | 41 --- .../lab/group_vars/k8s_nodes/k3s-cluster.yml | 18 -- environments/lab/host_vars/kube1.yml | 6 - environments/lab/host_vars/kube2.yml | 12 - environments/lab/host_vars/kube3.yml | 11 +- environments/lab/host_vars/pve1.yml | 6 - environments/lab/host_vars/pve2.yml | 6 - environments/lab/host_vars/pve3.yml | 10 +- environments/lab/hosts.yml | 27 +- .../prod/group_vars/gluster_nodes/ca.sops.yml | 43 --- .../prod/group_vars/gluster_nodes/mounts.yml | 8 - .../prod/group_vars/gluster_nodes/version.yml | 4 - .../prod/group_vars/gluster_nodes/volumes.yml | 121 -------- .../argocd.sops.yml | 0 .../{k8s_nodes => k8s_cluster}/argocd.yml | 0 .../k3s-cluster.sops.yml | 0 .../k3s-cluster.yml | 0 environments/prod/host_vars/kube1.yml | 6 - environments/prod/host_vars/kube2.yml | 10 +- environments/prod/host_vars/kube3.yml | 11 +- environments/prod/host_vars/pve1.yml | 6 - environments/prod/host_vars/pve2.yml | 6 - environments/prod/host_vars/pve3.yml | 6 - environments/prod/hosts.yml | 27 +- playbooks/_all.yml | 3 +- playbooks/gluster.yml | 23 -- playbooks/kubernetes.yml | 11 +- requirements.yml | 4 +- roles/gluster_client/tasks/hosts.yml | 8 - roles/gluster_client/tasks/install.yml | 10 - roles/gluster_client/tasks/main.yml | 27 -- roles/gluster_server/tasks/cluster.yml | 8 - .../tasks/create-volume-quota.yml | 36 --- roles/gluster_server/tasks/create-volume.yml | 117 -------- roles/gluster_server/tasks/exporter.yml | 21 -- 
roles/gluster_server/tasks/hosts.yml | 6 - roles/gluster_server/tasks/install.yml | 17 -- roles/gluster_server/tasks/main.yml | 45 --- .../templates/create-volume-command.j2 | 6 - .../templates/set-volume-clients-command.j2 | 8 - roles/gluster_shared/apt.yml | 35 --- roles/gluster_shared/tls.yml | 84 ------ roles/gluster_shared/volume-mount.yml | 15 - roles/gluster_shared/volume-subdir.yml | 42 --- roles/k3s_cluster/defaults/main.yml | 3 - roles/k3s_cluster/handlers/main.yml | 16 - .../tasks/cis-hardening-runtime.yml | 47 --- roles/k3s_cluster/tasks/kubeconfig-load.yml | 3 - .../tasks/kubeconfig-store-local.yml | 23 -- roles/k3s_cluster/tasks/main.yml | 31 -- roles/k3s_cluster/tasks/setup-coredns.yml | 6 - roles/k3s_cluster/tasks/setup-helm.yml | 20 -- roles/k3s_cluster/tasks/setup-k3s.yml | 103 ------- roles/k3s_cluster/tasks/setup-pip-modules.yml | 5 - roles/k3s_cluster/tasks/setup-sysctls.yml | 5 - roles/k3s_cluster/templates/audit.yml.j2 | 4 - roles/k3s_cluster/templates/coredns.yml.j2 | 284 ------------------ .../k3s_cluster/templates/k3s-config.yaml.j2 | 59 ---- roles/k3s_cluster/templates/k3s.service.j2 | 26 -- roles/k3s_cluster/templates/kubelet.conf.j2 | 5 - roles/k3s_cluster/templates/namespace.yml.j2 | 4 - .../templates/network-policy-default.yml.j2 | 12 - 70 files changed, 90 insertions(+), 1712 deletions(-) delete mode 100644 environments/lab/group_vars/gluster_nodes/ca.sops.yml delete mode 100644 environments/lab/group_vars/gluster_nodes/mounts.yml delete mode 100644 environments/lab/group_vars/gluster_nodes/version.yml delete mode 100644 environments/lab/group_vars/gluster_nodes/volumes.yml rename environments/lab/group_vars/{k8s_nodes => k8s_cluster}/argocd.sops.yml (100%) rename environments/lab/group_vars/{k8s_nodes => k8s_cluster}/argocd.yml (100%) create mode 100644 environments/lab/group_vars/k8s_cluster/rke2.sops.yml create mode 100644 environments/lab/group_vars/k8s_cluster/rke2.yml delete mode 100644 
environments/lab/group_vars/k8s_nodes/k3s-cluster.sops.yml delete mode 100644 environments/lab/group_vars/k8s_nodes/k3s-cluster.yml delete mode 100644 environments/prod/group_vars/gluster_nodes/ca.sops.yml delete mode 100644 environments/prod/group_vars/gluster_nodes/mounts.yml delete mode 100644 environments/prod/group_vars/gluster_nodes/version.yml delete mode 100644 environments/prod/group_vars/gluster_nodes/volumes.yml rename environments/prod/group_vars/{k8s_nodes => k8s_cluster}/argocd.sops.yml (100%) rename environments/prod/group_vars/{k8s_nodes => k8s_cluster}/argocd.yml (100%) rename environments/prod/group_vars/{k8s_nodes => k8s_cluster}/k3s-cluster.sops.yml (100%) rename environments/prod/group_vars/{k8s_nodes => k8s_cluster}/k3s-cluster.yml (100%) delete mode 100644 playbooks/gluster.yml delete mode 100644 roles/gluster_client/tasks/hosts.yml delete mode 100644 roles/gluster_client/tasks/install.yml delete mode 100644 roles/gluster_client/tasks/main.yml delete mode 100644 roles/gluster_server/tasks/cluster.yml delete mode 100644 roles/gluster_server/tasks/create-volume-quota.yml delete mode 100644 roles/gluster_server/tasks/create-volume.yml delete mode 100644 roles/gluster_server/tasks/exporter.yml delete mode 100644 roles/gluster_server/tasks/hosts.yml delete mode 100644 roles/gluster_server/tasks/install.yml delete mode 100644 roles/gluster_server/tasks/main.yml delete mode 100644 roles/gluster_server/templates/create-volume-command.j2 delete mode 100644 roles/gluster_server/templates/set-volume-clients-command.j2 delete mode 100644 roles/gluster_shared/apt.yml delete mode 100644 roles/gluster_shared/tls.yml delete mode 100644 roles/gluster_shared/volume-mount.yml delete mode 100644 roles/gluster_shared/volume-subdir.yml delete mode 100644 roles/k3s_cluster/defaults/main.yml delete mode 100644 roles/k3s_cluster/handlers/main.yml delete mode 100644 roles/k3s_cluster/tasks/cis-hardening-runtime.yml delete mode 100644 
roles/k3s_cluster/tasks/kubeconfig-load.yml delete mode 100644 roles/k3s_cluster/tasks/kubeconfig-store-local.yml delete mode 100644 roles/k3s_cluster/tasks/main.yml delete mode 100644 roles/k3s_cluster/tasks/setup-coredns.yml delete mode 100644 roles/k3s_cluster/tasks/setup-helm.yml delete mode 100644 roles/k3s_cluster/tasks/setup-k3s.yml delete mode 100644 roles/k3s_cluster/tasks/setup-pip-modules.yml delete mode 100644 roles/k3s_cluster/tasks/setup-sysctls.yml delete mode 100644 roles/k3s_cluster/templates/audit.yml.j2 delete mode 100644 roles/k3s_cluster/templates/coredns.yml.j2 delete mode 100644 roles/k3s_cluster/templates/k3s-config.yaml.j2 delete mode 100644 roles/k3s_cluster/templates/k3s.service.j2 delete mode 100644 roles/k3s_cluster/templates/kubelet.conf.j2 delete mode 100644 roles/k3s_cluster/templates/namespace.yml.j2 delete mode 100644 roles/k3s_cluster/templates/network-policy-default.yml.j2 diff --git a/environments/lab/group_vars/gluster_nodes/ca.sops.yml b/environments/lab/group_vars/gluster_nodes/ca.sops.yml deleted file mode 100644 index b2b1e21..0000000 --- a/environments/lab/group_vars/gluster_nodes/ca.sops.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -gluster_ca: - public_key: ENC[AES256_GCM,data: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,iv:ia4AuHwoD+dHnWmscYFiMf4xWWcSEmjQ4j60L148xQM=,tag:/PFbhCqV0wLm3WUYnKs5tQ==,type:str] - private_key: ENC[AES256_GCM,data:10MSuMa2Ja7U3JQMQXhArQ2tCO4htMo38omQxLbYyhFGcF3EoALYdvLy3vT/88r7tGApyUr3yBzQgPiFqLyxvpnxeoZFbOLynxSD6bZGEEbkNgBtkymYEgKh0GaIKTvFkj44/itQfwB38Ct8OG2SbeaKsqnXhsp8d9uD2H22F7YlA19xNZIquNkRqxZLDgJioiJzT90GRWSxrGqzFwtfNOUdFfQE6SoSJ6dMWIsBY1FVLXLvNY45280U3xzWH9hWRpF46Uus3OAn/quOM2nXhnDbCXj6LbQJ6Ie25irkcbUDr9b2OP/cjp4uGazfqY3ykTzL1L386sJwCdq0ffw8wLGTPFVgkXgcyYQBl2YxDX6paWiFe/LZSHSKRdqi+yrMIS7CuEa1/3PagobTqNYQL+A5At73nQcbcqxpnHBMXAaAjxiiJrISRJiv4NM37AZ9E5RJ0oITWtMUqqW0I+7eAD6LmYuYS0v8DE3gJLBc4TWo1Xmjt49uvFIcngbiRMLjcRyBCgaWxAjWrASsBEeTD3g4UmxsqQj7NwotHcpLhKDvGcVptI2hGRvlwKTCLd9gG55uQ24PF4c8MwMVQBdFULwFp60I30y/z3PnFYudc1/umn1TQeRkpK/6cvZdZ5Y9Ts1wiYO7iR0cvzJY8INJMPfDUKkc1rR+LSSWo8VQTiCHcwe2di/O6+64R4Df2AY9e1Fc1d8N1SD6l/HgeAsYy3AN5l0S+R0hAEvVqp/MYKkecpLyTIrrvri/pVlPD/QIpuUZCaUE3niAaWmy4dHgB6bdERSvFq9dgYTyiYOGQqXhHXrYlFPYfmEfKWrSX6fCUGFCZENBC/ajKullbtxtw0u7Va5lnL4eimI/CCQWJRYOuvsL4jrybOhHbURKVoCXTSYaj346WqOOwxGZpc9MN/8qoCJ0XSPvQBaIcIVEleaiwbIovcAG37jSxHDTs8QUrz/rmv+bGLxAzIopYsrWM3tVfMYlekoo6mxReDMI32rf54nvtlnAPdV/EI3U+QUKhGZs3We0d34oyWLSC5Dw10IOM4687ztHtghtI9eAyaOUKbvAy84ck1FwjJVqa8eHInlyjzBCUrc/d1Z1o/X6S/uDPiaeIFnf/0HHWY71YASLTcbs0J49v/F94VIf6wzngvcXUWUQrPBBb4cu5aNhEp8kOJkHZGAAFrgIQKSyBdQZqsReS4njn2ei0MssKoe2dO7jXMCnEkXnlzZ4GWj7brh8ZbIlddiltwTUxdSc8dq59mmLTkB/l4W8GNX+UZy7OaLZf5CR4OHOUQ9lHt0T1gksBrFk0Rt8GVy6iJgf/t10exjjbosETgke7WpYlv4h+nB25RCYKUr1ExLxSowKex7TDsAZj19Xn2itb9lGfJYyySku6C4PAXtfMvoxezM0s/bdvbJOwf3b0BbdXG5Am+cd0RNdkyN3tF1mkwJRxxOs1jlR3sro9gzS2IXHbdU3EEMJ6R/1iBZHn20fY9iY0Ygv742exSivgPoylalq/c2VcVgBjNz8Erehmj2PItVFore6EMATTT8w/ege0spQs9aNQdwB0GP16UEPAHBMt51V3d+/V4NRYfNe5vMhFJEfcg+KW5aAfkjzkoMIGCICDGqmap7BgT0gELeB9CHqZchPcG+u41aMd3JDagQkObCmaxUUw/R0IaCzX886I3BQFaVTnO85MXmmIiHkU600uWA8DPOX5a2NCUHfcXl4Rab4CxtGz/YOqsU0SAX5yA0L66JVFzKnud7G
MaxoInvBUV5tef5hAQstz2m1RXkHKOFE0qL62cP5gUV9Ac05r5j9qiWnHmV1EPikk4aTq9N//Hky7XSw2kxztJOVzAwMItt/8zjoVkSEuU/KYczQ6l1RR6jvefrcHJVHqnkLDGOqTK6GA6zpe/1wk+E2ooHH5c0nHVbsFIWvRusDwwXOhmMUNyTOt/Jhm4JJmCmJ7jzlxp6q4yL9Q4B9iu1P/n2G+iQuS4LW8243E9HO46V8/eCZpNMfX4J/3DyBcgHhfhtS2SA5zxxgkoS+exd3wqkNDgvXxf3xYSZ0T82NSijIg1k30FlhJjQrMASV5nC8VtRhjwovxrTBeFXL3YGuLoOlLZTKHDmVCEQhWCCY6kBXIczWwDY2tVBN6zBK0zCSI3mK5KZ5L3CHDZt2VACtvQptjGJoXvm1myEz68wOTk40G79Zlmzd5K8ylKqEAKJ1ofBL5fCZNE7rOB1E1vP0KhiP9mLEAWjLrYldMLx3cZDvGdCb5jQol9+h11gN1xHI9S7cFlFojnkdOnh4caRrCgrZCEeBJ8OBXaS+uvYvVTchRKFvoCOPTH0+Pt3s3dzlqIBAJQb+H57oT3q/7E7qIAvvix5zIPEQlSrRzURhlRfqCUoKWaR7WzUMJMgk8hTuZFt8Mc5eVdNmYa2iSproOrrI/nZR73KbD39xbvJIhmlhglxtnYS0fS5Z5Ci4cwfUFIG6gznvbXoxYcNL5CGyJi+d6/FY5n6e9Im/zwXkM1PisZuxRhz/tYTJwzqxfPtkcGa9Kla2r1DqDJkdtsY0TFmqOxnerxOT7wOKeWAFPNLHYps0oo2NJLZbL7hoFhFJzLn3FR/O6rMucT4I/i4UfM4yK2HFtGq3k+FgU5C65wU0ht/is4GJU3b0GPW20URK8kpq7MfvDxtvPAxeP38crT8eSnEg6LNAf49/WZdR7qciYF4IuvujzCeMOIEyhefyMgWQcw/+OQEIId/iugHUs9kCw7yms/zNpTeWA+WJaHIDOWtRqDztPERea/1PTCZzMkCBaybbyBP+nWjBLen0v6DI8BZR9MdiVRpD7Ln82q7WGPeGqVVPcw6dG7iOVfDouJEUb8CPnVzLpV6bF7iJUE9y2t3ZH4InN7wPzancw8Phi0w97PhgJn0igMumbjUls0W7lWw20NoBcs54cMi7sGFnVH4bCMPeEDAl+oY5KfCLdCPPS+RzguDqjyA8+p/rXWdCAMvU3GvqWV2HBqeXku6gyUoCUvP+6iM+LMmPIY6SFc1nhDYZvVAiDhmwFg+g7DS30GQb48y1iL8B95xrbRDdTiab+49LEs9UFevoI70Mk2LxzccxLmbawieFHHJc/0mTMp55JaWPmBZYAnGLEUBZH9/h2dnGAIP+AD+HsP+4oiWcfHalrHYp/Ue8HpLPPuMaelLV1eLmJRKhfAPi5VhbOoNAdU8mlos4Tl6+OlZYEpVB9RxMjVOg4GS0+7btkAZQxjpG8AtR+Og3yesgH3//refDVaoJP7uwKuzVEzJm63V4bOtp+J0u+b60l37tpc/ikfCauKH3f6rO2JXEeytZ5cw7DbyInRbJoNIic9b+HS50JahJSaNIQs7fbeYcKwofgFlTUMrfGYPlIakrqAcxyklrU6P7bFv18/CwVZZaCKDz9ghwitfWDKKfCyi7R6IpI6q5Au2Ymnb6Pru4xNCcixYYCvXpIM3erLurprb8hJEctbcdJCoMscPqqt7Db6XCOqwaU2wxXEKRMtCGgm5VNMyDmYfo/c2y8BHfih0BlztKKQTtq/GoEArVnnWSOXOmqD8hKSf3dd/Jvvw+ec6yQn/8mmhCHHoGQhay51k3Za1BezGEiR+ayh1BDXtM5Dznccc0f9KnT12MqjjAf/DHETGy9+PFV8nXJVSZ5C+xa7M3PNy+I/bmWaMC2vbzjsgEG468sKYHIbC+AmAeuQ82Ctii1QkISIpZ09ESkyJbDYuJ38Lvb1TR+3m7qsZP1/JRDy88AO93
W+ssSbK4euu9ga2RW/HbfK3Tn9srh6SDMcYCGEtu+3z0LCLVtd5at34jD/Iy5GsFEUFqNoHAHM/ML6LmIPY05xU6+5DVgDrgzjKCFmHyAieP4m+9jg3vkOmbCvuW3ODxw5FdCEBoRXSGwcE8LdbirQrMa6edwy8P17YWM/2Ot2fbLFfbUY22uk6tgUicgdhjYIbcbbr4UGsI/rUshgMwaYLRPXx50iXziZTpByLhTSN08KC8xTIRVAdYWCZ3tt+r43oP85g0UFOi20rZHG6rnmA1icipn+ROf4uk3eN2iHE0bQOumggyzQkDG+fYzrlBxVqSe6VEzK78jTgbq44RwMbbFx1Ej44PtmhgHjCSdR/H/TbgbssmmIDOvC1T+6TIT0I4WhUk/LDpZaX8vVOBgqk9zQ0HF3BAoid6HnN4GSrXgKSZei5nvRg9BD77Cw/x99wgjTmQiiI/Ku23dbcMOjeaZEfZ4Xf0TWhvKdzdV6m+w3KbjmsSrFiMqs3p+oUJjYtnfHjUcE8wthUCAmsFUrUWSzufKdxvMj1puCqhlwOdrdlkiZsH58XbEFRbYMoa7GitX9NZQAFNI4TSfzafnpdlo0z7Xixs,iv:p7K9hUBHibcbn3qOn6kdHmNd5s+5rvs532eFRRTCIIk=,tag:vyRHAtVc5QfHGC7/lWNziw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFVEphMXhMY1pVQlVHbHc0 - SGh5QW1qSndkTHBUTjhTR2p4SjBBMHRkY1NzCkkycXZNaS9zTUJmU215WlBSK2Jm - OHBBOERRbzAxMmVFU1VMUVdKUXkwUW8KLS0tIFpMT3E2dmV6VVZ2WmxpRkFzVitS - OC9uaTl5ckRXL1B3UU5vWUwrS1R5RzAKSNdPlKuyBRXQ5yHin4F9ZoDNP4I1WK8E - UUSPMonJqbi3ao9b1fuJjtcSr7E9CyFfqNxwoswaCYeIVytucXYWrg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-30T11:27:50Z" - mac: ENC[AES256_GCM,data:e9doej7ganU8X3pMghIJTI5RWTFMHbo/gcFM6/afjr3DsIz6mKxp/IX6RnPgcJ/RLDMzRI883hNCBP8vfz85FVUv9cNQDu5bCs6zx14KUvDGrEaLme6eGFRCuh6BcTv+nMLILcrFLcrJEZiWnH9zQk3zLoDczWCN6dUfiZ3LxaA=,iv:3jhQpdNDwpyuCLfo5SEGO3ZHs4WX45AwR6yoelvujUs=,tag:qV4QZiMtvf1yNOdQe931Gw==,type:str] - pgp: - - created_at: "2023-06-05T09:01:55Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ//Y6VhFxPrGGyRcRTALrjJViOcME7vwwZIk+Ug466rt1JH - w0VjgxHFQvl/PZBtv+h0p1RCqcFecZq/SWmuFz3istqh6gcowKHOIA644G3yB63g - qLFGrGWfB49oKQ9nIHnzruVSEJLQ85hWm9+NoEalOt0q9SOZ8pOXj48jc/N3DlTe - StVy4/x/X6/IeWHGAgrTCDXGHvHQ39jj6VyVFj9Wxmu/QEZF2NEndByjeaBdA7LK - O7SzKk4Nfrg8H1gBhBOWz3fqMal4K1refoSHsNEZJPVDuFl21VTqeImWNU5tYCZX - 
Ztw4Rm6QE2SQIFCxAVqLbtBq0Q8QX923lnUqjpumPyj66VYZXjUHC50UcSmxQ66V
- SUZqua597XUioLE2zNONrxY8OGtySVc8lOAhbgGi+FwAgGgXqrysg1ujvCld1G6d
- E8MtbiF1qH3spsTT3u7GdXPnVigx0JWR1F6pz7F3ANsKhM980TR+OMxyjGxy2iMS
- jRYPYZh94tS7fNGIEWDlLYdpu6JLbfcZ9u4UEywQx3wgUWJiTskwqpMarfWzi4aL
- S5MbOYQkRHAH96J1ekh0o0xiq8kDmVfSasBAJADhVgJ1AW8Jp/YxVFGDfW2Tnq9E
- XKNpGM57UsbvktM09qjFf/JwkH237/SXXgnaS0sFpExIawwcPZr3jxE/+ezZtMfS
- XgFLBFF1VWZ+Nc+2WezDPSVkWqvAIiMuBFFo0dMStPz+VbcDdiCuOQYX2D57XL2V
- JGbEg+n2lEBQBpySvAU9z45I0ApOln6ApsmQstcmBRIUId0JnXxIITixXXfcfwg=
- =ji+t
- -----END PGP MESSAGE-----
- fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F
- unencrypted_suffix: _unencrypted
- version: 3.7.3
diff --git a/environments/lab/group_vars/gluster_nodes/mounts.yml b/environments/lab/group_vars/gluster_nodes/mounts.yml
deleted file mode 100644
index 51e260e..0000000
--- a/environments/lab/group_vars/gluster_nodes/mounts.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-gluster_node_tls_key_size: 4096
-gluster_tls_certificate_validity_days: 7300
-
-gluster_volume_mounts:
- - k8s-services
- - k8s-services-db
- - k8s-monitoring
- - k8s-nvr
diff --git a/environments/lab/group_vars/gluster_nodes/version.yml b/environments/lab/group_vars/gluster_nodes/version.yml
deleted file mode 100644
index 0a35559..0000000
--- a/environments/lab/group_vars/gluster_nodes/version.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-gluster_major_version: 10
-gluster_minor_version: 4
-
-gluster_exporter_version: 0.4.2
diff --git a/environments/lab/group_vars/gluster_nodes/volumes.yml b/environments/lab/group_vars/gluster_nodes/volumes.yml
deleted file mode 100644
index d6445b8..0000000
--- a/environments/lab/group_vars/gluster_nodes/volumes.yml
+++ /dev/null
@@ -1,131 +0,0 @@ -gluster_volumes: - - name: k8s-services - mount_path: /mnt/gfs/k8s-services - replica_sets: - - storage_bricks: - - host: pve1 - path: /usr/local/gfs/k8s-services/brick0 - - host: pve2 - path: /usr/local/gfs/k8s-services/brick0 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-services/brick0 - - - storage_bricks: - - host: pve1 - path: /usr/local/gfs/k8s-services/brick1 - - host: pve2 - path: /usr/local/gfs/k8s-services/brick1 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-services/brick1 - replicas: 2 - arbiters: 1 - quota: 10.0GB - force: true - allowed_clients: - - kube1 - - kube2 - - kube3 - - pve1 - - pve2 - - pve3 - - - name: k8s-services-db - mount_path: /mnt/gfs/k8s-services-db - replica_sets: - - storage_bricks: - - host: pve1 - path: /usr/local/gfs/k8s-services-db/brick0 - - host: pve2 - path: /usr/local/gfs/k8s-services-db/brick0 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-services-db/brick0 - - - storage_bricks: - - host: pve1 - path: /usr/local/gfs/k8s-services-db/brick1 - - host: pve2 - path: /usr/local/gfs/k8s-services-db/brick1 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-services-db/brick1 - replicas: 2 - arbiters: 1 - quota: 10.0GB - force: true - allowed_clients: - - kube1 - - kube2 - - kube3 - - pve1 - - pve2 - - pve3 - option_groups: - - db-workload - - - name: k8s-monitoring - mount_path: /mnt/gfs/k8s-monitoring - replica_sets: - - storage_bricks: - - host: pve1 - path: /usr/local/gfs/k8s-monitoring/brick0 - - host: pve2 - path: /usr/local/gfs/k8s-monitoring/brick0 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-monitoring/brick0 - - - storage_bricks: - - host: pve1 - path: /usr/local/gfs/k8s-monitoring/brick1 - - host: pve2 - path: /usr/local/gfs/k8s-monitoring/brick1 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-monitoring/brick1 - - replicas: 2 - arbiters: 1 - quota: 10.0GB - force: true - allowed_clients: - - kube1 - - kube2 - - kube3 - - 
pve1 - - pve2 - - pve3 - - - name: k8s-nvr - mount_path: /mnt/gfs/k8s-nvr - replica_sets: - - storage_bricks: - - host: pve1 - path: /usr/local/gfs/k8s-nvr/brick0 - - host: pve2 - path: /usr/local/gfs/k8s-nvr/brick0 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-nvr/brick0 - - - storage_bricks: - - host: pve1 - path: /usr/local/gfs/k8s-nvr/brick1 - - host: pve2 - path: /usr/local/gfs/k8s-nvr/brick1 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-nvr/brick1 - replicas: 2 - arbiters: 1 - quota: 10.0GB - force: true - allowed_clients: - - kube1 - - kube2 - - kube3 - - pve1 - - pve2 - - pve3 diff --git a/environments/lab/group_vars/k8s_nodes/argocd.sops.yml b/environments/lab/group_vars/k8s_cluster/argocd.sops.yml similarity index 100% rename from environments/lab/group_vars/k8s_nodes/argocd.sops.yml rename to environments/lab/group_vars/k8s_cluster/argocd.sops.yml diff --git a/environments/lab/group_vars/k8s_nodes/argocd.yml b/environments/lab/group_vars/k8s_cluster/argocd.yml similarity index 100% rename from environments/lab/group_vars/k8s_nodes/argocd.yml rename to environments/lab/group_vars/k8s_cluster/argocd.yml diff --git a/environments/lab/group_vars/k8s_cluster/rke2.sops.yml b/environments/lab/group_vars/k8s_cluster/rke2.sops.yml new file mode 100644 index 0000000..bc06c9d --- /dev/null +++ b/environments/lab/group_vars/k8s_cluster/rke2.sops.yml 
@@ -0,0 +1,24 @@
+rke2_token: ENC[AES256_GCM,data:kdpp824ygSpOO3j3Js5wXbq3,iv:c0wxTRa1T2Z//w1/ZAnODAUEC67YAL+MVEbkVlDQYWE=,tag:/Wbub9wame0HT/PJcF1nHA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZERVZGphN1puNlo0d2hX
+ QnlnQ0o1Z3JYenFhcnFJNCszTVZKVGJNakZJClo2bEFWbzNCc3FVNFROaU1ObFNi
+ NHBSSnFNNFo3d2ZVMEtaUy9qTkdMMzQKLS0tIEFOL0Q1azA1Q2U0OGowMWRnUTN3
+ Y014N1NGREJiWVN3MDlxZVdDK1Q4WUEKD8rt4RY4sj7BnspGhp7Uqcpl9bkobFU9
+ kjicIjpMCRI5Dnmr2BhtW1SORYNXGj91PFgjNskdk/TnXLzMHFGasw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-22T08:53:07Z"
+ mac: ENC[AES256_GCM,data:IVw4bh0IUuqxOtcb7aZFTkHNzpSQu2sgE56+Kmszlagt/lF/rOVaE2HJbG1A3VFK30pFDxyVzY4XwgbzcQ+gnjcP6iLYH5oPBBtAs5tuiWZhRGdFZjZnobRjrjmTS9Wx6yAufFBlJgMG3MA8QMm74tef8ApLSk4zjD2FhExjEZ0=,iv:hJm0V3Bhvp+nNoKlux8NqQ04HrbejwoO8OsdcoXZE0s=,tag:psjALFHs0vbCajx1kGyo5A==,type:str]
+ pgp:
+ - created_at: "2023-12-22T08:52:37Z"
+ enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//UgusaM/iMVwbAJGDEANTaPE1joy2905k0f/j4RD/9k6X\r\ntC17eEIdIyuGxpSUqzMHmyF3TdHDeiCd7AE8bvy3FCcBNRX9NSsbhrKUKgAN/Y0x\r\naaByf+PUBpG5yD/5uIX2iv0fcnyS5bC1KTt7xjpwVSv7oRLHMiM+ABC3GcWmOFdZ\r\nzxbQJthIuEWMClaytYMrJQFdnDDJmiS2UWwnQBj5hm1DqAHy4zz2xmaYFa+8oEjw\r\n3uELjwmPa17GGU+bmI2Uq+YT8sIt+E/Gpc25kTaLzRw5xA26Hqq57TL3rpTVktVr\r\nzuesMGmJCtjppXoRQkRnIHMctj15pEYBy5xczEzyMr7+lKRoRxWuWDnb9iPYZJoo\r\nEoB8c1N8lmdtLDaGB5yp9nIwqRJY2jOcILFs99BNF27qhfzx+eKKA0u6O00ULoal\r\nWq9HvzDX4a+rEFBjWkm+MzUcBcad8aNdOiK3H48UOyLASsdaIULE30R84Z6TbIby\r\nUIotcka96I6VCJIt/HznpDB271SHxJQ/sFndBzlUKTBPfLcLoovj0oRmdiUgVvt2\r\n6Iv0oWDFZLq5UtYpm1cEPQRgRTQoS6GpZjs862RxnHgIQT8469LA2jx2txw0szM3\r\na+Loq8Rz1oCPIzVVt//WT/U7ysWmpKLrU8675K0NudJ7bTkiR5chaWoJtK2vR//S\r\nXgHejSEdTK6HMhKHBufVkg6OEPIjDgggodfU9ct2dtuk7H8JhTBNQI9dPdxwP+wV\r\nc0+shEuQz4LNUSC0y8ak4RMWmxGLdPFYLJYuNjeZvorTG8rR6plSCIKFE6c3H3E=\r\n=8c17\r\n-----END PGP MESSAGE-----\r\n"
+ fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/environments/lab/group_vars/k8s_cluster/rke2.yml b/environments/lab/group_vars/k8s_cluster/rke2.yml
new file mode 100644
index 0000000..0eacd42
--- /dev/null
+++ b/environments/lab/group_vars/k8s_cluster/rke2.yml
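Review bot: The pgp `enc` value in this new sops file is a double-quoted scalar with `\r\n` escapes, while the age entry beside it and every other sops file touched by this commit use an `enc: |` block scalar; sops reads either form, but the CRLF escapes suggest the file was encrypted on a CRLF host or with a different sops build, which is worth confirming so later re-encryptions do not keep flipping the style. A second, hedged point on `rke2_token`: sops' AES-GCM preserves plaintext length and the `data:` field here is 24 base64 characters, i.e. an 18-byte token, so if the value was typed by hand rather than generated it is cheaper to regenerate a longer random one now than to rotate it after nodes have joined. The age recipient and PGP fingerprint are the same as in the deleted gluster and k3s sops files, so no key material changes with this commit.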
@@ -0,0 +1,25 @@
+rke2_type: server # All nodes are servers
+
+rke2_ha_mode: true
+rke2_ha_mode_kubevip: true
+rke2_ha_mode_keepalived: false
+rke2_kubevip_cloud_provider_enable: true
+rke2_kubevip_svc_enable: true
+rke2_kubevip_image: ghcr.io/kube-vip/kube-vip:v0.6.4
+rke2_kubevip_cloud_provider_image: ghcr.io/kube-vip/kube-vip-cloud-provider:v0.0.4
+
+rke2_api_ip: 10.1.8.200 # TBA: Assign a different IP
+rke2_api_cidr: 24
+
+rke2_version: v1.28.4+rke2r1
+rke2_drain_node_during_upgrade: true
+
+rke2_disable:
+ - rke2-ingress-nginx
+ - rke2-metrics-server
+
+rke2_server_options:
+ - "cluster-cidr: 172.16.0.0/16" # Pod internal IP addresses
+ - "service-cidr: 172.17.0.0/16" # Services internal IP addresses
+
+# TODO: etcd snapshot backup to S3 ?
\ No newline at end of file
diff --git a/environments/lab/group_vars/k8s_nodes/k3s-cluster.sops.yml b/environments/lab/group_vars/k8s_nodes/k3s-cluster.sops.yml
deleted file mode 100644
index 8618976..0000000
--- a/environments/lab/group_vars/k8s_nodes/k3s-cluster.sops.yml
+++ /dev/null
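Review bot: `rke2_server_options` carries no `profile:` entry, yet this same commit deletes `roles/k3s_cluster/tasks/cis-hardening-runtime.yml` (see the diffstat), so the cluster's CIS hardening is dropped rather than migrated; adding a `profile:` line with the value the RKE2 CIS hardening guide gives for v1.28, together with that guide's prerequisites (the etcd system user and the kernel sysctls), would carry it over, or the gap should at least be recorded next to the `# TODO` at the end of the file. The two kube-vip images are pinned by mutable tag only; if the deploy pipeline can tolerate it, pinning by digest (`ghcr.io/kube-vip/kube-vip@sha256:<digest>`, digest to be taken from the registry) makes the control-plane VIP component reproducible and verifiable. `rke2_api_ip: 10.1.8.200` still reads `# TBA: Assign a different IP`, and the file ends without a trailing newline — both look like leftovers to settle before this lands.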
@@ -1,41 +0,0 @@ -k3s_cluster_secret: ENC[AES256_GCM,data:NYOhQtH2m5M=,iv:C4H7Di3H7kU452ZoH0YpHrua0ZXuSiWI/c+BqClvhNg=,tag:OpyNVvWkK41HVyi51snoaA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTWczQUxnYU85a0s1MXJz - aWFCSTZ1UHUwM2lsSlJNK1pqd0hsUmtubWh3CmhxRWNqOUtnVk5aOUFRVTZuNzVh - VVRBWFc5cDBsbElyL3BJWkhyZXRDdkUKLS0tIGwxRlVZVXluZlMyTHVMdGkyMmh2 - YkdVTGFpR2xEVXREVUxHTkFsYjRnWEEKZI5ANJZ+2ypkYEPHPUp++sf1GHuBdFXg - Nt36AgRIucv76FIUCs7txyXlPa9c0qGCuERtszlUC+PTwbjz5fgBYw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-30T11:27:05Z" - mac: ENC[AES256_GCM,data:Ce9zPHz2jRrITP54LDRZyFixCPMxJAqTzsb5HOf7ljT1APSKMbWCGljGG/CF7O6EHm5J06c9ymbUhahoex45EQwmOfTi3gib+b+sfy8pXyX/aDW+qBKMYCzSTwyaWvPy+AdIME30bt1qNfzBYN5op1EObihyMV0a/Yl/07HeUtg=,iv:Jup/+wQe+KBiNUzws1PSLFGqkeKrAA3ht1Ug/dwiQgM=,tag:QE6MnFzLylwnpKEaTmPJOg==,type:str] - pgp: - - created_at: "2023-06-05T09:01:57Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ/+PRvu2ELg+HaWL7mt3GruFMWp1c3ef/QM5l84j4yBGaVk - YTGr1w36roPyH/rNAFs2bJGbh7fNOgVlWn5NrmukakLsk/1bLt75+auNZwXWlGQz - /wHVA5deHePR8jUIJtwk5xDsZVmcZYPMPNrm3fzFvKHLudrsQAIlLgow2fJmvRGs - oXhH8QkiPOxTsqOyITy0Nrza1dixGhzx+X6Z0uG6o5ZcGy6vir56Iy4dcNB952Z9 - WrlK6GA9xZ2pyN8H3ZNqm6xXvaukwjFmKR7NkLhu38yYxvfRjDKpbyAHsQbh5PoF - KVYcn6YnS+0BGihY8eWkx3Q9Wpv8I3zPx2kG0DRXAQUfQtxdHF6+5i2GMbgvuLL/ - lXt2RgR4LDsjAbXR1IpajMzYPkmTSp1vnYum1MKP3wIWP6TJzm4gf3+yVTqtBr50 - 1VnPdpi2fDsGfhjgpsgvP+9MXbGHSDLSQtX0QgZVNnYbQF9dOVRDmovljY+WhY0o - Xi+XNCiP1b97gJk364ENi6in4if4mMKXcQ1icf0gVaY1y4Wg4kaRLWjlHf8c9guQ - z3YKtBoCPEvu/eZ7FVeRCzbBLeobPGTAFMDcX53wfNhDm4HudYboUhFpnpPwpYDI - t2DE//ORhxsY5cQMP9ToawsAuYn9jofLn8ROaCLw6Y+c8+ls/tF0XEIo1sVvVsXS - XgFsUSDB4mE8rV1Y5mqvoNygtMMk4RaiIa1YT+6Z+YqlLTh2ahQx6YnZoPK7fY0i - 59M/zOkaYdCdcAKwkjeSoULEoVcvg2Swp+0Qwo+6aiWmiPaiGsmSLH7OIEx7mOY= - 
=DI0N - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/lab/group_vars/k8s_nodes/k3s-cluster.yml b/environments/lab/group_vars/k8s_nodes/k3s-cluster.yml deleted file mode 100644 index 4c33376..0000000 --- a/environments/lab/group_vars/k8s_nodes/k3s-cluster.yml +++ /dev/null @@ -1,18 +0,0 @@ -k3s_cluster_version: "v1.27.3+k3s1" -k3s_cluster_helm_version: 'v3.8.1' -k3s_cluster_cidr: 172.16.0.0/16 -k3s_cluster_services_cidr: 172.17.0.0/16 -k3s_cluster_dns_internal_ip: 172.17.0.10 - -k3s_cluster_coredns_version: 1.10.0 -k3s_cluster_coredns_replicas: 2 -k3s_cluster_coredns_memory_request: 100Mi -k3s_cluster_coredns_memory_limit: 256Mi -k3s_cluster_coredns_cpu_request: 250m -k3s_cluster_coredns_cpu_limit: 750m -k3s_cluster_coredns_forwarders: - - 1.1.1.1 - - 1.0.0.1 -k3s_cluster_coredns_forwarders_tls_servername: cloudflare-dns.com - -k3s_restart_allowed: true diff --git a/environments/lab/host_vars/kube1.yml b/environments/lab/host_vars/kube1.yml index da3274b..54cf9f9 100644 --- a/environments/lab/host_vars/kube1.yml +++ b/environments/lab/host_vars/kube1.yml @@ -3,11 +3,5 @@ ansible_host: 10.1.8.21 ansible_hostname: kube1-lab fqdn: kube1-lab.homecentr.one -# Gluster -gluster_mount_host: pve1 - -# Kubernetes -k3s_cluster_init: true - # nVidia drivers nvidia_drivers_install_containers: true \ No newline at end of file diff --git a/environments/lab/host_vars/kube2.yml b/environments/lab/host_vars/kube2.yml index 2f228a8..de91418 100644 --- a/environments/lab/host_vars/kube2.yml +++ b/environments/lab/host_vars/kube2.yml 
@@ -3,17 +3,5 @@ ansible_host: 10.1.8.22 ansible_hostname: kube2-lab fqdn: kube2-lab.homecentr.one -# Gluster -gluster_mount_host: pve2 - -# Kubernetes -k3s_cluster_join: https://kube1-lab:6443 - -k3s_cluster_node_labels: - - name: homecentr.one/tpu - value: "true" - - name: homecentr.one/gpu - value: "true" - # nVidia drivers nvidia_drivers_install_containers: true \ No newline at end of file diff --git a/environments/lab/host_vars/kube3.yml b/environments/lab/host_vars/kube3.yml index 019d23e..a0b701f 100644 --- a/environments/lab/host_vars/kube3.yml +++ b/environments/lab/host_vars/kube3.yml @@ -3,13 +3,6 @@ ansible_host: 10.1.8.23 ansible_hostname: kube3-lab fqdn: kube3-lab.homecentr.one -# Gluster -gluster_mount_host: pve3 - # Kubernetes -k3s_cluster_join: https://kube1-lab:6443 - -k3s_cluster_node_taints: - - name: homecentr.one/critical-only - value: "true" - effect: NoSchedule +rke2_server_node_taints: + - 'CriticalAddonsOnly=true:NoSchedule' diff --git a/environments/lab/host_vars/pve1.yml b/environments/lab/host_vars/pve1.yml index a4ed8cc..1c3e25c 100644 --- a/environments/lab/host_vars/pve1.yml +++ b/environments/lab/host_vars/pve1.yml @@ -12,12 +12,6 @@ network_interfaces: # UPS ups_name: dummy-ups1 -# Gluster -gluster_ip: 192.168.7.11 -gluster_hostname: gfs-pve1-lab -gluster_fqdn: gfs-pve1-lab.homecentr.one -gluster_mount_host: pve1 - # PVE pve_pci_passhthrough_enabled: false diff --git a/environments/lab/host_vars/pve2.yml b/environments/lab/host_vars/pve2.yml index 4efe9ba..2507bf1 100644 --- a/environments/lab/host_vars/pve2.yml +++ b/environments/lab/host_vars/pve2.yml @@ -12,12 +12,6 @@ network_interfaces: # UPS ups_name: dummy-ups1 -# Gluster -gluster_ip: 192.168.7.12 -gluster_hostname: gfs-pve2-lab -gluster_fqdn: gfs-pve2-lab.homecentr.one -gluster_mount_host: pve2 - # PVE pve_pci_passhthrough_enabled: false diff --git a/environments/lab/host_vars/pve3.yml b/environments/lab/host_vars/pve3.yml index 5387576..d392cac 100644 
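Review bot: kube3's old `homecentr.one/critical-only` taint is carried over as `CriticalAddonsOnly=true:NoSchedule`, but the kube2.yml hunk on the same line drops the `homecentr.one/tpu` and `homecentr.one/gpu` node labels with no RKE2 replacement, so any workload that selects on those labels will stop scheduling after the migration. The taint variable suggests the role also offers a label list (presumably `rke2_server_node_labels`; confirm against the role's defaults), and kube2.yml should keep `homecentr.one/tpu=true` and `homecentr.one/gpu=true` there. Switching the taint key to `CriticalAddonsOnly` is the right choice for a control-plane-only node since it is the key RKE2's own add-ons tolerate, but any pod tolerations still written for `homecentr.one/critical-only` need the same update.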
--- a/environments/lab/host_vars/pve3.yml +++ b/environments/lab/host_vars/pve3.yml @@ -12,12 +12,6 @@ network_interfaces: # UPS ups_name: dummy-ups1 -# Gluster -gluster_ip: 192.168.7.13 -gluster_hostname: gfs-pve3-lab -gluster_fqdn: gfs-pve3-lab.homecentr.one -gluster_mount_host: pve3 - # PVE pve_vm_machines: - vmid: 301 @@ -30,9 +24,9 @@ pve_vm_machines: os_storage: local-zfs os_disk_size: 32G cpu_count: 1 - cpu_cores_per_cpu: 8 + cpu_cores_per_cpu: 6 min_memory: 8192 - max_memory: 15360 + max_memory: 8192 nic_ipv4_address: 10.1.8.23 nic_ipv4_subnet: 255.255.255.0 nic_ipv4_gateway: 10.1.8.1 diff --git a/environments/lab/hosts.yml b/environments/lab/hosts.yml index f6283cb..f7a3c17 100644 --- a/environments/lab/hosts.yml +++ b/environments/lab/hosts.yml @@ -5,28 +5,23 @@ all: pve1: pve2: pve3: - k8s_nodes: - hosts: - kube1: - kube2: - kube3: - bare_metal_nodes: - hosts: - pve1: - pve2: - pve3: - gluster_nodes: + k8s_cluster: children: - gluster_servers: + masters: hosts: - pve1: - pve2: - pve3: - gluster_clients: + kube1: + kube2: + kube3: + workers: hosts: kube1: kube2: kube3: + bare_metal_nodes: + hosts: + pve1: + pve2: + pve3: nvidia_gpu_nodes: hosts: pve1: diff --git a/environments/prod/group_vars/gluster_nodes/ca.sops.yml b/environments/prod/group_vars/gluster_nodes/ca.sops.yml deleted file mode 100644 index 8cf93b3..0000000 --- a/environments/prod/group_vars/gluster_nodes/ca.sops.yml +++ /dev/null 
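Review bot: In the new `k8s_cluster` group all three kube hosts are members of both `masters` and `workers`, while rke2.yml sets `rke2_type: server` for the whole group, so the `workers` membership is at best redundant and at worst asks the role to treat the same host as an agent; unless the role is known to require a populated `workers` group, drop it or add a comment such as `# all nodes run as servers; workers listed only because the role expects the group` (wording to be confirmed against the role's documentation). The `bare_metal_nodes` block is only moved below `k8s_cluster`, not changed. The enclosing `all:` mapping starts above this hunk.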
@@ -1,43 +0,0 @@ -gluster_ca: - public_key: ENC[AES256_GCM,data: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,iv:moqr+tBeoD7jSZDvP5mZgBtZcboBI194LEaedXvTzxI=,tag:iECGo3iAth7qbhOH1UMJRQ==,type:str] - private_key: ENC[AES256_GCM,data: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,iv:M1SsqiES5Abj2yn4pJ9hSF18tSZbaVS3/xqg+M0S+SI=,tag:J+F+c+7aVLRJuiRS81mqEQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvREVmY3VnNXhxZUtUTUVS - eU0yVy8xc0RBWjJoa25jZSs4NmNrR1E0QkVBClI4Y0l1VTZRaXVvOTBrVXdxek9B - enB3OXhxWkc3Y3pQcTk4a1pQWTJ5dnMKLS0tIHVJcnYrTTN3T01CSkFvOUNxa2M0 - VTZzZ0w4V0xEbTZ1Z2prUUJGdXozRHcKyFLpYX1lyISCQBr2eigo/xVHzjNYMGy0 - ap8qj7x2UEQnnJdHiYMw+x9XM4a7/eG64Cch8MRS1eL9j9tZJDUOpA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-06-09T14:23:01Z" - mac: ENC[AES256_GCM,data:sav4ay/WCBOLgGMP9IVUqsACJ3m2TKE5iV/pyg1HvB3sOkWUWP00A2CzJhkOzPMysWujIn7X5QVe/zgHuAFAiumtsc0oEojJx/mIsr7RSLQMazQq5w508mPdBYK0nzW2Llh1E7czaMeYpwDcAvnGYuT/dw2tZyDEvelf5K++/sQ=,iv:3X5xSQ/2rA1JPsKUGAvyTJLtACU/KrJCPVAYtIUGOsE=,tag:jATn0ZC9zf7CT/PnKZUgqg==,type:str] - pgp: - - created_at: "2023-06-05T09:02:00Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CARAAnEg8m6zyDYKgYmnFhQXi9btopV2Qw50YTS/knR0SuYPV - Lwg5JBC0bwEJ3LZGAuLhpEIBHjdSLglu2fh75Vix5OZhvuEh5WNrl1HiwJWeKgte - s0ljqm9s/ATWe3Htr4AHa8NYBVdSmhRaunQbprPiEOqMiAIk7EQ0pPiHn72W8CkO - AYDvyoNyHC9RLowtskvj/54Xff4e/H1bk4n5MbJ6RzhP0j8Jpz4R98ZwHD68cctK - C/Xs6HvPptQylvheljCarFG+JRMmy6DQ8Ayk70xvPUbkFGCyTUBXG9V5Nsf5wO+t - L5UGQMYAfI+dLO+mMFT+uGzNji2yG5P8XXft++nOyYz90NT8NKyxVZaUoAWZaZQo - JQMJal4z8lhscQcHRjGmzpML5b1P4j08D2TAeKAoRl5pO/fMNP/r8N2KkiSEeK48 - GsnpiiF/V9o7FXhpt2Jspor21aoLmotaHb3a5SYgf0DEUXAmOcrUZl5wMP3xlEBt - eYFfg1Tk84PEMCMnAUJgCo0bsD/VA4weVH3+jljtBvn7na5SlOUcrXaPmxA9t/tY - 
UzGKYQMSx6+AXg9zy7bdEd5otv8htkRfAzBctqMdy47EV+5VPOgbbHGRwUInNWe/ - eyLvnQy6ntcFy+ZkYXiaIGXz5kpOQMPMkbzO1PxDcqGZ6Imu+zcloyTBqOz5iwrS - XgFBfiu73IjYXnXYMlQWEllKZdL9jQmbWTrQQx0HdZtZPdm4d8tt0DClweprBB7R - qTIl6XcVoiVL24b7MkHEivsxeEbG4X+tYa4JboSgIQVnudr0kxl2k97NJtUsyqM= - =lQUH - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/prod/group_vars/gluster_nodes/mounts.yml b/environments/prod/group_vars/gluster_nodes/mounts.yml deleted file mode 100644 index 51e260e..0000000 --- a/environments/prod/group_vars/gluster_nodes/mounts.yml +++ /dev/null @@ -1,8 +0,0 @@ -gluster_node_tls_key_size: 4096 -gluster_tls_certificate_validity_days: 7300 - -gluster_volume_mounts: - - k8s-services - - k8s-services-db - - k8s-monitoring - - k8s-nvr diff --git a/environments/prod/group_vars/gluster_nodes/version.yml b/environments/prod/group_vars/gluster_nodes/version.yml deleted file mode 100644 index 0a35559..0000000 --- a/environments/prod/group_vars/gluster_nodes/version.yml +++ /dev/null @@ -1,4 +0,0 @@ -gluster_major_version: 10 -gluster_minor_version: 4 - -gluster_exporter_version: 0.4.2 diff --git a/environments/prod/group_vars/gluster_nodes/volumes.yml b/environments/prod/group_vars/gluster_nodes/volumes.yml deleted file mode 100644 index 3044d1b..0000000 --- a/environments/prod/group_vars/gluster_nodes/volumes.yml +++ /dev/null 
@@ -1,121 +0,0 @@ -gluster_volumes: - - name: k8s-services - mount_path: /mnt/gfs/k8s-services - replica_sets: - - storage_bricks: - - host: pve1 - path: /user-data0/k8s-services/brick0 - - host: pve2 - path: /user-data0/k8s-services/brick0 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-services/brick0 - - - storage_bricks: - - host: pve1 - path: /user-data1/k8s-services/brick1 - - host: pve2 - path: /user-data1/k8s-services/brick1 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-services/brick1 - replicas: 2 - arbiters: 1 - quota: 1.4TB - force: true # Required because node 3 which has only one disk - allowed_clients: - - kube1 - - kube2 - - kube3 - - pve1 - - pve2 - - pve3 - - - name: k8s-services-db - mount_path: /mnt/gfs/k8s-services-db - replica_sets: - - storage_bricks: - - host: pve1 - path: /user-data0/k8s-services-db/brick0 - - host: pve2 - path: /user-data0/k8s-services-db/brick0 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-services-db/brick0 - - - storage_bricks: - - host: pve1 - path: /user-data1/k8s-services-db/brick1 - - host: pve2 - path: /user-data1/k8s-services-db/brick1 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-services-db/brick1 - replicas: 2 - arbiters: 1 - quota: 0.3TB - force: true # Required because node 3 which has only one disk - allowed_clients: - - kube1 - - kube2 - - kube3 - - pve1 - - pve2 - - pve3 - option_groups: - - db-workload - - - name: k8s-monitoring - mount_path: /mnt/gfs/k8s-monitoring - replica_sets: - - storage_bricks: - - host: pve1 - path: /user-data0/k8s-monitoring/brick0 - - host: pve2 - path: /user-data0/k8s-monitoring/brick0 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-monitoring/brick0 - - - storage_bricks: - - host: pve1 - path: /user-data1/k8s-monitoring/brick1 - - host: pve2 - path: /user-data1/k8s-monitoring/brick1 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-monitoring/brick1 - replicas: 2 - arbiters: 1 - quota: 400GB - force: 
true # Required because node 3 which has only one disk - allowed_clients: - - kube1 - - kube2 - - kube3 - - pve1 - - pve2 - - pve3 - - - name: k8s-nvr - mount_path: /mnt/gfs/k8s-nvr - replica_sets: - - storage_bricks: - - host: pve1 - path: /nvr/brick0 - - host: pve2 - path: /nvr/brick0 - arbiter_bricks: - - host: pve3 - path: /usr/local/gfs/k8s-nvr/brick0 - replicas: 2 - arbiters: 1 - quota: 2.8TB - force: true # Required because node 3 which has only one disk - allowed_clients: - - kube1 - - kube2 - - kube3 - - pve1 - - pve2 - - pve3 diff --git a/environments/prod/group_vars/k8s_nodes/argocd.sops.yml b/environments/prod/group_vars/k8s_cluster/argocd.sops.yml similarity index 100% rename from environments/prod/group_vars/k8s_nodes/argocd.sops.yml rename to environments/prod/group_vars/k8s_cluster/argocd.sops.yml diff --git a/environments/prod/group_vars/k8s_nodes/argocd.yml b/environments/prod/group_vars/k8s_cluster/argocd.yml similarity index 100% rename from environments/prod/group_vars/k8s_nodes/argocd.yml rename to environments/prod/group_vars/k8s_cluster/argocd.yml diff --git a/environments/prod/group_vars/k8s_nodes/k3s-cluster.sops.yml b/environments/prod/group_vars/k8s_cluster/k3s-cluster.sops.yml similarity index 100% rename from environments/prod/group_vars/k8s_nodes/k3s-cluster.sops.yml rename to environments/prod/group_vars/k8s_cluster/k3s-cluster.sops.yml diff --git a/environments/prod/group_vars/k8s_nodes/k3s-cluster.yml b/environments/prod/group_vars/k8s_cluster/k3s-cluster.yml similarity index 100% rename from environments/prod/group_vars/k8s_nodes/k3s-cluster.yml rename to environments/prod/group_vars/k8s_cluster/k3s-cluster.yml diff --git a/environments/prod/host_vars/kube1.yml b/environments/prod/host_vars/kube1.yml index 38af19c..b5390ff 100644 --- a/environments/prod/host_vars/kube1.yml +++ b/environments/prod/host_vars/kube1.yml 
@@ -3,11 +3,5 @@ ansible_host: 10.1.2.21 ansible_hostname: kube1 fqdn: kube1.homecentr.one -# Gluster -gluster_mount_host: pve1 - -# Kubernetes -k3s_cluster_init: true - # nVidia drivers nvidia_drivers_install_containers: true diff --git a/environments/prod/host_vars/kube2.yml b/environments/prod/host_vars/kube2.yml index 7fbd421..ad78dc8 100644 --- a/environments/prod/host_vars/kube2.yml +++ b/environments/prod/host_vars/kube2.yml @@ -3,15 +3,9 @@ ansible_host: 10.1.2.22 ansible_hostname: kube2 fqdn: kube2.homecentr.one -# Gluster -gluster_mount_host: pve2 - # Kubernetes -k3s_cluster_join: https://kube1:6443 - -k3s_cluster_node_labels: - - name: homecentr.one/tpu - value: "true" +k8s_node_label: + - homecentr.one/coral=true # nVidia drivers nvidia_drivers_install_containers: true \ No newline at end of file diff --git a/environments/prod/host_vars/kube3.yml b/environments/prod/host_vars/kube3.yml index 82ae4b5..f918ed4 100644 --- a/environments/prod/host_vars/kube3.yml +++ b/environments/prod/host_vars/kube3.yml @@ -3,13 +3,6 @@ ansible_host: 10.1.2.23 ansible_hostname: kube3 fqdn: kube3.homecentr.one -# Gluster -gluster_mount_host: pve3 - # Kubernetes -k3s_cluster_join: https://kube1:6443 - -k3s_cluster_node_taints: - - name: homecentr.one/critical-only - value: "true" - effect: NoSchedule +rke2_server_node_taints: + - 'CriticalAddonsOnly=true:NoSchedule' diff --git a/environments/prod/host_vars/pve1.yml b/environments/prod/host_vars/pve1.yml index ff4d52a..f9788ee 100644 --- a/environments/prod/host_vars/pve1.yml +++ b/environments/prod/host_vars/pve1.yml @@ -6,12 +6,6 @@ fqdn: pve1.homecentr.one # UPS ups_name: ups1 -# Gluster -gluster_ip: 10.1.7.11 -gluster_hostname: gfs-pve1 -gluster_fqdn: gfs-pve1.homecentr.one -gluster_mount_host: pve1 - # PVE pve_pci_passhthrough_enabled: true diff --git a/environments/prod/host_vars/pve2.yml b/environments/prod/host_vars/pve2.yml index 49b2552..0c44299 100644 --- a/environments/prod/host_vars/pve2.yml 
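Review bot: The replacement node label in kube2.yml changes the key from `homecentr.one/tpu` to `homecentr.one/coral`, and the kube3.yml hunk on the same line changes the taint key from `homecentr.one/critical-only` to `CriticalAddonsOnly`; any nodeSelector or toleration in the cluster manifests that still references the old keys (not visible here) would silently stop matching. Neither value carries a comment saying what consumes it, so a line such as `# Consumed by nodeSelector in <workload manifests>` above `k8s_node_label` would help the next reader. For consistency with the quoted taint in kube3.yml, the label value could also be quoted: `  - 'homecentr.one/coral=true'`.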
+++ b/environments/prod/host_vars/pve2.yml @@ -6,12 +6,6 @@ fqdn: pve2.homecentr.one # UPS ups_name: ups2 -# Gluster -gluster_ip: 10.1.7.12 -gluster_hostname: gfs-pve2 -gluster_fqdn: gfs-pve2.homecentr.one -gluster_mount_host: pve2 - # PVE pve_pci_passhthrough_enabled: true diff --git a/environments/prod/host_vars/pve3.yml b/environments/prod/host_vars/pve3.yml index 84471f3..511b6fa 100644 --- a/environments/prod/host_vars/pve3.yml +++ b/environments/prod/host_vars/pve3.yml @@ -6,12 +6,6 @@ fqdn: pve3.homecentr.one # UPS ups_name: ups1 -# Gluster -gluster_ip: 10.1.7.13 -gluster_hostname: gfs-pve3 -gluster_fqdn: gfs-pve3.homecentr.one -gluster_mount_host: pve3 - # PVE pve_vm_machines: - vmid: 301 diff --git a/environments/prod/hosts.yml b/environments/prod/hosts.yml index f6283cb..f7a3c17 100644 --- a/environments/prod/hosts.yml +++ b/environments/prod/hosts.yml @@ -5,28 +5,23 @@ all: pve1: pve2: pve3: - k8s_nodes: - hosts: - kube1: - kube2: - kube3: - bare_metal_nodes: - hosts: - pve1: - pve2: - pve3: - gluster_nodes: + k8s_cluster: children: - gluster_servers: + masters: hosts: - pve1: - pve2: - pve3: - gluster_clients: + kube1: + kube2: + kube3: + workers: hosts: kube1: kube2: kube3: + bare_metal_nodes: + hosts: + pve1: + pve2: + pve3: nvidia_gpu_nodes: hosts: pve1: diff --git a/playbooks/_all.yml b/playbooks/_all.yml index abe2cc0..cad4d87 100644 --- a/playbooks/_all.yml +++ b/playbooks/_all.yml @@ -1,5 +1,4 @@ - import_playbook: proxmox.yml - import_playbook: common.yml - import_playbook: nvidia.yml -- import_playbook: gluster.yml -- import_playbook: kubernetes.yml +# - import_playbook: kubernetes.yml diff --git a/playbooks/gluster.yml b/playbooks/gluster.yml deleted file mode 100644 index c93b1d8..0000000 --- a/playbooks/gluster.yml +++ /dev/null 
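Review bot: In hosts.yml the new `masters` and `workers` groups list the same three hosts, kube1 to kube3, with nothing stating whether every node is meant to run both the control plane and the agent. If lablabs.rke2 derives the node type from group membership, a host present in both groups is presumably installed as a server and the `workers` group is then redundant; together with the `CriticalAddonsOnly=true:NoSchedule` server taint on kube3 in the kube3.yml hunk above, that would leave two nodes for regular workloads. A comment above `k8s_cluster:` such as `# all nodes are RKE2 servers; 'workers' kept for playbooks that target agents only` would make the intended topology explicit.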
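Review bot: The kubernetes.yml import in playbooks/_all.yml is commented out rather than removed, with no note on why or when it comes back, so a full run of `_all.yml` now silently skips the cluster install even though the commit title says the cluster is working. If the disable is temporary, say so on the line: `# - import_playbook: kubernetes.yml  # TODO: re-enable once the RKE2 playbook is safe for the full run`. Otherwise delete the line so it does not rot.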
@@ -1,23 +0,0 @@ -- name: Set up gluster cluster - hosts: gluster_servers - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tags: - - server - tasks: - - name: Install and configure Gluster servers - ansible.builtin.import_role: - name: ../../roles/gluster_server - -- name: Set up gluster clients - hosts: gluster_clients - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tags: - - client - tasks: - - name: Install and configure Gluster clients - ansible.builtin.import_role: - name: ../../roles/gluster_client diff --git a/playbooks/kubernetes.yml b/playbooks/kubernetes.yml index 6148850..5972d52 100644 --- a/playbooks/kubernetes.yml +++ b/playbooks/kubernetes.yml @@ -1,14 +1,17 @@ - name: Set up Kubernetes cluster - hosts: k8s_nodes + hosts: k8s_cluster become: true become_method: ansible.builtin.sudo any_errors_fatal: true tasks: - - name: Install and configure k3s + # TODO: Kube nodes will need ZFS (later) + + - name: Install Kubernetes cluster (RKE 2) ansible.builtin.import_role: - name: ../../roles/k3s_cluster + name: lablabs.rke2 tags: - - k3s + - k8s + - rke2 - name: Install and configure Argo CD ansible.builtin.import_role: diff --git a/requirements.yml b/requirements.yml index 83b1d1d..c8b89a7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -20,7 +20,7 @@ collections: version: master - name: https://github.com/homecentr/ansible-collection-proxmox type: git - version: master + version: fix/proxmoxer roles: - name: geerlingguy.pip @@ -31,3 +31,5 @@ roles: - name: geerlingguy.helm - name: geerlingguy.node_exporter version: 2.0.0 + - name: lablabs.rke2 + version: 1.28.0 \ No newline at end of file diff --git a/roles/gluster_client/tasks/hosts.yml b/roles/gluster_client/tasks/hosts.yml deleted file mode 100644 index 54f3f05..0000000 --- a/roles/gluster_client/tasks/hosts.yml +++ /dev/null 
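Review bot: The new play hands the cluster install to `lablabs.rke2`, but nothing in the hunk replaces the CIS hardening this commit deletes together with the k3s role (kernel sysctls, the kubelet sysctl file and the API-server audit policy in roles/k3s_cluster/tasks/cis-hardening-runtime.yml further down). If the rke2 role offers a CIS profile option it should be enabled in the `k8s_cluster` group vars and referenced here, otherwise the previous posture is lost silently; either way a comment on the task, e.g. `# CIS hardening is delegated to the role; see the rke2_* vars in group_vars/k8s_cluster`, would record where it went. The `# TODO` sitting between `tasks:` and the first list item is harmless but reads better above the play. The play continues below the hunk.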
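Review bot: `version: fix/proxmoxer` in requirements.yml pins the proxmox collection to a branch, which is a mutable reference: `ansible-galaxy install` fetches whatever the branch points to on the day it runs, so the build is neither reproducible nor protected against the branch being rewritten (the neighbouring `version: master` context line has the same weakness). Pin a tag or the full commit SHA, e.g. `version: <commit sha of the fix/proxmoxer head>`, and keep the branch name in a comment: `# tracks fix/proxmoxer until merged upstream`. The second hunk in the same file adds the `lablabs.rke2` role entry without a trailing newline; add one.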
@@ -1,8 +0,0 @@ -- name: Add host entries for glusterfs servers (for clients) - # Other clients must access the volumes with the same hostname which is used to register the bricks - # This all clients must be able to resolve the gfs specific hostnames to the external ip (i.e. the one that's accessible from the switch) - ansible.builtin.lineinfile: - path: /etc/hosts - regexp: "^{{ hostvars[item].ansible_host | replace('.', '\\.') }}\\W+{{ hostvars[item].gluster_hostname | replace('.', '\\.') }}\\W+{{ hostvars[item].gluster_fqdn | mandatory | replace('.', '\\.') }}\\W*$" # noqa yaml[line-length] - line: "{{ hostvars[item].ansible_host }} {{ hostvars[item].gluster_hostname }} {{ hostvars[item].gluster_fqdn }}" - with_items: "{{ groups['gluster_servers'] }}" diff --git a/roles/gluster_client/tasks/install.yml b/roles/gluster_client/tasks/install.yml deleted file mode 100644 index 0fe4867..0000000 --- a/roles/gluster_client/tasks/install.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: Install Gluster client - ansible.builtin.apt: - name: glusterfs-client # Implicitly depends on fuse - state: present - update_cache: true - -- name: "Load fuse kernel module if not present" - community.general.modprobe: - name: fuse - state: present diff --git a/roles/gluster_client/tasks/main.yml b/roles/gluster_client/tasks/main.yml deleted file mode 100644 index b0056ed..0000000 --- a/roles/gluster_client/tasks/main.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -- name: Configure apt repository - ansible.builtin.include_tasks: - file: ../../gluster_shared/apt.yml - -- name: Add host entries for glusterfs servers - ansible.builtin.include_tasks: - file: hosts.yml - -- name: Install Gluster - ansible.builtin.include_tasks: - file: install.yml - -- name: Configure TLS identity for the node - ansible.builtin.include_tasks: - file: ../../gluster_shared/tls.yml - vars: - gluster_node_hostname: "{{ ansible_hostname }}" - gluster_node_additional_names: - - "{{ fqdn }}" - -- name: Mount GlusterFS volumes - ansible.builtin.include_tasks: - file: ../../gluster_shared/volume-mount.yml - vars: - gluster_volume: "{{ gluster_volumes | selectattr('name', 'equalto', item) | first }}" - when: gluster_volume_mounts is defined - with_items: "{{ gluster_volume_mounts }}" diff --git a/roles/gluster_server/tasks/cluster.yml b/roles/gluster_server/tasks/cluster.yml deleted file mode 100644 index 1995b73..0000000 --- a/roles/gluster_server/tasks/cluster.yml +++ /dev/null @@ -1,8 +0,0 @@ -- name: Probe servers - run_once: true - retries: 15 - delay: "{{ gluster_server_daemon_start.changed | ternary(10, 0) }}" - gluster.gluster.gluster_peer: - state: present - # Current node has to be removed from the list because probing self throws an error - nodes: "{{ groups['gluster_servers'] | map('extract', hostvars) | map(attribute='gluster_hostname') | difference([gluster_hostname]) }}" diff --git a/roles/gluster_server/tasks/create-volume-quota.yml b/roles/gluster_server/tasks/create-volume-quota.yml deleted file mode 100644 index 461badf..0000000 --- a/roles/gluster_server/tasks/create-volume-quota.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -- name: Check if quota is enabled - ansible.builtin.shell: - # pipefail is ignored by design - it's a valid case - cmd: gluster volume info {{ gluster_volume_config.name }} | grep 'features.quota:' | cut -d' ' -f2 - args: - executable: /bin/bash - register: gluster_volume_quota_enabled - changed_when: false - -- name: Enable quota - retries: 10 - delay: 5 - ansible.builtin.command: - cmd: "gluster volume quota {{ gluster_volume_config.name }} enable" - changed_when: "gluster_volume_quota_enabled.stdout != 'on'" - when: "gluster_volume_quota_enabled.stdout != 'on'" - -- name: Check if volume level quota is set - retries: 15 - delay: 15 - until: gluster_volume_quota_set.rc == 0 - register: gluster_volume_quota_set - throttle: 1 - changed_when: false - ansible.builtin.command: - cmd: "gluster volume quota {{ gluster_volume_config.name }} list /" - -- name: Set volume level quota - retries: 5 - delay: 5 - register: gluster_volume_quota_limit_set - until: "'Failed to start aux mount' | string not in gluster_volume_quota_limit_set.stdout" - ansible.builtin.command: - cmd: "gluster volume quota {{ gluster_volume_config.name }} limit-usage / {{ gluster_volume_config.quota }}" - changed_when: "'N/A' | string in gluster_volume_quota_set.stdout" - when: "'N/A' | string in gluster_volume_quota_set.stdout" diff --git a/roles/gluster_server/tasks/create-volume.yml b/roles/gluster_server/tasks/create-volume.yml deleted file mode 100644 index 0b90015..0000000 --- a/roles/gluster_server/tasks/create-volume.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -# Note: this role is not using the existing gluster.gluster modules because the module for managing volumes is poorly designed -# (doesn't for example support allow specifying individual brick paths). Another reason is that this way ansible creates the volume(s) -# if they don't exist but doesn't touch them if they already do. This isn't ideal but it's safer because it can never corrupt a volume containing data. - -- name: Validate storage bricks count - run_once: true - ansible.builtin.assert: - quiet: true - that: - - gluster_validation_item.0.storage_bricks | count == gluster_validation_item.1 - msg: |- - Storage bricks for volume {{ gluster_volume_config.name }} do not match. - Found {{ gluster_validation_item.0.storage_bricks | count }} bricks, expected {{ gluster_validation_item.1 }} - loop: "{{ gluster_volume_config.replica_sets | product([gluster_volume_config.replicas]) }}" - loop_control: - loop_var: gluster_validation_item - -- name: Validate arbiter bricks count - run_once: true - ansible.builtin.assert: - quiet: true - that: - - gluster_validation_item.0.arbiter_bricks | count == gluster_validation_item.1 - msg: |- - Arbiter bricks for volume {{ gluster_volume_config.name }} do not match. 
- Found {{ gluster_validation_item.0.arbiter_bricks | count }} bricks, expected {{ gluster_validation_item.1 }} - loop: "{{ gluster_volume_config.replica_sets | product([gluster_volume_config.arbiters]) }}" - loop_control: - loop_var: gluster_validation_item - -- name: Check if volume exists - ansible.builtin.command: - cmd: "gluster volume info {{ gluster_volume_config.name }}" - failed_when: false - changed_when: false - register: gluster_volume_exists - -- name: Create storage bricks directories if they do not exist - ansible.builtin.file: - path: "{{ brick.path }}" - state: directory - owner: root - group: root - mode: 0770 - loop: "{{ gluster_volume_config.replica_sets | map(attribute='storage_bricks') | flatten | selectattr('host', 'equalto', inventory_hostname) }}" - loop_control: - loop_var: brick - when: gluster_volume_exists.rc != 0 - -- name: Create arbiter bricks directories if they do not exist - ansible.builtin.file: - path: "{{ brick.path }}" - state: directory - owner: root - group: root - mode: 0770 - loop: "{{ gluster_volume_config.replica_sets | map(attribute='arbiter_bricks') | flatten | selectattr('host', 'equalto', inventory_hostname) }}" - loop_control: - loop_var: brick - when: gluster_volume_exists.rc != 0 - -- name: Create volume if does not exist - run_once: true - ansible.builtin.command: - cmd: "{{ lookup('template', 'create-volume-command.j2') }}" - changed_when: gluster_volume_exists.rc != 0 - when: gluster_volume_exists.rc != 0 - -- name: Enable server tls - run_once: true - ansible.builtin.command: - cmd: "gluster volume set {{ gluster_volume_config.name }} server.ssl on" - changed_when: true - -- name: Enable client tls - run_once: true - ansible.builtin.command: - cmd: "gluster volume set {{ gluster_volume_config.name }} client.ssl on" - changed_when: true - -- name: Set allowed clients - run_once: true - ansible.builtin.command: - cmd: "{{ lookup('template', 'set-volume-clients-command.j2') }}" - changed_when: true - -- name: 
Apply option groups - run_once: true - changed_when: true - ansible.builtin.command: - cmd: "gluster volume set {{ gluster_volume_config.name }} group {{ group_name }}" - loop: "{{ gluster_volume_config.option_groups }}" - loop_control: - loop_var: group_name - when: "'option_groups' in gluster_volume_config" - -- name: Check volume status - ansible.builtin.shell: - cmd: | - set -o pipefail - gluster volume info {{ gluster_volume_config.name }} | grep 'Status:' | cut -d' ' -f2 - args: - executable: /bin/bash - changed_when: false - register: gluster_volume_status - -- name: Start the volume - run_once: true - ansible.builtin.command: - cmd: "gluster volume start {{ gluster_volume_config.name }}" - changed_when: gluster_volume_status.stdout != "Started" - when: gluster_volume_status.stdout != "Started" - -- name: Configure quota - run_once: true - ansible.builtin.include_tasks: - file: create-volume-quota.yml \ No newline at end of file diff --git a/roles/gluster_server/tasks/exporter.yml b/roles/gluster_server/tasks/exporter.yml deleted file mode 100644 index 3051107..0000000 --- a/roles/gluster_server/tasks/exporter.yml +++ /dev/null @@ -1,21 +0,0 @@ -- name: Download exporter binary - ansible.builtin.get_url: - url: "https://github.com/kadalu/gluster-metrics-exporter/releases/download/{{ gluster_exporter_version }}/gluster-metrics-exporter-amd64" - dest: /usr/sbin/gluster-metrics-exporter - owner: root - group: root - mode: '0550' - -- name: Download systemd service file - ansible.builtin.get_url: - url: "https://github.com/kadalu/gluster-metrics-exporter/releases/download/{{ gluster_exporter_version }}/gluster-metrics-exporter.service" - dest: /etc/systemd/system/gluster-metrics-exporter.service - owner: root - group: root - mode: '0440' - -- name: Start exporter - ansible.builtin.systemd: - name: gluster-metrics-exporter.service - state: started - daemon_reload: true 
diff --git a/roles/gluster_server/tasks/hosts.yml b/roles/gluster_server/tasks/hosts.yml deleted file mode 100644 index f40b813..0000000 --- a/roles/gluster_server/tasks/hosts.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: Add host entries for glusterfs servers (for servers) - ansible.builtin.lineinfile: - path: /etc/hosts - regexp: "^{{ hostvars[item].gluster_ip | replace('.', '\\.') }}\\W+{{ hostvars[item].gluster_hostname | replace('.', '\\.') }}\\W+{{ hostvars[item].gluster_fqdn | mandatory | replace('.', '\\.') }}\\W*$" # noqa yaml[line-length] - line: "{{ hostvars[item].gluster_ip }} {{ hostvars[item].gluster_hostname }} {{ hostvars[item].gluster_fqdn }}" - with_items: "{{ groups['gluster_servers'] }}" diff --git a/roles/gluster_server/tasks/install.yml b/roles/gluster_server/tasks/install.yml deleted file mode 100644 index 0cb8871..0000000 --- a/roles/gluster_server/tasks/install.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: Install Gluster server - register: gluster_server_install - ansible.builtin.apt: - name: glusterfs-server - state: present - update_cache: true - -- name: Start the Gluster daemon - register: gluster_server_daemon_start - until: gluster_server_daemon_start.status.ActiveState == "active" - delay: 20 - retries: 15 - throttle: 1 - ansible.builtin.service: - name: glusterd - state: started - enabled: true diff --git a/roles/gluster_server/tasks/main.yml b/roles/gluster_server/tasks/main.yml deleted file mode 100644 index ae36dad..0000000 --- a/roles/gluster_server/tasks/main.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -- name: Configure apt repository - ansible.builtin.include_tasks: - file: ../../gluster_shared/apt.yml - -- name: Add host entries for glusterfs servers - ansible.builtin.include_tasks: - file: hosts.yml - -- name: Install Gluster - ansible.builtin.include_tasks: - file: install.yml - -- name: Configure TLS identity for the node - ansible.builtin.include_tasks: - file: ../../gluster_shared/tls.yml - vars: - gluster_server_restart: true - gluster_node_hostname: "{{ gluster_hostname }}" # Servers must use their gluster specific identity - gluster_node_additional_names: - - "{{ gluster_fqdn }}" - - "{{ ansible_hostname }}" - - "{{ fqdn }}" - -- name: Turn Gluster nodes into a cluster - ansible.builtin.include_tasks: - file: cluster.yml - -- name: Install and configure Prometheus exporter - ansible.builtin.include_tasks: - file: exporter.yml - -- name: Create Gluster volumes - ansible.builtin.include_tasks: - file: create-volume.yml - vars: - gluster_volume_config: "{{ item }}" - loop: "{{ gluster_volumes }}" - -- name: Mount Gluster volumes - ansible.builtin.include_tasks: - file: ../../gluster_shared/volume-mount.yml - vars: - gluster_volume: "{{ gluster_volumes | selectattr('name', 'equalto', item) | first }}" - when: gluster_volume_mounts is defined - loop: "{{ gluster_volume_mounts }}" diff --git a/roles/gluster_server/templates/create-volume-command.j2 b/roles/gluster_server/templates/create-volume-command.j2 deleted file mode 100644 index 1dbd613..0000000 --- a/roles/gluster_server/templates/create-volume-command.j2 +++ /dev/null 
@@ -1,6 +0,0 @@ -gluster volume create {{ gluster_volume_config.name }} replica {{ gluster_volume_config.replicas }} arbiter {{ gluster_volume_config.arbiters }} -{%- for replica_set in gluster_volume_config.replica_sets %} -{%- for brick in replica_set.storage_bricks %} {{ hostvars[brick.host].gluster_hostname }}:{{ brick.path }}{% endfor -%} -{%- for brick in replica_set.arbiter_bricks %} {{ hostvars[brick.host].gluster_hostname }}:{{ brick.path }}{% endfor -%} -{%- endfor %} -{%- if "force" in gluster_volume_config and gluster_volume_config.force %} force{% endif %} \ No newline at end of file diff --git a/roles/gluster_server/templates/set-volume-clients-command.j2 b/roles/gluster_server/templates/set-volume-clients-command.j2 deleted file mode 100644 index 0230e26..0000000 --- a/roles/gluster_server/templates/set-volume-clients-command.j2 +++ /dev/null @@ -1,8 +0,0 @@ -gluster volume set {{ gluster_volume_config.name }} auth.ssl-allow ' -{%- for client in gluster_volume_config.allowed_clients -%} - {%- if "gluster_hostname" in hostvars[client] -%} - {{ hostvars[client].gluster_hostname }}, - {%- endif -%} - {{ hostvars[client].ansible_hostname }}, -{%- endfor -%} -127.0.0.1' \ No newline at end of file diff --git a/roles/gluster_shared/apt.yml b/roles/gluster_shared/apt.yml deleted file mode 100644 index cfdcfc9..0000000 --- a/roles/gluster_shared/apt.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -- name: Get Debian version ID - ansible.builtin.shell: - cmd: | - set -o pipefail - grep 'VERSION_ID=' /etc/os-release | cut -d '=' -f 2 | tr -d '"' - args: - executable: /bin/bash - register: gluster_debid - changed_when: false - -- name: Get Debian version - ansible.builtin.shell: - cmd: | - set -o pipefail - grep 'VERSION=' /etc/os-release | grep -Eo '[a-z]+' - args: - executable: /bin/bash - register: gluster_debver - changed_when: false - -- name: Get architecture - ansible.builtin.command: - cmd: "dpkg --print-architecture" - register: gluster_debarch - changed_when: false - -- name: Add GlusterFS apt repository key - ansible.builtin.apt_key: - url: https://download.gluster.org/pub/gluster/glusterfs/{{ gluster_major_version }}/rsa.pub - state: present - -- name: Add Gluster repository into sources - ansible.builtin.apt_repository: - repo: deb https://download.gluster.org/pub/gluster/glusterfs/{{ gluster_major_version }}/{{ gluster_major_version }}.{{ gluster_minor_version }}/Debian/{{ gluster_debid.stdout | trim }}/{{ gluster_debarch.stdout | trim }}/apt {{ gluster_debver.stdout | trim }} main # noqa yaml[line-length] - state: present diff --git a/roles/gluster_shared/tls.yml b/roles/gluster_shared/tls.yml deleted file mode 100644 index 70429e3..0000000 --- a/roles/gluster_shared/tls.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -- name: Install python modules - ansible.builtin.apt: - name: - - python3-passlib - - python3-cryptography - -- name: Get certificates default directory - ansible.builtin.shell: - cmd: | - set -o pipefail - openssl version -d | cut -d'"' -f2 - args: - executable: /bin/bash - register: gluster_openssl_dir - changed_when: false - -- name: Copy CA certificate - register: gluster_tls_ca - ansible.builtin.copy: - dest: "{{ gluster_openssl_dir.stdout }}/glusterfs.ca" - content: "{{ gluster_ca.public_key }}" - owner: root - group: root - mode: 0600 - force: true - -- name: Generate private key - register: gluster_tls_private_key - community.crypto.openssl_privatekey: - path: "{{ gluster_openssl_dir.stdout }}/glusterfs.key" - size: "{{ gluster_node_tls_key_size }}" - -- name: Create certificate signing request - community.crypto.openssl_csr: - path: "{{ gluster_openssl_dir.stdout }}/glusterfs.csr" - privatekey_path: "{{ gluster_openssl_dir.stdout }}/glusterfs.key" - common_name: "{{ gluster_node_hostname }}" - subject_alt_name: "{{ gluster_node_additional_names | map('regex_replace', '(.*)', 'DNS:\\1') | join(',') }}" - -- name: Generate a node certificate - register: gluster_tls_cert - community.crypto.x509_certificate: - path: "{{ gluster_openssl_dir.stdout }}/glusterfs.pem" - privatekey_path: "{{ gluster_openssl_dir.stdout }}/glusterfs.key" - csr_path: "{{ gluster_openssl_dir.stdout }}/glusterfs.csr" - ownca_not_after: "+{{ gluster_tls_certificate_validity_days }}d" - ownca_content: "{{ gluster_ca.public_key }}" - ownca_privatekey_content: "{{ gluster_ca.private_key }}" - provider: ownca - -- name: Enable Gluster TLS (Create dir) - ansible.builtin.file: - path: /var/lib/glusterd - state: directory - owner: root - group: root - mode: 0744 - -- name: Enable Gluster TLS - register: gluster_tls_enabled - ansible.builtin.file: - path: /var/lib/glusterd/secure-access - access_time: preserve # to avoid changing the file when it already exists (causes 
additional daemon restarts) - modification_time: preserve - state: touch - owner: root - group: root - mode: 0644 - -- name: Restart server daemon # noqa no-handler include_tasks cannot notify a handler - register: gluster_restart - until: "gluster_restart.status is defined and gluster_restart.status.ActiveState == 'active'" - delay: 20 - retries: 15 - throttle: 1 - when: (gluster_tls_enabled.changed - or gluster_tls_cert.changed - or gluster_tls_private_key.changed - or gluster_tls_ca.changed) - and (gluster_server_restart | default(false)) - ansible.builtin.service: - name: glusterd - state: restarted - enabled: true diff --git a/roles/gluster_shared/volume-mount.yml b/roles/gluster_shared/volume-mount.yml deleted file mode 100644 index c516bd9..0000000 --- a/roles/gluster_shared/volume-mount.yml +++ /dev/null @@ -1,15 +0,0 @@ -- name: Create mount directory - ansible.builtin.file: - path: "{{ gluster_volume.mount_path }}" - state: directory - owner: root - group: root - mode: 0770 - -- name: Mount volume - ansible.posix.mount: - path: "{{ gluster_volume.mount_path }}" - src: "{{ hostvars[gluster_mount_host].gluster_hostname }}:/{{ gluster_volume.name }}" - fstype: glusterfs - opts: defaults,_netdev - state: mounted diff --git a/roles/gluster_shared/volume-subdir.yml b/roles/gluster_shared/volume-subdir.yml deleted file mode 100644 index b784148..0000000 --- a/roles/gluster_shared/volume-subdir.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -- name: Validate input - assert: - that: - - "subdir_name is defined" - - "subdir_name | length > 0" - msg: "Variable 'subdir_name' is not defined or empty" - -- name: Select gluster host - set_fact: - gluster_executor: "{{ groups['gluster_servers'] | random }}" - -- name: Load gluster server host - ansible.builtin.add_host: - name: '{{ gluster_executor }}' - groups: gluster_servers - -- name: Create directory (executed on gluster server) - delegate_to: "{{ gluster_executor }}" - file: - path: "{{ gluster_volumes | selectattr('name', 'equalto', subdir_volume_name) | map(attribute='mount_path') | first }}/{{ subdir_name }}" - state: directory - owner: root - group: root - mode: 0777 - -- name: Set quota - delegate_to: "{{ gluster_executor }}" - when: subdir_quota_gigabytes is defined - shell: - cmd: "gluster volume quota {{ subdir_volume_name }} limit-usage /{{ subdir_name }} {{ subdir_quota_gigabytes }}GB" - -- name: Remove quota - delegate_to: "{{ gluster_executor }}" - when: subdir_quota_gigabytes is not defined - register: subdir_remove_quita - failed_when: "'Reason : No data available' not in subdir_remove_quita.stderr" - shell: - cmd: "gluster volume quota {{ subdir_volume_name }} remove /{{ subdir_name }}" - -- name: Set fact - set_fact: - gluster_volume_subdirs: "{{ gluster_volume_subdirs | default({}) | combine({ subdir_name: (gluster_volumes | selectattr('name', 'equalto', subdir_volume_name) | map(attribute='mount_path') | first) + '/' + subdir_name }) }}" # noqa yaml[line-length] diff --git a/roles/k3s_cluster/defaults/main.yml b/roles/k3s_cluster/defaults/main.yml deleted file mode 100644 index 1836963..0000000 --- a/roles/k3s_cluster/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -k3s_cluster_init: false -k3s_cluster_server_location: "/var/lib/rancher/k3s" -k3s_cluster_systemd_dir: "/etc/systemd/system" 
diff --git a/roles/k3s_cluster/handlers/main.yml b/roles/k3s_cluster/handlers/main.yml deleted file mode 100644 index 9d1e2d7..0000000 --- a/roles/k3s_cluster/handlers/main.yml +++ /dev/null @@ -1,16 +0,0 @@ -- name: Restart k3s - register: k3s_restart - ansible.builtin.service: - name: k3s - state: restarted - enabled: true - until: k3s_restart.status.ActiveState == "active" - delay: 20 - retries: 15 - throttle: 1 - when: k3s_restart_allowed - -- name: Apply kubelet.conf - ansible.builtin.command: - cmd: sysctl -p /etc/sysctl.d/90-kubelet.conf - changed_when: true # Handler only called when the source file is changed diff --git a/roles/k3s_cluster/tasks/cis-hardening-runtime.yml b/roles/k3s_cluster/tasks/cis-hardening-runtime.yml deleted file mode 100644 index 19ff491..0000000 --- a/roles/k3s_cluster/tasks/cis-hardening-runtime.yml +++ /dev/null @@ -1,47 +0,0 @@ -- name: Update kernel parameters - register: k3s_cluster_kernel_parameters - ansible.posix.sysctl: - name: "{{ item.name }}" - value: "{{ item.value }}" - sysctl_set: true - with_items: - - name: vm.panic_on_oom - value: 0 - - name: vm.overcommit_memory - value: 1 - - name: kernel.panic - value: 10 - - name: kernel.panic_on_oops - value: 1 - -- name: Reboot machine # noqa no-handler (Must happen immediately) - when: k3s_cluster_kernel_parameters.changed - throttle: 1 - ansible.builtin.reboot: - -- name: Create kubelet.conf - notify: Apply kubelet.conf - ansible.builtin.copy: - dest: /etc/sysctl.d/90-kubelet.conf - owner: root - group: root - mode: 0640 - content: "{{ lookup('template', 'kubelet.conf.j2') }}" - force: true - -- name: Create audit log directory - ansible.builtin.file: - path: /var/lib/rancher/k3s/server/logs - owner: root - group: root - mode: 0700 - state: directory - -- name: Create audit policy - ansible.builtin.copy: - dest: /var/lib/rancher/k3s/server/audit.yaml - owner: root - group: root - mode: 0644 - content: "{{ lookup('template', 'audit.yml.j2') }}" - force: true 
diff --git a/roles/k3s_cluster/tasks/kubeconfig-load.yml b/roles/k3s_cluster/tasks/kubeconfig-load.yml deleted file mode 100644 index f3bb64a..0000000 --- a/roles/k3s_cluster/tasks/kubeconfig-load.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: Set kubeconfig path to facts - ansible.builtin.set_fact: - k3s_cluster_kubeconfig_path: "/etc/rancher/k3s/k3s.yaml" diff --git a/roles/k3s_cluster/tasks/kubeconfig-store-local.yml b/roles/k3s_cluster/tasks/kubeconfig-store-local.yml deleted file mode 100644 index a9083e2..0000000 --- a/roles/k3s_cluster/tasks/kubeconfig-store-local.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: Load kube config - ansible.builtin.slurp: - src: "{{ k3s_cluster_kubeconfig_path }}" - register: k3s_cluster_kubeconfig - -- name: Create .kube directory - become: false - delegate_to: localhost - run_once: true - ansible.builtin.file: - path: "$HOME/.kube" - state: directory - mode: 0700 - -- name: Store kubeconfig on local workstation - become: false - delegate_to: localhost - run_once: true - ansible.builtin.copy: - dest: "$HOME/.kube/config" - content: "{{ k3s_cluster_kubeconfig.content | b64decode }}" - mode: 0600 - force: true diff --git a/roles/k3s_cluster/tasks/main.yml b/roles/k3s_cluster/tasks/main.yml deleted file mode 100644 index bc8f6ca..0000000 --- a/roles/k3s_cluster/tasks/main.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: Install required pip modules - ansible.builtin.include_tasks: - file: setup-pip-modules.yml - -- name: Apply CIS hardening recommendations - ansible.builtin.include_tasks: - file: cis-hardening-runtime.yml - -- name: Set up sysctl options - ansible.builtin.include_tasks: - file: setup-sysctls.yml - -- name: Set up helm - ansible.builtin.include_tasks: - file: setup-helm.yml - -- name: Set up k3s cluster - ansible.builtin.include_tasks: - file: setup-k3s.yml - -- name: Set up Core DNS (required for Argo CD to clone the git repository) - ansible.builtin.include_tasks: - file: setup-coredns.yml - -- name: Load kubeconfig - ansible.builtin.include_tasks: - file: kubeconfig-load.yml - -- name: Save kubeconfig to localhost - ansible.builtin.include_tasks: - file: kubeconfig-store-local.yml diff --git a/roles/k3s_cluster/tasks/setup-coredns.yml b/roles/k3s_cluster/tasks/setup-coredns.yml deleted file mode 100644 index cb32db4..0000000 --- a/roles/k3s_cluster/tasks/setup-coredns.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: Create Core DNS resources - run_once: true - kubernetes.core.k8s: - kubeconfig: "/etc/rancher/k3s/k3s.yaml" - definition: "{{ lookup('template', 'coredns.yml.j2') }}" - state: present diff --git a/roles/k3s_cluster/tasks/setup-helm.yml b/roles/k3s_cluster/tasks/setup-helm.yml deleted file mode 100644 index 12dc159..0000000 --- a/roles/k3s_cluster/tasks/setup-helm.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: Install helm - ansible.builtin.include_role: - name: geerlingguy.helm - vars: - helm_version: "{{ k3s_cluster_helm_version }}" - helm_platform: linux - helm_arch: amd64 - -- name: Install git (required to install Helm plugin) - ansible.builtin.apt: - name: git - state: present - update_cache: true - force_apt_get: true - default_release: bookworm - -- name: Install Helm diff plugin - kubernetes.core.helm_plugin: - plugin_path: https://github.com/databus23/helm-diff - state: present 
diff --git a/roles/k3s_cluster/tasks/setup-k3s.yml b/roles/k3s_cluster/tasks/setup-k3s.yml deleted file mode 100644 index 91eba16..0000000 --- a/roles/k3s_cluster/tasks/setup-k3s.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -- name: Create k3s bin directory - ansible.builtin.file: - path: "/usr/local/bin/k3s-bins/{{ k3s_cluster_version }}" - owner: root - group: root - mode: 0755 - state: directory - -- name: "Download k3s binary (x64)" - notify: Restart k3s # New version might have been downloaded - ansible.builtin.get_url: - url: https://github.com/k3s-io/k3s/releases/download/{{ k3s_cluster_version }}/k3s - checksum: sha256:https://github.com/k3s-io/k3s/releases/download/{{ k3s_cluster_version }}/sha256sum-amd64.txt - dest: "/usr/local/bin/k3s-bins/{{ k3s_cluster_version }}/k3s" - owner: root - group: root - mode: 0755 - force: false - -- name: "Check k3s symlink destination" - register: k3s_cluster_k3s_symlink - ansible.builtin.stat: - path: "/usr/local/bin/k3s" - -- name: "Create k3s symlink" - when: "not k3s_cluster_k3s_symlink.stat.exists or k3s_cluster_k3s_symlink.stat.lnk_source != '/usr/local/bin/k3s-bins/' + k3s_cluster_version + '/k3s'" - ansible.builtin.file: - src: "/usr/local/bin/k3s-bins/{{ k3s_cluster_version }}/k3s" - dest: "/usr/local/bin/k3s" - state: link - force: true - owner: root - group: root - mode: 0750 - -- name: Create K3s service file - register: k3s_cluster_k3s_service - ansible.builtin.template: - src: "k3s.service.j2" - dest: "{{ k3s_cluster_systemd_dir }}/k3s.service" - owner: root - group: root - mode: 0644 - force: true - -- name: Create k3s directory if not exist - ansible.builtin.file: - path: /etc/rancher/k3s - owner: root - group: root - mode: 0755 - state: directory - -- name: Create config file - notify: Restart k3s - ansible.builtin.template: - src: "k3s-config.yaml.j2" - dest: "/etc/rancher/k3s/config.yaml" - owner: root - group: root - mode: 0644 - force: true - -- name: Start the k3s service - retries: 10 - until: "'status' in k3s_cluster_k3s_service and k3s_cluster_k3s_service.status.ActiveState == 'active'" - register: k3s_cluster_k3s_service - ansible.builtin.systemd: - name: k3s - daemon_reload: true - state: started 
- enabled: true - -- name: Create kubectl symlink - ansible.builtin.file: - src: /usr/local/bin/k3s - dest: /usr/local/bin/kubectl - state: link - -- name: "Force the k3s restart immediately if it needs to happen" - ansible.builtin.meta: flush_handlers - -- name: Wait for K3s management port to be available - ansible.builtin.wait_for: - host: "{{ ansible_host }}" - port: 6443 - delay: 5 - state: started - -- name: Wait kube api starts responding - retries: 20 - kubernetes.core.k8s_info: - kubeconfig: "/etc/rancher/k3s/k3s.yaml" - api_version: v1 - kind: Pod - namespace: kube-system - -- name: Tighten /etc/rancher/k3s/k3s.yaml security - ansible.builtin.file: - path: /etc/rancher/k3s/k3s.yaml - mode: 0600 - owner: root - group: root diff --git a/roles/k3s_cluster/tasks/setup-pip-modules.yml b/roles/k3s_cluster/tasks/setup-pip-modules.yml deleted file mode 100644 index a443107..0000000 --- a/roles/k3s_cluster/tasks/setup-pip-modules.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Install required pip modules - ansible.builtin.apt: - name: - - python3-kubernetes - state: present diff --git a/roles/k3s_cluster/tasks/setup-sysctls.yml b/roles/k3s_cluster/tasks/setup-sysctls.yml deleted file mode 100644 index 686138f..0000000 --- a/roles/k3s_cluster/tasks/setup-sysctls.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Configure max UDP buffer size (required for Cloudflared) - ansible.posix.sysctl: - name: net.core.rmem_max - value: '2500000' - state: present diff --git a/roles/k3s_cluster/templates/audit.yml.j2 b/roles/k3s_cluster/templates/audit.yml.j2 deleted file mode 100644 index 9ec0d3c..0000000 --- a/roles/k3s_cluster/templates/audit.yml.j2 +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: audit.k8s.io/v1 -kind: Policy -rules: -- level: Metadata \ No newline at end of file diff --git a/roles/k3s_cluster/templates/coredns.yml.j2 b/roles/k3s_cluster/templates/coredns.yml.j2 deleted file mode 100644 index 74cbb40..0000000 --- a/roles/k3s_cluster/templates/coredns.yml.j2 +++ /dev/null 
@@ -1,284 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: coredns - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns -rules: -- verbs: - - list - - watch - apiGroups: - - '' - resources: - - endpoints - - services - - pods - - namespaces -- verbs: - - list - - watch - apiGroups: - - discovery.k8s.io - resources: - - endpointslices ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:coredns -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:coredns -subjects: -- kind: ServiceAccount - name: coredns - namespace: kube-system ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: coredns - namespace: kube-system -data: - Corefile: | - cluster.local:5353 { - kubernetes cluster.local { - pods insecure - } - } - .:5353 { - log - errors - health { - lameduck 5s - } - ready - hosts { - {% filter indent(width=4) %} - {% for host in groups['all'] %} - {{ hostvars[host]['ansible_host'] }} {{ host }} {{ hostvars[host].fqdn }} - {% endfor %} - - {% for host in groups['gluster_servers'] %} - {{ hostvars[host].ansible_host }} {{ hostvars[host].gluster_hostname }} {{ hostvars[host].gluster_fqdn }} - {% endfor %} - - {% endfilter %} - - fallthrough - } - forward . 
{% for forwarder in k3s_cluster_coredns_forwarders %}tls://{{ forwarder }} {% endfor %} { - tls_servername {{ k3s_cluster_coredns_forwarders_tls_servername }} - health_check 5s - } - prometheus :9090 - cache 30 - loop - reload - loadbalance - } ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: coredns - namespace: kube-system - labels: - app.kubernetes.io/name: coredns - app.kubernetes.io/instance: kube-dns -spec: - replicas: {{ k3s_cluster_coredns_replicas }} - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - selector: - matchLabels: - app.kubernetes.io/name: coredns - app.kubernetes.io/instance: kube-dns - template: - metadata: - labels: - app.kubernetes.io/name: coredns - app.kubernetes.io/instance: kube-dns - spec: - securityContext: - runAsNonRoot: true - priorityClassName: system-cluster-critical - serviceAccountName: coredns - automountServiceAccountToken: true - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - - key: homecentr.one/critical-only - operator: Exists - effect: NoSchedule - nodeSelector: - kubernetes.io/os: linux - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: ["coredns"] - - key: app.kubernetes.io/instance - operator: In - values: ["kube-dns"] - topologyKey: kubernetes.io/hostname - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/name: coredns - app.kubernetes.io/instance: kube-dns - containers: - - name: coredns - image: coredns/coredns:{{ k3s_cluster_coredns_version }} - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: {{ k3s_cluster_coredns_cpu_limit }} - memory: {{ k3s_cluster_coredns_memory_limit }} - requests: - cpu: {{ k3s_cluster_coredns_cpu_request }} - memory: {{ k3s_cluster_coredns_memory_request }} - args: [ "-conf", 
"/etc/coredns/Corefile" ] - volumeMounts: - - name: config-volume - mountPath: /etc/coredns - readOnly: true - ports: - - containerPort: 5353 - name: dns - protocol: UDP - - containerPort: 5353 - name: dns-tcp - protocol: TCP - - containerPort: 9153 - name: metrics - protocol: TCP - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1001 - capabilities: - add: - - NET_BIND_SERVICE - drop: - - all - readOnlyRootFilesystem: true - livenessProbe: - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /ready - port: 8181 - scheme: HTTP - dnsPolicy: Default - volumes: - - name: config-volume - configMap: - name: coredns - items: - - key: Corefile - path: Corefile ---- -apiVersion: v1 -kind: Service -metadata: - name: kube-dns - namespace: kube-system - annotations: - prometheus.io/port: "9153" - prometheus.io/scrape: "true" - labels: - app.kubernetes.io/name: coredns - app.kubernetes.io/instance: kube-dns -spec: - selector: - app.kubernetes.io/name: coredns - app.kubernetes.io/instance: kube-dns - clusterIP: {{ k3s_cluster_dns_internal_ip | mandatory }} - ports: - - name: dns - port: 53 - targetPort: 5353 - protocol: UDP - - name: dns-tcp - port: 53 - targetPort: 5353 - protocol: TCP - - name: metrics - port: 9153 - protocol: TCP ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: coredns - namespace: kube-system -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: coredns - app.kubernetes.io/instance: kube-dns - policyTypes: - - Ingress - - Egress - ingress: - - from: # DNS queries from other pods - - namespaceSelector: {} - - podSelector: {} - ports: - - protocol: TCP - port: 53 - - protocol: UDP - port: 53 - - protocol: TCP - port: 5353 - - protocol: UDP - port: 5353 - egress: - - to: # Forwarding external DNS queries -{% for forwarder in k3s_cluster_coredns_forwarders %} 
- - ipBlock: - cidr: {{ forwarder }}/32 -{% endfor %} - ports: - - protocol: TCP - port: 853 # DNS over TLS - - protocol: TCP - port: 53 - - protocol: UDP - port: 53 - - to: # Kubernetes API -{% for node in groups['k8s_nodes'] %} - - ipBlock: - cidr: {{ hostvars[node]['ansible_host'] }}/32 -{% endfor %} - ports: - - protocol: TCP - port: 6443 \ No newline at end of file diff --git a/roles/k3s_cluster/templates/k3s-config.yaml.j2 b/roles/k3s_cluster/templates/k3s-config.yaml.j2 deleted file mode 100644 index e4b4e7a..0000000 --- a/roles/k3s_cluster/templates/k3s-config.yaml.j2 +++ /dev/null 
@@ -1,59 +0,0 @@ -disable: -- servicelb -- coredns -- metrics-server -# - traefik -- local-storage - -disable-helm-controller: true -bind-address: {{ k3s_cluster_node_ip | default(ansible_host) }} -node-ip: {{ k3s_cluster_node_ip | default(ansible_host) }} -cluster-cidr: {{ k3s_cluster_cidr | mandatory }} -service-cidr: {{ k3s_cluster_services_cidr | mandatory }} -{% if k3s_cluster_init is defined and k3s_cluster_init %} -cluster-init: true -{% else %} -server: {{ k3s_cluster_join | mandatory }} -{% endif %} -token: "{{ k3s_cluster_secret | mandatory }}" - -{% if k3s_cluster_node_labels is defined %} -node-label: -{% for label in k3s_cluster_node_labels %} - - {{ label.name }}={{ label.value }} -{% endfor %} -{% endif %} - -{% if k3s_cluster_node_taints is defined %} -node-taint: -{% for taint in k3s_cluster_node_taints %} - - {{ taint.name }}={{ taint.value }}:{{ taint.effect }} -{% endfor %} -{% endif %} - -# etcd-expose-metrics: true -write-kubeconfig-mode: 600 - -protect-kernel-defaults: true -secrets-encryption: true -kube-apiserver-arg: - - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' - - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' - - 'audit-log-maxage=30' - - 'audit-log-maxbackup=10' - - 'audit-log-maxsize=100' - - 'request-timeout=300s' - - 'service-account-lookup=true' - - 'enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount' - - 'feature-gates=PodSecurity=true' - -kubelet-arg: - - 'streaming-connection-idle-timeout=5m' - - 'make-iptables-util-chains=true' - - 'node-status-update-frequency=10s' - -kube-controller-manager-arg: - - 'terminated-pod-gc-threshold=10' - - 'use-service-account-credentials=true' - - 'node-monitor-period=5s' - - 'node-monitor-grace-period={{ k3s_cluster_node_unhealthy_grace_period | default(20) }}s' \ No newline at end of file diff --git a/roles/k3s_cluster/templates/k3s.service.j2 b/roles/k3s_cluster/templates/k3s.service.j2 deleted file mode 100644 index 639e9ad..0000000 
--- a/roles/k3s_cluster/templates/k3s.service.j2 +++ /dev/null @@ -1,26 +0,0 @@ -[Unit] -Description=Lightweight Kubernetes -Documentation=https://k3s.io -After=network-online.target - -# PodSecurityPolicy is not enabled in the admission plugins on purpose, cluster is switched to Pod Security Standards - -[Service] -Type=notify -ExecStartPre=-/sbin/modprobe br_netfilter -ExecStartPre=-/sbin/modprobe overlay -ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_cluster_server_location }} {{ k3s_cluster_extra_server_args | default("") }} -KillMode=process -Delegate=yes -# Having non-zero Limit*s causes performance problems due to accounting overhead -# in the kernel. We recommend using cgroups to do container-local accounting. -LimitNOFILE=1048576 -LimitNPROC=infinity -LimitCORE=infinity -TasksMax=infinity -TimeoutStartSec=0 -Restart=always -RestartSec=5s - -[Install] -WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/k3s_cluster/templates/kubelet.conf.j2 b/roles/k3s_cluster/templates/kubelet.conf.j2 deleted file mode 100644 index b83e7c8..0000000 --- a/roles/k3s_cluster/templates/kubelet.conf.j2 +++ /dev/null @@ -1,5 +0,0 @@ -vm.panic_on_oom=0 -vm.overcommit_memory=1 -kernel.panic=10 -kernel.panic_on_oops=1 -kernel.keys.root_maxbytes=25000000 \ No newline at end of file diff --git a/roles/k3s_cluster/templates/namespace.yml.j2 b/roles/k3s_cluster/templates/namespace.yml.j2 deleted file mode 100644 index c694a2c..0000000 --- a/roles/k3s_cluster/templates/namespace.yml.j2 +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: {{ name }} \ No newline at end of file diff --git a/roles/k3s_cluster/templates/network-policy-default.yml.j2 b/roles/k3s_cluster/templates/network-policy-default.yml.j2 deleted file mode 100644 index 8fbad3b..0000000 --- a/roles/k3s_cluster/templates/network-policy-default.yml.j2 +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default - namespace: {{ namespace }} -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress - ingress: - egress: \ No newline at end of file From d59046f6179e5c95b1482e47bb4e8dbb3c068b26 Mon Sep 17 00:00:00 2001 From: LH Date: Fri, 29 Dec 2023 13:23:46 +0100 Subject: [PATCH 02/51] Helm, Sysctls, Argocd working --- .../lab/group_vars/k8s_cluster/argocd.yml | 1 + .../lab/group_vars/k8s_cluster/helm.yml | 3 +++ .../prod/group_vars/k8s_cluster/argocd.yml | 1 + playbooks/kubernetes.yml | 19 +++++++++++++++++++ requirements.yml | 1 + roles/argocd/defaults/main.yml | 1 - roles/argocd/tasks/main.yml | 5 +++-- roles/k8s-python-modules/tasks/main.yml | 4 ++++ roles/k8s-sysctls/tasks/main.yml | 5 +++++ 9 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 environments/lab/group_vars/k8s_cluster/helm.yml delete mode 100644 roles/argocd/defaults/main.yml create mode 100644 roles/k8s-python-modules/tasks/main.yml create mode 100644 roles/k8s-sysctls/tasks/main.yml diff --git a/environments/lab/group_vars/k8s_cluster/argocd.yml b/environments/lab/group_vars/k8s_cluster/argocd.yml index 14869cf..53cf998 100644 --- a/environments/lab/group_vars/k8s_cluster/argocd.yml +++ b/environments/lab/group_vars/k8s_cluster/argocd.yml @@ -1,3 +1,4 @@ +argocd_kubeconfig_path: /etc/rancher/rke2/rke2.yaml argocd_url: https://argocd-lab.homecentr.one argocd_admin_group_id: b77c210d-8ae3-4292-9e95-c7d42a2f254f argocd_git_repository_url: https://github.com/homecentr/kubernetes.git diff --git a/environments/lab/group_vars/k8s_cluster/helm.yml b/environments/lab/group_vars/k8s_cluster/helm.yml new file mode 100644 index 0000000..835ecdd --- /dev/null +++ b/environments/lab/group_vars/k8s_cluster/helm.yml @@ -0,0 +1,3 @@ +helm_version: 'v3.13.3' +helm_platform: linux +helm_arch: amd64 \ No newline at end of file 
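Review bot: `argocd_kubeconfig_path: /etc/rancher/rke2/rke2.yaml` is RKE2's cluster-admin kubeconfig, which exists only on server nodes, while the variable is set on the whole `k8s_cluster` group and the Argo CD tasks later in this series use `run_once` against whichever group member Ansible picks first; if that group ever gains agent-only nodes the path is absent there (group membership is not visible in this hunk). Consider `delegate_to` a server host or a `stat` guard before the first `kubernetes.core.k8s` call. The same literal value is also set for prod in this commit while the role default was deleted, so a role default with per-environment override would avoid the two copies drifting.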
diff --git a/environments/prod/group_vars/k8s_cluster/argocd.yml b/environments/prod/group_vars/k8s_cluster/argocd.yml index 522ad5d..b862f29 100644 --- a/environments/prod/group_vars/k8s_cluster/argocd.yml +++ b/environments/prod/group_vars/k8s_cluster/argocd.yml @@ -1,3 +1,4 @@ +argocd_kubeconfig_path: /etc/rancher/rke2/rke2.yaml argocd_url: https://argocd.homecentr.one argocd_admin_group_id: 64d004bd-9218-4fae-9919-0505ff5eeb8e argocd_git_repository_url: https://github.com/homecentr/kubernetes.git diff --git a/playbooks/kubernetes.yml b/playbooks/kubernetes.yml index 5972d52..33ac796 100644 --- a/playbooks/kubernetes.yml +++ b/playbooks/kubernetes.yml @@ -13,6 +13,25 @@ - k8s - rke2 + - name: Configure sysctls + ansible.builtin.import_role: + name: ../../roles/k8s-sysctls + tags: + - k8s + - rke2 + + - name: Install python modules for k8s management + ansible.builtin.import_role: + name: ../../roles/k8s-python-modules + tags: + - always + + - name: Install helm + ansible.builtin.import_role: + name: geerlingguy.helm + tags: + - helm + - name: Install and configure Argo CD ansible.builtin.import_role: name: ../../roles/argocd diff --git a/requirements.yml b/requirements.yml index c8b89a7..0e38f4d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -29,6 +29,7 @@ roles: version: 2.2.0 - name: geerlingguy.clamav - name: geerlingguy.helm + version: 1.0.1 - name: geerlingguy.node_exporter version: 2.0.0 - name: lablabs.rke2 diff --git a/roles/argocd/defaults/main.yml b/roles/argocd/defaults/main.yml deleted file mode 100644 index 038ff5e..0000000 --- a/roles/argocd/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ -argocd_kubeconfig_path: /etc/rancher/k3s/k3s.yaml diff --git a/roles/argocd/tasks/main.yml b/roles/argocd/tasks/main.yml index eae223b..74b0eee 100644 --- a/roles/argocd/tasks/main.yml +++ b/roles/argocd/tasks/main.yml 
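Review bot: The new `version: 1.0.1` for `geerlingguy.helm` is a Galaxy/GitHub tag, which is mutable, so it pins intent rather than content; this role downloads the Helm binary on every node, so it is worth noting in a comment that the pin is a tag (`# tag, not a content hash — review on bump`) or pinning by commit in `requirements.yml` where the installer supports it. In the same hunk `geerlingguy.clamav` still appears without any `version:` (context line, not changed here), so it will float to whatever Galaxy serves next.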
@@ -1,5 +1,6 @@ - name: Install Argo CD ansible.builtin.include_tasks: ./install.yml -- name: Configure Argo CD - ansible.builtin.include_tasks: ./configure.yml +# TODO: Replace with application sets +# - name: Configure Argo CD +# ansible.builtin.include_tasks: ./configure.yml diff --git a/roles/k8s-python-modules/tasks/main.yml b/roles/k8s-python-modules/tasks/main.yml new file mode 100644 index 0000000..c32f327 --- /dev/null +++ b/roles/k8s-python-modules/tasks/main.yml @@ -0,0 +1,4 @@ +- name: Install python for kubernetes management + ansible.builtin.apt: + name: + - python3-kubernetes \ No newline at end of file diff --git a/roles/k8s-sysctls/tasks/main.yml b/roles/k8s-sysctls/tasks/main.yml new file mode 100644 index 0000000..8cae8d6 --- /dev/null +++ b/roles/k8s-sysctls/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Configure max UDP buffer size (required for Cloudflared) + ansible.posix.sysctl: + name: net.core.rmem_max + value: '2500000' + state: present \ No newline at end of file From 586a18048d949c97a9fd3e51df13c2f9892bf59c Mon Sep 17 00:00:00 2001 
From: LH Date: Wed, 3 Jan 2024 16:51:25 +0100 Subject: [PATCH 03/51] Application sets working --- .../lab/group_vars/k8s_cluster/argocd.yml | 18 +++++- .../prod/group_vars/k8s_cluster/argocd.yml | 2 +- roles/argocd/defaults/main.yml | 1 + roles/argocd/tasks/configure.yml | 34 ++++++++++- roles/argocd/tasks/install.yml | 10 ++-- roles/argocd/tasks/main.yml | 5 +- roles/argocd/templates/application-set.yml.j2 | 58 +++++++++++++++++++ roles/argocd/templates/application.yml.j2 | 36 ------------ roles/argocd/templates/keys.txt.j2 | 2 - roles/argocd/templates/project-default.yml.j2 | 10 ++++ roles/argocd/templates/project.yml.j2 | 16 +++++ 11 files changed, 142 insertions(+), 50 deletions(-) create mode 100644 roles/argocd/defaults/main.yml create mode 100644 roles/argocd/templates/application-set.yml.j2 delete mode 100644 roles/argocd/templates/application.yml.j2 delete mode 100644 roles/argocd/templates/keys.txt.j2 create mode 100644 roles/argocd/templates/project-default.yml.j2 create mode 100644 roles/argocd/templates/project.yml.j2 diff --git a/environments/lab/group_vars/k8s_cluster/argocd.yml b/environments/lab/group_vars/k8s_cluster/argocd.yml index 53cf998..1b125e7 100644 --- a/environments/lab/group_vars/k8s_cluster/argocd.yml +++ b/environments/lab/group_vars/k8s_cluster/argocd.yml @@ -8,5 +8,19 @@ argocd_environment: lab # Make sure the chart version contains the app version below # The app version drives the CRDs and should be bumped before upgrading the app itself -argocd_chart_version: 5.24.0 -argocd_app_version: 2.6.7 +argocd_chart_version: 5.51.6 +argocd_app_version: v2.10.0-rc1 + +argocd_application_sets: + - name: cluster + project_name: cluster + - name: apps + project_name: apps + +argocd_projects: + - name: cluster + destination_namespaces: + - "*" + - name: apps + destination_namespaces: + - apps \ No newline at end of file 
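Review bot: `argocd_app_version: v2.10.0-rc1` puts a release candidate image on the lab cluster while the comment two lines above says the chart version must contain the app version; chart 5.51.6 ships its own bundled app version, so the chart's templates (RBAC, ConfigMap keys) may lag the rc image, and the install task pulls CRDs from the rc tag separately. A comment making the mismatch explicit would stop it being promoted by copy-paste, e.g. `# rc image overrides the chart's bundled app version (lab only); CRDs are fetched from this tag in install.yml`. The `cluster` project's `"*"` destination is reasonable for cluster add-ons, but note that per the project template every listed project also gets a wildcard cluster-resource whitelist, so the `apps` namespace restriction is only partial.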
diff --git a/environments/prod/group_vars/k8s_cluster/argocd.yml b/environments/prod/group_vars/k8s_cluster/argocd.yml index b862f29..ff108ba 100644 --- a/environments/prod/group_vars/k8s_cluster/argocd.yml +++ b/environments/prod/group_vars/k8s_cluster/argocd.yml @@ -9,4 +9,4 @@ argocd_environment: prod # Make sure the chart version contains the app version below # The app version drives the CRDs and should be bumped before upgrading the app itself argocd_chart_version: 5.24.0 -argocd_app_version: 2.6.7 +argocd_app_version: v2.6.7 diff --git a/roles/argocd/defaults/main.yml b/roles/argocd/defaults/main.yml new file mode 100644 index 0000000..0ce598f --- /dev/null +++ b/roles/argocd/defaults/main.yml @@ -0,0 +1 @@ +argocd_namespace: argo-cd \ No newline at end of file diff --git a/roles/argocd/tasks/configure.yml b/roles/argocd/tasks/configure.yml index 239c9a5..174316e 100644 --- a/roles/argocd/tasks/configure.yml +++ b/roles/argocd/tasks/configure.yml 
@@ -1,6 +1,36 @@ -- name: Create root application +- name: Configure default project run_once: true kubernetes.core.k8s: kubeconfig: "{{ argocd_kubeconfig_path }}" - definition: "{{ lookup('template', 'application.yml.j2') }}" + definition: "{{ lookup('template', 'project-default.yml.j2') }}" state: present + +- name: Create projects + run_once: true + kubernetes.core.k8s: + kubeconfig: "{{ argocd_kubeconfig_path }}" + definition: "{{ lookup('template', 'project.yml.j2') }}" + state: present + loop: "{{ argocd_projects }}" + loop_control: + loop_var: argocd_project + +- name: Debug app sets + run_once: true + delegate_to: localhost + copy: + dest: "/tmp/{{ argocd_application_set.name }}.debug" + content: "{{ lookup('template', 'application-set.yml.j2') }}" + loop: "{{ argocd_application_sets }}" + loop_control: + loop_var: argocd_application_set + +- name: Create application sets + run_once: true + kubernetes.core.k8s: + kubeconfig: "{{ argocd_kubeconfig_path }}" + definition: "{{ lookup('template', 'application-set.yml.j2') }}" + state: present + loop: "{{ argocd_application_sets }}" + loop_control: + loop_var: argocd_application_set diff --git a/roles/argocd/tasks/install.yml b/roles/argocd/tasks/install.yml index ed4d6ce..4e8ed36 100644 --- a/roles/argocd/tasks/install.yml +++ b/roles/argocd/tasks/install.yml @@ -1,7 +1,7 @@ - name: Download CRD manifests register: argocd_crd_manifests ansible.builtin.uri: - url: "https://raw.githubusercontent.com/argoproj/argo-cd/v{{ argocd_app_version }}/manifests/crds/{{ item }}" + url: "https://raw.githubusercontent.com/argoproj/argo-cd/{{ argocd_app_version }}/manifests/crds/{{ item }}" return_content: true loop: - application-crd.yaml @@ -21,7 +21,7 @@ state: present create_namespace: true release_name: argo-cd - release_namespace: argo-cd + release_namespace: "{{ argocd_namespace }}" chart_ref: argo-cd chart_repo_url: https://argoproj.github.io/argo-helm chart_version: "{{ argocd_chart_version }}" 
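Review bot: The `Debug app sets` task writes the rendered ApplicationSet manifests to a fixed path `/tmp/<name>.debug` on the control host on every run, with the short module name `copy` (every other task in this file uses the FQCN) and no `mode`, and nothing gates or documents it; it reads as a leftover from development. Either remove it or gate it and tighten it, e.g. `when: argocd_debug_render | default(false)`, `ansible.builtin.copy:` and `mode: '0600'`. The rendered content today is a repo URL and paths rather than secrets, but an ungated manifest dump in a world-readable directory is the kind of artifact that later grows a secret.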
@@ -33,6 +33,8 @@ crds: install: false global: + image: + tag: "{{ argocd_app_version }}" networkPolicy: create: true defaultDenyIngress: false @@ -139,7 +141,7 @@ } cm: timeout.reconciliation: "{{ argocd_git_refresh_interval }}" - admin.enabled: false + # admin.enabled: false url: "{{ argocd_url }}" help.chatText: "" oidc.config: | @@ -242,7 +244,7 @@ kind: Secret metadata: name: argocd-sops - namespace: argo-cd + namespace: "{{ argocd_namespace }}" data: public_key: "{{ argocd_sops.public_key | b64encode }}" private_key: "{{ argocd_sops.private_key | b64encode }}" diff --git a/roles/argocd/tasks/main.yml b/roles/argocd/tasks/main.yml index 74b0eee..eae223b 100644 --- a/roles/argocd/tasks/main.yml +++ b/roles/argocd/tasks/main.yml @@ -1,6 +1,5 @@ - name: Install Argo CD ansible.builtin.include_tasks: ./install.yml -# TODO: Replace with application sets -# - name: Configure Argo CD -# ansible.builtin.include_tasks: ./configure.yml +- name: Configure Argo CD + ansible.builtin.include_tasks: ./configure.yml diff --git a/roles/argocd/templates/application-set.yml.j2 b/roles/argocd/templates/application-set.yml.j2 new file mode 100644 index 0000000..e0bdbe4 --- /dev/null +++ b/roles/argocd/templates/application-set.yml.j2 
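Review bot: Commenting out `admin.enabled: false` re-enables Argo CD's built-in local `admin` account next to the `oidc.config` block, so the group-based access configured for OIDC can be bypassed with the locally generated initial admin password (Argo CD writes it into a Secret on first start when admin is enabled). If this was needed to bootstrap the new image, restore the setting once OIDC login is confirmed, quoting it as a string since it lands in the `argocd-cm` ConfigMap: `admin.enabled: "false"`. Otherwise leave a comment above the line stating why local admin stays on and who rotates its password.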
@@ -0,0 +1,58 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ApplicationSet +metadata: + name: {{ argocd_application_set.name }} + namespace: {{ argocd_namespace }} +spec: + goTemplate: true + goTemplateOptions: ["missingkey=error"] + generators: + - git: + repoURL: {{ argocd_git_repository_url }} + revision: {{ argocd_git_ref }} + files: + - path: {{ argocd_application_set.name }}/**/.argocd*.y*ml + values: + environment: {{ argocd_environment }} + template: + metadata: + name: '{% raw %}{{ .name }}{% endraw %}' + spec: + project: {{ argocd_application_set.project_name }} + destination: + server: https://kubernetes.default.svc + namespace: '{% raw %}{{ index .path.segments 1 }}{% endraw %}' + source: + repoURL: {{ argocd_git_repository_url }} + targetRevision: {{ argocd_git_ref }} + templatePatch: | {% raw %} + {{- $environment := .values.environment -}} + spec: + source: + path: '{{ .path.path }}' + {{- if eq .type "helm" }} + helm: + releaseName: {{ .name }} + skipCrds: {{ . | dig "skipCrds" true }} + valueFiles: + {{- range $valueFile := (. | dig "valueFiles" list) }} + - {{ $valueFile | replace "$env" $environment }} + {{- end }} + {{- range $secretValueFile := (. | dig "secretValueFiles" list) }} + - secrets://{{ $secretValueFile | replace "$env" $environment }} + {{- end }} + {{- else }} + directory: + exclude: '{.kubescape-exceptions.json,argocd*.json}' + {{ end }} + ignoreDifferences: {{ ( . | dig "ignoreDifferences" list) | toYaml | nindent 4 }} + syncPolicy: + automated: + selfHeal: {{ . | dig "selfHeal" true }} + prune: true + syncOptions: + - CreateNamespace=true + {{ if eq ( . | dig "serverSideApply" false) true }} + - ServerSideApply=true + {{ end }} + {% endraw %} \ No newline at end of file diff --git a/roles/argocd/templates/application.yml.j2 b/roles/argocd/templates/application.yml.j2 deleted file mode 100644 index 3c72e9c..0000000 --- a/roles/argocd/templates/application.yml.j2 +++ /dev/null 
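Review bot: `releaseName: {{ .name }}` inside `templatePatch` is an unquoted Go-template expansion into YAML, so a name that looks like a number or boolean would be mistyped by the YAML parser; write `releaseName: '{{ .name }}'` as is already done for `path`. `metadata.name` is also taken verbatim from the generator file, and both ApplicationSets (`cluster` and `apps`) emit Applications into the same `argocd_namespace`, so two `.argocd*.yml` files with the same `name` would fight over one Application object; prefixing with the set name or a uniqueness check in CI would prevent that. The `.name`/`.type`/`valueFiles` fields all come from repository content, which is acceptable here because `sourceRepos` is pinned to one repo, but it means anyone with write access to that repo fully controls what is deployed.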
@@ -1,36 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: index - namespace: argo-cd -spec: - project: default - - destination: - server: https://kubernetes.default.svc - namespace: argo-cd - - source: - repoURL: {{ argocd_git_repository_url }} - targetRevision: {{ argocd_git_ref }} - path: apps/_index - - helm: - releaseName: index - - parameters: - - name: source.repoUrl - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: source.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: environmentName - value: {{ argocd_environment }} - - valueFiles: - - values.apps.yml - - values.{{ argocd_environment }}.yml - - syncPolicy: - automated: - selfHeal: true - prune: true \ No newline at end of file diff --git a/roles/argocd/templates/keys.txt.j2 b/roles/argocd/templates/keys.txt.j2 deleted file mode 100644 index 21ad681..0000000 --- a/roles/argocd/templates/keys.txt.j2 +++ /dev/null @@ -1,2 +0,0 @@ -# public key: {{ argocd_sops.public_key }} -{{ argocd_sops.private_key }} \ No newline at end of file diff --git a/roles/argocd/templates/project-default.yml.j2 b/roles/argocd/templates/project-default.yml.j2 new file mode 100644 index 0000000..6e55dfb --- /dev/null +++ b/roles/argocd/templates/project-default.yml.j2 @@ -0,0 +1,10 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: default + namespace: {{ argocd_namespace }} +spec: + sourceRepos: [] + destinations: [] + clusterResourceWhitelist: [] + diff --git a/roles/argocd/templates/project.yml.j2 b/roles/argocd/templates/project.yml.j2 new file mode 100644 index 0000000..4470925 --- /dev/null +++ b/roles/argocd/templates/project.yml.j2 
@@ -0,0 +1,16 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: {{ argocd_project.name }} + namespace: {{ argocd_namespace }} +spec: + sourceRepos: + - '{{ argocd_git_repository_url }}' + destinations: +{% for namespace in argocd_project.destination_namespaces %} + - namespace: '{{ namespace }}' + server: 'https://kubernetes.default.svc' +{% endfor %} + clusterResourceWhitelist: + - group: '*' + kind: '*' From bba876ab579d09d07fd72d807069eff39fce042a Mon Sep 17 00:00:00 2001 From: LH Date: Wed, 31 Jan 2024 17:30:48 +0100 Subject: [PATCH 04/51] RKE 2 --- .../lab/group_vars/k8s_cluster/rke2.yml | 5 ++- .../k8s_cluster/k3s-cluster.sops.yml | 41 ------------------- .../group_vars/k8s_cluster/k3s-cluster.yml | 18 -------- playbooks/kubernetes.yml | 6 +++ roles/argocd/defaults/main.yml | 2 +- roles/argocd/tasks/install.yml | 8 ++-- roles/argocd/templates/application-set.yml.j2 | 3 ++ .../k8s-longhorn-dependencies/tasks/main.yml | 21 ++++++++++ 8 files changed, 39 insertions(+), 65 deletions(-) delete mode 100644 environments/prod/group_vars/k8s_cluster/k3s-cluster.sops.yml delete mode 100644 environments/prod/group_vars/k8s_cluster/k3s-cluster.yml create mode 100644 roles/k8s-longhorn-dependencies/tasks/main.yml diff --git a/environments/lab/group_vars/k8s_cluster/rke2.yml b/environments/lab/group_vars/k8s_cluster/rke2.yml index 0eacd42..d9f30d7 100644 --- a/environments/lab/group_vars/k8s_cluster/rke2.yml +++ b/environments/lab/group_vars/k8s_cluster/rke2.yml @@ -8,7 +8,7 @@ rke2_kubevip_svc_enable: true rke2_kubevip_image: ghcr.io/kube-vip/kube-vip:v0.6.4 rke2_kubevip_cloud_provider_image: ghcr.io/kube-vip/kube-vip-cloud-provider:v0.0.4 -rke2_api_ip: 10.1.8.200 # TBA: Assign a different IP +rke2_api_ip: 10.1.8.130 rke2_api_cidr: 24 rke2_version: v1.28.4+rke2r1 
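Review bot: `clusterResourceWhitelist: group '*' / kind '*'` is applied to every project rendered by this template, so the `apps` project that lab limits to the `apps` namespace can still create any cluster-scoped object (ClusterRoleBinding, CRDs, webhooks), which undoes the namespace restriction. Drive the whitelist from the project definition with an empty default so only `cluster` gets the wildcard, and note that a project relying on the ApplicationSet's `CreateNamespace=true` needs at least `Namespace` in its list. `sourceRepos` pinned to the single repo is good; AppProject `signatureKeys` would additionally require signed commits on that repo if that is wanted.
```yaml
  clusterResourceWhitelist:
{% for resource in argocd_project.cluster_resource_whitelist | default([]) %}
    - group: '{{ resource.group }}'
      kind: '{{ resource.kind }}'
{% endfor %}
```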
@@ -22,4 +22,7 @@ rke2_server_options: - "cluster-cidr: 172.16.0.0/16" # Pod internal IP addresses - "service-cidr: 172.17.0.0/16" # Services internal IP addresses +rke2_loadbalancer_ip_range: + range-global: 10.1.8.160-10.1.8.191 + # TODO: etcd snapshot backup to S3 ? \ No newline at end of file diff --git a/environments/prod/group_vars/k8s_cluster/k3s-cluster.sops.yml b/environments/prod/group_vars/k8s_cluster/k3s-cluster.sops.yml deleted file mode 100644 index 89f839b..0000000 --- a/environments/prod/group_vars/k8s_cluster/k3s-cluster.sops.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -k3s_cluster_secret: ENC[AES256_GCM,data:wWyLTLt3pKC0yZDzXVa4t2w2X5cGUav5QXA=,iv:7W9A9F+a/YONo44IPgzu914Rwr9RuLYZ4Bt5qhRE+78=,tag:+rJcWznLySjRrCWHhImctQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvL291aEpIamluU0UyWEpY - dEJ6b3MyQ3ZFZHBONDhaQXZ1ek42OFN5b0gwCitvcS9abHVMWjRmNzU2cmd3OFlN - UXh3dXZPRTYxdDFpSnFsanFwRXh1TmsKLS0tIGc3bTdQRVhvMXRGODczRjZTbnJa - WHdnQWdTckVpZnNHK1V4RmxyT2p4WnMKSDzkHWfHgY44/tD7MBfE16zaqaeHwtqx - pyVUWJGnzSoV2RJjMjvoAMaUOVNtgJjedAKIDlR8WZfpiQ0Bbu6zTQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-02-13T21:49:11Z" - mac: ENC[AES256_GCM,data:UbT8E5Z7+V+IvxB0SL/dLPZTUcVPZtGmdtAtPqu6ifDgHuUQE7GJN5yv0rmoRKO96WalV5pz7qiYiNGdcC+aYM0hZ833hhzO182Az2JbuLHSiCWeIUdrQBY4L8G2knAg1V1Xj4PhGq2jPVa0PEmPi5tLpqEonOlWT11zog9mV2c=,iv:bNfpoqGVA5C6oiOiTAtQJmJm2rnsUVtcTtiLFy9nHgg=,tag:ctQqOArV1MyEZxvr//AODw==,type:str] - pgp: - - created_at: "2023-06-05T09:02:03Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ/+OQQREZEVqKTnkXOlcAupARoWRaFbU3FdPfRStqDi9q+k - 5AJiDcWzwzVV7REJ2/cNpv38xb5USTaS4ZrPBBF7oy+H5e7ybiEaqrrUoBsth19G - pN1zZpuXu4nljhth4RIdcrbt5N/m3Cu6QYEi84BFAIdU9biakdo6Yym/gtN29fJU - r/VViSAaJa/phlEBDWccsm+AsjA/hgDI9fTTOX3FFLA/k82dPkPkUHZzdtozXmZs - C8ulf8VrtdTT7uAnpBXbu8SRt2oNqC4NRAPXJvu1DEdGJ3TL7RpCsarkQ5GpFRD/ - Dgw8K7bIHCmIPNPcaKfDF+DEpOsXDUQ+dyq8Tkw4+F40RhG9EApVxhZqj95n+uIN - +j7WSyIVRyECZBGZpj9MdSHJQ+ObWA8MMHP3F4anbNYkg9HNcggs1gPeokkUuqKo - P+6FpY7H1knzicepK+uGMpirhBHw1tMEo/tD3UMzoM5TRi7xy8jZBwqpGvF8kddE - yL7WJE567PxbwMDgxcDJ/e+KHpQXoVTTGRL7NTN10gpxZehWMGTDUXXt0XWRKpYx - 5jmBCT7Tt1tGpTqq0Su3AG5h7Yj3+cYJj76XPUiPwwK7tQxSAW2/sjp2OEh4AIWw - 1+Vxut/zjvqkTHTRQ6Mg+iaamVt217NerRWIAzu3HGC8ON8wdXWjo7e4aarpz6TS - XAHfR34JwsoKFJT4Risbv1gputNimbv/R6X5Y91yE64qlRBZql9bO6Z19nL7Xr44 - 
tF+EQZ6VdP8UHKNNbeMuGHSVpqsWENLFiruz2R1rCQmJ1c0dwEW8oEwJ9QKV - =nkIf - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/prod/group_vars/k8s_cluster/k3s-cluster.yml b/environments/prod/group_vars/k8s_cluster/k3s-cluster.yml deleted file mode 100644 index 7de785d..0000000 --- a/environments/prod/group_vars/k8s_cluster/k3s-cluster.yml +++ /dev/null @@ -1,18 +0,0 @@ -k3s_cluster_version: "v1.27.3+k3s1" -k3s_cluster_helm_version: 'v3.8.1' -k3s_cluster_cidr: 172.16.0.0/16 -k3s_cluster_services_cidr: 172.17.0.0/16 -k3s_cluster_dns_internal_ip: 172.17.0.10 - -k3s_cluster_coredns_version: 1.10.0 -k3s_cluster_coredns_replicas: 2 -k3s_cluster_coredns_memory_request: 256Mi -k3s_cluster_coredns_memory_limit: 512Mi -k3s_cluster_coredns_cpu_request: 250m -k3s_cluster_coredns_cpu_limit: 750m -k3s_cluster_coredns_forwarders: - - 1.1.1.1 - - 1.0.0.1 -k3s_cluster_coredns_forwarders_tls_servername: cloudflare-dns.com - -k3s_restart_allowed: false diff --git a/playbooks/kubernetes.yml b/playbooks/kubernetes.yml index 33ac796..18cb207 100644 --- a/playbooks/kubernetes.yml +++ b/playbooks/kubernetes.yml @@ -32,6 +32,12 @@ tags: - helm + - name: Install Longhorn dependencies + ansible.builtin.import_role: + name: ../../roles/k8s-longhorn-dependencies + tags: + - longhorn + - name: Install and configure Argo CD ansible.builtin.import_role: name: ../../roles/argocd diff --git a/roles/argocd/defaults/main.yml b/roles/argocd/defaults/main.yml index 0ce598f..7bff493 100644 --- a/roles/argocd/defaults/main.yml +++ b/roles/argocd/defaults/main.yml @@ -1 +1 @@ -argocd_namespace: argo-cd \ No newline at end of file +argocd_namespace: argocd-system \ No newline at end of file diff --git a/roles/argocd/tasks/install.yml b/roles/argocd/tasks/install.yml index 4e8ed36..c0f14f6 100644 --- a/roles/argocd/tasks/install.yml +++ b/roles/argocd/tasks/install.yml 
@@ -135,10 +135,10 @@ policy.default: role:readonly policy.csv: | g, "{{ argocd_admin_group_id }}", role:admin - styles: | - .sidebar__version { - display: none; - } + # styles: | + # .sidebar__version { + # display: none; + # } cm: timeout.reconciliation: "{{ argocd_git_refresh_interval }}" # admin.enabled: false diff --git a/roles/argocd/templates/application-set.yml.j2 b/roles/argocd/templates/application-set.yml.j2 index e0bdbe4..0f1a827 100644 --- a/roles/argocd/templates/application-set.yml.j2 +++ b/roles/argocd/templates/application-set.yml.j2 @@ -27,6 +27,9 @@ spec: targetRevision: {{ argocd_git_ref }} templatePatch: | {% raw %} {{- $environment := .values.environment -}} + metadata: + annotations: + argocd.argoproj.io/sync-wave: "{{ . | dig "syncWave" 0 }}" spec: source: path: '{{ .path.path }}' diff --git a/roles/k8s-longhorn-dependencies/tasks/main.yml b/roles/k8s-longhorn-dependencies/tasks/main.yml new file mode 100644 index 0000000..e75bd54 --- /dev/null +++ b/roles/k8s-longhorn-dependencies/tasks/main.yml @@ -0,0 +1,21 @@ +- name: Add apt key for k8s repository + ansible.builtin.apt_key: + url: https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key + keyring: /etc/apt/keyrings/kubernetes-apt-keyring.gpg + state: present + +- name: Add kubectl apt repository + ansible.builtin.apt_repository: + repo: 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' + filename: kubernetes.list + update_cache: true + state: present + +- name: Install required packages + ansible.builtin.apt: + name: + - jq + - kubectl + - nfs-common + - open-iscsi + state: present From 5d24fea300402cf35bc38d68457bf1ee22421cc3 Mon Sep 17 00:00:00 2001 
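Review bot: The `apt_key` task in the new `roles/k8s-longhorn-dependencies/tasks/main.yml` downloads the signing key from `https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key` without pinning it, so the only thing vouching for what lands in `/etc/apt/keyrings/kubernetes-apt-keyring.gpg` is the TLS session at install time. Adding `id: <KUBERNETES_RELEASE_KEY_FINGERPRINT>` (placeholder; copy the fingerprint from the published key) makes the task fail if the served key ever differs; alternatively fetch the file with `ansible.builtin.get_url` and a `checksum: sha256:<DIGEST>` placeholder, which also sidesteps `ansible.builtin.apt_key`, whose docs note that the underlying `apt-key` command is deprecated. The repository is pinned to `v1.29` while the series elsewhere sets `rke2_version: v1.28.4+rke2r1`; that is within kubectl's skew policy today, but a comment such as `# keep in step with rke2_version (kubectl skew: ±1 minor)` would keep the two bumped together.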
From: Lukas Holota Date: Wed, 14 Feb 2024 10:00:55 +0100 Subject: [PATCH 05/51] Removed unnecesarry code --- .../lab/group_vars/pve_nodes/secrets.sops.yml | 6 +- environments/lab/host_vars/kube1.yml | 7 -- environments/lab/host_vars/kube2.yml | 7 -- environments/lab/host_vars/kube3.yml | 8 -- environments/lab/host_vars/pve1.yml | 29 +---- environments/lab/host_vars/pve2.yml | 29 +---- environments/lab/host_vars/pve3.yml | 28 +---- environments/lab/hosts.yml | 22 ++-- environments/prod/hosts.yml | 21 ++-- playbooks/_all.yml | 2 +- playbooks/common.yml | 3 +- playbooks/kubernetes.yml | 14 +-- playbooks/proxmox.yml | 5 - requirements.yml | 2 +- .../{argocd => k8s-argocd}/defaults/main.yml | 0 .../tasks/configure.yml | 0 .../{argocd => k8s-argocd}/tasks/install.yml | 0 roles/{argocd => k8s-argocd}/tasks/main.yml | 0 .../templates/application-set.yml.j2 | 0 .../templates/project-default.yml.j2 | 0 .../templates/project.yml.j2 | 0 roles/pve_virtual_machines/tasks/images.yml | 10 -- roles/pve_virtual_machines/tasks/main.yml | 16 --- roles/pve_virtual_machines/tasks/vm.yml | 114 ------------------ tools/clearkeys.sh | 4 - 25 files changed, 33 insertions(+), 294 deletions(-) delete mode 100644 environments/lab/host_vars/kube1.yml delete mode 100644 environments/lab/host_vars/kube2.yml delete mode 100644 environments/lab/host_vars/kube3.yml rename roles/{argocd => k8s-argocd}/defaults/main.yml (100%) rename roles/{argocd => k8s-argocd}/tasks/configure.yml (100%) rename roles/{argocd => k8s-argocd}/tasks/install.yml (100%) rename roles/{argocd => k8s-argocd}/tasks/main.yml (100%) rename roles/{argocd => k8s-argocd}/templates/application-set.yml.j2 (100%) rename roles/{argocd => k8s-argocd}/templates/project-default.yml.j2 (100%) rename roles/{argocd => k8s-argocd}/templates/project.yml.j2 (100%) delete mode 100644 roles/pve_virtual_machines/tasks/images.yml delete mode 100644 roles/pve_virtual_machines/tasks/main.yml delete mode 100644 roles/pve_virtual_machines/tasks/vm.yml 
diff --git a/environments/lab/group_vars/pve_nodes/secrets.sops.yml b/environments/lab/group_vars/pve_nodes/secrets.sops.yml index 3d087e7..743a595 100644 --- a/environments/lab/group_vars/pve_nodes/secrets.sops.yml +++ b/environments/lab/group_vars/pve_nodes/secrets.sops.yml @@ -4,7 +4,7 @@ pve_openid_realms: display_name: ENC[AES256_GCM,data:HtobIhXh4/hXD8E+W9nY/vDOUkDHaw==,iv:BqMgdq2Lq/OuTAb3VvSM/mVMzpKyUyWlorANJFCWKZs=,tag:h0x4lx3CNT9p69PPTTlxTA==,type:str] client_id: ENC[AES256_GCM,data:LfW/VrjD3sW+KgAc5vsvUribwri7isrroxQb/+JCFZlvd1s3,iv:5FMcT9YaN/fvcC3FUV8r37S4j2H7SLm5+TJWqshhqak=,tag:jQG9edH+QvS9HiVYsxzyFQ==,type:str] #ENC[AES256_GCM,data:JtE4/ZbkyLBsWqGQIn970Qxt0XF+V6rWMZzmLXYgcJ4WyhUoNzMJogsKXOzBgr1Tuv/ruWPSpGYd2hXPcA==,iv:Lv++gJYKOyDyQHE0cVj7OEkpSODYGUHsZTNvD00T0e8=,tag:1WYZSiGOHRtsw5fgp/Qg3Q==,type:comment] - client_secret: ENC[AES256_GCM,data:YU1ADQhj2AgANnF/l++LL50S0ZTOWkuS4je2YY/534yY+nIzCQPE0g==,iv:rRFabDfkRT86eKWZeHL9Hri2GcuZVvhciX3PrCKUSJY=,tag:rCPswC/WPc8fLztuvch5lA==,type:str] + client_secret: ENC[AES256_GCM,data:DC0TXY6CAN0jkNctbNMJ145uLAnwk/cKbuBlUVZzQIh8F5tIg99qXw==,iv:ySlpvvfrvILHEOHBpA0r596tw2kz17SuZdqkvepLbRg=,tag:vU52ajV/cMAziORn2GOiyg==,type:str] url: ENC[AES256_GCM,data:ZKPBz5C0QJEGEOpu89ReR4YWF+71IO4H+G05FGBbaFB4Y9GNwQdb1RMKe5Ov5JUZlkLNmEMZJK56tIxhTLoIUHjK8WxMQ9UItTqC,iv:PNLeOaLktZR4kIsw6XHvM8etFxhqgq1f3UOAAmH57/Y=,tag:1gkvM54D7zQZj/WAmhfGvw==,type:str] autocreate_users: ENC[AES256_GCM,data:R3TfEQ==,iv:7bbE2lZ3a52dvRPTyacmxPmM/bZYw77JVofkNAz3ELw=,tag:ouf/dZXAiDGZA3jbdawzMg==,type:bool] username_claim: ENC[AES256_GCM,data:xGMUZG0=,iv:6WxIlPX8TuJP59IHDM2OJzm5tGvWHaoVqlNKEYQ75Ew=,tag:1zDnG5YW7S3bWqG1+XxEiw==,type:str] 
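Review bot: The replaced `client_secret` in the `pve_openid_realms` hunk is a credential rotation that the commit subject ("Removed unnecesarry code") never mentions, so anyone auditing when this OpenID client secret changed has to find it inside a cleanup commit. Splitting the rotation into its own commit, or naming it in the message, keeps it traceable. Whether the previous secret has been revoked at the identity provider cannot be seen from this hunk.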
@@ -41,8 +41,8 @@ sops: QWU4OTVNQU9nRU12REp3dkpYdWpjbVEKkKpnxWW2iUkjQv3UzO8b0pUXJ2s72HdQ tQkvIENt6fns2f3WwAoMsouPsTzZSn4PXGrG9OAIWVcfkGtF/RRdHA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-27T22:18:38Z" - mac: ENC[AES256_GCM,data:MKmRQRupaInazzPJvWQgQY223SYIIjtPHQVaFMEpTTRtbSvxXAYx/tE/XHyv3wx5v80e8hbB0WulNkuOM2VFPmeIAZsKcuAVkNiwvypUIOfA0fQIU7l6U/+U8f91LH5DH8+YyCkYE54NM9aeA4las1GD81L6pSKeOWS2AxaRkOY=,iv:xf9Mvvqby5ccEB0ypdwOzVisg9bKNt7QDIQntNlRh30=,tag:QxHEPXTaILk+/6F/9pwTcg==,type:str] + lastmodified: "2024-02-13T12:55:19Z" + mac: ENC[AES256_GCM,data:EFo6mvq/mv+0nlB9+y+SVYysQkxWXtoHUhfzpl8K1lmTZCZAD8sYUCIYtdKsQ4mXf8+4ycpg/FfGxB0ebs8pvHUWgPz4VETTCU9s+FE7onp8FNYnKIOlfUDe6NDDI5z093fki11wFa8RuG6a8SUKYp4BZr28nf425q3nLTWPUxo=,iv:iq8Fd7nZwgiQlRZ4da61vmT2JKTpeU87PYTB/fMGIUg=,tag:f2fAiZ5pb7B3ggjEoafgZA==,type:str] pgp: - created_at: "2023-06-05T08:57:01Z" enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//a0vf1Oh3Tiyv++/rqq6X00JVXl2CZjoQ8BOKeGsX1wOY\r\nHIV7on7BJ4kW9gjIwOGIhsMLPryVIR7yJAJPu/qjQiQFBEk5To8xjoaMib0f3yvI\r\nQRDB2nvgChd04NHE7rYbwl+0aZcK1E88LA2uzXietlri4VzcmoMA9JBZn5/65Eaj\r\n+f2Ari4TKWTomYhseYPUVFCqtm5W64FehtGKao7iNcMAX/vxIupWUwRRDg6EsZu7\r\nP0nGszRVWwiucJ8BfDU2FQVrJKJuoEyerSUYW0tHEhAai+HTV47j2ST/ZvK18D5c\r\n+16RJzp1a3QFCViM3PlOAAVtunoUFQxMwfiLgniUB8kCjFBOMQ5wST8xZFUHrmjw\r\n07tkmV5/eRVA9/Vl5jRqM4sRf2f3Ou0YXbeOeJ3fzLrZgWOliUtTq7YzvN4AnNhg\r\nJfHSQsMR5nYi9wHfq6doTWXArXKp82Z2u/pZoVY5xlAaU9uerxgs6GTs7iRbW4BM\r\n+7WkqxnRo/agFzhLpDWBxehpP0XKx49JgxPdmQXlYDQY6AYc5jPswBsePSYL1LNz\r\nhoPUbCfgPik5nrdAy4pVW6ijBcf8KqgVH8eZAQa1M2GpdyO8tIL5paTLaM+oiyWN\r\nFEjT+GDjxAoxFvDW8ZSOTSlu9GdrLquFMF2hp3zZ0bZ6EfHr3K3cyRXAhkVuLUTS\r\nXgEQAAk4rZa7lH9ODHkKNzOhIfm69V2sAgH5oWHgiBAAJU44ZE5voZSQokVZPu+b\r\nK9ldX8+2W8XoE1CGuWXNtb5GYlWlVFpShFfhPCm1l5b4w9Y5lDhXmEXf8Opdw3c=\r\n=t7MQ\r\n-----END PGP MESSAGE-----\r\n" diff --git a/environments/lab/host_vars/kube1.yml b/environments/lab/host_vars/kube1.yml deleted file mode 100644 index 54cf9f9..0000000 
--- a/environments/lab/host_vars/kube1.yml +++ /dev/null @@ -1,7 +0,0 @@ -# Common -ansible_host: 10.1.8.21 -ansible_hostname: kube1-lab -fqdn: kube1-lab.homecentr.one - -# nVidia drivers -nvidia_drivers_install_containers: true \ No newline at end of file diff --git a/environments/lab/host_vars/kube2.yml b/environments/lab/host_vars/kube2.yml deleted file mode 100644 index de91418..0000000 --- a/environments/lab/host_vars/kube2.yml +++ /dev/null @@ -1,7 +0,0 @@ -# Common -ansible_host: 10.1.8.22 -ansible_hostname: kube2-lab -fqdn: kube2-lab.homecentr.one - -# nVidia drivers -nvidia_drivers_install_containers: true \ No newline at end of file diff --git a/environments/lab/host_vars/kube3.yml b/environments/lab/host_vars/kube3.yml deleted file mode 100644 index a0b701f..0000000 --- a/environments/lab/host_vars/kube3.yml +++ /dev/null @@ -1,8 +0,0 @@ -# Common -ansible_host: 10.1.8.23 -ansible_hostname: kube3-lab -fqdn: kube3-lab.homecentr.one - -# Kubernetes -rke2_server_node_taints: - - 'CriticalAddonsOnly=true:NoSchedule' diff --git a/environments/lab/host_vars/pve1.yml b/environments/lab/host_vars/pve1.yml index 1c3e25c..239ba9e 100644 --- a/environments/lab/host_vars/pve1.yml +++ b/environments/lab/host_vars/pve1.yml @@ -12,30 +12,5 @@ network_interfaces: # UPS ups_name: dummy-ups1 -# PVE -pve_pci_passhthrough_enabled: false - -pve_vm_machines: - - vmid: 101 - name: kube1-lab - protection: false - cloud_image_filename: debian-12.1.0.qcow2 - bios: efi - shutdown_timeout_seconds: 120 - nic_bridge: vmbr0 - os_storage: local-zfs - os_disk_size: 32G - cpu_count: 1 - cpu_cores_per_cpu: 8 - min_memory: 8192 - max_memory: 15360 - nic_ipv4_address: 10.1.8.21 - nic_ipv4_subnet: 255.255.255.0 - nic_ipv4_gateway: 10.1.8.1 - nameservers: - - 1.1.1.1 - - 1.0.0.1 - -# ClamAV -# clamav_scanned_dirs: -# - /usr/local/gfs +# nVidia drivers +nvidia_drivers_install_containers: true 
diff --git a/environments/lab/host_vars/pve2.yml b/environments/lab/host_vars/pve2.yml index 2507bf1..ce6968a 100644 --- a/environments/lab/host_vars/pve2.yml +++ b/environments/lab/host_vars/pve2.yml @@ -12,30 +12,5 @@ network_interfaces: # UPS ups_name: dummy-ups1 -# PVE -pve_pci_passhthrough_enabled: false - -pve_vm_machines: - - vmid: 201 - name: kube2-lab - protection: false - cloud_image_filename: debian-12.1.0.qcow2 - bios: efi - shutdown_timeout_seconds: 120 - nic_bridge: vmbr0 - os_storage: local-zfs - os_disk_size: 32G - cpu_count: 1 - cpu_cores_per_cpu: 8 - min_memory: 8192 - max_memory: 15360 - nic_ipv4_address: 10.1.8.22 - nic_ipv4_subnet: 255.255.255.0 - nic_ipv4_gateway: 10.1.8.1 - nameservers: - - 1.1.1.1 - - 1.0.0.1 - -# ClamAV -# clamav_scanned_dirs: -# - /usr/local/gfs +# nVidia drivers +nvidia_drivers_install_containers: true diff --git a/environments/lab/host_vars/pve3.yml b/environments/lab/host_vars/pve3.yml index d392cac..d3fbb3b 100644 --- a/environments/lab/host_vars/pve3.yml +++ b/environments/lab/host_vars/pve3.yml @@ -12,28 +12,6 @@ network_interfaces: # UPS ups_name: dummy-ups1 -# PVE -pve_vm_machines: - - vmid: 301 - name: kube3-lab - protection: false - cloud_image_filename: debian-12.1.0.qcow2 - bios: efi - shutdown_timeout_seconds: 120 - nic_bridge: vmbr0 - os_storage: local-zfs - os_disk_size: 32G - cpu_count: 1 - cpu_cores_per_cpu: 6 - min_memory: 8192 - max_memory: 8192 - nic_ipv4_address: 10.1.8.23 - nic_ipv4_subnet: 255.255.255.0 - nic_ipv4_gateway: 10.1.8.1 - nameservers: - - 1.1.1.1 - - 1.0.0.1 - -# ClamAV -# clamav_scanned_dirs: -# - /usr/local/gfs +# Kubernetes +rke2_server_node_taints: + - 'CriticalAddonsOnly=true:NoSchedule' \ No newline at end of file diff --git a/environments/lab/hosts.yml b/environments/lab/hosts.yml index f7a3c17..67e6558 100644 --- a/environments/lab/hosts.yml +++ b/environments/lab/hosts.yml 
@@ -9,22 +9,14 @@ all: children: masters: hosts: - kube1: - kube2: - kube3: + pve1: + pve2: + pve3: workers: hosts: - kube1: - kube2: - kube3: - bare_metal_nodes: - hosts: - pve1: - pve2: - pve3: + pve1: + pve2: + pve3: nvidia_gpu_nodes: hosts: - pve1: - pve2: - kube1: - kube2: \ No newline at end of file + pve1: \ No newline at end of file diff --git a/environments/prod/hosts.yml b/environments/prod/hosts.yml index f7a3c17..24630f4 100644 --- a/environments/prod/hosts.yml +++ b/environments/prod/hosts.yml @@ -9,22 +9,15 @@ all: children: masters: hosts: - kube1: - kube2: - kube3: + pve1: + pve2: + pve3: workers: hosts: - kube1: - kube2: - kube3: - bare_metal_nodes: - hosts: - pve1: - pve2: - pve3: + pve1: + pve2: + pve3: nvidia_gpu_nodes: hosts: pve1: - pve2: - kube1: - kube2: \ No newline at end of file + pve2: \ No newline at end of file diff --git a/playbooks/_all.yml b/playbooks/_all.yml index cad4d87..79214bd 100644 --- a/playbooks/_all.yml +++ b/playbooks/_all.yml @@ -1,4 +1,4 @@ - import_playbook: proxmox.yml - import_playbook: common.yml - import_playbook: nvidia.yml -# - import_playbook: kubernetes.yml +- import_playbook: kubernetes.yml diff --git a/playbooks/common.yml b/playbooks/common.yml index 6144af6..c067af2 100644 --- a/playbooks/common.yml +++ b/playbooks/common.yml @@ -56,7 +56,6 @@ - name: Install and configure Network UPS tools ansible.builtin.import_role: name: homecentr.system.ups - when: "'bare_metal_nodes' in group_names" tags: - ups @@ -64,7 +63,7 @@ ansible.builtin.import_role: name: homecentr.system.motd vars: - motd_enable_ups_status: "{{ 'bare_metal_nodes' in group_names }}" + motd_enable_ups_status: "true" tags: - motd diff --git a/playbooks/kubernetes.yml b/playbooks/kubernetes.yml index 18cb207..c3c18a9 100644 --- a/playbooks/kubernetes.yml +++ b/playbooks/kubernetes.yml 
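Review bot: `motd_enable_ups_status: "true"` in the second `playbooks/common.yml` hunk passes a string where the Jinja expression it replaces produced a boolean; whether the `homecentr.system.motd` role casts the value with `| bool` is not visible here, and a role that tests it directly would treat any non-empty string as enabled. Since the `bare_metal_nodes` distinction has been dropped on purpose in the hunk above, the plain YAML boolean states the intent without the type change: `motd_enable_ups_status: true`.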
@@ -4,8 +4,6 @@ become_method: ansible.builtin.sudo any_errors_fatal: true tasks: - # TODO: Kube nodes will need ZFS (later) - - name: Install Kubernetes cluster (RKE 2) ansible.builtin.import_role: name: lablabs.rke2 @@ -36,10 +34,10 @@ ansible.builtin.import_role: name: ../../roles/k8s-longhorn-dependencies tags: - - longhorn + - longhorn-deps - - name: Install and configure Argo CD - ansible.builtin.import_role: - name: ../../roles/argocd - tags: - - argocd + # - name: Install and configure Argo CD + # ansible.builtin.import_role: + # name: ../../roles/k8s-argocd + # tags: + # - argocd diff --git a/playbooks/proxmox.yml b/playbooks/proxmox.yml index 23bbc39..0a9ed3b 100644 --- a/playbooks/proxmox.yml +++ b/playbooks/proxmox.yml @@ -26,11 +26,6 @@ name: homecentr.system.network tags: [ network ] - - name: Run upgrade (only first time) - ansible.builtin.import_role: - name: homecentr.system.init_upgrade - tags: [ upgrade ] - - name: Configure https port forwarding ansible.builtin.import_role: name: homecentr.proxmox.pve_https_forward diff --git a/requirements.yml b/requirements.yml index 0e38f4d..aa1d450 100644 --- a/requirements.yml +++ b/requirements.yml @@ -20,7 +20,7 @@ collections: version: master - name: https://github.com/homecentr/ansible-collection-proxmox type: git - version: fix/proxmoxer + version: master roles: - name: geerlingguy.pip diff --git a/roles/argocd/defaults/main.yml b/roles/k8s-argocd/defaults/main.yml similarity index 100% rename from roles/argocd/defaults/main.yml rename to roles/k8s-argocd/defaults/main.yml diff --git a/roles/argocd/tasks/configure.yml b/roles/k8s-argocd/tasks/configure.yml similarity index 100% rename from roles/argocd/tasks/configure.yml rename to roles/k8s-argocd/tasks/configure.yml diff --git a/roles/argocd/tasks/install.yml b/roles/k8s-argocd/tasks/install.yml similarity index 100% rename from roles/argocd/tasks/install.yml rename to roles/k8s-argocd/tasks/install.yml 
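Review bot: `version: master` for the `https://github.com/homecentr/ansible-collection-proxmox` git collection in the `requirements.yml` hunk (and, as the context line shows, for the collection above it) pins to a moving branch, so every `ansible-galaxy install` fetches whatever the branch holds that day and an upstream push silently changes code that these playbooks run with `become`. Pinning to a tag or full commit hash, e.g. `version: <COMMIT_SHA>` (placeholder), makes installs reproducible and turns each update into a reviewable diff. The `fix/proxmoxer` branch it replaces suggests that fix has been merged; its merge commit would be the natural pin.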
diff --git a/roles/argocd/tasks/main.yml b/roles/k8s-argocd/tasks/main.yml similarity index 100% rename from roles/argocd/tasks/main.yml rename to roles/k8s-argocd/tasks/main.yml diff --git a/roles/argocd/templates/application-set.yml.j2 b/roles/k8s-argocd/templates/application-set.yml.j2 similarity index 100% rename from roles/argocd/templates/application-set.yml.j2 rename to roles/k8s-argocd/templates/application-set.yml.j2 diff --git a/roles/argocd/templates/project-default.yml.j2 b/roles/k8s-argocd/templates/project-default.yml.j2 similarity index 100% rename from roles/argocd/templates/project-default.yml.j2 rename to roles/k8s-argocd/templates/project-default.yml.j2 diff --git a/roles/argocd/templates/project.yml.j2 b/roles/k8s-argocd/templates/project.yml.j2 similarity index 100% rename from roles/argocd/templates/project.yml.j2 rename to roles/k8s-argocd/templates/project.yml.j2 diff --git a/roles/pve_virtual_machines/tasks/images.yml b/roles/pve_virtual_machines/tasks/images.yml deleted file mode 100644 index 3c03ec6..0000000 --- a/roles/pve_virtual_machines/tasks/images.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: Download cloud images - ansible.builtin.get_url: - url: "{{ item.url }}" - dest: "/var/lib/vz/images/{{ item.filename }}" - checksum: "{{ item.checksum }}" - owner: root - group: root - mode: 0644 - when: pve_vm_cloud_images is defined - with_items: "{{ pve_vm_cloud_images }}" diff --git a/roles/pve_virtual_machines/tasks/main.yml b/roles/pve_virtual_machines/tasks/main.yml deleted file mode 100644 index 353458f..0000000 --- a/roles/pve_virtual_machines/tasks/main.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -- name: Install required pip modules - ansible.builtin.apt: - name: python3-proxmoxer - state: present - -- name: Download installation cloud images - ansible.builtin.include_tasks: - file: images.yml - -- name: Create virtual machines - ansible.builtin.include_tasks: - file: vm.yml - vars: - vm: "{{ item }}" - when: pve_vm_machines is defined - with_items: "{{ pve_vm_machines }}" diff --git a/roles/pve_virtual_machines/tasks/vm.yml b/roles/pve_virtual_machines/tasks/vm.yml deleted file mode 100644 index 5d64fb4..0000000 --- a/roles/pve_virtual_machines/tasks/vm.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -- name: Create cloud-init config - ansible.builtin.copy: - dest: "{{ hostvars[inventory_hostname].pve_local_storage_path }}/snippets/{{ vm.vmid }}.yml" - owner: root - group: root - mode: 0640 - force: true - content: | - #cloud-config - hostname: {{ vm.name }} - manage_etc_hosts: false - user: "{{ (users_admin_users | first).username }}" - password: Heslo123 - chpasswd: - expire: false - users: - - default - {% for user in users_admin_users %} - - name: {{ user.username }} - sudo: ALL=(ALL) NOPASSWD:ALL - ssh_authorized_keys: - {% for key in user.public_keys %} - - {{ key }} - {% endfor %} - {% endfor %} - package_upgrade: true - -- name: Create virtual machine - community.general.proxmox_kvm: - vmid: "{{ vm.vmid }}" - proxmox_default_behavior: no_defaults - node: "{{ ansible_hostname }}" - kvm: true - api_user: root@pam - api_password: "{{ users_root_password }}" - api_host: 127.0.0.1 - name: "{{ vm.name }}" - protection: "{{ vm.protection | default(true) }}" - acpi: "{{ vm.acpi | default(true) }}" - autostart: "{{ vm.autostart | default(true) }}" - onboot: "{{ vm.onboot | default(true) }}" - ostype: "{{ vm.ostype | default('l26') }}" - boot: "{{ vm.boot_order | default('cd') }}" - ciuser: "{{ (users_admin_users | first).username }}" - cipassword: "Heslo123" - sshkeys: "{{ (users_admin_users | first).public_keys | join('\n') }}" - cicustom: "user=local:snippets/{{ vm.vmid }}.yml" - bios: "{{ 'seabios' if (vm.bios | default('bios')) != 'efi' else 'ovmf' }}" - startup: "down={{ vm.shutdown_timeout_seconds }}" - # required due to a bug: https://forum.proxmox.com/threads/kernel-panic-after-resizing-a-clone.93738/ - # which causes kernel panic after resizing the os disk - serial: - serial0: socket - scsi: - scsi0: 'local-zfs:cloudinit,format=raw' - net: - net0: "virtio,bridge={{ vm.nic_bridge }}" - ipconfig: - ipconfig0: "ip={{ (vm.nic_ipv4_address + '/' + vm.nic_ipv4_subnet) | ansible.utils.ipaddr('host/prefix') }},gw={{ vm.nic_ipv4_gateway }}" # 
noqa yaml[line-length] - nameservers: "{{ vm.nameservers }}" - efidisk0: "{{ ({'storage': vm.os_storage, 'format': 'raw', 'efitype': '4m', 'pre_enrolled_keys': false}) if (vm.bios | default('bios')) == 'efi' else none }}" # noqa yaml[line-length] - scsihw: virtio-scsi-pci - bootdisk: scsi1 - tablet: false - cpu: "{{ vm.cpu_type | default('kvm64') }}" - vcpus: "{{ vm.cpu_count * vm.cpu_cores_per_cpu }}" - sockets: "{{ vm.cpu_count }}" - cores: "{{ vm.cpu_cores_per_cpu }}" - memory: "{{ vm.max_memory }}" - balloon: "{{ vm.min_memory }}" - state: present - -- name: Import disk from cloud image - register: vm_disk - retries: 5 # transient timeouts - until: vm_disk.vmid == vm.vmid - community.general.proxmox_disk: - api_user: root@pam - api_password: "{{ users_root_password }}" - api_host: 127.0.0.1 - vmid: "{{ vm.vmid }}" - disk: scsi1 - import_from: "/var/lib/vz/images/{{ vm.cloud_image_filename }}" - storage: "{{ vm.os_storage }}" - ssd: true - timeout: 600 - state: present - -- name: Resize imported system disk - community.general.proxmox_disk: - api_user: root@pam - api_password: "{{ users_root_password }}" - api_host: 127.0.0.1 - vmid: "{{ vm.vmid }}" - disk: scsi1 - size: "{{ vm.os_disk_size }}" - state: resized - -- name: Start VM - community.general.proxmox_kvm: - api_user: root@pam - api_password: "{{ users_root_password }}" - api_host: 127.0.0.1 - vmid: "{{ vm.vmid }}" - node: "{{ ansible_hostname }}" - state: started - -- name: Wait for VM to start responding on SSH - ansible.builtin.wait_for: - host: "{{ vm.nic_ipv4_address }}" - port: 22 - timeout: 400 - sleep: 2 - msg: "VM {{ vm.name }} did not start responding on SSH in time." diff --git a/tools/clearkeys.sh b/tools/clearkeys.sh index 7e090cb..d937eb7 100755 --- a/tools/clearkeys.sh +++ b/tools/clearkeys.sh 
@@ -3,7 +3,3 @@ ssh-keygen -f ~/.ssh/known_hosts -R 10.1.8.11 ssh-keygen -f ~/.ssh/known_hosts -R 10.1.8.12 ssh-keygen -f ~/.ssh/known_hosts -R 10.1.8.13 - -ssh-keygen -f ~/.ssh/known_hosts -R 10.1.8.21 -ssh-keygen -f ~/.ssh/known_hosts -R 10.1.8.22 -ssh-keygen -f ~/.ssh/known_hosts -R 10.1.8.23 \ No newline at end of file From 5efe7cbb46d490704654f8b4cc6fc7fb183e87ba Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Wed, 14 Feb 2024 11:22:37 +0100 Subject: [PATCH 06/51] RKE2 cluster working --- playbooks/common.yml | 6 +++++ playbooks/kubernetes.yml | 26 +++++++------------ .../k8s-cluster-prerequisites/tasks/main.yml | 11 ++++++++ .../tasks/python-modules.yml} | 0 .../tasks/sysctls.yml} | 0 .../tasks/zfs-datasets.yml | 13 ++++++++++ 6 files changed, 39 insertions(+), 17 deletions(-) create mode 100644 roles/k8s-cluster-prerequisites/tasks/main.yml rename roles/{k8s-python-modules/tasks/main.yml => k8s-cluster-prerequisites/tasks/python-modules.yml} (100%) rename roles/{k8s-sysctls/tasks/main.yml => k8s-cluster-prerequisites/tasks/sysctls.yml} (100%) create mode 100644 roles/k8s-cluster-prerequisites/tasks/zfs-datasets.yml diff --git a/playbooks/common.yml b/playbooks/common.yml index c067af2..ceee4fe 100644 --- a/playbooks/common.yml +++ b/playbooks/common.yml @@ -59,6 +59,12 @@ tags: - ups + - name: Install zfs-auto-snapshot + ansible.builtin.apt: + name: zfs-auto-snapshot + tags: + - zfs-auto-snapshot + - name: Set up Message-of-the-day ansible.builtin.import_role: name: homecentr.system.motd diff --git a/playbooks/kubernetes.yml b/playbooks/kubernetes.yml index c3c18a9..97a423a 100644 --- a/playbooks/kubernetes.yml +++ b/playbooks/kubernetes.yml 
@@ -4,25 +4,17 @@ become_method: ansible.builtin.sudo any_errors_fatal: true tasks: - - name: Install Kubernetes cluster (RKE 2) + - name: Create ZFS datasets for rke2 ansible.builtin.import_role: - name: lablabs.rke2 + name: ../../roles/k8s-cluster-prerequisites tags: - - k8s - - rke2 + - prereqs - - name: Configure sysctls - ansible.builtin.import_role: - name: ../../roles/k8s-sysctls - tags: - - k8s - - rke2 - - - name: Install python modules for k8s management + - name: Install Longhorn dependencies ansible.builtin.import_role: - name: ../../roles/k8s-python-modules + name: ../../roles/k8s-longhorn-dependencies tags: - - always + - longhorn-deps - name: Install helm ansible.builtin.import_role: @@ -30,11 +22,11 @@ tags: - helm - - name: Install Longhorn dependencies + - name: Install rke2 cluster ansible.builtin.import_role: - name: ../../roles/k8s-longhorn-dependencies + name: lablabs.rke2 tags: - - longhorn-deps + - rke2 # - name: Install and configure Argo CD # ansible.builtin.import_role: diff --git a/roles/k8s-cluster-prerequisites/tasks/main.yml b/roles/k8s-cluster-prerequisites/tasks/main.yml new file mode 100644 index 0000000..0a4d5a1 --- /dev/null +++ b/roles/k8s-cluster-prerequisites/tasks/main.yml @@ -0,0 +1,11 @@ +- name: Install required python modules + ansible.builtin.include_tasks: + file: python-modules.yml + +- name: Configure sysctls + ansible.builtin.include_tasks: + file: sysctls.yml + +- name: Create zfs datasets + ansible.builtin.include_tasks: + file: zfs-datasets.yml \ No newline at end of file diff --git a/roles/k8s-python-modules/tasks/main.yml b/roles/k8s-cluster-prerequisites/tasks/python-modules.yml similarity index 100% rename from roles/k8s-python-modules/tasks/main.yml rename to roles/k8s-cluster-prerequisites/tasks/python-modules.yml 
diff --git a/roles/k8s-sysctls/tasks/main.yml b/roles/k8s-cluster-prerequisites/tasks/sysctls.yml
similarity index 100%
rename from roles/k8s-sysctls/tasks/main.yml
rename to roles/k8s-cluster-prerequisites/tasks/sysctls.yml
diff --git a/roles/k8s-cluster-prerequisites/tasks/zfs-datasets.yml b/roles/k8s-cluster-prerequisites/tasks/zfs-datasets.yml
new file mode 100644
index 0000000..05c0172
--- /dev/null
+++ b/roles/k8s-cluster-prerequisites/tasks/zfs-datasets.yml
@@ -0,0 +1,13 @@
+- name: Create a dataset for /var/lib/rancher/rke2
+ community.general.zfs:
+ name: rpool/ROOT/rke2/var
+ state: present
+ extra_zfs_properties:
+ mountpoint: /var/lib/rancher/rke2
+
+- name: Create a dataset for /etc/rancher/rke2
+ community.general.zfs:
+ name: rpool/ROOT/rke2/etc
+ state: present
+ extra_zfs_properties:
+ mountpoint: /etc/rke2
\ No newline at end of file
From 14838e3a03962335ad0647a94ca3670a55dad5c4 Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Wed, 14 Feb 2024 11:23:01 +0100
Subject: [PATCH 07/51] ArgoCD back
---
 playbooks/kubernetes.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/playbooks/kubernetes.yml b/playbooks/kubernetes.yml
index 97a423a..fd06917 100644
--- a/playbooks/kubernetes.yml
+++ b/playbooks/kubernetes.yml
@@ -28,8 +28,8 @@ tags: - rke2 - # - name: Install and configure Argo CD - # ansible.builtin.import_role: - # name: ../../roles/k8s-argocd - # tags: - # - argocd + - name: Install and configure Argo CD + ansible.builtin.import_role: + name: ../../roles/k8s-argocd + tags: + - argocd
From 8e221c3d9adb95c0858c981e2b514f65f762ea4f Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Wed, 14 Feb 2024 15:39:47 +0100
Subject: [PATCH 08/51] ArgoCD netpol
---
 environments/lab/group_vars/k8s_cluster/argocd.yml | 2 +-
 roles/k8s-argocd/tasks/install.yml | 6 +-----
 2 files changed, 2 insertions(+), 6 deletions(-)
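Review bot: The second task in the new `zfs-datasets.yml` is named `Create a dataset for /etc/rancher/rke2` but sets `mountpoint: /etc/rke2`, so the name and the effect disagree; RKE2 keeps its configuration under `/etc/rancher/rke2`, so the dataset mounted at `/etc/rke2` would presumably sit unused while the real config directory stays on the root dataset and outside whatever the `zfs-auto-snapshot` package from the previous hunk snapshots. Either `mountpoint: /etc/rancher/rke2` or a task name that says `/etc/rke2` fixes the mismatch, and the former looks like the intent. A comment on the first task, e.g. `# parent dataset rpool/ROOT/rke2 is assumed to exist`, would also help, since neither task creates it and whether the module does so implicitly is not visible here.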
diff --git a/environments/lab/group_vars/k8s_cluster/argocd.yml b/environments/lab/group_vars/k8s_cluster/argocd.yml index 1b125e7..0bd3dad 100644 --- a/environments/lab/group_vars/k8s_cluster/argocd.yml +++ b/environments/lab/group_vars/k8s_cluster/argocd.yml @@ -9,7 +9,7 @@ argocd_environment: lab # Make sure the chart version contains the app version below # The app version drives the CRDs and should be bumped before upgrading the app itself argocd_chart_version: 5.51.6 -argocd_app_version: v2.10.0-rc1 +argocd_app_version: v2.10.0 argocd_application_sets: - name: cluster diff --git a/roles/k8s-argocd/tasks/install.yml b/roles/k8s-argocd/tasks/install.yml index c0f14f6..51a6e7f 100644 --- a/roles/k8s-argocd/tasks/install.yml +++ b/roles/k8s-argocd/tasks/install.yml @@ -36,7 +36,7 @@ image: tag: "{{ argocd_app_version }}" networkPolicy: - create: true + create: false defaultDenyIngress: false redis-ha: enabled: false @@ -135,10 +135,6 @@ policy.default: role:readonly policy.csv: | g, "{{ argocd_admin_group_id }}", role:admin - # styles: | - # .sidebar__version { - # display: none; - # } cm: timeout.reconciliation: "{{ argocd_git_refresh_interval }}" # admin.enabled: false From c922bd808b8057095b667e300dc3a1bb7c5db2d9 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Wed, 21 Feb 2024 16:11:44 +0100 Subject: [PATCH 09/51] argocd netpol fixed --- .../lab/group_vars/k8s_cluster/argocd.yml | 1 + roles/k8s-argocd/tasks/install.yml | 49 ++++++++++++++++++- .../templates/application-set.yml.j2 | 2 +- 3 files changed, 50 insertions(+), 2 deletions(-) diff --git a/environments/lab/group_vars/k8s_cluster/argocd.yml b/environments/lab/group_vars/k8s_cluster/argocd.yml index 0bd3dad..b54d1ce 100644 --- a/environments/lab/group_vars/k8s_cluster/argocd.yml +++ b/environments/lab/group_vars/k8s_cluster/argocd.yml @@ -16,6 +16,7 @@ argocd_application_sets: project_name: cluster - name: apps project_name: apps + namespace: apps argocd_projects: - name: cluster 
diff --git a/roles/k8s-argocd/tasks/install.yml b/roles/k8s-argocd/tasks/install.yml index 51a6e7f..ac578d8 100644 --- a/roles/k8s-argocd/tasks/install.yml +++ b/roles/k8s-argocd/tasks/install.yml @@ -122,7 +122,7 @@ - mountPath: /custom-tools name: custom-tools applicationSet: - replicaCount: 1 + replicas: 1 dex: enabled: false configs: @@ -244,3 +244,50 @@ data: public_key: "{{ argocd_sops.public_key | b64encode }}" private_key: "{{ argocd_sops.private_key | b64encode }}" + + + - apiVersion: crd.projectcalico.org/v1 + kind: NetworkPolicy + metadata: + name: argocd + namespace: "{{ argocd_namespace }}" + spec: + # Instance is not filtered because argo-cd is deployed by ansible so from this chart's point of view the instance is not predictable + selector: app.kubernetes.io/part-of == 'argocd' + ingress: + # Allow internal component calls + - action: Allow + source: + selector: app.kubernetes.io/part-of == 'argocd' + + # Allow traffic from kubernetes api + - action: Allow + source: + services: + name: kubernetes + namespace: default + egress: + # Allow traffic to kubernetes api + - action: Allow + destination: + services: + name: kubernetes + namespace: default + + # Allow traffic to internet + - action: Allow + destination: + notNets: + - 10.0.0.0/8 + - 172.16.0.0/12 + + # Allow internal component calls + - action: Allow + destination: + selector: app.kubernetes.io/part-of == 'argocd' + + # Explicitly allow access to DNS to bypass dependency on global policies deployed by argocd itself + - action: Allow + destination: + selector: k8s-app == 'kube-dns' + namespaceSelector: projectcalico.org/name == "kube-system" diff --git a/roles/k8s-argocd/templates/application-set.yml.j2 b/roles/k8s-argocd/templates/application-set.yml.j2 index 0f1a827..274d011 100644 --- a/roles/k8s-argocd/templates/application-set.yml.j2 +++ b/roles/k8s-argocd/templates/application-set.yml.j2 
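Review bot: The egress rule commented `Allow traffic to internet` in the new Calico `NetworkPolicy` lists only `10.0.0.0/8` and `172.16.0.0/12` under `notNets`, so `192.168.0.0/16` (the third RFC 1918 block) and link-local `169.254.0.0/16` remain reachable from every pod matched by `app.kubernetes.io/part-of == 'argocd'`; if any lab or management network lives in those ranges the rule is not the private/public split its comment describes. Adding `- 192.168.0.0/16` and `- 169.254.0.0/16` to that list closes the gap. Separately, the ingress rules admit only other argocd components and the API server, so reaching `argocd-server` from an ingress controller presumably relies on a global policy outside this hunk; a comment naming where that is allowed would spare the next reader a search.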
@@ -21,7 +21,7 @@ spec: project: {{ argocd_application_set.project_name }} destination: server: https://kubernetes.default.svc - namespace: '{% raw %}{{ index .path.segments 1 }}{% endraw %}' + namespace: '{% if argocd_application_set.namespace is defined %}{{ argocd_application_set.namespace }}{% else %}{% raw %}{{ index .path.segments 1 }}{% endraw %}{% endif %}' source: repoURL: {{ argocd_git_repository_url }} targetRevision: {{ argocd_git_ref }} From 361d375604023c4ee23e75b0fc788c879b00c91e Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Thu, 22 Feb 2024 11:01:22 +0100 Subject: [PATCH 10/51] Pomerium 1 --- environments/lab/group_vars/k8s_cluster/rke2.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/environments/lab/group_vars/k8s_cluster/rke2.yml b/environments/lab/group_vars/k8s_cluster/rke2.yml index d9f30d7..10a2495 100644 --- a/environments/lab/group_vars/k8s_cluster/rke2.yml +++ b/environments/lab/group_vars/k8s_cluster/rke2.yml @@ -25,4 +25,12 @@ rke2_server_options: rke2_loadbalancer_ip_range: range-global: 10.1.8.160-10.1.8.191 +rke2_kubevip_args: +- param: enableServicesElection + value: "true" +- param: enableNodeLabeling + value: "true" +# - param: onlyAllowTrafficServicePorts +# value: true + # TODO: etcd snapshot backup to S3 ? \ No newline at end of file From cd5a4b2abd52bb09cfb28c0f03735dda204a9b47 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Thu, 22 Feb 2024 11:31:11 +0100 Subject: [PATCH 11/51] Pom policy 2 --- environments/lab/group_vars/k8s_cluster/rke2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/environments/lab/group_vars/k8s_cluster/rke2.yml b/environments/lab/group_vars/k8s_cluster/rke2.yml index 10a2495..f0075e2 100644 --- a/environments/lab/group_vars/k8s_cluster/rke2.yml +++ b/environments/lab/group_vars/k8s_cluster/rke2.yml 
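Review bot: The commented-out `onlyAllowTrafficServicePorts` entry carries no explanation of why it is disabled, and the same dead block is copied forward unchanged by the patch 11, 12 and 13 hunks of this file and into `roles/k8s-cluster/tasks/main.yaml` in patch 15. If the option does what its name suggests, leaving it off means the VIP answers on ports no Service exposes, so either document the reason (`# onlyAllowTrafficServicePorts left off: <REASON>`) or delete the entry rather than keep it commented.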
@@ -27,9 +27,9 @@ rke2_loadbalancer_ip_range: rke2_kubevip_args: - param: enableServicesElection - value: "true" + value: "'true'" - param: enableNodeLabeling - value: "true" + value: "'true'" # - param: onlyAllowTrafficServicePorts # value: true From e55f8cf270ca54a7b6e57f343f781b6e273b523d Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Thu, 22 Feb 2024 12:32:19 +0100 Subject: [PATCH 12/51] Kube vip configured correctly for externalTrafficPolicy: local --- .../lab/group_vars/k8s_cluster/rke2.yml | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/environments/lab/group_vars/k8s_cluster/rke2.yml b/environments/lab/group_vars/k8s_cluster/rke2.yml index f0075e2..e5e2be7 100644 --- a/environments/lab/group_vars/k8s_cluster/rke2.yml +++ b/environments/lab/group_vars/k8s_cluster/rke2.yml @@ -3,10 +3,19 @@ rke2_type: server # All nodes are servers rke2_ha_mode: true rke2_ha_mode_kubevip: true rke2_ha_mode_keepalived: false + rke2_kubevip_cloud_provider_enable: true -rke2_kubevip_svc_enable: true -rke2_kubevip_image: ghcr.io/kube-vip/kube-vip:v0.6.4 -rke2_kubevip_cloud_provider_image: ghcr.io/kube-vip/kube-vip-cloud-provider:v0.0.4 +rke2_kubevip_svc_enable: "true" +rke2_kubevip_image: ghcr.io/kube-vip/kube-vip:v0.7.0 +rke2_kubevip_cloud_provider_image: ghcr.io/kube-vip/kube-vip-cloud-provider:v0.0.8 + +rke2_kubevip_args: +- param: svc_election + value: "'true'" +- param: enable_node_labeling + value: "'true'" +# - param: onlyAllowTrafficServicePorts +# value: true rke2_api_ip: 10.1.8.130 rke2_api_cidr: 24 @@ -25,12 +34,4 @@ rke2_server_options: rke2_loadbalancer_ip_range: range-global: 10.1.8.160-10.1.8.191 -rke2_kubevip_args: -- param: enableServicesElection - value: "'true'" -- param: enableNodeLabeling - value: "'true'" -# - param: onlyAllowTrafficServicePorts -# value: true - # TODO: etcd snapshot backup to S3 ? \ No newline at end of file From 0ca4b87e25010d4322973a472440ad91239c457b Mon Sep 17 00:00:00 2001 
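Review bot: `value: "'true'"` nests a second pair of quotes without saying why; presumably the role drops the value into the kube-vip manifest as a plain YAML scalar, where an unquoted `true` becomes a boolean while the container env requires a string, but that cannot be told from the diff. A comment on the first entry, e.g. `# quoted twice on purpose: the role renders the value unquoted and kube-vip env values must be strings`, adjusted once the real cause is confirmed, would stop the next reader re-running the experiment that produced patches 10 to 12; the same applies to `rke2_kubevip_svc_enable: "true"` in the patch 12 hunk below.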
From: Lukas Holota Date: Sun, 25 Feb 2024 16:59:36 +0100 Subject: [PATCH 13/51] Proxmox https forward fixed --- environments/lab/group_vars/k8s_cluster/rke2.yml | 4 ++-- playbooks/proxmox.yml | 5 ----- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/environments/lab/group_vars/k8s_cluster/rke2.yml b/environments/lab/group_vars/k8s_cluster/rke2.yml index e5e2be7..e8d8564 100644 --- a/environments/lab/group_vars/k8s_cluster/rke2.yml +++ b/environments/lab/group_vars/k8s_cluster/rke2.yml @@ -12,8 +12,8 @@ rke2_kubevip_cloud_provider_image: ghcr.io/kube-vip/kube-vip-cloud-provider:v0.0 rke2_kubevip_args: - param: svc_election value: "'true'" -- param: enable_node_labeling - value: "'true'" +# - param: enable_node_labeling +# value: "'true'" # - param: onlyAllowTrafficServicePorts # value: true diff --git a/playbooks/proxmox.yml b/playbooks/proxmox.yml index 0a9ed3b..99f2a35 100644 --- a/playbooks/proxmox.yml +++ b/playbooks/proxmox.yml @@ -76,8 +76,3 @@ - name: Flush handlers before starting the VMs ansible.builtin.meta: flush_handlers - - - name: Create virtual machines - ansible.builtin.import_role: - name: ../../roles/pve_virtual_machines - tags: [ vm ] From 28854751856f29e49ae335fde54969090a6187c3 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Sun, 25 Feb 2024 17:17:46 +0100 Subject: [PATCH 14/51] iscsi started after installation --- roles/k8s-longhorn-dependencies/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/k8s-longhorn-dependencies/tasks/main.yml b/roles/k8s-longhorn-dependencies/tasks/main.yml index e75bd54..d366d9e 100644 --- a/roles/k8s-longhorn-dependencies/tasks/main.yml +++ b/roles/k8s-longhorn-dependencies/tasks/main.yml @@ -19,3 +19,8 @@ - nfs-common - open-iscsi state: present + +- name: Start iscsi daemon + ansible.builtin.service: + name: iscsid + state: started \ No newline at end of file From b872b7fee5bbf8a5326a15d4ad9988cc2c25798a Mon Sep 17 00:00:00 2001 
From: Lukas Holota Date: Thu, 29 Feb 2024 13:39:56 +0100 Subject: [PATCH 15/51] Calico api-server and configuration --- environments/lab/group_vars/all/general.yml | 2 + .../group_vars/k8s_cluster/cluster.sops.yml | 26 ++ .../lab/group_vars/k8s_cluster/cluster.yml | 12 + .../lab/group_vars/k8s_cluster/rke2.sops.yml | 24 -- .../lab/group_vars/k8s_cluster/rke2.yml | 37 --- .../lab/group_vars/k8s_cluster/storage.yml | 11 + environments/lab/host_vars/pve1.yml | 3 + environments/lab/host_vars/pve2.yml | 3 + environments/lab/host_vars/pve3.yml | 1 + environments/prod/group_vars/all/general.yml | 2 + playbooks/_local.yml | 66 +++- playbooks/kubernetes.yml | 25 +- .../k8s-cluster-prerequisites/tasks/main.yml | 11 - .../tasks/python-modules.yml | 4 - roles/k8s-cluster/tasks/iscsi.yaml | 11 + .../tasks/kubectl.yaml} | 8 - roles/k8s-cluster/tasks/main.yaml | 91 ++++++ .../tasks/sysctls.yaml} | 0 .../rke2-calico-apiserver-secret.yaml | 8 + .../templates/rke2-calico-apiserver.yaml | 307 ++++++++++++++++++ .../templates/rke2-canal-customize.yaml | 9 + roles/k8s-storage/tasks/longhorn-zvol.yaml | 20 ++ roles/k8s-storage/tasks/main.yaml | 14 + roles/k8s-storage/tasks/openebs.yaml | 7 + .../tasks/rke2.yaml} | 0 25 files changed, 599 insertions(+), 103 deletions(-) create mode 100644 environments/lab/group_vars/k8s_cluster/cluster.sops.yml create mode 100644 environments/lab/group_vars/k8s_cluster/cluster.yml delete mode 100644 environments/lab/group_vars/k8s_cluster/rke2.sops.yml delete mode 100644 environments/lab/group_vars/k8s_cluster/rke2.yml create mode 100644 environments/lab/group_vars/k8s_cluster/storage.yml delete mode 100644 roles/k8s-cluster-prerequisites/tasks/main.yml delete mode 100644 roles/k8s-cluster-prerequisites/tasks/python-modules.yml create mode 100644 roles/k8s-cluster/tasks/iscsi.yaml rename roles/{k8s-longhorn-dependencies/tasks/main.yml => k8s-cluster/tasks/kubectl.yaml} (80%) create mode 100644 roles/k8s-cluster/tasks/main.yaml rename 
roles/{k8s-cluster-prerequisites/tasks/sysctls.yml => k8s-cluster/tasks/sysctls.yaml} (100%) create mode 100644 roles/k8s-cluster/templates/rke2-calico-apiserver-secret.yaml create mode 100644 roles/k8s-cluster/templates/rke2-calico-apiserver.yaml create mode 100644 roles/k8s-cluster/templates/rke2-canal-customize.yaml create mode 100644 roles/k8s-storage/tasks/longhorn-zvol.yaml create mode 100644 roles/k8s-storage/tasks/main.yaml create mode 100644 roles/k8s-storage/tasks/openebs.yaml rename roles/{k8s-cluster-prerequisites/tasks/zfs-datasets.yml => k8s-storage/tasks/rke2.yaml} (100%) diff --git a/environments/lab/group_vars/all/general.yml b/environments/lab/group_vars/all/general.yml index 50df83a..60ea91c 100644 --- a/environments/lab/group_vars/all/general.yml +++ b/environments/lab/group_vars/all/general.yml @@ -1,2 +1,4 @@ ansible_user: lholota ansible_python_interpreter: "/usr/bin/python3" + +environment_name: lab \ No newline at end of file diff --git a/environments/lab/group_vars/k8s_cluster/cluster.sops.yml b/environments/lab/group_vars/k8s_cluster/cluster.sops.yml new file mode 100644 index 0000000..fc84185 --- /dev/null +++ b/environments/lab/group_vars/k8s_cluster/cluster.sops.yml 
@@ -0,0 +1,26 @@ +k8s_cluster_token: ENC[AES256_GCM,data:LU7t+sASI+8It/H1hjbSVLdS,iv:wBqHBXjC08XQbfTgzBqwe8pLYSU44bB5zx4tS4YIWhs=,tag:dvDckJh2R1NuluG4vVdTLQ==,type:str] +k8s_cluster_calico_apiserver_public_key: ENC[AES256_GCM,data:Q/8rrb1kuXrZEfUXNrdKV49xb2ns+DJ44NgyCD9BF61Wy7eqmxtgiJMkD+7ayNGDaWNXzPYQOWNMfZzeMirVAXI3wZV8DVtT3gNxBTwHYUU6GrYcIxoD90XJcwiW7FdXMwifcGA9/OsYrdYk20XJB3AObOh7p2o2B36RfCNnSkPeHGAaq0+EIiPkndMmLXJp7j6bjRQrGOHBfafjNV8O/C9fOtfqiT78zMMC0klj3vldOR7byAGE/VZ76p22dZ1Cy2ZkP0PnAWhTWrm8S0XK+zSs5LGBcg6J2nzhwsunZeV3pBnSgjv5yjgW8NDtL+0NSPp1oCymROX7wXlxjV3OdEvC/jpwIXFB2vvvaPwUqxx0TfPKVRGTSU55zZcKEHVDDSpSKeE6M4ojbVigRr2k9r+wuJa9nUIqxeGCbEaIlNUYnrKckJD6+E67hyEEiAZD1Nv4WD6PCESI6Y/FmyrVf0N5cvAHGgvFED6M4PefnhreQoTjItVB8BDWicRIoAEtKqAFP8s27MFLdlHefY+HmGYiBZ27pNS4tp8aF9BFtn6JVu5DfdV+uhsormIYsb2ucm75DqLk/xmSLqmw2jer2QrW1hVJaprth3inC0S3GMYtvhhbuMbBfg1gnsqQ8ImWZy0TiXrUlltJ5YMrZ5/2KkeuNkK1CT6QHqGyiruU8VQ72MC1LMBDCaC9koPVT9ud3Evssz31RIR3AolviVTaFIGyi6Tces7Wrs95fD/vWOYuWlmKv5uoeiJknuKNg34lNcpKzLg7uZ/xImW5LC1mITncq2Kri7nCQA0UjnbLCJtfnJROX5oCwtucY3rMx0PrlUxU8giQ58DcMBAVrNk1xrkcTl0n63Zxmui1lgrgthdWb2cyDLmvBiyHOO+rfJziedKrf25nJDnhlQNDFz2dB8r9J1IJXVzbV451QmPpK09gxwAu/fAzH7hyjleGx5VGGm1eW978bwOvAQuadSjwmBKetgMKmSlBto8//q2TthB6m6B39jXNu0tqfo4KONrYoDR+EwRRlPRZEgG/4pzXK8QhOarzn6PVabs7QoSCdVEbXAQDyQDaF5EuaWgHSn6ODvbxNdJB2bojZkfvPhXzIrmy92VF56uSirmr6UlXKkG/YmaGeb0CdHMOIu7yhKX6Po6jgVCJoDZHhltlkmjh09Ar3jq5tiWbxioiqt3za4c5GC0IstTllxTW8LpebbMi0rzWH1sT98mWB1v5J4XRJzqblU/68wqF7COz+0LVeTOcQmv9jwRYVrsazbWHdECFr0QuMyRetN93BGi5SY9tv5FMuvcA6kwUemSRlKwp8ODorgFTmfPPzHDMeSRYbHJW8fg08HkIPZyFMRMhjJ1cCIMUYRNqOdcJbmU6XDej+Df8diVGdpIANoYcGyABtIGQcxhijCMDbt9PTfSMzzY1vK8cjjvLa8FKnRfRy7RnWyTA60xc/kPauyc0EsWxJgXREhMxctLzj8RSYXC7AICdSi8MS+MEZbx+ROLJYWKpgdiCh+kZc6qnjNh7b3x5PIjWWc+MECmONQxJsROYzQq6K7B6XMBP1Ah32jlkkBO5Qa2fEBHRQeZFbAq3f7FXChmC7W0Cmd9w6j1gSvbJMUOClxyisW1ntTF4P74awt9fFpcm5BmrGM+Tvivr41/slqLPSJsPBiXHyny/MyvMQe16Z66AOI1C8Bnd8fFcFN3DZhjs2WXyfmawrGjm/SocxeyAhcGMaVMFeSIkW6+xTfJew1R1oP174H8Pg0RWu+D+U
XMxDdrux2Cx8O29jE7JybhzQEwOVdPYyo6TPJAGpSvGNAu11PSATp+tlHf4fN8lTfmqZ4hFlE44S6B09T3y3RaXwfl2BSUsmKvYTZtykli813NiqEvEsNzN1jIo89v+dI/K0zH315kBIHUQWL5cYqYrwdEpl6Djnh2WGc4kbQD6Q1wk/Epg2X2ngO4LC+gmtwmsTZk0ZOXBgByyHcJ/H6iaV3pAfwZOdW72d6qqAYXiAVLwaDCBjHqSGxP7IGZYsi2NOsubHQhK5Wkn1dTbwVfxhtegBzRPmvZJ6JOKD62v8ovVrJEGI9f271sX9OmfYWCAudzKYR1kFXVvXG5CCojVEaIdcsjLBqTMNQPmKM2sHX2nLT19L2+Wwsgl68LyJ2GJpYYxTNDNpuIXwbf38n14RLU79gNmAbU7kEy7Rtj/aN1ym/56aO0Ms960tjQ9yi8vBJst07+U//4482TLyIukYbupwegvYNZs/LIeQ8DXUntBPTZ3odVLkPHJPZ0pY5xUdmlGPAzarC1d65EmRe8LyfFd8HUS0N0hYCNRiTiOWLOvKQXWtFoObT5gf+x/zfXWISXeiKCpdtljwwfVZRnqNqIk8VQVovTxE2xa+10GPl5fY6dGig/lTsDUU7K8pBiMtITu3I0=,iv:COViPnj/k1s91QJcRvJz/T/GuT4KVfg2zBXtsdhmwmQ=,tag:hdcjJy8LPSvh7tPXx6Sqbg==,type:str] +k8s_cluster_calico_apiserver_private_key: ENC[AES256_GCM,data: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,iv:Jhmyl7K+yz3HoahkahWABCA1dNUYHRP7HDPCh93LOA4=,tag:1ufn4Imt5j9YdROSAU0obQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZERVZGphN1puNlo0d2hX + QnlnQ0o1Z3JYenFhcnFJNCszTVZKVGJNakZJClo2bEFWbzNCc3FVNFROaU1ObFNi + NHBSSnFNNFo3d2ZVMEtaUy9qTkdMMzQKLS0tIEFOL0Q1azA1Q2U0OGowMWRnUTN3 + Y014N1NGREJiWVN3MDlxZVdDK1Q4WUEKD8rt4RY4sj7BnspGhp7Uqcpl9bkobFU9 + kjicIjpMCRI5Dnmr2BhtW1SORYNXGj91PFgjNskdk/TnXLzMHFGasw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-29T11:37:05Z" + mac: ENC[AES256_GCM,data:J1qD/x04CozsF+64QpyJXy0lzlCM4WRShClFcWBoKQ1AiMPKH5rCWJJuFBHTspP75QucdZzNrWuF6FWSNTANZ0vD2yi+kMN3ER30GW9qO548KBJgvlLwBA3XMPDZga/PgDRLJ8E6kSuvTrscHAvSitD3Oy/3V7EuGAUpPGGQ9RI=,iv:odaEeztzstl6sB7oNXSCVJcJi8EAmktzQ6z2zUMgPIc=,tag:Y9DFhDXBwfo5C4p7AtmEzQ==,type:str] + pgp: + - created_at: "2023-12-22T08:52:37Z" + enc: "-----BEGIN PGP 
MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//UgusaM/iMVwbAJGDEANTaPE1joy2905k0f/j4RD/9k6X\r\ntC17eEIdIyuGxpSUqzMHmyF3TdHDeiCd7AE8bvy3FCcBNRX9NSsbhrKUKgAN/Y0x\r\naaByf+PUBpG5yD/5uIX2iv0fcnyS5bC1KTt7xjpwVSv7oRLHMiM+ABC3GcWmOFdZ\r\nzxbQJthIuEWMClaytYMrJQFdnDDJmiS2UWwnQBj5hm1DqAHy4zz2xmaYFa+8oEjw\r\n3uELjwmPa17GGU+bmI2Uq+YT8sIt+E/Gpc25kTaLzRw5xA26Hqq57TL3rpTVktVr\r\nzuesMGmJCtjppXoRQkRnIHMctj15pEYBy5xczEzyMr7+lKRoRxWuWDnb9iPYZJoo\r\nEoB8c1N8lmdtLDaGB5yp9nIwqRJY2jOcILFs99BNF27qhfzx+eKKA0u6O00ULoal\r\nWq9HvzDX4a+rEFBjWkm+MzUcBcad8aNdOiK3H48UOyLASsdaIULE30R84Z6TbIby\r\nUIotcka96I6VCJIt/HznpDB271SHxJQ/sFndBzlUKTBPfLcLoovj0oRmdiUgVvt2\r\n6Iv0oWDFZLq5UtYpm1cEPQRgRTQoS6GpZjs862RxnHgIQT8469LA2jx2txw0szM3\r\na+Loq8Rz1oCPIzVVt//WT/U7ysWmpKLrU8675K0NudJ7bTkiR5chaWoJtK2vR//S\r\nXgHejSEdTK6HMhKHBufVkg6OEPIjDgggodfU9ct2dtuk7H8JhTBNQI9dPdxwP+wV\r\nc0+shEuQz4LNUSC0y8ak4RMWmxGLdPFYLJYuNjeZvorTG8rR6plSCIKFE6c3H3E=\r\n=8c17\r\n-----END PGP MESSAGE-----\r\n" + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/environments/lab/group_vars/k8s_cluster/cluster.yml b/environments/lab/group_vars/k8s_cluster/cluster.yml new file mode 100644 index 0000000..66c0f60 --- /dev/null +++ b/environments/lab/group_vars/k8s_cluster/cluster.yml @@ -0,0 +1,12 @@ +k8s_cluster_kubevip_image: ghcr.io/kube-vip/kube-vip:v0.7.0 +k8s_cluster_kubevip_cloud_provider_image: ghcr.io/kube-vip/kube-vip-cloud-provider:v0.0.8 + +k8s_cluster_kubeapi_vip: 10.1.8.130 +k8s_cluster_rke2_version: v1.28.4+rke2r1 + +k8s_cluster_cluster_cidr: "172.16.0.0/16" # Pod internal IP addresses +k8s_cluster_service_cidr: "172.17.0.0/16" # Services internal IP addresses + +k8s_cluster_kubevip_dynamic_range: "10.1.8.160-10.1.8.191" + +# TODO: etcd snapshot backup to S3 ? \ No newline at end of file diff --git a/environments/lab/group_vars/k8s_cluster/rke2.sops.yml b/environments/lab/group_vars/k8s_cluster/rke2.sops.yml deleted file mode 100644 index bc06c9d..0000000 
--- a/environments/lab/group_vars/k8s_cluster/rke2.sops.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -rke2_token: ENC[AES256_GCM,data:kdpp824ygSpOO3j3Js5wXbq3,iv:c0wxTRa1T2Z//w1/ZAnODAUEC67YAL+MVEbkVlDQYWE=,tag:/Wbub9wame0HT/PJcF1nHA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZERVZGphN1puNlo0d2hX - QnlnQ0o1Z3JYenFhcnFJNCszTVZKVGJNakZJClo2bEFWbzNCc3FVNFROaU1ObFNi - NHBSSnFNNFo3d2ZVMEtaUy9qTkdMMzQKLS0tIEFOL0Q1azA1Q2U0OGowMWRnUTN3 - Y014N1NGREJiWVN3MDlxZVdDK1Q4WUEKD8rt4RY4sj7BnspGhp7Uqcpl9bkobFU9 - kjicIjpMCRI5Dnmr2BhtW1SORYNXGj91PFgjNskdk/TnXLzMHFGasw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-22T08:53:07Z" - mac: ENC[AES256_GCM,data:IVw4bh0IUuqxOtcb7aZFTkHNzpSQu2sgE56+Kmszlagt/lF/rOVaE2HJbG1A3VFK30pFDxyVzY4XwgbzcQ+gnjcP6iLYH5oPBBtAs5tuiWZhRGdFZjZnobRjrjmTS9Wx6yAufFBlJgMG3MA8QMm74tef8ApLSk4zjD2FhExjEZ0=,iv:hJm0V3Bhvp+nNoKlux8NqQ04HrbejwoO8OsdcoXZE0s=,tag:psjALFHs0vbCajx1kGyo5A==,type:str] - pgp: - - created_at: "2023-12-22T08:52:37Z" - enc: "-----BEGIN PGP 
MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//UgusaM/iMVwbAJGDEANTaPE1joy2905k0f/j4RD/9k6X\r\ntC17eEIdIyuGxpSUqzMHmyF3TdHDeiCd7AE8bvy3FCcBNRX9NSsbhrKUKgAN/Y0x\r\naaByf+PUBpG5yD/5uIX2iv0fcnyS5bC1KTt7xjpwVSv7oRLHMiM+ABC3GcWmOFdZ\r\nzxbQJthIuEWMClaytYMrJQFdnDDJmiS2UWwnQBj5hm1DqAHy4zz2xmaYFa+8oEjw\r\n3uELjwmPa17GGU+bmI2Uq+YT8sIt+E/Gpc25kTaLzRw5xA26Hqq57TL3rpTVktVr\r\nzuesMGmJCtjppXoRQkRnIHMctj15pEYBy5xczEzyMr7+lKRoRxWuWDnb9iPYZJoo\r\nEoB8c1N8lmdtLDaGB5yp9nIwqRJY2jOcILFs99BNF27qhfzx+eKKA0u6O00ULoal\r\nWq9HvzDX4a+rEFBjWkm+MzUcBcad8aNdOiK3H48UOyLASsdaIULE30R84Z6TbIby\r\nUIotcka96I6VCJIt/HznpDB271SHxJQ/sFndBzlUKTBPfLcLoovj0oRmdiUgVvt2\r\n6Iv0oWDFZLq5UtYpm1cEPQRgRTQoS6GpZjs862RxnHgIQT8469LA2jx2txw0szM3\r\na+Loq8Rz1oCPIzVVt//WT/U7ysWmpKLrU8675K0NudJ7bTkiR5chaWoJtK2vR//S\r\nXgHejSEdTK6HMhKHBufVkg6OEPIjDgggodfU9ct2dtuk7H8JhTBNQI9dPdxwP+wV\r\nc0+shEuQz4LNUSC0y8ak4RMWmxGLdPFYLJYuNjeZvorTG8rR6plSCIKFE6c3H3E=\r\n=8c17\r\n-----END PGP MESSAGE-----\r\n" - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/lab/group_vars/k8s_cluster/rke2.yml b/environments/lab/group_vars/k8s_cluster/rke2.yml deleted file mode 100644 index e8d8564..0000000 --- a/environments/lab/group_vars/k8s_cluster/rke2.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -rke2_type: server # All nodes are servers - -rke2_ha_mode: true -rke2_ha_mode_kubevip: true -rke2_ha_mode_keepalived: false - -rke2_kubevip_cloud_provider_enable: true -rke2_kubevip_svc_enable: "true" -rke2_kubevip_image: ghcr.io/kube-vip/kube-vip:v0.7.0 -rke2_kubevip_cloud_provider_image: ghcr.io/kube-vip/kube-vip-cloud-provider:v0.0.8 - -rke2_kubevip_args: -- param: svc_election - value: "'true'" -# - param: enable_node_labeling -# value: "'true'" -# - param: onlyAllowTrafficServicePorts -# value: true - -rke2_api_ip: 10.1.8.130 -rke2_api_cidr: 24 - -rke2_version: v1.28.4+rke2r1 -rke2_drain_node_during_upgrade: true - -rke2_disable: - - rke2-ingress-nginx - - rke2-metrics-server - -rke2_server_options: - - "cluster-cidr: 172.16.0.0/16" # Pod internal IP addresses - - "service-cidr: 172.17.0.0/16" # Services internal IP addresses - -rke2_loadbalancer_ip_range: - range-global: 10.1.8.160-10.1.8.191 - -# TODO: etcd snapshot backup to S3 ? \ No newline at end of file diff --git a/environments/lab/group_vars/k8s_cluster/storage.yml b/environments/lab/group_vars/k8s_cluster/storage.yml new file mode 100644 index 0000000..89aa1b0 --- /dev/null +++ b/environments/lab/group_vars/k8s_cluster/storage.yml @@ -0,0 +1,11 @@ +k8s_storage_openebs_zfs_datasets: + - name: dpool/openebs/db + quota: 10G + +k8s_storage_longhorn_zvols: + - name: dpool/longhorn/data + mountpoint: /longhorn/data + size: 20G + - name: dpool/longhorn/nvr + mountpoint: /longhorn/nvr + size: 20G \ No newline at end of file diff --git a/environments/lab/host_vars/pve1.yml b/environments/lab/host_vars/pve1.yml index 239ba9e..dae10f2 100644 --- a/environments/lab/host_vars/pve1.yml +++ b/environments/lab/host_vars/pve1.yml @@ -14,3 +14,6 @@ ups_name: dummy-ups1 # nVidia drivers nvidia_drivers_install_containers: true + +# Kubernetes +k8s_storage_enabled: true \ No newline at end of file 
diff --git a/environments/lab/host_vars/pve2.yml b/environments/lab/host_vars/pve2.yml index ce6968a..20ba0c3 100644 --- a/environments/lab/host_vars/pve2.yml +++ b/environments/lab/host_vars/pve2.yml @@ -14,3 +14,6 @@ ups_name: dummy-ups1 # nVidia drivers nvidia_drivers_install_containers: true + +# Kubernetes +k8s_storage_enabled: true \ No newline at end of file diff --git a/environments/lab/host_vars/pve3.yml b/environments/lab/host_vars/pve3.yml index d3fbb3b..5069192 100644 --- a/environments/lab/host_vars/pve3.yml +++ b/environments/lab/host_vars/pve3.yml @@ -13,5 +13,6 @@ network_interfaces: ups_name: dummy-ups1 # Kubernetes +k8s_storage_enabled: false rke2_server_node_taints: - 'CriticalAddonsOnly=true:NoSchedule' \ No newline at end of file diff --git a/environments/prod/group_vars/all/general.yml b/environments/prod/group_vars/all/general.yml index 50df83a..f3b2043 100644 --- a/environments/prod/group_vars/all/general.yml +++ b/environments/prod/group_vars/all/general.yml @@ -1,2 +1,4 @@ ansible_user: lholota ansible_python_interpreter: "/usr/bin/python3" + +environment_name: prod \ No newline at end of file diff --git a/playbooks/_local.yml b/playbooks/_local.yml index b8d3dd7..5a57e2f 100644 --- a/playbooks/_local.yml +++ b/playbooks/_local.yml 
@@ -4,6 +4,24 @@ become: true become_method: ansible.builtin.sudo tasks: + - name: Get distro codename + register: ubuntu_lsb_release + changed_when: false + ansible.builtin.command: + cmd: lsb_release -sc + + - name: Add Cloudflare apt key + ansible.builtin.get_url: + url: https://pkg.cloudflare.com/cloudflare-main.gpg + dest: /usr/share/keyrings/cloudflare-main.gpg + + - name: Add Cloudflare repository + ansible.builtin.apt_repository: + repo: "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared {{ ubuntu_lsb_release.stdout }} main" + filename: cloudflare + update_cache: true + state: present + - name: Install required python modules ansible.builtin.include_role: name: geerlingguy.pip 
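Review bot: The `Add Cloudflare apt key` task fetches the repository keyring with `get_url` and no `checksum`, so the trust anchor for every package later pulled from that repository is whatever the URL serves at run time; pin it with `checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"` and set an explicit `mode: "0644"` so apt can read the keyring regardless of the process umask. `lsb_release -sc` through `command` can be replaced by the `ansible_distribution_release` fact, removing the shell-out and the `changed_when: false` bookkeeping. The surrounding `tasks:` list begins outside the hunk.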
@@ -16,13 +34,53 @@ - name: Install required packages ansible.builtin.package: - name: sshpass + name: + - sshpass + - cloudflared + - grepcidr + + - name: Create proxy command script (for wsl) + become: false + ansible.builtin.copy: + dest: "{{ lookup('env', 'HOME') }}/.ssh/proxy-{{ environment_name }}.sh" + mode: 0700 + content: | + #!/usr/bin/env bash + + # $1 = FQDN of the host + # $2 = Remote user + # $3 = Remote port + + IP=$(dig -t a $1 +short @ | tail -n1) + LOCAL_IP=$(echo "$IP" | grepcidr "10.0.0.0/8") + + if [ -z "$LOCAL_IP" ]; then + echo "Remote, using Cloudflare Access..." + /usr/local/bin/cloudflared access ssh --hostname $1 + else + ssh $2@$1 + fi + + - name: Add a host into the configuration (short name) + become: false + community.general.ssh_config: + user: "{{ ansible_user }}" + host: "{{ hostvars[item].ansible_hostname }}" + hostname: "{{ hostvars[item].ansible_hostname }}" + forward_agent: true # To enable YubiKey forwarding + proxycommand: "{{ lookup('env', 'HOME') }}/.ssh/proxy-{{ environment_name }}.sh %h %r" + remote_user: "{{ ansible_user }}" + state: present + with_items: "{{ groups['all'] }}" - - name: Add a host into the configuration + - name: Add a host into the configuration (full name) + become: false community.general.ssh_config: - user: "{{ ansible_user_id }}" - host: "{{ item }}" + user: "{{ ansible_user }}" + host: "{{ hostvars[item].ansible_hostname }}" hostname: "{{ hostvars[item].fqdn }}" forward_agent: true # To enable YubiKey forwarding + proxycommand: "{{ lookup('env', 'HOME') }}/.ssh/proxy-{{ environment_name }}.sh %h %r" + remote_user: "{{ ansible_user }}" state: present with_items: "{{ groups['all'] }}" diff --git a/playbooks/kubernetes.yml b/playbooks/kubernetes.yml index fd06917..af5d72e 100644 --- a/playbooks/kubernetes.yml +++ b/playbooks/kubernetes.yml 
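Review bot: Both ssh_config tasks use `host: "{{ hostvars[item].ansible_hostname }}"`, so the "(full name)" task rewrites the stanza the "(short name)" task just created instead of adding an FQDN entry; it should use `host: "{{ hostvars[item].fqdn }}"`. In the generated proxy script, `dig -t a $1 +short @ | tail -n1` has an empty server after `@`, which looks like an editing leftover, and the local branch `ssh $2@$1` opens a login session rather than the stdio tunnel a ProxyCommand must provide — and because the Host stanza matches that same name it would re-enter this ProxyCommand; a plain TCP relay such as `exec nc "$1" 22` is the usual form, with `$1`/`$2` quoted throughout. `mode: 0700` is a YAML 1.1 octal literal and should be written `mode: "0700"`. `forward_agent: true` on every inventory host exposes the agent to anyone with root on those hosts; scoping it to the hosts that really need the YubiKey would shrink that exposure.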
@@ -4,29 +4,24 @@ become_method: ansible.builtin.sudo any_errors_fatal: true tasks: - - name: Create ZFS datasets for rke2 - ansible.builtin.import_role: - name: ../../roles/k8s-cluster-prerequisites - tags: - - prereqs - - - name: Install Longhorn dependencies - ansible.builtin.import_role: - name: ../../roles/k8s-longhorn-dependencies - tags: - - longhorn-deps - - name: Install helm ansible.builtin.import_role: name: geerlingguy.helm tags: - helm - - name: Install rke2 cluster + - name: Set up storage + ansible.builtin.import_role: + name: ../../roles/k8s-storage + tags: + - storage + when: k8s_storage_enabled == true + + - name: Install and configure the rke2 cluster ansible.builtin.import_role: - name: lablabs.rke2 + name: ../../roles/k8s-cluster tags: - - rke2 + - cluster - name: Install and configure Argo CD ansible.builtin.import_role: diff --git a/roles/k8s-cluster-prerequisites/tasks/main.yml b/roles/k8s-cluster-prerequisites/tasks/main.yml deleted file mode 100644 index 0a4d5a1..0000000 --- a/roles/k8s-cluster-prerequisites/tasks/main.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: Install required python modules - ansible.builtin.include_tasks: - file: python-modules.yml - -- name: Configure sysctls - ansible.builtin.include_tasks: - file: sysctls.yml - -- name: Create zfs datasets - ansible.builtin.include_tasks: - file: zfs-datasets.yml \ No newline at end of file diff --git a/roles/k8s-cluster-prerequisites/tasks/python-modules.yml b/roles/k8s-cluster-prerequisites/tasks/python-modules.yml deleted file mode 100644 index c32f327..0000000 --- a/roles/k8s-cluster-prerequisites/tasks/python-modules.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Install python for kubernetes management - ansible.builtin.apt: - name: - - python3-kubernetes \ No newline at end of file diff --git a/roles/k8s-cluster/tasks/iscsi.yaml b/roles/k8s-cluster/tasks/iscsi.yaml new file mode 100644 index 0000000..50f2861 --- /dev/null +++ b/roles/k8s-cluster/tasks/iscsi.yaml 
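Review bot: `when: k8s_storage_enabled == true` fails with an undefined-variable error on any host in the play that does not set the flag (only the pve host_vars define it in this patch), and the `== true` comparison is redundant; `when: k8s_storage_enabled | default(false) | bool` skips the role cleanly on such hosts. The play header this task list belongs to starts outside the hunk.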
@@ -0,0 +1,11 @@ +- name: Install required packages + ansible.builtin.apt: + name: + - open-iscsi + state: present + +- name: Start iscsi daemon + ansible.builtin.service: + name: iscsid + enabled: true + state: started \ No newline at end of file diff --git a/roles/k8s-longhorn-dependencies/tasks/main.yml b/roles/k8s-cluster/tasks/kubectl.yaml similarity index 80% rename from roles/k8s-longhorn-dependencies/tasks/main.yml rename to roles/k8s-cluster/tasks/kubectl.yaml index d366d9e..dc4dde8 100644 --- a/roles/k8s-longhorn-dependencies/tasks/main.yml +++ b/roles/k8s-cluster/tasks/kubectl.yaml @@ -14,13 +14,5 @@ - name: Install required packages ansible.builtin.apt: name: - - jq - kubectl - - nfs-common - - open-iscsi state: present - -- name: Start iscsi daemon - ansible.builtin.service: - name: iscsid - state: started \ No newline at end of file diff --git a/roles/k8s-cluster/tasks/main.yaml b/roles/k8s-cluster/tasks/main.yaml new file mode 100644 index 0000000..053da2c --- /dev/null +++ b/roles/k8s-cluster/tasks/main.yaml 
@@ -0,0 +1,91 @@ +- name: Install python for kubernetes management + ansible.builtin.apt: + name: + - python3-kubernetes + +- name: Install required packages + ansible.builtin.apt: + name: + - jq + - nfs-common + state: present + +- name: Configure sysctls + ansible.builtin.include_tasks: + file: sysctls.yaml + +- name: Install iscsi + ansible.builtin.include_tasks: + file: iscsi.yaml + +- name: Install kubectl + ansible.builtin.include_tasks: + file: kubectl.yaml + +- name: Install rke2 cluster + ansible.builtin.import_role: + name: lablabs.rke2 + tags: + - rke2 + vars: + rke2_type: server # All nodes are servers + rke2_token: "{{ k8s_cluster_token }}" + + rke2_ha_mode: true + rke2_ha_mode_kubevip: true + rke2_ha_mode_keepalived: false + rke2_kubevip_cloud_provider_enable: true + rke2_kubevip_svc_enable: "true" + + rke2_kubevip_image: "{{ k8s_cluster_kubevip_image }}" + rke2_kubevip_cloud_provider_image: "{{ k8s_cluster_kubevip_cloud_provider_image }}" + + rke2_api_ip: "{{ k8s_cluster_kubeapi_vip }}" + rke2_drain_node_during_upgrade: true + + rke2_version: "{{ k8s_cluster_rke2_version }}" + + rke2_disable: + - rke2-ingress-nginx + - rke2-metrics-server + + rke2_server_options: + - "cluster-cidr: {{ k8s_cluster_cluster_cidr }}" + - "service-cidr: {{ k8s_cluster_service_cidr }}" + + rke2_loadbalancer_ip_range: + range-global: "{{ k8s_cluster_kubevip_dynamic_range }}" + + rke2_kubevip_args: + - param: svc_election + value: "'true'" + # - param: enable_node_labeling + # value: "'true'" + # - param: onlyAllowTrafficServicePorts + # value: true + + rke2_custom_manifests: + - rke2-canal-customize.yaml + - rke2-calico-apiserver.yaml + - rke2-calico-apiserver-secret.yaml + +# - name: Load kubeconfig +# run_once: true +# ansible.builtin.slurp: +# src: /etc/rancher/rke2/rke2.yaml +# register: k8s_cluster_kubeconfig + +# - debug: +# msg: "{{ k8s_cluster_kubeconfig.content | b64decode }}" + +- name: Patch calico apiservice + run_once: true + kubernetes.core.k8s_json_patch: + 
kind: APIService + name: v3.projectcalico.org + kubeconfig: /etc/rancher/rke2/rke2.yaml + patch: + - op: replace + path: /spec/caBundle + value: "{{ k8s_cluster_calico_apiserver_public_key | b64encode }}" + diff --git a/roles/k8s-cluster-prerequisites/tasks/sysctls.yml b/roles/k8s-cluster/tasks/sysctls.yaml similarity index 100% rename from roles/k8s-cluster-prerequisites/tasks/sysctls.yml rename to roles/k8s-cluster/tasks/sysctls.yaml diff --git a/roles/k8s-cluster/templates/rke2-calico-apiserver-secret.yaml b/roles/k8s-cluster/templates/rke2-calico-apiserver-secret.yaml new file mode 100644 index 0000000..3a43ce0 --- /dev/null +++ b/roles/k8s-cluster/templates/rke2-calico-apiserver-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: calico-apiserver-certs + namespace: calico-apiserver +data: + apiserver.key: "{{ k8s_cluster_calico_apiserver_private_key | b64encode }}" + apiserver.crt: "{{ k8s_cluster_calico_apiserver_public_key | b64encode }}" diff --git a/roles/k8s-cluster/templates/rke2-calico-apiserver.yaml b/roles/k8s-cluster/templates/rke2-calico-apiserver.yaml new file mode 100644 index 0000000..9fd2865 --- /dev/null +++ b/roles/k8s-cluster/templates/rke2-calico-apiserver.yaml 
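Review bot: The `Patch calico apiservice` task uses `op: replace` on `/spec/caBundle`, but the APIService in `rke2-calico-apiserver.yaml` defines neither `caBundle` nor `insecureSkipTLSVerify`, and a JSON Patch `replace` is rejected when the target path does not exist; `op: add` sets the member whether or not it is already present. The value written is `k8s_cluster_calico_apiserver_public_key`, which the secret template also mounts as `apiserver.crt`, so the variable holds a certificate rather than a public key; renaming it `k8s_cluster_calico_apiserver_cert` and adding `# caBundle must match the serving certificate handed to the Calico API server` would make the pairing explicit. The first apt task omits `state: present` while the second sets it; aligning them is a small consistency fix.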
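Review bot: This template carries the Calico API server private key and is delivered through `rke2_custom_manifests`, which presumably renders it into the server manifests directory on every server node, leaving the key in plaintext on each node's disk; confirm the mode the role applies to rendered manifests and that the directory is root-only. The Secret has no `type:`, so it defaults to `Opaque`, and the `apiserver.key`/`apiserver.crt` names are what the Deployment mounts at `/code/apiserver.local.config/certificates`; a comment such as `# key names are the ones the calico/apiserver image reads; do not rename to tls.crt/tls.key` would stop a later normalisation from breaking the mount.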
@@ -0,0 +1,307 @@ +# Source: https://raw.githubusercontent.com/projectcalico/calico/v3.27.2/manifests/apiserver.yaml + + +# This is a tech-preview manifest which installs the Calico API server. Note that this manifest is liable to change +# or be removed in future releases without further warning. +# +# Namespace and namespace-scoped resources. +apiVersion: v1 +kind: Namespace +metadata: + labels: + name: calico-apiserver + name: calico-apiserver +spec: + +--- + +# Policy to ensure the API server isn't cut off. Can be modified, but ensure +# that the main API server is always able to reach the Calico API server. +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-apiserver + namespace: calico-apiserver +spec: + podSelector: + matchLabels: + apiserver: "true" + ingress: + - ports: + - protocol: TCP + port: 5443 + +--- + +apiVersion: v1 +kind: Service +metadata: + name: calico-api + namespace: calico-apiserver +spec: + ports: + - name: apiserver + port: 443 + protocol: TCP + targetPort: 5443 + selector: + apiserver: "true" + type: ClusterIP + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + apiserver: "true" + k8s-app: calico-apiserver + name: calico-apiserver + namespace: calico-apiserver +spec: + replicas: 1 + selector: + matchLabels: + apiserver: "true" + strategy: + type: Recreate + template: + metadata: + labels: + apiserver: "true" + k8s-app: calico-apiserver + name: calico-apiserver + namespace: calico-apiserver + spec: + containers: + - args: + - --secure-port=5443 + - -v=5 + env: + - name: DATASTORE_TYPE + value: kubernetes + image: calico/apiserver:v3.27.2 + livenessProbe: + httpGet: + path: /version + port: 5443 + scheme: HTTPS + initialDelaySeconds: 90 + periodSeconds: 10 + name: calico-apiserver + readinessProbe: + exec: + command: + - /code/filecheck + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + securityContext: + privileged: false + runAsUser: 0 + volumeMounts: + - mountPath: 
/code/apiserver.local.config/certificates + name: calico-apiserver-certs + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/os: linux + restartPolicy: Always + serviceAccount: calico-apiserver + serviceAccountName: calico-apiserver + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + volumes: + - name: calico-apiserver-certs + secret: + secretName: calico-apiserver-certs + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-apiserver + namespace: calico-apiserver + +--- + +# Cluster-scoped resources below here. +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v3.projectcalico.org +spec: + group: projectcalico.org + groupPriorityMinimum: 1500 + service: + name: calico-api + namespace: calico-apiserver + port: 443 + version: v3 + versionPriority: 200 + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: calico-crds +rules: +- apiGroups: + - extensions + - networking.k8s.io + - "" + resources: + - networkpolicies + - nodes + - namespaces + - pods + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - crd.projectcalico.org + resources: + - globalnetworkpolicies + - networkpolicies + - clusterinformations + - hostendpoints + - globalnetworksets + - networksets + - bgpconfigurations + - bgppeers + - bgpfilters + - felixconfigurations + - kubecontrollersconfigurations + - ippools + - ipreservations + - ipamblocks + - blockaffinities + - caliconodestatuses + - ipamconfigs + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - policy + resourceNames: + - calico-apiserver + resources: + - podsecuritypolicies + verbs: + - use + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: calico-extension-apiserver-auth-access +rules: +- apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: 
+ - configmaps + verbs: + - list + - watch + - get +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: calico-webhook-reader +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-apiserver-access-crds +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-crds +subjects: +- kind: ServiceAccount + name: calico-apiserver + namespace: calico-apiserver + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-apiserver-delegate-auth +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: calico-apiserver + namespace: calico-apiserver + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-apiserver-webhook-reader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-webhook-reader +subjects: +- kind: ServiceAccount + name: calico-apiserver + namespace: calico-apiserver + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-extension-apiserver-auth-access +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-extension-apiserver-auth-access +subjects: +- kind: ServiceAccount + name: calico-apiserver + namespace: calico-apiserver \ No newline at end of file diff --git a/roles/k8s-cluster/templates/rke2-canal-customize.yaml b/roles/k8s-cluster/templates/rke2-canal-customize.yaml new file mode 100644 index 0000000..e661479 --- /dev/null 
+++ b/roles/k8s-cluster/templates/rke2-canal-customize.yaml
@@ -0,0 +1,9 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: rke2-canal
+ namespace: kube-system
+spec:
+ valuesContent: |-
+ calico:
+ calicoKubeControllers: true
\ No newline at end of file
diff --git a/roles/k8s-storage/tasks/longhorn-zvol.yaml b/roles/k8s-storage/tasks/longhorn-zvol.yaml
new file mode 100644
index 0000000..09bcef9
--- /dev/null
+++ b/roles/k8s-storage/tasks/longhorn-zvol.yaml
@@ -0,0 +1,20 @@
+- name: Create ZFS volumes for Longhorn
+ community.general.zfs:
+ name: "{{ zvol.name }}"
+ state: present
+ extra_zfs_properties:
+ volsize: "{{ zvol.size }}"
+
+- name: Create xfs file system in zvols for Longhorn
+ community.general.filesystem:
+ dev: "/dev/zvol/{{ zvol.name }}"
+ fstype: xfs
+ state: present
+
+- name: Mount zvol
+ ansible.posix.mount:
+ src: "/dev/zvol/{{ zvol.name }}"
+ path: "{{ zvol.mountpoint }}"
+ fstype: xfs
+ opts: noatime,discard
+ state: mounted
\ No newline at end of file
diff --git a/roles/k8s-storage/tasks/main.yaml b/roles/k8s-storage/tasks/main.yaml
new file mode 100644
index 0000000..8f28f3c
--- /dev/null
+++ b/roles/k8s-storage/tasks/main.yaml
@@ -0,0 +1,14 @@
+- name: Create zfs datasets for rke2 cluster
+ ansible.builtin.include_tasks:
+ file: rke2.yaml
+
+- name: Create zfs datasets for openebs
+ ansible.builtin.include_tasks:
+ file: openebs.yaml
+
+- name: Create zvols for longhorn
+ ansible.builtin.include_tasks:
+ file: longhorn-zvol.yaml
+ loop: "{{ k8s_storage_longhorn_zvols }}"
+ loop_control:
+ loop_var: zvol
diff --git a/roles/k8s-storage/tasks/openebs.yaml b/roles/k8s-storage/tasks/openebs.yaml
new file mode 100644
index 0000000..f84eeda
--- /dev/null
+++ b/roles/k8s-storage/tasks/openebs.yaml
@@ -0,0 +1,7 @@
+- name: Create ZFS datasets for OpenEBS
+ community.general.zfs:
+ name: "{{ item.name }}"
+ state: present
+ extra_zfs_properties:
+ quota: "{{ item.quota }}"
+ loop: "{{ k8s_storage_openebs_zfs_datasets }}"
\ No newline at end of file
diff --git a/roles/k8s-cluster-prerequisites/tasks/zfs-datasets.yml b/roles/k8s-storage/tasks/rke2.yaml
similarity index 100%
rename from roles/k8s-cluster-prerequisites/tasks/zfs-datasets.yml
rename to roles/k8s-storage/tasks/rke2.yaml
From fc9594774b7575bab03ed0bd6a8386b3755c7b51 Mon Sep 17 00:00:00 2001
From: Lukas Holota Date: Fri, 1 Mar 2024 14:29:47 +0100 Subject: [PATCH 16/51] Switch to PVE only --- .../group_vars/k8s_cluster/argocd.sops.yml | 48 --- .../lab/group_vars/k8s_cluster/argocd.yml | 27 -- .../group_vars/k8s_cluster/cluster.sops.yml | 26 -- .../lab/group_vars/k8s_cluster/cluster.yml | 12 - .../lab/group_vars/k8s_cluster/helm.yml | 3 - .../lab/group_vars/k8s_cluster/storage.yml | 11 - environments/lab/host_vars/pve1.yml | 12 - environments/lab/host_vars/pve2.yml | 12 - environments/lab/host_vars/pve3.yml | 11 - environments/lab/hosts.yml | 15 - package.json | 2 +- playbooks/_all.yaml | 2 + playbooks/_all.yml | 4 - playbooks/{_local.yml => _local.yaml} | 0 playbooks/app-powerdns.yaml | 20 ++ playbooks/common.yml | 81 ----- playbooks/kubernetes-destroy.yml | 30 -- playbooks/kubernetes.yml | 30 -- playbooks/nvidia.yml | 11 - playbooks/{proxmox.yml => proxmox.yaml} | 40 ++- requirements.yaml | 36 ++ roles/k8s-argocd/defaults/main.yml | 1 - roles/k8s-argocd/tasks/configure.yml | 36 -- roles/k8s-argocd/tasks/install.yml | 293 ----------------- roles/k8s-argocd/tasks/main.yml | 5 - .../templates/application-set.yml.j2 | 61 ---- .../templates/project-default.yml.j2 | 10 - roles/k8s-argocd/templates/project.yml.j2 | 16 - roles/k8s-cluster/tasks/iscsi.yaml | 11 - roles/k8s-cluster/tasks/kubectl.yaml | 18 - roles/k8s-cluster/tasks/main.yaml | 91 ------ roles/k8s-cluster/tasks/sysctls.yaml | 5 - .../rke2-calico-apiserver-secret.yaml | 8 - .../templates/rke2-calico-apiserver.yaml | 307 ------------------ .../templates/rke2-canal-customize.yaml | 9 - roles/k8s-storage/tasks/longhorn-zvol.yaml | 20 -- roles/k8s-storage/tasks/main.yaml | 14 - roles/k8s-storage/tasks/openebs.yaml | 7 - roles/k8s-storage/tasks/rke2.yaml | 13 - tools/apply.sh | 11 +- tools/install.sh | 6 + 41 files changed, 106 insertions(+), 1269 deletions(-) delete mode 100644 environments/lab/group_vars/k8s_cluster/argocd.sops.yml delete mode 100644 environments/lab/group_vars/k8s_cluster/argocd.yml 
delete mode 100644 environments/lab/group_vars/k8s_cluster/cluster.sops.yml delete mode 100644 environments/lab/group_vars/k8s_cluster/cluster.yml delete mode 100644 environments/lab/group_vars/k8s_cluster/helm.yml delete mode 100644 environments/lab/group_vars/k8s_cluster/storage.yml create mode 100644 playbooks/_all.yaml delete mode 100644 playbooks/_all.yml rename playbooks/{_local.yml => _local.yaml} (100%) create mode 100644 playbooks/app-powerdns.yaml delete mode 100644 playbooks/common.yml delete mode 100644 playbooks/kubernetes-destroy.yml delete mode 100644 playbooks/kubernetes.yml delete mode 100644 playbooks/nvidia.yml rename playbooks/{proxmox.yml => proxmox.yaml} (71%) create mode 100644 requirements.yaml delete mode 100644 roles/k8s-argocd/defaults/main.yml delete mode 100644 roles/k8s-argocd/tasks/configure.yml delete mode 100644 roles/k8s-argocd/tasks/install.yml delete mode 100644 roles/k8s-argocd/tasks/main.yml delete mode 100644 roles/k8s-argocd/templates/application-set.yml.j2 delete mode 100644 roles/k8s-argocd/templates/project-default.yml.j2 delete mode 100644 roles/k8s-argocd/templates/project.yml.j2 delete mode 100644 roles/k8s-cluster/tasks/iscsi.yaml delete mode 100644 roles/k8s-cluster/tasks/kubectl.yaml delete mode 100644 roles/k8s-cluster/tasks/main.yaml delete mode 100644 roles/k8s-cluster/tasks/sysctls.yaml delete mode 100644 roles/k8s-cluster/templates/rke2-calico-apiserver-secret.yaml delete mode 100644 roles/k8s-cluster/templates/rke2-calico-apiserver.yaml delete mode 100644 roles/k8s-cluster/templates/rke2-canal-customize.yaml delete mode 100644 roles/k8s-storage/tasks/longhorn-zvol.yaml delete mode 100644 roles/k8s-storage/tasks/main.yaml delete mode 100644 roles/k8s-storage/tasks/openebs.yaml delete mode 100644 roles/k8s-storage/tasks/rke2.yaml create mode 100755 tools/install.sh 
diff --git a/environments/lab/group_vars/k8s_cluster/argocd.sops.yml b/environments/lab/group_vars/k8s_cluster/argocd.sops.yml deleted file mode 100644 index 52e8f55..0000000 --- a/environments/lab/group_vars/k8s_cluster/argocd.sops.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -argocd_oauth_url: ENC[AES256_GCM,data:IfK0R2kecDKJN9cY82KeMFoS2ap30/kNgN/obgIxr32YMUm18fOWgZc5DXgawGHczWKyDOMddeBPEvTCtCFvtmlFHECEwqQItSiO,iv:9e1Sec/FRsy9LBjFdMYnatyRZbE97a34KOGGQ3Ixjv0=,tag:fmJ3ll0Mhqihmts7oIcOCg==,type:str] -argocd_oauth_client_id: ENC[AES256_GCM,data:U0mQ41y/DZ9xfmgiPLvvJ3ZRBXCql8jYYkBj/ZbUdLiBq7AS,iv:3XFlS4iMOW0rNhAhKCWZ2tONOBK4c9odxH8vkZqmcxs=,tag:nOwy2GiXpiGgALgOY7W9Rw==,type:str] -argocd_oauth_client_secret: ENC[AES256_GCM,data:ni8NqGVqGaECZCFu/k9FD0voS4hZEXCgA7w4mO4f/IlA/Gl3+L8jtA==,iv:qKKQhitFeBXgFvrF5lLsyBW7HFQ2pLx5IBI9+LaL0CI=,tag:qkA3ldgOAmvKP7GMgdw8lw==,type:str] -argocd_sops: - public_key: ENC[AES256_GCM,data:iaAoq5ZTONCzJd0nEA8jyhu+OwY+mUWV0Hf3+hRHJjv+7Du6tCrsBvB61Uom+RIyPGfsMHITi7gvQSFMHco=,iv:vSDd1sRvXQ1V4Q3w8mOCLYUbNHWTkvUJCBTLf3jk/ow=,tag:HF4dZvj3iEQSy20pdSvK4g==,type:str] - private_key: ENC[AES256_GCM,data:8b+shD3LEd1D35spat7RkhXC5GRR9qNBycmm0qJqqI3YH7jACdD1FWh8nhQCwV27DcTtVr86Rll/h+Nw+FXBkFPqzHQA62ms09c=,iv:3rGOXtuTtxXNuo2FzAoqyY2n5Wz5/rs7culXgu2piLA=,tag:M5qmpGQFM0/Py+rQJ2vsag==,type:str] -argocd_github: - token: ENC[AES256_GCM,data:PwVNkys0XudM9Sxf9Ms5MlVBRrUyQDBOVudvJgQOZj9qNWBpPXUka7KgcvL+9B3DqIoypUgC9Xs7ICUyXZuDM0Q8h9I/ir/N3PYkmqzAA+SeYKUTlof4TStbwK0N,iv:6l7Mk6Ve+kJg8h8XLTQao2hy/Eug575siuM0BDGQeWc=,tag:sKJoQPZbnGT6pYpODk/y2g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdHR3NDVrU2haSEdYVGRL - aHQ4K2xJTnk4L2FWTVVBeUtKTTNRMUhwdEJNCktQQnZuTW45dUhSYVVZaGdRVWhV - cnVjRncwOG9XcFRpOGJtZ2hZNmk2a0kKLS0tIGxxQllHWEdBQ3lLQmZScWhMays5 - QTVBeGliYkI2RjhaTjVRK0JpRnpLcDAKi61jaZnQA2ptmeOSHqEAa6X6ZpxPd2Te - bBty/cG5XfANtG5TONBETBLa7cFwvmkXorVqvPxa2eGSLEbiWRjE4Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-30T13:15:11Z" - mac: 
ENC[AES256_GCM,data:sJ7rBnblxfacwDvlDqawVafr39LlffFSbEO0imVx0KhdM6jg5u+hl4YNXNjAi0mopFXml9AxtTth9xTlvTxM2WAnCd5s/ynJ+n+HCy6dcYcgf3frjptJlUxcEglnQM2ZIX8wZ54uS/PE89BOmov4ISWze1GO1lzkqLriEZDOs2I=,iv:7OQOHCxBpVhM8a4FvH7Olk4qjkq1xxLa3BrTGJ67B1w=,tag:Esbg6D4zQXpt1XhO4Tbj3A==,type:str] - pgp: - - created_at: "2023-06-05T09:01:56Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ//RoEhrZWf+ERPdo1Nv5py/ew18UFrIhIQsBBggVUQEvSx - jCQy/l8nTL6GyIRlemFg6fwUsOOpGMM26NgYim42ryLQ0AinhmyhoK9CVYLaeW04 - XlfzCk7caElWw7eYRHhILWPvnb3wEbr2foojHC+TcNSWDEHd4tUEgqmwcy2qN5xt - pgQZyJ+s4bsnMCZ1kwBpZoj43wBNPnLEPu7AI3h801uguW+ap1YJq6yH3w43BEPa - WC+Cbv8/3HrpMbzl91QxWAq3wTFmpEvsBhs3c6hqtRPcu3YAFobyhPlEzC6nRUIF - byTfGjoDeOq7DAkImtXfQjngouA+OWwET5kSG48nnVwfvsCKF5XJhXgteWD/AkwV - 6JIzZzYMacUVTLFT+iBegiScrcbSmcGuVe4lZUDNUFRJjjgipOUmc5e9N1c1nBwP - Y11LVSgGStv94Phi4F0P65Tc6ubxgOCcFH9ObggxzcW0cg6LTSRFZnUN8QlXBFlo - 3niDWE3+RW/+h2rMZ/c1dEJkJM1EPfDYowW808UdqTfeBPFFpVaoXRUUjYJLuGKt - CttfXBFuUKRlAsZU0lVscbIYnIJDfDXLVJ2DtdL6YE/K5z1efJIJtpSCZTEwehuz - Uxi/Tee/ank2igvDrtko6quxSydIGR2gwlHLw/D2GAPxaU727hM/JO5yCxxRx3zS - XgHjbkKkx+k0IMqoi2j/gbRYk5HvnkqXLgEd2QFkP9rdahMeE2T6wwOy4pRzKyo1 - 7YmxZQovYZmlNOHc3x7KRv4v9jA1PKKDkZTTlL9iF4tdgdjbMIDr2pC2o4apKq4= - =cPSw - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/lab/group_vars/k8s_cluster/argocd.yml b/environments/lab/group_vars/k8s_cluster/argocd.yml deleted file mode 100644 index b54d1ce..0000000 --- a/environments/lab/group_vars/k8s_cluster/argocd.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -argocd_kubeconfig_path: /etc/rancher/rke2/rke2.yaml -argocd_url: https://argocd-lab.homecentr.one -argocd_admin_group_id: b77c210d-8ae3-4292-9e95-c7d42a2f254f -argocd_git_repository_url: https://github.com/homecentr/kubernetes.git -argocd_git_ref: lab -argocd_git_refresh_interval: 30s -argocd_environment: lab - -# Make sure the chart version contains the app version below -# The app version drives the CRDs and should be bumped before upgrading the app itself -argocd_chart_version: 5.51.6 -argocd_app_version: v2.10.0 - -argocd_application_sets: - - name: cluster - project_name: cluster - - name: apps - project_name: apps - namespace: apps - -argocd_projects: - - name: cluster - destination_namespaces: - - "*" - - name: apps - destination_namespaces: - - apps \ No newline at end of file diff --git a/environments/lab/group_vars/k8s_cluster/cluster.sops.yml b/environments/lab/group_vars/k8s_cluster/cluster.sops.yml deleted file mode 100644 index fc84185..0000000 --- a/environments/lab/group_vars/k8s_cluster/cluster.sops.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -k8s_cluster_token: ENC[AES256_GCM,data:LU7t+sASI+8It/H1hjbSVLdS,iv:wBqHBXjC08XQbfTgzBqwe8pLYSU44bB5zx4tS4YIWhs=,tag:dvDckJh2R1NuluG4vVdTLQ==,type:str] -k8s_cluster_calico_apiserver_public_key: ENC[AES256_GCM,data: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,iv:COViPnj/k1s91QJcRvJz/T/GuT4KVfg2zBXtsdhmwmQ=,tag:hdcjJy8LPSvh7tPXx6Sqbg==,type:str] -k8s_cluster_calico_apiserver_private_key: ENC[AES256_GCM,data:oItRri5hSnpl0O+rVuxT++XExlNxOHs3JXxsgqE/XBVUgnYARbAgVb1VWwoFroFpDk81Kie7SdRb1jCIq7BOShBxYHA11xzQNeX4Vm+Dj4wjvp+ilrjW+T6cBchahSJk/bnkxJUvaq0lbD1ZCPZJy7ggsMejaXg01ab2/B60HxP8Rez9egV52cTzkBogtYE4qzvVtk8H7CabZQ4n5s9457/0+rjg8SE+FtLVN8aFODDuqI73duhmzcurB4RKIK2ckTuZ9H0GTJRjguXtGLCgsTCcFAmyjOme4YthjBbVDGn7VxKI7xgTYP3x6VVLAZqovyRb3mcLqFC0BA6AUd4DVthr55p64TBZH8hM0LEoCjMh3dzyMb72iJ+mK+Fvx9SHfS/7eo2ssbkJCoBOuq9ZEeKo18VbSiDw24iV62E8cMNNxrcURzp1v1YbzXqNnUPlGVkq73r94ovlMHx8FMI2UA14DS/gE39AwqgqSDbQ39dwq/F3+QlpYgPhkd4nVaDVVosKPlLRfr4/q5VbeyYb1HXNTQlEuqq9ziOSd6jrHPjujYhUwIOufCMH05iT4swWdbye9vI8tDt41oGX8K61ivo+NXTUI7Cwv/yz93k814n0emkmdzOwcxV4uy6ffQjV12kwmU/aNFIxGE5M8bwYLyM7m+QUwmFXlqoJhQBJSVU5rdLB4idc8OdGNVEJmohjMt/relH90PZBk4llWM7n1KOYepMrCUG7zMQAfksipEkz1HfgCclpriaXuTld8Lct0ywRYyDKsQXGmqD+k6TjSvOtpLzJSLjStGmS/Pkbhn+wgyR9yALfqmbOjQ3IaRuUPLziMXs2pLqn1BYYPs/dj6bIl4k2EyPViN7phJRA4DmKYIL9ZyqxjJUi8rIhijoBtUjZeNaiUBPCXTPVNOhRo2J9S64D2xoE4WPHQ+fH75rUQqtKuhNWBKoCYwmQnEAnK/qBzRVgGqBvd206eEe42OtLxFxOXe/xj88iAYIAEjmiDrDJHU0ILcl1/BlpMEFzsv3A2fApgN8kgi6s23wQUD1jR3jQuGEkDrmeVbYFPZd0KiGB3X+9FqUDMxd4EK4rZuzFr+WxWjd7H2G6RNZXSaDztnhMOJoPGcIr/QxNacicW2YQgcpvhowJUNla6XgYbTVVPsNZgWjtKzywfrOeDkjLuI9lJrVbcSqztRn+tICk8iOQPQAz9vpREu4vAo8qhvSPeEw7mWdKabKApPVWMgwSvtFOOD80qQmTrSvPLNA8gzVneSrw739veNdEYpC2n/mRaINoqKJxPXZLoKEizzWeB/2WAGQqruqlzc4/3c4oPJhtXYUF60rXmZA/SmxXhjM3Q4ALvYJlHxxL+0l/X0tIvzK8WduVBDWGOm6cUWQdvzXLiuBrwMc9Gl3GQkqXolvegNrJmqEIFASNem1BTE+QreLUmeYkvMjS+rxW9Jyzz0W7JTnc2svoThc4eCd6LbS4NIzTl0RMZz4pruNC8J40YEuHg1HXJ7JvEkJpvLBmeMNTblZvIlQcMYHfZdfNvovFzKv8pkLYdhh6WgRUi7EYA+Aiq
3Sd6CFb2rZhJ+f9HzPSNJU/xVjOcLLXyQulQSgcdEuLhCY69PcQGk+PN21mPs4Fd3XY1z5yR6JMG3cb7SPdjij77VjXqnHIWzsWUa1syfk8hn056Tzvetv2bDhfN+11sOt9+l75IRHzsi60yWXq6mRKeEJCc7nQbHfl5NhU3DzyZyjuHyvUk8KO/lvt1pOnJkPJpZofBGjzyRsNroJYFxXgBYKF7y7dO7Yw1PqQqEgRPNFBx5KXVtSWbaHizi26F/9t1r1tzMZJLVBB0JEAhkxWFvLxY9MBpIVvCE9Obgv27fX18tCK/TrSxVYAv48LI7zXdWeZl5jN458CIof5/yvx2WB0D+yyBD+uD7a2/BFHteJmVsOEDJSvM5iZd8j3lww/tTyhkfT5AoblAnDyxovCLqw4kk0dPXLTjgWNSqudMLyFyimT86TAvsTqQbweMno+y3IdZtj7YNiIv33/qgL0gKNtHmwjrNMVDRH7SqxT6WY+wbsyiTUN1+U8JMpyLoxxJ+nxW88vXbLRtGpZhpFSf2ykdFIGgL96jXfEHhRjXw8NVRrqrO2hY5m1xFv2RxhU8AL3WHG90A40c5bE4hde3vS4mFc8P1snuBmAi0CeEayI9VHR/4hlO8EucC4jlqq/uNzNnASvZpL6YYSZF9/k+W/o82gwRCy6hMZli+CQqAf3vaOxtUWpKUSLxNPZ5Dt5cNgaldVFC3nh0TYjI4U7xXxNg8DHAOdzvy+m0KeOCCz2giO6H1gf6UsajsOFV2hjSZrrVvi6Dzz/aW/eU8um7UwLcJxsx7tvdSdGXuxM2IkQLgmc3Z0lNeGuG9m8ZCTVLcX9bvHyx0p6KjHbkfPHdYgjjeE8mmDu4mBj9xJAS5I0O6ig85a5h6+yusC/wrVQ7kanc+xxfyQSIks3u+Ffp691ukB6BRNbw6DjtHlVugNviBRye/C/TGeulf0GJ5bYnC6wNpl7TM6hhWccF9wlhTbJyNp1xJD6Hhs/SPqeVI5tRWqQlgG94taiDIGv3GZpd3pNETEi0ES538Na9VhXrh1hZXU7e2Tt2ey3DGh7tGUX4pJ/HudIkg/dviJHN1cFvBF/z1dxmF2tWsCBTH0/NaIoq37tb3xbXrU48UnyvQ5p/1UxA4Gcj0jdpneYbCEdvqxswQ5vZRsCw0TfahHjJh8fyISWft9cHh14nCrYRkXmJ1jUaOSX6RmpQ0v0ZEVUPYOrIRvS/al6TNhP8OPN/2iTIx/xx3tkMLY28BB4jgSDn2kBuDPTv9AJDUHjz6lGJLfscAC+8GOZmXovnugfVnqO8lGamiP53CM1XPqYvozG0bVsStyOudizy9Pqkue2ZMb505RV6wCe/GUzoP0yk5qXy+MsI7UBuujFGRyw9lHb7b/8pD4MFZQuwooETTjGe9l8umgBUnx1xN2E5H1HAZygM6pFoqc+qChHtjCTxdiuCzuK1n6qNINkWrKjFi857ZjjNYW+tezkpQXGgft7aLrc7bkMnibDGoGjesdnFe2+8VD4O7w0F5RyaBFdImwfMJdKCBxC8nx8UUDT/ZmPt5NaHrbM+6FA7kz8LjU/4OFg+InzebyniSHlkeDS7fL/x9rNlOdfiSt3O0Wrx3jOIe7YZXGWsQaESnBLORkb4TTvKSiDILz3m9beg+a5sg7BP4G1kX3tz81wFx/zC1kqQ96q/zWl1XAbg8Xixx423Nnm2UlcG/w2A+4lVR6sY1+5nUDcp20h/h6Ze1eWqUw57o7z42/iN7hDIQ1P62pg3M3c6RQqErecU5uvEjlyd7zlkCp2OaWAu3yI8Y78Y9p4sBGu6/28a+Y0bLhE3O+XRDaURXkGsiDfdtf2StDwyDaND+NOf76W/OVcB2WFI1etDdqMbpJBgnkDvfeq1+nFVZATvCKUUh9z478eseN8Td/62mzLAxW/21EiZ51/wPyuc6ydFeu2pSbTugDS1rn6PAXIXwQ/71LmdiAY1HebB6tFywck7OKC5kkPs
WnqnvXckSMJp6IAFp6vruEIH3QoB7RjhfPeGh4AxkXgwKYroFRkVqjkGw2LJHdX3oYJmweZTwc5WvHWUZLLHt3D3R/Z0MT2EHg9fIIWbv/yCbI7sevDsaFR1JovWJ3VE3AADHdl3KfNyphVbde8TAGOvdX6SJLj+QMKGNgrPBXlBPpvTesBV8vBYAGp+xRKZISUXeeaEJdeWAnKqATO/i+4a54Zer5Yg/rxvY76J43rN4oJF9zJ+pW+akxp0ZmSpRnqzZ0JgTkrQyD6al7DHtndnTZnsDRzFp2rWWAOWVUcNDrSRP5djOZ9degc61dz/kd+l5Ut/M6FT60iGKLaRIJoQOjK53IV7osoazbB5JtxlPOp7gb4jFf8iYi5jrEhBPUHMbIoivaUVPdYNciV9QuH3GSjow+guGCRORKNfschJB3n6mCxpSf1SZ39oqtnzYB2MH6PMTXXNSD41EZFJVeIs/RtYglyAu0QcVEoOb9eyMWtOsNS01v5vJK6rW6UUHWfidL7OIFps1irR7hzuFhUBmLFDj4XQK9h07JhQ2P8QdBMtivFegxmNVuX8Au3glPyI5+Wq/YWoTyMUFLUJH5v2gkDPAI7Dfllegev/5R3UBVj1ougTCxjsG71biTBtZQlD1JtdELtSqXJFtSmtyo/aD+syW3QQNwPbjOjVndB+5j+6eRcry8o5moAFGjChkVdOgR0s59j/+KkDRwCBGKyojVcT7yi77xeOthv3Sm1C43b25Wej5TzIeqyu8mJezO9DhstTP0flwsw0wvYzGVMdFDAoqA=,iv:Jhmyl7K+yz3HoahkahWABCA1dNUYHRP7HDPCh93LOA4=,tag:1ufn4Imt5j9YdROSAU0obQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZERVZGphN1puNlo0d2hX - QnlnQ0o1Z3JYenFhcnFJNCszTVZKVGJNakZJClo2bEFWbzNCc3FVNFROaU1ObFNi - NHBSSnFNNFo3d2ZVMEtaUy9qTkdMMzQKLS0tIEFOL0Q1azA1Q2U0OGowMWRnUTN3 - Y014N1NGREJiWVN3MDlxZVdDK1Q4WUEKD8rt4RY4sj7BnspGhp7Uqcpl9bkobFU9 - kjicIjpMCRI5Dnmr2BhtW1SORYNXGj91PFgjNskdk/TnXLzMHFGasw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-29T11:37:05Z" - mac: ENC[AES256_GCM,data:J1qD/x04CozsF+64QpyJXy0lzlCM4WRShClFcWBoKQ1AiMPKH5rCWJJuFBHTspP75QucdZzNrWuF6FWSNTANZ0vD2yi+kMN3ER30GW9qO548KBJgvlLwBA3XMPDZga/PgDRLJ8E6kSuvTrscHAvSitD3Oy/3V7EuGAUpPGGQ9RI=,iv:odaEeztzstl6sB7oNXSCVJcJi8EAmktzQ6z2zUMgPIc=,tag:Y9DFhDXBwfo5C4p7AtmEzQ==,type:str] - pgp: - - created_at: "2023-12-22T08:52:37Z" - enc: "-----BEGIN PGP 
MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//UgusaM/iMVwbAJGDEANTaPE1joy2905k0f/j4RD/9k6X\r\ntC17eEIdIyuGxpSUqzMHmyF3TdHDeiCd7AE8bvy3FCcBNRX9NSsbhrKUKgAN/Y0x\r\naaByf+PUBpG5yD/5uIX2iv0fcnyS5bC1KTt7xjpwVSv7oRLHMiM+ABC3GcWmOFdZ\r\nzxbQJthIuEWMClaytYMrJQFdnDDJmiS2UWwnQBj5hm1DqAHy4zz2xmaYFa+8oEjw\r\n3uELjwmPa17GGU+bmI2Uq+YT8sIt+E/Gpc25kTaLzRw5xA26Hqq57TL3rpTVktVr\r\nzuesMGmJCtjppXoRQkRnIHMctj15pEYBy5xczEzyMr7+lKRoRxWuWDnb9iPYZJoo\r\nEoB8c1N8lmdtLDaGB5yp9nIwqRJY2jOcILFs99BNF27qhfzx+eKKA0u6O00ULoal\r\nWq9HvzDX4a+rEFBjWkm+MzUcBcad8aNdOiK3H48UOyLASsdaIULE30R84Z6TbIby\r\nUIotcka96I6VCJIt/HznpDB271SHxJQ/sFndBzlUKTBPfLcLoovj0oRmdiUgVvt2\r\n6Iv0oWDFZLq5UtYpm1cEPQRgRTQoS6GpZjs862RxnHgIQT8469LA2jx2txw0szM3\r\na+Loq8Rz1oCPIzVVt//WT/U7ysWmpKLrU8675K0NudJ7bTkiR5chaWoJtK2vR//S\r\nXgHejSEdTK6HMhKHBufVkg6OEPIjDgggodfU9ct2dtuk7H8JhTBNQI9dPdxwP+wV\r\nc0+shEuQz4LNUSC0y8ak4RMWmxGLdPFYLJYuNjeZvorTG8rR6plSCIKFE6c3H3E=\r\n=8c17\r\n-----END PGP MESSAGE-----\r\n" - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/lab/group_vars/k8s_cluster/cluster.yml b/environments/lab/group_vars/k8s_cluster/cluster.yml deleted file mode 100644 index 66c0f60..0000000 --- a/environments/lab/group_vars/k8s_cluster/cluster.yml +++ /dev/null @@ -1,12 +0,0 @@ -k8s_cluster_kubevip_image: ghcr.io/kube-vip/kube-vip:v0.7.0 -k8s_cluster_kubevip_cloud_provider_image: ghcr.io/kube-vip/kube-vip-cloud-provider:v0.0.8 - -k8s_cluster_kubeapi_vip: 10.1.8.130 -k8s_cluster_rke2_version: v1.28.4+rke2r1 - -k8s_cluster_cluster_cidr: "172.16.0.0/16" # Pod internal IP addresses -k8s_cluster_service_cidr: "172.17.0.0/16" # Services internal IP addresses - -k8s_cluster_kubevip_dynamic_range: "10.1.8.160-10.1.8.191" - -# TODO: etcd snapshot backup to S3 ? \ No newline at end of file diff --git a/environments/lab/group_vars/k8s_cluster/helm.yml b/environments/lab/group_vars/k8s_cluster/helm.yml deleted file mode 100644 index 835ecdd..0000000 
--- a/environments/lab/group_vars/k8s_cluster/helm.yml +++ /dev/null @@ -1,3 +0,0 @@ -helm_version: 'v3.13.3' -helm_platform: linux -helm_arch: amd64 \ No newline at end of file diff --git a/environments/lab/group_vars/k8s_cluster/storage.yml b/environments/lab/group_vars/k8s_cluster/storage.yml deleted file mode 100644 index 89aa1b0..0000000 --- a/environments/lab/group_vars/k8s_cluster/storage.yml +++ /dev/null @@ -1,11 +0,0 @@ -k8s_storage_openebs_zfs_datasets: - - name: dpool/openebs/db - quota: 10G - -k8s_storage_longhorn_zvols: - - name: dpool/longhorn/data - mountpoint: /longhorn/data - size: 20G - - name: dpool/longhorn/nvr - mountpoint: /longhorn/nvr - size: 20G \ No newline at end of file diff --git a/environments/lab/host_vars/pve1.yml b/environments/lab/host_vars/pve1.yml index dae10f2..f85b0d4 100644 --- a/environments/lab/host_vars/pve1.yml +++ b/environments/lab/host_vars/pve1.yml @@ -3,17 +3,5 @@ ansible_host: 10.1.8.11 ansible_hostname: pve1-lab fqdn: pve1-lab.homecentr.one -network_interfaces: - ens19: - method: static - address: 192.168.7.11/24 - auto: true - # UPS ups_name: dummy-ups1 - -# nVidia drivers -nvidia_drivers_install_containers: true - -# Kubernetes -k8s_storage_enabled: true \ No newline at end of file diff --git a/environments/lab/host_vars/pve2.yml b/environments/lab/host_vars/pve2.yml index 20ba0c3..99830d2 100644 --- a/environments/lab/host_vars/pve2.yml +++ b/environments/lab/host_vars/pve2.yml @@ -3,17 +3,5 @@ ansible_host: 10.1.8.12 ansible_hostname: pve2-lab fqdn: pve2-lab.homecentr.one -network_interfaces: - ens19: - method: static - address: 192.168.7.12/24 - auto: true - # UPS ups_name: dummy-ups1 - -# nVidia drivers -nvidia_drivers_install_containers: true - -# Kubernetes -k8s_storage_enabled: true \ No newline at end of file diff --git a/environments/lab/host_vars/pve3.yml b/environments/lab/host_vars/pve3.yml index 5069192..95b1199 100644 --- a/environments/lab/host_vars/pve3.yml 
+++ b/environments/lab/host_vars/pve3.yml @@ -3,16 +3,5 @@ ansible_host: 10.1.8.13 ansible_hostname: pve3-lab fqdn: pve3-lab.homecentr.one -network_interfaces: - ens19: - method: static - address: 192.168.7.13/24 - auto: true - # UPS ups_name: dummy-ups1 - -# Kubernetes -k8s_storage_enabled: false -rke2_server_node_taints: - - 'CriticalAddonsOnly=true:NoSchedule' \ No newline at end of file diff --git a/environments/lab/hosts.yml b/environments/lab/hosts.yml index 67e6558..2bcf389 100644 --- a/environments/lab/hosts.yml +++ b/environments/lab/hosts.yml @@ -5,18 +5,3 @@ all: pve1: pve2: pve3: - k8s_cluster: - children: - masters: - hosts: - pve1: - pve2: - pve3: - workers: - hosts: - pve1: - pve2: - pve3: - nvidia_gpu_nodes: - hosts: - pve1: \ No newline at end of file diff --git a/package.json b/package.json index 7e16719..495d191 100644 --- a/package.json +++ b/package.json @@ -6,8 +6,8 @@ "license": "GPL", "private": true, "scripts": { + "install": "./tools/install.sh", "lint": "ANSIBLE_CONFIG=\"./ansible.cfg\" ansible-lint", - "setup:local": "ansible-galaxy install -r ./requirements.yml --force && ansible-playbook ./playbooks/_local.yml", "lab:clear-keys": "./tools/clearkeys.sh", "lab:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh lab proxmox -u root -e ansible_user=root --tags init -k", "lab:apply": "./tools/apply.sh lab", diff --git a/playbooks/_all.yaml b/playbooks/_all.yaml new file mode 100644 index 0000000..3b4b4ec --- /dev/null +++ b/playbooks/_all.yaml @@ -0,0 +1,2 @@ +- import_playbook: proxmox.yaml +- import_playbook: app-powerdns.yaml \ No newline at end of file diff --git a/playbooks/_all.yml b/playbooks/_all.yml deleted file mode 100644 index 79214bd..0000000 --- a/playbooks/_all.yml +++ /dev/null @@ -1,4 +0,0 @@ -- import_playbook: proxmox.yml -- import_playbook: common.yml -- import_playbook: nvidia.yml -- import_playbook: kubernetes.yml 
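Review bot: In the package.json hunk, the new script is named `install`, which is an npm lifecycle hook: npm runs `./tools/install.sh` automatically during every `npm install` / `npm ci` of this package, not only on an explicit `npm run install`. If that implicit execution is intended it is worth stating in the README (JSON allows no comment here); if it is not, a non-lifecycle name such as `"setup": "./tools/install.sh"` keeps the behaviour of the removed `setup:local` script opt-in. The contents of tools/install.sh are outside this hunk, so what the hook actually does cannot be checked from here.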
diff --git a/playbooks/_local.yml b/playbooks/_local.yaml
similarity index 100%
rename from playbooks/_local.yml
rename to playbooks/_local.yaml
diff --git a/playbooks/app-powerdns.yaml b/playbooks/app-powerdns.yaml
new file mode 100644
index 0000000..0f56200
--- /dev/null
+++ b/playbooks/app-powerdns.yaml
@@ -0,0 +1,20 @@
+- name: Create application container
+ hosts: pve_nodes
+ become: true
+ become_method: ansible.builtin.sudo
+ any_errors_fatal: true
+ tasks:
+ # Create container
+ - name: Create application container
+ ansible.builtin.import_role:
+ name: ../../roles/app-container
+ vars:
+ container_inventory_name: "app_powerdns"
+
+# - name: Setup Powerdns
+# hosts: app_powerdns
+# become: true
+# become_method: ansible.builtin.sudo
+# any_errors_fatal: true
+# tasks:
+# # TODO:
\ No newline at end of file
diff --git a/playbooks/common.yml b/playbooks/common.yml
deleted file mode 100644
index ceee4fe..0000000
--- a/playbooks/common.yml
+++ /dev/null
@@ -1,81 +0,0 @@ -- name: "Common set up on all servers" - hosts: all - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Create users - ansible.builtin.import_role: - name: homecentr.system.users - tags: - - users - - - name: Create host records for servers - ansible.builtin.import_role: - name: ../../roles/hosts - tags: - - hosts - - - name: Setup Chrony (NTP client) - ansible.builtin.import_role: - name: homecentr.system.chrony - tags: - - chrony - - ntp - - - name: Install benchmarks - ansible.builtin.import_role: - name: homecentr.system.benchmarks - tags: - - benchmarks - - - name: Install lynis - ansible.builtin.import_role: - name: homecentr.system.lynis - tags: - - lynis - - - name: Harden the system according to lynis recommendations - ansible.builtin.import_role: - name: homecentr.system.lynis_hardening - tags: - - lynis - - - name: Install ClamAV antivirus - ansible.builtin.import_role: - name: homecentr.system.clamav - tags: - - clamav - - - name: Configure and secure SSH - ansible.builtin.import_role: - name: homecentr.system.ssh - tags: - - ssh - - - name: Install and configure Network UPS tools - ansible.builtin.import_role: - name: homecentr.system.ups - tags: - - ups - - - name: Install zfs-auto-snapshot - ansible.builtin.apt: - name: zfs-auto-snapshot - tags: - - zfs-auto-snapshot - - - name: Set up Message-of-the-day - ansible.builtin.import_role: - name: homecentr.system.motd - vars: - motd_enable_ups_status: "true" - tags: - - motd - - - name: Install node-exporter - ansible.builtin.import_role: - name: geerlingguy.node_exporter - tags: - - node_exporter - - node-exporter diff --git a/playbooks/kubernetes-destroy.yml b/playbooks/kubernetes-destroy.yml deleted file mode 100644 index 37bed1c..0000000 --- a/playbooks/kubernetes-destroy.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -- name: Set up Kubernetes cluster - hosts: k8s_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Verify playbook is running in allowed environment - ansible.builtin.assert: - that: - - "(inventory_dir | basename) == 'lab'" - fail_msg: "Running this playbook is only allowed in non-production environments" - quiet: true - - - name: Collect service facts - ansible.builtin.service_facts: - - - name: Stop k3s service - ansible.builtin.service: - name: k3s - state: stopped - # when: "'k3s' in ansible_facts.services" - - - name: Remove directories - ansible.builtin.file: - path: "{{ item }}" - state: absent - with_items: - - /etc/rancher - - /var/lib/rancher - - /var/lib/kubelet diff --git a/playbooks/kubernetes.yml b/playbooks/kubernetes.yml deleted file mode 100644 index af5d72e..0000000 --- a/playbooks/kubernetes.yml +++ /dev/null @@ -1,30 +0,0 @@ -- name: Set up Kubernetes cluster - hosts: k8s_cluster - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Install helm - ansible.builtin.import_role: - name: geerlingguy.helm - tags: - - helm - - - name: Set up storage - ansible.builtin.import_role: - name: ../../roles/k8s-storage - tags: - - storage - when: k8s_storage_enabled == true - - - name: Install and configure the rke2 cluster - ansible.builtin.import_role: - name: ../../roles/k8s-cluster - tags: - - cluster - - - name: Install and configure Argo CD - ansible.builtin.import_role: - name: ../../roles/k8s-argocd - tags: - - argocd diff --git a/playbooks/nvidia.yml b/playbooks/nvidia.yml deleted file mode 100644 index e9681f7..0000000 --- a/playbooks/nvidia.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -- name: "nVidia drivers installation" - hosts: nvidia_gpu_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Install drivers - ansible.builtin.import_role: - name: homecentr.system.nvidia_drivers - tags: - - drivers diff --git a/playbooks/proxmox.yml b/playbooks/proxmox.yaml similarity index 71% rename from playbooks/proxmox.yml rename to playbooks/proxmox.yaml index 99f2a35..33bb607 100644 --- a/playbooks/proxmox.yml +++ b/playbooks/proxmox.yaml @@ -74,5 +74,43 @@ pve_local_storage_api_user: root@pam pve_local_storage_api_password: "{{ users_root_password }}" - - name: Flush handlers before starting the VMs + - name: Create host records for servers + ansible.builtin.import_role: + name: ../../roles/hosts + tags: + - hosts + + - name: Install benchmarks + ansible.builtin.import_role: + name: homecentr.system.benchmarks + tags: + - benchmarks + + - name: Install lynis + ansible.builtin.import_role: + name: homecentr.system.lynis + tags: + - lynis + + - name: Harden the system according to lynis recommendations + ansible.builtin.import_role: + name: homecentr.system.lynis_hardening + tags: + - lynis + + - name: Install and configure Network UPS tools + ansible.builtin.import_role: + name: homecentr.system.ups + tags: + - ups + + - name: Set up Message-of-the-day + ansible.builtin.import_role: + name: homecentr.system.motd + vars: + motd_enable_ups_status: "true" + tags: + - motd + + - name: Flush handlers before starting the VMs & Containers ansible.builtin.meta: flush_handlers diff --git a/requirements.yaml b/requirements.yaml new file mode 100644 index 0000000..aa1d450 --- /dev/null +++ b/requirements.yaml 
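Review bot: The roles moved into this play cover hosts, benchmarks, lynis, lynis_hardening, ups and motd, but the `_all.yml` deleted earlier in this patch also ran `homecentr.system.ssh` ("Configure and secure SSH"), `homecentr.system.clamav` and `homecentr.system.chrony`, and none of them reappear here. Unless another playbook in this series picks them up, the Proxmox nodes silently lose SSH hardening, antivirus and time sync while keeping the lynis pass, which will then report findings the removed roles used to fix. I would either re-import those roles in this play next to the lynis pair (e.g. `- name: Configure and secure SSH` / `ansible.builtin.import_role: name: homecentr.system.ssh` with `tags: [ssh]`) or add a comment above the hardening tasks naming the playbook that now owns SSH/ClamAV/chrony for these hosts. The play's header and its earlier tasks are outside this hunk.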
@@ -0,0 +1,36 @@ +--- +collections: + - name: ansible.posix + version: 1.4.0 + - name: ansible.utils + version: 2.7.0 + - name: oasis_roles.system + - name: community.general + version: 6.3.0 + - name: gluster.gluster + version: 1.0.2 + - name: kubernetes.core + version: 2.3.2 + - name: community.crypto + version: 2.5.0 + - name: community.sops + version: 1.6.0 + - name: https://github.com/homecentr/ansible-collection-system + type: git + version: master + - name: https://github.com/homecentr/ansible-collection-proxmox + type: git + version: master + +roles: + - name: geerlingguy.pip + version: 2.2.0 + - name: geerlingguy.security + version: 2.2.0 + - name: geerlingguy.clamav + - name: geerlingguy.helm + version: 1.0.1 + - name: geerlingguy.node_exporter + version: 2.0.0 + - name: lablabs.rke2 + version: 1.28.0 \ No newline at end of file diff --git a/roles/k8s-argocd/defaults/main.yml b/roles/k8s-argocd/defaults/main.yml deleted file mode 100644 index 7bff493..0000000 --- a/roles/k8s-argocd/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ -argocd_namespace: argocd-system \ No newline at end of file diff --git a/roles/k8s-argocd/tasks/configure.yml b/roles/k8s-argocd/tasks/configure.yml deleted file mode 100644 index 174316e..0000000 --- a/roles/k8s-argocd/tasks/configure.yml +++ /dev/null 
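Review bot: The two git-sourced collections (`homecentr/ansible-collection-system`, `homecentr/ansible-collection-proxmox`) are pinned to `version: master`, and `oasis_roles.system` and `geerlingguy.clamav` carry no `version:` at all, so the content these playbooks run as root on every host changes whenever those upstreams move, and the `--force` install in the new `tools/install.sh` re-fetches them on each run. Every other entry here is pinned, so this looks unintentional rather than a policy choice. I would pin the git entries to a release tag or full commit SHA (`version: <tag-or-sha>` in place of `master`) and add explicit `version:` lines for the two unpinned roles, plus a header comment such as `# All entries must be pinned; git sources by tag or commit SHA, never a branch` so the next addition follows suit. The file is also missing its trailing newline.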
@@ -1,36 +0,0 @@ -- name: Configure default project - run_once: true - kubernetes.core.k8s: - kubeconfig: "{{ argocd_kubeconfig_path }}" - definition: "{{ lookup('template', 'project-default.yml.j2') }}" - state: present - -- name: Create projects - run_once: true - kubernetes.core.k8s: - kubeconfig: "{{ argocd_kubeconfig_path }}" - definition: "{{ lookup('template', 'project.yml.j2') }}" - state: present - loop: "{{ argocd_projects }}" - loop_control: - loop_var: argocd_project - -- name: Debug app sets - run_once: true - delegate_to: localhost - copy: - dest: "/tmp/{{ argocd_application_set.name }}.debug" - content: "{{ lookup('template', 'application-set.yml.j2') }}" - loop: "{{ argocd_application_sets }}" - loop_control: - loop_var: argocd_application_set - -- name: Create application sets - run_once: true - kubernetes.core.k8s: - kubeconfig: "{{ argocd_kubeconfig_path }}" - definition: "{{ lookup('template', 'application-set.yml.j2') }}" - state: present - loop: "{{ argocd_application_sets }}" - loop_control: - loop_var: argocd_application_set diff --git a/roles/k8s-argocd/tasks/install.yml b/roles/k8s-argocd/tasks/install.yml deleted file mode 100644 index ac578d8..0000000 --- a/roles/k8s-argocd/tasks/install.yml +++ /dev/null 
@@ -1,293 +0,0 @@ -- name: Download CRD manifests - register: argocd_crd_manifests - ansible.builtin.uri: - url: "https://raw.githubusercontent.com/argoproj/argo-cd/{{ argocd_app_version }}/manifests/crds/{{ item }}" - return_content: true - loop: - - application-crd.yaml - - applicationset-crd.yaml - - appproject-crd.yaml - -- name: Install Argo CD CRDs - kubernetes.core.k8s: - kubeconfig: "{{ argocd_kubeconfig_path }}" - definition: "{{ item.content }}" - state: present - loop: "{{ argocd_crd_manifests.results }}" - -- name: Install Argo CD helm chart - run_once: true - kubernetes.core.helm: - state: present - create_namespace: true - release_name: argo-cd - release_namespace: "{{ argocd_namespace }}" - chart_ref: argo-cd - chart_repo_url: https://argoproj.github.io/argo-helm - chart_version: "{{ argocd_chart_version }}" - kubeconfig_path: "{{ argocd_kubeconfig_path }}" - wait: true - timeout: 5m0s - skip_crds: true # CRDs installed separately outside of helm chart scope - values: - crds: - install: false - global: - image: - tag: "{{ argocd_app_version }}" - networkPolicy: - create: false - defaultDenyIngress: false - redis-ha: - enabled: false - controller: - replicas: 1 - podLabels: - netpol.homecentr.one/kubeapi: initiator - server: - replicas: 1 - podLabels: - netpol.homecentr.one/internet: initiator - netpol.homecentr.one/kubeapi: initiator - repoServer: - podLabels: - netpol.homecentr.one/internet: initiator - replicas: 1 - env: - - name: HELM_PLUGINS - value: /custom-tools/helm-plugins/ - - name: HELM_SECRETS_SOPS_PATH - value: /custom-tools/sops - - name: HELM_SECRETS_VALS_PATH - value: /custom-tools/vals - - name: HELM_SECRETS_KUBECTL_PATH - value: /custom-tools/kubectl - - name: HELM_SECRETS_CURL_PATH - value: /custom-tools/curl - - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS - value: "false" - - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH - value: "false" - - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL - value: "false" - - name: SOPS_AGE_RECIPIENTS 
- valueFrom: - secretKeyRef: - name: argocd-sops - key: public_key - optional: false - - name: SOPS_AGE_KEY - valueFrom: - secretKeyRef: - name: argocd-sops - key: private_key - optional: false - volumes: - - name: custom-tools - emptyDir: {} - volumeMounts: - - mountPath: /custom-tools - name: custom-tools - - initContainers: - - name: download-tools - image: alpine:latest - command: [sh, -ec] - env: - - name: HELM_SECRETS_VERSION - value: "3.12.0" - - name: KUBECTL_VERSION - value: "1.24.3" - - name: VALS_VERSION - value: "0.18.0" - - name: SOPS_VERSION - value: "3.7.3" - args: - # yamllint disable rule:line-length - - | - mkdir -p /custom-tools/helm-plugins - wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-; - - wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux - wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl - - wget -qO- https://github.com/variantdev/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_amd64.tar.gz | tar -xzf- -C /custom-tools/ vals; - - # helm secrets wrapper mode installation (optional) - # RUN printf '#!/usr/bin/env sh\nexec %s secrets "$@"' "${HELM_SECRETS_HELM_PATH}" >"/usr/local/sbin/helm" && chmod +x "/custom-tools/helm" - - chmod +x /custom-tools/* - # yamllint enable rule:line-length - volumeMounts: - - mountPath: /custom-tools - name: custom-tools - applicationSet: - replicas: 1 - dex: - enabled: false - configs: - params: - "server.insecure": true - secret: - extra: - "oidc.azure.clientSecret": "{{ argocd_oauth_client_secret }}" - rbac: - policy.default: role:readonly - policy.csv: | - g, "{{ argocd_admin_group_id }}", role:admin - cm: - timeout.reconciliation: "{{ argocd_git_refresh_interval }}" - # admin.enabled: false - url: "{{ argocd_url }}" - help.chatText: "" - oidc.config: | - 
name: Azure - issuer: "{{ argocd_oauth_url }}" - clientID: "{{ argocd_oauth_client_id }}" - clientSecret: $oidc.azure.clientSecret - requestedIDTokenClaims: - groups: - essential: true - requestedScopes: - - openid - - profile - - email - helm.valuesFileSchemes: >- - secrets+gpg-import, secrets+gpg-import-kubernetes, - secrets+age-import, secrets+age-import-kubernetes, - secrets,secrets+literal, - https - notifications: - enabled: true - argocdUrl: "{{ argocd_url }}" - cm: - create: true - subscriptions: - - recipients: - - gh - triggers: - - on-deployed - - on-sync-failed - - on-sync-status-unknown - - on-sync-running - templates: - template.github-commit-status: | - {% raw %} - webhook: - gh: - method: POST - path: /repos/{{call .repo.FullNameByRepoURL .app.spec.source.repoURL}}/statuses/{{.app.status.sync.revision}} - body: | - { - {{if eq .app.status.operationState.phase "Running"}} "state": "pending"{{end}} - {{if eq .app.status.operationState.phase "Succeeded"}} "state": "success"{{end}} - {{if eq .app.status.operationState.phase "Error"}} "state": "error"{{end}} - {{if eq .app.status.operationState.phase "Failed"}} "state": "error"{{end}}, - "description": "ArgoCD", - "target_url": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", - "context": "argocd/{{.app.metadata.name}}" - } - {% endraw %} - triggers: - trigger.on-deployed: | - - description: Application is synced and healthy. Triggered once per commit. 
- oncePer: app.status.operationState.operation.sync.revision + app.metadata.name + time.Now().String() - send: - - github-commit-status - when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy' - trigger.on-health-degraded: | - - description: Application has degraded - oncePer: app.status.operationState.operation.sync.revision + app.metadata.name + time.Now().String() - send: - - github-commit-status - when: app.status.health.status == 'Degraded' - trigger.on-sync-failed: | - - description: Application syncing has failed - oncePer: app.status.operationState.operation.sync.revision + app.metadata.name + time.Now().String() - send: - - github-commit-status - when: app.status.operationState.phase in ['Error', 'Failed'] - trigger.on-sync-running: | - - description: Application is being synced - oncePer: app.status.operationState.operation.sync.revision + app.metadata.name + time.Now().String() - send: - - github-commit-status - when: app.status.operationState.phase in ['Running'] - trigger.on-sync-status-unknown: | - - description: Application status is 'Unknown' - oncePer: app.status.operationState.operation.sync.revision + app.metadata.name + time.Now().String() - send: - - github-commit-status - when: app.status.sync.status == 'Unknown' - trigger.on-sync-succeeded: | - - description: Application syncing has succeeded - oncePer: app.status.operationState.operation.sync.revision + app.metadata.name + time.Now().String() - send: - - github-commit-status - when: app.status.operationState.phase in ['Succeeded'] - notifiers: - service.webhook.gh: | - url: https://api.github.com - headers: - - name: Authorization - value: Bearer $github-token - secret: - create: true - items: - github-token: "{{ argocd_github.token }}" - extraObjects: - - apiVersion: v1 - kind: Secret - metadata: - name: argocd-sops - namespace: "{{ argocd_namespace }}" - data: - public_key: "{{ argocd_sops.public_key | b64encode }}" - private_key: "{{ 
argocd_sops.private_key | b64encode }}" - - - - apiVersion: crd.projectcalico.org/v1 - kind: NetworkPolicy - metadata: - name: argocd - namespace: "{{ argocd_namespace }}" - spec: - # Instance is not filtered because argo-cd is deployed by ansible so from this chart's point of view the instance is not predictable - selector: app.kubernetes.io/part-of == 'argocd' - ingress: - # Allow internal component calls - - action: Allow - source: - selector: app.kubernetes.io/part-of == 'argocd' - - # Allow traffic from kubernetes api - - action: Allow - source: - services: - name: kubernetes - namespace: default - egress: - # Allow traffic to kubernetes api - - action: Allow - destination: - services: - name: kubernetes - namespace: default - - # Allow traffic to internet - - action: Allow - destination: - notNets: - - 10.0.0.0/8 - - 172.16.0.0/12 - - # Allow internal component calls - - action: Allow - destination: - selector: app.kubernetes.io/part-of == 'argocd' - - # Explicitly allow access to DNS to bypass dependency on global policies deployed by argocd itself - - action: Allow - destination: - selector: k8s-app == 'kube-dns' - namespaceSelector: projectcalico.org/name == "kube-system" diff --git a/roles/k8s-argocd/tasks/main.yml b/roles/k8s-argocd/tasks/main.yml deleted file mode 100644 index eae223b..0000000 --- a/roles/k8s-argocd/tasks/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Install Argo CD - ansible.builtin.include_tasks: ./install.yml - -- name: Configure Argo CD - ansible.builtin.include_tasks: ./configure.yml diff --git a/roles/k8s-argocd/templates/application-set.yml.j2 b/roles/k8s-argocd/templates/application-set.yml.j2 deleted file mode 100644 index 274d011..0000000 --- a/roles/k8s-argocd/templates/application-set.yml.j2 +++ /dev/null 
@@ -1,61 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: ApplicationSet -metadata: - name: {{ argocd_application_set.name }} - namespace: {{ argocd_namespace }} -spec: - goTemplate: true - goTemplateOptions: ["missingkey=error"] - generators: - - git: - repoURL: {{ argocd_git_repository_url }} - revision: {{ argocd_git_ref }} - files: - - path: {{ argocd_application_set.name }}/**/.argocd*.y*ml - values: - environment: {{ argocd_environment }} - template: - metadata: - name: '{% raw %}{{ .name }}{% endraw %}' - spec: - project: {{ argocd_application_set.project_name }} - destination: - server: https://kubernetes.default.svc - namespace: '{% if argocd_application_set.namespace is defined %}{{ argocd_application_set.namespace }}{% else %}{% raw %}{{ index .path.segments 1 }}{% endraw %}{% endif %}' - source: - repoURL: {{ argocd_git_repository_url }} - targetRevision: {{ argocd_git_ref }} - templatePatch: | {% raw %} - {{- $environment := .values.environment -}} - metadata: - annotations: - argocd.argoproj.io/sync-wave: "{{ . | dig "syncWave" 0 }}" - spec: - source: - path: '{{ .path.path }}' - {{- if eq .type "helm" }} - helm: - releaseName: {{ .name }} - skipCrds: {{ . | dig "skipCrds" true }} - valueFiles: - {{- range $valueFile := (. | dig "valueFiles" list) }} - - {{ $valueFile | replace "$env" $environment }} - {{- end }} - {{- range $secretValueFile := (. | dig "secretValueFiles" list) }} - - secrets://{{ $secretValueFile | replace "$env" $environment }} - {{- end }} - {{- else }} - directory: - exclude: '{.kubescape-exceptions.json,argocd*.json}' - {{ end }} - ignoreDifferences: {{ ( . | dig "ignoreDifferences" list) | toYaml | nindent 4 }} - syncPolicy: - automated: - selfHeal: {{ . | dig "selfHeal" true }} - prune: true - syncOptions: - - CreateNamespace=true - {{ if eq ( . | dig "serverSideApply" false) true }} - - ServerSideApply=true - {{ end }} - {% endraw %} \ No newline at end of file 
diff --git a/roles/k8s-argocd/templates/project-default.yml.j2 b/roles/k8s-argocd/templates/project-default.yml.j2 deleted file mode 100644 index 6e55dfb..0000000 --- a/roles/k8s-argocd/templates/project-default.yml.j2 +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: default - namespace: {{ argocd_namespace }} -spec: - sourceRepos: [] - destinations: [] - clusterResourceWhitelist: [] - diff --git a/roles/k8s-argocd/templates/project.yml.j2 b/roles/k8s-argocd/templates/project.yml.j2 deleted file mode 100644 index 4470925..0000000 --- a/roles/k8s-argocd/templates/project.yml.j2 +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: {{ argocd_project.name }} - namespace: {{ argocd_namespace }} -spec: - sourceRepos: - - '{{ argocd_git_repository_url }}' - destinations: -{% for namespace in argocd_project.destination_namespaces %} - - namespace: '{{ namespace }}' - server: 'https://kubernetes.default.svc' -{% endfor %} - clusterResourceWhitelist: - - group: '*' - kind: '*' diff --git a/roles/k8s-cluster/tasks/iscsi.yaml b/roles/k8s-cluster/tasks/iscsi.yaml deleted file mode 100644 index 50f2861..0000000 --- a/roles/k8s-cluster/tasks/iscsi.yaml +++ /dev/null @@ -1,11 +0,0 @@ -- name: Install required packages - ansible.builtin.apt: - name: - - open-iscsi - state: present - -- name: Start iscsi daemon - ansible.builtin.service: - name: iscsid - enabled: true - state: started \ No newline at end of file diff --git a/roles/k8s-cluster/tasks/kubectl.yaml b/roles/k8s-cluster/tasks/kubectl.yaml deleted file mode 100644 index dc4dde8..0000000 --- a/roles/k8s-cluster/tasks/kubectl.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -- name: Add apt key for k8s repository - ansible.builtin.apt_key: - url: https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key - keyring: /etc/apt/keyrings/kubernetes-apt-keyring.gpg - state: present - -- name: Add kubectl apt repository - ansible.builtin.apt_repository: - repo: 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' - filename: kubernetes.list - update_cache: true - state: present - -- name: Install required packages - ansible.builtin.apt: - name: - - kubectl - state: present diff --git a/roles/k8s-cluster/tasks/main.yaml b/roles/k8s-cluster/tasks/main.yaml deleted file mode 100644 index 053da2c..0000000 --- a/roles/k8s-cluster/tasks/main.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -- name: Install python for kubernetes management - ansible.builtin.apt: - name: - - python3-kubernetes - -- name: Install required packages - ansible.builtin.apt: - name: - - jq - - nfs-common - state: present - -- name: Configure sysctls - ansible.builtin.include_tasks: - file: sysctls.yaml - -- name: Install iscsi - ansible.builtin.include_tasks: - file: iscsi.yaml - -- name: Install kubectl - ansible.builtin.include_tasks: - file: kubectl.yaml - -- name: Install rke2 cluster - ansible.builtin.import_role: - name: lablabs.rke2 - tags: - - rke2 - vars: - rke2_type: server # All nodes are servers - rke2_token: "{{ k8s_cluster_token }}" - - rke2_ha_mode: true - rke2_ha_mode_kubevip: true - rke2_ha_mode_keepalived: false - rke2_kubevip_cloud_provider_enable: true - rke2_kubevip_svc_enable: "true" - - rke2_kubevip_image: "{{ k8s_cluster_kubevip_image }}" - rke2_kubevip_cloud_provider_image: "{{ k8s_cluster_kubevip_cloud_provider_image }}" - - rke2_api_ip: "{{ k8s_cluster_kubeapi_vip }}" - rke2_drain_node_during_upgrade: true - - rke2_version: "{{ k8s_cluster_rke2_version }}" - - rke2_disable: - - rke2-ingress-nginx - - rke2-metrics-server - - rke2_server_options: - - "cluster-cidr: {{ k8s_cluster_cluster_cidr }}" - - "service-cidr: {{ k8s_cluster_service_cidr }}" - - rke2_loadbalancer_ip_range: - range-global: "{{ k8s_cluster_kubevip_dynamic_range }}" - - rke2_kubevip_args: - - param: svc_election - value: "'true'" - # - param: enable_node_labeling - # value: "'true'" - # - param: onlyAllowTrafficServicePorts - # value: true - - rke2_custom_manifests: - - rke2-canal-customize.yaml - - rke2-calico-apiserver.yaml - - rke2-calico-apiserver-secret.yaml - -# - name: Load kubeconfig -# run_once: true -# ansible.builtin.slurp: -# src: /etc/rancher/rke2/rke2.yaml -# register: k8s_cluster_kubeconfig - -# - debug: -# msg: "{{ k8s_cluster_kubeconfig.content | b64decode }}" - -- name: Patch calico apiservice - run_once: true - kubernetes.core.k8s_json_patch: - 
kind: APIService - name: v3.projectcalico.org - kubeconfig: /etc/rancher/rke2/rke2.yaml - patch: - - op: replace - path: /spec/caBundle - value: "{{ k8s_cluster_calico_apiserver_public_key | b64encode }}" - diff --git a/roles/k8s-cluster/tasks/sysctls.yaml b/roles/k8s-cluster/tasks/sysctls.yaml deleted file mode 100644 index 8cae8d6..0000000 --- a/roles/k8s-cluster/tasks/sysctls.yaml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Configure max UDP buffer size (required for Cloudflared) - ansible.posix.sysctl: - name: net.core.rmem_max - value: '2500000' - state: present \ No newline at end of file diff --git a/roles/k8s-cluster/templates/rke2-calico-apiserver-secret.yaml b/roles/k8s-cluster/templates/rke2-calico-apiserver-secret.yaml deleted file mode 100644 index 3a43ce0..0000000 --- a/roles/k8s-cluster/templates/rke2-calico-apiserver-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: calico-apiserver-certs - namespace: calico-apiserver -data: - apiserver.key: "{{ k8s_cluster_calico_apiserver_private_key | b64encode }}" - apiserver.crt: "{{ k8s_cluster_calico_apiserver_public_key | b64encode }}" diff --git a/roles/k8s-cluster/templates/rke2-calico-apiserver.yaml b/roles/k8s-cluster/templates/rke2-calico-apiserver.yaml deleted file mode 100644 index 9fd2865..0000000 --- a/roles/k8s-cluster/templates/rke2-calico-apiserver.yaml +++ /dev/null 
@@ -1,307 +0,0 @@ -# Source: https://raw.githubusercontent.com/projectcalico/calico/v3.27.2/manifests/apiserver.yaml - - -# This is a tech-preview manifest which installs the Calico API server. Note that this manifest is liable to change -# or be removed in future releases without further warning. -# -# Namespace and namespace-scoped resources. -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: calico-apiserver - name: calico-apiserver -spec: - ---- - -# Policy to ensure the API server isn't cut off. Can be modified, but ensure -# that the main API server is always able to reach the Calico API server. -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: allow-apiserver - namespace: calico-apiserver -spec: - podSelector: - matchLabels: - apiserver: "true" - ingress: - - ports: - - protocol: TCP - port: 5443 - ---- - -apiVersion: v1 -kind: Service -metadata: - name: calico-api - namespace: calico-apiserver -spec: - ports: - - name: apiserver - port: 443 - protocol: TCP - targetPort: 5443 - selector: - apiserver: "true" - type: ClusterIP - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - apiserver: "true" - k8s-app: calico-apiserver - name: calico-apiserver - namespace: calico-apiserver -spec: - replicas: 1 - selector: - matchLabels: - apiserver: "true" - strategy: - type: Recreate - template: - metadata: - labels: - apiserver: "true" - k8s-app: calico-apiserver - name: calico-apiserver - namespace: calico-apiserver - spec: - containers: - - args: - - --secure-port=5443 - - -v=5 - env: - - name: DATASTORE_TYPE - value: kubernetes - image: calico/apiserver:v3.27.2 - livenessProbe: - httpGet: - path: /version - port: 5443 - scheme: HTTPS - initialDelaySeconds: 90 - periodSeconds: 10 - name: calico-apiserver - readinessProbe: - exec: - command: - - /code/filecheck - failureThreshold: 5 - initialDelaySeconds: 5 - periodSeconds: 10 - securityContext: - privileged: false - runAsUser: 0 - volumeMounts: - - mountPath: 
/code/apiserver.local.config/certificates - name: calico-apiserver-certs - dnsPolicy: ClusterFirst - nodeSelector: - kubernetes.io/os: linux - restartPolicy: Always - serviceAccount: calico-apiserver - serviceAccountName: calico-apiserver - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - volumes: - - name: calico-apiserver-certs - secret: - secretName: calico-apiserver-certs - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: calico-apiserver - namespace: calico-apiserver - ---- - -# Cluster-scoped resources below here. -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v3.projectcalico.org -spec: - group: projectcalico.org - groupPriorityMinimum: 1500 - service: - name: calico-api - namespace: calico-apiserver - port: 443 - version: v3 - versionPriority: 200 - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: calico-crds -rules: -- apiGroups: - - extensions - - networking.k8s.io - - "" - resources: - - networkpolicies - - nodes - - namespaces - - pods - - serviceaccounts - verbs: - - get - - list - - watch -- apiGroups: - - crd.projectcalico.org - resources: - - globalnetworkpolicies - - networkpolicies - - clusterinformations - - hostendpoints - - globalnetworksets - - networksets - - bgpconfigurations - - bgppeers - - bgpfilters - - felixconfigurations - - kubecontrollersconfigurations - - ippools - - ipreservations - - ipamblocks - - blockaffinities - - caliconodestatuses - - ipamconfigs - verbs: - - get - - list - - watch - - create - - update - - delete -- apiGroups: - - policy - resourceNames: - - calico-apiserver - resources: - - podsecuritypolicies - verbs: - - use - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: calico-extension-apiserver-auth-access -rules: -- apiGroups: - - "" - resourceNames: - - extension-apiserver-authentication - resources: 
- - configmaps - verbs: - - list - - watch - - get -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - - clusterrolebindings - - roles - - rolebindings - verbs: - - get - - list - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: calico-webhook-reader -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - list - - watch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: calico-apiserver-access-crds -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-crds -subjects: -- kind: ServiceAccount - name: calico-apiserver - namespace: calico-apiserver - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: calico-apiserver-delegate-auth -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: calico-apiserver - namespace: calico-apiserver - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: calico-apiserver-webhook-reader -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-webhook-reader -subjects: -- kind: ServiceAccount - name: calico-apiserver - namespace: calico-apiserver - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: calico-extension-apiserver-auth-access -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-extension-apiserver-auth-access -subjects: -- kind: ServiceAccount - name: calico-apiserver - namespace: calico-apiserver \ No newline at end of file diff --git a/roles/k8s-cluster/templates/rke2-canal-customize.yaml b/roles/k8s-cluster/templates/rke2-canal-customize.yaml deleted file mode 100644 index e661479..0000000 
--- a/roles/k8s-cluster/templates/rke2-canal-customize.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: helm.cattle.io/v1 -kind: HelmChartConfig -metadata: - name: rke2-canal - namespace: kube-system -spec: - valuesContent: |- - calico: - calicoKubeControllers: true \ No newline at end of file diff --git a/roles/k8s-storage/tasks/longhorn-zvol.yaml b/roles/k8s-storage/tasks/longhorn-zvol.yaml deleted file mode 100644 index 09bcef9..0000000 --- a/roles/k8s-storage/tasks/longhorn-zvol.yaml +++ /dev/null @@ -1,20 +0,0 @@ -- name: Create ZFS volumes for Longhorn - community.general.zfs: - name: "{{ zvol.name }}" - state: present - extra_zfs_properties: - volsize: "{{ zvol.size }}" - -- name: Create xfs file system in zvols for Longhorn - community.general.filesystem: - dev: "/dev/zvol/{{ zvol.name }}" - fstype: xfs - state: present - -- name: Mount zvol - ansible.posix.mount: - src: "/dev/zvol/{{ zvol.name }}" - path: "{{ zvol.mountpoint }}" - fstype: xfs - opts: noatime,discard - state: mounted \ No newline at end of file diff --git a/roles/k8s-storage/tasks/main.yaml b/roles/k8s-storage/tasks/main.yaml deleted file mode 100644 index 8f28f3c..0000000 --- a/roles/k8s-storage/tasks/main.yaml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Create zfs datasets for rke2 cluster - ansible.builtin.include_tasks: - file: rke2.yaml - -- name: Create zfs datasets for openebs - ansible.builtin.include_tasks: - file: openebs.yaml - -- name: Create zvols for longhorn - ansible.builtin.include_tasks: - file: longhorn-zvol.yaml - loop: "{{ k8s_storage_longhorn_zvols }}" - loop_control: - loop_var: zvol diff --git a/roles/k8s-storage/tasks/openebs.yaml b/roles/k8s-storage/tasks/openebs.yaml deleted file mode 100644 index f84eeda..0000000 --- a/roles/k8s-storage/tasks/openebs.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -- name: Create ZFS datasets for OpenEBS - community.general.zfs: - name: "{{ item.name }}" - state: present - extra_zfs_properties: - quota: "{{ item.quota }}" - loop: "{{ k8s_storage_openebs_zfs_datasets }}" \ No newline at end of file diff --git a/roles/k8s-storage/tasks/rke2.yaml b/roles/k8s-storage/tasks/rke2.yaml deleted file mode 100644 index 05c0172..0000000 --- a/roles/k8s-storage/tasks/rke2.yaml +++ /dev/null @@ -1,13 +0,0 @@ -- name: Create a dataset for /var/lib/rancher/rke2 - community.general.zfs: - name: rpool/ROOT/rke2/var - state: present - extra_zfs_properties: - mountpoint: /var/lib/rancher/rke2 - -- name: Create a dataset for /etc/rancher/rke2 - community.general.zfs: - name: rpool/ROOT/rke2/etc - state: present - extra_zfs_properties: - mountpoint: /etc/rke2 \ No newline at end of file diff --git a/tools/apply.sh b/tools/apply.sh index 14d5e78..180ffda 100755 --- a/tools/apply.sh +++ b/tools/apply.sh @@ -1,9 +1,5 @@ #!/usr/bin/env bash -printHelp() { - echo "Usage: apply (lab|prod) " -} - case "$1" in lab) INVENTORY="./environments/lab" @@ -13,12 +9,12 @@ case "$1" in ;; *) # else - printHelp + echo "Error, invalid arguments" exit 1 ;; esac -PLAYBOOK="./playbooks/${2:-_all}.yml" +PLAYBOOK="./playbooks/${2:-_all}.yaml" if [ ! -f "$PLAYBOOK" ]; then printHelp @@ -31,9 +27,6 @@ shift export ANSIBLE_CONFIG="./ansible.cfg" -# Install Ansible dependencies (roles and collections) -ansible-galaxy install -r ./requirements.yml --force - COMMAND="ansible-playbook -i $INVENTORY $PLAYBOOK ${@:1}" echo $COMMAND diff --git a/tools/install.sh b/tools/install.sh new file mode 100755 index 0000000..c766e4b --- /dev/null +++ b/tools/install.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash + +# yarn install is executed automatically + +ansible-galaxy install -r ./requirements.yaml --force +ansible-playbook ./playbooks/_local.yaml \ No newline at end of file From 0c5a343b899358b5de9af1def3b53466090efa97 Mon Sep 17 00:00:00 2001 
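Review bot: `printHelp` is still invoked in the `if [ ! -f "$PLAYBOOK" ]` branch (a context line of the second tools/apply.sh hunk) although the first hunk deletes the `printHelp()` function, so a missing playbook now fails with `printHelp: command not found` instead of a usage message. Either keep the function or replace that call as well, e.g. `echo "Error, playbook $PLAYBOOK not found" >&2`. The new `echo "Error, invalid arguments"` in the `*)` branch should likewise go to stderr (`>&2`), since the script exits 1 right after it.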
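Review bot: `ansible-galaxy install -r ./requirements.yaml --force` in tools/install.sh re-fetches every entry on each run, and the git-sourced collections in requirements.yaml are pinned to branch names (`master`, and `origin/fix/https-forward-2` in this patch), so the installed code can change between two identical runs of `yarn install` without any change in this repository. Pinning those `version:` values to a tag or commit SHA makes the `--force` reinstall reproducible. The comment `# yarn install is executed automatically` is unclear; presumably it means this script is the package.json `install` hook, so `# Invoked by the "install" script in package.json` says that directly.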
From: Lukas Holota Date: Mon, 4 Mar 2024 21:58:44 +0100 Subject: [PATCH 17/51] Checkpoint --- .../all/{general.yml => general.yaml} | 3 - .../lab/group_vars/all/node-exporter.yml | 1 - .../group_vars/app_containers/general.yaml | 1 + .../group_vars/app_containers/users.sops.yaml | 46 ++++++++++ .../lab/group_vars/pve_nodes/firewall.yaml | 34 +++++++ .../lab/group_vars/pve_nodes/general.yaml | 69 ++++++++++++++ .../lab/group_vars/pve_nodes/general.yml | 23 ----- .../{secrets.sops.yml => secrets.sops.yaml} | 0 .../ups.sops.yml => pve_nodes/ups.sops.yaml} | 0 .../{all/ups.yml => pve_nodes/ups.yaml} | 0 .../users.sops.yaml} | 0 environments/lab/host_vars/app_coredns.yaml | 25 +++++ .../lab/host_vars/{pve1.yml => pve1.yaml} | 0 .../lab/host_vars/{pve2.yml => pve2.yaml} | 0 .../lab/host_vars/{pve3.yml => pve3.yaml} | 0 environments/lab/hosts.yaml | 15 +++ environments/lab/hosts.yml | 7 -- environments/prod/group_vars/all/general.yml | 2 - package.json | 4 +- playbooks/_all.yaml | 5 +- playbooks/app-powerdns.yaml | 20 ---- playbooks/apps/coredns.yaml | 28 ++++++ playbooks/{_local.yaml => local/setup.yaml} | 31 +------ playbooks/local/ssh.yaml | 29 ++++++ playbooks/proxmox-cluster.yaml | 33 +++++++ .../{proxmox.yaml => proxmox-nodes.yaml} | 5 - playbooks/test.yaml | 16 ++++ requirements.yaml | 4 +- roles/app-container/tasks/container.yaml | 91 +++++++++++++++++++ roles/app-container/tasks/firewall.yaml | 3 + roles/app-container/tasks/ha.yaml | 17 ++++ roles/app-container/tasks/main.yaml | 30 ++++++ roles/app-container/tasks/replication.yaml | 22 +++++ .../templates/network-interfaces.j2 | 6 ++ roles/pve_cluster_firewall/tasks/main.yaml | 19 ++++ roles/pve_cluster_ha/tasks/main.yaml | 9 ++ roles/pve_cluster_ha/templates/ha-groups.j2 | 12 +++ roles/pve_cluster_options/tasks/main.yaml | 8 ++ roles/pve_cluster_vxlan/tasks/main.yaml | 23 +++++ roles/pve_cluster_vxlan/tasks/subnet.yaml | 11 +++ roles/pve_cluster_vxlan/tasks/vnet.yaml | 24 +++++ 
roles/pve_cluster_vxlan/tasks/zone.yaml | 19 ++++ roles/pve_firewall_common/tasks/aliases.yaml | 21 +++++ roles/pve_firewall_common/tasks/ipsets.yaml | 12 +++ roles/pve_firewall_common/tasks/main.yaml | 19 ++++ roles/pve_firewall_common/tasks/options.yaml | 17 ++++ roles/pve_firewall_common/tasks/rules.yaml | 20 ++++ .../tasks/security-groups.yaml | 12 +++ .../templates/firewall-file.j2 | 0 .../templates/firewall-rule.j2 | 21 +++++ roles/pve_firewall_common/templates/ipset.j2 | 8 ++ .../templates/partials/destination-port.j2 | 3 + .../templates/partials/destination.j2 | 3 + .../templates/partials/host-expression.j2 | 7 ++ .../templates/partials/interface.j2 | 3 + .../templates/partials/log.j2 | 1 + .../templates/partials/protocol.j2 | 3 + .../templates/partials/source-port.j2 | 3 + .../templates/partials/source.j2 | 3 + .../templates/security-group.j2 | 4 + tools/install.sh | 4 +- 61 files changed, 764 insertions(+), 95 deletions(-) rename environments/lab/group_vars/all/{general.yml => general.yaml} (51%) delete mode 100644 environments/lab/group_vars/all/node-exporter.yml create mode 100644 environments/lab/group_vars/app_containers/general.yaml create mode 100644 environments/lab/group_vars/app_containers/users.sops.yaml create mode 100644 environments/lab/group_vars/pve_nodes/firewall.yaml create mode 100644 environments/lab/group_vars/pve_nodes/general.yaml delete mode 100644 environments/lab/group_vars/pve_nodes/general.yml rename environments/lab/group_vars/pve_nodes/{secrets.sops.yml => secrets.sops.yaml} (100%) rename environments/lab/group_vars/{all/ups.sops.yml => pve_nodes/ups.sops.yaml} (100%) rename environments/lab/group_vars/{all/ups.yml => pve_nodes/ups.yaml} (100%) rename environments/lab/group_vars/{all/users.sops.yml => pve_nodes/users.sops.yaml} (100%) create mode 100644 environments/lab/host_vars/app_coredns.yaml rename environments/lab/host_vars/{pve1.yml => pve1.yaml} (100%) rename environments/lab/host_vars/{pve2.yml => pve2.yaml} (100%) 
rename environments/lab/host_vars/{pve3.yml => pve3.yaml} (100%) create mode 100644 environments/lab/hosts.yaml delete mode 100644 environments/lab/hosts.yml delete mode 100644 playbooks/app-powerdns.yaml create mode 100644 playbooks/apps/coredns.yaml rename playbooks/{_local.yaml => local/setup.yaml} (59%) create mode 100644 playbooks/local/ssh.yaml create mode 100644 playbooks/proxmox-cluster.yaml rename playbooks/{proxmox.yaml => proxmox-nodes.yaml} (95%) create mode 100644 playbooks/test.yaml create mode 100644 roles/app-container/tasks/container.yaml create mode 100644 roles/app-container/tasks/firewall.yaml create mode 100644 roles/app-container/tasks/ha.yaml create mode 100644 roles/app-container/tasks/main.yaml create mode 100644 roles/app-container/tasks/replication.yaml create mode 100644 roles/app-container/templates/network-interfaces.j2 create mode 100644 roles/pve_cluster_firewall/tasks/main.yaml create mode 100644 roles/pve_cluster_ha/tasks/main.yaml create mode 100644 roles/pve_cluster_ha/templates/ha-groups.j2 create mode 100644 roles/pve_cluster_options/tasks/main.yaml create mode 100644 roles/pve_cluster_vxlan/tasks/main.yaml create mode 100644 roles/pve_cluster_vxlan/tasks/subnet.yaml create mode 100644 roles/pve_cluster_vxlan/tasks/vnet.yaml create mode 100644 roles/pve_cluster_vxlan/tasks/zone.yaml create mode 100644 roles/pve_firewall_common/tasks/aliases.yaml create mode 100644 roles/pve_firewall_common/tasks/ipsets.yaml create mode 100644 roles/pve_firewall_common/tasks/main.yaml create mode 100644 roles/pve_firewall_common/tasks/options.yaml create mode 100644 roles/pve_firewall_common/tasks/rules.yaml create mode 100644 roles/pve_firewall_common/tasks/security-groups.yaml create mode 100644 roles/pve_firewall_common/templates/firewall-file.j2 create mode 100644 roles/pve_firewall_common/templates/firewall-rule.j2 create mode 100644 roles/pve_firewall_common/templates/ipset.j2 create mode 100644 
roles/pve_firewall_common/templates/partials/destination-port.j2 create mode 100644 roles/pve_firewall_common/templates/partials/destination.j2 create mode 100644 roles/pve_firewall_common/templates/partials/host-expression.j2 create mode 100644 roles/pve_firewall_common/templates/partials/interface.j2 create mode 100644 roles/pve_firewall_common/templates/partials/log.j2 create mode 100644 roles/pve_firewall_common/templates/partials/protocol.j2 create mode 100644 roles/pve_firewall_common/templates/partials/source-port.j2 create mode 100644 roles/pve_firewall_common/templates/partials/source.j2 create mode 100644 roles/pve_firewall_common/templates/security-group.j2 diff --git a/environments/lab/group_vars/all/general.yml b/environments/lab/group_vars/all/general.yaml similarity index 51% rename from environments/lab/group_vars/all/general.yml rename to environments/lab/group_vars/all/general.yaml index 60ea91c..a05fc20 100644 --- a/environments/lab/group_vars/all/general.yml +++ b/environments/lab/group_vars/all/general.yaml @@ -1,4 +1 @@ -ansible_user: lholota ansible_python_interpreter: "/usr/bin/python3" - -environment_name: lab \ No newline at end of file diff --git a/environments/lab/group_vars/all/node-exporter.yml b/environments/lab/group_vars/all/node-exporter.yml deleted file mode 100644 index 105c404..0000000 --- a/environments/lab/group_vars/all/node-exporter.yml +++ /dev/null @@ -1 +0,0 @@ -node_exporter_version: '0.18.1' diff --git a/environments/lab/group_vars/app_containers/general.yaml b/environments/lab/group_vars/app_containers/general.yaml new file mode 100644 index 0000000..a03e94e --- /dev/null +++ b/environments/lab/group_vars/app_containers/general.yaml @@ -0,0 +1 @@ +ansible_user: root diff --git a/environments/lab/group_vars/app_containers/users.sops.yaml b/environments/lab/group_vars/app_containers/users.sops.yaml new file mode 100644 index 0000000..6454d6f --- /dev/null +++ b/environments/lab/group_vars/app_containers/users.sops.yaml 
@@ -0,0 +1,46 @@ +users_root_password: ENC[AES256_GCM,data:PZzlveMWJes=,iv:6sdOBQTPO8zYOfyX3GBuyhTwFJu6oM1yTkdaALdwc9k=,tag:muPFihvLypNwxi3GfKS0XQ==,type:str] +users_root_password_salt: ENC[AES256_GCM,data:bIh4HuKVKIB1tqOF3v/Jvw==,iv:d8vO9fkguP/pTcFlDxweF8JDkjrRaNDfxkEciyNzVqY=,tag:nU8rshht6ZhaaGutUmkyag==,type:str] +users_root_public_keys: + - ENC[AES256_GCM,data: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,iv:xRwREsAghivufF8uaU//PXeOohaoVBPQE8A24vyX6BE=,tag:jbr50UoopLQeao8JLyH/8Q==,type:str] + - ENC[AES256_GCM,data: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,iv:Y9EdUxjC3Ge95u87a6pcFWohtDl28ozAS06X5IIcQE8=,tag:G7l28Vr8mvW+cJIBY3Gm1w==,type:str] + - ENC[AES256_GCM,data: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,iv:KxqUgadkGhCwMRM6xjlt0Iy6bAiAN1MB2r46Twz4dig=,tag:AShP4PfmIll9UMOH1bmMGA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlcGtqLzVYSDNidlZYZXlx + cUFnRkV1SlZyZzNQSHIxRm9ZVVVkSFhPeDJBCkN6ZXQ0a01zR3R5WWxQMEJncWRI + NGFiN2VGMEtqc0J4MEJIT0JPTXNhbmsKLS0tIGVSMlR5Rm4yVjc2R3EvQ2ZOSEVt + R1N0bStSdEJjaW1wMXJMVzNvclpvMTAKulRaHwKsz0poqTfDEGAE8iICYIw5X6gD + a8uhf0O3I+kaHvfJUo5s6BXKdUh6utdjozYWGOUsfaOAjzm21noM2g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-01T14:11:32Z" + mac: ENC[AES256_GCM,data:UfPe5+aaR46H59VDDcRe3odxcFjEybBN38ehHAX9kCVFdlnLKmxB3Q2oU7UmG4TuXGUq7Dqa6jMu3ELpORP/L4Ys6ELNfJsBSWhzsbm7yK//EOWv1CV5VAWGiDsCPVKsAdV43WappE710I5BWFJGC5u2svR0auh9JSiPP5Fg7rQ=,iv:3ed8TAqmv3VQCiQgr2nAoNe/ReWp59uJgIyqYBmOi4w=,tag:sPBanLFsBLMGKsCmlHGrYQ==,type:str] + pgp: + - created_at: "2024-03-01T14:07:49Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA7Pg+ndCcR5CAQ//Tf1v5ZnPcNH4GGjiqymsvG4sIn5pJbsYgAD+M1wJ1i74 + ZZQneycZQw9J0i0MsaMcaSRcUO7YUWCGweb6rS+fxQB+AlJzDJJaNZEWZeNzuG34 + 
R8MD5dCyErNWOG9ViC5Rxs8rv6AApXyXofiY8hTnn4zciApA7HOgKPfMXb3ScUK4 + abSEpzHdgnp1OgOfBFOtUFDrJtd/au8IC9Ew4mUy3DcffN7y2Aq/NVPZVelYnYL6 + omx6C3J6m72yYfoJGoO9NKChF10XIVh531SCBI0/mgooeIUgE6L8kwwo5rr5w61V + fgAQVTbbAAT2O/PdlPYKOcKhrhI/SiMzyVd/EROTP1s17Sa3svwPynzJAyU7c2Pd + WBoJanv/zNcitRwxNJqb2FNof2UfYEuYtuFbFEfZDsZuPmtMBwMAnEbM8x62+rOb + OiVFAYyw3Ogv5pq5EEGPxrzKdYSuUop8IG1NZtOWr3VZq0Sr17Bjd3vuw2ks7Sd/ + geYMyzf2ln3BncnnRxFAtlfKFtuliWhQeAv8YW95/vFu5e6m+SQrTlGWlgviah8d + lxJ6PCWg1S1BvgcB0hg2d995msoKNj7lg8rUwe5epTt8dsXLPyhr35hmkVZwKMyb + iIee5/fL87iyPplFr4F/zqKwTskKhl0V+vXdQWzs+TuFSTTxwxeiUU+3Ep3hdkfS + XgE5/5dFd20D3ikx0O9e6EGaj08xuaRu4lITwJ/YHELY92AQM4vNCqtXq0ZwGDyH + +LBnjxylf9LQy8Xv+rS7jo0Ht8x7NuZ1phTuHU8IZ5svUVj/iCX8Qo498yUF65M= + =OiN3 + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/environments/lab/group_vars/pve_nodes/firewall.yaml b/environments/lab/group_vars/pve_nodes/firewall.yaml new file mode 100644 index 0000000..36a53d4 --- /dev/null +++ b/environments/lab/group_vars/pve_nodes/firewall.yaml @@ -0,0 +1,34 @@ +pve_cluster_firewall_enabled: false + +pve_cluster_firewall_aliases: + - name: some-alias + cidr: 10.1.3.0/24 # must be an ip or cidr => cidr + +pve_cluster_firewall_ipsets: + - name: My set + items: + - type: alias + name: some-alias + - type: cidr + cidr: 10.1.8.0/24 # type cidr should be default + +pve_cluster_firewall_security_groups: + - name: my-group + rules: + - direction: IN + action: ACCEPT + macro: SSH + source: + type: ipset + name: some-ipset + destination: 10.1.8.0/24 # optional + + - enabled: false # default = true + direction: IN + action: ACCEPT + source_port: 25 + destination_port: http + source: # might be: ipset (+), alias (dc/), comma-separated list of ips or most likely also a cidr + type: alias + name: some-alias + destination: 10.1.8.0/24 \ No newline at end of file 
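Review bot: The sample security-group rule in environments/lab/group_vars/pve_nodes/firewall.yaml references `type: ipset` / `name: some-ipset`, but the only ipset defined in the file is `My set`, so the example contradicts itself as documentation of the schema; that name also contains a space, which Proxmox firewall ipset names most likely do not accept (they appear as `+name` tokens in rules), so verify it against an existing ipset. Since these are clearly placeholder values shipped as lab group_vars, a top-of-file comment such as `# example values - replace before setting pve_cluster_firewall_enabled: true` would make that explicit. Note also that roles/app-container/tasks/main.yaml in this patch consumes `pve_cluster_firewall_rules`, which this file does not define.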
diff --git a/environments/lab/group_vars/pve_nodes/general.yaml b/environments/lab/group_vars/pve_nodes/general.yaml new file mode 100644 index 0000000..b8e97ee --- /dev/null +++ b/environments/lab/group_vars/pve_nodes/general.yaml @@ -0,0 +1,69 @@ +ansible_user: lholota + +# This is required for VNC proxy between the nodes +ssh_allow_root_login_trusted_clients: + - pve1 + - pve2 + - pve3 + +pve_zfs_max_arc_size_gb: 0.5 + +pve_cluster_options_migration_network: 192.168.8.0/24 + +pve_cluster_vxlans: + - name: overlay + peer_hosts: + - pve1 + - pve2 + - pve3 + vnets: + - name: cont + tag: 100 + subnets: + - cidr: 192.168.100.0/24 + +pve_cluster_ha_groups: + - name: critical-priority-pve1 + nodes: + - name: pve1 + priority: 1000 + - name: pve2 + priority: 1 + restricted: false + nofailback: false + - name: critical-priority-pve2 + nodes: + - name: pve1 + priority: 1 + - name: pve2 + priority: 1000 + restricted: false + nofailback: false + - name: critical + nodes: + - name: pve1 + priority: 1 + - name: pve2 + priority: 1 + restricted: false + nofailback: false + - name: non-critical + nodes: + - name: pve1 + priority: 1 + - name: pve2 + priority: 1 + restricted: true + nofailback: false + +pve_domain: homecentr.one +pve_nameservers: + - 1.1.1.1 + - 1.0.0.1 + +pve_smtp_host: 10.1.8.130 +pve_smtp_port: 25 +pve_smtp_tls: false + +pve_ct_templates: +- http://download.proxmox.com/images/system/debian-12-standard_12.2-1_amd64.tar.zst \ No newline at end of file diff --git a/environments/lab/group_vars/pve_nodes/general.yml b/environments/lab/group_vars/pve_nodes/general.yml deleted file mode 100644 index 97c4075..0000000 --- a/environments/lab/group_vars/pve_nodes/general.yml +++ /dev/null 
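Review bot: `pve_ct_templates` in the new pve_nodes/general.yaml drops the integrity check the removed `pve_vm_cloud_images` entry carried (`checksum: sha512:...`) and points at a plain `http://` URL; since playbooks/proxmox-cluster.yaml in this patch passes these URLs straight to `get_url`, a tampered or truncated archive would silently become the root filesystem of every container. Prefer an `https://` URL and turn the entries into `url`/`checksum` mappings so the download task can verify them. Separately, every `pve_cluster_ha_groups` entry lists only `pve1`/`pve2` while `ssh_allow_root_login_trusted_clients` and the vxlan `peer_hosts` include `pve3`; if pve3 is deliberately excluded from HA placement, a comment saying so would save the next reader from assuming an omission.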
@@ -1,23 +0,0 @@ -# This is required for VNC proxy between the nodes -ssh_allow_root_login_trusted_clients: - - pve1 - - pve2 - - pve3 - -pve_zfs_max_arc_size_gb: 0.5 - -# TODO: Move this to a common role !!! -pve_domain: homecentr.one -pve_nameservers: - - 1.1.1.1 - - 1.0.0.1 - -pve_smtp_host: 10.1.8.130 -pve_smtp_port: 25 -pve_smtp_tls: false - -pve_vm_cloud_images: - - filename: debian-12.1.0.qcow2 - url: https://cloud.debian.org/images/cloud/bookworm/20230723-1450/debian-12-generic-amd64-20230723-1450.qcow2 - format: qcow2 - checksum: sha512:398589d1baa0c1a79358d2c6f14ba9212c25419df2693c513645cb493e15e19952f873703f27d87c491272a478f51a957fb26b21f485dca5933db6be37207d59 diff --git a/environments/lab/group_vars/pve_nodes/secrets.sops.yml b/environments/lab/group_vars/pve_nodes/secrets.sops.yaml similarity index 100% rename from environments/lab/group_vars/pve_nodes/secrets.sops.yml rename to environments/lab/group_vars/pve_nodes/secrets.sops.yaml diff --git a/environments/lab/group_vars/all/ups.sops.yml b/environments/lab/group_vars/pve_nodes/ups.sops.yaml similarity index 100% rename from environments/lab/group_vars/all/ups.sops.yml rename to environments/lab/group_vars/pve_nodes/ups.sops.yaml diff --git a/environments/lab/group_vars/all/ups.yml b/environments/lab/group_vars/pve_nodes/ups.yaml similarity index 100% rename from environments/lab/group_vars/all/ups.yml rename to environments/lab/group_vars/pve_nodes/ups.yaml diff --git a/environments/lab/group_vars/all/users.sops.yml b/environments/lab/group_vars/pve_nodes/users.sops.yaml similarity index 100% rename from environments/lab/group_vars/all/users.sops.yml rename to environments/lab/group_vars/pve_nodes/users.sops.yaml diff --git a/environments/lab/host_vars/app_coredns.yaml b/environments/lab/host_vars/app_coredns.yaml new file mode 100644 index 0000000..13a04a8 --- /dev/null +++ b/environments/lab/host_vars/app_coredns.yaml 
@@ -0,0 +1,25 @@ +ansible_host: 10.1.8.191 +ansible_hostname: coredns-lab +fqdn: coredns-lab.homecentr.one + +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 512 +app_container_cpus: 0 # unlimited, should be default +app_container_storage_name: dpool +app_container_storage_size_gb: 10 +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.191/24 + ipv4_gateway: 10.1.8.1 + - name: eth1 + bridge: cont + ipv4_address: dhcp +app_container_pve_node: pve1 +app_container_pve_ha_group_name: unrestricted-priority-pve1 +app_container_pve_replication_cron_expression: "*/5" +app_container_pve_replication_nodes: + - pve2 +app_container_bind_mounts: + - hostpath: /ssl + containerpath: /some-ssl \ No newline at end of file diff --git a/environments/lab/host_vars/pve1.yml b/environments/lab/host_vars/pve1.yaml similarity index 100% rename from environments/lab/host_vars/pve1.yml rename to environments/lab/host_vars/pve1.yaml diff --git a/environments/lab/host_vars/pve2.yml b/environments/lab/host_vars/pve2.yaml similarity index 100% rename from environments/lab/host_vars/pve2.yml rename to environments/lab/host_vars/pve2.yaml diff --git a/environments/lab/host_vars/pve3.yml b/environments/lab/host_vars/pve3.yaml similarity index 100% rename from environments/lab/host_vars/pve3.yml rename to environments/lab/host_vars/pve3.yaml diff --git a/environments/lab/hosts.yaml b/environments/lab/hosts.yaml new file mode 100644 index 0000000..5d5306f --- /dev/null +++ b/environments/lab/hosts.yaml @@ -0,0 +1,15 @@ +all: + children: + pve_nodes: + hosts: + pve1: + pve2: + pve3: + app_containers: + # children: + # app_coredns: + # hosts: + # app_coredns_primary: + # app_coredns_secondary: + hosts: + app_coredns: \ No newline at end of file diff --git a/environments/lab/hosts.yml b/environments/lab/hosts.yml deleted file mode 100644 index 2bcf389..0000000 --- a/environments/lab/hosts.yml +++ /dev/null 
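Review bot: `app_container_pve_ha_group_name: unrestricted-priority-pve1` in host_vars/app_coredns.yaml matches none of the groups defined in `pve_cluster_ha_groups` in this patch (`critical-priority-pve1`, `critical-priority-pve2`, `critical`, `non-critical`), so the HA resource written by roles/app-container/tasks/ha.yaml would reference a group that does not exist. Either add that group to pve_nodes/general.yaml or point this at `critical-priority-pve1`. The inline comment `# unlimited, should be default` on `app_container_cpus: 0` reads like a TODO; if `0` is meant to be the role default, `| default(0)` belongs in container.yaml and the key can be dropped here.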
@@ -1,7 +0,0 @@ -all: - children: - pve_nodes: - hosts: - pve1: - pve2: - pve3: diff --git a/environments/prod/group_vars/all/general.yml b/environments/prod/group_vars/all/general.yml index f3b2043..50df83a 100644 --- a/environments/prod/group_vars/all/general.yml +++ b/environments/prod/group_vars/all/general.yml @@ -1,4 +1,2 @@ ansible_user: lholota ansible_python_interpreter: "/usr/bin/python3" - -environment_name: prod \ No newline at end of file diff --git a/package.json b/package.json index 495d191..92e6767 100644 --- a/package.json +++ b/package.json @@ -9,9 +9,9 @@ "install": "./tools/install.sh", "lint": "ANSIBLE_CONFIG=\"./ansible.cfg\" ansible-lint", "lab:clear-keys": "./tools/clearkeys.sh", - "lab:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh lab proxmox -u root -e ansible_user=root --tags init -k", + "lab:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh lab proxmox-nodes -u root -e ansible_user=root --tags init -k", "lab:apply": "./tools/apply.sh lab", - "prod:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh prod proxmox -u root -e ansible_user=root --tags init -k", + "prod:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh prod proxmox-nodes -u root -e ansible_user=root --tags init -k", "prod:apply": "./tools/apply.sh prod", "validate-values": "node ./tools/validations.js" }, diff --git a/playbooks/_all.yaml b/playbooks/_all.yaml index 3b4b4ec..c0e85ec 100644 --- a/playbooks/_all.yaml +++ b/playbooks/_all.yaml @@ -1,2 +1,3 @@ -- import_playbook: proxmox.yaml -- import_playbook: app-powerdns.yaml \ No newline at end of file +- import_playbook: proxmox-nodes.yaml +- import_playbook: proxmox-cluster.yaml +- import_playbook: apps/powerdns.yaml \ No newline at end of file diff --git a/playbooks/app-powerdns.yaml b/playbooks/app-powerdns.yaml deleted file mode 100644 index 0f56200..0000000 --- a/playbooks/app-powerdns.yaml +++ /dev/null 
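Review bot: `- import_playbook: apps/powerdns.yaml` in playbooks/_all.yaml points at a file this commit does not create; the diffstat deletes `playbooks/app-powerdns.yaml` and adds `playbooks/apps/coredns.yaml`, so `./tools/apply.sh lab` (which defaults to `_all`) would fail at parse time. It should presumably read `- import_playbook: apps/coredns.yaml`. The file is also still written without a trailing newline; adding one (and a `---` document start) keeps it consistent with the other playbooks.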
@@ -1,20 +0,0 @@ -- name: Create application container - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - # Create container - - name: Create application container - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: "app_powerdns" - -# - name: Setup Powerdns -# hosts: app_powerdns -# become: true -# become_method: ansible.builtin.sudo -# any_errors_fatal: true -# tasks: -# # TODO: \ No newline at end of file diff --git a/playbooks/apps/coredns.yaml b/playbooks/apps/coredns.yaml new file mode 100644 index 0000000..470236d --- /dev/null +++ b/playbooks/apps/coredns.yaml @@ -0,0 +1,28 @@ +- name: Create application container + hosts: pve_nodes + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tags: create-container + tasks: + # Create container + - name: Create application container + ansible.builtin.import_role: + name: ../../roles/app-container + vars: + container_inventory_name: app_coredns + +- name: Setup Coredns containers + hosts: app_coredns + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tags: configure-container + tasks: + - name: Dummy + ansible.builtin.copy: + dest: /tmp/test.txt + owner: root + group: root + mode: 0666 + content: Hello, world! \ No newline at end of file diff --git a/playbooks/_local.yaml b/playbooks/local/setup.yaml similarity index 59% rename from playbooks/_local.yaml rename to playbooks/local/setup.yaml index 5a57e2f..6428fc2 100644 --- a/playbooks/_local.yaml +++ b/playbooks/local/setup.yaml @@ -1,4 +1,4 @@ -- name: Configure Ansible controller +- name: Install required packages hosts: localhost connection: local become: true 
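Review bot: The `Dummy` task in playbooks/apps/coredns.yaml writes `/tmp/test.txt` world-writable with an unquoted `mode: 0666`; ansible-lint's `risky-octal` rule flags unquoted modes, and the other new files in this patch (ha.yaml, replication.yaml) quote them as `mode: "0640"`, so `mode: "0644"` keeps the style consistent if the placeholder task is meant to stay. A comment such as `# placeholder until the CoreDNS role exists` above the task would make its status clear. The second play also sets `become: true` for `hosts: app_coredns` although the app_containers group_vars in this patch set `ansible_user: root`; harmless, but redundant.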
@@ -42,8 +42,9 @@ - name: Create proxy command script (for wsl) become: false ansible.builtin.copy: - dest: "{{ lookup('env', 'HOME') }}/.ssh/proxy-{{ environment_name }}.sh" + dest: "{{ lookup('env', 'HOME') }}/.ssh/proxy.sh" mode: 0700 + force: true content: | #!/usr/bin/env bash @@ -59,28 +60,4 @@ /usr/local/bin/cloudflared access ssh --hostname $1 else ssh $2@$1 - fi - - - name: Add a host into the configuration (short name) - become: false - community.general.ssh_config: - user: "{{ ansible_user }}" - host: "{{ hostvars[item].ansible_hostname }}" - hostname: "{{ hostvars[item].ansible_hostname }}" - forward_agent: true # To enable YubiKey forwarding - proxycommand: "{{ lookup('env', 'HOME') }}/.ssh/proxy-{{ environment_name }}.sh %h %r" - remote_user: "{{ ansible_user }}" - state: present - with_items: "{{ groups['all'] }}" - - - name: Add a host into the configuration (full name) - become: false - community.general.ssh_config: - user: "{{ ansible_user }}" - host: "{{ hostvars[item].ansible_hostname }}" - hostname: "{{ hostvars[item].fqdn }}" - forward_agent: true # To enable YubiKey forwarding - proxycommand: "{{ lookup('env', 'HOME') }}/.ssh/proxy-{{ environment_name }}.sh %h %r" - remote_user: "{{ ansible_user }}" - state: present - with_items: "{{ groups['all'] }}" + fi \ No newline at end of file diff --git a/playbooks/local/ssh.yaml b/playbooks/local/ssh.yaml new file mode 100644 index 0000000..b675a40 --- /dev/null +++ b/playbooks/local/ssh.yaml 
@@ -0,0 +1,29 @@
+- name: Install required packages
+ hosts: localhost
+ connection: local
+ become: true
+ become_method: ansible.builtin.sudo
+ tasks:
+ - name: Add a host into the configuration (short name)
+ become: false
+ community.general.ssh_config:
+ user: "{{ ansible_user }}"
+ host: "{{ hostvars[item].ansible_hostname }}"
+ hostname: "{{ hostvars[item].ansible_hostname }}"
+ forward_agent: true # To enable YubiKey forwarding
+ proxycommand: "{{ lookup('env', 'HOME') }}/.ssh/proxy.sh %h %r"
+ remote_user: "{{ ansible_user }}"
+ state: present
+ with_items: "{{ groups['all'] }}"
+
+ - name: Add a host into the configuration (full name)
+ become: false
+ community.general.ssh_config:
+ user: "{{ ansible_user }}"
+ host: "{{ hostvars[item].ansible_hostname }}"
+ hostname: "{{ hostvars[item].fqdn }}"
+ forward_agent: true # To enable YubiKey forwarding
+ proxycommand: "{{ lookup('env', 'HOME') }}/.ssh/proxy.sh %h %r"
+ remote_user: "{{ ansible_user }}"
+ state: present
+ with_items: "{{ groups['all'] }}"
diff --git a/playbooks/proxmox-cluster.yaml b/playbooks/proxmox-cluster.yaml
new file mode 100644
index 0000000..15a1dad
--- /dev/null
+++ b/playbooks/proxmox-cluster.yaml
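Review bot: The play name `Install required packages` in playbooks/local/ssh.yaml is copied from local/setup.yaml and describes nothing this file does; `- name: Configure SSH client entries for inventory hosts` would be accurate. `remote_user: "{{ ansible_user }}"` resolves on the localhost play rather than per item, so the `app_containers` hosts (given `ansible_user: root` in group_vars by this patch) would get the wrong user in `~/.ssh/config`; `hostvars[item].ansible_user` is presumably intended, and since this patch also removes `ansible_user` from `group_vars/all`, check that the localhost play still resolves it at all. `forward_agent: true` now applies to every host in `groups['all']`, including the app containers; agent forwarding lets root on the target use the forwarded key for the duration of the session, so limiting it to the PVE nodes (or making it a per-host variable) would reduce exposure.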
@@ -0,0 +1,33 @@ +- name: Proxmox Virtual Environment Configuration + hosts: pve_nodes + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Download Container templates + ansible.builtin.get_url: + url: "{{ item }}" + dest: "/var/lib/vz/template/cache/{{ item | basename }}" + loop: "{{ pve_ct_templates }}" + tags: + - ct_templates + + - name: Configure cluster-level options + ansible.builtin.import_role: + name: ../roles/pve_cluster_options + tags: cluster_options + + - name: Configure container vxlan sdn networks + ansible.builtin.import_role: + name: ../roles/pve_cluster_vxlan + tags: vxlan + + - name: Configure cluster-level firewall + ansible.builtin.import_role: + name: ../roles/pve_cluster_firewall + tags: firewall + + - name: Configure HA + ansible.builtin.import_role: + name: ../roles/pve_cluster_ha + tags: ha diff --git a/playbooks/proxmox.yaml b/playbooks/proxmox-nodes.yaml similarity index 95% rename from playbooks/proxmox.yaml rename to playbooks/proxmox-nodes.yaml index 33bb607..35ff252 100644 --- a/playbooks/proxmox.yaml +++ b/playbooks/proxmox-nodes.yaml @@ -21,11 +21,6 @@ name: homecentr.proxmox.pve_users tags: [ init, users ] - - name: Configure network interfaces - ansible.builtin.import_role: - name: homecentr.system.network - tags: [ network ] - - name: Configure https port forwarding ansible.builtin.import_role: name: homecentr.proxmox.pve_https_forward diff --git a/playbooks/test.yaml b/playbooks/test.yaml new file mode 100644 index 0000000..7b76619 --- /dev/null +++ b/playbooks/test.yaml @@ -0,0 +1,16 @@ +- name: Proxmox Virtual Environment Configuration + hosts: pve_nodes + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + vars: + hosts: + - pve1 + - pve2 + tasks: + - name: Debug + run_once: true + debug: + #msg: "{{ hosts }}" + msg: "{{ hosts | map('extract', hostvars, 'ansible_host') | join(',') }}" + #msg: "{{ ansible_play_hosts_all }}" 
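Review bot: `Download Container templates` in playbooks/proxmox-cluster.yaml calls `get_url` without `checksum:`, and the lab `pve_ct_templates` value in this patch is a plain `http://` URL, so an altered template archive would be accepted silently and become the root filesystem of every container created from it. Turning the list entries into `url`/`checksum` mappings and passing `checksum: "{{ item.checksum }}"` closes that gap; an explicit `mode: "0644"` also documents the intended permissions instead of relying on the umask. `playbooks/test.yaml` looks like a scratch debug playbook (a `Debug` task with two commented-out `msg` lines); if it is meant to stay, a header comment saying what it exercises would help, otherwise it should not ship.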
diff --git a/requirements.yaml b/requirements.yaml index aa1d450..8bffef1 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -6,7 +6,7 @@ collections: version: 2.7.0 - name: oasis_roles.system - name: community.general - version: 6.3.0 + version: 8.4.0 - name: gluster.gluster version: 1.0.2 - name: kubernetes.core @@ -20,7 +20,7 @@ collections: version: master - name: https://github.com/homecentr/ansible-collection-proxmox type: git - version: master + version: origin/fix/https-forward-2 # master roles: - name: geerlingguy.pip diff --git a/roles/app-container/tasks/container.yaml b/roles/app-container/tasks/container.yaml new file mode 100644 index 0000000..4796563 --- /dev/null +++ b/roles/app-container/tasks/container.yaml 
@@ -0,0 +1,91 @@ +- name: Create new container with minimal options + run_once: true + community.general.proxmox: + api_user: root@pam + api_password: "{{ users_root_password }}" + api_host: "localhost" + node: "{{ hostvars[container_vars.app_container_pve_node].ansible_hostname }}" + password: "{{ users_root_password }}" + hostname: "{{ container_vars.ansible_hostname }}" + ostemplate: "{{ container_vars.app_container_ostemplate }}" + memory: "{{ container_vars.app_container_memory }}" + cpus: "{{ container_vars.app_container_cpus }}" + unprivileged: "{{ container_vars.app_container_unprivileged | default(true) }}" + swap: "{{ container_vars.app_container_swap_mb | default(512) }}" + disk: "{{ container_vars.app_container_storage_name }}:{{ container_vars.app_container_storage_size_gb }},replicate=1" + pubkey: "{{ container_vars.users_root_public_keys | join('\n') }}" + onboot: "{{ container_vars.start_onboot | default(true) }}" + netif: "{{ lookup('template', 'network-interfaces.j2', template_vars=dict(app_container_network_interfaces=container_vars.app_container_network_interfaces)) }}" + state: present + +- name: Create new container with minimal options + run_once: true + register: container_update + community.general.proxmox: + api_user: root@pam + api_password: "{{ users_root_password }}" + api_host: "localhost" + node: "{{ hostvars[container_vars.app_container_pve_node].ansible_hostname }}" + password: "{{ users_root_password }}" + hostname: "{{ container_vars.ansible_hostname }}" + memory: "{{ container_vars.app_container_memory }}" + cpus: "{{ container_vars.app_container_cpus }}" + unprivileged: "{{ container_vars.app_container_unprivileged | default(true) }}" + swap: "{{ container_vars.app_container_swap_mb | default(512) }}" + disk: "{{ container_vars.app_container_storage_name }}:{{ container_vars.app_container_storage_size_gb }},replicate=1" + pubkey: "{{ container_vars.users_root_public_keys | join('\n') }}" + onboot: "{{ container_vars.start_onboot 
| default(true) }}" + netif: "{{ lookup('template', 'network-interfaces.j2', template_vars=dict(app_container_network_interfaces=container_vars.app_container_network_interfaces)) }}" + update: true + state: present + +- name: Wait for the container to be created + register: app_container_info + community.general.proxmox_vm_info: + api_user: root@pam + api_password: "{{ users_root_password }}" + api_host: "localhost" + type: lxc + name: "{{ container_vars.ansible_hostname }}" + +- name: Flatten container info + ansible.builtin.set_fact: + app_container_info: "{{ app_container_info.proxmox_vms.0 }}" + +- name: Add bind-mounts + register: bind_mounts + loop: container_vars.app_container_bind_mounts + loop_control: + loop_var: bind + ansible.builtin.lineinfile: + path: "/etc/pve/lxc/{{ app_container_info.vmid }}.cfg" + regex: "^mp{{ loop.index - 1 }}: .*" + line: "mp{{ loop.index - 1 }}: {{ bind.hostpath }},mp={{ bind.containerpath }}" + +- name: Stop the container if it's started but definition has changed + when: (container_update.changed or bind_mounts.changed) and app_container_info.status == 'running' and (container_vars.app_container_autorestart_enabled | default(false)) + run_once: true + community.general.proxmox: + api_user: root@pam + api_password: "{{ users_root_password }}" + api_host: "localhost" + hostname: "{{ container_vars.ansible_hostname }}" + state: stopped + +- name: Start container + run_once: true + community.general.proxmox: + api_user: root@pam + api_password: "{{ hostvars[container_vars.app_container_pve_node].users_root_password }}" + api_host: "localhost" + hostname: "{{ container_vars.ansible_hostname }}" + state: started + +- name: Wait for the container to start responding on SSH + run_once: true + ansible.builtin.wait_for: + host: "{{ container_vars.ansible_host }}" + port: 22 + timeout: 400 + sleep: 2 + msg: "Container {{ container_vars.ansible_hostname }} did not start responding on SSH in time." \ No newline at end of file 
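Review bot: The `Add bind-mounts` task in roles/app-container/tasks/container.yaml cannot run as written: `loop: container_vars.app_container_bind_mounts` is a bare string rather than a templated list, `loop.index` is a Jinja for-loop variable that Ansible task loops do not provide (use `loop_control.index_var`), and Proxmox LXC configuration files live at `/etc/pve/lxc/<vmid>.conf`, not `.cfg`, so `lineinfile` would also fail on a missing file; it further lacks the `run_once: true` its siblings have, so every PVE node would edit the same cluster-wide file concurrently. The second task's name duplicates the first (`Create new container with minimal options`) although it is the `update: true` pass. `password: "{{ users_root_password }}"` sets the container's root password to the hypervisor's root secret even though `container_vars.users_root_password` exists for the app_containers group; sharing the node's root password with every container is presumably unintended. The `Start container` task also reads `api_password` from `hostvars[...app_container_pve_node]` while the other tasks use the play host's `users_root_password`; pick one form.
```yaml
- name: Add bind-mounts
  run_once: true
  register: bind_mounts
  loop: "{{ container_vars.app_container_bind_mounts | default([]) }}"
  loop_control:
    loop_var: bind
    index_var: bind_index
  ansible.builtin.lineinfile:
    path: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf"
    regexp: "^mp{{ bind_index }}: .*"
    line: "mp{{ bind_index }}: {{ bind.hostpath }},mp={{ bind.containerpath }}"
# … unchanged: stop / start / wait_for tasks …
```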
diff --git a/roles/app-container/tasks/firewall.yaml b/roles/app-container/tasks/firewall.yaml new file mode 100644 index 0000000..06182a7 --- /dev/null +++ b/roles/app-container/tasks/firewall.yaml @@ -0,0 +1,3 @@ +# IPSet +# Alias +# Rules \ No newline at end of file diff --git a/roles/app-container/tasks/ha.yaml b/roles/app-container/tasks/ha.yaml new file mode 100644 index 0000000..b025bdd --- /dev/null +++ b/roles/app-container/tasks/ha.yaml @@ -0,0 +1,17 @@ +- name: Configure container as a ha resource + run_once: true + ansible.builtin.blockinfile: + path: /etc/pve/ha/resources.cfg + create: true + owner: root + group: www-data + mode: "0640" + marker: "# {mark} Ansible managed ha container {{ container_vars.ansible_hostname }}" + prepend_newline: true + block: | + ct: {{ app_container_info.vmid }} + state {{ container_vars.app_container_desired_state | default('started') }} + {%- if container_vars.app_container_pve_ha_group_name %} + + group {{ container_vars.app_container_pve_ha_group_name }} + {%- endif %} \ No newline at end of file diff --git a/roles/app-container/tasks/main.yaml b/roles/app-container/tasks/main.yaml new file mode 100644 index 0000000..110bdff --- /dev/null +++ b/roles/app-container/tasks/main.yaml 
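Review bot: The block rendered by roles/app-container/tasks/ha.yaml puts `state` and `group` at column 0 and inserts an empty line before `group`, whereas Proxmox section-config files (compare an existing `/etc/pve/ha/resources.cfg`) indent property lines under the `ct: <vmid>` header and treat a blank line as the end of the section, so the group setting would most likely be ignored or rejected; indent both property lines inside the block and drop the blank line. The same column-0 property layout appears in roles/app-container/tasks/replication.yaml in this patch. `{%- if container_vars.app_container_pve_ha_group_name %}` also raises on hosts that do not define the variable; `| default('')` matches how replication.yaml guards its optional `rate`.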
@@ -0,0 +1,30 @@ +- name: Create container + ansible.builtin.include_tasks: + file: container.yaml + vars: + container_vars: "{{ hostvars[container_inventory_name] }}" + +- name: Configure replication + ansible.builtin.include_tasks: + file: replication.yaml + vars: + container_vars: "{{ hostvars[container_inventory_name] }}" + +- name: Configure high-availability + ansible.builtin.include_tasks: + file: ha.yaml + vars: + container_vars: "{{ hostvars[container_inventory_name] }}" + +- name: Configure container firewall + ansible.builtin.import_role: + name: "{{ role_path }}/../pve_firewall_common" + vars: + pve_firewall_default_scope: null + pve_firewall_filepath: "/etc/pve/firewall/{{ app_container_info.vmid }}.fw" + pve_firewall_aliases: "{{ pve_cluster_firewall_aliases }}" + pve_firewall_ipsets: "{{ pve_cluster_firewall_ipsets }}" + pve_firewall_rules: "{{ pve_cluster_firewall_rules }}" + pve_firewall_enabled: "{{ pve_cluster_firewall_enabled }}" + +# TODO: Support bindmounts (e.g for ssl cert mount) \ No newline at end of file diff --git a/roles/app-container/tasks/replication.yaml b/roles/app-container/tasks/replication.yaml new file mode 100644 index 0000000..3d0906f --- /dev/null +++ b/roles/app-container/tasks/replication.yaml 
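Review bot: The container firewall is imported with `pve_firewall_default_scope: null`, but the role's templates fall back on that value with `default(default_scope)`, and Jinja's `default` only replaces undefined values, so a `null` presumably renders as a literal `None/` prefix in front of alias and ipset names instead of a valid `dc/` or `guest/` scope. Since the variables handed over are the cluster-level `pve_cluster_firewall_*` lists, `pve_firewall_default_scope: dc` looks like the intended value. Also worth a comment on this task: the container's `.fw` file inherits the cluster's `enable` flag and rule list, which is unusual for a per-guest firewall and should be stated as a deliberate choice if it is one.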
@@ -0,0 +1,22 @@ +- name: Configure storage replication + run_once: true + loop: "{{ container_vars.app_container_pve_replication_nodes }}" + loop_control: + loop_var: node + index_var: node_index + ansible.builtin.blockinfile: + path: "/etc/pve/replication.cfg" + create: true + owner: root + group: www-data + mode: "0640" + marker: "# {mark} Ansible managed replication ct{{ app_container_info.vmid }}-{{ hostvars[node].ansible_hostname }}" + prepend_newline: true + block: | + local: {{ app_container_info.vmid }}-{{ node_index }} + source {{ hostvars[container_vars.app_container_pve_node].ansible_hostname }} + target {{ hostvars[node].ansible_hostname }} + schedule {{ container_vars.app_container_pve_replication_cron_expression }} + {%- if container_vars.app_container_pve_replication_bandwidth | default("") != "" %} + rate {{ container_vars.app_container_pve_replication_bandwidth }} + {%- endif %} \ No newline at end of file diff --git a/roles/app-container/templates/network-interfaces.j2 b/roles/app-container/templates/network-interfaces.j2 new file mode 100644 index 0000000..c21a073 --- /dev/null +++ b/roles/app-container/templates/network-interfaces.j2 @@ -0,0 +1,6 @@ +{% raw %}{{% endraw %} +{%- for nic in app_container_network_interfaces %} +"net{{ loop.index - 1 }}": "name={{ nic.name }},bridge={{ nic.bridge }},ip={{ nic.ipv4_address }}{{ ",gw=" + nic.ipv4_gateway if (nic.ipv4_gateway | default("")) != "" else "" }}" +{%- if not loop.last %},{% endif %} +{%- endfor %} +{% raw %}}{% endraw %} \ No newline at end of file diff --git a/roles/pve_cluster_firewall/tasks/main.yaml b/roles/pve_cluster_firewall/tasks/main.yaml new file mode 100644 index 0000000..3177ea0 --- /dev/null +++ b/roles/pve_cluster_firewall/tasks/main.yaml 
@@ -0,0 +1,19 @@ +- name: Create firewall config file if it does not exist + ansible.builtin.file: + path: /etc/pve/firewall/cluster.fw + state: file + owner: root + group: www-data + mode: "0640" + +- name: Configure cluster firewall + ansible.builtin.import_role: + name: "{{ role_path }}/../pve_firewall_common" + vars: + pve_firewall_default_scope: dc + pve_firewall_filepath: /etc/pve/firewall/cluster.fw + pve_firewall_aliases: "{{ pve_cluster_firewall_aliases }}" + pve_firewall_ipsets: "{{ pve_cluster_firewall_ipsets }}" + pve_firewall_rules: "{{ pve_cluster_firewall_rules }}" + pve_firewall_enabled: "{{ pve_cluster_firewall_enabled }}" + pve_firewall_security_groups: "{{ pve_cluster_firewall_security_groups }}" \ No newline at end of file diff --git a/roles/pve_cluster_ha/tasks/main.yaml b/roles/pve_cluster_ha/tasks/main.yaml new file mode 100644 index 0000000..5193152 --- /dev/null +++ b/roles/pve_cluster_ha/tasks/main.yaml @@ -0,0 +1,9 @@ +- name: Create ha config file if it does not exist + run_once: true + ansible.builtin.copy: + dest: /etc/pve/ha/groups.cfg + owner: root + group: www-data + mode: "0640" + force: true + content: "{{ lookup('template', 'ha-groups.j2') }}" diff --git a/roles/pve_cluster_ha/templates/ha-groups.j2 b/roles/pve_cluster_ha/templates/ha-groups.j2 new file mode 100644 index 0000000..ff2f915 --- /dev/null +++ b/roles/pve_cluster_ha/templates/ha-groups.j2 @@ -0,0 +1,12 @@ +{%- for group in pve_cluster_ha_groups %} +group: {{ group.name }} + nodes {% for node in group.nodes %} +{{- hostvars[node.name].ansible_hostname -}} +{%- if node.priority | default("") != "" %}:{{ node.priority }}{% endif %} +{%- if not loop.last %},{% endif %} +{% endfor %} + + nofailback {{ '1' if (group.nofailback | default(false)) else '0' }} + restricted {{ '1' if (group.restricted | default(false)) else '0' }} + +{% endfor %} \ No newline at end of file 
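Review bot: `ansible.builtin.file` with `state: file` does not create a missing file; it only adjusts ownership and mode of an existing one and fails when `/etc/pve/firewall/cluster.fw` is absent, so the task named "Create firewall config file if it does not exist" cannot do that on a fresh cluster. `state: touch` creates it but reports changed on every run; `ansible.builtin.copy` with `content: ""` and `force: false` plus the same owner, group and mode creates it once and stays idempotent. In the pve_cluster_ha hunk on the same line the opposite holds: `force: true` makes "Create ha config file if it does not exist" overwrite `groups.cfg` on every run, so the task name should say it renders the file.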
diff --git a/roles/pve_cluster_options/tasks/main.yaml b/roles/pve_cluster_options/tasks/main.yaml new file mode 100644 index 0000000..788df1b --- /dev/null +++ b/roles/pve_cluster_options/tasks/main.yaml @@ -0,0 +1,8 @@ +- name: Configure migration network + run_once: true + ansible.builtin.lineinfile: + path: /etc/pve/datacenter.cfg + create: false + regexp: "^migration:.*" + line: "network={{ pve_cluster_options_migration_network }},type=secure" + when: pve_cluster_options_migration_network is defined and pve_cluster_options_migration_network != "" diff --git a/roles/pve_cluster_vxlan/tasks/main.yaml b/roles/pve_cluster_vxlan/tasks/main.yaml new file mode 100644 index 0000000..e051947 --- /dev/null +++ b/roles/pve_cluster_vxlan/tasks/main.yaml @@ -0,0 +1,23 @@ +- name: Install required packages + ansible.builtin.apt: + name: libpve-network-perl + state: present + +- name: Verify SDN is enabled + ansible.builtin.lineinfile: + path: /etc/network/interfaces + create: false + line: "source /etc/network/interfaces.d/*" + +- name: Configure zones + run_once: true + loop: "{{ pve_cluster_vxlans }}" + loop_control: + loop_var: zone + ansible.builtin.include_tasks: + file: zone.yaml + +- name: Apply changes to the whole cluster + changed_when: true + ansible.builtin.command: + cmd: pvesh set /cluster/sdn diff --git a/roles/pve_cluster_vxlan/tasks/subnet.yaml b/roles/pve_cluster_vxlan/tasks/subnet.yaml new file mode 100644 index 0000000..7b30d6c --- /dev/null +++ b/roles/pve_cluster_vxlan/tasks/subnet.yaml @@ -0,0 +1,11 @@ +- name: Configure subnets + ansible.builtin.blockinfile: + path: /etc/pve/sdn/subnets.cfg + create: true + owner: root + group: www-data + mode: "0640" + marker: "# {mark} Ansible managed subnet {{ zone.name }}-{{ vnet.name }}-{{ subnet.cidr | replace('/', '-') }}" + block: | + subnet: {{ zone.name }}-{{ subnet.cidr | replace('/', '-') }} + vnet {{ vnet.name }} 
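Review bot: In pve_cluster_options the `line` value lacks the `migration: ` key that `regexp: "^migration:.*"` expects, so the first run appends a bare `network=...,type=secure` line that datacenter.cfg will not understand, and every later run appends another copy because the regexp never matches. `line: "migration: network={{ pve_cluster_options_migration_network }},type=secure"` fixes both. In the pve_cluster_vxlan hunk on the same line, `pvesh set /cluster/sdn` runs unconditionally with `changed_when: true`; registering the zone, vnet and subnet results and applying only when one of them changed would keep runs idempotent.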
diff --git a/roles/pve_cluster_vxlan/tasks/vnet.yaml b/roles/pve_cluster_vxlan/tasks/vnet.yaml new file mode 100644 index 0000000..54d8b63 --- /dev/null +++ b/roles/pve_cluster_vxlan/tasks/vnet.yaml @@ -0,0 +1,24 @@ +- name: Validate vnet name length + ansible.builtin.assert: + that: vnet.name | length <= 9 # total 15 with vxlan_ prefix + msg: VNet name must be 9 characters or less + +- name: Configure vnet + ansible.builtin.blockinfile: + path: /etc/pve/sdn/vnets.cfg + create: true + owner: root + group: www-data + mode: "0640" + marker: "# {mark} Ansible managed vnet {{ vnet.name }}" + block: | + vnet: {{ vnet.name }} + zone {{ zone.name }} + tag {{ vnet.tag }} + +- name: Configure subnet + loop: "{{ vnet.subnets }}" + loop_control: + loop_var: subnet + ansible.builtin.include_tasks: + file: subnet.yaml \ No newline at end of file diff --git a/roles/pve_cluster_vxlan/tasks/zone.yaml b/roles/pve_cluster_vxlan/tasks/zone.yaml new file mode 100644 index 0000000..6f30f3e --- /dev/null +++ b/roles/pve_cluster_vxlan/tasks/zone.yaml @@ -0,0 +1,19 @@ +- name: Configure zome + ansible.builtin.blockinfile: + path: /etc/pve/sdn/zones.cfg + create: true + owner: root + group: www-data + mode: "0640" + marker: "# {mark} Ansible managed vxlan {{ zone.name }}" + block: | + vxlan: {{ zone.name }} + peers {{ zone.peer_hosts | map('extract', hostvars, 'ansible_host') | join(',') }} + ipam {{ zone.ipam | default('pve') }} + +- name: Configure vnets + loop: "{{ zone.vnets }}" + loop_control: + loop_var: vnet + ansible.builtin.include_tasks: + file: vnet.yaml \ No newline at end of file diff --git a/roles/pve_firewall_common/tasks/aliases.yaml b/roles/pve_firewall_common/tasks/aliases.yaml new file mode 100644 index 0000000..71d313d --- /dev/null +++ b/roles/pve_firewall_common/tasks/aliases.yaml 
@@ -0,0 +1,21 @@ +- name: Ensure the aliases section + run_once: true + ansible.builtin.lineinfile: + path: "{{ pve_firewall_filepath }}" + create: false + line: "[ALIASES]" + state: present + +- name: Configure aliases + run_once: true + loop: "{{ pve_firewall_aliases | default([]) }}" + loop_control: + loop_var: alias + ansible.builtin.lineinfile: + path: "{{ pve_firewall_filepath }}" + create: false + regex: "^{{ alias.name }} .*" + line: "{{ alias.name }} {{ alias.cidr }}" + firstmatch: true + insertafter: "[ALIASES]" + state: present diff --git a/roles/pve_firewall_common/tasks/ipsets.yaml b/roles/pve_firewall_common/tasks/ipsets.yaml new file mode 100644 index 0000000..b510d0f --- /dev/null +++ b/roles/pve_firewall_common/tasks/ipsets.yaml @@ -0,0 +1,12 @@ +- name: Configure ipset + run_once: true + loop: "{{ pve_firewall_ipsets | default([]) }}" + loop_control: + loop_var: ipset + ansible.builtin.blockinfile: + path: "{{ pve_firewall_filepath }}" + create: false + state: present + prepend_newline: true + marker: "# {mark} Ansible managed ipset ({{ ipset.name }})" + block: "{{ lookup('template', 'ipset.j2', template_vars=dict(ipset=ipset, default_scope=pve_firewall_default_scope)) }}" diff --git a/roles/pve_firewall_common/tasks/main.yaml b/roles/pve_firewall_common/tasks/main.yaml new file mode 100644 index 0000000..d3b8c80 --- /dev/null +++ b/roles/pve_firewall_common/tasks/main.yaml @@ -0,0 +1,19 @@ +- name: Configure aliases + ansible.builtin.include_tasks: + file: aliases.yaml + +- name: Configure ipsets + ansible.builtin.include_tasks: + file: ipsets.yaml + +- name: Configure security groups + ansible.builtin.include_tasks: + file: security-groups.yaml + +- name: Configure rules + ansible.builtin.include_tasks: + file: rules.yaml + +- name: Configure options + ansible.builtin.include_tasks: + file: options.yaml \ No newline at end of file 
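Review bot: `insertafter: "[ALIASES]"` is evaluated as a regular expression, and the unescaped brackets make it a character class matching any single letter A, L, I, E or S, so the alias lines are inserted after the first line containing one of those letters rather than under the section header; `insertafter: '^\[ALIASES\]'` anchors it to the header. The same construction appears in options.yaml (`[OPTIONS]`) and rules.yaml (`[RULES]`) in the next hunks. `regex: "^{{ alias.name }} .*"` also interpolates the name into a regex unescaped; `{{ alias.name | regex_escape }}` avoids surprises when a name contains a dot or a dash.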
diff --git a/roles/pve_firewall_common/tasks/options.yaml b/roles/pve_firewall_common/tasks/options.yaml new file mode 100644 index 0000000..a90a937 --- /dev/null +++ b/roles/pve_firewall_common/tasks/options.yaml @@ -0,0 +1,17 @@ +- name: Ensure the options section + run_once: true + ansible.builtin.lineinfile: + path: "{{ pve_firewall_filepath }}" + create: false + line: "[OPTIONS]" + state: present + +- name: Configure firewall enabled option + run_once: true + ansible.builtin.lineinfile: + path: "{{ pve_firewall_filepath }}" + create: false + regex: "^enable: .*" + line: "enable: {{ '1' if pve_firewall_enabled else '0' }}" + firstmatch: true + insertafter: "[OPTIONS]" diff --git a/roles/pve_firewall_common/tasks/rules.yaml b/roles/pve_firewall_common/tasks/rules.yaml new file mode 100644 index 0000000..b654a43 --- /dev/null +++ b/roles/pve_firewall_common/tasks/rules.yaml @@ -0,0 +1,20 @@ +- name: Ensure the rules section + run_once: true + ansible.builtin.lineinfile: + path: "{{ pve_firewall_filepath }}" + create: false + line: "[RULES]" + state: present + +- name: Configure rules + run_once: true + loop: "{{ pve_firewall_rules | default([]) }}" + loop_control: + loop_var: rule + ansible.builtin.lineinfile: + path: "{{ pve_firewall_filepath }}" + create: false + line: "{{ lookup('template', 'firewall-rule.j2', template_vars=dict(rule=rule, default_scope='dc')) }}" + firstmatch: true + insertafter: "[RULES]" + state: present \ No newline at end of file diff --git a/roles/pve_firewall_common/tasks/security-groups.yaml b/roles/pve_firewall_common/tasks/security-groups.yaml new file mode 100644 index 0000000..2f2e580 --- /dev/null +++ b/roles/pve_firewall_common/tasks/security-groups.yaml 
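Review bot: rules.yaml adds each rendered rule with `lineinfile` keyed on the exact line text and no `regex`, so a rule that is edited or removed from `pve_firewall_rules` leaves its old line in place — an ACCEPT that was withdrawn stays in force until someone cleans the file by hand, and `firstmatch: true` has no effect without a `regex`. Rendering the whole `[RULES]` section into one `blockinfile` with a marker, as ipsets.yaml already does for sets, would drop stale rules on each run. The rule template is also called with `default_scope='dc'` hard-coded, whereas ipsets.yaml and security-groups.yaml pass `pve_firewall_default_scope`, so container callers get a different scope for rules than for sets.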
@@ -0,0 +1,12 @@ +- name: Configure security group + run_once: true + loop: "{{ pve_firewall_security_groups | default([]) }}" + loop_control: + loop_var: group + ansible.builtin.blockinfile: + path: "{{ pve_firewall_filepath }}" + create: false + prepend_newline: true + state: present + marker: "# {mark} Ansible managed group ({{ group.name }})" + block: "{{ lookup('template', 'security-group.j2', template_vars=dict(group=group, default_scope=pve_firewall_default_scope)) }}" diff --git a/roles/pve_firewall_common/templates/firewall-file.j2 b/roles/pve_firewall_common/templates/firewall-file.j2 new file mode 100644 index 0000000..e69de29 diff --git a/roles/pve_firewall_common/templates/firewall-rule.j2 b/roles/pve_firewall_common/templates/firewall-rule.j2 new file mode 100644 index 0000000..1c88dad --- /dev/null +++ b/roles/pve_firewall_common/templates/firewall-rule.j2 
@@ -0,0 +1,21 @@ +{%- if rule.enabled | default(true) == false %}|{% endif -%} +{%- if rule.type | default("") | lower == "group" %} +GROUP {{ rule.name }} + {{- lookup('template', 'partials/interface.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} +{%- elif rule.type | default("") | lower == "macro" %} + {{- rule.direction | upper }} + {{- rule.name }}({{ rule.action | upper }}) + {{- lookup('template', 'partials/source.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} + {{- lookup('template', 'partials/destination.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} + {{- lookup('template', 'partials/interface.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} + {{- lookup('template', 'partials/log.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} +{%- else %} + {{- rule.action | upper }} + {{- lookup('template', 'partials/source.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} + {{- lookup('template', 'partials/destination.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} + {{- lookup('template', 'partials/protocol.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} + {{- lookup('template', 'partials/source-port.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} + {{- lookup('template', 'partials/destination-port.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} + {{- lookup('template', 'partials/interface.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} + {{- lookup('template', 'partials/log.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} +{%- endif -%} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/ipset.j2 b/roles/pve_firewall_common/templates/ipset.j2 new file mode 100644 index 0000000..9563779 --- /dev/null +++ b/roles/pve_firewall_common/templates/ipset.j2 
@@ -0,0 +1,8 @@ +[IPSET {{ ipset.name }}] +{% for item in ipset["items"] %} +{% if item.type | default("") == "alias" %} +{{ item.scope | default(default_scope) }}/{{ item.name }} +{% else %} +{{ item.cidr }} +{% endif %} +{%- endfor %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/destination-port.j2 b/roles/pve_firewall_common/templates/partials/destination-port.j2 new file mode 100644 index 0000000..1ce94fc --- /dev/null +++ b/roles/pve_firewall_common/templates/partials/destination-port.j2 @@ -0,0 +1,3 @@ +{%- if rule.destination_port | default("") != "" %} + -dport {{ rule.destination_port }} +{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/destination.j2 b/roles/pve_firewall_common/templates/partials/destination.j2 new file mode 100644 index 0000000..cc56d12 --- /dev/null +++ b/roles/pve_firewall_common/templates/partials/destination.j2 @@ -0,0 +1,3 @@ +{%- if rule.source is defined %} + -destination {{ lookup('template', 'partials/host-expression.j2',template_vars=(dict(expression=rule.source, default_scope=default_scope))) }} +{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/host-expression.j2 b/roles/pve_firewall_common/templates/partials/host-expression.j2 new file mode 100644 index 0000000..1b44867 --- /dev/null +++ b/roles/pve_firewall_common/templates/partials/host-expression.j2 @@ -0,0 +1,7 @@ +{%- if expression.type | default("") == "ipset" %} ++{{ expression.scope | default(default_scope) | mandatory }}/{{ expression.name }} +{%- elif expression.type | default("") == "alias" %} +{{ expression.scope | default(default_scope) | mandatory }}/{{ expression.name }} +{%- else %} +{{ expression }} +{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/interface.j2 b/roles/pve_firewall_common/templates/partials/interface.j2 new file mode 100644 index 0000000..9e61fc4 
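Review bot: destination.j2 tests and renders `rule.source` instead of `rule.destination`, so a rule's destination match is filled with its source expression and the configured `destination:` value never reaches the firewall file. The two lines should read `{%- if rule.destination is defined %}` and `expression=rule.destination`. The later hunk that renames the flag to `-dest` (patch 18, destination.j2) keeps the same `rule.source` reference, so the fix is still needed there.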
--- /dev/null +++ b/roles/pve_firewall_common/templates/partials/interface.j2 @@ -0,0 +1,3 @@ +{%- if rule.interface | default("") != "" %} + -i {{ rule.interface }} +{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/log.j2 b/roles/pve_firewall_common/templates/partials/log.j2 new file mode 100644 index 0000000..f22406e --- /dev/null +++ b/roles/pve_firewall_common/templates/partials/log.j2 @@ -0,0 +1 @@ + -log {{ rule.log_level | default("nolog") }} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/protocol.j2 b/roles/pve_firewall_common/templates/partials/protocol.j2 new file mode 100644 index 0000000..e4671d6 --- /dev/null +++ b/roles/pve_firewall_common/templates/partials/protocol.j2 @@ -0,0 +1,3 @@ +{%- if rule.protocol | default("") != "" %} + -p {{ rule.protocol | lower }} +{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/source-port.j2 b/roles/pve_firewall_common/templates/partials/source-port.j2 new file mode 100644 index 0000000..d116987 --- /dev/null +++ b/roles/pve_firewall_common/templates/partials/source-port.j2 @@ -0,0 +1,3 @@ +{%- if rule.source_port | default("") != "" %} + -sport {{ rule.source_port }} +{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/source.j2 b/roles/pve_firewall_common/templates/partials/source.j2 new file mode 100644 index 0000000..19a934d --- /dev/null +++ b/roles/pve_firewall_common/templates/partials/source.j2 @@ -0,0 +1,3 @@ +{%- if rule.source is defined %} + -source {{ lookup('template', 'partials/host-expression.j2',template_vars=(dict(expression=rule.source, default_scope=default_scope))) }} +{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/security-group.j2 b/roles/pve_firewall_common/templates/security-group.j2 new file mode 100644 index 0000000..a079e99 --- /dev/null 
+++ b/roles/pve_firewall_common/templates/security-group.j2 @@ -0,0 +1,4 @@ +[group {{ group.name }}] +{% for rule in group.rules %} +{{ lookup('template', '../../pve_firewall_common/templates/firewall-rule.j2',template_vars=(dict(rule=rule,default_scope=default_scope))) }} +{% endfor %} \ No newline at end of file diff --git a/tools/install.sh b/tools/install.sh index c766e4b..a07ed6e 100755 --- a/tools/install.sh +++ b/tools/install.sh @@ -3,4 +3,6 @@ # yarn install is executed automatically ansible-galaxy install -r ./requirements.yaml --force -ansible-playbook ./playbooks/_local.yaml \ No newline at end of file +ansible-playbook ./playbooks/local/setup.yaml +ansible-playbook -i ./environments/lab/ ./playbooks/local/ssh.yaml +ansible-playbook -i ./environments/prod/ ./playbooks/local/ssh.yaml \ No newline at end of file From a0c33f86cecc39b21127b039c7cdeea8197c4ec1 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Mon, 4 Mar 2024 22:31:15 +0100 Subject: [PATCH 18/51] Cluster firewall working --- .../lab/group_vars/pve_nodes/firewall.yaml | 17 +++++- roles/pve_firewall_common/tasks/aliases.yaml | 21 ------- roles/pve_firewall_common/tasks/ipsets.yaml | 12 ---- roles/pve_firewall_common/tasks/main.yaml | 55 +++++++++++++------ roles/pve_firewall_common/tasks/options.yaml | 17 ------ roles/pve_firewall_common/tasks/rules.yaml | 20 ------- .../tasks/security-groups.yaml | 12 ---- .../templates/firewall-file.j2 | 28 ++++++++++ .../templates/firewall-rule.j2 | 3 +- roles/pve_firewall_common/templates/ipset.j2 | 1 + .../templates/partials/destination.j2 | 2 +- .../templates/security-group.j2 | 1 + 12 files changed, 86 insertions(+), 103 deletions(-) delete mode 100644 roles/pve_firewall_common/tasks/aliases.yaml delete mode 100644 roles/pve_firewall_common/tasks/ipsets.yaml delete mode 100644 roles/pve_firewall_common/tasks/options.yaml delete mode 100644 roles/pve_firewall_common/tasks/rules.yaml delete mode 100644 roles/pve_firewall_common/tasks/security-groups.yaml 
diff --git a/environments/lab/group_vars/pve_nodes/firewall.yaml b/environments/lab/group_vars/pve_nodes/firewall.yaml index 36a53d4..abcc8b0 100644 --- a/environments/lab/group_vars/pve_nodes/firewall.yaml +++ b/environments/lab/group_vars/pve_nodes/firewall.yaml @@ -5,7 +5,7 @@ pve_cluster_firewall_aliases: cidr: 10.1.3.0/24 # must be an ip or cidr => cidr pve_cluster_firewall_ipsets: - - name: My set + - name: some-ipset items: - type: alias name: some-alias @@ -16,8 +16,9 @@ pve_cluster_firewall_security_groups: - name: my-group rules: - direction: IN + type: macro + name: SSH action: ACCEPT - macro: SSH source: type: ipset name: some-ipset @@ -26,9 +27,19 @@ pve_cluster_firewall_security_groups: - enabled: false # default = true direction: IN action: ACCEPT + protocol: TCP source_port: 25 destination_port: http source: # might be: ipset (+), alias (dc/), comma-separated list of ips or most likely also a cidr type: alias name: some-alias - destination: 10.1.8.0/24 \ No newline at end of file + destination: 10.1.8.0/24 + +pve_cluster_firewall_rules: + - direction: IN + action: ACCEPT + macro: SSH + source: + type: ipset + name: some-ipset + destination: 10.1.8.0/24 # optional \ No newline at end of file diff --git a/roles/pve_firewall_common/tasks/aliases.yaml b/roles/pve_firewall_common/tasks/aliases.yaml deleted file mode 100644 index 71d313d..0000000 --- a/roles/pve_firewall_common/tasks/aliases.yaml +++ /dev/null @@ -1,21 +0,0 @@ -- name: Ensure the aliases section - run_once: true - ansible.builtin.lineinfile: - path: "{{ pve_firewall_filepath }}" - create: false - line: "[ALIASES]" - state: present - -- name: Configure aliases - run_once: true - loop: "{{ pve_firewall_aliases | default([]) }}" - loop_control: - loop_var: alias - ansible.builtin.lineinfile: - path: "{{ pve_firewall_filepath }}" - create: false - regex: "^{{ alias.name }} .*" - line: "{{ alias.name }} {{ alias.cidr }}" - firstmatch: true - insertafter: "[ALIASES]" - state: present 
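Review bot: The new `pve_cluster_firewall_rules` entry uses `macro: SSH`, but firewall-rule.j2 only treats a rule as a macro when it has `type: macro` and takes the macro from `name`, so this rule presumably renders as a plain `IN ACCEPT -source +dc/some-ipset ...` with no port restriction, accepting all traffic from the set rather than SSH. The security-group example a few lines above already uses the recognised form, and this entry should follow it: `type: macro` / `name: SSH`. A comment above the list naming the keys the template reads (`type`, `name`, `action`, `direction`, `source`, `destination`, `protocol`, `source_port`, `destination_port`, `enabled`) would prevent the same slip when the prod vars are written.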
diff --git a/roles/pve_firewall_common/tasks/ipsets.yaml b/roles/pve_firewall_common/tasks/ipsets.yaml deleted file mode 100644 index b510d0f..0000000 --- a/roles/pve_firewall_common/tasks/ipsets.yaml +++ /dev/null @@ -1,12 +0,0 @@ -- name: Configure ipset - run_once: true - loop: "{{ pve_firewall_ipsets | default([]) }}" - loop_control: - loop_var: ipset - ansible.builtin.blockinfile: - path: "{{ pve_firewall_filepath }}" - create: false - state: present - prepend_newline: true - marker: "# {mark} Ansible managed ipset ({{ ipset.name }})" - block: "{{ lookup('template', 'ipset.j2', template_vars=dict(ipset=ipset, default_scope=pve_firewall_default_scope)) }}" diff --git a/roles/pve_firewall_common/tasks/main.yaml b/roles/pve_firewall_common/tasks/main.yaml index d3b8c80..fc20b02 100644 --- a/roles/pve_firewall_common/tasks/main.yaml +++ b/roles/pve_firewall_common/tasks/main.yaml 
@@ -1,19 +1,42 @@ -- name: Configure aliases - ansible.builtin.include_tasks: - file: aliases.yaml +- name: Validate aliases + run_once: true + loop: "{{ pve_firewall_aliases | default([]) }}" + loop_control: + loop_var: alias + ansible.builtin.assert: + quiet: true + that: + - (alias.name | regex_search("[A-Za-z][A-Za-z0-9\-\_]+")) == alias.name + - (alias.name | length) <= 64 -- name: Configure ipsets - ansible.builtin.include_tasks: - file: ipsets.yaml +- name: Validate ipsets + run_once: true + loop: "{{ pve_firewall_ipsets | default([]) }}" + loop_control: + loop_var: ipset + ansible.builtin.assert: + quiet: true + that: + - (ipset.name | regex_search("[A-Za-z][A-Za-z0-9\-\_]+")) == ipset.name + - (ipset.name | length) <= 64 -- name: Configure security groups - ansible.builtin.include_tasks: - file: security-groups.yaml +- name: Validate security groups + run_once: true + loop: "{{ pve_firewall_security_groups | default([]) }}" + loop_control: + loop_var: group + ansible.builtin.assert: + quiet: true + that: + - (group.name | regex_search("[A-Za-z][A-Za-z0-9\-\_]+")) == group.name + - (group.name | length) <= 18 -- name: Configure rules - ansible.builtin.include_tasks: - file: rules.yaml - -- name: Configure options - ansible.builtin.include_tasks: - file: options.yaml \ No newline at end of file +- name: Update firewall file + run_once: true + ansible.builtin.copy: + dest: "{{ pve_firewall_filepath }}" + mode: "0640" + owner: root + group: www-data + force: true + content: "{{ lookup('template', 'firewall-file.j2') }}" diff --git a/roles/pve_firewall_common/tasks/options.yaml b/roles/pve_firewall_common/tasks/options.yaml deleted file mode 100644 index a90a937..0000000 --- a/roles/pve_firewall_common/tasks/options.yaml +++ /dev/null 
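Review bot: "Update firewall file" now renders the whole file with `force: true`, so anything added to `{{ pve_firewall_filepath }}` outside Ansible (for example through the Proxmox UI) is removed on the next run, and nothing in the task says so; a comment such as `# This role owns the whole file: manual edits in the Proxmox UI are overwritten` on that task would make the contract explicit. The three validation tasks check `name` fields only, while `pve_firewall_rules` entries are written verbatim, so an unrecognised rule key (the `macro:` form in the lab vars) still passes. The `regex_search(...) == name` comparison also requires at least two characters because of the trailing `+`, so a one-letter name is rejected; `name is match("^[A-Za-z][A-Za-z0-9\-\_]*$")` is anchored and reads more directly.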
@@ -1,17 +0,0 @@ -- name: Ensure the options section - run_once: true - ansible.builtin.lineinfile: - path: "{{ pve_firewall_filepath }}" - create: false - line: "[OPTIONS]" - state: present - -- name: Configure firewall enabled option - run_once: true - ansible.builtin.lineinfile: - path: "{{ pve_firewall_filepath }}" - create: false - regex: "^enable: .*" - line: "enable: {{ '1' if pve_firewall_enabled else '0' }}" - firstmatch: true - insertafter: "[OPTIONS]" diff --git a/roles/pve_firewall_common/tasks/rules.yaml b/roles/pve_firewall_common/tasks/rules.yaml deleted file mode 100644 index b654a43..0000000 --- a/roles/pve_firewall_common/tasks/rules.yaml +++ /dev/null @@ -1,20 +0,0 @@ -- name: Ensure the rules section - run_once: true - ansible.builtin.lineinfile: - path: "{{ pve_firewall_filepath }}" - create: false - line: "[RULES]" - state: present - -- name: Configure rules - run_once: true - loop: "{{ pve_firewall_rules | default([]) }}" - loop_control: - loop_var: rule - ansible.builtin.lineinfile: - path: "{{ pve_firewall_filepath }}" - create: false - line: "{{ lookup('template', 'firewall-rule.j2', template_vars=dict(rule=rule, default_scope='dc')) }}" - firstmatch: true - insertafter: "[RULES]" - state: present \ No newline at end of file diff --git a/roles/pve_firewall_common/tasks/security-groups.yaml b/roles/pve_firewall_common/tasks/security-groups.yaml deleted file mode 100644 index 2f2e580..0000000 --- a/roles/pve_firewall_common/tasks/security-groups.yaml +++ /dev/null @@ -1,12 +0,0 @@ -- name: Configure security group - run_once: true - loop: "{{ pve_firewall_security_groups | default([]) }}" - loop_control: - loop_var: group - ansible.builtin.blockinfile: - path: "{{ pve_firewall_filepath }}" - create: false - prepend_newline: true - state: present - marker: "# {mark} Ansible managed group ({{ group.name }})" - block: "{{ lookup('template', 'security-group.j2', template_vars=dict(group=group, default_scope=pve_firewall_default_scope)) }}" 
diff --git a/roles/pve_firewall_common/templates/firewall-file.j2 b/roles/pve_firewall_common/templates/firewall-file.j2 index e69de29..63f8caa 100644 --- a/roles/pve_firewall_common/templates/firewall-file.j2 +++ b/roles/pve_firewall_common/templates/firewall-file.j2 @@ -0,0 +1,28 @@ +[OPTIONS] + +enable: {{ '1' if pve_firewall_enabled else '0' }} + +{% if pve_firewall_aliases | default([]) | length > 0 %} +[ALIASES] + +{% for alias in pve_firewall_aliases %} +{{ alias.name }} {{ alias.cidr }} +{%- endfor %} +{%- endif %} + +{% for ipset in pve_firewall_ipsets %} + +{{ lookup('template', 'ipset.j2', template_vars=dict(ipset=ipset, default_scope=pve_firewall_default_scope)) }} +{%- endfor %} + +{% for group in pve_firewall_security_groups %} +{{ lookup('template', 'security-group.j2', template_vars=dict(group=group, default_scope=pve_firewall_default_scope)) }} +{%- endfor %} + +{%- if pve_firewall_rules | default([]) | length > 0 %} + +[RULES] +{% for rule in pve_firewall_rules %} +{{ lookup('template', 'firewall-rule.j2', template_vars=dict(rule=rule, default_scope=pve_firewall_default_scope)) }} +{%- endfor %} +{%- endif %} diff --git a/roles/pve_firewall_common/templates/firewall-rule.j2 b/roles/pve_firewall_common/templates/firewall-rule.j2 index 1c88dad..33e0cf3 100644 --- a/roles/pve_firewall_common/templates/firewall-rule.j2 +++ b/roles/pve_firewall_common/templates/firewall-rule.j2 
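Review bot: `{% for ipset in pve_firewall_ipsets %}` and `{% for group in pve_firewall_security_groups %}` iterate the variables bare, while the aliases and rules loops guard with `| default([])`; a caller that omits either list (app-container/main.yaml passes no `pve_firewall_security_groups`) presumably fails the template with an undefined variable. `{% for ipset in pve_firewall_ipsets | default([]) %}` and `{% for group in pve_firewall_security_groups | default([]) %}` match the other two loops. A one-line comment at the top of the template naming the `pve_firewall_*` inputs it reads and which of them are optional would document the role's interface in the one place every caller ends up.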
@@ -3,13 +3,14 @@ GROUP {{ rule.name }} {{- lookup('template', 'partials/interface.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} {%- elif rule.type | default("") | lower == "macro" %} - {{- rule.direction | upper }} + {{- rule.direction | upper }}{%raw%} {%endraw%} {{- rule.name }}({{ rule.action | upper }}) {{- lookup('template', 'partials/source.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} {{- lookup('template', 'partials/destination.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} {{- lookup('template', 'partials/interface.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} {{- lookup('template', 'partials/log.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} {%- else %} + {{- rule.direction | upper }}{%raw%} {%endraw%} {{- rule.action | upper }} {{- lookup('template', 'partials/source.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} {{- lookup('template', 'partials/destination.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} diff --git a/roles/pve_firewall_common/templates/ipset.j2 b/roles/pve_firewall_common/templates/ipset.j2 index 9563779..36a7764 100644 --- a/roles/pve_firewall_common/templates/ipset.j2 +++ b/roles/pve_firewall_common/templates/ipset.j2 @@ -1,4 +1,5 @@ [IPSET {{ ipset.name }}] + {% for item in ipset["items"] %} {% if item.type | default("") == "alias" %} {{ item.scope | default(default_scope) }}/{{ item.name }} diff --git a/roles/pve_firewall_common/templates/partials/destination.j2 b/roles/pve_firewall_common/templates/partials/destination.j2 index cc56d12..1d03c40 100644 --- a/roles/pve_firewall_common/templates/partials/destination.j2 +++ b/roles/pve_firewall_common/templates/partials/destination.j2 
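Review bot: The `{%raw%} {%endraw%}` inserted after `rule.direction | upper` in both branches is a roundabout way to emit one space, and a reader needs a moment to see it is there only to survive the `{{-` stripping on the following line. `{{ rule.direction | upper }} {{ rule.name }}({{ rule.action | upper }})` on one line, without the leading `-`, says the same thing plainly, and the plain-rule branch can be written the same way with `rule.action`. The enclosing `{% if %}` chain starts and ends outside the hunk.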
@@ -1,3 +1,3 @@ {%- if rule.source is defined %} - -destination {{ lookup('template', 'partials/host-expression.j2',template_vars=(dict(expression=rule.source, default_scope=default_scope))) }} + -dest {{ lookup('template', 'partials/host-expression.j2',template_vars=(dict(expression=rule.source, default_scope=default_scope))) }} {%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/security-group.j2 b/roles/pve_firewall_common/templates/security-group.j2 index a079e99..889525a 100644 --- a/roles/pve_firewall_common/templates/security-group.j2 +++ b/roles/pve_firewall_common/templates/security-group.j2 @@ -1,4 +1,5 @@ [group {{ group.name }}] + {% for rule in group.rules %} {{ lookup('template', '../../pve_firewall_common/templates/firewall-rule.j2',template_vars=(dict(rule=rule,default_scope=default_scope))) }} {% endfor %} \ No newline at end of file From f550343b7e84c0eeaed69264b431aac4b5e287e5 Mon Sep 17 00:00:00 2001 
From: Lukas Holota Date: Thu, 7 Mar 2024 12:55:43 +0100 Subject: [PATCH 19/51] Coredns --- .../{pve_nodes => all}/users.sops.yaml | 0 .../group_vars/app_containers/general.yaml | 1 - .../group_vars/app_containers/users.sops.yaml | 46 ---------------- .../lab/group_vars/app_coredns/coredns.yaml | 17 ++++++ .../lab/group_vars/pve_nodes/general.yaml | 4 +- ..._coredns.yaml => app_coredns_primary.yaml} | 18 ++---- .../lab/host_vars/app_coredns_secondary.yaml | 19 +++++++ environments/lab/hosts.yaml | 12 ++-- playbooks/apps/_common.yaml | 11 ++++ playbooks/apps/coredns.yaml | 21 +++---- playbooks/proxmox-nodes.yaml | 5 ++ playbooks/test.yaml | 21 +++---- requirements.yaml | 2 +- roles/app-container/tasks/container.yaml | 55 ++++--------------- roles/app-container/tasks/firewall.yaml | 12 +++- roles/app-container/tasks/init.yaml | 27 +++++++++ roles/app-container/tasks/main.yaml | 25 +++++---- roles/app-container/tasks/ssh.yaml | 15 +++++ roles/app-container/templates/init-script.j2 | 37 +++++++++++++ roles/app-container/templates/pct-set.j2 | 24 ++++++++ roles/app-coredns/tasks/configure.yaml | 16 ++++++ roles/app-coredns/tasks/install.yaml | 25 +++++++++ roles/app-coredns/tasks/main.yaml | 21 +++++++ roles/app-coredns/tasks/systemd.yaml | 19 +++++++ roles/app-coredns/templates/corefile.j2 | 18 ++++++ roles/app-coredns/templates/systemd-unit.j2 | 17 ++++++ roles/pve_firewall_common/tasks/main.yaml | 10 +++- .../templates/firewall-file.j2 | 4 +- 28 files changed, 350 insertions(+), 152 deletions(-) rename environments/lab/group_vars/{pve_nodes => all}/users.sops.yaml (100%) delete mode 100644 environments/lab/group_vars/app_containers/general.yaml delete mode 100644 environments/lab/group_vars/app_containers/users.sops.yaml create mode 100644 environments/lab/group_vars/app_coredns/coredns.yaml rename environments/lab/host_vars/{app_coredns.yaml => app_coredns_primary.yaml} (60%) create mode 100644 environments/lab/host_vars/app_coredns_secondary.yaml create mode 100644 
playbooks/apps/_common.yaml create mode 100644 roles/app-container/tasks/init.yaml create mode 100644 roles/app-container/tasks/ssh.yaml create mode 100644 roles/app-container/templates/init-script.j2 create mode 100644 roles/app-container/templates/pct-set.j2 create mode 100644 roles/app-coredns/tasks/configure.yaml create mode 100644 roles/app-coredns/tasks/install.yaml create mode 100644 roles/app-coredns/tasks/main.yaml create mode 100644 roles/app-coredns/tasks/systemd.yaml create mode 100644 roles/app-coredns/templates/corefile.j2 create mode 100644 roles/app-coredns/templates/systemd-unit.j2 diff --git a/environments/lab/group_vars/pve_nodes/users.sops.yaml b/environments/lab/group_vars/all/users.sops.yaml similarity index 100% rename from environments/lab/group_vars/pve_nodes/users.sops.yaml rename to environments/lab/group_vars/all/users.sops.yaml diff --git a/environments/lab/group_vars/app_containers/general.yaml b/environments/lab/group_vars/app_containers/general.yaml deleted file mode 100644 index a03e94e..0000000 --- a/environments/lab/group_vars/app_containers/general.yaml +++ /dev/null @@ -1 +0,0 @@ -ansible_user: root diff --git a/environments/lab/group_vars/app_containers/users.sops.yaml b/environments/lab/group_vars/app_containers/users.sops.yaml deleted file mode 100644 index 6454d6f..0000000 --- a/environments/lab/group_vars/app_containers/users.sops.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -users_root_password: ENC[AES256_GCM,data:PZzlveMWJes=,iv:6sdOBQTPO8zYOfyX3GBuyhTwFJu6oM1yTkdaALdwc9k=,tag:muPFihvLypNwxi3GfKS0XQ==,type:str] -users_root_password_salt: ENC[AES256_GCM,data:bIh4HuKVKIB1tqOF3v/Jvw==,iv:d8vO9fkguP/pTcFlDxweF8JDkjrRaNDfxkEciyNzVqY=,tag:nU8rshht6ZhaaGutUmkyag==,type:str] -users_root_public_keys: - - ENC[AES256_GCM,data:CVajSr/sEc1dv9r5n4QG370tpghd99kwSVoGeFrDR7tHgGorNYAwEXlHKUEBtoyRNQvs68TSHQiGoNiZfiuPFmcu8Rrl1oaSyMVX0kJLBiH0vum1AB5akMpysH4Bon3IxJ4A/X9GXRl/hQbkHKqWCkQQD5m+rd0i94qQtKtWY0LeaCgOxuEVjsWZthsSVCIQit5Zi3aouKvoS4uRmGcZz4oA92urtRmeBZ3MJdP0NXy3lEH/0YA53zW+C8motQe+isikkQb2dL95DZart6R2zsDkO+B8dnu1McudiY75x4g9CmMjs0srnTHbaJ6cbCJdi61dvm1S+3uAMJ1tjgol2Tu/4/3+lB3MvUgK/8ErE8tBUCx91UUYt/6cev0RZ+eXCC3X63NzKBebFqcCq3BzHDHr970RBTgUTzINboYF/NrfoGRiQNylcckF1vnk5zj6qdnafId/tvZdSYBVP5ww4JERev4D8pFr+O8pCXX3s4NqXCW0df1exbLtzdpRTU9jMl2k7sh+yL1fd3iUuI4cYF+nePfcTeCqbJoQx223HpEED63MB9IiMWirtf0LilCE0M1uWVYw9f/oZeey0cNeemt5JAwPOtEtvI+szkgmUpTExJGWBtMEcOZ/VlDoGZ/J2ARlxDpoQtVZ8ulsgFHEpHLIsPkYTiqd/3Yv28s3VXAEQXCuIujhVL7nhSj5OGpcUS6lWLvhxiO5xS/XPg2ssEsmVnEh3ASTJJmmOZPqXov9FTfVE+PfqUqLENKLT99H7roove7E9VW1eBuwsbs8gB0L10DhAx+qcDmSXQdX5sAAKkifh4r1EBvmDBLK38pey623fN0xfHxHO473qxHwnZ7Z7DSXS/kZBpzpU6XaPxsSQPBSr8KE4FDYOjFcciBOCegNJdeVJlwHxGF+sVjB+yG66wQtYtYaRU/6JB5q7Qv/FOJHwPpVlN2cOkFIRBAjE8eoXw==,iv:xRwREsAghivufF8uaU//PXeOohaoVBPQE8A24vyX6BE=,tag:jbr50UoopLQeao8JLyH/8Q==,type:str] - - ENC[AES256_GCM,data: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,iv:Y9EdUxjC3Ge95u87a6pcFWohtDl28ozAS06X5IIcQE8=,tag:G7l28Vr8mvW+cJIBY3Gm1w==,type:str] - - ENC[AES256_GCM,data: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,iv:KxqUgadkGhCwMRM6xjlt0Iy6bAiAN1MB2r46Twz4dig=,tag:AShP4PfmIll9UMOH1bmMGA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlcGtqLzVYSDNidlZYZXlx - cUFnRkV1SlZyZzNQSHIxRm9ZVVVkSFhPeDJBCkN6ZXQ0a01zR3R5WWxQMEJncWRI - NGFiN2VGMEtqc0J4MEJIT0JPTXNhbmsKLS0tIGVSMlR5Rm4yVjc2R3EvQ2ZOSEVt - R1N0bStSdEJjaW1wMXJMVzNvclpvMTAKulRaHwKsz0poqTfDEGAE8iICYIw5X6gD - a8uhf0O3I+kaHvfJUo5s6BXKdUh6utdjozYWGOUsfaOAjzm21noM2g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-01T14:11:32Z" - mac: ENC[AES256_GCM,data:UfPe5+aaR46H59VDDcRe3odxcFjEybBN38ehHAX9kCVFdlnLKmxB3Q2oU7UmG4TuXGUq7Dqa6jMu3ELpORP/L4Ys6ELNfJsBSWhzsbm7yK//EOWv1CV5VAWGiDsCPVKsAdV43WappE710I5BWFJGC5u2svR0auh9JSiPP5Fg7rQ=,iv:3ed8TAqmv3VQCiQgr2nAoNe/ReWp59uJgIyqYBmOi4w=,tag:sPBanLFsBLMGKsCmlHGrYQ==,type:str] - pgp: - - created_at: "2024-03-01T14:07:49Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ//Tf1v5ZnPcNH4GGjiqymsvG4sIn5pJbsYgAD+M1wJ1i74 - ZZQneycZQw9J0i0MsaMcaSRcUO7YUWCGweb6rS+fxQB+AlJzDJJaNZEWZeNzuG34 - R8MD5dCyErNWOG9ViC5Rxs8rv6AApXyXofiY8hTnn4zciApA7HOgKPfMXb3ScUK4 - abSEpzHdgnp1OgOfBFOtUFDrJtd/au8IC9Ew4mUy3DcffN7y2Aq/NVPZVelYnYL6 - omx6C3J6m72yYfoJGoO9NKChF10XIVh531SCBI0/mgooeIUgE6L8kwwo5rr5w61V - fgAQVTbbAAT2O/PdlPYKOcKhrhI/SiMzyVd/EROTP1s17Sa3svwPynzJAyU7c2Pd - WBoJanv/zNcitRwxNJqb2FNof2UfYEuYtuFbFEfZDsZuPmtMBwMAnEbM8x62+rOb - OiVFAYyw3Ogv5pq5EEGPxrzKdYSuUop8IG1NZtOWr3VZq0Sr17Bjd3vuw2ks7Sd/ - geYMyzf2ln3BncnnRxFAtlfKFtuliWhQeAv8YW95/vFu5e6m+SQrTlGWlgviah8d - lxJ6PCWg1S1BvgcB0hg2d995msoKNj7lg8rUwe5epTt8dsXLPyhr35hmkVZwKMyb - iIee5/fL87iyPplFr4F/zqKwTskKhl0V+vXdQWzs+TuFSTTxwxeiUU+3Ep3hdkfS - XgE5/5dFd20D3ikx0O9e6EGaj08xuaRu4lITwJ/YHELY92AQM4vNCqtXq0ZwGDyH - +LBnjxylf9LQy8Xv+rS7jo0Ht8x7NuZ1phTuHU8IZ5svUVj/iCX8Qo498yUF65M= - =OiN3 - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/lab/group_vars/app_coredns/coredns.yaml b/environments/lab/group_vars/app_coredns/coredns.yaml new file mode 100644 index 0000000..9cbc440 --- /dev/null 
+++ b/environments/lab/group_vars/app_coredns/coredns.yaml @@ -0,0 +1,17 @@ +app_coredns_version: 1.11.1 + +app_coredns_forwarders_tls_servername: cloudflare-dns.com + +app_coredns_forwarders: + - 1.1.1.1 + - 1.0.0.1 + +app_coredns_records: + - name: dns1-lab.homecentr.one + value: 10.1.8.128 + - name: dns2-lab.homecentr.one + value: 10.1.8.129 + - name: login-lab.homecentr.one + value: 10.1.8.132 + - name: gatus-lab.homecentr.one + value: 10.1.8.132 \ No newline at end of file diff --git a/environments/lab/group_vars/pve_nodes/general.yaml b/environments/lab/group_vars/pve_nodes/general.yaml index b8e97ee..4930dd0 100644 --- a/environments/lab/group_vars/pve_nodes/general.yaml +++ b/environments/lab/group_vars/pve_nodes/general.yaml @@ -18,9 +18,9 @@ pve_cluster_vxlans: - pve3 vnets: - name: cont - tag: 100 + tag: 8 subnets: - - cidr: 192.168.100.0/24 + - cidr: 192.168.8.0/24 pve_cluster_ha_groups: - name: critical-priority-pve1 diff --git a/environments/lab/host_vars/app_coredns.yaml b/environments/lab/host_vars/app_coredns_primary.yaml similarity index 60% rename from environments/lab/host_vars/app_coredns.yaml rename to environments/lab/host_vars/app_coredns_primary.yaml index 13a04a8..0b9d55a 100644 --- a/environments/lab/host_vars/app_coredns.yaml +++ b/environments/lab/host_vars/app_coredns_primary.yaml 
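Review bot: `app_coredns_records` entries are keyed `value:` here, but the `corefile.j2` template added in the same commit reads `host.ip`, so the template lookup trips over an undefined attribute (or renders an empty address, depending on undefined handling) for every record; rename the key to `ip:` — as the later "Coredns working" commit on this page does — or read `host.value` in the template. Quoting the version as `app_coredns_version: "1.11.1"` also makes its string type explicit, since it is interpolated into a download URL and a checksum URL.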
@@ -1,25 +1,19 @@ -ansible_host: 10.1.8.191 -ansible_hostname: coredns-lab -fqdn: coredns-lab.homecentr.one +ansible_host: 10.1.8.128 +ansible_hostname: dns1-lab +fqdn: dns1-lab.homecentr.one app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_memory: 512 -app_container_cpus: 0 # unlimited, should be default app_container_storage_name: dpool app_container_storage_size_gb: 10 +app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: 10.1.8.191/24 + ipv4_address: 10.1.8.128/24 ipv4_gateway: 10.1.8.1 - - name: eth1 - bridge: cont - ipv4_address: dhcp + app_container_pve_node: pve1 app_container_pve_ha_group_name: unrestricted-priority-pve1 -app_container_pve_replication_cron_expression: "*/5" app_container_pve_replication_nodes: - pve2 -app_container_bind_mounts: - - hostpath: /ssl - containerpath: /some-ssl \ No newline at end of file diff --git a/environments/lab/host_vars/app_coredns_secondary.yaml b/environments/lab/host_vars/app_coredns_secondary.yaml new file mode 100644 index 0000000..2cc04b3 --- /dev/null +++ b/environments/lab/host_vars/app_coredns_secondary.yaml @@ -0,0 +1,19 @@ +ansible_host: 10.1.8.129 +ansible_hostname: dns2-lab +fqdn: dns2-lab.homecentr.one + +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 512 +app_container_storage_name: dpool +app_container_storage_size_gb: 10 +app_container_pve_replication_cron_expression: "*/5" +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.129/24 + ipv4_gateway: 10.1.8.1 + +app_container_pve_node: pve2 +app_container_pve_ha_group_name: unrestricted-priority-pve2 +app_container_pve_replication_nodes: + - pve1 diff --git a/environments/lab/hosts.yaml b/environments/lab/hosts.yaml index 5d5306f..5928044 100644 --- a/environments/lab/hosts.yaml +++ b/environments/lab/hosts.yaml 
@@ -6,10 +6,8 @@ all: pve2: pve3: app_containers: - # children: - # app_coredns: - # hosts: - # app_coredns_primary: - # app_coredns_secondary: - hosts: - app_coredns: \ No newline at end of file + children: + app_coredns: + hosts: + app_coredns_primary: + app_coredns_secondary: \ No newline at end of file diff --git a/playbooks/apps/_common.yaml b/playbooks/apps/_common.yaml new file mode 100644 index 0000000..6f08cc7 --- /dev/null +++ b/playbooks/apps/_common.yaml @@ -0,0 +1,11 @@ +- name: Configure users + ansible.builtin.import_role: + name: homecentr.system.users + +- name: Configure ssh + ansible.builtin.import_role: + name: homecentr.system.ssh + +- name: Configure motd + ansible.builtin.import_role: + name: homecentr.system.motd \ No newline at end of file diff --git a/playbooks/apps/coredns.yaml b/playbooks/apps/coredns.yaml index 470236d..c35ec67 100644 --- a/playbooks/apps/coredns.yaml +++ b/playbooks/apps/coredns.yaml @@ -5,24 +5,25 @@ any_errors_fatal: true tags: create-container tasks: - # Create container - name: Create application container ansible.builtin.import_role: name: ../../roles/app-container vars: - container_inventory_name: app_coredns + container_inventory_name: app_coredns_primary + # TODO: Add loop of all instances - name: Setup Coredns containers - hosts: app_coredns + hosts: app_coredns_primary # TODO: Replace with group become: true become_method: ansible.builtin.sudo any_errors_fatal: true tags: configure-container tasks: - - name: Dummy - ansible.builtin.copy: - dest: /tmp/test.txt - owner: root - group: root - mode: 0666 - content: Hello, world! \ No newline at end of file + - name: Run common set up + ansible.builtin.include_tasks: + file: _common.yaml + + - name: Install coredns + ansible.builtin.import_role: + name: ../../roles/app-coredns + \ No newline at end of file diff --git a/playbooks/proxmox-nodes.yaml b/playbooks/proxmox-nodes.yaml index 35ff252..2f5e1b8 100644 --- a/playbooks/proxmox-nodes.yaml 
+++ b/playbooks/proxmox-nodes.yaml @@ -46,6 +46,11 @@ name: homecentr.proxmox.pve_corosync_fix tags: [ corosync ] + - name: Remove the no-subscription warning + ansible.builtin.import_role: + name: homecentr.proxmox.pve_nosubs_warning + tags: [ no-subs-warning ] + - name: Configure ACME ansible.builtin.import_role: name: homecentr.proxmox.pve_acme diff --git a/playbooks/test.yaml b/playbooks/test.yaml index 7b76619..fd38ebe 100644 --- a/playbooks/test.yaml +++ b/playbooks/test.yaml @@ -1,16 +1,13 @@ -- name: Proxmox Virtual Environment Configuration - hosts: pve_nodes +- name: Test + hosts: localhost become: true become_method: ansible.builtin.sudo any_errors_fatal: true - vars: - hosts: - - pve1 - - pve2 tasks: - - name: Debug - run_once: true - debug: - #msg: "{{ hosts }}" - msg: "{{ hosts | map('extract', hostvars, 'ansible_host') | join(',') }}" - #msg: "{{ ansible_play_hosts_all }}" + - name: Replace dialog script + ansible.builtin.replace: + path: /tmp/proxmoxlib.js + before: "title:\\s+gettext\\('No valid subscription'\\)" + regexp: 'Ext\.Msg\.show' + replace: 'void' + backup: true \ No newline at end of file diff --git a/requirements.yaml b/requirements.yaml index 8bffef1..317c668 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -17,7 +17,7 @@ collections: version: 1.6.0 - name: https://github.com/homecentr/ansible-collection-system type: git - version: master + version: origin/fix/ssh #master - name: https://github.com/homecentr/ansible-collection-proxmox type: git version: origin/fix/https-forward-2 # master diff --git a/roles/app-container/tasks/container.yaml b/roles/app-container/tasks/container.yaml index 4796563..0c2167d 100644 --- a/roles/app-container/tasks/container.yaml +++ b/roles/app-container/tasks/container.yaml @@ -1,4 +1,4 @@ -- name: Create new container with minimal options +- name: Create app container run_once: true community.general.proxmox: api_user: root@pam 
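Review bot: `version: origin/fix/ssh #master` pins the homecentr.system collection to a mutable branch, so what `ansible-galaxy install` fetches can change (or be force-pushed) without any change in this repository, and the user/ssh handling added in this commit depends on roles from that collection. Pin to an immutable reference once the fix lands, e.g. `version: <tag-or-commit-sha>` (placeholder), and keep the branch only as a temporary override explained in the comment. The unchanged context line pins the proxmox collection to `origin/fix/https-forward-2` with the same concern.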
@@ -6,41 +6,15 @@ api_host: "localhost" node: "{{ hostvars[container_vars.app_container_pve_node].ansible_hostname }}" password: "{{ users_root_password }}" - hostname: "{{ container_vars.ansible_hostname }}" ostemplate: "{{ container_vars.app_container_ostemplate }}" - memory: "{{ container_vars.app_container_memory }}" - cpus: "{{ container_vars.app_container_cpus }}" - unprivileged: "{{ container_vars.app_container_unprivileged | default(true) }}" - swap: "{{ container_vars.app_container_swap_mb | default(512) }}" - disk: "{{ container_vars.app_container_storage_name }}:{{ container_vars.app_container_storage_size_gb }},replicate=1" - pubkey: "{{ container_vars.users_root_public_keys | join('\n') }}" - onboot: "{{ container_vars.start_onboot | default(true) }}" - netif: "{{ lookup('template', 'network-interfaces.j2', template_vars=dict(app_container_network_interfaces=container_vars.app_container_network_interfaces)) }}" - state: present - -- name: Create new container with minimal options - run_once: true - register: container_update - community.general.proxmox: - api_user: root@pam - api_password: "{{ users_root_password }}" - api_host: "localhost" - node: "{{ hostvars[container_vars.app_container_pve_node].ansible_hostname }}" - password: "{{ users_root_password }}" - hostname: "{{ container_vars.ansible_hostname }}" - memory: "{{ container_vars.app_container_memory }}" - cpus: "{{ container_vars.app_container_cpus }}" - unprivileged: "{{ container_vars.app_container_unprivileged | default(true) }}" - swap: "{{ container_vars.app_container_swap_mb | default(512) }}" disk: "{{ container_vars.app_container_storage_name }}:{{ container_vars.app_container_storage_size_gb }},replicate=1" - pubkey: "{{ container_vars.users_root_public_keys | join('\n') }}" - onboot: "{{ container_vars.start_onboot | default(true) }}" - netif: "{{ lookup('template', 'network-interfaces.j2', 
template_vars=dict(app_container_network_interfaces=container_vars.app_container_network_interfaces)) }}" - update: true state: present - name: Wait for the container to be created - register: app_container_info + retries: 10 + delay: 3 + until: (app_container_info_raw is defined) and (app_container_info_raw.proxmox_vms | length) > 0 + register: app_container_info_raw community.general.proxmox_vm_info: api_user: root@pam api_password: "{{ users_root_password }}" @@ -50,20 +24,15 @@ - name: Flatten container info ansible.builtin.set_fact: - app_container_info: "{{ app_container_info.proxmox_vms.0 }}" + app_container_info: "{{ app_container_info_raw.proxmox_vms.0 }}" -- name: Add bind-mounts - register: bind_mounts - loop: container_vars.app_container_bind_mounts - loop_control: - loop_var: bind - ansible.builtin.lineinfile: - path: "/etc/pve/lxc/{{ app_container_info.vmid }}.cfg" - regex: "^mp{{ loop.index - 1 }}: .*" - line: "mp{{ loop.index - 1 }}: {{ bind.hostpath }},mp={{ bind.containerpath }}" +- name: Update existing container values + changed_when: true + ansible.builtin.command: + cmd: "{{ lookup('template', 'pct-set.j2', template_vars=dict(app_container_id=app_container_info.vmid).update(container_vars)) }}" -- name: Stop the container if it's started but definition has changed - when: (container_update.changed or bind_mounts.changed) and app_container_info.status == 'running' and (container_vars.app_container_autorestart_enabled | default(false)) +- name: Stop the container if it's started and definition has changed + when: bind_mounts.changed and app_container_info.status == 'running' and (container_vars.app_container_autorestart_enabled | default(false)) run_once: true community.general.proxmox: api_user: root@pam diff --git a/roles/app-container/tasks/firewall.yaml b/roles/app-container/tasks/firewall.yaml index 06182a7..12ed6f5 100644 --- a/roles/app-container/tasks/firewall.yaml +++ b/roles/app-container/tasks/firewall.yaml 
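Review bot: `template_vars=dict(app_container_id=app_container_info.vmid).update(container_vars)` hands `None` to the template lookup, because Python's `dict.update()` returns `None`, so `pct-set.j2` never sees `app_container_id` or the container vars; the same expression reappears in the `Debug 1` task of the following "Debug" commit on this page. Use the Jinja filter instead: `cmd: "{{ lookup('template', 'pct-set.j2', template_vars=(container_vars | combine({'app_container_id': app_container_info.vmid}))) }}"`. The stop task's `when: bind_mounts.changed and …` now references a register whose task this hunk deletes, so the condition errors on an undefined variable; register the `pct set` task (e.g. `register: app_container_update`) and test `app_container_update.changed` — and note that with `changed_when: true` that is always true, so a running container with autorestart enabled would be stopped on every run until the update task reports change only when `pct config` actually differs. The stop task's body continues past the end of the hunk.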
@@ -1,3 +1,9 @@ -# IPSet -# Alias -# Rules \ No newline at end of file +- ansible.builtin.import_role: + name: "{{ role_path }}/../pve_firewall_common" + vars: + pve_firewall_default_scope: null + pve_firewall_filepath: "/etc/pve/firewall/{{ app_container_info.vmid }}.fw" + pve_firewall_aliases: "{{ container_vars.app_container_firewall_aliases | default([]) }}" + pve_firewall_ipsets: "{{ container_vars.app_container_firewall_ipsets | default([]) }}" + pve_firewall_rules: "{{ container_vars.app_container_firewall_rules | default([]) }}" + pve_firewall_enabled: "{{ container_vars.app_container_firewall_enabled | default(false) }}" \ No newline at end of file diff --git a/roles/app-container/tasks/init.yaml b/roles/app-container/tasks/init.yaml new file mode 100644 index 0000000..8629b7e --- /dev/null +++ b/roles/app-container/tasks/init.yaml @@ -0,0 +1,27 @@ +- name: Check if container has been already initialized + changed_when: false + failed_when: false + register: app_container_init_check + ansible.builtin.command: + cmd: "pct exec {{ app_container_info.vmid }} ls /etc/container-init" + +- name: Create initialization script + when: app_container_init_check.rc != 0 + ansible.builtin.copy: + dest: "/tmp/ct-{{ app_container_info.vmid }}-init.sh" + owner: root + group: root + mode: 0750 + content: "{{ lookup('template', 'init-script.j2') }}" + +- name: Copy init script into the container + when: app_container_init_check.rc != 0 + changed_when: true + ansible.builtin.command: + cmd: "pct push {{ app_container_info.vmid }} /tmp/ct-{{ app_container_info.vmid }}-init.sh /tmp/init.sh --perms 0755" + +- name: Execute init script + when: app_container_init_check.rc != 0 + changed_when: true + ansible.builtin.command: + cmd: "pct exec {{ app_container_info.vmid }} /tmp/init.sh" \ No newline at end of file diff --git a/roles/app-container/tasks/main.yaml b/roles/app-container/tasks/main.yaml index 110bdff..cd3b4fa 100644 --- a/roles/app-container/tasks/main.yaml 
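Review bot: The `when: app_container_init_check.rc != 0` guard in `init.yaml` treats any non-zero `pct exec` exit as "not initialized", so a transient failure (container not yet running, `pct` unavailable on this node) re-runs a script that is not re-entrant (`adduser` and `mkdir` under `set -e` fail on a second pass). Distinguish "marker missing" from "exec failed", for example by probing with `pct exec {{ app_container_info.vmid }} -- test -f /etc/container-init` and treating only the inner `test` exit status as "not initialized" (confirm how `pct exec` propagates the exit code). `mode: 0750` should be the string `"0750"` so YAML cannot reinterpret it, and the script left at `/tmp/init.sh` inside the container and `/tmp/ct-<vmid>-init.sh` on the node should be removed once it has executed.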
+++ b/roles/app-container/tasks/main.yaml @@ -4,6 +4,18 @@ vars: container_vars: "{{ hostvars[container_inventory_name] }}" +- name: Initialize container + run_once: true + ansible.builtin.include_tasks: + file: init.yaml + +- name: Add container to ssh known_hosts + run_once: true + ansible.builtin.include_tasks: + file: ssh.yaml + vars: + container_vars: "{{ hostvars[container_inventory_name] }}" + - name: Configure replication ansible.builtin.include_tasks: file: replication.yaml @@ -17,14 +29,7 @@ container_vars: "{{ hostvars[container_inventory_name] }}" - name: Configure container firewall - ansible.builtin.import_role: - name: "{{ role_path }}/../pve_firewall_common" + ansible.builtin.include_tasks: + file: firewall.yaml vars: - pve_firewall_default_scope: null - pve_firewall_filepath: "/etc/pve/firewall/{{ app_container_info.vmid }}.fw" - pve_firewall_aliases: "{{ pve_cluster_firewall_aliases }}" - pve_firewall_ipsets: "{{ pve_cluster_firewall_ipsets }}" - pve_firewall_rules: "{{ pve_cluster_firewall_rules }}" - pve_firewall_enabled: "{{ pve_cluster_firewall_enabled }}" - -# TODO: Support bindmounts (e.g for ssl cert mount) \ No newline at end of file + container_vars: "{{ hostvars[container_inventory_name] }}" \ No newline at end of file diff --git a/roles/app-container/tasks/ssh.yaml b/roles/app-container/tasks/ssh.yaml new file mode 100644 index 0000000..074cfa4 --- /dev/null +++ b/roles/app-container/tasks/ssh.yaml @@ -0,0 +1,15 @@ +- name: Scan for container SSH host keys + become: false + delegate_to: localhost + changed_when: false + register: app_container_ssh_scan + ansible.builtin.shell: + cmd: ssh-keyscan {{ container_vars.ansible_host }} 2>/dev/null + +- name: Update known_hosts + become: false + delegate_to: localhost + ansible.builtin.known_hosts: + key: "{{ item }}" + name: "{{ container_vars.ansible_host }}" + with_items: "{{ app_container_ssh_scan.stdout_lines }}" \ No newline at end of file 
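Review bot: `ssh-keyscan` followed by `known_hosts` in `ssh.yaml` trusts whatever key answers on the network at first contact, so the entry this role writes is only as trustworthy as the path between the controller and `container_vars.ansible_host` at that moment. The node already has a trusted channel into the container through `pct` (as `init.yaml` uses), so read the host keys from inside the container on the node that hosts it and feed those to `known_hosts`, as sketched below; the `delegate_to` on the first task matters because `pct` only works on the hosting node, which the "Debug" commit later on this page also notes. With the keys coming from the container, the shell task and its `2>/dev/null` are no longer needed.
```yaml
- name: Read container SSH host keys through pct
  delegate_to: "{{ container_vars.app_container_pve_node }}"
  changed_when: false
  register: app_container_ssh_hostkeys
  ansible.builtin.command:
    cmd: "pct exec {{ app_container_info.vmid }} -- sh -c 'cat /etc/ssh/ssh_host_*_key.pub'"

- name: Update known_hosts
  become: false
  delegate_to: localhost
  ansible.builtin.known_hosts:
    name: "{{ container_vars.ansible_host }}"
    key: "{{ container_vars.ansible_host }} {{ item }}"
  with_items: "{{ app_container_ssh_hostkeys.stdout_lines }}"
```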
diff --git a/roles/app-container/templates/init-script.j2 b/roles/app-container/templates/init-script.j2 new file mode 100644 index 0000000..becf445 --- /dev/null +++ b/roles/app-container/templates/init-script.j2 @@ -0,0 +1,37 @@ +#!/usr/bin/env bash + +set -e + +apt-get update +apt-get install -y sudo + +# Enable passwordless sudo +sed -i -E 's/%sudo\s+ALL=\(ALL:ALL\)\s+ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/' /etc/sudoers + +{% for user in users_admin_users %} +# Create user {{ user.username }} +adduser --disabled-password --gecos GECOS {{ user.username }} +usermod -a -G sudo {{ user.username }} + +# Create .ssh directory +mkdir /home/{{ user.username }}/.ssh +chown {{ user.username }} /home/{{ user.username }}/.ssh +chgrp {{ user.username }} /home/{{ user.username }}/.ssh +chmod 0700 /home/{{ user.username }}/.ssh + +# Configure public keys +echo "" > /home/{{ user.username }}/.ssh/authorized_keys +{% for public_key in user.public_keys %} +echo "{{ public_key }}" >> /home/{{ user.username }}/.ssh/authorized_keys +{% endfor %} +{% endfor %} + +# Add allowed ssh users +SSH_ALLOWED_USERS="AllowUsers {{ ssh_allowed_users | join(' ') }}" +grep -q "AllowedUsers " /etc/ssh/sshd_config || echo "$SSH_ALLOWED_USERS" >> /etc/ssh/sshd_config + +# Apply sshd changes +systemctl restart sshd + +# Mark container init as finished +touch /etc/container-init \ No newline at end of file diff --git a/roles/app-container/templates/pct-set.j2 b/roles/app-container/templates/pct-set.j2 new file mode 100644 index 0000000..4a04f24 --- /dev/null +++ b/roles/app-container/templates/pct-set.j2 
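Review bot: The idempotency check `grep -q "AllowedUsers " /etc/ssh/sshd_config` looks for a directive that does not exist — the line being written is `AllowUsers …` — so the guard never matches and another `AllowUsers` line is appended on every execution; change it to `grep -q "^AllowUsers " /etc/ssh/sshd_config || echo "$SSH_ALLOWED_USERS" >> /etc/ssh/sshd_config`. Editing `/etc/sudoers` in place with `sed` and no validation can lock every admin out of sudo if the pattern ever mismatches; prefer writing the `%sudo … NOPASSWD: ALL` line to a drop-in such as `/etc/sudoers.d/90-admins`, `chmod 0440` it and run `visudo -cf /etc/sudoers.d/90-admins` so that, under `set -e`, a bad file aborts the init instead of taking effect. `authorized_keys` is created root-owned with default permissions inside a user-owned `.ssh`; add `chown {{ user.username }}:{{ user.username }} /home/{{ user.username }}/.ssh/authorized_keys` and `chmod 0600 /home/{{ user.username }}/.ssh/authorized_keys` after the key loop. Running `sshd -t` before `systemctl restart sshd` keeps a bad config from taking the daemon down on a container you can only reach via `pct`.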
@@ -0,0 +1,24 @@ +pct set {{ container_id }} +{%- if app_container_cpu_cores is defined %} --cores {{ app_container_cpu_cores }} \{% endif %} + --features nesting=1{% if app_container_fuse_enabled %},fuse=1{% endif %} \ + --hostname {{ ansible_hostname }} \ + --memory {{ app_container_memory }} \ + {%- for bindmount in app_container_bind_mounts %} + --mp{{ loop.index - 1 }} "{{ bindmount.hostpath }},mp={{ bindmount.containerpath }}" + {%- endfor %} + {%- for nic in app_container_network_interfaces %} + --net{{ loop.index - 1 }} "name={{ nic.name }},bridge={{ nic.bridge }},ip={{ nic.ipv4_address }}{{ ",gw=" + nic.ipv4_gateway if (nic.ipv4_gateway | default("")) != "" else "" }}" \ + {%- endfor %} + {%- if app_container_start_onboot is defined %} + --onboot {{ '1' if (app_container_start_onboot | default(true)) else '0' }} \ + {%- endif %} + {%- if app_container_protection is defined %} + --protection {{ '1' if app_container_protection else '0' }} \ + {%- endif %} + {%- if app_container_startup_order is defined %} + --startup {{ app_container_startup_order }} \ + {%- endif %} + {%- if app_container_swap is defined %} + --swap {{ app_container_swap }} \ + {%- endif %} + --unprivileged {{ '1' if (app_container_unprivileged | default(1)) else '0' }} \ No newline at end of file diff --git a/roles/app-coredns/tasks/configure.yaml b/roles/app-coredns/tasks/configure.yaml new file mode 100644 index 0000000..b0bad46 --- /dev/null +++ b/roles/app-coredns/tasks/configure.yaml @@ -0,0 +1,16 @@ +- name: Create etc directory + ansible.builtin.file: + path: /etc/coredns + owner: coredns + group: coredns + mode: "0770" + state: directory + +- name: Create config file + register: app_coredns_corefile + ansible.builtin.copy: + dest: /etc/coredns/Corefile + owner: coredns + group: coredns + mode: "0660" + content: "{{ lookup('template', 'corefile.j2') }}" \ No newline at end of file 
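Review bot: `/etc/coredns` (`0770`) and `Corefile` (`0660`) in `configure.yaml` are owned by the `coredns` service user with write permission, so the process that parses the config — and that runs with `reload` enabled — can rewrite its own configuration, turning a compromise of the daemon into persistent config. The service only needs to read these; use `owner: root`, `group: coredns` with `mode: "0750"` for the directory and `mode: "0640"` for the Corefile. In `pct-set.j2`, `--features nesting=1` is emitted unconditionally; for an unprivileged container that is mostly harmless, but if `app_container_unprivileged` is ever `false` it widens host exposure, so gating it on a variable like `app_container_fuse_enabled` keeps the decision explicit per container.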
diff --git a/roles/app-coredns/tasks/install.yaml b/roles/app-coredns/tasks/install.yaml new file mode 100644 index 0000000..f516d03 --- /dev/null +++ b/roles/app-coredns/tasks/install.yaml @@ -0,0 +1,25 @@ +- name: Check if version installed + failed_when: false + register: app_coredns_current_version + ansible.builtin.slurp: + path: /etc/coredns-version + +- name: Download coredns + when: (not app_coredns_current_version is succeeded) or (not 'content' in app_coredns_current_version) or (app_coredns_current_version.content | b64decode) != app_coredns_version + ansible.builtin.get_url: + dest: /tmp/coredns.tar.gz + url: "https://github.com/coredns/coredns/releases/download/v{{ app_coredns_version }}/coredns_{{ app_coredns_version }}_linux_amd64.tgz" + checksum: "sha256:https://github.com/coredns/coredns/releases/download/v{{ app_coredns_version }}/coredns_{{ app_coredns_version }}_linux_amd64.tgz.sha256" + +- name: Extract coredns + when: (not app_coredns_current_version is succeeded) or (not 'content' in app_coredns_current_version) or (app_coredns_current_version.content | b64decode) != app_coredns_version + ansible.builtin.unarchive: + src: /tmp/coredns.tar.gz + dest: /usr/bin + remote_src: true + +- name: Create marker file + ansible.builtin.copy: + dest: /etc/coredns-version + content: "{{ app_coredns_version }}" + force: true \ No newline at end of file diff --git a/roles/app-coredns/tasks/main.yaml b/roles/app-coredns/tasks/main.yaml new file mode 100644 index 0000000..d9a5866 --- /dev/null +++ b/roles/app-coredns/tasks/main.yaml 
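Review bot: The `when:` expression on the download and extract tasks is duplicated verbatim, and its first clause `not app_coredns_current_version is succeeded` is always false because `failed_when: false` forces the slurp result to count as succeeded; compute the decision once with `ansible.builtin.set_fact:` / `app_coredns_needs_install: "{{ ('content' not in app_coredns_current_version) or ((app_coredns_current_version.content | b64decode) != app_coredns_version) }}"` and use `when: app_coredns_needs_install` on both tasks. Registering the extract task (e.g. `register: app_coredns_extract`) would let the systemd tasks restart the service when the binary changes, which nothing does today. The `checksum:` URL comes from the same release as the archive, so it guards against a corrupted transfer rather than a tampered release; that is acceptable for a lab but worth a one-line comment so nobody reads it as signature verification. `unarchive` into `/usr/bin` extracts every member of the tarball; restricting it with `extra_opts: ["coredns"]` (the tar member name — confirm against the archive listing) keeps the install explicit if upstream ever ships more than the binary.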
@@ -0,0 +1,21 @@ +- name: Create coredns group + ansible.builtin.user: + name: coredns + +- name: Create coredns user + ansible.builtin.user: + name: coredns + group: coredns + create_home: false + +- name: Install coredns + ansible.builtin.include_tasks: + file: install.yaml + +- name: Configure coredns + ansible.builtin.include_tasks: + file: configure.yaml + +- name: Configure systemd + ansible.builtin.include_tasks: + file: systemd.yaml \ No newline at end of file diff --git a/roles/app-coredns/tasks/systemd.yaml b/roles/app-coredns/tasks/systemd.yaml new file mode 100644 index 0000000..9b8c99f --- /dev/null +++ b/roles/app-coredns/tasks/systemd.yaml @@ -0,0 +1,19 @@ +- name: Create systemd unit file + ansible.builtin.copy: + dest: /etc/systemd/system/coredns.service + owner: root + group: root + mode: "0644" + content: "{{ lookup('template', 'systemd-unit.j2') }}" + +- name: Enable service + ansible.builtin.systemd_service: + name: coredns + enabled: true + daemon_reload: true + state: present + +- name: (Re)start service + ansible.builtin.systemd_service: + name: coredns + state: "{{ 'restarted' if app_coredns_corefile.changed else 'started' }}" \ No newline at end of file diff --git a/roles/app-coredns/templates/corefile.j2 b/roles/app-coredns/templates/corefile.j2 new file mode 100644 index 0000000..2796144 --- /dev/null +++ b/roles/app-coredns/templates/corefile.j2 @@ -0,0 +1,18 @@ +. { + log + errors + hosts { + {%- for host in app_coredns_records %} + {{ host.ip }} {{ host.name }} + {%- endfor %} + } + forward . {% for forwarder in app_coredns_forwarders %}tls://{{ forwarder }} {% endfor %} { + tls_servername {{ app_coredns_forwarders_tls_servername }} + max_concurrent 1000 + } + cache 30 + prometheus localhost:9153 # TODO: Internal IP ? + loop + reload + loadbalance +} \ No newline at end of file diff --git a/roles/app-coredns/templates/systemd-unit.j2 b/roles/app-coredns/templates/systemd-unit.j2 new file mode 100644 index 0000000..b9305c9 
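Review bot: `Create coredns group` uses `ansible.builtin.user`, not `ansible.builtin.group`, so it creates a user named `coredns` with a default primary group and the following `Create coredns user` task then adjusts that account; the end state is an ordinary login account for a network daemon. Use `ansible.builtin.group:` with `name: coredns` and `system: true` for the first task, and add `system: true` and `shell: /usr/sbin/nologin` to the user task so the daemon account cannot be used interactively.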
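Review bot: `state: present` is not an accepted value for `ansible.builtin.systemd_service` (its `state` takes started/stopped/restarted/reloaded), so the `Enable service` task in `systemd.yaml` fails before the service is ever started; drop `state:` from that task and let `(Re)start service` drive the state. That task restarts only when the Corefile changed, so a version bump in `install.yaml` replaces `/usr/bin/coredns` while the running process keeps the old binary; include the install result, e.g. `state: "{{ 'restarted' if (app_coredns_corefile.changed or app_coredns_extract.changed) else 'started' }}"` with `register: app_coredns_extract` on the extract task (a skipped task still registers `changed: false`).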
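Review bot: `{{ host.ip }}` in `corefile.j2` reads a key that the `app_coredns_records` entries in this commit's `group_vars/app_coredns/coredns.yaml` do not define (they use `value:`), so the template lookup fails on the undefined attribute; the later "Coredns working" commit on this page renames the key, which confirms the mismatch. The `hosts` block sits in the root zone `.` without `fallthrough`, and per the plugin's documentation names not present in the block are then answered NXDOMAIN instead of reaching `forward` — add `fallthrough` inside the block if the forwarders are meant to answer everything else (confirm against the CoreDNS hosts plugin docs for this version). `prometheus localhost:9153` is the safer default given the `TODO: Internal IP ?`; if metrics are later bound to the container address, pair that with a matching firewall rule in `app_container_firewall_rules`.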
--- /dev/null +++ b/roles/app-coredns/templates/systemd-unit.j2 @@ -0,0 +1,17 @@ +[Unit] +Description=CoreDNS Server +Documentation=https://coredns.io/manual/ +After=network-online.target +Wants=network-online.target + +[Service] +User=coredns +Group=coredns +AmbientCapabilities=CAP_NET_BIND_SERVICE +Restart=always +WorkingDirectory=/etc/coredns +ExecStart=/usr/bin/coredns +ExecReload=/usr/bin/kill -USR1 $MAINPID + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/pve_firewall_common/tasks/main.yaml b/roles/pve_firewall_common/tasks/main.yaml index fc20b02..7c02c40 100644 --- a/roles/pve_firewall_common/tasks/main.yaml +++ b/roles/pve_firewall_common/tasks/main.yaml @@ -31,12 +31,16 @@ - (group.name | regex_search("[A-Za-z][A-Za-z0-9\-\_]+")) == group.name - (group.name | length) <= 18 +- name: Touch firewall file to make sure it exists + run_once: true + ansible.builtin.file: + path: "{{ pve_firewall_filepath }}" + state: touch + - name: Update firewall file run_once: true ansible.builtin.copy: dest: "{{ pve_firewall_filepath }}" - mode: "0640" - owner: root - group: www-data force: true + unsafe_writes: true content: "{{ lookup('template', 'firewall-file.j2') }}" diff --git a/roles/pve_firewall_common/templates/firewall-file.j2 b/roles/pve_firewall_common/templates/firewall-file.j2 index 63f8caa..f2fcb80 100644 --- a/roles/pve_firewall_common/templates/firewall-file.j2 +++ b/roles/pve_firewall_common/templates/firewall-file.j2 
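Review bot: The unit drops to `coredns` and grants `CAP_NET_BIND_SERVICE`, but nothing prevents the process from regaining privileges or writing outside its config directory; `NoNewPrivileges=true`, `ProtectSystem=strict`, `ProtectHome=true`, `PrivateTmp=true` and a `CapabilityBoundingSet` matching the ambient set are the usual complement for a network-facing daemon and cost nothing for CoreDNS, which only reads `/etc/coredns`. If the Corefile ever gains a plugin that writes to disk, add that path to `ReadWritePaths=`. The sketch below shows the `[Service]` section with these lines added.
```ini
[Service]
User=coredns
Group=coredns
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# … unchanged: Restart, WorkingDirectory, ExecStart, ExecReload …
```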
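Review bot: `state: touch` in the new `Touch firewall file to make sure it exists` task reports `changed` on every run, so the role is never idempotent even when the firewall file is already in place; add `modification_time: preserve` and `access_time: preserve` so an existing file is left alone and only creation counts as a change. Dropping `mode`/`owner`/`group` and adding `unsafe_writes: true` is presumably needed because `/etc/pve` is the pmxcfs FUSE mount, which manages ownership itself and does not support the atomic rename `copy` uses; a comment such as `# /etc/pve is pmxcfs: ownership is managed by the filesystem and atomic writes are unsupported, hence unsafe_writes` would keep the next reader from restoring the explicit permissions and breaking the write.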
@@ -10,12 +10,12 @@ enable: {{ '1' if pve_firewall_enabled else '0' }} {%- endfor %} {%- endif %} -{% for ipset in pve_firewall_ipsets %} +{% for ipset in pve_firewall_ipsets | default([]) %} {{ lookup('template', 'ipset.j2', template_vars=dict(ipset=ipset, default_scope=pve_firewall_default_scope)) }} {%- endfor %} -{% for group in pve_firewall_security_groups %} +{% for group in pve_firewall_security_groups | default([]) %} {{ lookup('template', 'security-group.j2', template_vars=dict(group=group, default_scope=pve_firewall_default_scope)) }} {%- endfor %} From 5fde02bfb3756e0545462ca96bcd73e29ae5e430 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Thu, 7 Mar 2024 13:36:09 +0100 Subject: [PATCH 20/51] Debug --- roles/app-container/tasks/container.yaml | 8 ++++++++ roles/app-container/templates/pct-set.j2 | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/app-container/tasks/container.yaml b/roles/app-container/tasks/container.yaml index 0c2167d..64e45f0 100644 --- a/roles/app-container/tasks/container.yaml +++ b/roles/app-container/tasks/container.yaml @@ -4,6 +4,7 @@ api_user: root@pam api_password: "{{ users_root_password }}" api_host: "localhost" + hostname: "{{ ansible_hostname }}" node: "{{ hostvars[container_vars.app_container_pve_node].ansible_hostname }}" password: "{{ users_root_password }}" ostemplate: "{{ container_vars.app_container_ostemplate }}" 
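Review bot: `hostname: "{{ ansible_hostname }}"` in the create task resolves against the play host — presumably the Proxmox node the role runs on, since the task is `run_once` and uses no `template_vars` — so the container is created with the node's hostname; the line removed by the previous "Coredns" commit used `container_vars.ansible_hostname`, which is the value intended here: `hostname: "{{ container_vars.ansible_hostname }}"`. The later `pct set … --hostname` step would correct it only if the template lookup actually receives the container vars, which the `dict(...).update(...)` expression in this commit still does not provide.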
@@ -26,8 +27,15 @@ ansible.builtin.set_fact: app_container_info: "{{ app_container_info_raw.proxmox_vms.0 }}" + +- name: Debug 1 + debug: + msg: "{{ dict(app_container_id=app_container_info.vmid).update(container_vars)) }}" + +# Note: This must be executed on the node which hosts the container, pct does not work across hosts - name: Update existing container values changed_when: true + when: inventory_hostname == container_vars.app_container_pve_node ansible.builtin.command: cmd: "{{ lookup('template', 'pct-set.j2', template_vars=dict(app_container_id=app_container_info.vmid).update(container_vars)) }}" diff --git a/roles/app-container/templates/pct-set.j2 b/roles/app-container/templates/pct-set.j2 index 4a04f24..53e654d 100644 --- a/roles/app-container/templates/pct-set.j2 +++ b/roles/app-container/templates/pct-set.j2 @@ -1,4 +1,4 @@ -pct set {{ container_id }} +pct set {{ app_container_id }} {%- if app_container_cpu_cores is defined %} --cores {{ app_container_cpu_cores }} \{% endif %} --features nesting=1{% if app_container_fuse_enabled %},fuse=1{% endif %} \ --hostname {{ ansible_hostname }} \ From 4f37818c60a92e838f678de01e015869b4f3f85c Mon Sep 17 00:00:00 2001 
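Review bot: The `Debug 1` message `{{ dict(app_container_id=app_container_info.vmid).update(container_vars)) }}` has an unbalanced closing parenthesis, so the play aborts on a Jinja syntax error before reaching the `pct set` task, and even with the parenthesis removed the expression evaluates to `None` (see the note on the earlier "Coredns" commit's `container.yaml` hunk). If the task is kept as a diagnostic, print the merged mapping the template is meant to receive: `msg: "{{ container_vars | combine({'app_container_id': app_container_info.vmid}) }}"`; otherwise drop it before merging, because `users.sops.yaml` now lives under `group_vars/all`, so `container_vars` carries `users_root_password` and this debug would write it to the run log. The `when: inventory_hostname == container_vars.app_container_pve_node` guard with its comment is the right shape for the `pct set` task.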
From: Lukas Holota Date: Fri, 8 Mar 2024 14:13:00 +0100 Subject: [PATCH 21/51] Coredns working --- .../lab/group_vars/app_coredns/coredns.yaml | 8 ++-- .../lab/group_vars/app_pomerium/pomerium.yaml | 1 + .../group_vars/app_pomerium/secrets.sops.yaml | 47 +++++++++++++++++++ .../lab/group_vars/pve_nodes/general.yaml | 2 +- .../lab/host_vars/app_pomerium_primary.yaml | 19 ++++++++ .../lab/host_vars/app_pomerium_secondary.yaml | 19 ++++++++ environments/lab/hosts.yaml | 6 ++- playbooks/_all.yaml | 3 +- playbooks/apps/coredns.yaml | 17 ++++--- playbooks/apps/pomerium.yaml | 32 +++++++++++++ playbooks/test.yaml | 13 ----- roles/app-acmesh/tasks/main.yaml | 5 ++ roles/app-container/tasks/container.yaml | 25 +++++----- roles/app-container/tasks/ha.yaml | 6 +++ roles/app-container/tasks/main.yaml | 8 +++- roles/app-container/tasks/replication.yaml | 6 +++ roles/app-container/tasks/ssh.yaml | 10 ++-- .../templates/network-interfaces.j2 | 6 --- roles/app-container/templates/pct-set.j2 | 23 +++++---- roles/app-coredns/tasks/systemd.yaml | 9 +--- roles/app-coredns/templates/corefile.j2 | 8 ++-- roles/app-pomerium/tasks/configure.yaml | 9 ++++ roles/app-pomerium/tasks/install.yaml | 17 +++++++ roles/app-pomerium/tasks/main.yaml | 11 +++++ roles/app-pomerium/tasks/systemd.yaml | 24 ++++++++++ roles/app-pomerium/templates/config.j2 | 19 ++++++++ roles/pve_cluster_firewall/tasks/main.yaml | 6 +-- roles/pve_cluster_ha/tasks/main.yaml | 6 +++ roles/pve_cluster_vxlan/tasks/configs.yaml | 35 ++++++++++++++ roles/pve_cluster_vxlan/tasks/ipam.yaml | 7 +++ roles/pve_cluster_vxlan/tasks/main.yaml | 12 +++-- roles/pve_cluster_vxlan/tasks/subnet.yaml | 11 ----- roles/pve_cluster_vxlan/tasks/vnet.yaml | 24 ---------- roles/pve_cluster_vxlan/tasks/zone.yaml | 19 -------- .../templates/subnet-list.j2 | 9 ++++ roles/pve_cluster_vxlan/templates/subnets.j2 | 12 +++++ roles/pve_cluster_vxlan/templates/vnets.j2 | 8 ++++ roles/pve_cluster_vxlan/templates/zones.j2 | 6 +++ 38 files changed, 374 
insertions(+), 134 deletions(-) create mode 100644 environments/lab/group_vars/app_pomerium/pomerium.yaml create mode 100644 environments/lab/group_vars/app_pomerium/secrets.sops.yaml create mode 100644 environments/lab/host_vars/app_pomerium_primary.yaml create mode 100644 environments/lab/host_vars/app_pomerium_secondary.yaml create mode 100644 playbooks/apps/pomerium.yaml delete mode 100644 playbooks/test.yaml create mode 100644 roles/app-acmesh/tasks/main.yaml delete mode 100644 roles/app-container/templates/network-interfaces.j2 create mode 100644 roles/app-pomerium/tasks/configure.yaml create mode 100644 roles/app-pomerium/tasks/install.yaml create mode 100644 roles/app-pomerium/tasks/main.yaml create mode 100644 roles/app-pomerium/tasks/systemd.yaml create mode 100644 roles/app-pomerium/templates/config.j2 create mode 100644 roles/pve_cluster_vxlan/tasks/configs.yaml create mode 100644 roles/pve_cluster_vxlan/tasks/ipam.yaml delete mode 100644 roles/pve_cluster_vxlan/tasks/subnet.yaml delete mode 100644 roles/pve_cluster_vxlan/tasks/vnet.yaml delete mode 100644 roles/pve_cluster_vxlan/tasks/zone.yaml create mode 100644 roles/pve_cluster_vxlan/templates/subnet-list.j2 create mode 100644 roles/pve_cluster_vxlan/templates/subnets.j2 create mode 100644 roles/pve_cluster_vxlan/templates/vnets.j2 create mode 100644 roles/pve_cluster_vxlan/templates/zones.j2 diff --git a/environments/lab/group_vars/app_coredns/coredns.yaml b/environments/lab/group_vars/app_coredns/coredns.yaml index 9cbc440..bfda1c5 100644 --- a/environments/lab/group_vars/app_coredns/coredns.yaml +++ b/environments/lab/group_vars/app_coredns/coredns.yaml 
@@ -8,10 +8,10 @@ app_coredns_forwarders: app_coredns_records: - name: dns1-lab.homecentr.one - value: 10.1.8.128 + ip: 10.1.8.128 - name: dns2-lab.homecentr.one - value: 10.1.8.129 + ip: 10.1.8.129 - name: login-lab.homecentr.one - value: 10.1.8.132 + ip: 10.1.8.132 - name: gatus-lab.homecentr.one - value: 10.1.8.132 \ No newline at end of file + ip: 10.1.8.132 \ No newline at end of file diff --git a/environments/lab/group_vars/app_pomerium/pomerium.yaml b/environments/lab/group_vars/app_pomerium/pomerium.yaml new file mode 100644 index 0000000..b8eecfb --- /dev/null +++ b/environments/lab/group_vars/app_pomerium/pomerium.yaml @@ -0,0 +1 @@ +app_pomerium_hostname: login-lab.homecentr.one \ No newline at end of file diff --git a/environments/lab/group_vars/app_pomerium/secrets.sops.yaml b/environments/lab/group_vars/app_pomerium/secrets.sops.yaml new file mode 100644 index 0000000..3d9b863 --- /dev/null +++ b/environments/lab/group_vars/app_pomerium/secrets.sops.yaml 
@@ -0,0 +1,47 @@ +app_pomerium_letsencrypt_email: ENC[AES256_GCM,data:o32R3ulDZVq4QlaZJmOkrx/aG4yHUwg=,iv:9Ul6KltiHnfPs9SLdNvktTR1iwtEz7jrKJ9RzS3ZUyE=,tag:iycUBPx8SVbZQVLxgOZCNg==,type:str] +app_pomerium_letsencrypt_use_staging: ENC[AES256_GCM,data:CqCEgQ==,iv:EdyGmD3jhs4t6qOwsWo6fMPqYuBZ2E3UsF1OFZi8h68=,tag:1vjpbPJmKrPpvzUnMxWnuw==,type:bool] +app_pomerium_idp_provider: ENC[AES256_GCM,data:BeWU9TwJMg==,iv:Lt6g9zKPVdeq3e3RbKlyaOnX4IyndcxNOqS//Zsxams=,tag:07vgPtg9W8agifG7QrdHcQ==,type:str] +app_pomerium_idp_client_id: ENC[AES256_GCM,data:Wpz/jOMkBel3eUsrpfiRUz7qOdMBSE3/FIYwbXrmKdw8pS5j,iv:bJd0Hwf2Z14oXayoB1Zf0tYxJqupvr3GjMNXuzzrebU=,tag:lmjnOH/jLM87+GuBE/kBLg==,type:str] +app_pomerium_idp_client_secret: ENC[AES256_GCM,data:RUAcrW/hIBPpPffbX3XTZDQHqdrYyF1/eByga1yZSiARUl/cdSsNYA==,iv:KPpimeDMB7oxpFMDb8AFZpySGfJtIAnB0ZXaDgzAlyQ=,tag:16b8scdDn8t9nNqKBVRgAw==,type:str] +app_pomerium_idp_provider_url: ENC[AES256_GCM,data:HxSh2Xu4EvYn3fGgpTc5ZnoEv2hL62Lg/gMX3aO3PuasMM+Y0b8ixLDNz2QGMzzWmMhJlYvTzS24+M2RDBFWnakYLpfELT404evz,iv:zxQ2M25o2HbzBbKyrNCL2i32gXEc0WZiDwdA4OD4uoU=,tag:NuLhRcVakfEFE3RrYRNo6A==,type:str] +app_pomerium_cookie_secret: ENC[AES256_GCM,data:AxSiccltyyhamL/ddS3656P7wfVZVnA7lsdogOhO6/l9GHZO+RWERCVhcnc=,iv:KApzn0Ce5Zp49FIa2rqEwPHqD+vrbETM59GL3pIdj4g=,tag:vXY0jb54xR6tFh6QNEU6zg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSHZGZnQ2Szh3OXk1MVlJ + dTQydEZxSWRGRXczcDdEb1J4S1VPR3JqbXlnCndyOExGZDJqQUpneXdCMC8vcndK + QklvS3Rtc1ZHOFRBTnp6NzdNZ3JmdDgKLS0tIExJTTF1SUxlN0psbmpYdXV5c0Fh + SHpnRHlnWnBwWUQwTk5jVHJSdEdCUUkK59zwMk1ZNsBdvo4I26Hv7lrrkmJ5jeVE + TwbEthfwlCwmCOtId+zuolCZwZbAxrayIdWgtlOCpX0myDrGX0qx4g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-07T21:04:42Z" + mac: 
ENC[AES256_GCM,data:rcv/fORx0QvRnhgETP7crsDb2c0cLSoMqa0v9fQPRpMqGL++Pc99LNjvK9nheGoSHnb2WqsemXeLIwGxvqbrzdbkuDZliS7pX+BwvoRtqH6obtDvk+Gv3yYtSAFMlcKU5uVddq0h+ABlLEYm86zAuKP6eQwA+OxnqJpBkrW+K3w=,iv:mWlUWzBUzYDojxwG/volsWd5eacnxN0jlwy5yAZu0c0=,tag:liPO9M9N4PpMnjSYPqwL5g==,type:str] + pgp: + - created_at: "2024-03-07T21:01:19Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA7Pg+ndCcR5CAQ//TaWYnk0QfSwq39kQKGNkH3C1pq0DHjjDcosttXRKVT6A + dBo+hjvfrxHWOaRrP2ABuNzmkbcZ98Os8qk+Z0NFioZllL42mGrB8+p4TyZl9n9D + ai9tGncA/ByWEgdzBCqp8utZk6nG0BJ+PfyA9014mAU0GROek5y+OUwjNDkZXZ6u + YbPQsoUj316rONWtSgf/8+SDeu7J5k9gKwhkDcj2V6KDVC6VdCF6NAXQKvrYTKfh + X2MAABCE/yn6Gs7pYymjJJGxPYGxjh5huk0C89nZW1kcmW/DaDh1e5o0CYR/p8RK + iaJmF8i6N6DNFrI3GcCMHb4wqBzDTCBkm+jsFT5f+VUkivANxb/IqfuDJZn54OFz + hke4g0oLnB+JueGVU/wfzYKviVegCVbEbM0dYmSjI24Bp8DDHv/FroUoPAA87lE6 + veTt5mEaayHCBI4ivhQtuPlHBL2ij6DDHSdx4Roi5gGxUmLtUqSg5nQwiItSNdn5 + eaRGfKCaKrpurDECobqTjUZpubxbDbKE52vvJDphB0+TTxVaiTnWjXt/pJ2nhMvS + 9RMiOyJQttrKkDuRR9TOMEVg+urtTlix8Cp7UuCF9RTMqwQu1oQenBHOByHVVrXn + k3Lf5Ue55G9CWtBiUekP4ohsd1JBiz2QDXnkJ6wEA88srzMY8YgrH0ukBnHFOM7S + XgFQig9vICka+uxescA7IbP8g7adUaduepOCewa4HU0Vrun59JZr1b0JzNp8oHVk + Fspn4I9u/EG27gSIdf4M2cEhhvugG5O5n5WWSPv4ovUOFTVEHGk7+tTU1gdMGS0= + =jN6m + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/environments/lab/group_vars/pve_nodes/general.yaml b/environments/lab/group_vars/pve_nodes/general.yaml index 4930dd0..0c5468f 100644 --- a/environments/lab/group_vars/pve_nodes/general.yaml +++ b/environments/lab/group_vars/pve_nodes/general.yaml @@ -20,7 +20,7 @@ pve_cluster_vxlans: - name: cont tag: 8 subnets: - - cidr: 192.168.8.0/24 + - cidr: 10.1.9.0/24 pve_cluster_ha_groups: - name: critical-priority-pve1 diff --git a/environments/lab/host_vars/app_pomerium_primary.yaml b/environments/lab/host_vars/app_pomerium_primary.yaml new file mode 100644 index 0000000..2ba8f5f --- /dev/null 
+++ b/environments/lab/host_vars/app_pomerium_primary.yaml @@ -0,0 +1,19 @@ +ansible_host: 10.1.8.130 +ansible_hostname: pomerium1-lab +fqdn: pomerium1-lab.homecentr.one + +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 512 +app_container_storage_name: dpool +app_container_storage_size_gb: 2 +app_container_pve_replication_cron_expression: "*/5" +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.130/24 + ipv4_gateway: 10.1.8.1 + +app_container_pve_node: pve1 +app_container_pve_ha_group_name: unrestricted-priority-pve1 +app_container_pve_replication_nodes: + - pve2 diff --git a/environments/lab/host_vars/app_pomerium_secondary.yaml b/environments/lab/host_vars/app_pomerium_secondary.yaml new file mode 100644 index 0000000..4f33cce --- /dev/null +++ b/environments/lab/host_vars/app_pomerium_secondary.yaml @@ -0,0 +1,19 @@ +ansible_host: 10.1.8.131 +ansible_hostname: pomerium2-lab +fqdn: pomerium2-lab.homecentr.one + +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 512 +app_container_storage_name: dpool +app_container_storage_size_gb: 2 +app_container_pve_replication_cron_expression: "*/5" +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.131/24 + ipv4_gateway: 10.1.8.1 + +app_container_pve_node: pve2 +app_container_pve_ha_group_name: unrestricted-priority-pve2 +app_container_pve_replication_nodes: + - pve1 diff --git a/environments/lab/hosts.yaml b/environments/lab/hosts.yaml index 5928044..77e1dfa 100644 --- a/environments/lab/hosts.yaml +++ b/environments/lab/hosts.yaml @@ -10,4 +10,8 @@ all: app_coredns: hosts: app_coredns_primary: - app_coredns_secondary: \ No newline at end of file + app_coredns_secondary: + app_pomerium: + hosts: + app_pomerium_primary: + app_pomerium_secondary: \ No newline at end of file 
diff --git a/playbooks/_all.yaml b/playbooks/_all.yaml index c0e85ec..f57532e 100644 --- a/playbooks/_all.yaml +++ b/playbooks/_all.yaml @@ -1,3 +1,4 @@ - import_playbook: proxmox-nodes.yaml - import_playbook: proxmox-cluster.yaml -- import_playbook: apps/powerdns.yaml \ No newline at end of file +- import_playbook: apps/coredns.yaml +- import_playbook: apps/pomerium.yaml \ No newline at end of file diff --git a/playbooks/apps/coredns.yaml b/playbooks/apps/coredns.yaml index c35ec67..f5abfa6 100644 --- a/playbooks/apps/coredns.yaml +++ b/playbooks/apps/coredns.yaml @@ -3,27 +3,30 @@ become: true become_method: ansible.builtin.sudo any_errors_fatal: true - tags: create-container tasks: - name: Create application container - ansible.builtin.import_role: + loop: "{{ groups['app_coredns'] }}" + loop_control: + loop_var: container_inventory_name + ansible.builtin.include_role: name: ../../roles/app-container vars: - container_inventory_name: app_coredns_primary - # TODO: Add loop of all instances + container_inventory_name: "{{ container_inventory_name }}" + tags: [ container ] - name: Setup Coredns containers - hosts: app_coredns_primary # TODO: Replace with group + hosts: app_coredns become: true become_method: ansible.builtin.sudo any_errors_fatal: true - tags: configure-container tasks: - name: Run common set up - ansible.builtin.include_tasks: + ansible.builtin.import_tasks: file: _common.yaml + tags: [ common ] - name: Install coredns ansible.builtin.import_role: name: ../../roles/app-coredns + tags: [ coredns ] \ No newline at end of file diff --git a/playbooks/apps/pomerium.yaml b/playbooks/apps/pomerium.yaml new file mode 100644 index 0000000..46c0fbd --- /dev/null +++ b/playbooks/apps/pomerium.yaml 
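Review bot: The `tags: [ container ]` on the `ansible.builtin.include_role` task tags only the include itself, because `include_role` is dynamic; a run with `--tags container` includes the role and then skips its untagged tasks, so the tag has to be pushed down with `apply: { tags: [ container ] }`. The same applies to the `include_role` in the new playbooks/apps/pomerium.yaml hunk. The `vars: container_inventory_name: "{{ container_inventory_name }}"` entry is redundant, since `loop_var: container_inventory_name` already puts that name in scope for the role, and a self-referencing role param can trip Ansible's recursive-template detection depending on version; dropping the `vars:` block is the simpler fix. The play header (name/hosts) sits above the hunk.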
@@ -0,0 +1,32 @@ +- name: Create application container + hosts: pve_nodes + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Create application container + loop: "{{ groups['app_pomerium'] }}" + loop_control: + loop_var: container_inventory_name + ansible.builtin.include_role: + name: ../../roles/app-container + vars: + container_inventory_name: "{{ container_inventory_name }}" + tags: [ container ] + +- name: Setup Pomerium containers + hosts: app_pomerium_primary # TODO: Replace with group + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Run common set up + ansible.builtin.include_tasks: + file: _common.yaml + tags: [ common ] + + - name: Install pomerium + ansible.builtin.import_role: + name: ../../roles/app-pomerium + tags: [ pomerium ] + \ No newline at end of file diff --git a/playbooks/test.yaml b/playbooks/test.yaml deleted file mode 100644 index fd38ebe..0000000 --- a/playbooks/test.yaml +++ /dev/null @@ -1,13 +0,0 @@ -- name: Test - hosts: localhost - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Replace dialog script - ansible.builtin.replace: - path: /tmp/proxmoxlib.js - before: "title:\\s+gettext\\('No valid subscription'\\)" - regexp: 'Ext\.Msg\.show' - replace: 'void' - backup: true \ No newline at end of file diff --git a/roles/app-acmesh/tasks/main.yaml b/roles/app-acmesh/tasks/main.yaml new file mode 100644 index 0000000..7e510ff --- /dev/null +++ b/roles/app-acmesh/tasks/main.yaml @@ -0,0 +1,5 @@ +# TODO: Install - download probably from GitHub +# TODO: If script does not exist in homedir (of pomerium user), run install + # TODO: Else run --update-account to ensure the e-mail is in sync with the ansible var +# TODO: List certs + # TODO: If cert with domain not in the result above, request certs immediately using a shell command \ No newline at end of file 
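Review bot: `hosts: app_pomerium_primary # TODO: Replace with group` sets up only the primary, while the first play creates a container for every member of `groups['app_pomerium']`, so the secondary container is created but never configured; coredns.yaml in this same commit already moved to `hosts: app_coredns`, and `hosts: app_pomerium` mirrors that. The `Run common set up` step uses `ansible.builtin.include_tasks` with `tags: [ common ]`, whereas coredns.yaml switched to `ansible.builtin.import_tasks` so the tag is inherited by the included tasks; using `import_tasks` here keeps both playbooks consistent. The file also appears to end with a whitespace-only added line and no final newline, which yamllint will flag.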
diff --git a/roles/app-container/tasks/container.yaml b/roles/app-container/tasks/container.yaml index 64e45f0..9283d15 100644 --- a/roles/app-container/tasks/container.yaml +++ b/roles/app-container/tasks/container.yaml @@ -1,13 +1,13 @@ - name: Create app container - run_once: true community.general.proxmox: api_user: root@pam api_password: "{{ users_root_password }}" api_host: "localhost" - hostname: "{{ ansible_hostname }}" + hostname: "{{ container_vars.ansible_hostname }}" node: "{{ hostvars[container_vars.app_container_pve_node].ansible_hostname }}" password: "{{ users_root_password }}" ostemplate: "{{ container_vars.app_container_ostemplate }}" + unprivileged: "{{ container_vars.app_container_unprivileged | default(1) }}" disk: "{{ container_vars.app_container_storage_name }}:{{ container_vars.app_container_storage_size_gb }},replicate=1" state: present 
@@ -27,21 +27,23 @@ ansible.builtin.set_fact: app_container_info: "{{ app_container_info_raw.proxmox_vms.0 }}" +- name: Get container definition + register: app_container_before_pct + ansible.builtin.slurp: + src: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" -- name: Debug 1 - debug: - msg: "{{ dict(app_container_id=app_container_info.vmid).update(container_vars)) }}" - -# Note: This must be executed on the node which hosts the container, pct does not work across hosts - name: Update existing container values changed_when: true - when: inventory_hostname == container_vars.app_container_pve_node ansible.builtin.command: - cmd: "{{ lookup('template', 'pct-set.j2', template_vars=dict(app_container_id=app_container_info.vmid).update(container_vars)) }}" + cmd: "{{ lookup('template', 'pct-set.j2', template_vars=(dict(app_container_id=app_container_info.vmid) | combine(container_vars))) }}" + +- name: Get container definition + register: app_container_after_pct + ansible.builtin.slurp: + src: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" - name: Stop the container if it's started and definition has changed - when: bind_mounts.changed and app_container_info.status == 'running' and (container_vars.app_container_autorestart_enabled | default(false)) - run_once: true + when: app_container_before_pct.content != app_container_after_pct.content and app_container_info.status == 'running' and (container_vars.app_container_autorestart_enabled | default(false)) community.general.proxmox: api_user: root@pam api_password: "{{ users_root_password }}" @@ -50,7 +52,6 @@ state: stopped - name: Start container - run_once: true community.general.proxmox: api_user: root@pam api_password: "{{ hostvars[container_vars.app_container_pve_node].users_root_password }}" diff --git a/roles/app-container/tasks/ha.yaml b/roles/app-container/tasks/ha.yaml index b025bdd..ddb778a 100644 --- a/roles/app-container/tasks/ha.yaml +++ b/roles/app-container/tasks/ha.yaml 
@@ -1,3 +1,9 @@ +- name: Touch ha resources config file + run_once: true + ansible.builtin.file: + path: /etc/pve/ha/resources.cfg + state: touch + - name: Configure container as a ha resource run_once: true ansible.builtin.blockinfile: diff --git a/roles/app-container/tasks/main.yaml b/roles/app-container/tasks/main.yaml index cd3b4fa..dbc0b4c 100644 --- a/roles/app-container/tasks/main.yaml +++ b/roles/app-container/tasks/main.yaml @@ -1,16 +1,19 @@ - name: Create container + when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node ansible.builtin.include_tasks: file: container.yaml vars: container_vars: "{{ hostvars[container_inventory_name] }}" - name: Initialize container - run_once: true + when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node ansible.builtin.include_tasks: file: init.yaml + vars: + container_vars: "{{ hostvars[container_inventory_name] }}" - name: Add container to ssh known_hosts - run_once: true + when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node ansible.builtin.include_tasks: file: ssh.yaml vars: @@ -29,6 +32,7 @@ container_vars: "{{ hostvars[container_inventory_name] }}" - name: Configure container firewall + when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node ansible.builtin.include_tasks: file: firewall.yaml vars: diff --git a/roles/app-container/tasks/replication.yaml b/roles/app-container/tasks/replication.yaml index 3d0906f..f2092b9 100644 --- a/roles/app-container/tasks/replication.yaml +++ b/roles/app-container/tasks/replication.yaml @@ -1,3 +1,9 @@ +- name: Create replication file if it does not exist + run_once: true + ansible.builtin.file: + path: "/etc/pve/replication.cfg" + state: touch + - name: Configure storage replication run_once: true loop: "{{ container_vars.app_container_pve_replication_nodes }}" 
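Review bot: `state: touch` on `/etc/pve/ha/resources.cfg` is not idempotent: `ansible.builtin.file` reports changed and bumps the file's timestamps on every run, so the play never converges even when nothing was configured. Adding `modification_time: preserve` and `access_time: preserve` to the task keeps the create-if-missing behaviour while leaving an existing file untouched. The same pattern appears in the replication.yaml hunk on this line (`/etc/pve/replication.cfg`), in roles/pve_cluster_firewall/tasks/main.yaml and roles/pve_cluster_ha/tasks/main.yaml, and in the touch loop in roles/pve_cluster_vxlan/tasks/configs.yaml.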
diff --git a/roles/app-container/tasks/ssh.yaml b/roles/app-container/tasks/ssh.yaml index 074cfa4..342141c 100644 --- a/roles/app-container/tasks/ssh.yaml +++ b/roles/app-container/tasks/ssh.yaml @@ -1,15 +1,17 @@ - name: Scan for container SSH host keys - become: false - delegate_to: localhost changed_when: false + run_once: true + retries: 5 + until: app_container_ssh_scan.rc == 0 register: app_container_ssh_scan ansible.builtin.shell: - cmd: ssh-keyscan {{ container_vars.ansible_host }} 2>/dev/null + cmd: "pct exec {{ app_container_info.vmid }} cat /etc/ssh/ssh_host_rsa_key.pub" - name: Update known_hosts become: false delegate_to: localhost + run_once: true ansible.builtin.known_hosts: - key: "{{ item }}" + key: "{{ container_vars.ansible_host }} {{ item }}" name: "{{ container_vars.ansible_host }}" with_items: "{{ app_container_ssh_scan.stdout_lines }}" \ No newline at end of file diff --git a/roles/app-container/templates/network-interfaces.j2 b/roles/app-container/templates/network-interfaces.j2 deleted file mode 100644 index c21a073..0000000 --- a/roles/app-container/templates/network-interfaces.j2 +++ /dev/null @@ -1,6 +0,0 @@ -{% raw %}{{% endraw %} -{%- for nic in app_container_network_interfaces %} -"net{{ loop.index - 1 }}": "name={{ nic.name }},bridge={{ nic.bridge }},ip={{ nic.ipv4_address }}{{ ",gw=" + nic.ipv4_gateway if (nic.ipv4_gateway | default("")) != "" else "" }}" -{%- if not loop.last %},{% endif %} -{%- endfor %} -{% raw %}}{% endraw %} \ No newline at end of file diff --git a/roles/app-container/templates/pct-set.j2 b/roles/app-container/templates/pct-set.j2 index 53e654d..fa951d6 100644 --- a/roles/app-container/templates/pct-set.j2 +++ b/roles/app-container/templates/pct-set.j2 
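Review bot: `ansible.builtin.shell` is used for `pct exec {{ app_container_info.vmid }} cat /etc/ssh/ssh_host_rsa_key.pub`, which needs no shell features now that the `2>/dev/null` redirect is gone, so `ansible.builtin.command` is the safer and lint-clean choice. Reading the host key through `pct exec` on the PVE node instead of `ssh-keyscan` over the network is what makes the later `known_hosts` entry trustworthy; a one-line comment above the task would keep that intent, e.g. `# Read the key via pct exec on the PVE node so known_hosts is seeded from a trusted channel, not a network scan`. Only the RSA public key is collected; if the container template also ships an ed25519 host key, adding `/etc/ssh/ssh_host_ed25519_key.pub` would let clients use their preferred algorithm — confirm against the template's sshd defaults.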
@@ -1,16 +1,20 @@ pct set {{ app_container_id }} -{%- if app_container_cpu_cores is defined %} --cores {{ app_container_cpu_cores }} \{% endif %} - --features nesting=1{% if app_container_fuse_enabled %},fuse=1{% endif %} \ - --hostname {{ ansible_hostname }} \ - --memory {{ app_container_memory }} \ - {%- for bindmount in app_container_bind_mounts %} - --mp{{ loop.index - 1 }} "{{ bindmount.hostpath }},mp={{ bindmount.containerpath }}" +{%- raw %} --hostname {% endraw %}{{ ansible_hostname }} +{%- raw %} --memory {% endraw %} {{ app_container_memory }} +{%- if app_container_cpu_cores is defined %} --cores {{ app_container_cpu_cores }}{% endif -%} + {%- raw %} --features nesting=1{% endraw %}{% if app_container_fuse_enabled | default(false) == true %},fuse=1{% endif -%} + {%- for mount in (app_container_mounts | default([])) %} + {%- if mount.type == "bind" %} + --mp{{ loop.index - 1 }} "{{ mount.hostpath }},mp={{ mount.target_path }}" + {%- else %} + --mp{{ loop.index - 1 }} "{{ mount.zfs_pool }}:{{ zfs_dataset_name }},size={{ mount.size }},replicate={{ '1' if (mount.replicate | default(true)) else '0' }},,mp={{ mount.target_path }}" + {%- endif %} {%- endfor %} {%- for nic in app_container_network_interfaces %} - --net{{ loop.index - 1 }} "name={{ nic.name }},bridge={{ nic.bridge }},ip={{ nic.ipv4_address }}{{ ",gw=" + nic.ipv4_gateway if (nic.ipv4_gateway | default("")) != "" else "" }}" \ + --net{{ loop.index - 1 }} "name={{ nic.name }},bridge={{ nic.bridge }},ip={{ nic.ipv4_address }}{{ ",gw=" + nic.ipv4_gateway if (nic.ipv4_gateway | default("")) != "" else "" }}" {%- endfor %} {%- if app_container_start_onboot is defined %} - --onboot {{ '1' if (app_container_start_onboot | default(true)) else '0' }} \ + --onboot {{ '1' if (app_container_start_onboot | default(true)) else '0' }} {%- endif %} {%- if app_container_protection is defined %} --protection {{ '1' if app_container_protection else '0' }} \ 
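Review bot: The non-bind mount branch references `{{ zfs_dataset_name }}`, which is neither a key of the loop item (`mount.*`) nor part of the `template_vars` built in roles/app-container/tasks/container.yaml (`app_container_id` combined with `container_vars`); unless it is defined as an inventory variable, rendering a volume mount fails on an undefined variable, and `mount.zfs_dataset_name` (or a documented variable) looks like the intent. The same line has a stray double comma in `replicate=...,,mp=`, which pct's property-string parser is likely to reject or mis-read. The rewrite drops the trailing ` \` continuations from the `--net` and `--onboot` lines, but the unchanged `--protection ... \` line in this hunk and `--swap ... \` in the following hunk keep theirs, so the rendered single-line command still carries literal backslash tokens; remove those too. `--features nesting=1` is emitted unconditionally while container.yaml now lets `app_container_unprivileged` be set to 0; nesting on a privileged container weakens isolation, so guarding it with `{% if app_container_unprivileged | default(1) %}` (or asserting unprivileged) would be prudent.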
@@ -20,5 +24,4 @@ pct set {{ app_container_id }} {%- endif %} {%- if app_container_swap is defined %} --swap {{ app_container_swap }} \ - {%- endif %} - --unprivileged {{ '1' if (app_container_unprivileged | default(1)) else '0' }} \ No newline at end of file + {%- endif %} \ No newline at end of file diff --git a/roles/app-coredns/tasks/systemd.yaml b/roles/app-coredns/tasks/systemd.yaml index 9b8c99f..5ca3b08 100644 --- a/roles/app-coredns/tasks/systemd.yaml +++ b/roles/app-coredns/tasks/systemd.yaml @@ -6,14 +6,9 @@ mode: "0644" content: "{{ lookup('template', 'systemd-unit.j2') }}" -- name: Enable service +- name: (Re)start service ansible.builtin.systemd_service: name: coredns enabled: true daemon_reload: true - state: present - -- name: (Re)start service - ansible.builtin.systemd_service: - name: coredns - state: "{{ 'restarted' if app_coredns_corefile.changed else 'started' }}" \ No newline at end of file + state: "{{ 'restarted' if app_coredns_corefile.changed else 'started' }}" diff --git a/roles/app-coredns/templates/corefile.j2 b/roles/app-coredns/templates/corefile.j2 index 2796144..08f1000 100644 --- a/roles/app-coredns/templates/corefile.j2 +++ b/roles/app-coredns/templates/corefile.j2 @@ -2,16 +2,18 @@ log errors hosts { - {%- for host in app_coredns_records %} + {% for host in app_coredns_records %} {{ host.ip }} {{ host.name }} - {%- endfor %} + {% endfor %} + fallthrough } forward . {% for forwarder in app_coredns_forwarders %}tls://{{ forwarder }} {% endfor %} { tls_servername {{ app_coredns_forwarders_tls_servername }} max_concurrent 1000 } cache 30 - prometheus localhost:9153 # TODO: Internal IP ? + # TODO: Use vxlan ip + prometheus localhost:9153 loop reload loadbalance diff --git a/roles/app-pomerium/tasks/configure.yaml b/roles/app-pomerium/tasks/configure.yaml new file mode 100644 index 0000000..d7414c4 --- /dev/null +++ b/roles/app-pomerium/tasks/configure.yaml 
@@ -0,0 +1,9 @@ +- name: Create config file + register: app_pomerium_config_file + ansible.builtin.copy: + dest: /etc/pomerium/config.yaml + owner: pomerium + group: pomerium + mode: 0440 + force: true + content: "{{ lookup('template', 'config.j2') }}" \ No newline at end of file diff --git a/roles/app-pomerium/tasks/install.yaml b/roles/app-pomerium/tasks/install.yaml new file mode 100644 index 0000000..f640c76 --- /dev/null +++ b/roles/app-pomerium/tasks/install.yaml @@ -0,0 +1,17 @@ +- name: Download apt key + ansible.builtin.get_url: + url: "https://dl.cloudsmith.io/public/pomerium/pomerium/gpg.6E388440B94E1407.key" + dest: /etc/apt/keyrings/pomerium.asc + +- name: Add apt repository + ansible.builtin.apt_repository: + repo: "deb [signed-by=/etc/apt/keyrings/pomerium.asc] https://dl.cloudsmith.io/public/pomerium/pomerium/deb/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main" + state: present + update_cache: true + filename: pomerium + +- name: Install Pomerium package + ansible.builtin.apt: + name: + - pomerium + - pomerium-cli \ No newline at end of file diff --git a/roles/app-pomerium/tasks/main.yaml b/roles/app-pomerium/tasks/main.yaml new file mode 100644 index 0000000..474204e --- /dev/null +++ b/roles/app-pomerium/tasks/main.yaml @@ -0,0 +1,11 @@ +- name: Install pomerium + ansible.builtin.include_tasks: + file: install.yaml + +- name: Configure pomerium + ansible.builtin.include_tasks: + file: configure.yaml + +- name: Configure systemd + ansible.builtin.include_tasks: + file: systemd.yaml diff --git a/roles/app-pomerium/tasks/systemd.yaml b/roles/app-pomerium/tasks/systemd.yaml new file mode 100644 index 0000000..0b8b635 --- /dev/null +++ b/roles/app-pomerium/tasks/systemd.yaml 
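Review bot: `mode: 0440` is an unquoted YAML 1.1 octal; it happens to parse to the right value here, but the rest of this commit quotes modes (`"0644"`, `"0755"`) and ansible-lint's risky-octal rule flags the bare form, so `mode: "0440"` keeps it consistent and safe under YAML 1.2 parsers. The same unquoted `mode: 0440` appears in environments/lab/group_vars/app_pomerium/getssl.yaml in patch 22. The rendered content includes `idp_client_secret` and `cookie_secret` (see roles/app-pomerium/templates/config.j2), and `ansible.builtin.copy` prints the content diff in `--diff`/verbose runs; add `no_log: true` to this task so the secrets do not end up in CI logs.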
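Review bot: The `ansible.builtin.get_url` task fetches the repository signing key with no `checksum:`, so the trust root for every later `apt` install is whatever the CDN returns at run time; pin it with `checksum: "sha256:<KEY_SHA256_PLACEHOLDER>"` (value taken from an out-of-band verification of the key) and set `mode: "0644"` explicitly. `dest: /etc/apt/keyrings/pomerium.asc` assumes the keyrings directory exists; it ships with apt on Debian 12, but an explicit `ansible.builtin.file` task with `state: directory` before it would make the role portable to older templates — confirm against the template in use.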
@@ -0,0 +1,24 @@ +- name: Create override directory + ansible.builtin.file: + dest: /etc/systemd/system/pomerium.service.d + owner: root + group: root + mode: "0755" + state: directory + +- name: Create override file to allow usage of port 443 + ansible.builtin.copy: + dest: /etc/systemd/system/pomerium.service.d/override-port.conf + owner: root + group: root + mode: "0644" + content: | + [Service] + AmbientCapabilities=CAP_NET_BIND_SERVICE + +- name: (Re)start service + ansible.builtin.systemd_service: + name: pomerium + enabled: true + daemon_reload: true + state: "{{ 'restarted' if app_pomerium_config_file.changed else 'started' }}" diff --git a/roles/app-pomerium/templates/config.j2 b/roles/app-pomerium/templates/config.j2 new file mode 100644 index 0000000..cb4652f --- /dev/null +++ b/roles/app-pomerium/templates/config.j2 @@ -0,0 +1,19 @@ +authenticate_service_url: https://{{ app_pomerium_hostname }} + +autocert: true +autocert_email: {{ app_pomerium_letsencrypt_email }} +autocert_use_staging: {{ app_pomerium_letsencrypt_use_staging }} + +idp_provider: {{ app_pomerium_idp_provider }} +idp_provider_url: '{{ app_pomerium_idp_provider_url }}' +idp_client_id: {{ app_pomerium_idp_client_id }} +idp_client_secret: {{ app_pomerium_idp_client_secret }} + +cookie_secret: {{ app_pomerium_cookie_secret }} + +# TODO: metrics_address: :9090 + +routes: + - from: https://google-lab.homecentr.one + to: https://google.com + pass_identity_headers: false \ No newline at end of file diff --git a/roles/pve_cluster_firewall/tasks/main.yaml b/roles/pve_cluster_firewall/tasks/main.yaml index 3177ea0..ed815c9 100644 --- a/roles/pve_cluster_firewall/tasks/main.yaml +++ b/roles/pve_cluster_firewall/tasks/main.yaml 
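Review bot: The `(Re)start service` task restarts only when `app_pomerium_config_file.changed`, so a change to the `override-port.conf` drop-in (which alters `AmbientCapabilities`) is picked up by `daemon_reload` but not applied to the running process until an unrelated restart. Register the override copy, e.g. `register: app_pomerium_systemd_override`, and use `state: "{{ 'restarted' if (app_pomerium_config_file.changed or app_pomerium_systemd_override.changed) else 'started' }}"`. Granting only `CAP_NET_BIND_SERVICE` via `AmbientCapabilities` is the right least-privilege shape for binding 443; a short comment such as `# minimal capability needed to bind :443 while pomerium runs unprivileged` would keep the next maintainer from widening it — assuming the packaged unit runs as a non-root user, which this diff does not show.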
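Review bot: Every secret and identifier is rendered as a bare scalar (`autocert_email`, `idp_client_id`, `idp_client_secret`, `cookie_secret`) while `idp_provider_url` is single-quoted; a value containing `: ` or ` #`, or starting with `*`, `&`, `{` or `[`, would break or silently change the YAML Pomerium loads. Rendering them with `| to_json` (e.g. `cookie_secret: {{ app_pomerium_cookie_secret | to_json }}`) yields a correctly escaped double-quoted YAML string for any content; `autocert_use_staging` should stay unquoted since it comes from a `type:bool` sops value. The `routes:` entry points a lab hostname at google.com with no `policy`; if that is a smoke test, a comment saying so avoids it being read as an intended route.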
@@ -1,10 +1,8 @@ - name: Create firewall config file if it does not exist + run_once: true ansible.builtin.file: path: /etc/pve/firewall/cluster.fw - state: file - owner: root - group: www-data - mode: "0640" + state: touch - name: Configure cluster firewall ansible.builtin.import_role: diff --git a/roles/pve_cluster_ha/tasks/main.yaml b/roles/pve_cluster_ha/tasks/main.yaml index 5193152..3ca6154 100644 --- a/roles/pve_cluster_ha/tasks/main.yaml +++ b/roles/pve_cluster_ha/tasks/main.yaml @@ -1,4 +1,10 @@ - name: Create ha config file if it does not exist + run_once: true + ansible.builtin.file: + dest: /etc/pve/ha/groups.cfg + state: touch + +- name: Update the ha config file run_once: true ansible.builtin.copy: dest: /etc/pve/ha/groups.cfg diff --git a/roles/pve_cluster_vxlan/tasks/configs.yaml b/roles/pve_cluster_vxlan/tasks/configs.yaml new file mode 100644 index 0000000..0eb493e --- /dev/null +++ b/roles/pve_cluster_vxlan/tasks/configs.yaml @@ -0,0 +1,35 @@ +- name: Touch config files first to make it work with proxmox corosync + ansible.builtin.file: + path: "{{ item }}" + state: touch + loop: + - /etc/pve/sdn/zones.cfg + - /etc/pve/sdn/vnets.cfg + - /etc/pve/sdn/subnets.cfg + +- name: Configure zones + ansible.builtin.copy: + dest: /etc/pve/sdn/zones.cfg + owner: root + group: www-data + mode: "0640" + force: true + content: "{{ lookup('template', 'zones.j2') }}" + +- name: Configure vnets + ansible.builtin.copy: + dest: /etc/pve/sdn/vnets.cfg + owner: root + group: www-data + mode: "0640" + force: true + content: "{{ lookup('template', 'vnets.j2') }}" + +- name: Configure subnets + ansible.builtin.copy: + dest: /etc/pve/sdn/subnets.cfg + owner: root + group: www-data + mode: "0640" + force: true + content: "{{ lookup('template', 'subnets.j2') }}" \ No newline at end of file diff --git a/roles/pve_cluster_vxlan/tasks/ipam.yaml b/roles/pve_cluster_vxlan/tasks/ipam.yaml new file mode 100644 index 0000000..d88510a --- /dev/null 
+++ b/roles/pve_cluster_vxlan/tasks/ipam.yaml @@ -0,0 +1,7 @@ +- name: Configure IPAM and DHCP ranges for subnet + changed_when: true + loop: "{{ lookup('template', 'subnet-list.j2') | from_yaml }}" + loop_control: + loop_var: subnet + ansible.builtin.command: + cmd: "pvesh set /cluster/sdn/vnets/{{ subnet.vnet_name }}/subnets/{{ subnet.id }}" \ No newline at end of file diff --git a/roles/pve_cluster_vxlan/tasks/main.yaml b/roles/pve_cluster_vxlan/tasks/main.yaml index e051947..be99d57 100644 --- a/roles/pve_cluster_vxlan/tasks/main.yaml +++ b/roles/pve_cluster_vxlan/tasks/main.yaml @@ -9,13 +9,15 @@ create: false line: "source /etc/network/interfaces.d/*" -- name: Configure zones +- name: Update config files run_once: true - loop: "{{ pve_cluster_vxlans }}" - loop_control: - loop_var: zone ansible.builtin.include_tasks: - file: zone.yaml + file: configs.yaml + +- name: Update IPAM + run_once: true + ansible.builtin.include_tasks: + file: ipam.yaml - name: Apply changes to the whole cluster changed_when: true diff --git a/roles/pve_cluster_vxlan/tasks/subnet.yaml b/roles/pve_cluster_vxlan/tasks/subnet.yaml deleted file mode 100644 index 7b30d6c..0000000 --- a/roles/pve_cluster_vxlan/tasks/subnet.yaml +++ /dev/null @@ -1,11 +0,0 @@ -- name: Configure subnets - ansible.builtin.blockinfile: - path: /etc/pve/sdn/subnets.cfg - create: true - owner: root - group: www-data - mode: "0640" - marker: "# {mark} Ansible managed subnet {{ zone.name }}-{{ vnet.name }}-{{ subnet.cidr | replace('/', '-') }}" - block: | - subnet: {{ zone.name }}-{{ subnet.cidr | replace('/', '-') }} - vnet {{ vnet.name }} diff --git a/roles/pve_cluster_vxlan/tasks/vnet.yaml b/roles/pve_cluster_vxlan/tasks/vnet.yaml deleted file mode 100644 index 54d8b63..0000000 --- a/roles/pve_cluster_vxlan/tasks/vnet.yaml +++ /dev/null 
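Review bot: The task is named `Configure IPAM and DHCP ranges for subnet`, but `pvesh set /cluster/sdn/vnets/{{ subnet.vnet_name }}/subnets/{{ subnet.id }}` passes no options, so the DHCP ranges themselves come from subnets.cfg written in configs.yaml and this call presumably only makes PVE re-evaluate the subnet against the IPAM; the reason for a bare `set` is not obvious and deserves a comment above the task, e.g. `# Parameter-less set makes PVE reconcile the subnet with IPAM after subnets.cfg was rewritten; the dhcp ranges live in subnets.cfg`. `changed_when: true` reports a change on every run; if the call is idempotent, `changed_when: false` is more honest, otherwise say why in the same comment.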
@@ -1,24 +0,0 @@ -- name: Validate vnet name length - ansible.builtin.assert: - that: vnet.name | length <= 9 # total 15 with vxlan_ prefix - msg: VNet name must be 9 characters or less - -- name: Configure vnet - ansible.builtin.blockinfile: - path: /etc/pve/sdn/vnets.cfg - create: true - owner: root - group: www-data - mode: "0640" - marker: "# {mark} Ansible managed vnet {{ vnet.name }}" - block: | - vnet: {{ vnet.name }} - zone {{ zone.name }} - tag {{ vnet.tag }} - -- name: Configure subnet - loop: "{{ vnet.subnets }}" - loop_control: - loop_var: subnet - ansible.builtin.include_tasks: - file: subnet.yaml \ No newline at end of file diff --git a/roles/pve_cluster_vxlan/tasks/zone.yaml b/roles/pve_cluster_vxlan/tasks/zone.yaml deleted file mode 100644 index 6f30f3e..0000000 --- a/roles/pve_cluster_vxlan/tasks/zone.yaml +++ /dev/null @@ -1,19 +0,0 @@ -- name: Configure zome - ansible.builtin.blockinfile: - path: /etc/pve/sdn/zones.cfg - create: true - owner: root - group: www-data - mode: "0640" - marker: "# {mark} Ansible managed vxlan {{ zone.name }}" - block: | - vxlan: {{ zone.name }} - peers {{ zone.peer_hosts | map('extract', hostvars, 'ansible_host') | join(',') }} - ipam {{ zone.ipam | default('pve') }} - -- name: Configure vnets - loop: "{{ zone.vnets }}" - loop_control: - loop_var: vnet - ansible.builtin.include_tasks: - file: vnet.yaml \ No newline at end of file diff --git a/roles/pve_cluster_vxlan/templates/subnet-list.j2 b/roles/pve_cluster_vxlan/templates/subnet-list.j2 new file mode 100644 index 0000000..249508f --- /dev/null +++ b/roles/pve_cluster_vxlan/templates/subnet-list.j2 @@ -0,0 +1,9 @@ +{% for zone in pve_cluster_vxlans %} +{% for vnet in zone.vnets %} +{% for subnet in vnet.subnets %} +- vnet_name: {{ vnet.name }} + id: {{ zone.name }}-{{ subnet.cidr | replace('/', '-') }} + +{% endfor %} +{% endfor %} +{% endfor %} \ No newline at end of file 
diff --git a/roles/pve_cluster_vxlan/templates/subnets.j2 b/roles/pve_cluster_vxlan/templates/subnets.j2 new file mode 100644 index 0000000..d112103 --- /dev/null +++ b/roles/pve_cluster_vxlan/templates/subnets.j2 @@ -0,0 +1,12 @@ +{% for zone in pve_cluster_vxlans %} +{% for vnet in zone.vnets %} +{% for subnet in vnet.subnets %} +subnet: {{ zone.name }}-{{ subnet.cidr | replace('/', '-') }} + vnet {{ vnet.name }} +{% for dhcp_range in subnet.dhcp_ranges | default([]) %} + dhcp-range start-address={{ dhcp_range.start }},end-address={{ dhcp_range.end }} +{% endfor %} + +{% endfor %} +{% endfor %} +{% endfor %} \ No newline at end of file diff --git a/roles/pve_cluster_vxlan/templates/vnets.j2 b/roles/pve_cluster_vxlan/templates/vnets.j2 new file mode 100644 index 0000000..c997805 --- /dev/null +++ b/roles/pve_cluster_vxlan/templates/vnets.j2 @@ -0,0 +1,8 @@ +{% for zone in pve_cluster_vxlans %} +{% for vnet in zone.vnets %} +vnet: {{ vnet.name }} + zone {{ zone.name }} + tag {{ vnet.tag }} + +{% endfor %} +{% endfor %} \ No newline at end of file diff --git a/roles/pve_cluster_vxlan/templates/zones.j2 b/roles/pve_cluster_vxlan/templates/zones.j2 new file mode 100644 index 0000000..52428d4 --- /dev/null +++ b/roles/pve_cluster_vxlan/templates/zones.j2 @@ -0,0 +1,6 @@ +{% for zone in pve_cluster_vxlans %} +vxlan: {{ zone.name }} + peers {{ zone.peer_hosts | map('extract', hostvars, 'ansible_host') | join(',') }} + ipam {{ zone.ipam | default('pve') }} + +{% endfor %} \ No newline at end of file From fa5b00adb79f1f0926b1165531ff0710db1ad7a7 Mon Sep 17 00:00:00 2001 
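Review bot: The deleted roles/pve_cluster_vxlan/tasks/vnet.yaml carried an `ansible.builtin.assert` that `vnet.name | length <= 9` (15 with the `vxlan_` prefix), and nothing in this template or in configs.yaml replaces it, so an over-long vnet name now reaches `/etc/pve/sdn/vnets.cfg` and only fails at apply time. Restore the check as a task before the config files are written, e.g. `ansible.builtin.assert:` with `that: (pve_cluster_vxlans | map(attribute='vnets') | flatten | map(attribute='name') | map('length') | max) <= 9` and `fail_msg: VNet name must be 9 characters or less`.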
From: Lukas Holota Date: Mon, 11 Mar 2024 14:02:04 +0100 Subject: [PATCH 22/51] Pomerium half way --- .../group_vars/app_pomerium/container.yaml | 9 +++ .../lab/group_vars/app_pomerium/getssl.yaml | 8 +++ .../lab/group_vars/app_pomerium/pomerium.yaml | 6 +- .../lab/group_vars/pve_nodes/getssl.sops.yaml | 47 +++++++++++++++ .../lab/host_vars/app_pomerium_primary.yaml | 5 -- .../lab/host_vars/app_pomerium_secondary.yaml | 5 -- environments/lab/host_vars/pve1.yaml | 3 + environments/lab/host_vars/pve2.yaml | 3 + environments/lab/host_vars/pve3.yaml | 3 + playbooks/apps/pomerium.yaml | 16 ++++- playbooks/proxmox-cluster.yaml | 5 ++ playbooks/proxmox-nodes.yaml | 5 -- requirements.yaml | 2 +- roles/app-acmesh/tasks/main.yaml | 5 -- roles/app-container/tasks/container.yaml | 30 ++-------- roles/app-container/tasks/getssl.yaml | 21 +++++++ roles/app-container/tasks/main.yaml | 22 ++++++- roles/app-container/tasks/start.yaml | 26 ++++++++ .../app-container/tasks/uid-gid-mapping.yaml | 28 +++++++++ .../app-container/templates/getssl-config.j2 | 17 ++++++ roles/app-container/templates/lxc-idmap.j2 | 35 +++++++++++ roles/app-container/templates/pct-set.j2 | 9 ++- roles/app-pomerium/templates/config.j2 | 10 +++- .../files/getssl-copy-container-all.sh | 9 +++ .../files/getssl-copy-container.sh | 59 +++++++++++++++++++ .../files/getssl-copy-pveproxy.sh | 19 ++++++ roles/pve_cluster_getssl/tasks/configure.yaml | 45 ++++++++++++++ roles/pve_cluster_getssl/tasks/cron.yaml | 26 ++++++++ roles/pve_cluster_getssl/tasks/main.yaml | 28 +++++++++ roles/pve_cluster_getssl/tasks/scripts.yaml | 11 ++++ .../templates/getssl-certificate.j2 | 5 ++ .../templates/getssl-root.j2 | 19 ++++++ 32 files changed, 485 insertions(+), 56 deletions(-) create mode 100644 environments/lab/group_vars/app_pomerium/container.yaml create mode 100644 environments/lab/group_vars/app_pomerium/getssl.yaml create mode 100644 environments/lab/group_vars/pve_nodes/getssl.sops.yaml delete mode 100644 
roles/app-acmesh/tasks/main.yaml create mode 100644 roles/app-container/tasks/getssl.yaml create mode 100644 roles/app-container/tasks/start.yaml create mode 100644 roles/app-container/tasks/uid-gid-mapping.yaml create mode 100644 roles/app-container/templates/getssl-config.j2 create mode 100644 roles/app-container/templates/lxc-idmap.j2 create mode 100644 roles/pve_cluster_getssl/files/getssl-copy-container-all.sh create mode 100644 roles/pve_cluster_getssl/files/getssl-copy-container.sh create mode 100644 roles/pve_cluster_getssl/files/getssl-copy-pveproxy.sh create mode 100644 roles/pve_cluster_getssl/tasks/configure.yaml create mode 100644 roles/pve_cluster_getssl/tasks/cron.yaml create mode 100644 roles/pve_cluster_getssl/tasks/main.yaml create mode 100644 roles/pve_cluster_getssl/tasks/scripts.yaml create mode 100644 roles/pve_cluster_getssl/templates/getssl-certificate.j2 create mode 100644 roles/pve_cluster_getssl/templates/getssl-root.j2 diff --git a/environments/lab/group_vars/app_pomerium/container.yaml b/environments/lab/group_vars/app_pomerium/container.yaml new file mode 100644 index 0000000..4cd4579 --- /dev/null +++ b/environments/lab/group_vars/app_pomerium/container.yaml @@ -0,0 +1,9 @@ +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 512 +app_container_storage_name: dpool +app_container_storage_size_gb: 2 +app_container_pve_replication_cron_expression: "*/5" +app_container_mapped_uids: + - 7000 +app_container_mapped_gids: + - 7000 \ No newline at end of file diff --git a/environments/lab/group_vars/app_pomerium/getssl.yaml b/environments/lab/group_vars/app_pomerium/getssl.yaml new file mode 100644 index 0000000..14aa535 --- /dev/null +++ b/environments/lab/group_vars/app_pomerium/getssl.yaml 
@@ -0,0 +1,8 @@ +app_container_getssl_certificates: + - name: "*.homecentr.one" + fullchain_filename: "wildcard_fullchain.crt" + cert_filename: "wildcard.crt" + key_filename: "wildcard.key" + user: 7000 + group: 7000 + mode: 0440 \ No newline at end of file diff --git a/environments/lab/group_vars/app_pomerium/pomerium.yaml b/environments/lab/group_vars/app_pomerium/pomerium.yaml index b8eecfb..e0a1ca9 100644 --- a/environments/lab/group_vars/app_pomerium/pomerium.yaml +++ b/environments/lab/group_vars/app_pomerium/pomerium.yaml @@ -1 +1,5 @@ -app_pomerium_hostname: login-lab.homecentr.one \ No newline at end of file +app_pomerium_hostname: login-lab.homecentr.one + +app_pomeriums_certificates: + - fullchain_path: /getssl/wildcard_fullchain.crt + key_path: /getssl/wildcard.key \ No newline at end of file diff --git a/environments/lab/group_vars/pve_nodes/getssl.sops.yaml b/environments/lab/group_vars/pve_nodes/getssl.sops.yaml new file mode 100644 index 0000000..9d646ae --- /dev/null +++ b/environments/lab/group_vars/pve_nodes/getssl.sops.yaml 
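Review bot: `mode: 0440` is an unquoted octal literal, which YAML 1.1 loaders read as the integer 288, so the consumer never sees the string `0440`; write `mode: "0440"`. The consumers also disagree on the key name: roles/app-container/templates/getssl-config.j2 emits `permissions` (from `cert.permissions | default('0440')`) and never reads `cert.mode`, while roles/pve_cluster_getssl/files/getssl-copy-container.sh reads `.mode` from the generated JSON, so the value set here is silently replaced by the template default and then read under a third name. Pick one key (`mode`) in all three places so the setting actually reaches the script.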
@@ -0,0 +1,47 @@ +getssl_version: ENC[AES256_GCM,data:ypZgdw==,iv:pktvgmp96bQdFnxa9whJXIyRvjscf93UaZQrPpvk448=,tag:od6ICPAH05wqxE6JFR5fhw==,type:float] +getssl_acme_email: ENC[AES256_GCM,data:vW1i9Q6FCzicUEkWb0mocVQv8/jVzZc=,iv:wFoCCJYnwC8X/cxXF8MmwpoNYzNuhi3f0/uB+XZrcN8=,tag:bk2FcpQsfZb7Ig7E7jS4mw==,type:str] +getssl_certificates: + - domain: ENC[AES256_GCM,data:IL2U60AOP4Qe2s/Q4JpA,iv:m/Al38Q9+Hfoqbp65rZxcQC3davsj1hCF8sFUILor1Q=,tag:bEvmOKVjk0o6f26FBum4YQ==,type:str] + pveproxy: ENC[AES256_GCM,data:Z3PlWw==,iv:G+GeW6QuTS9JcEKJxBKeHvc0mOs6vS4FBpadjnL3swA=,tag:PazIu8PuVI+mwdZTFKNkaw==,type:bool] +getssl_cloudflare_email: ENC[AES256_GCM,data:g8ra8XdIC3yq9J1zWD+h9C8oqK51hQ==,iv:i8ldg/fJLD3N3Ivrl9jm2PtRUZrbjVRGzv3F1FFT/Qk=,tag:C9HTM5pC9LGo1TWQypv0mA==,type:str] +getssl_cloudflare_api_token: ENC[AES256_GCM,data:XTT1bBWsslV/LZNg+1G+TXwmhSxlIcy8iA4G268TfX0RaJPHuNmoiQ==,iv:kYnJA1nbVCsxZ45pCub/QFX1hWtoPqYoUuc5pJ7819g=,tag:5rlk9oOHXc7auOG1BbgXcQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1clBQeVhsWVBBNG05V0NH + ejZTQ2RJcFpFMm1DUG16cGFDT2VreDI3dUdzCkdqdTJoL3VVSTV6TGp6Y1FKRUpR + UGNQVjYvN1BMek83U29HaHRVeG1TYVUKLS0tIGZMcEtwSUt2UkxhamtRa1c1MUx1 + NTVRVTlXdlltaHFRN2o0cVV3UFZHa2sKyVnFYLdIIlM4HAnu5UT8zuf0spT70P7t + CQA28nBLIEBim+fc7y1iO+1DdFmFK6igoDFx8Rf6IPfihsWjfKs2Cg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-08T18:21:39Z" + mac: ENC[AES256_GCM,data:dkmcK47/AwyECu300oXilnb/7KZdDUUrimNa3eVNUuhPXa549b9TUJ4TKzQzvCwdU4VtTKE08guyeqalsc2eJVCd1b9HrVYxiIRFUYJWm9pCXoYckq4Fi21o4jaLWgdaBQpR1MiCMt3uDSpKNQwU+lYveWjbEzf2DVFMyp+2d8w=,iv:h3HtWjDT3fgm6Bpkjo1tjZtDfLYoJUobaPohbwfu8Ig=,tag:5b3+IomU+0VWT82YfqhSAw==,type:str] + pgp: + - created_at: "2024-03-08T17:36:39Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA7Pg+ndCcR5CAQ//YMTZz/Hm3udKdJ+o+Lk2o5Y3/KZxU32pndkwIiOQHbQl + 
tu0WIuDLrsMh+wmTDcNYXVjNqs46u+iRYgJoKKABvYAGOI0qXJyZr56KVqewmZ5I + i9wdADrUYznAs/0J2UPOocBRGcW/40nR7i0tBOHY3JH6/UUyzqjQTJ8bwkAmIECF + p9MiPCyubjcL88Fl9xjae5BFLgT615Gq8ii3N2Aloavalxtge6qRgxIxbGpI3kZ4 + P26PVTWj/KqCi2SxfWm9E4R5/7/Wb6puYGS8Ey4QPGwnpNgPpEJOu8GnAOfOwgV5 + KPcJP3alZdQPvQD8ta4Fasm36l+/7YAe4TfZ+9WqdKi9pYZ5p6vpE0rc6u8aELZm + 38JUva401PE8JWgQdzkXFckMQ3+Dl5gAuZQCUBZi73uG6cEIZxXjPBzVExoIWB7/ + C+ZCJhb/4q1K8v+ZFuxduMa07W505SnnmL8HVs4cnM9ijvDBn1ZUiq3KDEm9IBdZ + CGEfGHrLeL+wlF46s45u/D/ESGiUlTyt+qPl7vvMgQhdn9AIGnHb6qD8zlXE8hVj + QfjgyLp8L2TwQaRb1oXltePZyuG3PZOchhCfe18jNzINtPzl9XvFTkAAzIE1fTtz + 2oXnUgL8DcYH0agzKe7LH6U7j/ZVVJAiuj7y8h3lkgWKsMunAk29o/49FMspDFzS + XAFmJ40anJ/M5jbj5Sfeqslm0XaBQYO8t3PO07rSkIiDNeUHwVe5/uB0IICNgteK + zsQKDfmCGMKLVMMQqG7K6uXXN5wL0M+3oaIc6cPHfevNT/OG0QL8J3jm4vQu + =JxcY + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/environments/lab/host_vars/app_pomerium_primary.yaml b/environments/lab/host_vars/app_pomerium_primary.yaml index 2ba8f5f..e7bbac2 100644 --- a/environments/lab/host_vars/app_pomerium_primary.yaml +++ b/environments/lab/host_vars/app_pomerium_primary.yaml @@ -2,11 +2,6 @@ ansible_host: 10.1.8.130 ansible_hostname: pomerium1-lab fqdn: pomerium1-lab.homecentr.one -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 512 -app_container_storage_name: dpool -app_container_storage_size_gb: 2 -app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 bridge: vmbr0 diff --git a/environments/lab/host_vars/app_pomerium_secondary.yaml b/environments/lab/host_vars/app_pomerium_secondary.yaml index 4f33cce..4ed41e3 100644 --- a/environments/lab/host_vars/app_pomerium_secondary.yaml +++ b/environments/lab/host_vars/app_pomerium_secondary.yaml 
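Review bot: `getssl_version` was encrypted as `type:float`, so after decryption it is a number rather than a string; a version such as 2.40 decrypts as 2.4 and the URL built in roles/pve_cluster_getssl/tasks/main.yaml (`v{{ getssl_version }}/getssl_{{ getssl_version }}-1_all.deb`) would no longer match the release. Re-encrypt it from a quoted value so it is stored as `type:str`, like the other scalars in this file. The encrypted `pveproxy` flag is `type:bool`, which is what the `equalto, true` selection in cron.yaml expects, so that one is consistent.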
@@ -2,11 +2,6 @@ ansible_host: 10.1.8.131 ansible_hostname: pomerium2-lab fqdn: pomerium2-lab.homecentr.one -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 512 -app_container_storage_name: dpool -app_container_storage_size_gb: 2 -app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 bridge: vmbr0 diff --git a/environments/lab/host_vars/pve1.yaml b/environments/lab/host_vars/pve1.yaml index f85b0d4..5675e3b 100644 --- a/environments/lab/host_vars/pve1.yaml +++ b/environments/lab/host_vars/pve1.yaml @@ -5,3 +5,6 @@ fqdn: pve1-lab.homecentr.one # UPS ups_name: dummy-ups1 + +# GetSSL +getssl_cron_renewal_hour: 16 \ No newline at end of file diff --git a/environments/lab/host_vars/pve2.yaml b/environments/lab/host_vars/pve2.yaml index 99830d2..52eda15 100644 --- a/environments/lab/host_vars/pve2.yaml +++ b/environments/lab/host_vars/pve2.yaml @@ -5,3 +5,6 @@ fqdn: pve2-lab.homecentr.one # UPS ups_name: dummy-ups1 + +# GetSSL +getssl_cron_renewal_hour: 17 \ No newline at end of file diff --git a/environments/lab/host_vars/pve3.yaml b/environments/lab/host_vars/pve3.yaml index 95b1199..2ee611f 100644 --- a/environments/lab/host_vars/pve3.yaml +++ b/environments/lab/host_vars/pve3.yaml @@ -5,3 +5,6 @@ fqdn: pve3-lab.homecentr.one # UPS ups_name: dummy-ups1 + +# GetSSL +getssl_cron_renewal_hour: 18 \ No newline at end of file diff --git a/playbooks/apps/pomerium.yaml b/playbooks/apps/pomerium.yaml index 46c0fbd..deec4e7 100644 --- a/playbooks/apps/pomerium.yaml +++ b/playbooks/apps/pomerium.yaml 
@@ -25,8 +25,22 @@ file: _common.yaml tags: [ common ] + - name: Create pomerium group with fixed GID + ansible.builtin.group: + name: pomerium + gid: 7000 + + - name: Create pomerium user with fixed UID + ansible.builtin.user: + name: pomerium + group: pomerium + uid: 7000 + create_home: false + - name: Install pomerium ansible.builtin.import_role: name: ../../roles/app-pomerium tags: [ pomerium ] - \ No newline at end of file + + # TODO: Copy certificate + # use delegate to \ No newline at end of file diff --git a/playbooks/proxmox-cluster.yaml b/playbooks/proxmox-cluster.yaml index 15a1dad..f09bb78 100644 --- a/playbooks/proxmox-cluster.yaml +++ b/playbooks/proxmox-cluster.yaml @@ -31,3 +31,8 @@ ansible.builtin.import_role: name: ../roles/pve_cluster_ha tags: ha + + - name: Install and configure getssl + ansible.builtin.import_role: + name: ../roles/pve_cluster_getssl + tags: getssl \ No newline at end of file diff --git a/playbooks/proxmox-nodes.yaml b/playbooks/proxmox-nodes.yaml index 2f5e1b8..afed3e8 100644 --- a/playbooks/proxmox-nodes.yaml +++ b/playbooks/proxmox-nodes.yaml @@ -51,11 +51,6 @@ name: homecentr.proxmox.pve_nosubs_warning tags: [ no-subs-warning ] - - name: Configure ACME - ansible.builtin.import_role: - name: homecentr.proxmox.pve_acme - tags: [ acme ] - - name: Configure USB HID quirk for UPS communication ansible.builtin.import_role: name: homecentr.system.usbhid_quirk diff --git a/requirements.yaml b/requirements.yaml index 317c668..ddecc7a 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -14,7 +14,7 @@ collections: - name: community.crypto version: 2.5.0 - name: community.sops - version: 1.6.0 + version: 1.6.7 - name: https://github.com/homecentr/ansible-collection-system type: git version: origin/fix/ssh #master diff --git a/roles/app-acmesh/tasks/main.yaml b/roles/app-acmesh/tasks/main.yaml deleted file mode 100644 index 7e510ff..0000000 --- a/roles/app-acmesh/tasks/main.yaml +++ /dev/null 
@@ -1,5 +0,0 @@ -# TODO: Install - download probably from GitHub -# TODO: If script does not exist in homedir (of pomerium user), run install - # TODO: Else run --update-account to ensure the e-mail is in sync with the ansible var -# TODO: List certs - # TODO: If cert with domain not in the result above, request certs immediately using a shell command \ No newline at end of file diff --git a/roles/app-container/tasks/container.yaml b/roles/app-container/tasks/container.yaml index 9283d15..7a1d1dd 100644 --- a/roles/app-container/tasks/container.yaml +++ b/roles/app-container/tasks/container.yaml @@ -1,4 +1,5 @@ - name: Create app container + when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node community.general.proxmox: api_user: root@pam api_password: "{{ users_root_password }}" 
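Review bot: The same `when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node` line is now repeated on every task in this hunk and in the next one (get definition, update, get definition again). Wrapping those tasks in a `block:` with a single `when:` keeps the restriction in one place and makes it obvious that the whole pct round-trip is owner-node only. The task that sets `app_container_info` on the context line above the second hunk starts outside the hunk, so I cannot tell whether it is restricted the same way; if it is not, a comment saying it deliberately runs on every node would help, because getssl.yaml relies on `app_container_info.vmid` on all nodes.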
@@ -28,42 +29,19 @@ app_container_info: "{{ app_container_info_raw.proxmox_vms.0 }}" - name: Get container definition + when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node register: app_container_before_pct ansible.builtin.slurp: src: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" - name: Update existing container values + when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node changed_when: true ansible.builtin.command: cmd: "{{ lookup('template', 'pct-set.j2', template_vars=(dict(app_container_id=app_container_info.vmid) | combine(container_vars))) }}" - name: Get container definition + when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node register: app_container_after_pct ansible.builtin.slurp: src: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" - -- name: Stop the container if it's started and definition has changed - when: app_container_before_pct.content != app_container_after_pct.content and app_container_info.status == 'running' and (container_vars.app_container_autorestart_enabled | default(false)) - community.general.proxmox: - api_user: root@pam - api_password: "{{ users_root_password }}" - api_host: "localhost" - hostname: "{{ container_vars.ansible_hostname }}" - state: stopped - -- name: Start container - community.general.proxmox: - api_user: root@pam - api_password: "{{ hostvars[container_vars.app_container_pve_node].users_root_password }}" - api_host: "localhost" - hostname: "{{ container_vars.ansible_hostname }}" - state: started - -- name: Wait for the container to start responding on SSH - run_once: true - ansible.builtin.wait_for: - host: "{{ container_vars.ansible_host }}" - port: 22 - timeout: 400 - sleep: 2 - msg: "Container {{ container_vars.ansible_hostname }} did not start responding on SSH in time." \ No newline at end of file 
diff --git a/roles/app-container/tasks/getssl.yaml b/roles/app-container/tasks/getssl.yaml new file mode 100644 index 0000000..b5a8734 --- /dev/null +++ b/roles/app-container/tasks/getssl.yaml @@ -0,0 +1,21 @@ +- name: Touch passthrough config file + ansible.builtin.file: + path: "/etc/pve/getssl-containers/{{ app_container_info.vmid }}.json" + state: touch + +- name: Create passthrough config file + ansible.builtin.copy: + force: true + dest: "/etc/pve/getssl-containers/{{ app_container_info.vmid }}.json" + content: "{{ lookup('template', 'getssl-config.j2', template_vars=container_vars) }}" + +- name: Create mount directory + ansible.builtin.file: + path: "/var/lib/getssl/{{ app_container_info.vmid }}" + owner: root + group: root + state: directory + +- name: Copy certificates + ansible.builtin.command: + cmd: "getssl-copy-container {{ app_container_info.vmid }}" \ No newline at end of file diff --git a/roles/app-container/tasks/main.yaml b/roles/app-container/tasks/main.yaml index dbc0b4c..cf96cd1 100644 --- a/roles/app-container/tasks/main.yaml +++ b/roles/app-container/tasks/main.yaml 
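Review bot: "Create mount directory" sets owner and group but no `mode`, so the permissions of `/var/lib/getssl/<vmid>` depend on the umask of the Ansible process, and this directory is what the container sees as its certificate mount point. Set it explicitly — `mode: "0755"` if the mapped container user is meant to traverse it as "other", since the directory is root:root — and note in a comment that key confidentiality then rests on the per-file mode, which getssl-copy-container has to apply. "Copy certificates" is a bare `command` and reports changed on every run; add `changed_when: false` or compare the files it writes. The `state: touch` before the `copy` into /etc/pve is presumably a pmxcfs workaround; a one-line comment saying so would stop the next reader from removing it.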
@@ -1,10 +1,30 @@ - name: Create container - when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node ansible.builtin.include_tasks: file: container.yaml vars: container_vars: "{{ hostvars[container_inventory_name] }}" +- name: Configure SSL certificates passthrough + when: hostvars[container_inventory_name].app_container_getssl_certificates is defined + ansible.builtin.include_tasks: + file: getssl.yaml + vars: + container_vars: "{{ hostvars[container_inventory_name] }}" + +- name: Configure mapped UID/GID + when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node + ansible.builtin.include_tasks: + file: uid-gid-mapping.yaml + vars: + container_vars: "{{ hostvars[container_inventory_name] }}" + +- name: Start container + when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node + ansible.builtin.include_tasks: + file: start.yaml + vars: + container_vars: "{{ hostvars[container_inventory_name] }}" + - name: Initialize container when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node ansible.builtin.include_tasks: diff --git a/roles/app-container/tasks/start.yaml b/roles/app-container/tasks/start.yaml new file mode 100644 index 0000000..0736d08 --- /dev/null +++ b/roles/app-container/tasks/start.yaml 
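Review bot: "Configure mapped UID/GID" is restricted to `app_container_pve_node`, but the tasks it includes write `/etc/subuid` and `/etc/subgid`, which are node-local, whereas the container config they rewrite lives in the shared /etc/pve. If these containers are ever migrated (the inventory in this series configures replication nodes and an HA group for them), the target node has the `lxc.idmap` lines but no matching subuid/subgid allocation and the container cannot start there. Consider keeping the `when:` only on the config-file rewrite inside uid-gid-mapping.yaml and letting the two `lineinfile` tasks run on every pve node, the way the getssl passthrough include above already runs unrestricted.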
@@ -0,0 +1,26 @@ +- name: Stop the container if it's started and definition has changed + when: app_container_before_pct.content != app_container_after_pct.content and app_container_info.status == 'running' and (container_vars.app_container_autorestart_enabled | default(false)) + community.general.proxmox: + api_user: root@pam + api_password: "{{ users_root_password }}" + api_host: "localhost" + hostname: "{{ container_vars.ansible_hostname }}" + state: stopped + +- name: Start container + run_once: true + community.general.proxmox: + api_user: root@pam + api_password: "{{ hostvars[container_vars.app_container_pve_node].users_root_password }}" + api_host: "localhost" + hostname: "{{ container_vars.ansible_hostname }}" + state: started + +- name: Wait for the container to start responding on SSH + run_once: true + ansible.builtin.wait_for: + host: "{{ container_vars.ansible_host }}" + port: 22 + timeout: 400 + sleep: 2 + msg: "Container {{ container_vars.ansible_hostname }} did not start responding on SSH in time." \ No newline at end of file diff --git a/roles/app-container/tasks/uid-gid-mapping.yaml b/roles/app-container/tasks/uid-gid-mapping.yaml new file mode 100644 index 0000000..f9f123d --- /dev/null +++ b/roles/app-container/tasks/uid-gid-mapping.yaml 
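Review bot: "Start container" now carries `run_once: true` while it inherits `when: inventory_hostname == ...app_container_pve_node` from the include in main.yaml; Ansible evaluates the conditional of a run_once task with the variables of the first host in the batch only, so whenever the first pve node is not the owner the task is skipped for everyone and the container stays stopped. Drop `run_once` here — the inherited `when:` already limits the task to one host — and the same applies to "Wait for the container to start responding on SSH". The stop and start tasks also fetch the API password differently (`users_root_password` vs `hostvars[container_vars.app_container_pve_node].users_root_password`); on the owner node these are the same value, so use one form.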
@@ -0,0 +1,28 @@ +- name: Load current container config file + register: app_container_config + ansible.builtin.slurp: + path: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" + +- name: Update config with lxc.idmap + ansible.builtin.copy: + force: true + dest: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" + content: "{{ lookup('template', 'lxc-idmap.j2', template_vars=dict(current_config=(app_container_config.content | b64decode)) | combine(container_vars)) }}" + +- name: Add mapped uids to setuid + loop: "{{ container_vars.app_container_mapped_uids | default([]) }}" + loop_control: + loop_var: uid + ansible.builtin.lineinfile: + path: /etc/subuid + create: false + line: "root:{{ uid }}:1" + +- name: Add mapped gids to setgid + loop: "{{ container_vars.app_container_mapped_gids | default([]) }}" + loop_control: + loop_var: gid + ansible.builtin.lineinfile: + path: /etc/subgid + create: false + line: "root:{{ gid }}:1" diff --git a/roles/app-container/templates/getssl-config.j2 b/roles/app-container/templates/getssl-config.j2 new file mode 100644 index 0000000..30bf95b --- /dev/null +++ b/roles/app-container/templates/getssl-config.j2 @@ -0,0 +1,17 @@ +[ + {% for cert in app_container_getssl_certificates %} + { + "name": "{{ cert.name }}", + "cert_filename": "{{ cert.cert_filename }}", + "key_filename": "{{ cert.key_filename }}", + "fullchain_filename": "{{ cert.fullchain_filename }}", + "user": "{{ cert.user }}", + "group": "{{ cert.group }}", + "permissions": "{{ cert.permissions | default('0440') }}" + {% if loop.last %} + } + {% else %} + }, + {% endif %} + {% endfor %} +] \ No newline at end of file diff --git a/roles/app-container/templates/lxc-idmap.j2 b/roles/app-container/templates/lxc-idmap.j2 new file mode 100644 index 0000000..5f7f2c0 --- /dev/null +++ b/roles/app-container/templates/lxc-idmap.j2 
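Review bot: These tasks deliberately give up part of the unprivileged-container isolation — every mapped id becomes an identity mapping (`lxc.idmap: u <uid> <uid> 1` in lxc-idmap.j2), so the container's user 7000 is the host's user 7000 — and nothing in the file says so. A header comment along the lines of `# Mapped uids/gids are identity-mapped into the container so bind-mounted files can be owned by the same id on both sides; keep them unique per container and never map root or other system ids` would make the trade-off explicit. The `lineinfile` tasks only add lines, so an id removed from the vars stays allocated in /etc/subuid and /etc/subgid; mention that in the same comment or add a cleanup step.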
@@ -0,0 +1,35 @@ +{% for line in current_config | split("\n") %} +{% if not line | regex_search("^lxc\.idmap:") %} +{{ line }} +{% endif %} +{% endfor %} + +{% if app_container_mapped_uids is defined and app_container_mapped_uids | length > 0 %} +{%- set sorted_uids = app_container_mapped_uids | sort %} +lxc.idmap: u 0 100000 {{ sorted_uids | first }} +{% for uid in sorted_uids %} +lxc.idmap: u {{ uid }} {{ uid }} 1 +{% if not loop.last %} +{% if sorted_uids[loop.index0 + 1] - uid > 1 %} +lxc.idmap: u {{ uid + 1 }} {{ uid + 100000 + 1 }} {{ sorted_uids[loop.index0 + 1] - uid - 1 }} +{% endif %} +{% else %} +lxc.idmap: u {{ uid + 1 }} {{ uid + 100000 + 1 }} {{ 65535 - uid - 1 }} +{% endif %} +{% endfor %} +{% endif %} + +{% if app_container_mapped_gids is defined and app_container_mapped_gids | length > 0 %} +{%- set sorted_gids = app_container_mapped_gids | sort %} +lxc.idmap: g 0 100000 {{ sorted_gids | first }} +{% for gid in sorted_gids %} +lxc.idmap: g {{ gid }} {{ gid }} 1 +{% if not loop.last %} +{% if sorted_gids[loop.index0 + 1] - gid > 1 %} +lxc.idmap: g {{ gid + 1 }} {{ gid + 100000 + 1 }} {{ sorted_gids[loop.index0 + 1] - gid - 1 }} +{% endif %} +{% else %} +lxc.idmap: g {{ gid + 1 }} {{ gid + 100000 + 1 }} {{ 65535 - gid - 1 }} +{% endif %} +{% endfor %} +{% endif %} \ No newline at end of file diff --git a/roles/app-container/templates/pct-set.j2 b/roles/app-container/templates/pct-set.j2 index fa951d6..ba65a0f 100644 --- a/roles/app-container/templates/pct-set.j2 +++ b/roles/app-container/templates/pct-set.j2 
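Review bot: The rewrite does not look idempotent: `current_config | split("\n")` on a file that ends with a newline yields a trailing empty element, which the loop emits as a blank line, and the template adds another blank line before each idmap section, so each run appears to append blank lines and the `copy` task in uid-gid-mapping.yaml keeps reporting changed. Trimming first, `{% for line in current_config | trim | split("\n") %}`, and dropping the extra blank lines would make the output converge. The last range uses `65535 - uid - 1`, which stops at container id 65534; compared with the default 65536-id range that leaves id 65535 unmapped — harmless for Debian's nobody (65534), but worth a comment if intentional. The template also assumes the container's base mapping starts at 100000; state that assumption in a comment at the top.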
@@ -10,6 +10,9 @@ pct set {{ app_container_id }} --mp{{ loop.index - 1 }} "{{ mount.zfs_pool }}:{{ zfs_dataset_name }},size={{ mount.size }},replicate={{ '1' if (mount.replicate | default(true)) else '0' }},,mp={{ mount.target_path }}" {%- endif %} {%- endfor %} + {%- if app_container_getssl_certificates is defined %} + --mp{{ app_container_mounts | default([]) | length }} "/var/lib/getssl/{{ app_container_id }},mp={{ app_container_getssl_mountpoint | default('/getssl') }},replicate=0" + {%- endif %} {%- for nic in app_container_network_interfaces %} --net{{ loop.index - 1 }} "name={{ nic.name }},bridge={{ nic.bridge }},ip={{ nic.ipv4_address }}{{ ",gw=" + nic.ipv4_gateway if (nic.ipv4_gateway | default("")) != "" else "" }}" {%- endfor %} @@ -17,11 +20,11 @@ pct set {{ app_container_id }} --onboot {{ '1' if (app_container_start_onboot | default(true)) else '0' }} {%- endif %} {%- if app_container_protection is defined %} - --protection {{ '1' if app_container_protection else '0' }} \ + --protection {{ '1' if app_container_protection else '0' }} {%- endif %} {%- if app_container_startup_order is defined %} - --startup {{ app_container_startup_order }} \ + --startup {{ app_container_startup_order }} {%- endif %} {%- if app_container_swap is defined %} - --swap {{ app_container_swap }} \ + --swap {{ app_container_swap }} {%- endif %} \ No newline at end of file diff --git a/roles/app-pomerium/templates/config.j2 b/roles/app-pomerium/templates/config.j2 index cb4652f..349f9c3 100644 --- a/roles/app-pomerium/templates/config.j2 +++ b/roles/app-pomerium/templates/config.j2 
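Review bot: The getssl bind mount is added read-write, but the container only needs to read the files that getssl-copy-container writes from the host side; add `ro=1` so a process inside the container cannot alter or replace its own certificate files: `--mp{{ app_container_mounts | default([]) | length }} "/var/lib/getssl/{{ app_container_id }},mp={{ app_container_getssl_mountpoint | default('/getssl') }},replicate=0,ro=1"`. The slot index is derived from the current length of `app_container_mounts`, so removing a data mount later moves the getssl mount to a different `--mp` and leaves the old entry in place; a comment noting this, or a reserved fixed index, avoids the surprise.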
@@ -1,8 +1,12 @@ authenticate_service_url: https://{{ app_pomerium_hostname }} -autocert: true -autocert_email: {{ app_pomerium_letsencrypt_email }} -autocert_use_staging: {{ app_pomerium_letsencrypt_use_staging }} +autocert: false + +certificates: +{% for cert in app_pomeriums_certificates %} + - cert: '{{ cert.fullchain_path }}' + key: '{{ cert.key_path }}' +{% endfor %} idp_provider: {{ app_pomerium_idp_provider }} idp_provider_url: '{{ app_pomerium_idp_provider_url }}' diff --git a/roles/pve_cluster_getssl/files/getssl-copy-container-all.sh b/roles/pve_cluster_getssl/files/getssl-copy-container-all.sh new file mode 100644 index 0000000..5c86ddf --- /dev/null +++ b/roles/pve_cluster_getssl/files/getssl-copy-container-all.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +CONTAINER_CONFIGS=$(ls -l /etc/pve/getssl-containers/*.json 2>/dev/null | cut -d' ' -f9) + +for CONTAINER_CONFIG in $CONTAINER_CONFIGS +do + CONTAINER_ID="${CONTAINER_CONFIG%.*}" + getssl-copy-container $CONTAINER_ID || echo "Failure is ignored on purpose" +done diff --git a/roles/pve_cluster_getssl/files/getssl-copy-container.sh b/roles/pve_cluster_getssl/files/getssl-copy-container.sh new file mode 100644 index 0000000..4c7e389 --- /dev/null +++ b/roles/pve_cluster_getssl/files/getssl-copy-container.sh 
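Review bot: `CONTAINER_ID="${CONTAINER_CONFIG%.*}"` only strips the extension, so the value handed to getssl-copy-container is the full path `/etc/pve/getssl-containers/<vmid>`; that script then looks for `/etc/pve/getssl-containers//etc/pve/getssl-containers/<vmid>.json`, finds nothing and exits 0, so the nightly cron job never copies anything. Parsing `ls -l` with `cut -d' ' -f9` is also unreliable because `ls` pads its columns with several spaces. Iterate the glob directly and take the basename:
```shell
#!/usr/bin/env bash

for CONTAINER_CONFIG in /etc/pve/getssl-containers/*.json; do
  [ -e "$CONTAINER_CONFIG" ] || continue   # glob did not match: no containers configured
  CONTAINER_ID="$(basename "$CONTAINER_CONFIG" .json)"
  getssl-copy-container "$CONTAINER_ID" || echo "Failure is ignored on purpose"
done
```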
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+set -e
+
+CONTAINER_ID=$1
+
+CONFIG_FILE="/etc/pve/getssl-containers/$CONTAINER_ID.json"
+MOUNTPOINTS_ROOT="/var/lib/getssl" # /$CONTAINER_ID
+
+# Check if config file exists
+if ! test -f $CONFIG_FILE; then
+ exit 0
+fi
+
+function getCertField() {
+ CERT_NAME=$1
+ FIELD_NAME=$2
+ CONFIG_FILE=$3
+
+ VALUE=$(jq -r ".[] | select(.name == \"$CERT_NAME\").$FIELD_NAME" $CONFIG_FILE)
+
+ if [ -z "$VALUE" ]; then
+ echo "The field $FIELD_NAME is mandatory"
+ exit 1
+ fi
+
+ echo "$VALUE"
+}
+
+CERTIFICATES=$(jq -r '.[].name' $CONFIG_FILE)
+
+for CERT in $CERTIFICATES
+do
+ CERT_TARGET_NAME=$(getCertField "$CERT" "cert_filename" "$CONFIG_FILE")
+ KEY_TARGET_NAME=$(getCertField "$CERT" "key_filename" "$CONFIG_FILE")
+ FULLCHAIN_TARGET_NAME=$(getCertField "$CERT" "fullchain_filename" "$CONFIG_FILE")
+ OWNER=$(getCertField "$CERT" "user" $CONFIG_FILE)
+ GROUP=$(getCertField "$CERT" "group" $CONFIG_FILE)
+ PERMS=$(getCertField "$CERT" "mode" $CONFIG_FILE)
+
+ # Copy files with new names
+ cp "/etc/pve/getssl/$CERT/fullchain.crt" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$FULLCHAIN_TARGET_NAME.tmp"
+ cp "/etc/pve/getssl/$CERT/$CERT.crt" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$CERT_TARGET_NAME.tmp"
+ cp "/etc/pve/getssl/$CERT/$CERT.key" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$KEY_TARGET_NAME.tmp"
+
+ # Change permissions
+ chown "$OWNER" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$FULLCHAIN_TARGET_NAME.tmp"
+ chown "$OWNER" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$CERT_TARGET_NAME.tmp"
+ chown "$OWNER" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$KEY_TARGET_NAME.tmp"
+
+ chgrp "$GROUP" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$FULLCHAIN_TARGET_NAME.tmp"
+ chgrp "$GROUP" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$CERT_TARGET_NAME.tmp"
+ chgrp "$GROUP" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$KEY_TARGET_NAME.tmp"
+
+ # Overwrite the files
+ mv "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$FULLCHAIN_TARGET_NAME.tmp" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$FULLCHAIN_TARGET_NAME"
+ mv "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$CERT_TARGET_NAME.tmp" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$CERT_TARGET_NAME"
+ mv "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$KEY_TARGET_NAME.tmp" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$KEY_TARGET_NAME"
+done
\ No newline at end of file
diff --git a/roles/pve_cluster_getssl/files/getssl-copy-pveproxy.sh b/roles/pve_cluster_getssl/files/getssl-copy-pveproxy.sh
new file mode 100644
index 0000000..7cf883d
--- /dev/null
+++ b/roles/pve_cluster_getssl/files/getssl-copy-pveproxy.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+UPDATE=false
+NODE_NAME=$(hostname)
+GETSSL_CERTNAME=$1
+
+PROXY_PEM_HASH=$(sha1sum "/etc/pve/nodes/$NODE_NAME/pveproxy-ssl.pem" 2>/dev/null)
+PROXY_KEY_HASH=$(sha1sum "/etc/pve/nodes/$NODE_NAME/pveproxy-ssl.key" 2>/dev/null)
+
+GETSSL_PEM_HASH=$(sha1sum "/etc/pve/getssl/$GETSSL_CERTNAME/fullchain.crt" 2>/dev/null)
+GETSSL_KEY_HASH=$(sha1sum "/etc/pve/getssl/$GETSSL_CERTNAME/$GETSSL_CERTNAME.key" 2>/dev/null)
+
+if [ "$PROXY_PEM_HASH" == "" ] || [ "$PROXY_KEY_HASH" == "" ] || [ "$PROXY_PEM_HASH" != "$GETSSL_PEM_HASH" ] || [ "$PROXY_KEY_HASH" != "$GETSSL_KEY_HASH" ]; then
+ echo "Updating certificates..."
+ cp /etc/pve/getssl/$GETSSL_CERTNAME/fullchain.crt /etc/pve/nodes/$NODE_NAME/pveproxy-ssl.pem
+ cp /etc/pve/getssl/$GETSSL_CERTNAME/$GETSSL_CERTNAME.key /etc/pve/nodes/$NODE_NAME/pveproxy-ssl.key
+
+ systemctl restart pveproxy
+fi
\ No newline at end of file
diff --git a/roles/pve_cluster_getssl/tasks/configure.yaml b/roles/pve_cluster_getssl/tasks/configure.yaml
new file mode 100644
index 0000000..448929f
--- /dev/null
+++ b/roles/pve_cluster_getssl/tasks/configure.yaml
@@ -0,0 +1,45 @@ +- name: Create workdir in proxmox cluster fs + ansible.builtin.file: + path: "/etc/pve/getssl" + state: directory + +- name: Create containers mapping directory + ansible.builtin.file: + path: "/etc/pve/getssl-containers" + state: directory + +- name: Create configuration directory for each certificate + loop: "{{ getssl_certificates }}" + loop_control: + loop_var: certificate + ansible.builtin.file: + path: "/etc/pve/getssl/{{ certificate.domain }}" + state: directory + +- name: Touch global configuration file + ansible.builtin.file: + path: /etc/pve/getssl/getssl.cfg + state: touch + +- name: Create global configuration file + ansible.builtin.copy: + dest: /etc/pve/getssl/getssl.cfg + content: "{{ lookup('template', 'getssl-root.j2') }}" + force: true + +- name: Touch certificate configuration files + loop: "{{ getssl_certificates }}" + loop_control: + loop_var: certificate + ansible.builtin.file: + path: "/etc/pve/getssl/{{ certificate.domain }}/getssl.cfg" + state: touch + +- name: Create certificate configuration files + loop: "{{ getssl_certificates }}" + loop_control: + loop_var: certificate + ansible.builtin.copy: + dest: "/etc/pve/getssl/{{ certificate.domain }}/getssl.cfg" + content: "{{ lookup('template', 'getssl-certificate.j2', template_vars=certificate) }}" + force: true diff --git a/roles/pve_cluster_getssl/tasks/cron.yaml b/roles/pve_cluster_getssl/tasks/cron.yaml new file mode 100644 index 0000000..33bd27f --- /dev/null +++ b/roles/pve_cluster_getssl/tasks/cron.yaml 
@@ -0,0 +1,26 @@ +- name: Create cron for automated certificate renewal + ansible.builtin.cron: + name: "getssl-renewal" + cron_file: getssl-renewal + user: root + job: "/usr/bin/getssl -u -a -w /etc/pve/getssl &>> /var/log/getssl.log" + hour: "{{ getssl_cron_renewal_hour | default(17) }}" + minute: 0 + +- name: Create cron for automated certificate push to the containers + ansible.builtin.cron: + name: "getssl-containers" + cron_file: getssl-containers + user: root + job: "/usr/bin/getssl-copy-container-all &>> /var/log/getssl-containers.log" + hour: 20 + minute: 0 + +- name: Create cron to update pve proxy certificate + ansible.builtin.cron: + name: "getssl-pveproxy" + cron_file: getssl-pveproxy + user: root + job: "/usr/bin/getssl-copy-pveproxy \"{{ (getssl_certificates | selectattr('pveproxy', 'defined') | selectattr('pveproxy', 'equalto', true) | first).domain }}\" &>> /var/log/getssl-pveproxy.log" + hour: 23 + minute: 0 \ No newline at end of file diff --git a/roles/pve_cluster_getssl/tasks/main.yaml b/roles/pve_cluster_getssl/tasks/main.yaml new file mode 100644 index 0000000..92a9898 --- /dev/null +++ b/roles/pve_cluster_getssl/tasks/main.yaml @@ -0,0 +1,28 @@ +- name: Install required packages + ansible.builtin.apt: + name: jq # Required for parsing the config files + +- name: Install getssl + ansible.builtin.apt: + deb: "https://github.com/srvrco/getssl/releases/download/v{{ getssl_version }}/getssl_{{ getssl_version }}-1_all.deb" + +- name: Configure getssl + run_once: true + ansible.builtin.include_tasks: + file: configure.yaml + +- name: Create copy scripts + ansible.builtin.include_tasks: + file: scripts.yaml + +- name: Create cron jobs + ansible.builtin.include_tasks: + file: cron.yaml + +- name: Issue certificates + run_once: true + loop: "{{ getssl_certificates }}" + loop_control: + loop_var: certificate + ansible.builtin.command: + cmd: "getssl {{ certificate.domain }} -w /etc/pve/getssl" \ No newline at end of file 
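Review bot: `&>>` in all three `job:` strings is a bash-only redirection; cron on Debian runs jobs with /bin/sh (dash) unless `SHELL` is set in the cron file, and dash parses `cmd &>> file` as `cmd &` followed by an empty command redirected to the file, so the renewal runs in the background with its output discarded and the log files stay empty. Use the POSIX form on all three jobs, e.g. `job: "/usr/bin/getssl -u -a -w /etc/pve/getssl >> /var/log/getssl.log 2>&1"`. The `(... | selectattr('pveproxy', 'equalto', true) | first).domain` expression raises at template time when no certificate has `pveproxy: true`; guard the task with a `when:` on that selection being non-empty.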
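Review bot: "Install getssl" hands `apt` a URL on GitHub releases with no integrity check, so whatever is served at that URL at install time is installed as root on every cluster node; download it first with `ansible.builtin.get_url` and `checksum: "sha256:<expected-digest-placeholder>"` (or verify the release signature) and point `deb:` at the local file. "Issue certificates" runs `getssl <domain>` on every play and always reports changed; `getssl` itself decides whether to renew, so add `changed_when: false`, or gate it with `args: creates: "/etc/pve/getssl/{{ certificate.domain }}/{{ certificate.domain }}.crt"` (the path the copy scripts read) and leave renewals to the cron job. A short comment on "Configure getssl" explaining why `run_once` is safe there (the working directory is the shared /etc/pve) would help the next reader.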
diff --git a/roles/pve_cluster_getssl/tasks/scripts.yaml b/roles/pve_cluster_getssl/tasks/scripts.yaml new file mode 100644 index 0000000..ac984b3 --- /dev/null +++ b/roles/pve_cluster_getssl/tasks/scripts.yaml @@ -0,0 +1,11 @@ +- name: Copy script files + ansible.builtin.copy: + dest: "/usr/bin/{{ item }}" + content: "{{ lookup('file', item + '.sh') }}" + owner: root + group: root + mode: "0750" + loop: + - getssl-copy-container + - getssl-copy-container-all + - getssl-copy-pveproxy diff --git a/roles/pve_cluster_getssl/templates/getssl-certificate.j2 b/roles/pve_cluster_getssl/templates/getssl-certificate.j2 new file mode 100644 index 0000000..ee44709 --- /dev/null +++ b/roles/pve_cluster_getssl/templates/getssl-certificate.j2 @@ -0,0 +1,5 @@ +VALIDATE_VIA_DNS="true" + +{%- if certificate.additional_domains is defined %} +SANS="{{ certificate.additional_domains | join(",") }}" +{% endif %} diff --git a/roles/pve_cluster_getssl/templates/getssl-root.j2 b/roles/pve_cluster_getssl/templates/getssl-root.j2 new file mode 100644 index 0000000..1943b04 --- /dev/null +++ b/roles/pve_cluster_getssl/templates/getssl-root.j2 @@ -0,0 +1,19 @@ +CA="https://acme-staging-v02.api.letsencrypt.org" +#CA="https://acme-v02.api.letsencrypt.org" + +ACCOUNT_EMAIL="{{ getssl_acme_email }}" +ACCOUNT_KEY_LENGTH=4096 + +PRIVATE_KEY_ALG="rsa" + +RENEW_ALLOW="30" + +SERVER_TYPE="https" +CHECK_REMOTE="true" + +VALIDATE_VIA_DNS="true" +DNS_ADD_COMMAND=/usr/share/getssl/dns_scripts/dns_add_cloudflare +DNS_DEL_COMMAND=/usr/share/getssl/dns_scripts/dns_del_cloudflare + +export CF_EMAIL="{{ getssl_cloudflare_email }}" +export CF_API_TOKEN="{{ getssl_cloudflare_api_token }}" \ No newline at end of file From c10eb9cab25ccb5f5a5fc1873fcb0b31ef8d8364 Mon Sep 17 00:00:00 2001 
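Review bot: `CA` is hard-coded to the Let's Encrypt staging endpoint with the production URL commented out, so every node will issue certificates that clients do not trust; make the choice a variable, e.g. `CA="{{ 'https://acme-staging-v02.api.letsencrypt.org' if (getssl_acme_use_staging | default(true)) else 'https://acme-v02.api.letsencrypt.org' }}"` (variable name is a suggestion), defaulting to staging only for the lab environment. The rendered file also exports the Cloudflare API token onto the pmxcfs cluster filesystem, where files are root:www-data with mode 0640 and thus readable by the pveproxy service account, and getssl keeps its account key under the same `-w` directory; since getssl sources this file as shell, the two `export` lines could instead live in a root-only node-local file that this config sources, leaving only non-secret settings in /etc/pve. A comment at the top of the template stating that it is rendered into /etc/pve and shared by all nodes would make that exposure visible.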
From: Lukas Holota Date: Mon, 11 Mar 2024 15:13:21 +0100 Subject: [PATCH 23/51] MQTT added --- .../lab/host_vars/app_mqtt_primary.yaml | 19 ++++++++++++ environments/lab/hosts.yaml | 5 ++- playbooks/apps/mqtt.yaml | 31 +++++++++++++++++++ playbooks/apps/pomerium.yaml | 9 +++--- roles/app-mosquitto/tasks/main.yaml | 6 ++++ 5 files changed, 64 insertions(+), 6 deletions(-) create mode 100644 environments/lab/host_vars/app_mqtt_primary.yaml create mode 100644 playbooks/apps/mqtt.yaml create mode 100644 roles/app-mosquitto/tasks/main.yaml diff --git a/environments/lab/host_vars/app_mqtt_primary.yaml b/environments/lab/host_vars/app_mqtt_primary.yaml new file mode 100644 index 0000000..429a9a9 --- /dev/null +++ b/environments/lab/host_vars/app_mqtt_primary.yaml @@ -0,0 +1,19 @@ +ansible_host: 10.1.8.132 +ansible_hostname: mqtt-lab +fqdn: mqtt-lab.homecentr.one + +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 512 +app_container_storage_name: dpool +app_container_storage_size_gb: 10 +app_container_pve_replication_cron_expression: "*/5" +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.132/24 + ipv4_gateway: 10.1.8.1 + +app_container_pve_node: pve1 +app_container_pve_ha_group_name: non-critical +app_container_pve_replication_nodes: + - pve2 diff --git a/environments/lab/hosts.yaml b/environments/lab/hosts.yaml index 77e1dfa..f2e9d39 100644 --- a/environments/lab/hosts.yaml +++ b/environments/lab/hosts.yaml @@ -14,4 +14,7 @@ all: app_pomerium: hosts: app_pomerium_primary: - app_pomerium_secondary: \ No newline at end of file + app_pomerium_secondary: + app_mqtt: + hosts: + app_mqtt_primary: \ No newline at end of file diff --git a/playbooks/apps/mqtt.yaml b/playbooks/apps/mqtt.yaml new file mode 100644 index 0000000..d9e99ec --- /dev/null +++ b/playbooks/apps/mqtt.yaml 
@@ -0,0 +1,31 @@ +- name: Create application container + hosts: pve_nodes + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Create application container + loop: "{{ groups['app_mqtt'] }}" + loop_control: + loop_var: container_inventory_name + ansible.builtin.include_role: + name: ../../roles/app-container + vars: + container_inventory_name: "{{ container_inventory_name }}" + tags: [ container ] + +- name: Setup Pomerium containers + hosts: app_mqtt + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Run common set up + ansible.builtin.include_tasks: + file: _common.yaml + tags: [ common ] + + - name: Install Mosquitto + ansible.builtin.import_role: + name: ../../roles/app-mosquitto + tags: [ mosquitto ] diff --git a/playbooks/apps/pomerium.yaml b/playbooks/apps/pomerium.yaml index deec4e7..6b3f9e7 100644 --- a/playbooks/apps/pomerium.yaml +++ b/playbooks/apps/pomerium.yaml @@ -15,7 +15,7 @@ tags: [ container ] - name: Setup Pomerium containers - hosts: app_pomerium_primary # TODO: Replace with group + hosts: app_pomerium become: true become_method: ansible.builtin.sudo any_errors_fatal: true @@ -29,18 +29,17 @@ ansible.builtin.group: name: pomerium gid: 7000 + tags: [ pomerium ] - name: Create pomerium user with fixed UID ansible.builtin.user: name: pomerium group: pomerium uid: 7000 - create_home: false + create_home: true + tags: [ pomerium ] - name: Install pomerium ansible.builtin.import_role: name: ../../roles/app-pomerium tags: [ pomerium ] - - # TODO: Copy certificate - # use delegate to \ No newline at end of file diff --git a/roles/app-mosquitto/tasks/main.yaml b/roles/app-mosquitto/tasks/main.yaml new file mode 100644 index 0000000..b44673a --- /dev/null +++ b/roles/app-mosquitto/tasks/main.yaml @@ -0,0 +1,6 @@ +- name: Install Mosquitto + ansible.builtin.apt: + name: mosquitto + state: present + +# TODO: Config file \ No newline at end of file 
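Review bot: The second play in playbooks/apps/mqtt.yaml is named `Setup Pomerium containers` although it targets `app_mqtt` and installs Mosquitto, which makes the play log misleading; rename it to `- name: Setup MQTT containers`. The `Run common set up` task uses `ansible.builtin.include_tasks` with `tags: [ common ]`, and because tags on a dynamic include do not propagate to the included tasks, a `--tags common` run enters the include and then skips everything in `_common.yaml`; `ansible.builtin.import_tasks` (the file already uses `import_role` for the role) avoids that.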
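Review bot: roles/app-mosquitto/tasks/main.yaml installs the package and stops at `# TODO: Config file`, so the broker runs with whatever the distribution default configuration is and nothing in the role pins a listener or authentication. When the config task is added, keep `allow_anonymous false` together with a `password_file` (and a TLS listener if clients cross subnets), and have the task notify a restart handler so config changes take effect. Until then, expanding the TODO to name the expected settings would keep the broker from being left open by accident when a listener is added.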
From b12c841c8b43f86e254e3c3481be304a9af9caf1 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Mon, 11 Mar 2024 18:28:07 +0100 Subject: [PATCH 24/51] Before switch to pihole --- .../lab/group_vars/pve_nodes/firewall.yaml | 120 +++++++++++++----- ...mqtt_primary.yaml => app_mqtt_single.yaml} | 0 .../lab/host_vars/app_pihole_single.yaml | 23 ++++ environments/lab/hosts.yaml | 11 +- playbooks/_all.yaml | 1 + .../templates/firewall-file.j2 | 6 +- roles/pve_firewall_common/templates/ipset.j2 | 2 +- .../templates/partials/destination.j2 | 4 +- 8 files changed, 122 insertions(+), 45 deletions(-) rename environments/lab/host_vars/{app_mqtt_primary.yaml => app_mqtt_single.yaml} (100%) create mode 100644 environments/lab/host_vars/app_pihole_single.yaml diff --git a/environments/lab/group_vars/pve_nodes/firewall.yaml b/environments/lab/group_vars/pve_nodes/firewall.yaml index abcc8b0..685f7c3 100644 --- a/environments/lab/group_vars/pve_nodes/firewall.yaml +++ b/environments/lab/group_vars/pve_nodes/firewall.yaml 
@@ -1,45 +1,95 @@ pve_cluster_firewall_enabled: false pve_cluster_firewall_aliases: - - name: some-alias - cidr: 10.1.3.0/24 # must be an ip or cidr => cidr + - name: subnet-home + cidr: 10.1.3.0/24 + - name: subnet-services + cidr: 10.1.8.0/24 + + - name: pve1 + cidr: 10.1.8.11/32 + - name: pve2 + cidr: 10.1.8.12/32 + - name: pve3 + cidr: 10.1.8.13/32 + + - name: mqtt + cidr: 10.1.8.132/32 + - name: pomerium1 + cidr: 10.1.8.130/32 + - name: pomerium2 + cidr: 10.1.8.131/32 pve_cluster_firewall_ipsets: - - name: some-ipset + - name: management + items: + - type: alias + name: subnet-home + - name: proxmox + items: + - type: alias + name: pve1 + - type: alias + name: pve2 + - type: alias + name: pve3 + - name: pomerium + items: + - type: alias + name: pomerium1 + - type: alias + name: pomerium2 + - name: mqtt items: - type: alias - name: some-alias - - type: cidr - cidr: 10.1.8.0/24 # type cidr should be default + name: mqtt -pve_cluster_firewall_security_groups: - - name: my-group - rules: - - direction: IN - type: macro - name: SSH - action: ACCEPT - source: - type: ipset - name: some-ipset - destination: 10.1.8.0/24 # optional +pve_cluster_firewall_security_groups: [] + # - name: my-group + # rules: + # - direction: IN + # type: macro + # name: SSH + # action: ACCEPT + # source: + # type: ipset + # name: some-ipset + # destination: 10.1.8.0/24 # optional - - enabled: false # default = true - direction: IN - action: ACCEPT - protocol: TCP - source_port: 25 - destination_port: http - source: # might be: ipset (+), alias (dc/), comma-separated list of ips or most likely also a cidr - type: alias - name: some-alias - destination: 10.1.8.0/24 + # - enabled: false # default = true + # direction: IN + # action: ACCEPT + # protocol: TCP + # source_port: 25 + # destination_port: http + # source: # might be: ipset (+), alias (dc/), comma-separated list of ips or most likely also a cidr + # type: alias + # name: some-alias + # destination: 10.1.8.0/24 
-pve_cluster_firewall_rules: - - direction: IN - action: ACCEPT - macro: SSH - source: - type: ipset - name: some-ipset - destination: 10.1.8.0/24 # optional \ No newline at end of file +# pve_cluster_firewall_rules: + # - direction: IN + # action: ACCEPT + # macro: SSH + # source: + # type: alias + # name: subnet-home + # - direction: IN + # action: ACCEPT + # macro: HTTPS + # destination: + # type: ipset + # name: management + # source: + # type: alias + # name: subnet-home + # - direction: IN + # action: ACCEPT + # destination_port: 8006 + # protocol: TCP + # destination: + # type: ipset + # name: management + # source: + # type: alias + # name: subnet-home \ No newline at end of file diff --git a/environments/lab/host_vars/app_mqtt_primary.yaml b/environments/lab/host_vars/app_mqtt_single.yaml similarity index 100% rename from environments/lab/host_vars/app_mqtt_primary.yaml rename to environments/lab/host_vars/app_mqtt_single.yaml diff --git a/environments/lab/host_vars/app_pihole_single.yaml b/environments/lab/host_vars/app_pihole_single.yaml new file mode 100644 index 0000000..18e3c3f --- /dev/null +++ b/environments/lab/host_vars/app_pihole_single.yaml @@ -0,0 +1,23 @@ +ansible_host: 10.1.8.128 +ansible_hostname: dns-lab +fqdn: dns-lab.homecentr.one + +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 512 +app_container_storage_name: dpool +app_container_storage_size_gb: 5 +app_container_pve_replication_cron_expression: "*/5" +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.128/24 + ipv4_gateway: 10.1.8.1 + +app_container_pve_node: pve1 +app_container_pve_ha_group_name: unrestricted-priority-pve1 +app_container_pve_replication_nodes: + - pve2 + +app_pihole_forwarders: + - 1.1.1.1 + - 1.0.0.1 \ No newline at end of file diff --git a/environments/lab/hosts.yaml b/environments/lab/hosts.yaml index f2e9d39..ace58fd 100644 --- a/environments/lab/hosts.yaml 
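Review bot: environments/lab/group_vars/pve_nodes/firewall.yaml now defines aliases and ipsets but keeps `pve_cluster_firewall_enabled: false`, sets `pve_cluster_firewall_security_groups: []` and comments out the whole `pve_cluster_firewall_rules` block, so none of the new sets are enforced and the file records an intended policy rather than an applied one. The commented rules for SSH, HTTPS and TCP 8006 from `subnet-home` are exactly what must exist before the flag is flipped, because the datacenter firewall's default input policy is DROP and enabling it without them locks the operators out of the nodes. Suggest uncommenting `pve_cluster_firewall_rules` first with the flag still false, verifying the rendered cluster firewall file, and only then enabling; a comment above the flag recording that order would help the next person.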
+++ b/environments/lab/hosts.yaml @@ -7,14 +7,17 @@ all: pve3: app_containers: children: - app_coredns: + # app_coredns: + # hosts: + # app_coredns_primary: + # app_coredns_secondary: + app_pihole: hosts: - app_coredns_primary: - app_coredns_secondary: + app_pihole_single: app_pomerium: hosts: app_pomerium_primary: app_pomerium_secondary: app_mqtt: hosts: - app_mqtt_primary: \ No newline at end of file + app_mqtt_single: \ No newline at end of file diff --git a/playbooks/_all.yaml b/playbooks/_all.yaml index f57532e..df8462c 100644 --- a/playbooks/_all.yaml +++ b/playbooks/_all.yaml @@ -1,4 +1,5 @@ - import_playbook: proxmox-nodes.yaml - import_playbook: proxmox-cluster.yaml - import_playbook: apps/coredns.yaml +- import_playbook: apps/mqtt.yaml - import_playbook: apps/pomerium.yaml \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/firewall-file.j2 b/roles/pve_firewall_common/templates/firewall-file.j2 index f2fcb80..0d348ba 100644 --- a/roles/pve_firewall_common/templates/firewall-file.j2 +++ b/roles/pve_firewall_common/templates/firewall-file.j2 @@ -7,7 +7,7 @@ enable: {{ '1' if pve_firewall_enabled else '0' }} {% for alias in pve_firewall_aliases %} {{ alias.name }} {{ alias.cidr }} -{%- endfor %} +{% endfor %} {%- endif %} {% for ipset in pve_firewall_ipsets | default([]) %} @@ -17,12 +17,12 @@ enable: {{ '1' if pve_firewall_enabled else '0' }} {% for group in pve_firewall_security_groups | default([]) %} {{ lookup('template', 'security-group.j2', template_vars=dict(group=group, default_scope=pve_firewall_default_scope)) }} -{%- endfor %} +{% endfor %} {%- if pve_firewall_rules | default([]) | length > 0 %} [RULES] {% for rule in pve_firewall_rules %} {{ lookup('template', 'firewall-rule.j2', template_vars=dict(rule=rule, default_scope=pve_firewall_default_scope)) }} -{%- endfor %} +{% endfor %} {%- endif %} 
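Review bot: playbooks/_all.yaml still imports `apps/coredns.yaml` while the same commit comments out the `app_coredns` group in environments/lab/hosts.yaml, so if coredns.yaml loops over `groups['app_coredns']` the way the mqtt and pihole playbooks do for their groups, the full run now fails on an undefined group before it reaches `apps/mqtt.yaml`. Either drop the `- import_playbook: apps/coredns.yaml` line together with the inventory group, or keep the group defined (even with no hosts) until the coredns playbook is removed.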
diff --git a/roles/pve_firewall_common/templates/ipset.j2 b/roles/pve_firewall_common/templates/ipset.j2 index 36a7764..71bd185 100644 --- a/roles/pve_firewall_common/templates/ipset.j2 +++ b/roles/pve_firewall_common/templates/ipset.j2 @@ -1,6 +1,6 @@ [IPSET {{ ipset.name }}] -{% for item in ipset["items"] %} +{% for item in ipset["items"] | default([]) %} {% if item.type | default("") == "alias" %} {{ item.scope | default(default_scope) }}/{{ item.name }} {% else %} diff --git a/roles/pve_firewall_common/templates/partials/destination.j2 b/roles/pve_firewall_common/templates/partials/destination.j2 index 1d03c40..9355658 100644 --- a/roles/pve_firewall_common/templates/partials/destination.j2 +++ b/roles/pve_firewall_common/templates/partials/destination.j2 @@ -1,3 +1,3 @@ -{%- if rule.source is defined %} - -dest {{ lookup('template', 'partials/host-expression.j2',template_vars=(dict(expression=rule.source, default_scope=default_scope))) }} +{%- if rule.destination is defined %} + -dest {{ lookup('template', 'partials/host-expression.j2',template_vars=(dict(expression=rule.destination, default_scope=default_scope))) }} {%- endif %} \ No newline at end of file From f680370848c576aa06d93bd016561b9ae021fb63 Mon Sep 17 00:00:00 2001 
From: Lukas Holota Date: Mon, 11 Mar 2024 21:03:46 +0100 Subject: [PATCH 25/51] Pihole working --- .../lab/host_vars/app_pihole_single.yaml | 4 +- playbooks/apps/pihole.yaml | 44 +++++++++++++++++++ roles/app-pihole/handlers/main.yaml | 3 ++ roles/app-pihole/tasks/dns.yaml | 17 +++++++ roles/app-pihole/tasks/install.yaml | 17 +++++++ roles/app-pihole/tasks/main.yaml | 30 +++++++++++++ roles/app-pihole/templates/custom-hosts.j2 | 3 ++ roles/app-pihole/templates/dnsmasq-local.j2 | 2 + roles/app-pihole/templates/setup-vars.j2 | 16 +++++++ 9 files changed, 135 insertions(+), 1 deletion(-) create mode 100644 playbooks/apps/pihole.yaml create mode 100644 roles/app-pihole/handlers/main.yaml create mode 100644 roles/app-pihole/tasks/dns.yaml create mode 100644 roles/app-pihole/tasks/install.yaml create mode 100644 roles/app-pihole/tasks/main.yaml create mode 100644 roles/app-pihole/templates/custom-hosts.j2 create mode 100644 roles/app-pihole/templates/dnsmasq-local.j2 create mode 100644 roles/app-pihole/templates/setup-vars.j2 diff --git a/environments/lab/host_vars/app_pihole_single.yaml b/environments/lab/host_vars/app_pihole_single.yaml index 18e3c3f..902642a 100644 --- a/environments/lab/host_vars/app_pihole_single.yaml +++ b/environments/lab/host_vars/app_pihole_single.yaml @@ -18,6 +18,8 @@ app_container_pve_ha_group_name: unrestricted-priority-pve1 app_container_pve_replication_nodes: - pve2 +app_pihole_version: 5.17.3 app_pihole_forwarders: - 1.1.1.1 - - 1.0.0.1 \ No newline at end of file + - 1.0.0.1 +app_pihole_local_domain: homecentr.one \ No newline at end of file diff --git a/playbooks/apps/pihole.yaml b/playbooks/apps/pihole.yaml new file mode 100644 index 0000000..aab3f53 --- /dev/null +++ b/playbooks/apps/pihole.yaml 
@@ -0,0 +1,44 @@ +- name: Create application container + hosts: pve_nodes + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Create application container + loop: "{{ groups['app_pihole'] }}" + loop_control: + loop_var: container_inventory_name + ansible.builtin.include_role: + name: ../../roles/app-container + vars: + container_inventory_name: "{{ container_inventory_name }}" + tags: [ container ] + +- name: Setup Pihole containers + hosts: app_pihole + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Run common set up + ansible.builtin.import_tasks: + file: _common.yaml + tags: [ common ] + + - name: Create pihole group + ansible.builtin.group: + name: pihole + tags: [ pihole ] + + - name: Create pihole user + ansible.builtin.user: + name: pihole + group: pihole + create_home: true + tags: [ pihole ] + + - name: Install pihole + ansible.builtin.import_role: + name: ../../roles/app-pihole + tags: [ pihole ] + \ No newline at end of file diff --git a/roles/app-pihole/handlers/main.yaml b/roles/app-pihole/handlers/main.yaml new file mode 100644 index 0000000..6456335 --- /dev/null +++ b/roles/app-pihole/handlers/main.yaml @@ -0,0 +1,3 @@ +- name: restart_dns + ansible.builtin.command: + cmd: pihole restartdns \ No newline at end of file diff --git a/roles/app-pihole/tasks/dns.yaml b/roles/app-pihole/tasks/dns.yaml new file mode 100644 index 0000000..5b3b451 --- /dev/null +++ b/roles/app-pihole/tasks/dns.yaml 
@@ -0,0 +1,17 @@ +- name: Configure custom hosts + notify: restart_dns + ansible.builtin.copy: + dest: /etc/pihole/custom.list + owner: pihole + group: pihole + mode: 0644 + content: "{{ lookup('template', 'custom-hosts.j2') }}" + +- name: Configure local domain + notify: restart_dns + ansible.builtin.copy: + dest: /etc/dnsmasq.d/local-domain.conf + owner: pihole + group: pihole + mode: 0644 + content: "{{ lookup('template', 'dnsmasq-local.j2') }}" \ No newline at end of file diff --git a/roles/app-pihole/tasks/install.yaml b/roles/app-pihole/tasks/install.yaml new file mode 100644 index 0000000..1ab9ab6 --- /dev/null +++ b/roles/app-pihole/tasks/install.yaml @@ -0,0 +1,17 @@ +- name: Download pihole + ansible.builtin.get_url: + url: https://github.com/pi-hole/pi-hole/archive/refs/tags/v{{ app_pihole_version }}.zip + dest: /tmp/pihole.zip + +- name: Extract pihole + ansible.builtin.unarchive: + src: /tmp/pihole.zip + dest: /tmp + remote_src: yes + +- name: Install pihole + ansible.builtin.shell: + executable: /bin/bash + cmd: | + set -o pipefail + cat '/tmp/pi-hole-{{ app_pihole_version }}/automated install/basic-install.sh' | bash /dev/stdin --unattended \ No newline at end of file diff --git a/roles/app-pihole/tasks/main.yaml b/roles/app-pihole/tasks/main.yaml new file mode 100644 index 0000000..20dc9e7 --- /dev/null +++ b/roles/app-pihole/tasks/main.yaml 
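Review bot: roles/app-pihole/tasks/install.yaml downloads the release archive with `ansible.builtin.get_url` and pipes `basic-install.sh` into bash without verifying what was fetched, so the install step trusts whatever the download returns for that tag at run time. Adding `checksum: "sha256:<SHA256_OF_PIHOLE_ZIP_PLACEHOLDER>"` to the get_url task pins the archive to the reviewed version, and a dest under a role-owned directory (or one created with `ansible.builtin.tempfile`) instead of the fixed `/tmp/pihole.zip` and `/tmp/pi-hole-...` paths avoids racing other users of /tmp. Minor style: `remote_src: yes` should be `remote_src: true`.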
@@ -0,0 +1,30 @@ +- name: Create configuration directory + ansible.builtin.file: + path: /etc/pihole + state: directory + owner: pihole + group: pihole + mode: 0750 + +- name: Create setupvars + ansible.builtin.copy: + dest: /etc/pihole/setupVars.conf + owner: pihole + group: pihole + mode: 0640 + force: true + content: "{{ lookup('template', 'setup-vars.j2') }}" + +- name: Check if pihole already installed + register: app_pihole_bin + ansible.builtin.stat: + path: /usr/local/bin/pihole + +- name: Install pihole + when: not app_pihole_bin.stat.exists + ansible.builtin.include_tasks: + file: install.yaml + +- name: Configure DNS + ansible.builtin.include_tasks: + file: dns.yaml \ No newline at end of file diff --git a/roles/app-pihole/templates/custom-hosts.j2 b/roles/app-pihole/templates/custom-hosts.j2 new file mode 100644 index 0000000..e13fd32 --- /dev/null +++ b/roles/app-pihole/templates/custom-hosts.j2 @@ -0,0 +1,3 @@ +{%- for host in groups['all'] %} +{{ hostvars[host].ansible_host }} {{ hostvars[host].fqdn }} +{% endfor %} \ No newline at end of file diff --git a/roles/app-pihole/templates/dnsmasq-local.j2 b/roles/app-pihole/templates/dnsmasq-local.j2 new file mode 100644 index 0000000..d511d62 --- /dev/null +++ b/roles/app-pihole/templates/dnsmasq-local.j2 @@ -0,0 +1,2 @@ +domain={{ app_pihole_local_domain }} +local=/{{ app_pihole_local_domain }}/ \ No newline at end of file diff --git a/roles/app-pihole/templates/setup-vars.j2 b/roles/app-pihole/templates/setup-vars.j2 new file mode 100644 index 0000000..12e79d7 --- /dev/null +++ b/roles/app-pihole/templates/setup-vars.j2 
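Review bot: roles/app-pihole/tasks/main.yaml writes `/etc/pihole/setupVars.conf` with `force: true` from setup-vars.j2, and that template (the last hunk of this commit) sets `WEBPASSWORD=` to an empty value alongside `INSTALL_WEB=true`, so every playbook run resets the admin interface to no password, including after someone sets one with `pihole -a -p`. Either render the hash from a SOPS-managed variable, `WEBPASSWORD={{ app_pihole_web_password_hash }}`, or drop `force: true` so the installer-managed file is not overwritten on subsequent runs. Pi-hole treats an empty WEBPASSWORD as "no password required", so this is an authentication gap on the web UI rather than a cosmetic default.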
@@ -0,0 +1,16 @@ +WEBPASSWORD= +QUERY_LOGGING=true +INSTALL_WEB=true +DNSMASQ_LISTENING=single +{% for forwarder in app_pihole_forwarders %} +PIHOLE_DNS_{{ loop.index }}={{ forwarder }} +{% endfor %} +DNS_FQDN_REQUIRED=true +DNS_BOGUS_PRIV=true +DNSSEC=true +TEMPERATUREUNIT=C +WEBUIBOXEDLAYOUT=traditional +API_EXCLUDE_DOMAINS= +API_EXCLUDE_CLIENTS= +API_QUERY_LOG_SHOW=all +API_PRIVACY_MODE=false \ No newline at end of file From 5aff8fb15a0c112ef43127e96b1448a41f416252 Mon Sep 17 00:00:00 2001 
From: Lukas Holota Date: Tue, 12 Mar 2024 16:53:02 +0100 Subject: [PATCH 26/51] Checkpoiunt --- environments/lab/group_vars/all/general.yaml | 1 + .../lab/group_vars/app_coredns/coredns.yaml | 17 ------- .../group_vars/app_pomerium/container.yaml | 9 ---- .../lab/group_vars/app_pomerium/getssl.yaml | 8 ---- .../lab/group_vars/app_pomerium/pomerium.yaml | 5 --- .../cloudflared_containers/container.yaml | 5 +++ .../cloudflared_containers/secrets.sops.yaml | 44 +++++++++++++++++++ .../lab/host_vars/app_coredns_primary.yaml | 19 -------- .../lab/host_vars/app_pomerium_primary.yaml | 14 ------ .../lab/host_vars/app_pomerium_secondary.yaml | 14 ------ environments/lab/host_vars/cloudflared1.yaml | 13 ++++++ environments/lab/host_vars/cloudflared2.yaml | 13 ++++++ ...pp_coredns_secondary.yaml => frigate.yaml} | 16 ++++--- environments/lab/host_vars/monitoring.yaml | 36 +++++++++++++++ .../{app_mqtt_single.yaml => mqtt.yaml} | 15 ++++--- .../{app_pihole_single.yaml => pihole.yaml} | 14 +++--- .../lab/host_vars/pomerium/container.yaml | 34 ++++++++++++++ .../lab/host_vars/pomerium/pomerium.yaml | 16 +++++++ .../pomerium}/secrets.sops.yaml | 8 ++-- environments/lab/host_vars/pve1.yaml | 1 - environments/lab/host_vars/pve2.yaml | 1 - environments/lab/host_vars/pve3.yaml | 1 - environments/lab/hosts.yaml | 24 +++++----- playbooks/_all.yaml | 11 ++--- playbooks/{apps => containers}/_common.yaml | 4 ++ .../cloudflared.yaml} | 12 ++--- playbooks/containers/frigate.yaml | 33 ++++++++++++++ playbooks/containers/monitoring.yaml | 37 ++++++++++++++++ playbooks/{apps => containers}/mqtt.yaml | 7 +-- playbooks/{apps => containers}/pihole.yaml | 7 +-- playbooks/{apps => containers}/pomerium.yaml | 5 +-- .../cluster.yaml} | 5 --- .../nodes.yaml} | 0 requirements.yaml | 2 + roles/app-cloudflared/tasks/configure.yaml | 27 ++++++++++++ roles/app-cloudflared/tasks/install.yaml | 16 +++++++ roles/app-cloudflared/tasks/main.yaml | 20 +++++++++ roles/app-cloudflared/tasks/systemd.yaml | 14 
++++++ roles/app-cloudflared/templates/config.j2 | 12 +++++ .../app-cloudflared/templates/credentials.j2 | 5 +++ .../app-cloudflared/templates/systemd-unit.j2 | 17 +++++++ roles/app-container/tasks/docker.yaml | 4 ++ roles/app-container/tasks/main.yaml | 5 +++ roles/app-container/tasks/start.yaml | 8 +++- roles/app-container/templates/pct-set.j2 | 2 +- roles/app-frigate/tasks/main.yaml | 2 + roles/app-gatus/tasks/main.yaml | 22 ++++++++++ roles/app-gatus/templates/config.j2 | 3 ++ roles/app-gatus/templates/docker-compose.j2 | 12 +++++ roles/app-pihole/handlers/main.yaml | 7 ++- roles/app-pihole/tasks/http.yaml | 6 +++ roles/app-pihole/tasks/main.yaml | 8 +++- roles/app-pihole/templates/custom-hosts.j2 | 16 ++++++- roles/app-pihole/templates/dnsmasq-local.j2 | 4 +- roles/app-pomerium/templates/config.j2 | 23 ++++++++-- roles/docker/tasks/main.yaml | 8 ++++ roles/hosts/tasks/main.yml | 4 +- 57 files changed, 528 insertions(+), 168 deletions(-) delete mode 100644 environments/lab/group_vars/app_coredns/coredns.yaml delete mode 100644 environments/lab/group_vars/app_pomerium/container.yaml delete mode 100644 environments/lab/group_vars/app_pomerium/getssl.yaml delete mode 100644 environments/lab/group_vars/app_pomerium/pomerium.yaml create mode 100644 environments/lab/group_vars/cloudflared_containers/container.yaml create mode 100644 environments/lab/group_vars/cloudflared_containers/secrets.sops.yaml delete mode 100644 environments/lab/host_vars/app_coredns_primary.yaml delete mode 100644 environments/lab/host_vars/app_pomerium_primary.yaml delete mode 100644 environments/lab/host_vars/app_pomerium_secondary.yaml create mode 100644 environments/lab/host_vars/cloudflared1.yaml create mode 100644 environments/lab/host_vars/cloudflared2.yaml rename environments/lab/host_vars/{app_coredns_secondary.yaml => frigate.yaml} (57%) create mode 100644 environments/lab/host_vars/monitoring.yaml rename environments/lab/host_vars/{app_mqtt_single.yaml => mqtt.yaml} (66%) rename 
environments/lab/host_vars/{app_pihole_single.yaml => pihole.yaml} (69%) create mode 100644 environments/lab/host_vars/pomerium/container.yaml create mode 100644 environments/lab/host_vars/pomerium/pomerium.yaml rename environments/lab/{group_vars/app_pomerium => host_vars/pomerium}/secrets.sops.yaml (86%) rename playbooks/{apps => containers}/_common.yaml (75%) rename playbooks/{apps/coredns.yaml => containers/cloudflared.yaml} (75%) create mode 100644 playbooks/containers/frigate.yaml create mode 100644 playbooks/containers/monitoring.yaml rename playbooks/{apps => containers}/mqtt.yaml (78%) rename playbooks/{apps => containers}/pihole.yaml (82%) rename playbooks/{apps => containers}/pomerium.yaml (85%) rename playbooks/{proxmox-cluster.yaml => proxmox/cluster.yaml} (86%) rename playbooks/{proxmox-nodes.yaml => proxmox/nodes.yaml} (100%) create mode 100644 roles/app-cloudflared/tasks/configure.yaml create mode 100644 roles/app-cloudflared/tasks/install.yaml create mode 100644 roles/app-cloudflared/tasks/main.yaml create mode 100644 roles/app-cloudflared/tasks/systemd.yaml create mode 100644 roles/app-cloudflared/templates/config.j2 create mode 100644 roles/app-cloudflared/templates/credentials.j2 create mode 100644 roles/app-cloudflared/templates/systemd-unit.j2 create mode 100644 roles/app-container/tasks/docker.yaml create mode 100644 roles/app-frigate/tasks/main.yaml create mode 100644 roles/app-gatus/tasks/main.yaml create mode 100644 roles/app-gatus/templates/config.j2 create mode 100644 roles/app-gatus/templates/docker-compose.j2 create mode 100644 roles/app-pihole/tasks/http.yaml create mode 100644 roles/docker/tasks/main.yaml diff --git a/environments/lab/group_vars/all/general.yaml b/environments/lab/group_vars/all/general.yaml index a05fc20..b293eca 100644 --- a/environments/lab/group_vars/all/general.yaml +++ b/environments/lab/group_vars/all/general.yaml 
@@ -1 +1,2 @@ ansible_python_interpreter: "/usr/bin/python3" +domain: homecentr.one \ No newline at end of file diff --git a/environments/lab/group_vars/app_coredns/coredns.yaml b/environments/lab/group_vars/app_coredns/coredns.yaml deleted file mode 100644 index bfda1c5..0000000 --- a/environments/lab/group_vars/app_coredns/coredns.yaml +++ /dev/null @@ -1,17 +0,0 @@ -app_coredns_version: 1.11.1 - -app_coredns_forwarders_tls_servername: cloudflare-dns.com - -app_coredns_forwarders: - - 1.1.1.1 - - 1.0.0.1 - -app_coredns_records: - - name: dns1-lab.homecentr.one - ip: 10.1.8.128 - - name: dns2-lab.homecentr.one - ip: 10.1.8.129 - - name: login-lab.homecentr.one - ip: 10.1.8.132 - - name: gatus-lab.homecentr.one - ip: 10.1.8.132 \ No newline at end of file diff --git a/environments/lab/group_vars/app_pomerium/container.yaml b/environments/lab/group_vars/app_pomerium/container.yaml deleted file mode 100644 index 4cd4579..0000000 --- a/environments/lab/group_vars/app_pomerium/container.yaml +++ /dev/null @@ -1,9 +0,0 @@ -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 512 -app_container_storage_name: dpool -app_container_storage_size_gb: 2 -app_container_pve_replication_cron_expression: "*/5" -app_container_mapped_uids: - - 7000 -app_container_mapped_gids: - - 7000 \ No newline at end of file diff --git a/environments/lab/group_vars/app_pomerium/getssl.yaml b/environments/lab/group_vars/app_pomerium/getssl.yaml deleted file mode 100644 index 14aa535..0000000 --- a/environments/lab/group_vars/app_pomerium/getssl.yaml +++ /dev/null @@ -1,8 +0,0 @@ -app_container_getssl_certificates: - - name: "*.homecentr.one" - fullchain_filename: "wildcard_fullchain.crt" - cert_filename: "wildcard.crt" - key_filename: "wildcard.key" - user: 7000 - group: 7000 - mode: 0440 \ No newline at end of file 
diff --git a/environments/lab/group_vars/app_pomerium/pomerium.yaml b/environments/lab/group_vars/app_pomerium/pomerium.yaml deleted file mode 100644 index e0a1ca9..0000000 --- a/environments/lab/group_vars/app_pomerium/pomerium.yaml +++ /dev/null @@ -1,5 +0,0 @@ -app_pomerium_hostname: login-lab.homecentr.one - -app_pomeriums_certificates: - - fullchain_path: /getssl/wildcard_fullchain.crt - key_path: /getssl/wildcard.key \ No newline at end of file diff --git a/environments/lab/group_vars/cloudflared_containers/container.yaml b/environments/lab/group_vars/cloudflared_containers/container.yaml new file mode 100644 index 0000000..d804072 --- /dev/null +++ b/environments/lab/group_vars/cloudflared_containers/container.yaml @@ -0,0 +1,5 @@ +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 512 +app_container_storage_name: dpool +app_container_storage_size_gb: 10 +app_container_pve_replication_cron_expression: "*/5" \ No newline at end of file diff --git a/environments/lab/group_vars/cloudflared_containers/secrets.sops.yaml b/environments/lab/group_vars/cloudflared_containers/secrets.sops.yaml new file mode 100644 index 0000000..dc7bf41 --- /dev/null +++ b/environments/lab/group_vars/cloudflared_containers/secrets.sops.yaml 
@@ -0,0 +1,44 @@ +app_cloudflared_tunnel_credentials: + account_id: ENC[AES256_GCM,data:lHYUZQtyoElAaCmI+UFgmpuvOf2Wc9HMISigDXtG1f8=,iv:N3eWIzlCqwdgg0loMYgwq728sLXI3QeGEO1zenSniyE=,tag:NDWGpbN6GvhKYg+CBlywyA==,type:str] + tunnel_secret: ENC[AES256_GCM,data:lzQYiB8iCWx1Egf4Xiwmly43S3ezwSjczDJjptnv6a6HzW4zmcG49JvEI9mqlf9kivhJUCuLFGnPNwbTt6FBsKC5hTrmQ9av9Tp124TEhNyOFog/sBuEsM7reUzCyi8K5sOEBtMALwyZaOrb3Ub2N/wUjJ5/4+KqLo68uv6YRCE=,iv:BSDr9ag0RGQth8ht2+VIlcstaLw3Nfd16T17Hmu9Ex4=,tag:wq5DlS99ByOAWpTiilovug==,type:str] + tunnel_id: ENC[AES256_GCM,data:ybOeL0E/jS0aUq7fgZnhLoy3BQENOaJ2TJLFNjYR7iT2wPf5,iv:8lxdXASk9hC7MC8tNdlH1dLwOIqdkZaXakzIGCPfqcg=,tag:QZmT8ph/v0ySkDx4TFiYow==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTNpMjB2V3h2a2pJeWNB + QmtZRTVDeERpSTBDYnpsYzVoMkpXTnpTRmtZClpXcTRKQzBUN010OWIzMERoMEhZ + dVJYME5HTmwxeFpIUHNiU3EyazFFRGMKLS0tIC9vZGpsN0d5dWc0RzhLdXk2bnpy + SklacmRSa2ZZOHREdTR0ekRGc0ZmVlEK/qmTVEdCSNwWwciH448cJ4HjCqwFixkV + mqJoQLFUFv5u7sggZ3tKOp+ykwmlsVT6mjuhI3BVJALtUPBKQ35tyQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-11T21:32:23Z" + mac: ENC[AES256_GCM,data:fHEWzn3rr7CIoizYRRmBYNRXBjuhpKVopNTGGkzsi15SAKZtb691KswoZxcDiWFyGvNiWal7kC7zzKbhk5NEnkYfgf2OPFDUm3AfkhEK/wUepWCbk76RwbV3VDlGVoZVYnHNmB02fwnbHHEdaVqM/VJLgWIA/lzh1UvcP2ucdKc=,iv:ovA3llpgXuQ9tU1UFSb8gEC7G3bq7Sg4NiC9dg0BMvY=,tag:3CK0HEIfVkujxyNE9+4Z1A==,type:str] + pgp: + - created_at: "2024-03-11T21:28:35Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7Pg+ndCcR5CAQ//TM7gncqbBG572oPVgHhGzJITC/0VnmCaeau7I1TWLGyz + vCe094qMCkBFBTKzpnkQIVvhyK186yojpiSwZkW69OntXXdj14pGVQS20LBhBdxr + 5RZ++wrx+IQxaT+tRWhUPQTA5249Ywo8HxcpTXk4pbAC9w5Ruakgb3ssNdpkIx+g + +v5DTPajpI52f2bP1tNAet5a34Bcz5jxkzQjVVrVcigVw/YO/cFCtZtCoAPA567v + QRYa7OOj4GkVePgl+IjDtGi0G+gsTA9cZWnUb2qyE6XLLJs5j1lct/6wmGzQvi5b + 
0ZrSrPoYuCKEHv2nojKP0yfye+HLcfo84Mudz9dm0UbJvLcSHK9Wa5x0XLaPtB6o + Vg2Vy5cxDQQpyosc1WBS1wrTwRSntPQhyFjd5CfgSbYHh3Q4Ms9J+HlIodHK63+U + ZGArCHdD7a9ezVhNyLp1jmymBI3d3A+zy8a3ZbfsuHjaDIr0dahbO0hgvoDLN8jE + zna4aMDbbfxrL1xQAXfyxhD7jZGoBcLPDQ8uADe5qjyP+p+15+UfUXtRgzTiEEvU + 1ARra95iFpnpXyc9g66ODYa5LmCYv4QnBDbcDUWXCzHK80sFzuk/ak7pgjRoAHUo + rFFk48Bufy1r2rztpG+fWUfGRjAtuHhitBvU8D6aFEn5VuTNxASlLO84kfAArZXS + XAG44iMMhwmww7HeKHfBtI7ZE6aoi8/1qnsTDuRUCXP8qg+z6E1H8ik1c9215EOG + 2qeUzhcu3x5H+CyFwISbp4gR8P1BczUL8cevkjGP1TamQXUVYCeCsaHSTr3e + =Uq6G + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/environments/lab/host_vars/app_coredns_primary.yaml b/environments/lab/host_vars/app_coredns_primary.yaml deleted file mode 100644 index 0b9d55a..0000000 --- a/environments/lab/host_vars/app_coredns_primary.yaml +++ /dev/null @@ -1,19 +0,0 @@ -ansible_host: 10.1.8.128 -ansible_hostname: dns1-lab -fqdn: dns1-lab.homecentr.one - -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 512 -app_container_storage_name: dpool -app_container_storage_size_gb: 10 -app_container_pve_replication_cron_expression: "*/5" -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.8.128/24 - ipv4_gateway: 10.1.8.1 - -app_container_pve_node: pve1 -app_container_pve_ha_group_name: unrestricted-priority-pve1 -app_container_pve_replication_nodes: - - pve2 diff --git a/environments/lab/host_vars/app_pomerium_primary.yaml b/environments/lab/host_vars/app_pomerium_primary.yaml deleted file mode 100644 index e7bbac2..0000000 --- a/environments/lab/host_vars/app_pomerium_primary.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -ansible_host: 10.1.8.130 -ansible_hostname: pomerium1-lab -fqdn: pomerium1-lab.homecentr.one - -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.8.130/24 - ipv4_gateway: 10.1.8.1 - -app_container_pve_node: pve1 -app_container_pve_ha_group_name: unrestricted-priority-pve1 -app_container_pve_replication_nodes: - - pve2 diff --git a/environments/lab/host_vars/app_pomerium_secondary.yaml b/environments/lab/host_vars/app_pomerium_secondary.yaml deleted file mode 100644 index 4ed41e3..0000000 --- a/environments/lab/host_vars/app_pomerium_secondary.yaml +++ /dev/null @@ -1,14 +0,0 @@ -ansible_host: 10.1.8.131 -ansible_hostname: pomerium2-lab -fqdn: pomerium2-lab.homecentr.one - -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.8.131/24 - ipv4_gateway: 10.1.8.1 - -app_container_pve_node: pve2 -app_container_pve_ha_group_name: unrestricted-priority-pve2 -app_container_pve_replication_nodes: - - pve1 diff --git a/environments/lab/host_vars/cloudflared1.yaml b/environments/lab/host_vars/cloudflared1.yaml new file mode 100644 index 0000000..37b66fc --- /dev/null +++ b/environments/lab/host_vars/cloudflared1.yaml @@ -0,0 +1,13 @@ +ansible_host: 10.1.8.70 +ansible_hostname: ct-cloudflared1-lab + +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.70/24 + ipv4_gateway: 10.1.8.1 + +app_container_pve_node: pve1 +app_container_pve_ha_group_name: critical-priority-pve1 +app_container_pve_replication_nodes: + - pve2 \ No newline at end of file diff --git a/environments/lab/host_vars/cloudflared2.yaml b/environments/lab/host_vars/cloudflared2.yaml new file mode 100644 index 0000000..5d2ea3b --- /dev/null +++ b/environments/lab/host_vars/cloudflared2.yaml 
@@ -0,0 +1,13 @@ +ansible_host: 10.1.8.71 +ansible_hostname: ct-cloudflared2-lab + +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.71/24 + ipv4_gateway: 10.1.8.1 + +app_container_pve_node: pve2 +app_container_pve_ha_group_name: critical-priority-pve2 +app_container_pve_replication_nodes: + - pve1 \ No newline at end of file diff --git a/environments/lab/host_vars/app_coredns_secondary.yaml b/environments/lab/host_vars/frigate.yaml similarity index 57% rename from environments/lab/host_vars/app_coredns_secondary.yaml rename to environments/lab/host_vars/frigate.yaml index 2cc04b3..cd6dbb0 100644 --- a/environments/lab/host_vars/app_coredns_secondary.yaml +++ b/environments/lab/host_vars/frigate.yaml @@ -1,19 +1,23 @@ -ansible_host: 10.1.8.129 -ansible_hostname: dns2-lab -fqdn: dns2-lab.homecentr.one +ansible_host: 10.1.8.69 +ansible_hostname: ct-frigate-lab +app_container_docker_support: true app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_memory: 512 app_container_storage_name: dpool -app_container_storage_size_gb: 10 +app_container_storage_size_gb: 5 app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: 10.1.8.129/24 + ipv4_address: 10.1.8.69/24 ipv4_gateway: 10.1.8.1 app_container_pve_node: pve2 -app_container_pve_ha_group_name: unrestricted-priority-pve2 +app_container_pve_ha_group_name: noncritical app_container_pve_replication_nodes: - pve1 + +app_pihole_records: + - hostname: frigate-lab + type: pomerium_proxy \ No newline at end of file diff --git a/environments/lab/host_vars/monitoring.yaml b/environments/lab/host_vars/monitoring.yaml new file mode 100644 index 0000000..9cd7519 --- /dev/null +++ b/environments/lab/host_vars/monitoring.yaml 
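Review bot: environments/lab/host_vars/frigate.yaml sets `app_container_pve_ha_group_name: noncritical`, as does monitoring.yaml in this commit, while mqtt.yaml keeps `non-critical`; if the HA group is looked up by this exact name, only one spelling can match an existing group and the other containers end up without HA placement or fail at creation. Pick one spelling across host_vars and, ideally, define the allowed group names once in group_vars so host files reference them. frigate.yaml also declares an `app_pihole_records` entry of `type: pomerium_proxy` without a matching `app_pomerium_routes` entry (monitoring.yaml has both), which looks like a DNS name that will resolve to Pomerium with no route behind it; confirm whether the route is intended to come later.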
@@ -0,0 +1,36 @@ +ansible_host: 10.1.8.68 +ansible_hostname: ct-monitoring-lab + +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 512 +app_container_storage_name: dpool +app_container_storage_size_gb: 5 +app_container_pve_replication_cron_expression: "*/5" +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.68/24 + ipv4_gateway: 10.1.8.1 + +app_container_pve_node: pve2 +app_container_pve_ha_group_name: noncritical +app_container_pve_replication_nodes: + - pve1 + +app_gatus_image_tag: v5.7.0 +app_gatus_monitored_endpoints: +- name: example + url: https://example.com/ + interval: 1m + conditions: + - "[STATUS] == 200" + +app_pomerium_routes: + - hostname: gatus-lab + type: ansible_host + port: 8080 + auth_mode: public + +app_pihole_records: + - hostname: gatus-lab + type: pomerium_proxy diff --git a/environments/lab/host_vars/app_mqtt_single.yaml b/environments/lab/host_vars/mqtt.yaml similarity index 66% rename from environments/lab/host_vars/app_mqtt_single.yaml rename to environments/lab/host_vars/mqtt.yaml index 429a9a9..6e8ba77 100644 --- a/environments/lab/host_vars/app_mqtt_single.yaml +++ b/environments/lab/host_vars/mqtt.yaml 
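Review bot: The `app_pomerium_routes` entry added here (`hostname: gatus-lab`, `type: ansible_host`, `port: 8080`, `auth_mode: public`) uses a different schema from what the pomerium config.j2 in this commit reads: that template expects `from`/`to` keys and only has branches for `administrators` and `users`, so this route renders with undefined values and no policy. Either make the template derive `from`/`to` from `hostname`/`port`, or write the route as `from`/`to` here; for a genuinely public route Pomerium needs `allow_public_unauthenticated_access: true`, since a route with no policy is, as far as I recall, denied. As a point of style, `app_gatus_monitored_endpoints` is the only flush-indented sequence in the file — indent it like the others. The `https://example.com/` endpoint also reads like a placeholder left in.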
@@ -1,19 +1,24 @@ -ansible_host: 10.1.8.132 -ansible_hostname: mqtt-lab -fqdn: mqtt-lab.homecentr.one +ansible_host: 10.1.8.67 +ansible_hostname: ct-mqtt-lab app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_memory: 512 app_container_storage_name: dpool -app_container_storage_size_gb: 10 +app_container_storage_size_gb: 5 app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: 10.1.8.132/24 + ipv4_address: 10.1.8.67/24 ipv4_gateway: 10.1.8.1 app_container_pve_node: pve1 app_container_pve_ha_group_name: non-critical app_container_pve_replication_nodes: - pve2 + +app_pihole_records: + - hostname: mqtt-lab + type: ansible_host + +# TODO: Gatus monitoring \ No newline at end of file diff --git a/environments/lab/host_vars/app_pihole_single.yaml b/environments/lab/host_vars/pihole.yaml similarity index 69% rename from environments/lab/host_vars/app_pihole_single.yaml rename to environments/lab/host_vars/pihole.yaml index 902642a..b98f7a3 100644 --- a/environments/lab/host_vars/app_pihole_single.yaml +++ b/environments/lab/host_vars/pihole.yaml @@ -1,6 +1,5 @@ -ansible_host: 10.1.8.128 -ansible_hostname: dns-lab -fqdn: dns-lab.homecentr.one +ansible_host: 10.1.8.64 +ansible_hostname: ct-pihole-lab app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_memory: 512 @@ -10,11 +9,11 @@ app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: 10.1.8.128/24 + ipv4_address: 10.1.8.64/24 ipv4_gateway: 10.1.8.1 app_container_pve_node: pve1 -app_container_pve_ha_group_name: unrestricted-priority-pve1 +app_container_pve_ha_group_name: critical-priority-pve1 app_container_pve_replication_nodes: - pve2 
@@ -22,4 +21,7 @@ app_pihole_version: 5.17.3 app_pihole_forwarders: - 1.1.1.1 - 1.0.0.1 -app_pihole_local_domain: homecentr.one \ No newline at end of file + +app_pihole_records: + - hostname: pihole-lab + type: ansible_host \ No newline at end of file diff --git a/environments/lab/host_vars/pomerium/container.yaml b/environments/lab/host_vars/pomerium/container.yaml new file mode 100644 index 0000000..c4ab4a3 --- /dev/null +++ b/environments/lab/host_vars/pomerium/container.yaml @@ -0,0 +1,34 @@ +ansible_host: 10.1.8.66 +ansible_hostname: ct-pomerium1-lab + +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 512 +app_container_storage_name: dpool +app_container_storage_size_gb: 2 +app_container_pve_replication_cron_expression: "*/5" +app_container_mapped_uids: + - 7000 +app_container_mapped_gids: + - 7000 +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.66/24 + ipv4_gateway: 10.1.8.1 +app_container_pve_node: pve1 +app_container_pve_ha_group_name: critical-priority-pve1 +app_container_pve_replication_nodes: + - pve2 + +app_container_getssl_certificates: + - name: "*.homecentr.one" + fullchain_filename: "wildcard_fullchain.crt" + cert_filename: "wildcard.crt" + key_filename: "wildcard.key" + user: 7000 + group: 7000 + mode: 0440 + +app_pihole_records: + - hostname: login-lab + type: ansible_host \ No newline at end of file diff --git a/environments/lab/host_vars/pomerium/pomerium.yaml b/environments/lab/host_vars/pomerium/pomerium.yaml new file mode 100644 index 0000000..dd5f3da --- /dev/null +++ b/environments/lab/host_vars/pomerium/pomerium.yaml 
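Review bot: `app_pihole_local_domain: homecentr.one` is removed here while dnsmasq-local.j2 in this commit switches to a `domain` variable that does not appear anywhere in the diff; presumably it lives in group_vars outside this change, but if not, the dnsmasq template renders `domain=` empty. A one-line comment in pihole.yaml such as `# local domain now comes from the shared `domain` variable` would make the dependency visible.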
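Review bot: `mode: 0440` in the `app_container_getssl_certificates` entry is an unquoted octal literal, which YAML 1.1 parsers turn into the integer 288; every other mode in this commit is quoted (`mode: "0750"`, `mode: "0640"`). Whether 288 is interpreted correctly depends on how the getssl role passes it on, so write `mode: "0440"` for consistency and to remove the ambiguity.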
@@ -0,0 +1,16 @@ +app_pomerium_hostname: login-lab.homecentr.one + +app_pomerium_groups_administrators: b77c210d-8ae3-4292-9e95-c7d42a2f254f +app_pomerium_groups_users: ba84af15-129a-42c3-806c-62700ea31a7c + +app_pomerium_certificates: + - fullchain_path: /getssl/wildcard_fullchain.crt + key_path: /getssl/wildcard.key + +app_pomerium_routes: + - from: https://pihole-lab.homecentr.one + to: http://10.1.8.128 + auth_mode: administrators + # - from: https://gatus-lab.homecentr.one + # to: http://10.1.8.128 + # auth_mode: administrators \ No newline at end of file diff --git a/environments/lab/group_vars/app_pomerium/secrets.sops.yaml b/environments/lab/host_vars/pomerium/secrets.sops.yaml similarity index 86% rename from environments/lab/group_vars/app_pomerium/secrets.sops.yaml rename to environments/lab/host_vars/pomerium/secrets.sops.yaml index 3d9b863..7e655d7 100644 --- a/environments/lab/group_vars/app_pomerium/secrets.sops.yaml +++ b/environments/lab/host_vars/pomerium/secrets.sops.yaml 
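Review bot: `to: http://10.1.8.128` is the address this same commit removes from pihole.yaml (pihole is now `10.1.8.64`), so the pihole route points at a host that no longer exists; the commented-out gatus route repeats the stale address. Deriving it from inventory avoids this drifting again: `to: "http://{{ hostvars['pihole'].ansible_host }}"`, using the `pihole` host defined in hosts.yaml.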
@@ -1,6 +1,6 @@ app_pomerium_letsencrypt_email: ENC[AES256_GCM,data:o32R3ulDZVq4QlaZJmOkrx/aG4yHUwg=,iv:9Ul6KltiHnfPs9SLdNvktTR1iwtEz7jrKJ9RzS3ZUyE=,tag:iycUBPx8SVbZQVLxgOZCNg==,type:str] app_pomerium_letsencrypt_use_staging: ENC[AES256_GCM,data:CqCEgQ==,iv:EdyGmD3jhs4t6qOwsWo6fMPqYuBZ2E3UsF1OFZi8h68=,tag:1vjpbPJmKrPpvzUnMxWnuw==,type:bool] -app_pomerium_idp_provider: ENC[AES256_GCM,data:BeWU9TwJMg==,iv:Lt6g9zKPVdeq3e3RbKlyaOnX4IyndcxNOqS//Zsxams=,tag:07vgPtg9W8agifG7QrdHcQ==,type:str] +app_pomerium_idp_provider: ENC[AES256_GCM,data:VpQAf9E=,iv:PIREcAiLh9nrTUp6yLwnvyfnAXmnvetoCQWqLswrKXo=,tag:y3b77ECYZ5XgRH2f7lifyA==,type:str] app_pomerium_idp_client_id: ENC[AES256_GCM,data:Wpz/jOMkBel3eUsrpfiRUz7qOdMBSE3/FIYwbXrmKdw8pS5j,iv:bJd0Hwf2Z14oXayoB1Zf0tYxJqupvr3GjMNXuzzrebU=,tag:lmjnOH/jLM87+GuBE/kBLg==,type:str] app_pomerium_idp_client_secret: ENC[AES256_GCM,data:RUAcrW/hIBPpPffbX3XTZDQHqdrYyF1/eByga1yZSiARUl/cdSsNYA==,iv:KPpimeDMB7oxpFMDb8AFZpySGfJtIAnB0ZXaDgzAlyQ=,tag:16b8scdDn8t9nNqKBVRgAw==,type:str] app_pomerium_idp_provider_url: ENC[AES256_GCM,data:HxSh2Xu4EvYn3fGgpTc5ZnoEv2hL62Lg/gMX3aO3PuasMM+Y0b8ixLDNz2QGMzzWmMhJlYvTzS24+M2RDBFWnakYLpfELT404evz,iv:zxQ2M25o2HbzBbKyrNCL2i32gXEc0WZiDwdA4OD4uoU=,tag:NuLhRcVakfEFE3RrYRNo6A==,type:str] 
@@ -20,8 +20,8 @@ sops: SHpnRHlnWnBwWUQwTk5jVHJSdEdCUUkK59zwMk1ZNsBdvo4I26Hv7lrrkmJ5jeVE TwbEthfwlCwmCOtId+zuolCZwZbAxrayIdWgtlOCpX0myDrGX0qx4g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-07T21:04:42Z" - mac: ENC[AES256_GCM,data:rcv/fORx0QvRnhgETP7crsDb2c0cLSoMqa0v9fQPRpMqGL++Pc99LNjvK9nheGoSHnb2WqsemXeLIwGxvqbrzdbkuDZliS7pX+BwvoRtqH6obtDvk+Gv3yYtSAFMlcKU5uVddq0h+ABlLEYm86zAuKP6eQwA+OxnqJpBkrW+K3w=,iv:mWlUWzBUzYDojxwG/volsWd5eacnxN0jlwy5yAZu0c0=,tag:liPO9M9N4PpMnjSYPqwL5g==,type:str] + lastmodified: "2024-03-11T20:28:12Z" + mac: ENC[AES256_GCM,data:FBMF5d/OPVNE3BtjbWDQv/QfsBeSH5MSjzEWSZJD4IG2B8FOIFFlFkbDkw6jL9ll20yUlbSd3vSWjsMgMp5/BSn8EBMedCxjZyOmE4AeDbGiT2qdW/14dbCcC2nH62MjMlnwD4D338Rr/CP+Qx9Icm2BZ3sis8fYle/bwlVr2PM=,iv:HmLrKAQotxljdBCLdCY9I9yZOE0AlxlwLKHpBRmuVak=,tag:KMFgSlpEEhZS+LUgtbrDrg==,type:str] pgp: - created_at: "2024-03-07T21:01:19Z" enc: | @@ -44,4 +44,4 @@ sops: -----END PGP MESSAGE----- fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 diff --git a/environments/lab/host_vars/pve1.yaml b/environments/lab/host_vars/pve1.yaml index 5675e3b..fe9cfc9 100644 --- a/environments/lab/host_vars/pve1.yaml +++ b/environments/lab/host_vars/pve1.yaml @@ -1,7 +1,6 @@ # Common ansible_host: 10.1.8.11 ansible_hostname: pve1-lab -fqdn: pve1-lab.homecentr.one # UPS ups_name: dummy-ups1 diff --git a/environments/lab/host_vars/pve2.yaml b/environments/lab/host_vars/pve2.yaml index 52eda15..02a39c0 100644 --- a/environments/lab/host_vars/pve2.yaml +++ b/environments/lab/host_vars/pve2.yaml @@ -1,7 +1,6 @@ # Common ansible_host: 10.1.8.12 ansible_hostname: pve2-lab -fqdn: pve2-lab.homecentr.one # UPS ups_name: dummy-ups1 diff --git a/environments/lab/host_vars/pve3.yaml b/environments/lab/host_vars/pve3.yaml index 2ee611f..b396f58 100644 --- a/environments/lab/host_vars/pve3.yaml +++ b/environments/lab/host_vars/pve3.yaml 
@@ -1,7 +1,6 @@ # Common ansible_host: 10.1.8.13 ansible_hostname: pve3-lab -fqdn: pve3-lab.homecentr.one # UPS ups_name: dummy-ups1 diff --git a/environments/lab/hosts.yaml b/environments/lab/hosts.yaml index ace58fd..3aad0eb 100644 --- a/environments/lab/hosts.yaml +++ b/environments/lab/hosts.yaml @@ -5,19 +5,15 @@ all: pve1: pve2: pve3: - app_containers: + containers: + hosts: + pihole: + pomerium: + mqtt: + monitoring: + frigate: children: - # app_coredns: - # hosts: - # app_coredns_primary: - # app_coredns_secondary: - app_pihole: - hosts: - app_pihole_single: - app_pomerium: - hosts: - app_pomerium_primary: - app_pomerium_secondary: - app_mqtt: + cloudflared_containers: hosts: - app_mqtt_single: \ No newline at end of file + cloudflared1: + cloudflared2: diff --git a/playbooks/_all.yaml b/playbooks/_all.yaml index df8462c..9428812 100644 --- a/playbooks/_all.yaml +++ b/playbooks/_all.yaml @@ -1,5 +1,6 @@ -- import_playbook: proxmox-nodes.yaml -- import_playbook: proxmox-cluster.yaml -- import_playbook: apps/coredns.yaml -- import_playbook: apps/mqtt.yaml -- import_playbook: apps/pomerium.yaml \ No newline at end of file +- import_playbook: proxmox/nodes.yaml +- import_playbook: proxmox/cluster.yaml +- import_playbook: containers/pihole.yaml +- import_playbook: containers/cloudflared.yaml +- import_playbook: containers/mqtt.yaml +- import_playbook: containers/pomerium.yaml \ No newline at end of file diff --git a/playbooks/apps/_common.yaml b/playbooks/containers/_common.yaml similarity index 75% rename from playbooks/apps/_common.yaml rename to playbooks/containers/_common.yaml index 6f08cc7..cc2451c 100644 --- a/playbooks/apps/_common.yaml +++ b/playbooks/containers/_common.yaml @@ -1,3 +1,7 @@ +- name: Configure hosts + ansible.builtin.import_role: + name: ../../roles/hosts + - name: Configure users ansible.builtin.import_role: name: homecentr.system.users 
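Review bot: `playbooks/_all.yaml` now imports pihole, cloudflared, mqtt and pomerium but not the `containers/frigate.yaml` and `containers/monitoring.yaml` playbooks added in this commit, even though hosts.yaml lists `frigate` and `monitoring` in the `containers` group. If that is deliberate because Frigate is unfinished, a comment saying so would help; otherwise add `- import_playbook: containers/monitoring.yaml` and `- import_playbook: containers/frigate.yaml`. The file still ends without a trailing newline.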
diff --git a/playbooks/apps/coredns.yaml b/playbooks/containers/cloudflared.yaml similarity index 75% rename from playbooks/apps/coredns.yaml rename to playbooks/containers/cloudflared.yaml index f5abfa6..502d919 100644 --- a/playbooks/apps/coredns.yaml +++ b/playbooks/containers/cloudflared.yaml @@ -5,7 +5,7 @@ any_errors_fatal: true tasks: - name: Create application container - loop: "{{ groups['app_coredns'] }}" + loop: "{{ groups['cloudflared_containers'] }}" loop_control: loop_var: container_inventory_name ansible.builtin.include_role: @@ -14,8 +14,8 @@ container_inventory_name: "{{ container_inventory_name }}" tags: [ container ] -- name: Setup Coredns containers - hosts: app_coredns +- name: Setup Cloudflared containers + hosts: cloudflared_containers become: true become_method: ansible.builtin.sudo any_errors_fatal: true @@ -25,8 +25,8 @@ file: _common.yaml tags: [ common ] - - name: Install coredns + - name: Install cloudflared ansible.builtin.import_role: - name: ../../roles/app-coredns - tags: [ coredns ] + name: ../../roles/app-cloudflared + tags: [ cloudflared ] \ No newline at end of file diff --git a/playbooks/containers/frigate.yaml b/playbooks/containers/frigate.yaml new file mode 100644 index 0000000..8cc90d2 --- /dev/null +++ b/playbooks/containers/frigate.yaml 
@@ -0,0 +1,33 @@
+- name: Create application container
+ hosts: pve_nodes
+ become: true
+ become_method: ansible.builtin.sudo
+ any_errors_fatal: true
+ tasks:
+ - name: Create application container
+ ansible.builtin.include_role:
+ name: ../../roles/app-container
+ vars:
+ container_inventory_name: "frigate"
+ tags: [ container ]
+
+- name: Setup Frigate container
+ hosts: frigate
+ become: true
+ become_method: ansible.builtin.sudo
+ any_errors_fatal: true
+ tasks:
+ - name: Run common set up
+ ansible.builtin.include_tasks:
+ file: _common.yaml
+ tags: [ common ]
+
+ - name: Install Docker
+ ansible.builtin.import_role:
+ name: ../../roles/docker
+ tags: [ docker ]
+
+ - name: Install Frigate
+ ansible.builtin.import_role:
+ name: ../../roles/app-frigate
+ tags: [ frigate ]
diff --git a/playbooks/containers/monitoring.yaml b/playbooks/containers/monitoring.yaml
new file mode 100644
index 0000000..975aac2
--- /dev/null
+++ b/playbooks/containers/monitoring.yaml
@@ -0,0 +1,37 @@
+- name: Create application container
+ hosts: pve_nodes
+ become: true
+ become_method: ansible.builtin.sudo
+ any_errors_fatal: true
+ tasks:
+ - name: Create application container
+ ansible.builtin.include_role:
+ name: ../../roles/app-container
+ vars:
+ container_inventory_name: "monitoring"
+ tags: [ container ]
+
+- name: Setup Monitoring container
+ hosts: monitoring
+ become: true
+ become_method: ansible.builtin.sudo
+ any_errors_fatal: true
+ tasks:
+ - name: Run common set up
+ ansible.builtin.import_tasks:
+ file: _common.yaml
+ tags: [ common ]
+
+ - name: Install Docker
+ ansible.builtin.import_role:
+ name: ../../roles/docker
+ tags: [ docker ]
+
+ - name: Install gatus
+ ansible.builtin.import_role:
+ name: ../../roles/app-gatus
+ tags: [ gatus ]
+
+ # TODO: Prometheus
+ # TODO: Grafana
+
\ No newline at end of file
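Review bot: `Run common set up` in frigate.yaml uses `ansible.builtin.include_tasks` with `tags: [ common ]`, while the otherwise identical monitoring.yaml in this commit uses `import_tasks`. With a dynamic include the tag applies to the include statement only, so `--tags common` runs the include but skips the untagged tasks inside `_common.yaml`; `import_tasks`, or `include_tasks` with `apply: { tags: [ common ] }`, propagates it. Use one form in both playbooks. Note also that `roles/app-frigate/tasks/main.yaml` as added in this commit holds only two comments, so the `Install Frigate` step is currently a no-op.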
diff --git a/playbooks/apps/mqtt.yaml b/playbooks/containers/mqtt.yaml similarity index 78% rename from playbooks/apps/mqtt.yaml rename to playbooks/containers/mqtt.yaml index d9e99ec..8cadbb5 100644 --- a/playbooks/apps/mqtt.yaml +++ b/playbooks/containers/mqtt.yaml @@ -5,17 +5,14 @@ any_errors_fatal: true tasks: - name: Create application container - loop: "{{ groups['app_mqtt'] }}" - loop_control: - loop_var: container_inventory_name ansible.builtin.include_role: name: ../../roles/app-container vars: - container_inventory_name: "{{ container_inventory_name }}" + container_inventory_name: "mqtt" tags: [ container ] - name: Setup Pomerium containers - hosts: app_mqtt + hosts: mqtt become: true become_method: ansible.builtin.sudo any_errors_fatal: true diff --git a/playbooks/apps/pihole.yaml b/playbooks/containers/pihole.yaml similarity index 82% rename from playbooks/apps/pihole.yaml rename to playbooks/containers/pihole.yaml index aab3f53..c06c397 100644 --- a/playbooks/apps/pihole.yaml +++ b/playbooks/containers/pihole.yaml @@ -5,17 +5,14 @@ any_errors_fatal: true tasks: - name: Create application container - loop: "{{ groups['app_pihole'] }}" - loop_control: - loop_var: container_inventory_name ansible.builtin.include_role: name: ../../roles/app-container vars: - container_inventory_name: "{{ container_inventory_name }}" + container_inventory_name: "pihole" tags: [ container ] - name: Setup Pihole containers - hosts: app_pihole + hosts: pihole become: true become_method: ansible.builtin.sudo any_errors_fatal: true diff --git a/playbooks/apps/pomerium.yaml b/playbooks/containers/pomerium.yaml similarity index 85% rename from playbooks/apps/pomerium.yaml rename to playbooks/containers/pomerium.yaml index 6b3f9e7..272c723 100644 --- a/playbooks/apps/pomerium.yaml +++ b/playbooks/containers/pomerium.yaml 
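Review bot: The play header `Setup Pomerium containers` in mqtt.yaml is a copy-paste leftover that now sits directly above `hosts: mqtt`; rename it, e.g. `- name: Setup MQTT container`, while the file is being touched. The removal of the loop in favour of `container_inventory_name: "mqtt"` is otherwise straightforward.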
@@ -5,13 +5,10 @@ any_errors_fatal: true tasks: - name: Create application container - loop: "{{ groups['app_pomerium'] }}" - loop_control: - loop_var: container_inventory_name ansible.builtin.include_role: name: ../../roles/app-container vars: - container_inventory_name: "{{ container_inventory_name }}" + container_inventory_name: "pomerium" tags: [ container ] - name: Setup Pomerium containers diff --git a/playbooks/proxmox-cluster.yaml b/playbooks/proxmox/cluster.yaml similarity index 86% rename from playbooks/proxmox-cluster.yaml rename to playbooks/proxmox/cluster.yaml index f09bb78..fd6d6a8 100644 --- a/playbooks/proxmox-cluster.yaml +++ b/playbooks/proxmox/cluster.yaml @@ -17,11 +17,6 @@ name: ../roles/pve_cluster_options tags: cluster_options - - name: Configure container vxlan sdn networks - ansible.builtin.import_role: - name: ../roles/pve_cluster_vxlan - tags: vxlan - - name: Configure cluster-level firewall ansible.builtin.import_role: name: ../roles/pve_cluster_firewall diff --git a/playbooks/proxmox-nodes.yaml b/playbooks/proxmox/nodes.yaml similarity index 100% rename from playbooks/proxmox-nodes.yaml rename to playbooks/proxmox/nodes.yaml diff --git a/requirements.yaml b/requirements.yaml index ddecc7a..4fe015e 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -28,6 +28,8 @@ roles: - name: geerlingguy.security version: 2.2.0 - name: geerlingguy.clamav + - name: geerlingguy.docker + version: 7.1.0 - name: geerlingguy.helm version: 1.0.1 - name: geerlingguy.node_exporter diff --git a/roles/app-cloudflared/tasks/configure.yaml b/roles/app-cloudflared/tasks/configure.yaml new file mode 100644 index 0000000..e216186 --- /dev/null +++ b/roles/app-cloudflared/tasks/configure.yaml 
@@ -0,0 +1,27 @@
+- name: Create config directory
+ ansible.builtin.file:
+ path: /etc/cloudflared
+ owner: cloudflared
+ group: cloudflared
+ mode: "0750"
+ state: directory
+
+- name: Create config file
+ register: app_cloudflared_config
+ ansible.builtin.copy:
+ dest: /etc/cloudflared/config.yaml
+ owner: cloudflared
+ group: cloudflared
+ mode: "0640"
+ force: true
+ content: "{{ lookup('template', 'config.j2') }}"
+
+- name: Create credentials file
+ register: app_cloudflared_credentials
+ ansible.builtin.copy:
+ dest: /etc/cloudflared/tunnel-credentials.json
+ owner: cloudflared
+ group: cloudflared
+ mode: "0640"
+ force: true
+ content: "{{ lookup('template', 'credentials.j2') }}"
\ No newline at end of file
diff --git a/roles/app-cloudflared/tasks/install.yaml b/roles/app-cloudflared/tasks/install.yaml
new file mode 100644
index 0000000..d46585d
--- /dev/null
+++ b/roles/app-cloudflared/tasks/install.yaml
@@ -0,0 +1,16 @@
+- name: Download repository key
+ ansible.builtin.get_url:
+ url: https://pkg.cloudflare.com/cloudflare-main.gpg
+ dest: /usr/share/keyrings/cloudflare-main.gpg
+
+- name: Add repository
+ ansible.builtin.apt_repository:
+ repo: deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main
+ filename: cloudflared
+ update_cache: true
+ state: present
+
+- name: Install cloudflared package
+ ansible.builtin.apt:
+ name: cloudflared
+ state: present
diff --git a/roles/app-cloudflared/tasks/main.yaml b/roles/app-cloudflared/tasks/main.yaml
new file mode 100644
index 0000000..37672f4
--- /dev/null
+++ b/roles/app-cloudflared/tasks/main.yaml
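Review bot: `Create credentials file` renders the tunnel secret into `content:` and registers the result, so the secret appears in verbose (`-v`) and `--diff` output and in the `app_cloudflared_credentials` fact; add `no_log: true` to that task (the `.changed` flag systemd.yaml reads from it is unaffected). Since both files are rendered on the controller through `lookup('template', …)`, `ansible.builtin.template` with `src:` would say the same thing more directly, but that is a matter of style.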
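Review bot: `Download repository key` fetches `cloudflare-main.gpg` with no `checksum:` and no `mode:`, so the keyring that the repository is then pinned to with `signed-by=` is taken on trust from the download and written with the default umask; `get_url` supports `checksum: "sha256:<EXPECTED_DIGEST placeholder>"` (fill in the digest of the key you verified out of band) and `mode: "0644"`. The suite `bookworm` is also hard-coded in `repo:`; `{{ ansible_distribution_release }}` would keep it in step with whatever OS template host_vars selects.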
@@ -0,0 +1,20 @@
+- name: Create cloudflared group
+ ansible.builtin.group:
+ name: cloudflared
+
+- name: Create cloudflared user
+ ansible.builtin.user:
+ name: cloudflared
+ group: cloudflared
+
+- name: Install cloudflared
+ ansible.builtin.include_tasks:
+ file: install.yaml
+
+- name: Configure cloudflared
+ ansible.builtin.include_tasks:
+ file: configure.yaml
+
+- name: Configure systemd
+ ansible.builtin.include_tasks:
+ file: systemd.yaml
\ No newline at end of file
diff --git a/roles/app-cloudflared/tasks/systemd.yaml b/roles/app-cloudflared/tasks/systemd.yaml
new file mode 100644
index 0000000..f4370d0
--- /dev/null
+++ b/roles/app-cloudflared/tasks/systemd.yaml
@@ -0,0 +1,14 @@
+- name: Create systemd unit file
+ ansible.builtin.copy:
+ dest: /etc/systemd/system/cloudflared.service
+ owner: root
+ group: root
+ mode: "0644"
+ content: "{{ lookup('template', 'systemd-unit.j2') }}"
+
+- name: (Re)start service
+ ansible.builtin.systemd_service:
+ name: cloudflared
+ enabled: true
+ daemon_reload: true
+ state: "{{ 'restarted' if app_cloudflared_config.changed or app_cloudflared_credentials.changed else 'started' }}"
diff --git a/roles/app-cloudflared/templates/config.j2 b/roles/app-cloudflared/templates/config.j2
new file mode 100644
index 0000000..2af6a85
--- /dev/null
+++ b/roles/app-cloudflared/templates/config.j2
@@ -0,0 +1,12 @@
+tunnel: "{{ app_cloudflared_tunnel_credentials.tunnel_id }}"
+credentials-file: /etc/cloudflared/tunnel-credentials.json
+
+ingress:
+ {% for route in app_cloudflared_routes | default([]) %}
+ - hostname: {{ route.hostname }}
+ service: {{ route.backend }}
+ originRequest:
+ noTLSVerify: true
+ {% endfor %}
+
+ - service: http_status:404
\ No newline at end of file
diff --git a/roles/app-cloudflared/templates/credentials.j2 b/roles/app-cloudflared/templates/credentials.j2
new file mode 100644
index 0000000..04b5e78
--- /dev/null
+++ b/roles/app-cloudflared/templates/credentials.j2
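Review bot: `Create cloudflared user` leaves the service account with a home directory and a login shell, because those are `ansible.builtin.user` defaults; for a daemon account set `system: true`, `shell: /usr/sbin/nologin` and `create_home: false` (the unit in systemd-unit.j2 sets `WorkingDirectory=/etc/cloudflared`, so no home is needed). `Create cloudflared group` can take `system: true` for the same reason.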
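Review bot: `noTLSVerify: true` in config.j2 is emitted for every ingress rule, so origin certificate checks are switched off even for HTTPS backends that present a valid certificate; make it per-route, e.g. `noTLSVerify: {{ route.no_tls_verify | default(false) | to_json }}`, so the insecure setting is opted into only where a self-signed origin needs it. The indented `{% for %}`/`{% endfor %}` lines also leave whitespace-only lines in the rendered YAML under `ingress:`; harmless, but `{%- … -%}` trimming keeps the output clean.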
@@ -0,0 +1,5 @@ +{ + "AccountTag": "{{ app_cloudflared_tunnel_credentials.account_id }}", + "TunnelSecret":"{{ app_cloudflared_tunnel_credentials.tunnel_secret | b64encode }}", + "TunnelID": "{{ app_cloudflared_tunnel_credentials.tunnel_id }}" +} \ No newline at end of file diff --git a/roles/app-cloudflared/templates/systemd-unit.j2 b/roles/app-cloudflared/templates/systemd-unit.j2 new file mode 100644 index 0000000..3b6a26c --- /dev/null +++ b/roles/app-cloudflared/templates/systemd-unit.j2 @@ -0,0 +1,17 @@ +[Unit] +Description=Cloudflared +Documentation=https://coredns.io/manual/ +After=network-online.target +Wants=network-online.target + +[Service] +User=cloudflared +Group=cloudflared +AmbientCapabilities=CAP_NET_BIND_SERVICE +Restart=always +WorkingDirectory=/etc/cloudflared +ExecStart=/usr/local/bin/cloudflared tunnel --config /etc/cloudflared/config.yaml --metrics 0.0.0.0:3333 run +ExecReload=/usr/bin/kill -USR1 $MAINPID + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/app-container/tasks/docker.yaml b/roles/app-container/tasks/docker.yaml new file mode 100644 index 0000000..ae34b1f --- /dev/null +++ b/roles/app-container/tasks/docker.yaml @@ -0,0 +1,4 @@ +- name: Install overlayfs fuse + ansible.builtin.apt: + name: fuse-overlayfs + state: present \ No newline at end of file diff --git a/roles/app-container/tasks/main.yaml b/roles/app-container/tasks/main.yaml index cf96cd1..3ebfebe 100644 --- a/roles/app-container/tasks/main.yaml +++ b/roles/app-container/tasks/main.yaml @@ -1,3 +1,8 @@ +- name: Install Docker dependencies + when: app_container_docker_support | default(false) + ansible.builtin.include_tasks: + file: container.yaml + - name: Create container ansible.builtin.include_tasks: file: container.yaml diff --git a/roles/app-container/tasks/start.yaml b/roles/app-container/tasks/start.yaml index 0736d08..bd2bd1f 100644 --- a/roles/app-container/tasks/start.yaml +++ b/roles/app-container/tasks/start.yaml 
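Review bot: `TunnelSecret` is rendered as `{{ app_cloudflared_tunnel_credentials.tunnel_secret | b64encode }}`, but the credentials file that `cloudflared tunnel create` writes already stores the secret base64-encoded, so if the sops value was copied from that file it is encoded twice here and the tunnel will not authenticate. Confirm which form is stored and record it in the template, e.g. `{# tunnel_secret holds the raw secret bytes; cloudflared expects base64 #}`, or drop the filter. The missing space after `"TunnelSecret":` is a style nit.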
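Review bot: `Documentation=https://coredns.io/manual/` in systemd-unit.j2 is a leftover from the CoreDNS unit this role was copied from; point it at the cloudflared documentation or drop the line. `ExecStart=/usr/local/bin/cloudflared` also needs checking against the package installed by install.yaml — as far as I know the Debian package ships the binary as `/usr/bin/cloudflared`, in which case the unit fails to start. `--metrics 0.0.0.0:3333` publishes the metrics endpoint on every interface; unless an external scraper needs it, bind it to loopback or the container's address, and `AmbientCapabilities=CAP_NET_BIND_SERVICE` looks unnecessary for an outbound tunnel whose only listener is on a high port.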
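Review bot: `Install Docker dependencies` in roles/app-container/tasks/main.yaml includes `file: container.yaml` — the same file the `Create container` task right below includes — instead of the `docker.yaml` added in this commit, so when `app_container_docker_support` is true the container-creation tasks run twice and `fuse-overlayfs` is never installed. Change it to `file: docker.yaml`.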
@@ -23,4 +23,10 @@ port: 22 timeout: 400 sleep: 2 - msg: "Container {{ container_vars.ansible_hostname }} did not start responding on SSH in time." \ No newline at end of file + msg: "Container {{ container_vars.ansible_hostname }} did not start responding on SSH in time." + +- name: Run outbound ping to workaround the bug when new containers are not reachable + changed_when: false + ansible.builtin.command: + cmd: "pct exec {{ app_container_info.vmid }} -- bash -c 'ping -c 5 google.com'" + diff --git a/roles/app-container/templates/pct-set.j2 b/roles/app-container/templates/pct-set.j2 index ba65a0f..008fa6a 100644 --- a/roles/app-container/templates/pct-set.j2 +++ b/roles/app-container/templates/pct-set.j2 @@ -2,7 +2,7 @@ pct set {{ app_container_id }} {%- raw %} --hostname {% endraw %}{{ ansible_hostname }} {%- raw %} --memory {% endraw %} {{ app_container_memory }} {%- if app_container_cpu_cores is defined %} --cores {{ app_container_cpu_cores }}{% endif -%} - {%- raw %} --features nesting=1{% endraw %}{% if app_container_fuse_enabled | default(false) == true %},fuse=1{% endif -%} + {%- raw %} --features nesting=1{% endraw %}{% if app_container_fuse_enabled | default(false) == true %},fuse=1{% endif -%}{% if app_container_docker_support | default(false) == true %},keyctl=1,fuse=1{% endif %} {%- for mount in (app_container_mounts | default([])) %} {%- if mount.type == "bind" %} --mp{{ loop.index - 1 }} "{{ mount.hostpath }},mp={{ mount.target_path }}" diff --git a/roles/app-frigate/tasks/main.yaml b/roles/app-frigate/tasks/main.yaml new file mode 100644 index 0000000..bf6de71 --- /dev/null +++ b/roles/app-frigate/tasks/main.yaml @@ -0,0 +1,2 @@ +# Create compose file +# Start the compose stack \ No newline at end of file diff --git a/roles/app-gatus/tasks/main.yaml b/roles/app-gatus/tasks/main.yaml new file mode 100644 index 0000000..a6eedec --- /dev/null +++ b/roles/app-gatus/tasks/main.yaml 
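Review bot: `Run outbound ping to workaround …` sets `changed_when: false` but no `failed_when`, so a lab without Internet access or a transient DNS failure on `google.com` now fails the play right after the container came up. If the ping only primes connectivity, add `failed_when: false`, and pinging the gateway from `app_container_network_interfaces` would remove the external dependency. A comment naming the bug being worked around (`# works around <tracker reference placeholder>: fresh CTs are unreachable until they send traffic`) would help the next reader, and the hunk leaves a trailing whitespace-only line at the end of the file.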
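Review bot: When both `app_container_fuse_enabled` and `app_container_docker_support` are true the features string in pct-set.j2 becomes `nesting=1,fuse=1,keyctl=1,fuse=1`, and `pct set` may reject the repeated key; compute each feature once, e.g. `{% if app_container_fuse_enabled | default(false) or app_container_docker_support | default(false) %},fuse=1{% endif %}{% if app_container_docker_support | default(false) %},keyctl=1{% endif %}`. The `== true` after `default(false)` is redundant but matches the existing line.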
@@ -0,0 +1,22 @@ +- name: Create config directory + ansible.builtin.file: + path: /etc/gatus + state: directory + +- name: Create config file + register: app_gatus_config + ansible.builtin.copy: + dest: /etc/gatus/config.yaml + force: true + content: "{{ lookup('template', 'config.j2') }}" + +- name: Create compose file + ansible.builtin.copy: + dest: /etc/gatus/docker-compose.yaml + force: true + content: "{{ lookup('template', 'docker-compose.j2') }}" + +- name: Tear down existing services + community.docker.docker_compose_v2: + project_src: /etc/gatus + state: "{{ 'restarted' if app_gatus_config.changed else 'present' }}" diff --git a/roles/app-gatus/templates/config.j2 b/roles/app-gatus/templates/config.j2 new file mode 100644 index 0000000..ef409a2 --- /dev/null +++ b/roles/app-gatus/templates/config.j2 @@ -0,0 +1,3 @@ +metrics: true +endpoints: +{{ app_gatus_monitored_endpoints | to_yaml }} diff --git a/roles/app-gatus/templates/docker-compose.j2 b/roles/app-gatus/templates/docker-compose.j2 new file mode 100644 index 0000000..e767ff2 --- /dev/null +++ b/roles/app-gatus/templates/docker-compose.j2 @@ -0,0 +1,12 @@ +version: "3.9" +services: + gatus: + container_name: gatus + image: twinproduction/gatus:{{ app_gatus_image_tag }} + restart: always + ports: + - "8080:8080" + volumes: + - /etc/gatus/config.yaml:/config/config.yaml + +# TODO: Mount directory with metrics state \ No newline at end of file diff --git a/roles/app-pihole/handlers/main.yaml b/roles/app-pihole/handlers/main.yaml index 6456335..887bc8a 100644 --- a/roles/app-pihole/handlers/main.yaml +++ b/roles/app-pihole/handlers/main.yaml @@ -1,3 +1,8 @@ - name: restart_dns ansible.builtin.command: - cmd: pihole restartdns \ No newline at end of file + cmd: pihole restartdns + +- name: restart_lighttpd + ansible.builtin.systemd_service: + name: lighttpd + state: restarted \ No newline at end of file 
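Review bot: `Tear down existing services` in roles/app-gatus/tasks/main.yaml is misnamed — `docker_compose_v2` with `state: present` or `restarted` brings the stack up — so call it `Start or restart gatus stack`. `Create config directory` and both `copy` tasks set no `owner`/`mode`, unlike the cloudflared role in the same commit; the gatus config is not secret today, but `mode: "0644"` on the files and `"0755"` on the directory pins the intent rather than leaving it to the umask.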
diff --git a/roles/app-pihole/tasks/http.yaml b/roles/app-pihole/tasks/http.yaml new file mode 100644 index 0000000..ee23726 --- /dev/null +++ b/roles/app-pihole/tasks/http.yaml @@ -0,0 +1,6 @@ +- name: Add redirect from root to /admin + notify: restart_lighttpd + ansible.builtin.lineinfile: + path: /etc/lighttpd/lighttpd.conf + line: url.redirect = ("^/$" => "/admin" ) + create: false \ No newline at end of file diff --git a/roles/app-pihole/tasks/main.yaml b/roles/app-pihole/tasks/main.yaml index 20dc9e7..dc09b05 100644 --- a/roles/app-pihole/tasks/main.yaml +++ b/roles/app-pihole/tasks/main.yaml @@ -25,6 +25,10 @@ ansible.builtin.include_tasks: file: install.yaml -- name: Configure DNS +- name: Configure dns server ansible.builtin.include_tasks: - file: dns.yaml \ No newline at end of file + file: dns.yaml + +- name: Configure http server + ansible.builtin.include_tasks: + file: http.yaml \ No newline at end of file diff --git a/roles/app-pihole/templates/custom-hosts.j2 b/roles/app-pihole/templates/custom-hosts.j2 index e13fd32..fddb84c 100644 --- a/roles/app-pihole/templates/custom-hosts.j2 +++ b/roles/app-pihole/templates/custom-hosts.j2 @@ -1,3 +1,17 @@ {%- for host in groups['all'] %} -{{ hostvars[host].ansible_host }} {{ hostvars[host].fqdn }} +{{ hostvars[host].ansible_host }} {{ hostvars[host].ansible_hostname }}.{{ domain }} +{% endfor %} + +{% for host in groups['all'] %} +{% for record in hostvars[host].app_pihole_records | default([]) %} + +{% if record.type == "pomerium_proxy" %} +{{ hostvars[host].ansible_host }} {{ hostvars[host].ansible_hostname }}.{{ domain }} +{% elif record.type == "ansible_host" %} +{{ hostvars[host].ansible_host }} {{ record.hostname }}.{{ domain }} +{% else %} +{{ record.value }} {{ record.hostname }}.{{ domain }} +{% endif %} + +{% endfor %} {% endfor %} \ No newline at end of file diff --git a/roles/app-pihole/templates/dnsmasq-local.j2 b/roles/app-pihole/templates/dnsmasq-local.j2 index d511d62..c21b803 100644 
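Review bot: `ansible.builtin.lineinfile` in http.yaml has no `regexp:`, so if the redirect target is ever changed the old `url.redirect = …` line stays in lighttpd.conf next to the new one; add `regexp: '^url\.redirect\s*='` so the existing directive is replaced in place. `create: false` is already the default and can be dropped.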
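Review bot: The `pomerium_proxy` branch of custom-hosts.j2 writes `{{ hostvars[host].ansible_host }} {{ hostvars[host].ansible_hostname }}.{{ domain }}` — the record owner's own IP and hostname, which the first loop already emitted — and never uses `record.hostname`, so the `frigate-lab` and `gatus-lab` records from this commit's host_vars never resolve. Presumably the record name should point at the pomerium container, e.g. `{{ hostvars['pomerium'].ansible_host }} {{ record.hostname }}.{{ domain }}`, using the `pomerium` inventory host from hosts.yaml. The blank template lines inside the loops also land in the rendered hosts file; `{%- … %}` trimming would keep it tidy.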
--- a/roles/app-pihole/templates/dnsmasq-local.j2 +++ b/roles/app-pihole/templates/dnsmasq-local.j2 @@ -1,2 +1,2 @@ -domain={{ app_pihole_local_domain }} -local=/{{ app_pihole_local_domain }}/ \ No newline at end of file +domain={{ domain }} +local=/{{ domain }}/ \ No newline at end of file diff --git a/roles/app-pomerium/templates/config.j2 b/roles/app-pomerium/templates/config.j2 index 349f9c3..639f981 100644 --- a/roles/app-pomerium/templates/config.j2 +++ b/roles/app-pomerium/templates/config.j2 @@ -3,7 +3,7 @@ authenticate_service_url: https://{{ app_pomerium_hostname }} autocert: false certificates: -{% for cert in app_pomeriums_certificates %} +{% for cert in app_pomerium_certificates %} - cert: '{{ cert.fullchain_path }}' key: '{{ cert.key_path }}' {% endfor %} @@ -18,6 +18,21 @@ cookie_secret: {{ app_pomerium_cookie_secret }} # TODO: metrics_address: :9090 routes: - - from: https://google-lab.homecentr.one - to: https://google.com - pass_identity_headers: false \ No newline at end of file +{% for host in groups['all'] %} +{% for record in hostvars[host].app_pomerium_routes | default([]) %} + - from: {{ route.from }} + to: {{ route.to }} + {% if route.auth_mode == 'administrators' -%} + policy: + - allow: + or: + - claim/groups: "{{ app_pomerium_groups_administrators }}" + {% elif route.auth_mode == 'users' %} + policy: + - allow: + or: + - claim/groups: "{{ app_pomerium_groups_users }}" + {% endif %} + +{% endfor %} +{% endfor %} diff --git a/roles/docker/tasks/main.yaml b/roles/docker/tasks/main.yaml new file mode 100644 index 0000000..9574a8a --- /dev/null +++ b/roles/docker/tasks/main.yaml @@ -0,0 +1,8 @@ +- name: Install docker management pip module + ansible.builtin.apt: + name: python3-docker + state: present + +- name: Install docker + ansible.builtin.import_role: + name: geerlingguy.docker diff --git a/roles/hosts/tasks/main.yml b/roles/hosts/tasks/main.yml index dd919d4..80d0cf9 100644 --- a/roles/hosts/tasks/main.yml 
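Review bot: The inner loop in config.j2 is declared as `{% for record in hostvars[host].app_pomerium_routes | default([]) %}` but the body reads `route.from`, `route.to` and `route.auth_mode`, so `route` is undefined and rendering fails (or emits empty values in a lenient environment) as soon as any host defines routes; rename the loop variable to `route`. The routes defined in monitoring.yaml in this commit use `hostname`/`type`/`port` rather than `from`/`to`, and `auth_mode: public` matches neither `{% elif %}` branch, so that entry would render a route with no policy at all — for an intentionally public route add a third branch emitting `allow_public_unauthenticated_access: true` instead of relying on an absent policy. With the routes gathered from `groups['all']`, `routes:` also renders empty (null) when no host defines any.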
+++ b/roles/hosts/tasks/main.yml @@ -1,8 +1,8 @@ - name: Add host entries for other nodes (FQDN and hostname) ansible.builtin.lineinfile: path: /etc/hosts - regexp: "^.*\\W+{{ item | replace('.', '\\.') }}\\W+{{ hostvars[item].fqdn | replace('.', '\\.') }}\\W*$" - line: "{{ hostvars[item]['ansible_host'] }} {{ hostvars[item]['ansible_hostname'] }} {{ hostvars[item].fqdn }}" + regexp: "^.*\\W+{{ item | replace('.', '\\.') }}.*" + line: "{{ hostvars[item]['ansible_host'] }} {{ hostvars[item]['ansible_hostname'] }} {{ hostvars[item]['ansible_hostname'] }}.{{ domain }}" with_items: "{{ groups['all'] }}" - name: Add additional hosts From 4c79347f12b99fefabc413a932964d1639ce6bb0 Mon Sep 17 00:00:00 2001 
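Review bot: The relaxed `regexp: "^.*\\W+{{ item | replace('.', '\\.') }}.*"` matches any /etc/hosts line in which the inventory name appears after a non-word character, including entries for other hosts whose names share a prefix (`pve1` matches a future `pve10`) and comment lines, and lineinfile then rewrites the last such line instead of adding a new one. Anchoring on the address is unique per host and survives hostname renames: `regexp: "^{{ hostvars[item]['ansible_host'] | replace('.', '\\.') }}\\s"`. The task list continues outside the hunk.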
From: Lukas Holota Date: Thu, 14 Mar 2024 16:34:08 +0100 Subject: [PATCH 27/51] Frigate not working, probably due to missing gpu --- .../lab/group_vars/pve_nodes/firewall.yaml | 28 ++++++-- environments/lab/host_vars/frigate.yaml | 23 ------- .../lab/host_vars/frigate/cameras.sops.yaml | 46 ++++++++++++++ .../lab/host_vars/frigate/container.yaml | 50 +++++++++++++++ .../lab/host_vars/homepage/bookmarks.yaml | 39 ++++++++++++ .../lab/host_vars/homepage/container.yaml | 40 ++++++++++++ .../lab/host_vars/homepage/services.yaml | 4 ++ .../lab/host_vars/homepage/settings.yaml | 8 +++ .../lab/host_vars/homepage/widgets.yaml | 4 ++ environments/lab/host_vars/monitoring.yaml | 9 +-- environments/lab/host_vars/mqtt.yaml | 2 - environments/lab/host_vars/pihole.yaml | 19 +++++- .../lab/host_vars/pomerium/container.yaml | 10 ++- .../lab/host_vars/pomerium/pomerium.yaml | 8 --- environments/lab/host_vars/pve1.yaml | 12 +++- environments/lab/host_vars/pve2.yaml | 12 +++- environments/lab/host_vars/pve3.yaml | 12 +++- environments/lab/hosts.yaml | 9 +-- playbooks/containers/homepage.yaml | 33 ++++++++++ playbooks/containers/pomerium.yaml | 16 +---- playbooks/proxmox/cluster.yaml | 8 +-- .../app-container/tasks/container-disks.yaml | 14 ++++ roles/app-container/tasks/container.yaml | 2 +- roles/app-container/tasks/main.yaml | 7 ++ roles/app-container/tasks/zfs.yaml | 7 ++ roles/app-container/templates/pct-set.j2 | 2 - roles/app-coredns/tasks/configure.yaml | 16 ----- roles/app-coredns/tasks/install.yaml | 25 -------- roles/app-coredns/tasks/main.yaml | 21 ------ roles/app-coredns/tasks/systemd.yaml | 14 ---- roles/app-coredns/templates/corefile.j2 | 20 ------ roles/app-coredns/templates/systemd-unit.j2 | 17 ----- roles/app-frigate/tasks/docker.yaml | 10 +++ roles/app-frigate/tasks/main.yaml | 22 ++++++- roles/app-frigate/templates/config.j2 | 46 ++++++++++++++ roles/app-frigate/templates/docker-compose.j2 | 23 +++++++ roles/app-gatus/tasks/main.yaml | 7 +- 
roles/app-gatus/templates/config.j2 | 60 +++++++++++++++++- roles/app-gatus/templates/docker-compose.j2 | 1 + roles/app-homepage/defaults/main.yaml | 2 + roles/app-homepage/files/dynadot.png | Bin 0 -> 8429 bytes roles/app-homepage/files/favicon.ico | Bin 0 -> 101869 bytes roles/app-homepage/files/homecentr.png | Bin 0 -> 1532 bytes roles/app-homepage/files/onedrive.png | Bin 0 -> 13675 bytes roles/app-homepage/files/sendgrid.png | Bin 0 -> 1066 bytes roles/app-homepage/tasks/configure.yaml | 13 ++++ roles/app-homepage/tasks/docker.yaml | 10 +++ roles/app-homepage/tasks/icons.yaml | 9 +++ roles/app-homepage/tasks/main.yaml | 28 ++++++++ roles/app-homepage/tasks/user.yaml | 11 ++++ .../app-homepage/templates/docker-compose.j2 | 14 ++++ roles/app-mosquitto/tasks/main.yaml | 14 +++- roles/app-mosquitto/templates/config.j2 | 7 ++ roles/app-pihole/templates/custom-hosts.j2 | 4 +- roles/app-pomerium/defaults/main.yaml | 2 + roles/app-pomerium/tasks/user.yaml | 11 ++++ roles/app-pomerium/templates/config.j2 | 15 +++-- .../templates/getssl-root.j2 | 3 +- 58 files changed, 641 insertions(+), 208 deletions(-) delete mode 100644 environments/lab/host_vars/frigate.yaml create mode 100644 environments/lab/host_vars/frigate/cameras.sops.yaml create mode 100644 environments/lab/host_vars/frigate/container.yaml create mode 100644 environments/lab/host_vars/homepage/bookmarks.yaml create mode 100644 environments/lab/host_vars/homepage/container.yaml create mode 100644 environments/lab/host_vars/homepage/services.yaml create mode 100644 environments/lab/host_vars/homepage/settings.yaml create mode 100644 environments/lab/host_vars/homepage/widgets.yaml create mode 100644 playbooks/containers/homepage.yaml create mode 100644 roles/app-container/tasks/container-disks.yaml create mode 100644 roles/app-container/tasks/zfs.yaml delete mode 100644 roles/app-coredns/tasks/configure.yaml delete mode 100644 roles/app-coredns/tasks/install.yaml delete mode 100644 
roles/app-coredns/tasks/main.yaml delete mode 100644 roles/app-coredns/tasks/systemd.yaml delete mode 100644 roles/app-coredns/templates/corefile.j2 delete mode 100644 roles/app-coredns/templates/systemd-unit.j2 create mode 100644 roles/app-frigate/tasks/docker.yaml create mode 100644 roles/app-frigate/templates/config.j2 create mode 100644 roles/app-frigate/templates/docker-compose.j2 create mode 100644 roles/app-homepage/defaults/main.yaml create mode 100644 roles/app-homepage/files/dynadot.png create mode 100644 roles/app-homepage/files/favicon.ico create mode 100644 roles/app-homepage/files/homecentr.png create mode 100644 roles/app-homepage/files/onedrive.png create mode 100644 roles/app-homepage/files/sendgrid.png create mode 100644 roles/app-homepage/tasks/configure.yaml create mode 100644 roles/app-homepage/tasks/docker.yaml create mode 100644 roles/app-homepage/tasks/icons.yaml create mode 100644 roles/app-homepage/tasks/main.yaml create mode 100644 roles/app-homepage/tasks/user.yaml create mode 100644 roles/app-homepage/templates/docker-compose.j2 create mode 100644 roles/app-mosquitto/templates/config.j2 create mode 100644 roles/app-pomerium/defaults/main.yaml create mode 100644 roles/app-pomerium/tasks/user.yaml diff --git a/environments/lab/group_vars/pve_nodes/firewall.yaml b/environments/lab/group_vars/pve_nodes/firewall.yaml index 685f7c3..34fcd15 100644 --- a/environments/lab/group_vars/pve_nodes/firewall.yaml +++ b/environments/lab/group_vars/pve_nodes/firewall.yaml 
@@ -13,18 +13,28 @@ pve_cluster_firewall_aliases: - name: pve3 cidr: 10.1.8.13/32 + - name: cloudflared1 + cidr: 10.1.8.70/32 + - name: cloudflared2 + cidr: 10.1.8.71/32 + - name: mqtt - cidr: 10.1.8.132/32 + cidr: 10.1.8.67/32 + + - name: homepage + cidr: 10.1.8.72/32 + - name: pomerium1 - cidr: 10.1.8.130/32 - - name: pomerium2 - cidr: 10.1.8.131/32 + cidr: 10.1.8.66/32 + pve_cluster_firewall_ipsets: - name: management items: - type: alias name: subnet-home + - type: alias + name: monitoring - name: proxmox items: - type: alias @@ -37,12 +47,18 @@ pve_cluster_firewall_ipsets: items: - type: alias name: pomerium1 - - type: alias - name: pomerium2 - name: mqtt items: - type: alias name: mqtt + - name: monitoring + items: + - type: alias + name: monitoring + - name: homepage + items: + - type: alias + name: homepage pve_cluster_firewall_security_groups: [] # - name: my-group diff --git a/environments/lab/host_vars/frigate.yaml b/environments/lab/host_vars/frigate.yaml deleted file mode 100644 index cd6dbb0..0000000 --- a/environments/lab/host_vars/frigate.yaml +++ /dev/null @@ -1,23 +0,0 @@ -ansible_host: 10.1.8.69 -ansible_hostname: ct-frigate-lab - -app_container_docker_support: true -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 512 -app_container_storage_name: dpool -app_container_storage_size_gb: 5 -app_container_pve_replication_cron_expression: "*/5" -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.8.69/24 - ipv4_gateway: 10.1.8.1 - -app_container_pve_node: pve2 -app_container_pve_ha_group_name: noncritical -app_container_pve_replication_nodes: - - pve1 - -app_pihole_records: - - hostname: frigate-lab - type: pomerium_proxy \ No newline at end of file diff --git a/environments/lab/host_vars/frigate/cameras.sops.yaml b/environments/lab/host_vars/frigate/cameras.sops.yaml new file mode 100644 index 0000000..af4724e --- /dev/null 
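Review bot: Both new ipset entries `- type: alias` / `name: monitoring` (inside `management` and inside the new `monitoring` ipset) reference an alias that is not defined in the visible part of `pve_cluster_firewall_aliases`; if it is not declared above line 13, the firewall apply will reference an undefined alias, so it should be added next to the other container aliases (`- name: monitoring` with the container's `/32`). Placing the monitoring container in the `management` ipset also grants it everything the management rules allow; if Gatus only needs ICMP and HTTPS to the nodes, a dedicated rule on the `monitoring` ipset is the narrower choice. The `frigate.yaml` deletion and the address changes are plain data updates.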
+++ b/environments/lab/host_vars/frigate/cameras.sops.yaml 
@@ -0,0 +1,46 @@ +app_frigate_cameras: + - name: ENC[AES256_GCM,data:K25rEW2YZ9k=,iv:3F+cPXgvnpqDX3Jul8Bd+CpgUVK4EBk6SSqK/7nsiTk=,tag:MjTIJKnJNRrm9r1C5DAILw==,type:str] + type: ENC[AES256_GCM,data:VWA/UV1mWA==,iv:wnOsUQPwYyluSKd+pgzBXrNlFNYdsUuV7iMOEg3zLCY=,tag:Bf90sQ0Xi/6GY6gGnAm2Sw==,type:str] + ip: ENC[AES256_GCM,data:bcgx95kQUEEF,iv:URoVES75H5OaTjoPnwrTacxvoS0pWrIdDopMDo1qRpk=,tag:yS/IoVOFbunyXFxET3lubQ==,type:str] + username: ENC[AES256_GCM,data:Jb/lH4qKqw==,iv:N6rrdzEnaS6IkvyuH/GVsNsutzkrx1wZ2kWnVo37NE4=,tag:kbWDUwIZNcSPzJsTv9E7ZQ==,type:str] + password: ENC[AES256_GCM,data:IvToLCZj1wq5KH2MQaaTu7dCQcSWW8LdxLnykcs=,iv:yB03KVTEtB5PwXvv4zfj/zMQLKIr76fNjjv3rcyc2bA=,tag:CKw79/Hye5imT3v4Blp0sw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWWFad3hDUi8vWFpIQ3E1 + QktDNVVtdXluVlQ1UzJjQ1BZWFRXUlpUc1NjClV2WEd0bFRhK2JlcDBwOUVUWmNo + RHBFbWFsY1lRYWtaRE5ScXBrZ0UzanMKLS0tIDByNmd0K3drUUpGU3hmcmJUQmpu + L0w0ZXlhN2hPS0xWR0lITW96Mm5kMU0KgOqDc2YVPVQtP2+5lfjUXyFLMj0idIEn + NnVcBcGCpRaU2NOh2vTSIJTPDF8oq1wCR1MCxycKV4U9Za5caPurbw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-14T15:14:03Z" + mac: ENC[AES256_GCM,data:vqkakCWFV2k9zct5w2vDpvJTsdsrU86TVTplcrMOZm3e9dPMDARpHXZI4vYBTBPtU7JNhDNFgQNPUB/D/A+Ig5BGvL3C1iPmKTvmGjv/w4NaEn8yRj4k0+2h5XSZNEaIQoq65Ymzbbkz714kuTRn2ctrQxfJCbj8Tas9aoDbM/0=,iv:FaTwuWFR7FPpNMuufSUsiL5AhgMWc+9KLr3tfRMpyK0=,tag:GT/yiuF5LY1RS2uql2OIlA==,type:str] + pgp: + - created_at: "2024-03-14T15:10:37Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7Pg+ndCcR5CAQ//chnODy6vHHlkjG7FCrZIk3sL6OgnSjadjNhoxTvuYEuK + WNIiS1zMw3aVVrqVYq1+SXeUgwPTB63GP1fzNrLYY9B4g1zvxq4ySjQ1l5AFtKse + PmOcPWQrkSzahquMFsNDiJlwEIlVmoAm1V14uI85TehIBmXjlBIJcckvikkf2xBi + /7FGoLqXdnrpCdeEYWIiujujJF1saIuhBWLEcPyzzL7fgtlrOQH+IcTkqLvEP92k + 
p0FA4152ohwP2duAsH4By3AR5iWTywP19tKzp7E/cu16g0cbqbD/L7kpoMB1wkmI + 6nXJ5SHrSZ1RD7PppX/PQbeTOaYRbW6jnqLvI/2AOx8ChNO6DdXJr4qi/TuTyAQR + RSapnAyYVyfxffQdozT0vjJPrHR7AQSlz6q3/3O0b4VL3SkUDH8eoLjaIIAt0oz5 + 57Fjrrr9gtRdLZM+DrxFqmUk+q0PFEmriYY0gqBjDeTMS/gWJ7r4DoBgsH5QeN4p + zti3fEEysaVUVs5GaDKeV2yXgT3j3DqVdiLGoO7YeLiO4uAU4Z2gOPZs+vy7Xptb + UVGgQqm6BQe9pkEq94zbGqSe9+6+16pZ/PGeGZ+riE8XvioJ2r+O9M/zaSO8dSn6 + IKkxeWDcvDD4LL6KJyqT8uWtYncKEorMp6TRa7ZGaj6gbPQXhhPKUVqt79Yj1lfS + XgFpmG+dMte5yG5aX5WyFzfk9GqVJck2LU3HoQyOb7KqA5KblSZc54jESc1mkH2d + tALRYJzfO18P9RNv9HWtVKBgr4GZ42XR13r3rOJAF9mypPkOp9bCoCvT8kAGmF0= + =ltPj + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/environments/lab/host_vars/frigate/container.yaml b/environments/lab/host_vars/frigate/container.yaml new file mode 100644 index 0000000..3aee5d0 --- /dev/null +++ b/environments/lab/host_vars/frigate/container.yaml 
@@ -0,0 +1,50 @@
+ansible_host: 10.1.8.69
+ansible_hostname: ct-frigate-lab
+
+app_container_docker_support: true
+app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
+app_container_memory: 2048
+app_container_storage_name: dpool
+app_container_storage_size_gb: 5
+app_container_pve_replication_cron_expression: "*/5"
+app_container_network_interfaces:
+ - name: eth0
+ bridge: vmbr0
+ ipv4_address: 10.1.8.69/24
+ ipv4_gateway: 10.1.8.1
+
+app_container_mounts:
+ - type: disk
+ storage_name: dpool
+ index: 2
+ size_gb: 2
+ target_path: /nvr
+
+app_container_pve_node: pve2
+app_container_pve_ha_group_name: noncritical
+app_container_pve_replication_nodes:
+ - pve1
+
+app_frigate_image_tag: 0.13.2
+app_frigate_cache_size_gb: 1
+app_frigate_shm_size_gb: 1
+
+app_pihole_records:
+ - hostname: frigate-lab
+ type: pomerium_proxy
+
+app_pomerium_routes:
+ - hostname: frigate-lab
+ target_port: 5000
+ auth_mode: users
+
+app_gatus_monitored_endpoints:
+ - name: Web UI / container
+ group: Frigate
+ type: http
+ host: ct-frigate-lab
+ port: 5000
+ - name: Web UI / via proxy
+ group: Frigate
+ type: https-pomerium-proxy
+ host: frigate-lab.homecentr.one
\ No newline at end of file
diff --git a/environments/lab/host_vars/homepage/bookmarks.yaml b/environments/lab/host_vars/homepage/bookmarks.yaml
new file mode 100644
index 0000000..75da61f
--- /dev/null
+++ b/environments/lab/host_vars/homepage/bookmarks.yaml
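Review bot: `app_frigate_image_tag: 0.13.2` happens to parse as a string only because it has two dots; a future two-component tag such as `0.14` would silently become the float `0.14` and render as `0.14` or `0.1` depending on the tooling. Quoting it as `app_frigate_image_tag: "0.13.2"` removes the trap and matches how the other version-like values in this patch (`"*/5"`) are written. The file also lacks a trailing newline, as do most of the new files in this commit.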
@@ -0,0 +1,39 @@
+app_homepage_bookmarks:
+ - Homelab:
+ - "Homecentr documentation":
+ - icon: /icons/homecentr.png
+ href: https://docs.homecentr.one
+
+ - "Homecentr on Github":
+ - icon: github-light
+ href: https://github.com/homecentr/
+
+ - "Cloud tools":
+ - OneDrive:
+ - icon: /icons/onedrive.png
+ href: https://onedrive.com
+
+ - Gmail:
+ - icon: gmail
+ href: https://gmail.com
+
+ - "Cloud infrastructure":
+ - Azure:
+ - icon: azure
+ href: https://portal.azure.com
+
+ - Cloudflare:
+ - icon: cloudflare
+ href: https://cloudflare.com
+
+ - PagerDuty:
+ - icon: pagerduty
+ href: https://pagerduty.com
+
+ - SendGrid:
+ - icon: /icons/sendgrid.png
+ href: https://sendgrid.com
+
+ - Dynadot:
+ - icon: /icons/dynadot.png
+ href: https://dynadot.com
\ No newline at end of file
diff --git a/environments/lab/host_vars/homepage/container.yaml b/environments/lab/host_vars/homepage/container.yaml
new file mode 100644
index 0000000..efd0a5d
--- /dev/null
+++ b/environments/lab/host_vars/homepage/container.yaml
@@ -0,0 +1,40 @@
+ansible_host: 10.1.8.72
+ansible_hostname: ct-homepage-lab
+
+app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
+app_container_memory: 512
+app_container_storage_name: dpool
+app_container_storage_size_gb: 5
+app_container_pve_replication_cron_expression: "*/5"
+app_container_network_interfaces:
+ - name: eth0
+ bridge: vmbr0
+ ipv4_address: 10.1.8.72/24
+ ipv4_gateway: 10.1.8.1
+
+app_container_pve_node: pve2
+app_container_pve_ha_group_name: noncritical
+app_container_pve_replication_nodes:
+ - pve1
+
+app_homepage_image_tag: v0.8.9
+
+app_pomerium_routes:
+ - hostname: homepage-lab
+ target_port: 3000
+ auth_mode: users
+
+app_pihole_records:
+ - hostname: homepage-lab
+ type: pomerium_proxy
+
+app_gatus_monitored_endpoints:
+ - name: Homepage / container
+ group: Homepage
+ type: http
+ host: ct-homepage-lab
+ port: 3000
+ - name: Homepage / via proxy
+ group: Homepage
+ type: https-pomerium-proxy
+ host: homepage-lab.homecentr.one
\ No newline at end of file
diff --git a/environments/lab/host_vars/homepage/services.yaml b/environments/lab/host_vars/homepage/services.yaml
new file mode 100644
index 0000000..5e25c93
--- /dev/null
+++ b/environments/lab/host_vars/homepage/services.yaml
@@ -0,0 +1,4 @@
+app_homepage_services:
+ - Apps: []
+ - Development: []
+ - Infrastructure: []
\ No newline at end of file
diff --git a/environments/lab/host_vars/homepage/settings.yaml b/environments/lab/host_vars/homepage/settings.yaml
new file mode 100644
index 0000000..33cf2f1
--- /dev/null
+++ b/environments/lab/host_vars/homepage/settings.yaml
@@ -0,0 +1,8 @@
+app_homepage_settings:
+ title: Homecentr
+ favicon: /icons/favicon.ico
+ background: https://images.unsplash.com/photo-1519681393784-d120267933ba
+ backgroundOpacity: 0.3
+ theme: dark
+ color: neutral
+ headerStyle: clean
\ No newline at end of file
diff --git a/environments/lab/host_vars/homepage/widgets.yaml b/environments/lab/host_vars/homepage/widgets.yaml new file mode 100644 index 0000000..6ab1887 --- /dev/null +++ b/environments/lab/host_vars/homepage/widgets.yaml @@ -0,0 +1,4 @@ +app_homepage_widgets: + - search: + provider: google + target: _blank \ No newline at end of file diff --git a/environments/lab/host_vars/monitoring.yaml b/environments/lab/host_vars/monitoring.yaml index 9cd7519..8ccd434 100644 --- a/environments/lab/host_vars/monitoring.yaml +++ b/environments/lab/host_vars/monitoring.yaml @@ -18,17 +18,10 @@ app_container_pve_replication_nodes: - pve1 app_gatus_image_tag: v5.7.0 -app_gatus_monitored_endpoints: -- name: example - url: https://example.com/ - interval: 1m - conditions: - - "[STATUS] == 200" app_pomerium_routes: - hostname: gatus-lab - type: ansible_host - port: 8080 + target_port: 8080 auth_mode: public app_pihole_records: diff --git a/environments/lab/host_vars/mqtt.yaml b/environments/lab/host_vars/mqtt.yaml index 6e8ba77..96edda1 100644 --- a/environments/lab/host_vars/mqtt.yaml +++ b/environments/lab/host_vars/mqtt.yaml @@ -20,5 +20,3 @@ app_container_pve_replication_nodes: app_pihole_records: - hostname: mqtt-lab type: ansible_host - -# TODO: Gatus monitoring \ No newline at end of file diff --git a/environments/lab/host_vars/pihole.yaml b/environments/lab/host_vars/pihole.yaml index b98f7a3..8192f2d 100644 --- a/environments/lab/host_vars/pihole.yaml +++ b/environments/lab/host_vars/pihole.yaml 
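Review bot: `auth_mode: public` on the rewritten `gatus-lab` route in `monitoring.yaml` publishes the Gatus dashboard through Pomerium with no authentication, and the endpoint list this patch renders into it carries internal hostnames, addresses and ports (`ct-frigate-lab:5000`, `10.1.8.64`, the Pi-hole resolver). If the Pomerium host is reachable from outside the LAN, which the new `cloudflared1`/`cloudflared2` aliases hint at but this chunk cannot confirm, that is a topology disclosure; `auth_mode: users`, as used for the frigate and homepage routes, would close it. Dropping the example endpoint is correct since the template now aggregates endpoints from `hostvars`.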
@@ -22,6 +22,23 @@ app_pihole_forwarders: - 1.1.1.1 - 1.0.0.1 +app_pomerium_routes: + - hostname: pihole-lab + auth_mode: administrators + app_pihole_records: - hostname: pihole-lab - type: ansible_host \ No newline at end of file + type: pomerium_proxy + +app_gatus_monitored_endpoints: + - name: Web UI + group: Pi-hole + type: https-pomerium-proxy + host: pihole-lab.homecentr.one + - name: DNS + group: Pi-hole + type: dns + host: 10.1.8.64 + dns_query_name: "login-lab.homecentr.one" + dns_query_type: "A" + dns_query_answer: 10.1.8.66 \ No newline at end of file diff --git a/environments/lab/host_vars/pomerium/container.yaml b/environments/lab/host_vars/pomerium/container.yaml index c4ab4a3..1c5c4bd 100644 --- a/environments/lab/host_vars/pomerium/container.yaml +++ b/environments/lab/host_vars/pomerium/container.yaml @@ -31,4 +31,12 @@ app_container_getssl_certificates: app_pihole_records: - hostname: login-lab - type: ansible_host \ No newline at end of file + type: ansible_host + +app_gatus_monitored_endpoints: + - name: Pomerium + group: Pomerium + type: https + host: login-lab.homecentr.one + path: /healthz + \ No newline at end of file diff --git a/environments/lab/host_vars/pomerium/pomerium.yaml b/environments/lab/host_vars/pomerium/pomerium.yaml index dd5f3da..ba9d439 100644 --- a/environments/lab/host_vars/pomerium/pomerium.yaml +++ b/environments/lab/host_vars/pomerium/pomerium.yaml @@ -6,11 +6,3 @@ app_pomerium_groups_users: ba84af15-129a-42c3-806c-62700ea31a7c app_pomerium_certificates: - fullchain_path: /getssl/wildcard_fullchain.crt key_path: /getssl/wildcard.key - -app_pomerium_routes: - - from: https://pihole-lab.homecentr.one - to: http://10.1.8.128 - auth_mode: administrators - # - from: https://gatus-lab.homecentr.one - # to: http://10.1.8.128 - # auth_mode: administrators \ No newline at end of file diff --git a/environments/lab/host_vars/pve1.yaml b/environments/lab/host_vars/pve1.yaml index fe9cfc9..8522d1f 100644 
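Review bot: The new `dns` endpoint hard-codes `host: 10.1.8.64` and `dns_query_answer: 10.1.8.66`, duplicating addresses that already live in `ansible_host` and in the firewall aliases (`pomerium1` is `10.1.8.66` in this same patch); the `dns` branch of the Gatus template defaults `host` to the owning host's `ansible_host`, so `host` can simply be dropped, and the answer can be `dns_query_answer: "{{ hostvars['pomerium'].ansible_host }}"` so the two cannot drift. Quoting within the entry is inconsistent (`dns_query_name`/`dns_query_type` quoted, `dns_query_answer` not). The new `pihole-lab` route has no `target_port`; whether the role's default matches Pi-hole's web port is not visible here, and the `pomerium/container.yaml` hunk adds a trailing whitespace-only line after `path: /healthz` that should go.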
--- a/environments/lab/host_vars/pve1.yaml +++ b/environments/lab/host_vars/pve1.yaml @@ -6,4 +6,14 @@ ansible_hostname: pve1-lab ups_name: dummy-ups1 # GetSSL -getssl_cron_renewal_hour: 16 \ No newline at end of file +getssl_cron_renewal_hour: 16 + +# Monitoring +app_gatus_monitored_endpoints: + - name: pve1 / ping + group: Proxmox VE + type: ping + - name: pve1 / http + group: Proxmox VE + type: https + host: pve1-lab.homecentr.one \ No newline at end of file diff --git a/environments/lab/host_vars/pve2.yaml b/environments/lab/host_vars/pve2.yaml index 02a39c0..2c6f1b9 100644 --- a/environments/lab/host_vars/pve2.yaml +++ b/environments/lab/host_vars/pve2.yaml @@ -6,4 +6,14 @@ ansible_hostname: pve2-lab ups_name: dummy-ups1 # GetSSL -getssl_cron_renewal_hour: 17 \ No newline at end of file +getssl_cron_renewal_hour: 17 + +# Monitoring +app_gatus_monitored_endpoints: + - name: pve2 / ping + group: Proxmox VE + type: ping + - name: pve2 / http + group: Proxmox VE + type: https + host: pve2-lab.homecentr.one \ No newline at end of file diff --git a/environments/lab/host_vars/pve3.yaml b/environments/lab/host_vars/pve3.yaml index b396f58..4a025de 100644 --- a/environments/lab/host_vars/pve3.yaml +++ b/environments/lab/host_vars/pve3.yaml @@ -6,4 +6,14 @@ ansible_hostname: pve3-lab ups_name: dummy-ups1 # GetSSL -getssl_cron_renewal_hour: 18 \ No newline at end of file +getssl_cron_renewal_hour: 18 + +# Monitoring +app_gatus_monitored_endpoints: + - name: pve3 / ping + group: Proxmox VE + type: ping + - name: pve3 / http + group: Proxmox VE + type: https + host: pve3-lab.homecentr.one \ No newline at end of file diff --git a/environments/lab/hosts.yaml b/environments/lab/hosts.yaml index 3aad0eb..0b02a41 100644 --- a/environments/lab/hosts.yaml +++ b/environments/lab/hosts.yaml 
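Review bot: The `pve1 / http` endpoint is `type: https` with no `port`, and the Gatus template added in this patch defaults that to 443, while the Proxmox VE web UI listens on 8006 by default; unless something on the node terminates TLS on 443, this check will fail permanently. If the node UI is the intended target, add `port: 8006`; the same applies to the identical pve2 and pve3 hunks. Once the port is right, the `[CERTIFICATE_EXPIRATION] > 72h` condition the template attaches to `https` checks is a good reason to keep them.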
@@ -6,12 +6,13 @@ all: pve2: pve3: containers: - hosts: + hosts: + frigate: + homepage: + monitoring: + mqtt: pihole: pomerium: - mqtt: - monitoring: - frigate: children: cloudflared_containers: hosts: diff --git a/playbooks/containers/homepage.yaml b/playbooks/containers/homepage.yaml new file mode 100644 index 0000000..05ed660 --- /dev/null +++ b/playbooks/containers/homepage.yaml @@ -0,0 +1,33 @@ +- name: Create application container + hosts: pve_nodes + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Create application container + ansible.builtin.include_role: + name: ../../roles/app-container + vars: + container_inventory_name: homepage + tags: [ container ] + +- name: Setup Monitoring container + hosts: homepage + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Run common set up + ansible.builtin.import_tasks: + file: _common.yaml + tags: [ common ] + + - name: Install Docker + ansible.builtin.import_role: + name: ../../roles/docker + tags: [ docker ] + + - name: Install homepage + ansible.builtin.import_role: + name: ../../roles/app-homepage + tags: [ homepage ] diff --git a/playbooks/containers/pomerium.yaml b/playbooks/containers/pomerium.yaml index 272c723..055654e 100644 --- a/playbooks/containers/pomerium.yaml +++ b/playbooks/containers/pomerium.yaml @@ -12,7 +12,7 @@ tags: [ container ] - name: Setup Pomerium containers - hosts: app_pomerium + hosts: pomerium become: true become_method: ansible.builtin.sudo any_errors_fatal: true @@ -22,20 +22,6 @@ file: _common.yaml tags: [ common ] - - name: Create pomerium group with fixed GID - ansible.builtin.group: - name: pomerium - gid: 7000 - tags: [ pomerium ] - - - name: Create pomerium user with fixed UID - ansible.builtin.user: - name: pomerium - group: pomerium - uid: 7000 - create_home: true - tags: [ pomerium ] - - name: Install pomerium ansible.builtin.import_role: name: ../../roles/app-pomerium 
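Review bot: The second play in the new `playbooks/containers/homepage.yaml` is named `Setup Monitoring container`, evidently copied from the monitoring playbook; `- name: Setup Homepage container` keeps `--list-tasks` output and run logs honest. In `pomerium.yaml` the fixed-UID user and group creation is removed from the play; the diffstat shows `roles/app-pomerium/tasks/user.yaml` taking it over, but that file is outside this chunk, so the move cannot be confirmed here. The `hosts.yaml` hunk only reorders entries.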
diff --git a/playbooks/proxmox/cluster.yaml b/playbooks/proxmox/cluster.yaml index fd6d6a8..c76e90f 100644 --- a/playbooks/proxmox/cluster.yaml +++ b/playbooks/proxmox/cluster.yaml @@ -14,20 +14,20 @@ - name: Configure cluster-level options ansible.builtin.import_role: - name: ../roles/pve_cluster_options + name: ../../roles/pve_cluster_options tags: cluster_options - name: Configure cluster-level firewall ansible.builtin.import_role: - name: ../roles/pve_cluster_firewall + name: ../../roles/pve_cluster_firewall tags: firewall - name: Configure HA ansible.builtin.import_role: - name: ../roles/pve_cluster_ha + name: ../../roles/pve_cluster_ha tags: ha - name: Install and configure getssl ansible.builtin.import_role: - name: ../roles/pve_cluster_getssl + name: ../../roles/pve_cluster_getssl tags: getssl \ No newline at end of file diff --git a/roles/app-container/tasks/container-disks.yaml b/roles/app-container/tasks/container-disks.yaml new file mode 100644 index 0000000..38c4f1e --- /dev/null +++ b/roles/app-container/tasks/container-disks.yaml @@ -0,0 +1,14 @@ +- name: Get container config + changed_when: false + register: app_container_config + ansible.builtin.command: + cmd: "pct config {{ app_container_info.vmid }}" + +- name: Add disks + loop: "{{ container_vars.app_container_mounts | selectattr('type', 'equalto', 'disk') }}" + loop_control: + loop_var: disk + when: not 'mp' + disk.index | string + ':' in app_container_config.stdout + changed_when: true + ansible.builtin.command: + cmd: "pct set {{ app_container_info.vmid }} --mp{{ disk.index }} \"{{ disk.storage_name }}:{{ disk.size_gb }},mp={{ disk.target_path }}\"" diff --git a/roles/app-container/tasks/container.yaml b/roles/app-container/tasks/container.yaml index 7a1d1dd..7675bc5 100644 --- a/roles/app-container/tasks/container.yaml +++ b/roles/app-container/tasks/container.yaml 
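Review bot: `Add disks` in the new `container-disks.yaml` is idempotent only for creation: once `mp<index>:` appears in `pct config`, later changes to `size_gb` or `target_path` are silently ignored, which deserves a comment such as `# Creation only: existing mount points are never resized or re-pathed`. The `when` expression leans on Jinja precedence (`not` binding looser than `in`, the filter binding tighter than `+`); `when: ('mp' ~ disk.index ~ ':') not in app_container_config.stdout` states the same test explicitly. The `cluster.yaml` role-path fixes are mechanical.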
@@ -32,7 +32,7 @@ when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node register: app_container_before_pct ansible.builtin.slurp: - src: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" + src: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" - name: Update existing container values when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node diff --git a/roles/app-container/tasks/main.yaml b/roles/app-container/tasks/main.yaml index 3ebfebe..194617a 100644 --- a/roles/app-container/tasks/main.yaml +++ b/roles/app-container/tasks/main.yaml @@ -9,6 +9,13 @@ vars: container_vars: "{{ hostvars[container_inventory_name] }}" +- name: Add disks + when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node + ansible.builtin.include_tasks: + file: container-disks.yaml + vars: + container_vars: "{{ hostvars[container_inventory_name] }}" + - name: Configure SSL certificates passthrough when: hostvars[container_inventory_name].app_container_getssl_certificates is defined ansible.builtin.include_tasks: diff --git a/roles/app-container/tasks/zfs.yaml b/roles/app-container/tasks/zfs.yaml new file mode 100644 index 0000000..6bc5c47 --- /dev/null +++ b/roles/app-container/tasks/zfs.yaml @@ -0,0 +1,7 @@ +- name: Create dataset + loop: "{{ container_vars.app_container_mounts | selectattr('type', 'equalto', 'zfs') }}" + loop_control: + loop_var: mount + community.general.zfs: + name: "{{ mount.zfs_pool_name }}/subvol-{{ app_container_info.vmid }}-disk-{{ mount.disk_index }}" + state: present \ No newline at end of file diff --git a/roles/app-container/templates/pct-set.j2 b/roles/app-container/templates/pct-set.j2 index 008fa6a..45ef21c 100644 --- a/roles/app-container/templates/pct-set.j2 +++ b/roles/app-container/templates/pct-set.j2 
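Review bot: The new `zfs.yaml` reads `mount.zfs_pool_name` and `mount.disk_index`, while `container-disks.yaml` in the same patch reads `disk.storage_name` and `disk.index`, so `app_container_mounts` entries need different key names depending on `type`; frigate's `container.yaml` uses the latter pair, and a `zfs` entry written the same way would fail with an undefined attribute. Aligning both task files on one pair of keys (`storage_name`/`index`), or documenting both shapes in the role defaults, avoids that. Nothing in the visible part of `main.yaml` includes `zfs.yaml`; if it is meant to run it needs an include like the new `Add disks` task, and the file lacks a trailing newline.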
@@ -6,8 +6,6 @@ pct set {{ app_container_id }} {%- for mount in (app_container_mounts | default([])) %} {%- if mount.type == "bind" %} --mp{{ loop.index - 1 }} "{{ mount.hostpath }},mp={{ mount.target_path }}" - {%- else %} - --mp{{ loop.index - 1 }} "{{ mount.zfs_pool }}:{{ zfs_dataset_name }},size={{ mount.size }},replicate={{ '1' if (mount.replicate | default(true)) else '0' }},,mp={{ mount.target_path }}" {%- endif %} {%- endfor %} {%- if app_container_getssl_certificates is defined %} diff --git a/roles/app-coredns/tasks/configure.yaml b/roles/app-coredns/tasks/configure.yaml deleted file mode 100644 index b0bad46..0000000 --- a/roles/app-coredns/tasks/configure.yaml +++ /dev/null @@ -1,16 +0,0 @@ -- name: Create etc directory - ansible.builtin.file: - path: /etc/coredns - owner: coredns - group: coredns - mode: "0770" - state: directory - -- name: Create config file - register: app_coredns_corefile - ansible.builtin.copy: - dest: /etc/coredns/Corefile - owner: coredns - group: coredns - mode: "0660" - content: "{{ lookup('template', 'corefile.j2') }}" \ No newline at end of file diff --git a/roles/app-coredns/tasks/install.yaml b/roles/app-coredns/tasks/install.yaml deleted file mode 100644 index f516d03..0000000 --- a/roles/app-coredns/tasks/install.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -- name: Check if version installed - failed_when: false - register: app_coredns_current_version - ansible.builtin.slurp: - path: /etc/coredns-version - -- name: Download coredns - when: (not app_coredns_current_version is succeeded) or (not 'content' in app_coredns_current_version) or (app_coredns_current_version.content | b64decode) != app_coredns_version - ansible.builtin.get_url: - dest: /tmp/coredns.tar.gz - url: "https://github.com/coredns/coredns/releases/download/v{{ app_coredns_version }}/coredns_{{ app_coredns_version }}_linux_amd64.tgz" - checksum: "sha256:https://github.com/coredns/coredns/releases/download/v{{ app_coredns_version }}/coredns_{{ app_coredns_version }}_linux_amd64.tgz.sha256" - -- name: Extract coredns - when: (not app_coredns_current_version is succeeded) or (not 'content' in app_coredns_current_version) or (app_coredns_current_version.content | b64decode) != app_coredns_version - ansible.builtin.unarchive: - src: /tmp/coredns.tar.gz - dest: /usr/bin - remote_src: true - -- name: Create marker file - ansible.builtin.copy: - dest: /etc/coredns-version - content: "{{ app_coredns_version }}" - force: true \ No newline at end of file diff --git a/roles/app-coredns/tasks/main.yaml b/roles/app-coredns/tasks/main.yaml deleted file mode 100644 index d9a5866..0000000 --- a/roles/app-coredns/tasks/main.yaml +++ /dev/null @@ -1,21 +0,0 @@ -- name: Create coredns group - ansible.builtin.user: - name: coredns - -- name: Create coredns user - ansible.builtin.user: - name: coredns - group: coredns - create_home: false - -- name: Install coredns - ansible.builtin.include_tasks: - file: install.yaml - -- name: Configure coredns - ansible.builtin.include_tasks: - file: configure.yaml - -- name: Configure systemd - ansible.builtin.include_tasks: - file: systemd.yaml \ No newline at end of file diff --git a/roles/app-coredns/tasks/systemd.yaml b/roles/app-coredns/tasks/systemd.yaml deleted file mode 100644 index 5ca3b08..0000000 
--- a/roles/app-coredns/tasks/systemd.yaml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Create systemd unit file - ansible.builtin.copy: - dest: /etc/systemd/system/coredns.service - owner: root - group: root - mode: "0644" - content: "{{ lookup('template', 'systemd-unit.j2') }}" - -- name: (Re)start service - ansible.builtin.systemd_service: - name: coredns - enabled: true - daemon_reload: true - state: "{{ 'restarted' if app_coredns_corefile.changed else 'started' }}" diff --git a/roles/app-coredns/templates/corefile.j2 b/roles/app-coredns/templates/corefile.j2 deleted file mode 100644 index 08f1000..0000000 --- a/roles/app-coredns/templates/corefile.j2 +++ /dev/null @@ -1,20 +0,0 @@ -. { - log - errors - hosts { - {% for host in app_coredns_records %} - {{ host.ip }} {{ host.name }} - {% endfor %} - fallthrough - } - forward . {% for forwarder in app_coredns_forwarders %}tls://{{ forwarder }} {% endfor %} { - tls_servername {{ app_coredns_forwarders_tls_servername }} - max_concurrent 1000 - } - cache 30 - # TODO: Use vxlan ip - prometheus localhost:9153 - loop - reload - loadbalance -} \ No newline at end of file diff --git a/roles/app-coredns/templates/systemd-unit.j2 b/roles/app-coredns/templates/systemd-unit.j2 deleted file mode 100644 index b9305c9..0000000 --- a/roles/app-coredns/templates/systemd-unit.j2 +++ /dev/null @@ -1,17 +0,0 @@ -[Unit] -Description=CoreDNS Server -Documentation=https://coredns.io/manual/ -After=network-online.target -Wants=network-online.target - -[Service] -User=coredns -Group=coredns -AmbientCapabilities=CAP_NET_BIND_SERVICE -Restart=always -WorkingDirectory=/etc/coredns -ExecStart=/usr/bin/coredns -ExecReload=/usr/bin/kill -USR1 $MAINPID - -[Install] -WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/app-frigate/tasks/docker.yaml b/roles/app-frigate/tasks/docker.yaml new file mode 100644 index 0000000..b552487 --- /dev/null +++ b/roles/app-frigate/tasks/docker.yaml 
@@ -0,0 +1,10 @@
+- name: Create compose file
+ ansible.builtin.copy:
+ dest: /etc/frigate/docker-compose.yaml
+ force: true
+ content: "{{ lookup('template', 'docker-compose.j2') }}"
+
+- name: Start docker stack
+ community.docker.docker_compose_v2:
+ project_src: /etc/frigate
+ state: "{{ 'restarted' if app_frigate_config.changed or app_homepage_icons.changed else 'present' }}"
diff --git a/roles/app-frigate/tasks/main.yaml b/roles/app-frigate/tasks/main.yaml
index bf6de71..1c82e4f 100644
--- a/roles/app-frigate/tasks/main.yaml
+++ b/roles/app-frigate/tasks/main.yaml
@@ -1,2 +1,20 @@
-# Create compose file
-# Start the compose stack
\ No newline at end of file
+- name: Create config directory
+ ansible.builtin.file:
+ path: /etc/frigate
+ owner: root
+ group: root
+ mode: "0750"
+ state: directory
+
+- name: Create config file
+ register: app_frigate_config
+ ansible.builtin.copy:
+ dest: /etc/frigate/config.yml
+ content: "{{ lookup('template', 'config.j2') }}"
+ owner: root
+ group: root
+ mode: "0640"
+
+- name: Create docker stack
+ ansible.builtin.include_tasks:
+ file: docker.yaml
diff --git a/roles/app-frigate/templates/config.j2 b/roles/app-frigate/templates/config.j2
new file mode 100644
index 0000000..33e602b
--- /dev/null
+++ b/roles/app-frigate/templates/config.j2
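Review bot: `state: "{{ 'restarted' if app_frigate_config.changed or app_homepage_icons.changed else 'present' }}"` in the new `docker.yaml` references `app_homepage_icons`, a fact registered by the homepage role and never set in this role, so the task will fail with an undefined-variable error on every run; it should read `state: "{{ 'restarted' if app_frigate_config.changed else 'present' }}"`. The compose file is written without `owner`/`mode`, unlike `config.yml` in the `main.yaml` hunk, which gets `0640`; since the compose file carries an environment password, the same `mode: "0640"` would be consistent.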
@@ -0,0 +1,46 @@ +mqtt: + enabled: False + +record: + enabled: True + retain: + days: 1 + events: + retain: + default: 1 + mode: motion + +detect: + enabled: false + +go2rtc: + streams: +{% for camera in app_frigate_cameras %} +{% if camera.type == "reolink" %} + {{ camera.name }}_main: + #- "rtsp://{{ camera.username }}:{{ camera.password }}@{{ camera.ip }}/h265Preview_01_main" + - "ffmpeg:http://{{ camera.ip }}/flv?port=1935&app=bcs&stream=channel0_main.bcs&user={{ camera.username }}&password={{ camera.password }}#video=copy#audio=copy" + {{ camera.name }}_sub: + #- "rtsp://{{ camera.username }}:{{ camera.password }}@{{ camera.ip }}/h264Preview_01_sub" + - "ffmpeg:http://{{ camera.ip }}/flv?port=1935&app=bcs&stream=channel0_ext.bcs&user={{ camera.username }}&password={{ camera.password }}" +{% else %} +TBA: Doorbell +{% endif %} +{% endfor %} + +cameras: +{% for camera in app_frigate_cameras %} + {{ camera.name }}: + ffmpeg: + inputs: + - path: rtsp://127.0.0.1:8554/{{ camera.name }}_main?video=copy&audio=aac + input_args: preset-rtsp-restream + roles: + - record + - path: rtsp://127.0.0.1:8554/{{ camera.name }}_sub?video=copy + input_args: preset-rtsp-restream + roles: + - detect + live: + stream_name: {{ camera.name }}_sub +{% endfor %} \ No newline at end of file diff --git a/roles/app-frigate/templates/docker-compose.j2 b/roles/app-frigate/templates/docker-compose.j2 new file mode 100644 index 0000000..ee6fe37 --- /dev/null +++ b/roles/app-frigate/templates/docker-compose.j2 
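Review bot: Camera credentials are interpolated raw into the go2rtc source URLs (`user={{ camera.username }}&password={{ camera.password }}`), so a password containing `&`, `%`, `"` or `#` breaks the URL or the surrounding YAML string, and a `#` would be read by go2rtc as the start of its `#video=copy` options; apply `| urlencode` to both values. The `{% else %}` branch emits `TBA: Doorbell` as a top-level key in the Frigate config, which its validation will most likely reject, so a single non-reolink camera currently breaks the whole config; either render nothing for unsupported types or fail the play early with a clear message. Boolean style is mixed (`False`/`True` under `mqtt`/`record` versus `false` under `detect`); lowercase throughout is the portable YAML form.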
@@ -0,0 +1,23 @@ +version: "3.9" +services: + frigate: + image: ghcr.io/blakeblackshear/frigate:{{ app_frigate_image_tag }} + # privileged: true # this may not be necessary for all setups + container_name: frigate + shm_size: '{{ app_frigate_shm_size_gb }}gb' + # TODO: Devices + environment: + FRIGATE_RTSP_PASSWORD: "password" + ports: + - "5000:5000" + - "8554:8554" + - "8555:8555/tcp" + - "8555:8555/udp" + volumes: + - /etc/frigate:/config + - /nvr:/media/frigate + - type: tmpfs + target: /tmp/cache + tmpfs: + size: {{ app_frigate_cache_size_gb * 1000000000 }} + diff --git a/roles/app-gatus/tasks/main.yaml b/roles/app-gatus/tasks/main.yaml index a6eedec..8d4aae1 100644 --- a/roles/app-gatus/tasks/main.yaml +++ b/roles/app-gatus/tasks/main.yaml @@ -3,6 +3,11 @@ path: /etc/gatus state: directory +- name: Create state directory + ansible.builtin.file: + path: /var/lib/gatus + state: directory + - name: Create config file register: app_gatus_config ansible.builtin.copy: @@ -16,7 +21,7 @@ force: true content: "{{ lookup('template', 'docker-compose.j2') }}" -- name: Tear down existing services +- name: Start docker stack community.docker.docker_compose_v2: project_src: /etc/gatus state: "{{ 'restarted' if app_gatus_config.changed else 'present' }}" diff --git a/roles/app-gatus/templates/config.j2 b/roles/app-gatus/templates/config.j2 index ef409a2..090aff4 100644 --- a/roles/app-gatus/templates/config.j2 +++ b/roles/app-gatus/templates/config.j2 
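Review bot: All published ports bind to every host interface, and the go2rtc restream (`8554`) and WebRTC (`8555`) ports serve the camera streams with no authentication of their own; the `config.j2` in this patch consumes the restream inside the container via `rtsp://127.0.0.1:8554`, so the `8554` publish is only needed for external RTSP clients and can be dropped if there are none, while whatever stays published should be covered by a frigate entry in the Proxmox firewall ipsets, which this patch does not add. `FRIGATE_RTSP_PASSWORD: "password"` is a hard-coded placeholder that `config.j2` never references; remove it or source it from the sops variables. `version: "3.9"` is ignored by Compose v2 and the trailing empty line can go. In the `app-gatus` hunks below, `/var/lib/gatus` is created with default ownership and mode; since the `storage` block that would use it is still commented out, that is harmless for now.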
@@ -1,3 +1,61 @@
 metrics: true
+# storage:
+# path: /var/lib/gatus/gatus.db
+# type: sqlite
+
 endpoints:
-{{ app_gatus_monitored_endpoints | to_yaml }}
+{% for host in groups['all'] %}
+{% for endpoint in hostvars[host].app_gatus_monitored_endpoints | default([]) %}
+- name: {{ endpoint.name }}
+{% if endpoint.group | default('') != '' %}
+ group: {{ endpoint.group }}
+{% endif %}
+ interval: {{ endpoint.interval | default('30s') }}
+ client:
+ dns-resolver: tcp://{{ hostvars['pihole'].ansible_host }}:53
+{% if endpoint.type == "ping" %}
+ url: "icmp://{{ endpoint.host | default(hostvars[host].ansible_host) }}"
+ conditions:
+ - "[CONNECTED] == true"
+{% elif endpoint.type == "http" %}
+ url: "http://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port | default(80) }}{{ endpoint.path | default('') }}"
+ conditions:
+ - "[STATUS] == 200"
+{% elif endpoint.type == "https" %}
+ url: "https://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port | default(443) }}{{ endpoint.path | default('') }}"
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 72h"
+{% elif endpoint.type == "https-pomerium-proxy"%}
+ url: "https://{{ endpoint.host }}{{ endpoint.path | default('') }}"
+ conditions:
+ - "[STATUS] == 200"
+ - "[CERTIFICATE_EXPIRATION] > 72h"
+{% elif endpoint.type == "tcp" %}
+ url: "tcp://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port }}"
+ conditions:
+ - "[CONNECTED] == true"
+{% elif endpoint.type == "wss" %}
+ url: "wss://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port }}"
+ body: "status"
+ conditions:
+ - "[CONNECTED] == true"
+ - "[BODY].result >= 0"
+{% elif endpoint.type == "ws" %}
+ url: "ws://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port }}"
+ body: "status"
+ conditions:
+ - "[CONNECTED] == true"
+ - "[BODY].result >= 0"
+{% elif endpoint.type == "dns" %}
+ url: {{ endpoint.host | default(hostvars[host].ansible_host) }}
+ dns:
+ query-name: "{{ endpoint.dns_query_name }}"
+ query-type: "{{ endpoint.dns_query_type }}"
+ conditions:
+ - "[BODY] == {{ endpoint.dns_query_answer }}"
+ - "[DNS_RCODE] == NOERROR"
+{% endif %}
+
+{% endfor %}
+{% endfor %}
diff --git a/roles/app-gatus/templates/docker-compose.j2 b/roles/app-gatus/templates/docker-compose.j2
index e767ff2..d26bbf4 100644
--- a/roles/app-gatus/templates/docker-compose.j2
+++ b/roles/app-gatus/templates/docker-compose.j2
@@ -8,5 +8,6 @@ services:
 - "8080:8080"
 volumes:
 - /etc/gatus/config.yaml:/config/config.yaml
+ - /var/lib/gatus:/var/lib/gatus
 # TODO: Mount directory with metrics state
\ No newline at end of file
diff --git a/roles/app-homepage/defaults/main.yaml b/roles/app-homepage/defaults/main.yaml
new file mode 100644
index 0000000..1a79368
--- /dev/null
+++ b/roles/app-homepage/defaults/main.yaml
@@ -0,0 +1,2 @@
+app_homepage_uid: 7000
+app_homepage_gid: 7000
\ No newline at end of file
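Review bot: In the `dns` branch, `url: {{ endpoint.host | default(hostvars[host].ansible_host) }}` is the only templated scalar left unquoted; every other branch wraps the URL in double quotes, and an unquoted value that renders to something YAML re-types (or to nothing at all) breaks the whole rendered config, so make it `url: "{{ endpoint.host | default(hostvars[host].ansible_host) }}"`. The `https-pomerium-proxy` type asserts `[STATUS] == 200` on a route fronted by the proxy; if that route requires authentication, an unauthenticated gatus probe would normally be redirected to the identity provider rather than answered with 200, so either those routes are intentionally public or the condition is not checking what it appears to — worth confirming per endpoint and recording in a comment above that branch. Every endpoint also pins `client.dns-resolver` to `hostvars['pihole'].ansible_host`, which makes pihole a single point of failure for all checks, including ones that target plain IPs; that may be intended, but a one-line comment saying so would save the next reader a surprise.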
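Review bot: The new `/var/lib/gatus:/var/lib/gatus` bind mount has no consumer yet: the `storage:` stanza that would point gatus at `/var/lib/gatus/gatus.db` is left commented out in `config.j2` in this same commit, so results still live in memory and the `# TODO: Mount directory with metrics state` comment on the next line stays accurate. Either enable the `storage:` block together with this mount or hold the mount until it is, and drop the TODO when you do. When it is enabled, note that the `Create state directory` task creates `/var/lib/gatus` with whatever default `mode`/`owner` the host applies, so both the sqlite file's readability and the container user's ability to write it depend on that default; setting `mode: "0750"` and an explicit `owner` on that task would pin it.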
diff --git a/roles/app-homepage/files/dynadot.png b/roles/app-homepage/files/dynadot.png new file mode 100644 index 0000000000000000000000000000000000000000..58839b1db7cc45fbbbb14cfe1950955d200ccb5d GIT binary patch literal 8429 zcmVplgGod|RCr$PT?u>? zMb@vX?w-j^?u3LSNC>%u$R&shD2Rx{A`%f05EPKZU9V4BZ&`I!SY20Fko!)M0CI|` zh{z$LfE=sp2Wp9i6NOuCSm?RnoL)BS69{h*L$zdCN8+(f(tIV z;DQS-xZr{dE;JU;?agO3KV7))@W#nsg+FRr4z2m=LVL!TO&K(HZ5l`3ImO}m!XGX~ z4f`zHUA^c+`^JNxWvfE3#n6O|84qmDPM>?A$Pdq_>^|?(0__nUmz<-zg~`7PKW>`#=<2l3 zFNn(bl#;uxP~WMRs)D~{krnl!HV791>cYRyvMr;#C}$pv7XSKbhTGjq*#|!@Fzz!* z@<@&m5em%$Bp|_Bs+M1{TiezCE&^PI2Y2K!pQR}RdA7TZ=Y!X$KeM_@Jae+#JcuU> z;R%tz7VwfnRFiOrzncmF_VL!>pEd~>0ctVy3;NmUFu812taVsoM&Iu1(l4Z%q<=9= zq6Db*pyN@^bMT+cQNkHSrO2J}f5S)5RZ0^6ZHu_>2{0frgOO*BGO}-kGVefP$V~|u zD^3`!2MSG6phO7@77aX9e)1bV4}s#!`){bm-&vIwHLNY-x+cJ&jakC?lOkpE;jMD~ zXIX#Vo@Xd1G>X#&M)ev-K>n(#|6LiODhSb1<(qGFRZ>KIB0t(Du1f;U`20La{&9vo zG$Gvj^v>Lv+c#$ZwCA#UVS!O3D0sL<0U`gU-CqkVFatONah_VQp+iDd0u1e-!#`~j z*Bt>umZ$P7{uC;azxI&EZO?sveNpwdsg>4#UK~|;Miub>Q1A`8^@;*lD-~r8rBo)5 z9iWRxg`!eulelgOFg7WRhAcbB7d{>%zIUiNDrRNs`X5S7?=eO~1WH7>g@P0t61)ny zN6|nV@KBL)3!eKA2)d>+#2!O9oTl8b3j*A+A(P)SK3plB87JPdHa&iQc4bvAuNxVvz#%&e3EDLQ4xK5X&cfw68)4s2;$Ob&W zY{Z5}>!Q^Y;0WCFX(spe!x3ud%>7%l-#c4reZIsj5jRGy5Y(K38wqL*cgZSm7Uy&u zM;0aXvEfA|gFJ5o#!7Z|x64~47OG=D$serJs5k#iN+9z3NRa;8O3@?D+IU3o03 z)jN>dod)Q&Hl0V|D;JFZvCC3EI8U`FO5XUHOPdm9y?IsIfTRM$ z_rH`|m<)~{*f@4Aj$T86c(BDl#surU@cb5EEqU&%JW3{iM>mfNlP^q<5#zVz^z59F zxo!U?)2n%A(F>ZHBI*knoW~Ac!r$>ZFAe*h*=Q}ac>)Yg%I4m@r;|eF^^wSul!3*v ze7IavsK6-NS9|u+V*d|s0WZ*B!!5*sDyz)?IlQw%5(XuNo74aueic3;o=d$CXPe}KP~Fv8S`g$2;j0B@07D+G(guR|Ny#vZYfO@I zBfL-qXA{->)xuY-io*G6IMUHwqk8_8k~+}jRB%XPITFz;Q@OP1F=|2T7N0xlEzm*m z(+Z{U@QIl?F+j^xvsF^cWSMlNOzjsy$=79W6pO6T9v;F=2PQ_&C%Sc%R8K*YI2GC! 
z0p2~$$V)wCLcf}Ij=g8=hSG4f(B`K|8?pH0d$e2`}piH@f- zcx6uK!$5(`BBTrcezz^od*qQyi&SitIe`(y7gWa|IRUD#f$9Td>c=#uQ6qvKss)^$ z0N#ti;hPgDy}7U8sZa9_ALW}Q*#q2dsQFGO{92&Ict)=TYnWA*6%8a5TPL>-lwUrdj>eAk+E`t74p4k3b56Tl0+{R;5*Cm+7dA4xAQE3ruKdZ_u%EPMnM zDzpI9CL=+UUz^xk|DhqMlM~<`9~pRLRf1Cf9CtBxNeWAu9qW*;W2Y@h52*PleEgks z`r_VFYugY$0_BX&LJcS?NG$R|J%9`fp4WGPGlTcwv~#o}mRf%i?TMoR?{z-hnwZI| zK<(pix25O4_0h1w;60jeAF#ot`dbLCN`T($(s}Yy4|(io*)Kyo{|$k&O}ePL>_Q8m z)dC7Yg{5+(XQ^%H-j)clmm*3pTkz(s%-M5_?s{X@lc>)5WU-S2k0{}H32bi`%Z z5YXx->3Tz}6!@-ugW9XtWkt$8X$EUQ4O9F0T|IrRfEFjfTi+IN2Of?PzdUt0&RfHM zWr2DRiEyd?Rziyt;I;i1RMo#Ax%|mevqZFvVjIv!fL20_65!_b>6ElmHo3qAKiPDlD&>C7ILM7H~MU_M=cB zlenr!#11C2tcWQOnsL-V4;kYGTVC1}2^?DZSL4Q2sq8<~V&uN7(xVC` zDMh3Xo#%iV!#)KW1ycnQ*HcP-;Eg7pl9FoajKLz6@s#p#-5vs?A|Y0HE!R!UNC2E; zoK4CeJg7htsgF!7#Hw^oej@H-x1}j8d6r{l1hp6ed{?G&SEk2Ev1?M7U$QDQ1P3kO z0$^>Ipr-RO2we*#i1QH2&Q@Aqy-~xN`-SKx3<7L2x!WZH$U7%F@^Wt} zU|Gsy3sGk4Y@WZp`}?gHSrOcLrgYcy>*Is;|C}>8_)N_;LOwjp-QlYxu>o$Ry9X~n zb%*_?TWc4m@a8$OBKssI(N7=~+Y$jB?gVyA$Y3b^o02j^wLG1TD`z3tp2A0!FM~c8 zg0v&rJvlfyCV6^H7J2&=H+N4Sckahj+zY+z7;eH?d`8UUOgvn3AgN=AkB&s6Cbe6D0ZRo za2NsZ-<(Csb3LRb-xhlJ@)BNCC1ZyXKS;1_1aIGq=St^A`Ao*J@d5g4s`W2?ozG3! 
zlFi?rn88ikk;^YQROHZ#;LLDX#*dU)R8zmGz!;Ei6#by-XWLt?c|Zq}36zRiCDwj} zd-w+!!q2@SF6T7z)!QlomY2h#9G=c{|_R>CE+AQ$8R9db;}A^nabxhX1C3GKeN5# zy2=%g$4Y6BMT_&lD|+zJtvOGO+mJc^FQ1=(D(U2<{`{@6$+=^z za;vtSt+XymGfOKDT`_<3f2T^n?zTGZ*ti|JFYKKVE`K>TT)q!XL`@9s8V)1CxoTU* z{ISYvHKN{D&zc3b1(|P>HXnUBGMRpoEFAp6&0^5lH7M!v2lK<)u}5!`mQKu515FN|MRub_6Ua%;F0a; zIrHo|aqbrdcSh*>F%mTYAh@}O$#5sAF`eAg@MK7UTZ48#c1;?;dwhgQ79~$SRw=H% zU>1oNM39n`F)7Cj9`EXPOZcP7oZsiYCcAdXz_k&%f0UI;hwK;G| z<~}b`Kc+>N7a9C3MHy%PG^_asj)Q`OJYGDt^pve{VOX)jS}y_muTAGu9*q`9Bxb}1 zYFHwMVHY$!fJ^RGyHT5-n!o6qaB!W68%(7Z+4n$+>7RJv`%AXGv{yKU09TAQ&0JO` zT1_DOKiU=JkAO84zs?$}=a0SoK!hr@djsqKP}9w;)98;=qtINClhxug_-@D~4n8$D zuWmXjQ z{(}*9f2ir43D=aWA9NmWlF1;D9D1YI`A z>XSeqKyMF0{Z3COhBLbAhD=p|1GEO6504<4;(Mr1mWwhsen-wg{N2x2<03$70T&CR z1_;qIRkZ{)Ad8!8zTs187PTIbyLugk1^}^Ba5%+I0_U!n<>?saCAW>Tx>h)Srcl&a zrLB-sFE^WT-L>^=^a7mv36L0(P4Hk-sx7_`oI#3v1E*Dql^B*&t-2NM4sC|js0FMx z?T#OAQvcS4|JL~CPxZq0m}=f-ZZNW%iw&g9S>f~qz#>IYUVtCaq)@{|bNz}v04I9` zsI16Zc&;fTL9GFAQ0EIq>v(qz>#D8al`vav>7tUlcXaciCK^T`)_kg>=JhAQ9L=%87;>+NjUV830h6&pG9nT04L4A!RE5@4lHHCM- zLM0$1z*OVwh}e7KAUK2o6qiXLaMryY(vFF|1UBGMrB(e_UxE7d-nx-xvQ0tbIrdKj zZ~-cD{cLFf_|8g6DNT4FY%!kiF2oM)-{Zw^3Rvc}80(IoFULjtXvbiG1!$}$_j+RD z(c6G@D`6U2G@fmZ07`A+A7ZaxRE-BjL2+?MPe08tJTI6QBfj}fL7g#2yV+{$jiRzn zLr6Y&^E}*mO(cNwmMTGggu4reYJ$kbaJ2>cJEYYNdvD6F3f55S3xY#erOCO*2h9+H zR?D=v1iGp5bo6lCxRgT((8tTRv)e#lLBaj;El~VTE)f7ol(}KG5|x=RtjbU$|EkES zUi)99O^=cLC1eQuXT?fz%@a{Z4b9z$b0~i*vDwS>+Rrkcw zt(lc-_z9ymu*@vs_W*2d)g}T6L@eM^_-nYrcl!97F|41Tw$69k0}dg;-~c!E@8}SB zz5}Q++~yM zP^0@zfx?LzhQbH33VI-Ie31Tqyw)cngD;#G^PBsBgESifZq)M&aMYlgSyjo3&g(aM zhIuqlU&j6WEdR#PPW8XPnQ#aJ{Ixi)@(!IlBxGB5wRliqln1S5bCsJ0G%BJVs`Jhw zlUgf_3{r!7F~C!!7FyZku`^J;eDOou{d3#^+4F^iiIyW?VHP@O7)p{a@1WwJL#2ovD zQHK!Vl_4R@&FddhJ(vK>F1o{8nxhsGP$V2mOG}j7-`#mWFk@P@CBA{7+Dp@-l{>a% ztJe=qj+}OXpl(X6r;t$zPC+@S17HG&he;t^B~*K!&;obH<{a(e6S?rd&Z`G)$mG6x z$o5IP`tWIiZKsp1`IRq%lmg&p)qlgVrT{gE1tRhQ4Fn`q-+gZ&E_8Do96|s@2REAs zJ1kh|Cjp~D12l`t@Gy?yixx&YuPd#diecZB+Z?d^aByr_`QBZ*luSLy-n*~!`c=0D 
z_A?Y3{d@Si4ZJhJZC`I6&7SxW{YIliLcw--&z=#zg!T#$Z%@eJ4o$Rue7ZiwZ_8nZ zIdS6Luk$;X$ntEQ^8h(+mbV6Z#I54_LW_K2$JnstWc26s%W>firlYxNumGEbZVBlu zd2*CI>5KEjzsNK0afd1f>_$7=oOc3`K!q!$toZTme$WV09^9JEeHPzvO+`GiBZpr< zI;_F|+@Pf?eDSQzqgcJL^Ue-zqfkR|TDVV#Wuw2q02KbbeFcA*4;22) zFY+k)_&+RQWh%R4Qx@NELk2%^Qx+#IOlF}g(`aLbfBVKP9)(Zd|0U#Xg=I3DI1qlb z%Mv0`o4Zk7g8HGUEHk<(j)lWCfQraXlw^!ke3qvykYwero;PxCQl*Foo58JfUTRZnSeMrXm6Phm6+~(U`OsO6n^*h z8Je2Q4#U_TxjYL0=d7xr6(y$QWs(wzOWo}ueC)9_NeX9>$&o{M1eao1Paj)L#*uKW z2B-n}N1CwJX{pdA$F*C?=w=fS60WFiZiQT~lIc*x?3gp;?bCdhV0S5Zn*Bex2u(r_ zv@R^IfO*SoDv7m}w&+2+Qax zzn7u#U)x*Q>6PTNllB%q0NY3cWz_n7wD;#2Fe>EQmb*0-4krMIpFacm>-fDv0*A9R z?J+!13kEFG|zX4+{DzZhbnpU|1)I+WuPDQ5JRM#&1r*vnA!B!bwRj&CAiB5qaGGkNnw2Vu72-a9yTA5dJL9{qRj<5tf^`e^V#(E_ z+*`|$SZ{%J^wyBhTBbZVFj#r}yF!|7l<1Xm3;D6qN}_x;^iW0xAusn*YhdSvr-eWt z{gMk7d72Tdy@pZHWA?2$XcqO9vTzM|)BZ;y&vpmr@2rEJzgjq)0Ejue&vT1MhDtMb z<_`brqUlR@p8)&McfdHYmBHgwupl=snHr@xQ)k5{)m;A_dL(2BXK>u04m`dmZ|vI4 ziq64${>@8P*#o?D9G1tSM!O0h3PCi<3hzb8=JPY-#*vTD^5n_xjcShC11&-T1T+Qt zvd3e^KW)uEa=65No1PI7g;jIep1_emYLpemL-wj=<-{#M+M?4&ac(#v<}o398r4z9 zkMHG|1x|#hTr&E9oL=SspCW^}<+4c{+u8je2QHh#swDZADht$jlzNSZQEi!hfh&^K zO_O?f@ICfVi2UW&gmiXva#V}deng8AfP8osH)>MI`t%N72Jx7Vr(qDP7OZ;R&cJ3B z5Dc50JT55%LXZf75gmAqZdyjl&C=(;6q|MpxIsVHL`b9tgk5NnNEzI#gNLBSB565_ zEe$kP4k;&yRK)oT(eC_)A0|dlB6ELaltM=Ge=b04?i6`3(cq} z|6t;YqtR*vm^mm|nXxOEqk;O0A8+*=5TN0HG03Vv(C$b8g^c?f$halRppLrbLSH&&E{yhuerO2TR%5OPl7{$tH3O9xn1}KSo6)YqG)-> z4-C*P-7+flDKcyiHO=YP>cU4jh1nglF_YUrAwp704VoUi3y&3;q#n2`3K)Q`gH|PJ za{yV8pryxYIYtHrY8NN|sml`>{`&qx`sR=jry#gf6fO#XXi^qW{oF0Dg?kQ;)bm>^ zB*h9%gR7e7Z40QyuoqF0Ne*Kyu2%T-4-`3#@DWa-0csJyC5vqx8*UT$qU7No9Q_g( z`|26RC7;-7-MT+DCW4+>?y#-NC6$o6{BO{hP9A zzF87}ek95=Dly}pB1*nGS7jycpbMb=jD_p8CIN+SwRJF&E_!~`W1Zap`qbdy+}jc} zgdZl=J?hxnaM~IbwkD0wc{EzweCBe*b3c_lZ7+c}ZKNB1o>~_4wB8TAKAGl#O zBp&@1=|!2*F1T|vSOy&O#c5{hXkX1^jsj|Te4nc3tsr;?uMBe+ zjt%q`Uit98(7kw5_jT#q*(r_K#M%kq^aQ9yx3%dkd8%!qgrX>X_k_%u?v%WgXA*C~ zlE%-0^586jpP-rt6i^MClSeh0nh0_p` z^Vs}*J3Do)zZz|Z0EowT<6Gw=o2 
zPZR&!%v!&%*z1v@K^0H!$(x>BW*M>nip3yVB+1*2_Ye2rN8$c|I5P+*0su*HR}at{ zjGVb*UJG$?-dau`8>06FCM;OFBlm>zVo!l~^;CC_4q2Wmn5ZJh=s4xxAiXlrftxq9 z1llwKuEujP|?s_qa^2>M8a8RqSNq7M;#~h@)fSc_YG8c z1gi_3mZtDwpyt1y6xn9%dt=aU2yitfY|fz@3#!P78{AomNu} literal 0 HcmV?d00001 
diff --git a/roles/app-homepage/files/favicon.ico b/roles/app-homepage/files/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..341116921654b32d6f7f70309d1bb491c5b29e90 GIT binary patch literal 101869 zcmeHQ33wCL_Ma|L_9CdLMN_q9RRM9q2Q?K@UXj--QV@`~BC?9`Sc+00!KLhr1+jdH zm0gOZU~Lh#Bnaxq16f2`_7+t5V~eSlE_BKLpEENFX~;5Z?lhD3&d24>oqO+De!nv( zGn45J$N6xLIoy1>U{2eFo9_HTAiGmzXe;@|xSVJDU*sQJ~YpM%OK{UiE4 zGx+T@*UleYHoE`ai5I(l_91t_|ER?W(vpL?c|GoGK4XA3`9NHU9)))w2=2KcLjOQ^ zj~`oHYL*|l^ORqZe^AlU?>|Z#vVD8+u2Dmt|D^5FjBQK1_D+p_>QZ&okT*Jj9_ic8 z__Q+LBb)!a9GNsac5+lw&Y43U!y-?%jYt|DC{AFCRW)JLmp~h z&rth~OUpi0oQDQMcT#TboT{=7{d-iNII;Ia%BHi0n$NhnQQJFf6J}PIl_a9lE1Q1m zQQ1?QbLNHY+!dX;NJobwzpZbIV7SZrwU3Y|ZFo0fNMbwUuMY&^8*w(Qh(y zjK>mM25tmH_TL$vwENXLv)>U_8UFL=Il;vJcj)Knic`SAb=McE$7r4hHLn{U@3Y8P zyYT!|-+dpMu-8yJkncuRm5U%zk}xRL55iB~*>92+Pmfkb2>x zkkgs!l9)pqzxbn~3pmmxe%so+jA6#ok|PMg=CVOK;~M3b9UOfwuPR{$sAyT1z-=9V zsMr{3JTZ9W`DhiX*m3E1^@{-OuH7esUfK8NxYF1-m@+5gm*JIj44cor53|yY_i0aS z&Zh3T@XXk%f^Sn-^7Q|BVaW2G@18zZsM9ywVdyfJ_#x}p!nh2Q6@4-x>5GdMJN_}r z&h39w_O{XA&8*nd8AqQF(`FtvMqF4IGULf-b&vRL9aeczpt7s>cZ7GG4{kmCKM^L?*0N#yiofq4 zW{8bG8v2s�*VIdYcgwyOqTJ@2Sqnco~=TuS)eL-L$B<53=I_;ltq6PZP3wR>oGA z?CID&YtEcth;7}q>{VwmwD#Yrf79^yle4c5oba&W@0ne|_@MZiLB@XHZPt~kj0K9Jd{OxR?C37E5o6e6n zJlJ{O+4X=(yR*?h8|QTPx$k)}=aHe@#+2}&wbki8t7h~{YSSwa=ar27wNTw5G<*XW zH(_@yjCgG2VPo#y#)|e4O+UeDZ%xX5tTKIZo8*-k{xP6t!@#G}{(|_B&?)UfM(@f; z#+T+b4(%R*4GoN#np{13ba}x$A)!T6z?t~0k;e;llLo}C1!oIqH|k!|^tDp;;*06U zAFk4G$4vA0BjZX_R<=3S7$l5{0W18+kP(kpm8gIDA{43ZXqYud^Ve4Y9KKM(k_5L|X)mtFJP&kIHZ$XNuZc1CN1sdK1XqEmhH1cmSGICOBZ01GH-eq6q@H!^Wd^kh> z@h1NYR9MhF?)tr_3w06EB?Tb|cg*>^Z20O|UTBJ`s!M$5%P&Xk1|$`p=|3y|jfKZw zz)YNYVcln`bJsvNSY8@)sLe*+s+N1Y?t3rw&vuyZUom7p)MGd=;l*!n>k}DW-6!J9 zi7G?(>d@yq`v5ROquRZ@HZ?URG$Q_5+w9yg`x(%z9*y*=(I=x;hJ0Ik@WRAl8-}8U zWZ$^9seg7vv4cVEf3J!ow+ueH97kS-k(UPX&^FWlCpA@tGJAr|1Cu^RFgkNjq@~VH z24mr*J=A7*v@g)Og-h-mT^$TYr4)csM@EVV2SkT`3?s)TfUna&5~gn%9Gw>h0JK8@ 
zHj9e3MV~B70_{Jb_Fn~)xQNt0zePI-p`9nhgJs)N4IyCCAv9^1FrB+^L+ajjpeX%1 zn6$hrLh>?K)Fiqj4GG8u0>0ki59AH>(chN(=UNmx9EAQICm^B?`aE?q3N1jP>&1~x zQ~&%qJ9o;4-k41LZ{VbE$p?tfKhMtFl-;ZGyErG}xyXJy`o_K63HG&k04_W5vP9T? zxc#j-zK91{#SmZ!Fa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTUvFa#I^3;~7!Lx3Sb5dlI-D;Y~0il#DAlo0^lKj2~r zk+o2^nTex=0C1luEAJRrY*Qox!2Nv2y&|cR-6-IG0pnhFm=&o2xL?G$S0pvE8wK1i zX57mTvmzA$_e&V}iljz%qk#LRjC7ew?q!ErkqUtOm5h5uQX{)j!2L&zd)Z-Dqypf6HRE29)W~iWaQ`vmUUrxj zsQ|c7X51^18rh8k?$~b!0FQ9lL05lQ% z)yo_}86%syz)VQp?ywx-1n+vxz1efhKGvHYKp7V$o%d$$VTa`aOEkp&2Ex7BbISgD zbq=76g;LLZGxxB=azFz;?=6FXa@>1e4xsG6H=OsD^f%}n(7?Gj#{p#=ydnos_SxIc zdo%a2)8KLdF({q*MZ-ZBUpL=IrwTT*`OK4p9ql>;dIR$tD0%OI$? zIe>9*Nwed9%2;_k2T=B>KA!iM0a34V0OQ`0TIu_gaq~zHpzK3^KkqGr!|QVZN;LWc;?NKteSkjMdTPFCNYn=lq+u;(2Zs-Pohbn=_+Sgcp@1h(&rT~Zr!M%_J274v%qS12XfQG`oIUjg)0HEzMDO1FSJsEcyIr(@V5tUcv54GtHVmH`}J`0BOoSFv?B;tm6m#ec1zEP*W+#bpSQv zWDo@Y4zcFY?Y0bd)~QJP=R|m&+V83|`u?&UV2!D(oYdiX$N_`gKIgs2UrEqf`{QPt z|6Gxz*h7Qd^v^ne_?YsLD>T&dd{M@PhFx;W0DmK`Idr=%hp{ol$8E7FBZk}oKKnY9 zMVtQyCJ*p^$sxX;?2IA4VBZ~%On`p+-wQOb7;uEI$NN|gAa3V)C-JQC9MA~td%#f~ zvK(OJ{RStT-x5=f0QPiW3<&{_{T!O%s=sV}jl2T*4swXECp%*Z<^Yu=6Ic$Y_c@>~ zaLn!nWXxNDuX4W|6z&DuupB_)Ja-gBjsW&_Ukqu=a)7-21HQ_APY|97fqg9;g(38_ z=K+q+Zz+9_0QPjB@Hyc4`Jxmb*_ayF|CaZIa1JT@?*_p>hxdXk2T=Ho@br1^L_cuM za)69E4DeO-IznKdzoQUgIiQ~BfEeNr9JA*E^5%dMj?OWU_6ht4JFvFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoW zfFZyTUgt z1P?iW&)gQh2aMHxzv#WWErJh+ReZk)zPSyG5PT3LaG)0kn%jbU_#+KY;7m|&Zkxf^ z3LKlk7u#m;^+Jr8xfk1_dO~0a?bDm=6x&*pU!udD2?wEVR!;Yt3x|0BnjxARwsT)JBIv32bU~gkT%go7?CxsE19(_hUQXq7D1# zJ#2zS`Owy4Q*5Kdd{ZO>+H)=2psSD27EU&3_p)q*ZLNj2aIy-v;t`=OIBX`u91-~< zAf^aFJ9r1gh%mQrGOp(Pt=l5wpjXBB*Jx|Va!@30JOD?n+E+l4xbcx_-7W@)#f=BR zx_!gSVe594KqfB&?XzwhMf7oi1_xNTby|Kd{-?%%>voFX+^@oZ>oy)^TOA?L3AhM{ zqJ`qa1;hWag>&5gRzl(1>_3J8Lx3T`5MT%}1Q-Gg0fvAVBQSCed86eRGGA)BZ9M7c z#qQQH{k>h}J2}^gAWwQAW4#6YY z)>7s3W9t%x7^0JEn>emk*Ea2^kQGw&@Z;*r|2py=-BDZ&)S>StIu#QG9`Ic;G2kKJ z6%hj-_T8f~pa9=J76S_Mz0PAmVZPUC3@Ft1I*9=V`!0J7xb8bXySwGyr0)VU#AK@+ 
zwJg_!we#Kb*=3D=u<=egd^gFYdQC{#cf4Qe5KmT{Y?Y&?76UT)Zn|Gnd<@9wJ7N$z zgM1_h_a>R{#6YikWTS~EIcp`xzfT*!eRFu#6+6#{li?fx~(H?_HT8@RB@0_4$D1Ie7_3!wNp4|$*3HG?QC+|pjQ&k$e;Fa#I^3;~7!Lx3T`5NN0f!2OF1 zTfVTy2+@n{=4i$Bam1xPjN+0XRpLq+<>HbeMdHdE7Spx3Rt8Mh;+hyRT@N)**Mmfy zo)0xn&j(F7y$EWYUIYcTmqU%(%b^doS8*C%dljeVwHrA#tgC@CRl-6aoGPDR|AGtD z^Xpt_1GPepk3Li&6d#3R4HdePZ>m9=78IZXdaTg^KceY{{a`>c*3kEfSRck3#vBpr z%Y3aNWnx{-*J@I%#T_+xFUyAOM0AG|2gSTjLgXK;$uaZ%BGNqI zb#l_4Jm4S$ZnFHS@F3WZxH_{v+!cKf%_2h`$%OYFo^eH<&9TDY13SZAQp{M(M|_*V zVgEC`)mX9z#`s##lia2pGq&`?dq}U@xquqGRBN8wN!Ia9mI^a57cr|9mR~b{n&Op7fFj5%%4Z0m_Ik$O@g&gC~R)! zB55&WH}^j?pUyo=t#XmHn6Ya+=8bl5lCJ?je|KqcITuNf8He_x4-Y5MS^rCFE`s}} zj)2>5sGCMEz^jA|039rJ~+!oj_h!!ueBSw zX#D{KUrq{tZG>OSLAm%NNm#=_u~r+gL9|e7IBvEU zI-sr!hguEeO?8~mCc#jvVEhWG(H~Qd4iaeBvc~tcP;@vH^LtvY*?U?52iqDL0`UFH ztVXYq{niD(+k0JZDEciV@7lRPNReCjbBpY*@h`jX{)_qNXSSXp$*wzMiQP5sZ_y3k zLE~B(I?K{{6#u<$t)5jsFpaEqm2dd|Y^(L0+b585F2{%PtjT4}0fSD~`u$%czrjb3 zbPQ^#+vKBL7`Uk$ZKyQ{6m-`b1B$v`#=yRAj6eQ-YVtbCgcz!^7Kq7Ld$puEaICvV z{NFQ~Oth!V)^TTX5I7dz%y;4Y7|11m00#WCN?ZDD9kYjlgM41YXKVZJev3@7rN`be zTNuFe=tB7Jq94c(cT`|Zw6%V~;CEUW*t6O4I6T)(wYI@723F7chpZCTY_Np^$i#P8 z_}F$-gTKF8>z9lH*t0N`G(mrC#eub4SK4+lumlhG;hjhL0~BI2C%U4~daPs&zy|pK zkY7KCHU>cw^TBV|gm;P{4)FTGVa&VOkAFVHHim#A5PfOI}G=n_rd+A;mmNtOAKE83}57B0vYc4R(<{Gh< zHULLkU{0`Q0h~1`2Yn2gZefFXoe{r{_?c{gag|W=EDOvt;ZJPY0H4i1PiSv)fx7G! zv;o#Lx&;ULZ1aK7)jMEb4cqOs74h93cnQx!p%g*Mhq4cn%X?7ZS#TmeH+>&!d@ihq RXT;%9^lzwEF_7T1! 
z006Lt!}bthQ}nrv4YA(o8u1VtIH6#l8_?8iF^dr>isi!sfYyAIB%+(_RfG^;9u=Xd0%@ud|P(3N<+C~mgJSpu+bA^MY^L2v?llqo`!F5K1MzIQ< zU2z@pl-1Z=j;}P|`t^aItn4%AHAfb<a_{2@4dvFE zL^orre;Y*+dFzlD$7@pJQs`C=oO8z!vO$U|o^G*FFM52;CLrJg!6tRx$CqAZ1~Z#9 z?)=JElPmb5|@#;YncC##&zBby-|%(DF;| zNpg5c*hJXwKNkIhw;@AL50zbvx6qF6t^S!KK#*D1#t9BgvaJ8;{(zC)=wLnjuh zBpEqQIQwqllA(C^vx(!hL5M3B23n!Kk=>V9V#O<;1g7`*13#`54X-9>8K~jlJg#o<9ZMT$e9zl6tdX%0+ zbk?PBnfjrDrg)sV{FKr-jT%<($sHN93n0D&Ez!U?`LeUa=nYGBg8gOYJ?Q3|{O_+I zvpXu{b!_w8I-p?XA$zr|DdUMYJ42gpchqr&tfINxh*>;+M~j`4RS8%=z>B{=mCCoW zS9OBA*b~W}G~$`O5Y6JrC9_aRG=g3uS5ET68)Rwa3CeGkN$R^v>EZ+U3k$)A@YgC! zRz}9G0*dIHQW^qJPOB^JnV8Xe{R;Kysql_>mBGSkHDl%qtLwH=-QWPrB?A|Pdsf`XJEKbr?UN(l$GxYCSo*D|WusnvaBcrYxV32NmYf2& z@P5%PAypC&*AF2l~l%$uH zwCEd$;q$4N{1ZSAZ@F(zdzR7Ko#>hq;N4xigo_zakUCJX*F6UGmZX&({CHQD3>MBtYI_(sX2Gs7bAwkU5r+Qrqe-1sMqpr5xz7Ubc zfZD$fLhYEcTdt1aw60x&x4TSfN#4tb`gdJ~l~XEkWUWvw}h>8RO^!PXxtu9nA>l87s7A zQS+qYV!(TqeuFePZ*ttHr9iRVj&MQp=?vm-S|dC{u0c18a={vzElv5VY`>XDGKmiy zwNw&FDfW$U5k?GDiZ@~v>fe74ygL~Z&-zq1TJ4gsOrY3@<6zfK~9P=HvR2GU= zhmZRhUlf5J0LcXpyB0jlY$fqUY$j4;rOfUxa@-3Nh-=xJFQ|*mU~-lh6K8Dzm!5;v z+~_+*n67}Bh)}H12KFvt5)CA6-xIgmbd9FPUi8L}Z6y6^(+GD_r2yFg4iiB!*qRkg zXM#**y_GVgzo^d^hi5}<4T+lQA50#>j4%!k%YtIq(RWsDrNDWNorRjY(TD?PB(gP| zsfj+p_1OngL1^-XzVTdC7KOO%=-FbC-qtVBiHnQk}Tr9Ey MjwjEf$t@iD8^aZ_EC2ui literal 0 HcmV?d00001 
diff --git a/roles/app-homepage/files/onedrive.png b/roles/app-homepage/files/onedrive.png new file mode 100644 index 0000000000000000000000000000000000000000..ae14c4083497ba555a5c66dc259decfa339b6f5c GIT binary patch literal 13675 zcmeHu`8(9#ANHW~kz^~1EKS)GBV}L9$WEv%VJc+HzK>y)vP8B-_I0vT_I(JEA&fQq z&P=vp#xlmt^X_{+zdrxLwew$eU7L{hFa%&&VxW879DM<2?#_F z{7Db`?;P+#3>YN?FH9cV7TzEbGv~iwI#6216%a@eqyxSGI3QzdmdWQCDfOGD#6=f# zjz1QmY}(f_QnOA=3_dSDTPhxX z7Whj4{|6NM*mG+yH(9(CQrk>VbM!t-9bDU^&23+tvG+d_FhxH7GehMWJ5L&%C_#?r zP+KpK{Wf=_g^+fL6d|*PP9tiydeG*)Sut&HOxFK-DtYH9e|9xHpSsUDHedK>M&_)a z*}!0UgG<}X#->;Ah;j6wP@-qx=UJ~+tfwlpW?7L@rt7Vb2#g@%v1xZ;+ubN9OUnEXT&w>`r z&r*l+PyRl^U#9LmJ8j8yEa~?sj=gDb#;+rujduyb)_H)yTrd+flb{sK`Y-U=tm>_} z%cx#WSUo_dgwcW2UtYf5`bYv1=iEx6FF>!HuPIW~tG1GvUwjS%u?bYPd!&nde8fwT zN~)hB{tU0LxIdk>ZPB=KIz$I5$l!N*dY?33swu7Hm!eESJ!JTGH2U6i;>V;lP>Ax^ zC#n*@H&1rEy%$Hfi@I$+Ve~S(D7K3!i0 z2H)&@ zDZV8PZ$4b-bZHYj9XboT@Qxs)>_*GH9m4ad6=vHqxm3|;PR_jm+K9%K8s1SoDG#rg zY=erDypQ9qWV79A+qqB9WdX@&Exk;4&7+z5Np9yuSN3-9&KXx(83)%9HTXcg?90qA zUT?Sa5QOeujaPf=eYRpni4mlZeFDj>4BvaOJ#6&rcSG)@@q+exR5m>*-Xf%$QZuPV zZtxb+;X2`Qq#>5MuvjA|kap044ppFZ6|IRl;tbBfpr>Vv$(Dx9Aa!s9eW&f=-}S8! 
zX(!nfnk(k>Sc5k(n9#Q8Y4w7%D=Zv3jE+TTgr1_WD22x%|T?NYv3I5xj$} zS&pQO2}!OX`vEB4YgD`#`Pemue+A0$dsVF@t)m%8LvFbznHAv#D|6aS1bt zRKe3xdeBJUt)k;+q!MH`v0eB>P(^!0oeq_^Alnx7T(TQeJsR3F;fCN$C*}z2J_iy{ zVL7^_AlnNhxYLKfCUYr8hxJun!RnrzeIxyRQV5RbP4>mlEPkufEhk z-w2>ZE3sWj8b;+ih_#CvMw!Egg-EM`uubWg- z92ROB?ea$(S11i4&emcgrmU#WI6B>=y++FQHZ734v*>PIT_b&IH=~I0)Joh1&j~Bx z)6sLGoZb?RP?oZX$8U6!{I+V1_Gsp0v5TPW1eszo@ApAz46AM)vH!As0hMBgTUP{8 zG?Po$l$@ou*ahODxcL{&7@7cfFc9?3&YnbRg+?9`$)M3{8V@UpuMMcgpGw?NioSkhJzVls5k-a5}s9 zg74I<3{6Od6J!^9owF2OVspH6uVdjx-rU9MS!%ZS;5iVkOfY^>>oijT3kD6rSf5JZ z*y#lME+1)?no(a6?rTAN23O}@TQo#eZh;CuML{yUw}PWg1kG{=qzS9vu{Rjh6-A5q z@{*D2h;Qu1u+n;~{XHq%Fr6TZWWMD_LvUWW2gYmRb54CRq_IL>BQ}s&-}d<#36Phzx_dIPH}cvISx#vO=QXUIe1b zBi7F;@EDpDKiYB1fmwaxhf`o^w;T0nu!O6#8|UrMLsVQqU$m3OcMY1wJ+wpQ*^OWB z`;qit89}Da?KFXdkW1Q#4YmY}v`a@uxIbqE6V4}R+4>)+cSW$U zr}2qkS@Mrsv#E;U_46kM?X9wAf;m|$AFUYFfnA?>Zp(!t`xTck;AId!f`v4}di-xydUNpc7y?_b6w`3jAv z&oyKG23+c=tz~}7fyR4OId7{XBDIxM(E9LAx>Qud!3EMS>dt6lo1p|w0YA9vyjXwW z)W~|vwbHrR9^b_HdZIPBG}vU|Li#iwKR*Mt8d2(dZ5QY(uT-S)gM=)p1ax2NR2yn#el4#k8^ z=}G{`ud@#afPS2_qt6Fc3GfFaNg6u_iZ+G!)314&0tt&ai@&^^?tJWvfjqA+kg*W1 zY@2YK@r*ZOXF~zNNz=q7F!%1Cq1i~Bp0C}w_zUuk)4@tUz`LB_`NOOrf}6cNKTSY4 z4kmaU!%MhQc@X{fZx^=Dk9tM>E4Pd9h;}pX^X8P+!~PVTWL&zIOEs06dDU)^P_g>et!`HrB7>`Q4yI zg+}`60B%q*D#tGp-W{m1Gcm6VQC4*0cP%GPtqM8!Zn6t_L4AI_{#1gzu7Z8jCRRfG zZYjmv#eI!*y?k2QcPqM1M`rNPEY%GMKxOv8+CgQtIlK&;&nN#~Y$`x)w^lFB2^wX`o z9VU5pW)0g0K^;}y&j0yFu|CMV0IX#GcI&x#r>}0xdJ=Cmm-HeFlwP)eA9wI(e5wPC zi0N;*!zRE4#p;)zG{MKvV`nfC`k%&~Tek;##-#9U0+GX-Ow6g_@M>lgxBSBQ7s*!?BvSHD7_+Cn>y}HC4-k+`Yw`#7YWNNL#;)cqV zC~0sCEpk;35|?PhsjVgF-uDzkdqU`bAeLO$37>ryJr?@m1FLr4y}`AMGor1x;@y-< zuqRF3OblKhGji)f&h+(O>@s9-U|`2B>HtiGUI_d5OmP8_k32sH)1I?G5|(>1?bb|| zSyo^8cEl#6JIm83BSroyAMk;v4ap%ug$l?84k*d`4@?VRDS(RoiH{nCeYTO1YF^rP z0zm%5QM(A)hkxrEDf}?2w)u1b+nFS~>UF#mZv&CKyPTose)8#$c$v$34ak@V(80e2 zW*78JdrE9x3~&o6S5?39HBBv9CG~~(<1KSmg zHK5^jJMR;uNUQU6SfA$8SsIWA+2uDg*7|US0m(% zGt!zKRyVrLCGgikgEdK%$# z8^3Ed<(shXw=%jla$h&rcGZn4XQy0<8C 
z6eA?zYE>hHyH2H`c52JEKB>>~D*c83Zmn-~m}E$YhpRN892)uvyLD(gO11f+`=-Kr*7G>Rj#A6wj$S2LdjS(H znm=;U!!pz)r=rXyd0W|a?*pI1Y~9ztGbggd3$)ICyY`da;Q^%33-{ z+ppa>4i$uQG1U&TA+D1#;ob!kmpD4|X9d+lqx6T8d=2W}3e^f4Ov~-F*x;j~4 zNjAPmHB0>IJRX>?h}#K&#H}XWn(J#yQZQ?S5*U7&(9|s1h{Z`O@z!<~K z@-doOqPxSi!0g3ZqtMai-zS_bg3Eg06)-{@&&o+x3KL4-;uAfiQ8wjZ`vvQ3E?E25 zKHe#uDAOR{Hp^)_(X#)-guB8MmMTR8K>qtKSIpZtlWPxA+{~%XWiB>j5p#71@wTtR zC{;2+b3+d!g&v=nHY z74w@H{}d_d+yD9~m5A35mTUEH;(0o~5+P)q_Ou}cy@j6`=N0&yX!9_sj51qjRc{q% zJ!+Pi%1sg~{#=4gw#hFp)oz9%)H&?c$J5Q^07vD;@hX&QvmIwTH+SdtPhnj57Ym@r z?Zv7i1ILlZEMIS6!xBV4RoT$|9!Z=xWG*nan7I9SAy4)A+T89lgjWvar5uH+?S{&Q zDCw%=zpNgXf~!h!V4a%3TSX=%T8}m=_rja_gceH@=5{r)F5@lA9e=wc1dYQTGF#xy z1J>2uXD~73FP?>}%UP68fwerV^|65;+Y2us6}L=P4n6!ljMO%dLRshX0l7%it$d-NX<17Qy^%Ml_xC%MI&0u($b9pzBpwqV|-R^YLP5CUF-h(F{XIr470QZ=2p?4pofcnDxCsTx7xmlMlsUO zJqkML|A|bn!RTOZYXfR(ml%K#X8P`>W!9A@dszy`dKwD^6B9a2Fq>1?vAl}kzdF&b zt8_&=dRVw4Ag|YJ+S`HWr?-M{%B-Z>|I`d-HKCpZ@cpz_02M!CF=I82 z^wxz|w1+#I!8XTdHHsf?Z0sh611-RhLY&+4ZzX;M=XKe&zOYZX3{dLkuF#R*9`%2? 
z*labb#W2X5ACDhu+7-vR<;$XSswkNZ^&o(7##<;V$>y9cd#yy`Bnr^gA6$Y$` zGBJh^ILd3m-?PSQ1sNd#g=JD@XyZNf^jnz@{HjR#Tr^qr%Fj%)D0^UMn(fn(K&%Vm z`B$g;1b%I35~WP8Vsz`1GxlJFUZcXYZn^)NvzpKDd*!5sm-9lqyW>_k-#MgahXV>w z3QViRa6mzfJ@-Ews}0#~=+X?nndCW=lTkI4f--~82g=$MgsT@Gv4O#VzLu#t1K^aT zA~6(XEZ~p7fqS4-1pu)Dy!Oz*_!|_l%a-6&HP_%AVOb=g4I!#RLYDK|l*aki##B=a zha~^uWs1#?h?!MTIQ+*>GQT|3t_p6%{LTPjxv=2$X@2{PY*;k8x9q*2eTuBLaO;{; zKPRR9DCatOU)J8WaI3_A+Th!+?Nt~$XpK0<00g!;KL6&-ou$Qah;Ai$SsXjZ@lVN- z%jCwkYmF?cH0%h?lv$06AQi9Q)|TAv`=))XEVZ%3a7d!fVb86p_`-{zCKMwxJ4*Ze z2)+2!=mWz(r#F)mJBGpThr5jRy{w*j_krzj=Q|#%W5>GCI5j&MyBW{3qio*0G`pIi z#}mJGBL}KtbL-1hesJ$SvRq|BXYXr!6cO?D=I5Ow%#}MLj|8vhB@MurOHP5FL{OCQ zSgA=jLr86gNaFKrwglgFM z-lPlFN{6V)M~b@MvYN1MUX#g;CP%7@xED>|sV1CHU3G6cg%xbE30#3D`B}JI`ffny zCE{g@Uu6T6e2Zu(ij!8-(%A^jFIeRLr3PBqLV|T2fmJK1ss7u~`Lxc9?qNrOqhvgg zPx~gO)W`^GIW>YZ87LK$@KD=-K7*u<5UmWI0;-w9B@%EzXRb7d!^?hIQ2z~!a!GfE ze-rgLo~|{7`M8GI*YxyS6xUndL)(AvOK+0$_Cag zhC}d})XQyHi>uZfWutKydkb#L#Jgo!hQXlN%=Qd4BF{J$L-!OK7hXJ z2Ld5cg0$PDOlln^3%lS14%Ks{d6a2{E#z-WCSM&^+q{Bx7T;GX;b|^hb%!~*I)-}vMIag0{hp+p{{1+R^3I^-iWIgYK z>z$t3a@SaA?nGC_+st?laI1I_OkD>{&9se==?sz@uFVZ~ybxmHzDNP(NF5mvUO=J0 zO8hoj)7=O5amYuQDh-5%$bq_`PsdEMvmx^%%XJntnO%lZr!>qN4Zz_T)8Zy&(z*`l zYp;~<1;Y!EybNCkUMBY?#L0SFhGJ_TO?*pqgDQ~^-HTjPISDGb9IGwEKM9Y`?U8X3jHL|PpOvPKFkuaV40 zrkBFfMQunYmZ4%D#!F$*k>^aehJxxZtvz`t@VL^=Ul%g|xUZqZczekYY3NjBfC%7Z zX&M?%u>Z(?xIBhDJ=B+Kk1T>Y1xaX}g~;E&$|`^>7)aeo{-3x{;^4IxL$FU;i2;eA^kV(K_XxY?I++_TEO0{QawcL4^Ep z=zjPi@$~Oom5%A|2p;y#GDDJbuvl{q?k8fojq;hyPS8vp$5}V7CQNws{TNv4%y0y) zCWTk*Ow*|wdt@=4yT%?YTt2JXI;Z4zKPX{@du)Z<_SGs8*ZlLhd+D9+8etVcXMF3}gN5SFRze<@D_W?iXJRLs&`cD&s8=;6) zF>H3(uW8xq4L)vje2f?#Ug!I7lmGDXbo3vgk0)J>%ELN9j$h1JX2}jpT!jV29)WK5 z)x?Ck#U1njF@Jvy@DJ6~qNA7jA**GPZb~%5nmtw{YolP`wMX{K7Oly1sWV>GbkEUM z!)<J}<@d~}#=UCm-r4gP9L z0s6g=ZV2bCsrjpSNE%ZPh%53dK}Qa z?VJd}q~}O&W^tISU!7yROzw0J-AS?mCy^Dz^Anh}XWDK~^Wu|iE+pOmENgv$V*ph$ zox7dTxaSyAK7!BYJ3TsRetEdMo~Np-9=MtylmANQTsJp^J+!lR(J5OM6z~`^$&o5t zP8wB`Rn0i@Ihj5FO!mW_y^qWG 
zi7PLc)jf3iq{UShT?hz#!y(YFbEAiM0s~>z?YU;Zh^U~;=^w~1S6$C_JzO~^209aV zQuvRc*}n??*Cjuc^-8*qqPWkY%zEZn0n;bvNL^SrVCwo`V86LZI;;VCsw-uq{?_tn z5@|DW$QTDWLWy$9CzY(A?auS>&{Jtp=4y(dAvZRGNhra|KN;XWZ|hD*msq1%U+0~%v#R$Z&;xyR`8v-2LGd4L z_oKYHdAg%=rgL(`&r4L+J6sRfj=}pe?$1B*4?%y4Rz6_OJ`C8u1&kJ(1T+aw1@z@9 z&0YA)0`yd0$xhj&k-yD0lr@hr%=qqi$Gf2k_u18^~IYh7AOTE1CmP61&@`9PZ)M%8U6;LS) zm>UAKAraN!rkImGPChl?M>9TD&gpq>n3Ns<+FU&P5cFKvBk3qqMA0T|p~7@~QrVv} zBEfnk%mCiNfzsvdBaPhcxo0>2fEUgRiaDVVdaKnPp)xEI>|>m5^8$fvB1#GA zcE_y$K6=09ZkG~%h=E*_HU*rPH%6-G%?oPNo^O~wEaa;)U{zInWr$$_5Dt(}H+54o z+8j^bd)H6sLinW3@^$N15D2;UCwt7H($aBtq?n*O%Js?z+2!ZPRR4K^6+rhM{|GPe zOeZc~_rBLsL%_zlpCdXDG}Tid7y4SB>g5Z#v_$~x6oM?5R@fGv)%|f&z|F=aSH0LQ zkWK%^=`BhfmmQ)@_^I_%ZC3Wid||ydt45x_0pEWcwre$Iy$9h<-Q4U^E4$&et>tDq z>hCj{H`qF|Wl#UP%4+al2H`vue#CC@}Z2!7{E((lBk73OK!2iEVDW#!5cx-(9uVF?5W@l$SbTq2OcgjUxvmgQ z-ez8}ZA&oa*uK~CBTs&9H(Za32dSsuLYw#20DR7(-mR!9;Qq5Ho(nH<9RL~9XU(Ps z>a=5i9CKQAY$CD_;chpRRzOTh3}9 z+iQI7S{m)#8h6p5D zQ4&UWrtbAL6b)Jw?_*>@xGqWj-3~#)y#4{)21IyVAZ-HZNc_(cmaf2YIO0WBZ=Sf!Y!AbS)FJ^f{oyTh|@$1KOr(YMH=6^Ev< zyq|(}rCj54C)BgFA~B|%ebbo#(RrhnzyWoV8T%ha{P(Y1xc6V)lq(bHLJJSBEkF5s z^dsMV+^NI=q3V>psl=&&LH0K&lwh#KgO=Y5@v{g3qG|gO(Bn@sjzBqw_u5Tx-6_KW zbt#;0{Uzu2Vp_TONG%?j2ply_0+kiK_^EtH57MKr4fKESJqD1`E}S6rC1I@6yZ`mB zqBzlc8)F1beQKlWGhNh^o`y=XQ%o`CXxm$11l7O3QqE;kNO{m7sywxLy?z2MfAA~0 z5um{NM9%m~?R%u99(f6%2YY4{tMq$fk*uME8R!0!Id$s zJ5g)jD0}*+K=ut}qbatGAm7fTd+HeDRLIh;_MSGOd7nytAAf;O3#JbiZ^tXm&5Lcb2Q=W5~ugT|KJ9nvW%Cm=A{ zlTnd?O5<=UcTj8a4Y6sYI{XV}($W8gh$*o)bJOeYMb+-yAbxKi_4Mm#D}yxPtZLR0 zJpx!ZN});sZmf66pH+!bQ*p&5oA@d%m8sk+&`nRj~KwanThiNDmI+ z(uOygI17;b*;}nipOWQfHykIU*~RU%6eOj}2>Koty1=lfhY%cd_YUYZT7BZv@;mrADzbO->@s&=C5 zTTXBOIfu*sAgOY<0^m}>qmbOg>v7{UD+eF-Br`@7VSp~=Kz?IqPr#X+ycql<@=SIm zsShw7*I34S+>ep{oArzbXZ%@O-Af_$Rya8%d&Y^I_iH?M)eeAl8>|F76C|RAB ztUUtg{6|Qzd4^doTJlu=IyjGbd$6!RHl(G|8lHRD47eUkK=eo6eo72-n{Oy`?@YIS zRe$^UAx;9zdI1dXixIvZdqykiz1k(%X0Xf7x2r7cHxEEL4Lx7E_DgQwMxM?@)IC{~ zh;3OS;G^hw0M<|k;6gb+|j{oM7$dJ4-(?VV(>>rM{f+Xyu%G~cUf$BoQ?qM|t1*-1i$ 
z5HFt@Q&(P~PG|QpFd2ZI{Zau*1=R4K^D>?n^M7r1$1mh>HJ>@}rNpm5kYS$pb3~2|=edwl8~{FAAr$~dpSHlQ1%=+*5Khvn`{(&(_tLfZ{}i|T z7f*a!0T(5KQz8VAE#uZw&BqFbkSWnqJuu+;Kz|mFB?eozFS5M94IFH(0OR?$+KgHU z&^!Gn^~!P~o+kqP!NUw#^c5gJb}MB={&A_(*rcQ|koytRJ_WrSxlbcdy{|zY=>p8I(L3!p6zQ3r8H+8AJW8@ z`<;>ZQ@l$TatI2A3isop`5ShBZ4D@(KAr}yB72Rwey7Y4vj1XlshIKMHj}B>If1gN zZ8_iSO5_|+Itc)IL=fF}?mE~Ly>J4Oz+?XK0)EtVZ`E$XC&Z?EDPg;bXtR@ofYs=e z8TFu0yMqkX(}hWqXFOGUaX};5*}6OXAq!*d;6@^Aa%80FWk9@1tgFnGA*(1F ztJr2lyJY#4it>D+dm=R#NE?)HWAv0N>ZnW!niMx*<;=-agd^@^|!c|Ew1h@ny3lhZiFV=^NE>~_hc zHZv)(Kh(3h%b5Y+!$85YMAnQ*;JQ`zoa@YeGq{Y1(UUk8vX5T&OuuQ-eLl%VYb}dJdFK2aV>_KK|KGi{;uA2V5}8j7kw6K^)u+fMbEYKF+@d*s*D^KsiB2i zT@1u&sT((a*@nbu(LgeNc*dC77Q3UjV?Kh}*9@5pvOPn9T>(mXVNa7)UYwMzy)&M) zSoQ&7d^+@C2`vxgJKa~C{*VA2`;{K7lFaG~t++d3X9V_%diGx>%Q@KlAZ;{zSW*5? zedLH$6$^ZXydIfb2MQgXh*=#}pvnI_^t}Ykd;^Pq49xZk<@e-S$dev>Y|!0u{UY*0 z`teVeOZvOa!eB7j2mcwlo7nAYi#oKo2Y}kB_a_b$5Q% z0Iq)J9aYQgr_3T?u!%&&YrjD@-0YV-!bhqN(9@xb^aXAsDD>)=kwSriLmWRY_)CIh z(05YIoDtK8HJ0@ZfTKAGc(fwusE)|rAMg`${|ST|DhST2G1^L(lPt$->FlT?Zq~yw z#lLk=B~>N0p-?8kwonWnK8Xn$)!tFQrWIm;!VP53VV8g?fU$<}_e=9=g00KDfhF+G zpA*bV;-pOBfFU+^k8kA=SE6KtMs)29NAgRi_({GlWuK59K&grC<7$7FucHnxbL5uv zRK#wEl!yFE?-FnXa`FSvhZv6sp&}L^f?i`?&PRO>`SrUmHXG1z&NxPXcJ^NdT(pSa zeH$^5a@kMXBLs?ZH>{zGd3TCH#^U; zJ_54GTea1+R(_%|F2zPk>iV)N!_Q|AX0$>hMGb)TDQ;{V`m%#nIw#hC{Gi9;xGnZA zqRlrxQuN7RDVw2H$cNbEIWcWxLs-w@7=zROHlumhw~PQpW!@}=kSoX|t_YVhB2_(Y z;}n}4n|;+?sQ5rntv4#NNDkoN_EwYrPM@ilan^6{r8IAZRofn3DvBXD&PuT-sJCs< zk(_CPq(j&h$WXx{z4TBDS6z1CznsN~=8Rfgb-jc%VPi+R{KQs{!lZ3NuR^*C*3~>> z^lnYjep>vwW5JgyDN~_(8TkVk$<&=VaR@R*CP#{K%~V~dZlCytD9VPce!d-X|ohfje|e9q!io)$k$3wa^BXpYi!0P z2g9!Z&&IOdOElGB12s5&HVs@^wag0(37KfbR&z_$m+&_$%3t|x#(r$_FNv0yQuJ<- z9+05$_M=I?+u76@xXF`Z5%czj1Hl6Y^K2UzW!%dN@Z*QD$kX+orx#*^o}1zC+U}?y z<<%D>2lJaG{g!Wl^WGf9P{MCpk literal 0 HcmV?d00001 
diff --git a/roles/app-homepage/files/sendgrid.png b/roles/app-homepage/files/sendgrid.png new file mode 100644 index 0000000000000000000000000000000000000000..b93be701dfec197a5a4432762740e4b28b8925e1 GIT binary patch literal 1066 zcmeAS@N?&q;$mQ6;Pv!y31VPi1Tq;JIGBM{_L_(g5U)7M-HBn{IhmJ04okYDuOkD) z#(wTUiL5}rM1W6-Yr^iA40CTWtb8ER_;}`{uMC?XZ+`s^D7pE9h!BwCC<*cl{tp2R z_nP-c0>wBBJR*x382Ao@Fyrz36)6l1%pIOCjv*CsZ|5BJi*^)Xc`M%Y|9^jS>#5GG zS}(6wnfgpUp#0M$HtSg<|DAbf0~t2!awTkYWjwP@qv56)tHJF>3~A9K2XeZZX5`|M zymRtx-P(`YQ$0_WbNtvLr~hwH&Ev1{u3tC*x9@M&&dJKpHZ!-;8hdJX_(? ziU&YKmzhooI`_VkFI3#+*Md}R|*KF+q`WP=c|Mm_T%+XO*W$BH}j$VeYhW4@;Z)LJJ8 zauDx}I_8`MtH36%GH;NuG;8o>o08E0GW;s5fO2}^f#XX3zm+ODcCLH9rs2G_Wm1^* z7mGU#tP_-%?P&Na-*{9xf%%kqLg;~q%NuwtfTlToWvgK35K3nDFgn0ykUl~AC{RMd zy~n&k!SJf|16~CWphHE(6PWw%Ge`&Q1&8AehDkgd7|%#P@%X5jzFch;{ z2Gwv~$v^O1>NW2Uu}I;9$M+46+_78f#MPbiFqbLq{%7;Ljt0?)6mG5rzW`vEi!5Mh zTC(AUn8<-S3xKh&;lRk^nK)5bqruV<7@>g;OdOLADMbe`6gL4QdNBj5fJ&?Dwgn8& zSb(AB#>l1M0W{c=@eC&yFgTb*fRQbBvx#Yju!uvS1gl1af~L+UR#pRb4Pe-F1u!@U yQEqWdDx Date: Fri, 15 Mar 2024 00:28:25 +0100 Subject: [PATCH 28/51] Prod deployment checkpoint --- environments/lab/group_vars/all/general.yaml | 1 + .../cloudflared_containers/container.yaml | 4 +- .../lab/group_vars/pve_nodes/general.yaml | 16 +---- .../lab/group_vars/pve_nodes/getssl.sops.yaml | 47 -------------- .../group_vars/pve_nodes/secrets.sops.yaml | 20 +++--- .../lab/group_vars/pve_nodes/ups.sops.yaml | 41 ------------ .../lab/host_vars/homepage/container.yaml | 4 +- .../lab/host_vars/pomerium/secrets.sops.yaml | 6 +- .../all/{general.yml => general.yaml} | 1 + .../prod/group_vars/all/node-exporter.yml | 1 - environments/prod/group_vars/all/ups.sops.yml | 41 ------------ .../all/{users.sops.yml => users.sops.yaml} | 0 .../cloudflared_containers/container.yaml | 5 ++ .../cloudflared_containers/secrets.sops.yaml | 44 +++++++++++++ .../group_vars/k8s_cluster/argocd.sops.yml | 48 -------------- .../prod/group_vars/k8s_cluster/argocd.yml | 12 ---- 
.../prod/group_vars/pve_nodes/firewall.yaml | 65 +++++++++++++++++++ .../prod/group_vars/pve_nodes/general.yaml | 55 ++++++++++++++++ .../prod/group_vars/pve_nodes/general.yml | 22 ------- .../{secrets.sops.yml => secrets.sops.yaml} | 20 +++--- .../{all/ups.yml => pve_nodes/ups.yaml} | 0 environments/prod/host_vars/cloudflared1.yaml | 13 ++++ environments/prod/host_vars/cloudflared2.yaml | 13 ++++ .../prod/host_vars/frigate/cameras.sops.yaml | 46 +++++++++++++ .../prod/host_vars/frigate/container.yaml | 50 ++++++++++++++ .../prod/host_vars/homepage/bookmarks.yaml | 39 +++++++++++ .../prod/host_vars/homepage/container.yaml | 40 ++++++++++++ .../prod/host_vars/homepage/services.yaml | 4 ++ .../prod/host_vars/homepage/settings.yaml | 8 +++ .../prod/host_vars/homepage/widgets.yaml | 4 ++ environments/prod/host_vars/kube1.yml | 7 -- environments/prod/host_vars/kube2.yml | 11 ---- environments/prod/host_vars/kube3.yml | 8 --- environments/prod/host_vars/monitoring.yaml | 29 +++++++++ environments/prod/host_vars/mqtt.yaml | 22 +++++++ environments/prod/host_vars/pihole.yaml | 44 +++++++++++++ .../prod/host_vars/pomerium/container.yaml | 42 ++++++++++++ .../prod/host_vars/pomerium/pomerium.yaml | 8 +++ .../prod/host_vars/pomerium/secrets.sops.yaml | 45 +++++++++++++ environments/prod/host_vars/pve1.yaml | 22 +++++++ environments/prod/host_vars/pve1.yml | 37 ----------- environments/prod/host_vars/pve2.yaml | 22 +++++++ environments/prod/host_vars/pve2.yml | 37 ----------- environments/prod/host_vars/pve3.yaml | 19 ++++++ environments/prod/host_vars/pve3.yml | 34 ---------- environments/prod/hosts.yaml | 20 ++++++ environments/prod/hosts.yml | 23 ------- package.json | 4 +- playbooks/_all.yaml | 5 +- playbooks/local/ssh.yaml | 2 +- .../app-container/tasks/container-disks.yaml | 2 +- 51 files changed, 698 insertions(+), 415 deletions(-) delete mode 100644 environments/lab/group_vars/pve_nodes/getssl.sops.yaml delete mode 100644 
environments/lab/group_vars/pve_nodes/ups.sops.yaml rename environments/prod/group_vars/all/{general.yml => general.yaml} (75%) delete mode 100644 environments/prod/group_vars/all/node-exporter.yml delete mode 100644 environments/prod/group_vars/all/ups.sops.yml rename environments/prod/group_vars/all/{users.sops.yml => users.sops.yaml} (100%) create mode 100644 environments/prod/group_vars/cloudflared_containers/container.yaml create mode 100644 environments/prod/group_vars/cloudflared_containers/secrets.sops.yaml delete mode 100644 environments/prod/group_vars/k8s_cluster/argocd.sops.yml delete mode 100644 environments/prod/group_vars/k8s_cluster/argocd.yml create mode 100644 environments/prod/group_vars/pve_nodes/firewall.yaml create mode 100644 environments/prod/group_vars/pve_nodes/general.yaml delete mode 100644 environments/prod/group_vars/pve_nodes/general.yml rename environments/prod/group_vars/pve_nodes/{secrets.sops.yml => secrets.sops.yaml} (76%) rename environments/prod/group_vars/{all/ups.yml => pve_nodes/ups.yaml} (100%) create mode 100644 environments/prod/host_vars/cloudflared1.yaml create mode 100644 environments/prod/host_vars/cloudflared2.yaml create mode 100644 environments/prod/host_vars/frigate/cameras.sops.yaml create mode 100644 environments/prod/host_vars/frigate/container.yaml create mode 100644 environments/prod/host_vars/homepage/bookmarks.yaml create mode 100644 environments/prod/host_vars/homepage/container.yaml create mode 100644 environments/prod/host_vars/homepage/services.yaml create mode 100644 environments/prod/host_vars/homepage/settings.yaml create mode 100644 environments/prod/host_vars/homepage/widgets.yaml delete mode 100644 environments/prod/host_vars/kube1.yml delete mode 100644 environments/prod/host_vars/kube2.yml delete mode 100644 environments/prod/host_vars/kube3.yml create mode 100644 environments/prod/host_vars/monitoring.yaml create mode 100644 environments/prod/host_vars/mqtt.yaml create mode 100644 
environments/prod/host_vars/pihole.yaml create mode 100644 environments/prod/host_vars/pomerium/container.yaml create mode 100644 environments/prod/host_vars/pomerium/pomerium.yaml create mode 100644 environments/prod/host_vars/pomerium/secrets.sops.yaml create mode 100644 environments/prod/host_vars/pve1.yaml delete mode 100644 environments/prod/host_vars/pve1.yml create mode 100644 environments/prod/host_vars/pve2.yaml delete mode 100644 environments/prod/host_vars/pve2.yml create mode 100644 environments/prod/host_vars/pve3.yaml delete mode 100644 environments/prod/host_vars/pve3.yml create mode 100644 environments/prod/hosts.yaml delete mode 100644 environments/prod/hosts.yml
diff --git a/environments/lab/group_vars/all/general.yaml b/environments/lab/group_vars/all/general.yaml
index b293eca..7f1af01 100644
--- a/environments/lab/group_vars/all/general.yaml
+++ b/environments/lab/group_vars/all/general.yaml
@@ -1,2 +1,3 @@
+ansible_user: lholota
 ansible_python_interpreter: "/usr/bin/python3"
 domain: homecentr.one
\ No newline at end of file
diff --git a/environments/lab/group_vars/cloudflared_containers/container.yaml b/environments/lab/group_vars/cloudflared_containers/container.yaml
index d804072..9cdff6d 100644
--- a/environments/lab/group_vars/cloudflared_containers/container.yaml
+++ b/environments/lab/group_vars/cloudflared_containers/container.yaml
@@ -1,5 +1,5 @@
 app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
 app_container_memory: 512
 app_container_storage_name: dpool
-app_container_storage_size_gb: 10
-app_container_pve_replication_cron_expression: "*/5"
\ No newline at end of file
+app_container_storage_size_gb: 1
+app_container_pve_replication_cron_expression: "*/5"
diff --git a/environments/lab/group_vars/pve_nodes/general.yaml b/environments/lab/group_vars/pve_nodes/general.yaml
index 0c5468f..26352bf 100644
--- a/environments/lab/group_vars/pve_nodes/general.yaml
+++ b/environments/lab/group_vars/pve_nodes/general.yaml
@@ -1,5 +1,3 @@
-ansible_user: lholota
-
 # This is required for VNC proxy between the nodes
 ssh_allow_root_login_trusted_clients:
 - pve1
@@ -10,18 +8,6 @@ pve_zfs_max_arc_size_gb: 0.5
 pve_cluster_options_migration_network: 192.168.8.0/24
-pve_cluster_vxlans:
- - name: overlay
- peer_hosts:
- - pve1
- - pve2
- - pve3
- vnets:
- - name: cont
- tag: 8
- subnets:
- - cidr: 10.1.9.0/24
-
 pve_cluster_ha_groups:
 - name: critical-priority-pve1
 nodes:
@@ -66,4 +52,4 @@ pve_smtp_port: 25
 pve_smtp_tls: false
 pve_ct_templates:
-- http://download.proxmox.com/images/system/debian-12-standard_12.2-1_amd64.tar.zst
\ No newline at end of file
+- http://download.proxmox.com/images/system/debian-12-standard_12.2-1_amd64.tar.zst
diff --git a/environments/lab/group_vars/pve_nodes/getssl.sops.yaml b/environments/lab/group_vars/pve_nodes/getssl.sops.yaml
deleted file mode 100644
index 9d646ae..0000000
--- a/environments/lab/group_vars/pve_nodes/getssl.sops.yaml
+++ /dev/null
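Review bot: `pve_ct_templates` is re-emitted in the `@@ -66,4 +52,4 @@` hunk with a cleartext `http://download.proxmox.com/...` URL and no checksum, so whatever task consumes this list has nothing to verify the template that containers will be built from; switching the entry to `https://download.proxmox.com/images/system/debian-12-standard_12.2-1_amd64.tar.zst` costs nothing, and if the role fetches the URL itself rather than going through Proxmox's own template tooling, pair the entry with a `sha256` field and check it before the template is registered. The first hunk only relocates `ansible_user` to `group_vars/all` (see the earlier hunk in this commit) and the VXLAN removal is a plain deletion. Unchanged but worth restating: `ssh_allow_root_login_trusted_clients` keeps root SSH open between the PVE nodes, which the existing `# This is required for VNC proxy` comment justifies; extending that comment to say the list must stay limited to the cluster peers would help the next reader.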
@@ -1,47 +0,0 @@ -getssl_version: ENC[AES256_GCM,data:ypZgdw==,iv:pktvgmp96bQdFnxa9whJXIyRvjscf93UaZQrPpvk448=,tag:od6ICPAH05wqxE6JFR5fhw==,type:float] -getssl_acme_email: ENC[AES256_GCM,data:vW1i9Q6FCzicUEkWb0mocVQv8/jVzZc=,iv:wFoCCJYnwC8X/cxXF8MmwpoNYzNuhi3f0/uB+XZrcN8=,tag:bk2FcpQsfZb7Ig7E7jS4mw==,type:str] -getssl_certificates: - - domain: ENC[AES256_GCM,data:IL2U60AOP4Qe2s/Q4JpA,iv:m/Al38Q9+Hfoqbp65rZxcQC3davsj1hCF8sFUILor1Q=,tag:bEvmOKVjk0o6f26FBum4YQ==,type:str] - pveproxy: ENC[AES256_GCM,data:Z3PlWw==,iv:G+GeW6QuTS9JcEKJxBKeHvc0mOs6vS4FBpadjnL3swA=,tag:PazIu8PuVI+mwdZTFKNkaw==,type:bool] -getssl_cloudflare_email: ENC[AES256_GCM,data:g8ra8XdIC3yq9J1zWD+h9C8oqK51hQ==,iv:i8ldg/fJLD3N3Ivrl9jm2PtRUZrbjVRGzv3F1FFT/Qk=,tag:C9HTM5pC9LGo1TWQypv0mA==,type:str] -getssl_cloudflare_api_token: ENC[AES256_GCM,data:XTT1bBWsslV/LZNg+1G+TXwmhSxlIcy8iA4G268TfX0RaJPHuNmoiQ==,iv:kYnJA1nbVCsxZ45pCub/QFX1hWtoPqYoUuc5pJ7819g=,tag:5rlk9oOHXc7auOG1BbgXcQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1clBQeVhsWVBBNG05V0NH - ejZTQ2RJcFpFMm1DUG16cGFDT2VreDI3dUdzCkdqdTJoL3VVSTV6TGp6Y1FKRUpR - UGNQVjYvN1BMek83U29HaHRVeG1TYVUKLS0tIGZMcEtwSUt2UkxhamtRa1c1MUx1 - NTVRVTlXdlltaHFRN2o0cVV3UFZHa2sKyVnFYLdIIlM4HAnu5UT8zuf0spT70P7t - CQA28nBLIEBim+fc7y1iO+1DdFmFK6igoDFx8Rf6IPfihsWjfKs2Cg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-08T18:21:39Z" - mac: ENC[AES256_GCM,data:dkmcK47/AwyECu300oXilnb/7KZdDUUrimNa3eVNUuhPXa549b9TUJ4TKzQzvCwdU4VtTKE08guyeqalsc2eJVCd1b9HrVYxiIRFUYJWm9pCXoYckq4Fi21o4jaLWgdaBQpR1MiCMt3uDSpKNQwU+lYveWjbEzf2DVFMyp+2d8w=,iv:h3HtWjDT3fgm6Bpkjo1tjZtDfLYoJUobaPohbwfu8Ig=,tag:5b3+IomU+0VWT82YfqhSAw==,type:str] - pgp: - - created_at: "2024-03-08T17:36:39Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ//YMTZz/Hm3udKdJ+o+Lk2o5Y3/KZxU32pndkwIiOQHbQl - 
tu0WIuDLrsMh+wmTDcNYXVjNqs46u+iRYgJoKKABvYAGOI0qXJyZr56KVqewmZ5I - i9wdADrUYznAs/0J2UPOocBRGcW/40nR7i0tBOHY3JH6/UUyzqjQTJ8bwkAmIECF - p9MiPCyubjcL88Fl9xjae5BFLgT615Gq8ii3N2Aloavalxtge6qRgxIxbGpI3kZ4 - P26PVTWj/KqCi2SxfWm9E4R5/7/Wb6puYGS8Ey4QPGwnpNgPpEJOu8GnAOfOwgV5 - KPcJP3alZdQPvQD8ta4Fasm36l+/7YAe4TfZ+9WqdKi9pYZ5p6vpE0rc6u8aELZm - 38JUva401PE8JWgQdzkXFckMQ3+Dl5gAuZQCUBZi73uG6cEIZxXjPBzVExoIWB7/ - C+ZCJhb/4q1K8v+ZFuxduMa07W505SnnmL8HVs4cnM9ijvDBn1ZUiq3KDEm9IBdZ - CGEfGHrLeL+wlF46s45u/D/ESGiUlTyt+qPl7vvMgQhdn9AIGnHb6qD8zlXE8hVj - QfjgyLp8L2TwQaRb1oXltePZyuG3PZOchhCfe18jNzINtPzl9XvFTkAAzIE1fTtz - 2oXnUgL8DcYH0agzKe7LH6U7j/ZVVJAiuj7y8h3lkgWKsMunAk29o/49FMspDFzS - XAFmJ40anJ/M5jbj5Sfeqslm0XaBQYO8t3PO07rSkIiDNeUHwVe5/uB0IICNgteK - zsQKDfmCGMKLVMMQqG7K6uXXN5wL0M+3oaIc6cPHfevNT/OG0QL8J3jm4vQu - =JxcY - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/lab/group_vars/pve_nodes/secrets.sops.yaml b/environments/lab/group_vars/pve_nodes/secrets.sops.yaml index 743a595..a613e83 100644 --- a/environments/lab/group_vars/pve_nodes/secrets.sops.yaml +++ b/environments/lab/group_vars/pve_nodes/secrets.sops.yaml 
@@ -20,12 +20,14 @@ pve_users: - scope: ENC[AES256_GCM,data:yw==,iv:AwDmZEE54njW5k3Uh1XOxOGq9/9RCHPiFiw2+iNylQM=,tag:WZW3X8vDKPGydmJkDJsNmA==,type:str] roles: - ENC[AES256_GCM,data:KmlkRgsHCidvqtudDg==,iv:dUcsKM7NaJDSoDm5l8ksfawAQs/XGJfrcdKATPix0U8=,tag:VykuXfFbLnyVpGM8yYqmbA==,type:str] -pve_acme_use_staging: ENC[AES256_GCM,data:ZB1O9GM=,iv:PX/JlrEUE9m2zUhiECyFSSFmJYwJkpdGe+IDCYLCmM4=,tag:0S62rlm/rKmsA4ktEFhGbw==,type:bool] -pve_acme_account_email: ENC[AES256_GCM,data:HtpEEi3kj7qnZFwxtW+pHHm8+vQ70w==,iv:jhO9IM5jIWir4uauIJvUyo1/2bK86hjONSDkZ5Zsa6c=,tag:ROKEzmyE6Hmw23zUDJp2YA==,type:str] -pve_acme_proxmox_hostname: ENC[AES256_GCM,data:og0/2+qKLA==,iv:beR8zZYUS3aKQ1+0OpLPAkSNkvtUTDBBU9cyCth8hJU=,tag:ebSVQmtjMF4rkbjLlf5Tjg==,type:str] -pve_acme_root_domain: ENC[AES256_GCM,data:Jfd5QsfUKhCF3VJ3VQ==,iv:S/c0NfOY80HrLQmxkJodze6em1wKi6ShVoesQZrYs8g=,tag:RGOpx00MKRb+7WatZu2N9g==,type:str] -pve_acme_cloudflare_account_id: ENC[AES256_GCM,data:hujtk8md8IGaZUoLkYRa57ifx22VNBsl6Ed5UQo5AOk=,iv:ey9O2AMv542RO1ZLHraOc8sTSpfv6MU0jJyW5hLYxKo=,tag:n/KyJJDsWOJBUd4IlX9NdA==,type:str] -pve_acme_cloudflare_token: ENC[AES256_GCM,data:6GsDcZiRFd5TpZu20DcOYPsMuXCkgHoi9n24/LMY8ZF9eu2Gu1mYPA==,iv:ZSQK8qVNtAZ4V1vM/EqkbDSzt3fg2/uDuiFFjMxtAc4=,tag:eMC1V8y4LQYhrT9X5X/i0A==,type:str] +getssl_version: ENC[AES256_GCM,data:6ohx8A==,iv:CKY6tt3+3x3yt7hElnn9R3y+6EdH4iGfyLv6yMJvW+4=,tag:Frius2gEErin2yzT4dObmA==,type:float] +getssl_acme_email: ENC[AES256_GCM,data:3YxxDwf4yHZq3tbyfCsJM+3SNMAqyOY=,iv:JaO2Po08nnnM8GOvxxsE7eX65W4CuwabZX4bl6YA8EM=,tag:Jy3NVizrHL9ER8pzeviTfg==,type:str] +getssl_certificates: + - domain: ENC[AES256_GCM,data:p0oK4ut4fng3aibtD+ZB,iv:GAKzyETL6nZJLPH92plmEmHGJyGq2eIxstLhuBwDv6w=,tag:rdYAFOI7jjVPm1coIcrX1A==,type:str] + pveproxy: ENC[AES256_GCM,data:3SJdBQ==,iv:qPywxGpK/FCJLLaTMJ9j/x9z/GptLHfmqhlo1VnBYuk=,tag:yzASyPIqetiaZmp9/D2Ngg==,type:bool] +getssl_cloudflare_email: 
ENC[AES256_GCM,data:G6Ixtl6Lf8I4T8HupxePJlBLvv0CqQ==,iv:L4i+g6908jnf03HcikeM9f3Zoa5jhDP2IHkvDxWhO3M=,tag:8Oc046w1pYAVVsPd5NAEYw==,type:str] +getssl_cloudflare_api_token: ENC[AES256_GCM,data:++P52Hl/14yekKI/pTfMKlQKHqISkotNFj7SToHzqUk0Z6wiL/eL4g==,iv:UFD41XQNKJz2tHDB5IG+PmhgoXFYPqHZC0DkeZpSkjY=,tag:23aditConHxuY3AaW2owWA==,type:str] +ups_slave_password: ENC[AES256_GCM,data:LSkvc2D5JLs=,iv:kfdGQjVMi4Ujle6WzL1XN+6kV6tZdKdUKpEA6K3s4BQ=,tag:XX3BibPR3MZH58uUpH7aOA==,type:str] sops: kms: [] gcp_kms: [] 
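Review bot: `getssl_version` is stored by sops as `type:float`, which means the plaintext was written unquoted and parsed as a YAML float before encryption; a version such as 2.40 comes back as 2.4 and the role receives a number rather than a string. Re-encrypt with the plaintext quoted (`getssl_version: "<version>"`) so sops records `type:str`; the prod counterpart in environments/prod/group_vars/pve_nodes/secrets.sops.yaml carries the same `type:float` marker. Separately, the removed `pve_acme_cloudflare_token` remains recoverable from git history by anyone holding the age/PGP keys, so if the new `getssl_cloudflare_api_token` is a different token, revoke the old one in Cloudflare instead of leaving it live.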
@@ -41,11 +43,11 @@ sops: QWU4OTVNQU9nRU12REp3dkpYdWpjbVEKkKpnxWW2iUkjQv3UzO8b0pUXJ2s72HdQ tQkvIENt6fns2f3WwAoMsouPsTzZSn4PXGrG9OAIWVcfkGtF/RRdHA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-13T12:55:19Z" - mac: ENC[AES256_GCM,data:EFo6mvq/mv+0nlB9+y+SVYysQkxWXtoHUhfzpl8K1lmTZCZAD8sYUCIYtdKsQ4mXf8+4ycpg/FfGxB0ebs8pvHUWgPz4VETTCU9s+FE7onp8FNYnKIOlfUDe6NDDI5z093fki11wFa8RuG6a8SUKYp4BZr28nf425q3nLTWPUxo=,iv:iq8Fd7nZwgiQlRZ4da61vmT2JKTpeU87PYTB/fMGIUg=,tag:f2fAiZ5pb7B3ggjEoafgZA==,type:str] + lastmodified: "2024-03-14T15:54:14Z" + mac: ENC[AES256_GCM,data:U5uGpkdQyDPcrxUElr2sWu/pf1enhzs8Ld96NvUcIKo7bJNex7RZ38Zm1lhw0QRH/E4fjtO0bPJ4YYCHTJdPmNzIJAz6S9L69vk+v0oOddpb/bCIQCBIPlSnhlUrBNx6804UnzvfhzF4iWH2/rJ+QR8stnJMI2BcPwNqfD66xwY=,iv:C7xoLAFXyCe/ac5276nmGu/fxOxaHNjaIr5pexUu/QM=,tag:n0E/Tcbyhmnouporam6i7w==,type:str] pgp: - created_at: "2023-06-05T08:57:01Z" enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//a0vf1Oh3Tiyv++/rqq6X00JVXl2CZjoQ8BOKeGsX1wOY\r\nHIV7on7BJ4kW9gjIwOGIhsMLPryVIR7yJAJPu/qjQiQFBEk5To8xjoaMib0f3yvI\r\nQRDB2nvgChd04NHE7rYbwl+0aZcK1E88LA2uzXietlri4VzcmoMA9JBZn5/65Eaj\r\n+f2Ari4TKWTomYhseYPUVFCqtm5W64FehtGKao7iNcMAX/vxIupWUwRRDg6EsZu7\r\nP0nGszRVWwiucJ8BfDU2FQVrJKJuoEyerSUYW0tHEhAai+HTV47j2ST/ZvK18D5c\r\n+16RJzp1a3QFCViM3PlOAAVtunoUFQxMwfiLgniUB8kCjFBOMQ5wST8xZFUHrmjw\r\n07tkmV5/eRVA9/Vl5jRqM4sRf2f3Ou0YXbeOeJ3fzLrZgWOliUtTq7YzvN4AnNhg\r\nJfHSQsMR5nYi9wHfq6doTWXArXKp82Z2u/pZoVY5xlAaU9uerxgs6GTs7iRbW4BM\r\n+7WkqxnRo/agFzhLpDWBxehpP0XKx49JgxPdmQXlYDQY6AYc5jPswBsePSYL1LNz\r\nhoPUbCfgPik5nrdAy4pVW6ijBcf8KqgVH8eZAQa1M2GpdyO8tIL5paTLaM+oiyWN\r\nFEjT+GDjxAoxFvDW8ZSOTSlu9GdrLquFMF2hp3zZ0bZ6EfHr3K3cyRXAhkVuLUTS\r\nXgEQAAk4rZa7lH9ODHkKNzOhIfm69V2sAgH5oWHgiBAAJU44ZE5voZSQokVZPu+b\r\nK9ldX8+2W8XoE1CGuWXNtb5GYlWlVFpShFfhPCm1l5b4w9Y5lDhXmEXf8Opdw3c=\r\n=t7MQ\r\n-----END PGP MESSAGE-----\r\n" fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 
diff --git a/environments/lab/group_vars/pve_nodes/ups.sops.yaml b/environments/lab/group_vars/pve_nodes/ups.sops.yaml deleted file mode 100644 index 38e2209..0000000 --- a/environments/lab/group_vars/pve_nodes/ups.sops.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -ups_slave_password: ENC[AES256_GCM,data:4EF8xPVN1X8=,iv:7s0hBFfFAI3eIZyrpsfLjP90Ui7uxW4t6JoV1GrSgUc=,tag:58g1iHJwYt5nwWXwYsWRfQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKK0MzSm9FZGR5cmdPMUxL - MmlrcFg5UzBuUFhVMUVCZEdmWWQ0NC83OWowCi84ZXlKL01BUmJvVDU2dmo4ZzNN - WWhnUTFXa0krK3I3NlRrZHlDQmZZUlUKLS0tIHUzQWxwMkxDUFp1RnIzYk5ueW9v - TVN0SkROcWs0UE5XdUpRS3BLdEo2QWcKacenLVm1t0er6ZRqqCiemgeWF5Sj2P6Z - KqHXoEbI2CNm/qbh929GkBRC2CCrLdyGfv4SzIN4XY1sZNk8bg6Czw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-30T11:26:30Z" - mac: ENC[AES256_GCM,data:JI6wvyMrrxonBddvgkfcQMwRT8d9tYuNZZQRVhJUWT4Yeq4lrF9JGgoheSx/BdafJwL+jtc4JOx1yhTRg1Gui8TQ4iBG1wzlD9M2U+DCdKiF3sN7nupJtvPiyIWEeCBA7K8pMfpNSpuFeH4AuWwPpXkB54LDx9v94uVUZH9rrh4=,iv:U7TbTEEBUDpkm4QjVl09vR0JlGs4XOo5PfAHnNcgEf4=,tag:ItvdsTd3OZ0sqxQQhXIHAg==,type:str] - pgp: - - created_at: "2023-06-05T09:01:52Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ/+La3rd50pS2HpKAXuR83B15f5lXHRylbDkwgZtQiOro/B - XzKLxC88x1X3QZLyn6URHX9YmIRPWXZO+X0Uo7cmDKH0R20xa3MVG2bVyMyXtxpl - /Kow9z/uYIiXOMtGPKtuObFuzwKQ5cPDd54DNb/7RYR8fhHMMf4FyqKigR+Y8nzy - wezqDs4kZjRbwUxnRnEU2dSnU2SkWs3Tymv8hNRbEIffeAIaY2k98m4lcv+MiwIY - QXjuAmL33U8hiC0ex/dToeGOv2JQG6uVdpiRRrPncoMaiw01kdoTSxYxtjbhLTxd - joHCgyJIxOCzABR0A78EwW+pZNa/nG9+2ouRRr0zQzTRnZbI9aUxFv1Fw54kX4Yz - 5jZCMfI3JZYCzJUzzTON11SGzlw+Mz4HLV8wtuRhMZ7OgiYjKCRXqibPi1XwVJNY - VgfCAa/jFnLvm/C9T2SQrQIgjt5lTfUa14huobTRWzDtGsYdVnAfqnFDfSNU2kaa - +viv274O/akCg0HICPyTfdpzwsGmPen9ilfsHpbUvtTJiY2nq5SZBwhCMQQKBZnw - y41rEj0M1BYmOGQtQNV7pDBNfFHPQ0x1VKXxFb4nQ/Me2odpZU60oLvAPpDQLpO6 - n6rM9pArY06ZgwpVhTL+nllmWag8QPQQTReZHuwvXeKXWcDGDhGjmJHsLYDiEovS - XgFTbcmaix7iVfRaqZNXTsNG3t9kEl6xfLqou5t1TFBhba6W1CRy4Qs34Mc2MX/t - 3vua0A3+vwsf3EauDn0squTSWKvMxkFfsKFJZZoCUZYq3GN8ZTiuTPvoVc/nVPk= - 
=ltbl - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/lab/host_vars/homepage/container.yaml b/environments/lab/host_vars/homepage/container.yaml index efd0a5d..52f4c31 100644 --- a/environments/lab/host_vars/homepage/container.yaml +++ b/environments/lab/host_vars/homepage/container.yaml @@ -4,7 +4,7 @@ ansible_hostname: ct-homepage-lab app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_memory: 512 app_container_storage_name: dpool -app_container_storage_size_gb: 5 +app_container_storage_size_gb: 1 app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 @@ -37,4 +37,4 @@ app_gatus_monitored_endpoints: - name: Homepage / via proxy group: Homepage type: https-pomerium-proxy - host: homepage-lab.homecentr.one \ No newline at end of file + host: homepage-lab.homecentr.one diff --git a/environments/lab/host_vars/pomerium/secrets.sops.yaml b/environments/lab/host_vars/pomerium/secrets.sops.yaml index 7e655d7..bba55ce 100644 --- a/environments/lab/host_vars/pomerium/secrets.sops.yaml +++ b/environments/lab/host_vars/pomerium/secrets.sops.yaml 
@@ -1,5 +1,3 @@ -app_pomerium_letsencrypt_email: ENC[AES256_GCM,data:o32R3ulDZVq4QlaZJmOkrx/aG4yHUwg=,iv:9Ul6KltiHnfPs9SLdNvktTR1iwtEz7jrKJ9RzS3ZUyE=,tag:iycUBPx8SVbZQVLxgOZCNg==,type:str] -app_pomerium_letsencrypt_use_staging: ENC[AES256_GCM,data:CqCEgQ==,iv:EdyGmD3jhs4t6qOwsWo6fMPqYuBZ2E3UsF1OFZi8h68=,tag:1vjpbPJmKrPpvzUnMxWnuw==,type:bool] app_pomerium_idp_provider: ENC[AES256_GCM,data:VpQAf9E=,iv:PIREcAiLh9nrTUp6yLwnvyfnAXmnvetoCQWqLswrKXo=,tag:y3b77ECYZ5XgRH2f7lifyA==,type:str] app_pomerium_idp_client_id: ENC[AES256_GCM,data:Wpz/jOMkBel3eUsrpfiRUz7qOdMBSE3/FIYwbXrmKdw8pS5j,iv:bJd0Hwf2Z14oXayoB1Zf0tYxJqupvr3GjMNXuzzrebU=,tag:lmjnOH/jLM87+GuBE/kBLg==,type:str] app_pomerium_idp_client_secret: ENC[AES256_GCM,data:RUAcrW/hIBPpPffbX3XTZDQHqdrYyF1/eByga1yZSiARUl/cdSsNYA==,iv:KPpimeDMB7oxpFMDb8AFZpySGfJtIAnB0ZXaDgzAlyQ=,tag:16b8scdDn8t9nNqKBVRgAw==,type:str] @@ -20,8 +18,8 @@ sops: SHpnRHlnWnBwWUQwTk5jVHJSdEdCUUkK59zwMk1ZNsBdvo4I26Hv7lrrkmJ5jeVE TwbEthfwlCwmCOtId+zuolCZwZbAxrayIdWgtlOCpX0myDrGX0qx4g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-11T20:28:12Z" - mac: ENC[AES256_GCM,data:FBMF5d/OPVNE3BtjbWDQv/QfsBeSH5MSjzEWSZJD4IG2B8FOIFFlFkbDkw6jL9ll20yUlbSd3vSWjsMgMp5/BSn8EBMedCxjZyOmE4AeDbGiT2qdW/14dbCcC2nH62MjMlnwD4D338Rr/CP+Qx9Icm2BZ3sis8fYle/bwlVr2PM=,iv:HmLrKAQotxljdBCLdCY9I9yZOE0AlxlwLKHpBRmuVak=,tag:KMFgSlpEEhZS+LUgtbrDrg==,type:str] + lastmodified: "2024-03-14T16:00:08Z" + mac: ENC[AES256_GCM,data:hrwepSok3V6wN90N6bDWsujXg4s0B1ZL/TuTQE8SEy3yboC44ORDgWbN+EDh5em3+2BC+S/3Ai5GhjGlWAlrPI2UU8/YLVM5VpbI1pD7KmnuWh+bzihewGkNlxfkCzVpX35czd1lDZFMXZkuRY5IScT16WQdk8k2hwGR/7+G63w=,iv:L0FE6/xKCzckL+FGbWn1n4wr+pnVa6APFlUKdPyMwW8=,tag:GvulVRmHZYJK6a29rGplHQ==,type:str] pgp: - created_at: "2024-03-07T21:01:19Z" enc: | 
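Review bot: `app_pomerium_letsencrypt_email` and `app_pomerium_letsencrypt_use_staging` are removed from the lab Pomerium secrets, but the template or role that consumed them is not part of this chunk; if anything still references `app_pomerium_letsencrypt_*`, the play stops on an undefined variable. Presumably Pomerium's built-in ACME client is being replaced by the getssl certificates now configured on the PVE nodes; if so, the corresponding switch in the Pomerium configuration (the lab pomerium.yaml) should be part of the same change so the two do not drift.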
diff --git a/environments/prod/group_vars/all/general.yml b/environments/prod/group_vars/all/general.yaml
similarity index 75%
rename from environments/prod/group_vars/all/general.yml
rename to environments/prod/group_vars/all/general.yaml
index 50df83a..78bfffd 100644
--- a/environments/prod/group_vars/all/general.yml
+++ b/environments/prod/group_vars/all/general.yaml
@@ -1,2 +1,3 @@
 ansible_user: lholota
 ansible_python_interpreter: "/usr/bin/python3"
+domain: homecentr.one
diff --git a/environments/prod/group_vars/all/node-exporter.yml b/environments/prod/group_vars/all/node-exporter.yml
deleted file mode 100644
index 105c404..0000000
--- a/environments/prod/group_vars/all/node-exporter.yml
+++ /dev/null
@@ -1 +0,0 @@
-node_exporter_version: '0.18.1'
diff --git a/environments/prod/group_vars/all/ups.sops.yml b/environments/prod/group_vars/all/ups.sops.yml
deleted file mode 100644
index 94c18b7..0000000
--- a/environments/prod/group_vars/all/ups.sops.yml
+++ /dev/null
@@ -1,41 +0,0 @@ -ups_slave_password: ENC[AES256_GCM,data:IUBe3pMMfxinTFdrPneIf7Rh,iv:J4qRP3TOH+OL1lNsjLSLXi9d1rE8YdGBl2G+Q1v2F6U=,tag:GsLvm6dz2M5jjKRO75k8wA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RXhJZTVqM0tKalQ5RWQz - cUFUM0lsdlFjVi9wZlBtZmZpZzZkMC9hUlVjClI2VW5XdE5talFsemovaitxbjFM - TVAxbHRaSysvcXo1VnhWa3gyckl1R3cKLS0tIFlJNllOcE9OVmFydHlWMk1nbm1x - czhTc3hjY2diUmZuaFdOMDRKVmVZZncKoQ1GwgWjY773aUPwIno02YMr43VI+gge - FV5SPn/6dBuGtycIHc1V6Fh23xbRTTQGZgPaQW19koKVMrJQQ9ravA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-02-13T20:42:43Z" - mac: ENC[AES256_GCM,data:5j6bhdTSFBJQz3SzXSncKqqpGrbr5pG81nS6B1353iZi6ME8Cj6ehvehF59jpI5kFAgSdnqY3y9m5DAK4+JqW/O2g9rYas6ObS5BLsKxgl6/MYxoRcjUaN0dEx7gxTgmuuyR2AWVooR/jHjRaCgathNIYyZGNwNv5joEk4sNF4U=,iv:HSD1cNCKFFn5MbA0E3D25KrNsn/sMSzxYoKVqCKnVqc=,tag:hHCB1JBqA+H2I5Qdjwak8A==,type:str] - pgp: - - created_at: "2023-06-05T09:01:58Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ//SGwbtb8MrrOyr/bN0MOsLGIRzDMJGPsbOGw9nGNC6bm2 - n7SKyD3fZGIiq5MlF2LeqgWge6dDACdkkMD51S37Fddtiuy/u30q/InmyjsMjjR1 - XBLhicdqXpmLRm1dJzUeS+uv/tq0prIdKNT+70RxRd47XB92QReC7EnSFx/YOG+r - URMVYeEE4qZPP608WFZ6u1QXouYnMb/QRQo3gGKdxif8Q4vJDtmErPehz4gaa8fh - h97bSR85393gvkygDgvJ5bSg+Zl9H/KFO3OI/R5PYWfBhHwBZ8xyKtugCow4qt6I - 1N0SIOtSb4VXQk4Xo0O23T7zPcL6VWRmMOWaq1QsVoCWj9GPxD9EP/XVIvX+AslN - 4QL/OW6Z4M+opTrmyKPO5QlJvrl5QiXMLpmTdX8sFAEz2a0/eRCmz84sbAradpee - U92GMhmrO6T952+NHPaSOwNelOiF0LqAkguxsVwrtBB7NjWGJHuotWAruYUjrlF2 - HbQMuFxNyp8ILwm3aDk2ujQ2Jzy3CAcTbVn/WoufiiOAc9CG4BLquhXT0Td8LZJ4 - xFKf/V+JUpV6W4a7Q8BL8xiYoC8mXFP4guSmKNAYPOkuLv+flVJMEsHlOi4usR88 - fBS3OZz39AOHRZMubKycF6vTmCeZ+skX1/CUooMie7jJHWja/D2ZQIJDpg7SbpHS - XgFwQlC73NhXiftdn/n03eGO6lbWxVkGTUoHwXY6G65sLHzb2J8L/YgrzjdptHdK - 
n8M/uLOoqKXVAKfmVdewYbwvl54F7QylBLJ8Gi0lpg2EQeUpEOzSZ00cBLWZfCg= - =r4qP - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/prod/group_vars/all/users.sops.yml b/environments/prod/group_vars/all/users.sops.yaml similarity index 100% rename from environments/prod/group_vars/all/users.sops.yml rename to environments/prod/group_vars/all/users.sops.yaml diff --git a/environments/prod/group_vars/cloudflared_containers/container.yaml b/environments/prod/group_vars/cloudflared_containers/container.yaml new file mode 100644 index 0000000..315d523 --- /dev/null +++ b/environments/prod/group_vars/cloudflared_containers/container.yaml @@ -0,0 +1,5 @@ +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 1024 +app_container_storage_name: dpool1 +app_container_storage_size_gb: 1 +app_container_pve_replication_cron_expression: "*/5" diff --git a/environments/prod/group_vars/cloudflared_containers/secrets.sops.yaml b/environments/prod/group_vars/cloudflared_containers/secrets.sops.yaml new file mode 100644 index 0000000..05769c4 --- /dev/null +++ b/environments/prod/group_vars/cloudflared_containers/secrets.sops.yaml 
@@ -0,0 +1,44 @@ +app_cloudflared_tunnel_credentials: + account_id: ENC[AES256_GCM,data:lHYUZQtyoElAaCmI+UFgmpuvOf2Wc9HMISigDXtG1f8=,iv:N3eWIzlCqwdgg0loMYgwq728sLXI3QeGEO1zenSniyE=,tag:NDWGpbN6GvhKYg+CBlywyA==,type:str] + tunnel_secret: ENC[AES256_GCM,data:zYWl/KGhRhIqekDlICtqkuHb+T/Me4xCfoqTCPrExQRb14NCABhqKH0ySelH2pIAlxY/uB3LPZRXAOp2Z/oE7b2FSaH0amK+yiOomZJ55dZ81m/9VSXA/SWD2hFJ3ZfFJ+4RTirVkqIuujM9VFdvbRa4L1vAd9iWW/DlC3KM1/o=,iv:hM6B/KzFl1TkS+vuq15oYs6j1z0beS8gWsc9bACG7xA=,tag:1NN63rJiSVADlV4qJAIk/A==,type:str] + tunnel_id: ENC[AES256_GCM,data:59gMzw70zaDo1vBW4gQe9K+UgZGFuJNlSaoYFZzTAOgBovhN,iv:yQC44RH+DdrXA9YYvCr4jn0FsHueuah5wmtcjQiCk00=,tag:8QtLFjCbJ0vomLlEDaFGAw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTNpMjB2V3h2a2pJeWNB + QmtZRTVDeERpSTBDYnpsYzVoMkpXTnpTRmtZClpXcTRKQzBUN010OWIzMERoMEhZ + dVJYME5HTmwxeFpIUHNiU3EyazFFRGMKLS0tIC9vZGpsN0d5dWc0RzhLdXk2bnpy + SklacmRSa2ZZOHREdTR0ekRGc0ZmVlEK/qmTVEdCSNwWwciH448cJ4HjCqwFixkV + mqJoQLFUFv5u7sggZ3tKOp+ykwmlsVT6mjuhI3BVJALtUPBKQ35tyQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-14T22:37:26Z" + mac: ENC[AES256_GCM,data:FTn7487oIN5J5sS+9Stm8DcAvJAarGl9z+2bdtB5nu9kRvhD4JYRt00yy8aH5cSXywfyh89mbQq1ZtJXtGB1H0wPJgwMDngVv31TGnGKEIRJyub2ynGjMukOopDcs99ctlndmHVP1DxiOCASYt2HU/snuN3u8sOhput/JiowysY=,iv:IUqst4pi3ZNTuClNr0Ot1r23OZM+qdjsZKD8iRlPHcw=,tag:4Qt/Vix+J/0436zkMsr4mQ==,type:str] + pgp: + - created_at: "2024-03-11T21:28:35Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7Pg+ndCcR5CAQ//TM7gncqbBG572oPVgHhGzJITC/0VnmCaeau7I1TWLGyz + vCe094qMCkBFBTKzpnkQIVvhyK186yojpiSwZkW69OntXXdj14pGVQS20LBhBdxr + 5RZ++wrx+IQxaT+tRWhUPQTA5249Ywo8HxcpTXk4pbAC9w5Ruakgb3ssNdpkIx+g + +v5DTPajpI52f2bP1tNAet5a34Bcz5jxkzQjVVrVcigVw/YO/cFCtZtCoAPA567v + QRYa7OOj4GkVePgl+IjDtGi0G+gsTA9cZWnUb2qyE6XLLJs5j1lct/6wmGzQvi5b + 
0ZrSrPoYuCKEHv2nojKP0yfye+HLcfo84Mudz9dm0UbJvLcSHK9Wa5x0XLaPtB6o + Vg2Vy5cxDQQpyosc1WBS1wrTwRSntPQhyFjd5CfgSbYHh3Q4Ms9J+HlIodHK63+U + ZGArCHdD7a9ezVhNyLp1jmymBI3d3A+zy8a3ZbfsuHjaDIr0dahbO0hgvoDLN8jE + zna4aMDbbfxrL1xQAXfyxhD7jZGoBcLPDQ8uADe5qjyP+p+15+UfUXtRgzTiEEvU + 1ARra95iFpnpXyc9g66ODYa5LmCYv4QnBDbcDUWXCzHK80sFzuk/ak7pgjRoAHUo + rFFk48Bufy1r2rztpG+fWUfGRjAtuHhitBvU8D6aFEn5VuTNxASlLO84kfAArZXS + XAG44iMMhwmww7HeKHfBtI7ZE6aoi8/1qnsTDuRUCXP8qg+z6E1H8ik1c9215EOG + 2qeUzhcu3x5H+CyFwISbp4gR8P1BczUL8cevkjGP1TamQXUVYCeCsaHSTr3e + =Uq6G + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/environments/prod/group_vars/k8s_cluster/argocd.sops.yml b/environments/prod/group_vars/k8s_cluster/argocd.sops.yml deleted file mode 100644 index 9a7e0ce..0000000 --- a/environments/prod/group_vars/k8s_cluster/argocd.sops.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -argocd_oauth_url: ENC[AES256_GCM,data:0On09iKQFK6HfpqjbEImeYWZKAdVqmCAa0yRPmHzHzPpE7dEZH5YewOZxascKQ/ZWDysWggSOL+4A/yzl/CBzXc6wbni6hJL+uAX,iv:W1+C10y43RytcXBhhxtazJql4fYTWTCTzFaps3wfWCc=,tag:CntulaSnDT4Kt0khirgCcA==,type:str] -argocd_oauth_client_id: ENC[AES256_GCM,data:InFqqsfEfGyDxGaUkzA4oBStkPIo0+bR1xE2WXAKX33jVXQq,iv:/vjzP5kwcqo6lbbSjUxqm6ugJxETnclRETGFxz4z1q4=,tag:iJybxeKvSirDhUVD3rzXDQ==,type:str] -argocd_oauth_client_secret: ENC[AES256_GCM,data:pv4rjz4i62rch+7xAliVLtWXH2YrHOF4xVWuVooBitvcXoVUrcweDA==,iv:JI9EqSre7P35M0vfInvbefG56vUAv5XKfvusOMYVIt8=,tag:OEKLR8QN5UdL6LCW2TnFpA==,type:str] -argocd_sops: - public_key: ENC[AES256_GCM,data:z2nluQHqqGFwsb1EcyIa34y8rDlYRp7aJmrsZ7ILpmGi8maNJiAPsUTa5Ev8lDsPQbeO/Xh66r0XdjUS0OY=,iv:5vTm0EuaeJqwEgEtOmpIII72/Ik3OJtunYzzi5SxlB0=,tag:gmq7VP7nP+p5Frv2KsYPpA==,type:str] - private_key: ENC[AES256_GCM,data:d398ZqrSzUbmyNuRt8gdkiHmp8rMM3Jt2AhXRhzEcHmGj+qZMdwJcnVX8H0PySFaaaBNo0885jR3PawAQkDddSBgiVdni51JNCM=,iv:ypBefMkJYmEsN0pGEIgXDzH8Gu4rUWwTRGOJ0VBrQ40=,tag:uvyLZSG8c9HH9k54GhQd9Q==,type:str] -argocd_github: - token: ENC[AES256_GCM,data:c6r2pzVCaRrEptbbwDW4bg4hitnQlBbw7vyq/XqM8Spw3Zo6fRCXuHbmT3qDbbgxRvc9J1TTTFI3pYBROvB2xsNgbxZ2Q+zmSGSqHtXtKf1EMRA41GIBa8a/cnZP,iv:sBxdszp4K2h9owXAfqFafGRSbr7ENUnliFmjwKqpSM4=,tag:atP8xZAZZ7XXVTr9eD9yqw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoa25FZ2kzeDJUa3R2eWRa - akV6bjNjbzFVdWdZQ1ZFSDJCUGNIV3VmeHlrCjZKTzVvZWFXd3ZHNk1yMWJoZDhZ - SG9RTGViS0o5MmRYMEh1Y3dCS1U3alEKLS0tIFFoL0pKT2dlMnZZVnJEQ3dId3ND - Vm5WbkVvTU5lY1FtRnRudEpJZmxvOGMK/wHIisN0llv5njFAQMj18Sj0gLFi4jM+ - 0Nh+g3hnDB8IUwmvBopFvkPQUGruqT1S/ggzp51Z0AM9q61MfFB25g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-22T13:09:59Z" - mac: 
ENC[AES256_GCM,data:77+mwbTt539JR9AXvBHtXj/U5hnHX0FYjdLieOsZM9bEzzn4LS0mDXefRl+lxFTEjLEy9JTTRbHIYd3W0N29FvdXXz1/ML9NN013eBemw4wlHwYh8pTx4HX7seDLCEvWyHKNZjj0ta+P9fcdeST5Pip4MmfvlHDMwVH+d6mi7gU=,iv:B/mG3bOG/McuBfjieey9aMnmIuLKMu6fFUu+I17FnHY=,tag:2ziwL3cH3NTVGn5gwM7exQ==,type:str] - pgp: - - created_at: "2023-06-05T09:02:01Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CARAAnGWpDSIdPLuIOeRE6edMp753HkJZL4SBFswJ8JZq3PY4 - YmLynPMxX1f4mJjyxGGuheV7lKUwpPsHV6GvH9gSQVS4xwqImhI0EHRZPlefZhW9 - zNEiJxF7wW67v4EZs9goWnmPTyG9kuqb2MvYC7uENfFMKMEGohRJTuWURM681YUR - +D/gRwL9gs74K5uB+4PiVG2t5VGJxbOpsOe02oWbLmApJTToLXDukFv4spQ0sVuG - fAS2gkzHoE4I+KOLmHyvQpLEWnpsOBS5f+dV1OtHcsdWvwyRyvGutX7litUTiSwB - gh+B06fx2fLV2vvSusU4u3RsG9JLbY4suJhlod9Xr/quuMe3/oyrnWxilNYT7Af1 - jvfohDVFqat5URkGgTVXMokjp09CDswCbm6+gKIYxtHvFcoZPKUwXrlGpkqFvLZO - SPuy8Pq+nZ6CmPMK9Ab0zxf9+2LnK3UtsEF5oo94qK4G21z7GlGP02L7g/sQAYs/ - NQoWp0pr9i0QjYa0xELqDBFab4fU2BJuyHmcIA0ll38BDlfxletgggyyoBKjQVm7 - lUeDCtwiub2GuMm272eEaQZVTYuuSUkBfc1TQPm9ahGocOGEfbFpHMIac9mWoBBW - cZBZKAcFSYDbR2YtyZ3XlfwAlcWmURPJG/UaJICDZdVBOO2arta/9ubmlNfRPv/S - XgEEVvRat0F2HGoqcJytU5I4TBKTKgVmcdkO3m7LjcxRfj+rWW4hpuyPvV5eQ8/9 - MIX3iPsaG8b+z6u5FbthPEHtSfYBu931asuEDsBTbmCYQrmIiH0p+/RBLqSVR2o= - =0DU2 - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/prod/group_vars/k8s_cluster/argocd.yml b/environments/prod/group_vars/k8s_cluster/argocd.yml deleted file mode 100644 index ff108ba..0000000 --- a/environments/prod/group_vars/k8s_cluster/argocd.yml +++ /dev/null 
@@ -1,12 +0,0 @@
-argocd_kubeconfig_path: /etc/rancher/rke2/rke2.yaml
-argocd_url: https://argocd.homecentr.one
-argocd_admin_group_id: 64d004bd-9218-4fae-9919-0505ff5eeb8e
-argocd_git_repository_url: https://github.com/homecentr/kubernetes.git
-argocd_git_ref: master
-argocd_git_refresh_interval: 30s
-argocd_environment: prod
-
-# Make sure the chart version contains the app version below
-# The app version drives the CRDs and should be bumped before upgrading the app itself
-argocd_chart_version: 5.24.0
-argocd_app_version: v2.6.7
diff --git a/environments/prod/group_vars/pve_nodes/firewall.yaml b/environments/prod/group_vars/pve_nodes/firewall.yaml
new file mode 100644
index 0000000..3ee9c6d
--- /dev/null
+++ b/environments/prod/group_vars/pve_nodes/firewall.yaml
@@ -0,0 +1,65 @@
+pve_cluster_firewall_enabled: false
+
+pve_cluster_firewall_aliases:
+ - name: subnet-home
+ cidr: 10.1.3.0/24
+ - name: subnet-services
+ cidr: 10.1.2.0/24
+
+ - name: pve1
+ cidr: 10.1.2.11/32
+ - name: pve2
+ cidr: 10.1.2.12/32
+ - name: pve3
+ cidr: 10.1.2.13/32
+
+ - name: cloudflared1
+ cidr: 10.1.2.70/32
+ - name: cloudflared2
+ cidr: 10.1.2.71/32
+
+ - name: mqtt
+ cidr: 10.1.2.67/32
+
+ - name: homepage
+ cidr: 10.1.2.72/32
+
+ - name: pomerium1
+ cidr: 10.1.2.66/32
+
+
+pve_cluster_firewall_ipsets:
+ - name: management
+ items:
+ - type: alias
+ name: subnet-home
+ - type: alias
+ name: monitoring
+ - name: proxmox
+ items:
+ - type: alias
+ name: pve1
+ - type: alias
+ name: pve2
+ - type: alias
+ name: pve3
+ - name: pomerium
+ items:
+ - type: alias
+ name: pomerium1
+ - name: mqtt
+ items:
+ - type: alias
+ name: mqtt
+ - name: monitoring
+ items:
+ - type: alias
+ name: monitoring
+ - name: homepage
+ items:
+ - type: alias
+ name: homepage
+
+pve_cluster_firewall_security_groups: []
+
+pve_cluster_firewall_rules: []
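Review bot: Both the `management` and `monitoring` ipsets contain `- type: alias` / `name: monitoring`, but no alias called `monitoring` is declared in `pve_cluster_firewall_aliases` (the declared names are subnet-home, subnet-services, pve1–pve3, cloudflared1–2, mqtt, homepage and pomerium1), so the role will presumably fail or produce a dangling reference when it creates those ipset entries. Either add `- name: monitoring` with its CIDR to the aliases or remove the two references. The file also ships with `pve_cluster_firewall_enabled: false` and empty `pve_cluster_firewall_rules` / `pve_cluster_firewall_security_groups`, so nothing here is enforced yet; a header comment such as `# Firewall objects are staged here; the cluster firewall stays disabled until rules are defined` would make that state explicit rather than looking like an oversight. Minor: the double blank line before `pve_cluster_firewall_ipsets` differs from the single-blank-line spacing used elsewhere in the file.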
diff --git a/environments/prod/group_vars/pve_nodes/general.yaml b/environments/prod/group_vars/pve_nodes/general.yaml
new file mode 100644
index 0000000..5b89d7c
--- /dev/null
+++ b/environments/prod/group_vars/pve_nodes/general.yaml
@@ -0,0 +1,55 @@
+# This is required for VNC proxy between the nodes
+ssh_allow_root_login_trusted_clients:
+ - pve1
+ - pve2
+ - pve3
+
+pve_zfs_max_arc_size_gb: 4
+
+pve_cluster_options_migration_network: 10.1.7.0/24
+
+pve_cluster_ha_groups:
+ - name: critical-priority-pve1
+ nodes:
+ - name: pve1
+ priority: 1000
+ - name: pve2
+ priority: 1
+ restricted: false
+ nofailback: false
+ - name: critical-priority-pve2
+ nodes:
+ - name: pve1
+ priority: 1
+ - name: pve2
+ priority: 1000
+ restricted: false
+ nofailback: false
+ - name: critical
+ nodes:
+ - name: pve1
+ priority: 1
+ - name: pve2
+ priority: 1
+ restricted: false
+ nofailback: false
+ - name: non-critical
+ nodes:
+ - name: pve1
+ priority: 1
+ - name: pve2
+ priority: 1
+ restricted: true
+ nofailback: false
+
+pve_domain: homecentr.one
+pve_nameservers:
+ - 1.1.1.1
+ - 1.0.0.1
+
+pve_smtp_host: 10.1.2.130
+pve_smtp_port: 25
+pve_smtp_tls: false
+
+pve_ct_templates:
+- http://download.proxmox.com/images/system/debian-12-standard_12.2-1_amd64.tar.zst
diff --git a/environments/prod/group_vars/pve_nodes/general.yml b/environments/prod/group_vars/pve_nodes/general.yml
deleted file mode 100644
index 5b45956..0000000
--- a/environments/prod/group_vars/pve_nodes/general.yml
+++ /dev/null
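Review bot: `pve_ct_templates` fetches the Debian 12 container template over plain `http://` with no integrity check, whereas the prod general.yml deleted in the next file section pinned its cloud image with a `checksum: sha512:…` entry; unless the role downloads through `pveam`, which validates against Proxmox's signed template index, the template should be fetched over `https://` and pinned with a checksum in the same way. Also, `pve_ct_templates` is the only sequence in the file written flush (`- http://…`) while every other list is indented; indent it to match. The HA groups `critical` and `non-critical` place workloads only on pve1 and pve2 even though pve3 is listed as a trusted node above — presumably deliberate (a quorum-only node, say), but a comment such as `# pve3 intentionally excluded from HA placement` would save the next reader the question.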
@@ -1,22 +0,0 @@ -# This is required for VNC proxy between the nodes -ssh_allow_root_login_trusted_clients: - - pve1 - - pve2 - - pve3 - -pve_zfs_max_arc_size_gb: 4 - -pve_domain: homecentr.one -pve_nameservers: - - 1.1.1.1 - - 1.0.0.1 - -pve_smtp_host: 10.1.2.130 -pve_smtp_port: 25 -pve_smtp_tls: false - -pve_vm_cloud_images: - - filename: debian-12.1.0.qcow2 - url: https://cloud.debian.org/images/cloud/bookworm/20230723-1450/debian-12-generic-amd64-20230723-1450.qcow2 - format: qcow2 - checksum: sha512:398589d1baa0c1a79358d2c6f14ba9212c25419df2693c513645cb493e15e19952f873703f27d87c491272a478f51a957fb26b21f485dca5933db6be37207d59 diff --git a/environments/prod/group_vars/pve_nodes/secrets.sops.yml b/environments/prod/group_vars/pve_nodes/secrets.sops.yaml similarity index 76% rename from environments/prod/group_vars/pve_nodes/secrets.sops.yml rename to environments/prod/group_vars/pve_nodes/secrets.sops.yaml index 5de24cc..d44bb08 100644 --- a/environments/prod/group_vars/pve_nodes/secrets.sops.yml +++ b/environments/prod/group_vars/pve_nodes/secrets.sops.yaml 
@@ -21,12 +21,14 @@ pve_users: - scope: ENC[AES256_GCM,data:Cg==,iv:2RvUL3kotpA/kcwh+PobdoWWSaqgfpnLUgqlDzfvIAw=,tag:UZZ88ahjivHWniJrhEJyvQ==,type:str] roles: - ENC[AES256_GCM,data:aHCPHTCOUwVcoZ7jSg==,iv:MjsGcG5XBi0mhsXuAIKgpkrxq+omCFTDtdDLuKYwAtA=,tag:WPnV29kkE51om/JIvX08Lw==,type:str] -pve_acme_use_staging: ENC[AES256_GCM,data:ZyF358A=,iv:mde9StnxYgLGNnDLZQaI2D3DK8cQcI3yHgQdV00EJFU=,tag:K4K2aPqt7387Xj1if5HbQQ==,type:bool] -pve_acme_account_email: ENC[AES256_GCM,data:QoJGpYPNciEyiHp0291Z3PcMCG1Cfw==,iv:7fq7z/nVGT/RUBK9HB3nfxOKBsbaGQBQJ6aToSuhjTM=,tag:Lw6s3K/FpiRRHMFzxXh87g==,type:str] -pve_acme_root_domain: ENC[AES256_GCM,data:Q90ej5F+P+BRgonXgQ==,iv:N4BlGzRWiiLdFy8vLQihUrCepSGaMDdcs5iiPH5uDLk=,tag:OAo4tXasIly7ZHcLo0Kw4A==,type:str] -pve_acme_proxmox_hostname: ENC[AES256_GCM,data:xhXA,iv:pbKgDfDjn8CT3IedxRltQnj5UX86DYRJjXTZ5JhmLgw=,tag:K2cgi92WIMcS4/G+8aZv5A==,type:str] -pve_acme_cloudflare_account_id: ENC[AES256_GCM,data:cco7I6c6EydDXEkfCGIfRHy4U2a36uRRoAn5CqxH1Ms=,iv:hyfNl/3MTtkNgZJJgQ4JG6fB180RWou/LhRQELYorW8=,tag:mEr8XhjytE0L691PTXTyNA==,type:str] -pve_acme_cloudflare_token: ENC[AES256_GCM,data:eaNqaExttS5YY17WV4FhwnoKcPJz87MyctB8oX073WOMTlbSbfvkWw==,iv:BvhlqCrZq2HKjUuySCghbnSldyo8aDB8FFlbGbOGoqE=,tag:bDgkgZk1K/Hbj31GKJg0JQ==,type:str] +getssl_version: ENC[AES256_GCM,data:z19Gww==,iv:LR3j0Qs3cKM6RqPggKjclbnlilKv4PMZZWjjL98kt3k=,tag:4fVk2UQWLe5PP7CCaxxvRA==,type:float] +getssl_acme_email: ENC[AES256_GCM,data:6K86ki50K+ySrvTqQFG5n2DuAkY6ShA=,iv:EKfpa/RMVNm5qmfzRQXvQ3MgINSp44MsnIkk2nrBrpI=,tag:6ZdNE9SQ1sxyTg94Zf2rYw==,type:str] +getssl_certificates: + - domain: ENC[AES256_GCM,data:1dSKHfcpBvXqqevb1CIZ,iv:vmNvV/1kdgpFXa6fD122sW+zg2Ohninl0lphB7jaUEY=,tag:hB+BCpvY9NUXRpbAQeo8/Q==,type:str] + pveproxy: ENC[AES256_GCM,data:nce3Yw==,iv:vgv/qEJAgBRroHv2SEP1pfJbuUg9IvKGmdnmxasYWok=,tag:K1Rnv3hXr2dQnnkttyQXRw==,type:bool] +getssl_cloudflare_email: 
ENC[AES256_GCM,data:8oS0LQt1MVH8dPwZ7Xwq+2vAs799Mw==,iv:rgjAafCDLtKQfGSKOXG6Sv7foFvoCOdv9n6mI+hmbro=,tag:n4qkIbDkC92lcym8CD13pg==,type:str] +getssl_cloudflare_api_token: ENC[AES256_GCM,data:YEG3q5gMQ405UNqal6o4sQ95CNLMFrxjnBdlbHwxEvMEerhkRVMOzg==,iv:maYf2UCkIwwYKOLvy+PDSsG1LDgR8AbvGeduXcVKVms=,tag:i2f8PyLgv3wFe+Ir86aaCw==,type:str] +ups_slave_password: ENC[AES256_GCM,data:lmUebjuRsVL0qnP7g53bnGb6PMONZI1OzikV,iv:vPzdPgjMA5AMXXbI9f2K/zE2OgbbNSOJgxntKGuYcPI=,tag:YDBva18phZQG+FOD42wGJA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -42,11 +44,11 @@ sops: K2p6NzNleVJLVXIwR3gvdFk3VjNuSnMKVoTukJFUyfcpAi2Sihnhzy8zpFBiHJrM Mhsg+k/UeeDGy8dntttNwwLUiDoZSy2q4yWjJo2ZL8dNJIfxx0UWxA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-24T08:32:22Z" - mac: ENC[AES256_GCM,data:oFWJinolU7h4j6Mh8KmYg9wZXLfZ040QHIMTF9t5VPUaDp4gVfEsETXzqZM2NAJbEfjGlcg4UBfGdlUiq6P4r7876KIymG5w4HCME/qLItTRqvV+gTgzbrCZ+GH6sIERGkvAueVUq04NmpRSJCecjcKZGqnrXsOIWV76STjggtE=,iv:fEXbNPfN+mY7+5796CTK0gN6Js/5nEk818EocZ7XI+A=,tag:F/FnCrtSynURhdEiZQxQiQ==,type:str] + lastmodified: "2024-03-14T15:54:37Z" + mac: ENC[AES256_GCM,data:24kUMCacmUZQKR8eXJm48AqyYLVWQyYk06QMMIlcAzFQT2HPLYJ07Zk0eXeNzq4A4qrBaw6SOx4Sl06K5HduHL7eLbP4s074nOfmus1IgDZQPYPgjLcH6GL0m/SF1cBMbTUxVMyTCktxgdTxuYk3TacGhhocbychkTuGC2mBAQs=,iv:vv34m8IVyeo2qgdTjtOIN8Xqh/WidNn0BkAPtqmlZpE=,tag:yagwLgxfqLrrn0XHtaVdvg==,type:str] pgp: - created_at: "2023-06-05T08:58:32Z" enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//e3QKIVOOfBuOF2Q3avCCJNjI8PEJ93pTo/FzTQYYGUOU\r\nOacmnaizo/c3f9IUjax0jbtt2TepYyU0xNmQLZPMjH+mv3l5fzShjUjbtyJyrEJN\r\ncDSV9uktt5BCYKU7wfixK+aNlu8v+5TSPh67DzfX8gnObp5FuZl9lZfFG34nKTuM\r\nIQ2/1h+jiqX1YzTlen43oYGw2vl9AN+irWaKHFXcp4MrJ09RmwdNN6BQERXyBggq\r\nvYyOO46D2zfB6LpvZOsYsLIQ5r2Q5HkT6iYIBQdiiYcXXblkFub4QX1Xidhqbye8\r\nkF3xWPSM4Ah2E/Vle8K0WaECBEjEgntGQUG9Ox1Rx4TZu2dE/kYzbSSZJEAjOrdq\r\nLmjjoeZb9GgulVx8bosB+nu5uBLFENUFRAX13/OIV3wFMgWNq4GEuFx4o1bAYGyY\r\nQJBQPPTNWAg7KILXHJGurkPJQFm+97wJr6movUbYIm8kZQddUltoHuU+WF2ziTii\r\ntlavjA5+YBlww3fLvxAwOGbMLDew7QVdS+jlytAFE/WiY4+DevhCscZ0HMFC8gxF\r\nHGTHQoGMmrDRbceuOLfjAriGJGteAzFTA92U8tFNiHMDtOOI6A0ZWy3qdSWVECid\r\nD9vj0i/eLei30Fsx8Cy572oTqt8aP2/hEZLtxUfLj3JDWq/D1AAStuUEFPFvqKrS\r\nXgFqcNjohYoLdsm2ARos+Jpp0UIQn8pnqLlqzdaj3Lg6OymMwaP+NoTg8vKs9WCb\r\n53ui5uz1ds2oQRkFAFibUap+Mb9iNo4xgSjtRenS7KoGqQr1xWVHASSHffP7kgk=\r\n=/TSI\r\n-----END PGP MESSAGE-----\r\n" fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 
diff --git a/environments/prod/group_vars/all/ups.yml b/environments/prod/group_vars/pve_nodes/ups.yaml
similarity index 100%
rename from environments/prod/group_vars/all/ups.yml
rename to environments/prod/group_vars/pve_nodes/ups.yaml
diff --git a/environments/prod/host_vars/cloudflared1.yaml b/environments/prod/host_vars/cloudflared1.yaml
new file mode 100644
index 0000000..7c4c42f
--- /dev/null
+++ b/environments/prod/host_vars/cloudflared1.yaml
@@ -0,0 +1,13 @@
+ansible_host: 10.1.2.70
+ansible_hostname: ct-cloudflared1
+
+app_container_network_interfaces:
+  - name: eth0
+    bridge: vmbr0
+    ipv4_address: 10.1.2.70/24
+    ipv4_gateway: 10.1.2.1
+
+app_container_pve_node: pve1
+app_container_pve_ha_group_name: critical-priority-pve1
+app_container_pve_replication_nodes:
+  - pve2
diff --git a/environments/prod/host_vars/cloudflared2.yaml b/environments/prod/host_vars/cloudflared2.yaml
new file mode 100644
index 0000000..b413cbc
--- /dev/null
+++ b/environments/prod/host_vars/cloudflared2.yaml
@@ -0,0 +1,13 @@
+ansible_host: 10.1.2.71
+ansible_hostname: ct-cloudflared2
+
+app_container_network_interfaces:
+  - name: eth0
+    bridge: vmbr0
+    ipv4_address: 10.1.2.71/24
+    ipv4_gateway: 10.1.2.1
+
+app_container_pve_node: pve2
+app_container_pve_ha_group_name: critical-priority-pve2
+app_container_pve_replication_nodes:
+  - pve1
diff --git a/environments/prod/host_vars/frigate/cameras.sops.yaml b/environments/prod/host_vars/frigate/cameras.sops.yaml
new file mode 100644
index 0000000..af4724e
--- /dev/null
+++ b/environments/prod/host_vars/frigate/cameras.sops.yaml
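Review bot: Both cloudflared host files omit `app_container_ostemplate`, `app_container_memory`, `app_container_storage_name`, `app_container_storage_size_gb` and `app_container_pve_replication_cron_expression`, which every other container host in this commit sets explicitly. Presumably a group_vars file for the new `cloudflared_containers` group supplies them, but that is not visible here; if so, a one-line comment such as `# sizing and template come from group_vars/cloudflared_containers` at the top of each file would tell the next reader where to look, and if not, the containers fall back to whatever the role defaults to.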
@@ -0,0 +1,46 @@ +app_frigate_cameras: + - name: ENC[AES256_GCM,data:K25rEW2YZ9k=,iv:3F+cPXgvnpqDX3Jul8Bd+CpgUVK4EBk6SSqK/7nsiTk=,tag:MjTIJKnJNRrm9r1C5DAILw==,type:str] + type: ENC[AES256_GCM,data:VWA/UV1mWA==,iv:wnOsUQPwYyluSKd+pgzBXrNlFNYdsUuV7iMOEg3zLCY=,tag:Bf90sQ0Xi/6GY6gGnAm2Sw==,type:str] + ip: ENC[AES256_GCM,data:bcgx95kQUEEF,iv:URoVES75H5OaTjoPnwrTacxvoS0pWrIdDopMDo1qRpk=,tag:yS/IoVOFbunyXFxET3lubQ==,type:str] + username: ENC[AES256_GCM,data:Jb/lH4qKqw==,iv:N6rrdzEnaS6IkvyuH/GVsNsutzkrx1wZ2kWnVo37NE4=,tag:kbWDUwIZNcSPzJsTv9E7ZQ==,type:str] + password: ENC[AES256_GCM,data:IvToLCZj1wq5KH2MQaaTu7dCQcSWW8LdxLnykcs=,iv:yB03KVTEtB5PwXvv4zfj/zMQLKIr76fNjjv3rcyc2bA=,tag:CKw79/Hye5imT3v4Blp0sw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWWFad3hDUi8vWFpIQ3E1 + QktDNVVtdXluVlQ1UzJjQ1BZWFRXUlpUc1NjClV2WEd0bFRhK2JlcDBwOUVUWmNo + RHBFbWFsY1lRYWtaRE5ScXBrZ0UzanMKLS0tIDByNmd0K3drUUpGU3hmcmJUQmpu + L0w0ZXlhN2hPS0xWR0lITW96Mm5kMU0KgOqDc2YVPVQtP2+5lfjUXyFLMj0idIEn + NnVcBcGCpRaU2NOh2vTSIJTPDF8oq1wCR1MCxycKV4U9Za5caPurbw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-14T15:14:03Z" + mac: ENC[AES256_GCM,data:vqkakCWFV2k9zct5w2vDpvJTsdsrU86TVTplcrMOZm3e9dPMDARpHXZI4vYBTBPtU7JNhDNFgQNPUB/D/A+Ig5BGvL3C1iPmKTvmGjv/w4NaEn8yRj4k0+2h5XSZNEaIQoq65Ymzbbkz714kuTRn2ctrQxfJCbj8Tas9aoDbM/0=,iv:FaTwuWFR7FPpNMuufSUsiL5AhgMWc+9KLr3tfRMpyK0=,tag:GT/yiuF5LY1RS2uql2OIlA==,type:str] + pgp: + - created_at: "2024-03-14T15:10:37Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7Pg+ndCcR5CAQ//chnODy6vHHlkjG7FCrZIk3sL6OgnSjadjNhoxTvuYEuK + WNIiS1zMw3aVVrqVYq1+SXeUgwPTB63GP1fzNrLYY9B4g1zvxq4ySjQ1l5AFtKse + PmOcPWQrkSzahquMFsNDiJlwEIlVmoAm1V14uI85TehIBmXjlBIJcckvikkf2xBi + /7FGoLqXdnrpCdeEYWIiujujJF1saIuhBWLEcPyzzL7fgtlrOQH+IcTkqLvEP92k + 
p0FA4152ohwP2duAsH4By3AR5iWTywP19tKzp7E/cu16g0cbqbD/L7kpoMB1wkmI + 6nXJ5SHrSZ1RD7PppX/PQbeTOaYRbW6jnqLvI/2AOx8ChNO6DdXJr4qi/TuTyAQR + RSapnAyYVyfxffQdozT0vjJPrHR7AQSlz6q3/3O0b4VL3SkUDH8eoLjaIIAt0oz5 + 57Fjrrr9gtRdLZM+DrxFqmUk+q0PFEmriYY0gqBjDeTMS/gWJ7r4DoBgsH5QeN4p + zti3fEEysaVUVs5GaDKeV2yXgT3j3DqVdiLGoO7YeLiO4uAU4Z2gOPZs+vy7Xptb + UVGgQqm6BQe9pkEq94zbGqSe9+6+16pZ/PGeGZ+riE8XvioJ2r+O9M/zaSO8dSn6 + IKkxeWDcvDD4LL6KJyqT8uWtYncKEorMp6TRa7ZGaj6gbPQXhhPKUVqt79Yj1lfS + XgFpmG+dMte5yG5aX5WyFzfk9GqVJck2LU3HoQyOb7KqA5KblSZc54jESc1mkH2d + tALRYJzfO18P9RNv9HWtVKBgr4GZ42XR13r3rOJAF9mypPkOp9bCoCvT8kAGmF0= + =ltPj + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/environments/prod/host_vars/frigate/container.yaml b/environments/prod/host_vars/frigate/container.yaml new file mode 100644 index 0000000..7c38e03 --- /dev/null +++ b/environments/prod/host_vars/frigate/container.yaml 
@@ -0,0 +1,50 @@
+ansible_host: 10.1.2.69
+ansible_hostname: ct-frigate
+
+app_container_docker_support: true
+app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
+app_container_memory: 2048
+app_container_storage_name: dpool1
+app_container_storage_size_gb: 5
+app_container_pve_replication_cron_expression: "*/5"
+app_container_network_interfaces:
+  - name: eth0
+    bridge: vmbr0
+    ipv4_address: 10.1.2.69/24
+    ipv4_gateway: 10.1.2.1
+
+app_container_mounts:
+  - type: disk
+    storage_name: nvr-pool
+    index: 0
+    size_gb: 2500
+    target_path: /nvr
+
+app_container_pve_node: pve2
+app_container_pve_ha_group_name: noncritical
+app_container_pve_replication_nodes:
+  - pve1
+
+app_frigate_image_tag: 0.13.2
+app_frigate_cache_size_gb: 4
+app_frigate_shm_size_gb: 1
+
+app_pihole_records:
+  - hostname: frigate
+    type: pomerium_proxy
+
+app_pomerium_routes:
+  - hostname: frigate
+    target_port: 5000
+    auth_mode: users
+
+app_gatus_monitored_endpoints:
+  - name: Web UI / container
+    group: Frigate
+    type: http
+    host: ct-frigate
+    port: 5000
+  - name: Web UI / via proxy
+    group: Frigate
+    type: https-pomerium-proxy
+    host: frigate.homecentr.one
diff --git a/environments/prod/host_vars/homepage/bookmarks.yaml b/environments/prod/host_vars/homepage/bookmarks.yaml
new file mode 100644
index 0000000..75da61f
--- /dev/null
+++ b/environments/prod/host_vars/homepage/bookmarks.yaml
@@ -0,0 +1,39 @@
+app_homepage_bookmarks:
+  - Homelab:
+      - "Homecentr documentation":
+          - icon: /icons/homecentr.png
+            href: https://docs.homecentr.one
+
+      - "Homecentr on Github":
+          - icon: github-light
+            href: https://github.com/homecentr/
+
+  - "Cloud tools":
+      - OneDrive:
+          - icon: /icons/onedrive.png
+            href: https://onedrive.com
+
+      - Gmail:
+          - icon: gmail
+            href: https://gmail.com
+
+  - "Cloud infrastructure":
+      - Azure:
+          - icon: azure
+            href: https://portal.azure.com
+
+      - Cloudflare:
+          - icon: cloudflare
+            href: https://cloudflare.com
+
+      - PagerDuty:
+          - icon: pagerduty
+            href: https://pagerduty.com
+
+      - SendGrid:
+          - icon: /icons/sendgrid.png
+            href: https://sendgrid.com
+
+      - Dynadot:
+          - icon: /icons/dynadot.png
+            href: https://dynadot.com
\ No newline at end of file
diff --git a/environments/prod/host_vars/homepage/container.yaml b/environments/prod/host_vars/homepage/container.yaml
new file mode 100644
index 0000000..d93d860
--- /dev/null
+++ b/environments/prod/host_vars/homepage/container.yaml
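Review bot: bookmarks.yaml is committed without a trailing newline (`\ No newline at end of file`), and the same applies to services.yaml, settings.yaml, widgets.yaml, environments/prod/hosts.yaml, playbooks/_all.yaml and, in patch 30, roles/app-pihole/tasks/dns.yaml. yamllint's `new-line-at-end-of-file` rule flags this and every later edit to the last line shows up as a two-line diff; ending each file with a single `\n` fixes it. This is a style point only, the data itself parses.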
@@ -0,0 +1,40 @@
+ansible_host: 10.1.2.72
+ansible_hostname: ct-homepage
+
+app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
+app_container_memory: 512
+app_container_storage_name: dpool1
+app_container_storage_size_gb: 1
+app_container_pve_replication_cron_expression: "*/5"
+app_container_network_interfaces:
+  - name: eth0
+    bridge: vmbr0
+    ipv4_address: 10.1.2.72/24
+    ipv4_gateway: 10.1.2.1
+
+app_container_pve_node: pve2
+app_container_pve_ha_group_name: noncritical
+app_container_pve_replication_nodes:
+  - pve1
+
+app_homepage_image_tag: v0.8.9
+
+app_pomerium_routes:
+  - hostname: homepage
+    target_port: 3000
+    auth_mode: users
+
+app_pihole_records:
+  - hostname: homepage
+    type: pomerium_proxy
+
+app_gatus_monitored_endpoints:
+  - name: Homepage / container
+    group: Homepage
+    type: http
+    host: ct-homepage
+    port: 3000
+  - name: Homepage / via proxy
+    group: Homepage
+    type: https-pomerium-proxy
+    host: homepage.homecentr.one
diff --git a/environments/prod/host_vars/homepage/services.yaml b/environments/prod/host_vars/homepage/services.yaml
new file mode 100644
index 0000000..5e25c93
--- /dev/null
+++ b/environments/prod/host_vars/homepage/services.yaml
@@ -0,0 +1,4 @@
+app_homepage_services:
+  - Apps: []
+  - Development: []
+  - Infrastructure: []
\ No newline at end of file
diff --git a/environments/prod/host_vars/homepage/settings.yaml b/environments/prod/host_vars/homepage/settings.yaml
new file mode 100644
index 0000000..33cf2f1
--- /dev/null
+++ b/environments/prod/host_vars/homepage/settings.yaml
@@ -0,0 +1,8 @@
+app_homepage_settings:
+  title: Homecentr
+  favicon: /icons/favicon.ico
+  background: https://images.unsplash.com/photo-1519681393784-d120267933ba
+  backgroundOpacity: 0.3
+  theme: dark
+  color: neutral
+  headerStyle: clean
\ No newline at end of file
diff --git a/environments/prod/host_vars/homepage/widgets.yaml b/environments/prod/host_vars/homepage/widgets.yaml
new file mode 100644
index 0000000..6ab1887
--- /dev/null
+++ b/environments/prod/host_vars/homepage/widgets.yaml
@@ -0,0 +1,4 @@
+app_homepage_widgets:
+  - search:
+      provider: google
+      target: _blank
\ No newline at end of file
diff --git a/environments/prod/host_vars/kube1.yml b/environments/prod/host_vars/kube1.yml
deleted file mode 100644
index b5390ff..0000000
--- a/environments/prod/host_vars/kube1.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# Common
-ansible_host: 10.1.2.21
-ansible_hostname: kube1
-fqdn: kube1.homecentr.one
-
-# nVidia drivers
-nvidia_drivers_install_containers: true
diff --git a/environments/prod/host_vars/kube2.yml b/environments/prod/host_vars/kube2.yml
deleted file mode 100644
index ad78dc8..0000000
--- a/environments/prod/host_vars/kube2.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# Common
-ansible_host: 10.1.2.22
-ansible_hostname: kube2
-fqdn: kube2.homecentr.one
-
-# Kubernetes
-k8s_node_label:
-  - homecentr.one/coral=true
-
-# nVidia drivers
-nvidia_drivers_install_containers: true
\ No newline at end of file
diff --git a/environments/prod/host_vars/kube3.yml b/environments/prod/host_vars/kube3.yml
deleted file mode 100644
index f918ed4..0000000
--- a/environments/prod/host_vars/kube3.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-# Common
-ansible_host: 10.1.2.23
-ansible_hostname: kube3
-fqdn: kube3.homecentr.one
-
-# Kubernetes
-rke2_server_node_taints:
-  - 'CriticalAddonsOnly=true:NoSchedule'
diff --git a/environments/prod/host_vars/monitoring.yaml b/environments/prod/host_vars/monitoring.yaml
new file mode 100644
index 0000000..b29d953
--- /dev/null
+++ b/environments/prod/host_vars/monitoring.yaml
@@ -0,0 +1,29 @@
+ansible_host: 10.1.2.68
+ansible_hostname: ct-monitoring
+
+app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
+app_container_memory: 4096
+app_container_storage_name: dpool1
+app_container_storage_size_gb: 50
+app_container_pve_replication_cron_expression: "*/5"
+app_container_network_interfaces:
+  - name: eth0
+    bridge: vmbr0
+    ipv4_address: 10.1.2.68/24
+    ipv4_gateway: 10.1.2.1
+
+app_container_pve_node: pve2
+app_container_pve_ha_group_name: noncritical
+app_container_pve_replication_nodes:
+  - pve1
+
+app_gatus_image_tag: v5.7.0
+
+app_pomerium_routes:
+  - hostname: gatus
+    target_port: 8080
+    auth_mode: public
+
+app_pihole_records:
+  - hostname: gatus
+    type: pomerium_proxy
diff --git a/environments/prod/host_vars/mqtt.yaml b/environments/prod/host_vars/mqtt.yaml
new file mode 100644
index 0000000..867ddd7
--- /dev/null
+++ b/environments/prod/host_vars/mqtt.yaml
@@ -0,0 +1,22 @@
+ansible_host: 10.1.2.67
+ansible_hostname: ct-mqtt
+
+app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
+app_container_memory: 1024
+app_container_storage_name: dpool1
+app_container_storage_size_gb: 5
+app_container_pve_replication_cron_expression: "*/5"
+app_container_network_interfaces:
+  - name: eth0
+    bridge: vmbr0
+    ipv4_address: 10.1.2.67/24
+    ipv4_gateway: 10.1.2.1
+
+app_container_pve_node: pve1
+app_container_pve_ha_group_name: non-critical
+app_container_pve_replication_nodes:
+  - pve2
+
+app_pihole_records:
+  - hostname: mqtt
+    type: ansible_host
diff --git a/environments/prod/host_vars/pihole.yaml b/environments/prod/host_vars/pihole.yaml
new file mode 100644
index 0000000..ccc67f4
--- /dev/null
+++ b/environments/prod/host_vars/pihole.yaml
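Review bot: The gatus route in monitoring.yaml is the only route in this commit with `auth_mode: public`; every other route uses `users` or `administrators`. A public status page discloses the monitored endpoint names, internal hostnames (`ct-frigate`, `ct-homepage`, the Proxmox nodes) and ports to anyone who can reach the proxy, so if unauthenticated access is intended, put the reason next to the line, e.g. `auth_mode: public  # status page must stay reachable when the IdP is down` (adjust to the actual reason); otherwise `auth_mode: users` matches the rest of the environment.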
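Review bot: mqtt.yaml sets `app_container_pve_ha_group_name: non-critical`, while frigate, homepage and monitoring in the same commit use `noncritical`. Proxmox matches HA group names literally, so the mqtt container either lands in a second, separately defined group or the HA assignment fails at apply time; `app_container_pve_ha_group_name: noncritical` brings it in line with the others.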
@@ -0,0 +1,44 @@
+ansible_host: 10.1.2.64
+ansible_hostname: ct-pihole
+
+app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
+app_container_memory: 1024
+app_container_storage_name: dpool1
+app_container_storage_size_gb: 5
+app_container_pve_replication_cron_expression: "*/5"
+app_container_network_interfaces:
+  - name: eth0
+    bridge: vmbr0
+    ipv4_address: 10.1.2.64/24
+    ipv4_gateway: 10.1.2.1
+
+app_container_pve_node: pve1
+app_container_pve_ha_group_name: critical-priority-pve1
+app_container_pve_replication_nodes:
+  - pve2
+
+app_pihole_version: 5.17.3
+app_pihole_forwarders:
+  - 1.1.1.1
+  - 1.0.0.1
+
+app_pomerium_routes:
+  - hostname: pihole
+    auth_mode: administrators
+
+app_pihole_records:
+  - hostname: pihole
+    type: pomerium_proxy
+
+app_gatus_monitored_endpoints:
+  - name: Web UI
+    group: Pi-hole
+    type: https-pomerium-proxy
+    host: pihole.homecentr.one
+  - name: DNS
+    group: Pi-hole
+    type: dns
+    host: 10.1.2.64
+    dns_query_name: "login.homecentr.one"
+    dns_query_type: "A"
+    dns_query_answer: 10.1.2.66
diff --git a/environments/prod/host_vars/pomerium/container.yaml b/environments/prod/host_vars/pomerium/container.yaml
new file mode 100644
index 0000000..8604c04
--- /dev/null
+++ b/environments/prod/host_vars/pomerium/container.yaml
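Review bot: The pihole entry under `app_pomerium_routes` has no `target_port`, while every other route in this commit (frigate, homepage, gatus) sets one. If the app-pomerium role falls back to a default port when the key is absent, a short comment such as `# target_port omitted: role default (HTTP 80)` — with the real default — would make that explicit; if it does not, the route will be generated without an upstream port. The DNS check further down pins `dns_query_answer: 10.1.2.66`, which duplicates pomerium's `ansible_host`, so the two files need to be kept in sync by hand.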
@@ -0,0 +1,42 @@
+ansible_host: 10.1.2.66
+ansible_hostname: ct-pomerium
+
+app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
+app_container_memory: 1024
+app_container_storage_name: dpool1
+app_container_storage_size_gb: 3
+app_container_pve_replication_cron_expression: "*/5"
+app_container_mapped_uids:
+  - 7000
+app_container_mapped_gids:
+  - 7000
+app_container_network_interfaces:
+  - name: eth0
+    bridge: vmbr0
+    ipv4_address: 10.1.2.66/24
+    ipv4_gateway: 10.1.2.1
+app_container_pve_node: pve1
+app_container_pve_ha_group_name: critical-priority-pve1
+app_container_pve_replication_nodes:
+  - pve2
+
+app_container_getssl_certificates:
+  - name: "*.homecentr.one"
+    fullchain_filename: "wildcard_fullchain.crt"
+    cert_filename: "wildcard.crt"
+    key_filename: "wildcard.key"
+    user: 7000
+    group: 7000
+    mode: 0440
+
+app_pihole_records:
+  - hostname: login
+    type: ansible_host
+
+app_gatus_monitored_endpoints:
+  - name: Pomerium
+    group: Pomerium
+    type: https
+    host: login.homecentr.one
+    path: /healthz
+
diff --git a/environments/prod/host_vars/pomerium/pomerium.yaml b/environments/prod/host_vars/pomerium/pomerium.yaml
new file mode 100644
index 0000000..dadb34d
--- /dev/null
+++ b/environments/prod/host_vars/pomerium/pomerium.yaml
@@ -0,0 +1,8 @@
+app_pomerium_hostname: login.homecentr.one
+
+app_pomerium_groups_administrators: 64d004bd-9218-4fae-9919-0505ff5eeb8e
+app_pomerium_groups_users: aac23af7-2d73-497f-b93c-b8ca4007638d
+
+app_pomerium_certificates:
+  - fullchain_path: /getssl/wildcard_fullchain.crt
+    key_path: /getssl/wildcard.key
diff --git a/environments/prod/host_vars/pomerium/secrets.sops.yaml b/environments/prod/host_vars/pomerium/secrets.sops.yaml
new file mode 100644
index 0000000..ec84077
--- /dev/null
+++ b/environments/prod/host_vars/pomerium/secrets.sops.yaml
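Review bot: `mode: 0440` on the wildcard certificate entry is an unquoted leading-zero integer; YAML 1.1 loaders read it as octal, so it happens to survive as 288 (0o440), but ansible-lint's `risky-octal` rule flags it and the same pattern without a leading zero would silently become a decimal mode. Write it as `mode: "0440"` so the value reaches the file module as a string; the restrictive 0440 itself is the right choice for a private key read only by uid/gid 7000. The same applies to `mode: 0644` in the task added to roles/app-pihole/tasks/dns.yaml in patch 30.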
@@ -0,0 +1,45 @@ +app_pomerium_idp_provider: ENC[AES256_GCM,data:VpQAf9E=,iv:PIREcAiLh9nrTUp6yLwnvyfnAXmnvetoCQWqLswrKXo=,tag:y3b77ECYZ5XgRH2f7lifyA==,type:str] +app_pomerium_idp_client_id: ENC[AES256_GCM,data:f+/xseMu8sfxGCYSZQBgeyRNV+5r2Agl77Vjgj1NX56iru3A,iv:KT/bdCe/Kq3p0G5d7EtS9l+6Sm/nJ9RuEI+TTA+x4Ho=,tag:hTR4/olk/2X+84EjttjWyQ==,type:str] +app_pomerium_idp_client_secret: ENC[AES256_GCM,data:r/mfqDZTd7KWVlpYgDy2iUwLQdb17x8fLkoyJ9Mx8BMP027vWAX0VA==,iv:+sZBP+85lRB55a9bkvcaM2E2GXso/NdK7EMFGEZqREM=,tag:Vx/5DoZDNyCc/MnFFtktGQ==,type:str] +app_pomerium_idp_provider_url: ENC[AES256_GCM,data:bSKc/XqRKhRmWuR1yRU4kDDARJ1j+jcnjDmNaM+pdqJJ+pOLHnTnO21BiItwx1+vokhS+OAIgudMisT32327NVawBcLN0cqWFfIs,iv:sq2ipwCpce6P24xKCwznetJB0xiW76A4T3AfWT9wZo4=,tag:1rSLMf+gAqwSaNb04NR+pg==,type:str] +app_pomerium_cookie_secret: ENC[AES256_GCM,data:AxSiccltyyhamL/ddS3656P7wfVZVnA7lsdogOhO6/l9GHZO+RWERCVhcnc=,iv:KApzn0Ce5Zp49FIa2rqEwPHqD+vrbETM59GL3pIdj4g=,tag:vXY0jb54xR6tFh6QNEU6zg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSHZGZnQ2Szh3OXk1MVlJ + dTQydEZxSWRGRXczcDdEb1J4S1VPR3JqbXlnCndyOExGZDJqQUpneXdCMC8vcndK + QklvS3Rtc1ZHOFRBTnp6NzdNZ3JmdDgKLS0tIExJTTF1SUxlN0psbmpYdXV5c0Fh + SHpnRHlnWnBwWUQwTk5jVHJSdEdCUUkK59zwMk1ZNsBdvo4I26Hv7lrrkmJ5jeVE + TwbEthfwlCwmCOtId+zuolCZwZbAxrayIdWgtlOCpX0myDrGX0qx4g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-14T16:01:18Z" + mac: ENC[AES256_GCM,data:xlzxneWrPjW2Mj3iJawvzWoHHVo2kZ2t+dZHIqXvqA4Z5kboPDEzZ85/+ci+RM2ig7VqZ69AVw99oFawXV+Zn49nRH4Ol5BCARD/dauNpvmXcZDt6PcXgSpRnHFREBNDM7NGj0SFpoDvJxNwJ8REofy6MtYkIYsmyVfP5E2rl1I=,iv:WUEA+TvES30zuG/NedwGChu0TIZb4idHA4Qh8put3WM=,tag:DpL0kx2RD1FMdBJBqFl/mg==,type:str] + pgp: + - created_at: "2024-03-07T21:01:19Z" + enc: | + -----BEGIN PGP MESSAGE----- + + 
hQIMA7Pg+ndCcR5CAQ//TaWYnk0QfSwq39kQKGNkH3C1pq0DHjjDcosttXRKVT6A + dBo+hjvfrxHWOaRrP2ABuNzmkbcZ98Os8qk+Z0NFioZllL42mGrB8+p4TyZl9n9D + ai9tGncA/ByWEgdzBCqp8utZk6nG0BJ+PfyA9014mAU0GROek5y+OUwjNDkZXZ6u + YbPQsoUj316rONWtSgf/8+SDeu7J5k9gKwhkDcj2V6KDVC6VdCF6NAXQKvrYTKfh + X2MAABCE/yn6Gs7pYymjJJGxPYGxjh5huk0C89nZW1kcmW/DaDh1e5o0CYR/p8RK + iaJmF8i6N6DNFrI3GcCMHb4wqBzDTCBkm+jsFT5f+VUkivANxb/IqfuDJZn54OFz + hke4g0oLnB+JueGVU/wfzYKviVegCVbEbM0dYmSjI24Bp8DDHv/FroUoPAA87lE6 + veTt5mEaayHCBI4ivhQtuPlHBL2ij6DDHSdx4Roi5gGxUmLtUqSg5nQwiItSNdn5 + eaRGfKCaKrpurDECobqTjUZpubxbDbKE52vvJDphB0+TTxVaiTnWjXt/pJ2nhMvS + 9RMiOyJQttrKkDuRR9TOMEVg+urtTlix8Cp7UuCF9RTMqwQu1oQenBHOByHVVrXn + k3Lf5Ue55G9CWtBiUekP4ohsd1JBiz2QDXnkJ6wEA88srzMY8YgrH0ukBnHFOM7S + XgFQig9vICka+uxescA7IbP8g7adUaduepOCewa4HU0Vrun59JZr1b0JzNp8oHVk + Fspn4I9u/EG27gSIdf4M2cEhhvugG5O5n5WWSPv4ovUOFTVEHGk7+tTU1gdMGS0= + =jN6m + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/environments/prod/host_vars/pve1.yaml b/environments/prod/host_vars/pve1.yaml new file mode 100644 index 0000000..af7341e --- /dev/null +++ b/environments/prod/host_vars/pve1.yaml @@ -0,0 +1,22 @@ +# Common +ansible_host: 10.1.2.11 +ansible_hostname: pve1 + +# UPS +ups_name: ups1 + +# GetSSL +getssl_cron_renewal_hour: 16 + +# PVE +pve_pci_passhthrough_enabled: true + +# Monitoring +app_gatus_monitored_endpoints: + - name: pve1 / ping + group: Proxmox VE + type: ping + - name: pve1 / http + group: Proxmox VE + type: https + host: pve1.homecentr.one diff --git a/environments/prod/host_vars/pve1.yml b/environments/prod/host_vars/pve1.yml deleted file mode 100644 index f9788ee..0000000 --- a/environments/prod/host_vars/pve1.yml +++ /dev/null 
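Review bot: `pve_pci_passhthrough_enabled` in the new pve1.yaml (and pve2.yaml below) carries the misspelling over from the deleted pve1.yml, so the variable name presumably has to match the pve role and cannot be corrected here alone. If renaming in the role is not worth the churn, a comment such as `# sic: the pve role reads this exact variable name` on the line stops the next reader from "fixing" it and silently disabling passthrough.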
@@ -1,37 +0,0 @@
-# Common
-ansible_host: 10.1.2.11
-ansible_hostname: pve1
-fqdn: pve1.homecentr.one
-
-# UPS
-ups_name: ups1
-
-# PVE
-pve_pci_passhthrough_enabled: true
-
-pve_vm_machines:
-  - vmid: 101
-    name: kube1
-    protection: false
-    cloud_image_filename: debian-12.1.0.qcow2
-    bios: efi
-    shutdown_timeout_seconds: 120
-    nic_bridge: vmbr0
-    os_storage: local-zfs
-    os_disk_size: 128G
-    cpu_type: "cputype=host,flags=+aes"
-    cpu_count: 2
-    cpu_cores_per_cpu: 20
-    min_memory: 16384
-    max_memory: 98304
-    nic_ipv4_address: 10.1.2.21
-    nic_ipv4_subnet: 255.255.255.0
-    nic_ipv4_gateway: 10.1.2.1
-    nameservers:
-      - 1.1.1.1
-      - 1.0.0.1
-
-# ClamAV
-# clamav_scanned_dirs:
-#   - /user-data0
-#   - /user-data1
diff --git a/environments/prod/host_vars/pve2.yaml b/environments/prod/host_vars/pve2.yaml
new file mode 100644
index 0000000..7f6ef9c
--- /dev/null
+++ b/environments/prod/host_vars/pve2.yaml
@@ -0,0 +1,22 @@
+# Common
+ansible_host: 10.1.2.12
+ansible_hostname: pve2
+
+# UPS
+ups_name: ups2
+
+# GetSSL
+getssl_cron_renewal_hour: 17
+
+# PVE
+pve_pci_passhthrough_enabled: true
+
+# Monitoring
+app_gatus_monitored_endpoints:
+  - name: pve2 / ping
+    group: Proxmox VE
+    type: ping
+  - name: pve2 / http
+    group: Proxmox VE
+    type: https
+    host: pve2-lab.homecentr.one
diff --git a/environments/prod/host_vars/pve2.yml b/environments/prod/host_vars/pve2.yml
deleted file mode 100644
index 0c44299..0000000
--- a/environments/prod/host_vars/pve2.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-# Common
-ansible_host: 10.1.2.12
-ansible_hostname: pve2
-fqdn: pve2.homecentr.one
-
-# UPS
-ups_name: ups2
-
-# PVE
-pve_pci_passhthrough_enabled: true
-
-pve_vm_machines:
-  - vmid: 201
-    name: kube2
-    protection: false
-    cloud_image_filename: debian-12.1.0.qcow2
-    bios: efi
-    shutdown_timeout_seconds: 120
-    nic_bridge: vmbr0
-    os_storage: local-zfs
-    os_disk_size: 128G
-    cpu_type: "cputype=host,flags=+aes"
-    cpu_count: 2
-    cpu_cores_per_cpu: 13
-    min_memory: 16384
-    max_memory: 98304
-    nic_ipv4_address: 10.1.2.22
-    nic_ipv4_subnet: 255.255.255.0
-    nic_ipv4_gateway: 10.1.2.1
-    nameservers:
-      - 1.1.1.1
-      - 1.0.0.1
-
-# ClamAV
-# clamav_scanned_dirs:
-#   - /user-data0
-#   - /user-data1
diff --git a/environments/prod/host_vars/pve3.yaml b/environments/prod/host_vars/pve3.yaml
new file mode 100644
index 0000000..e03da49
--- /dev/null
+++ b/environments/prod/host_vars/pve3.yaml
@@ -0,0 +1,19 @@
+# Common
+ansible_host: 10.1.2.13
+ansible_hostname: pve3
+
+# UPS
+ups_name: ups1
+
+# GetSSL
+getssl_cron_renewal_hour: 18
+
+# Monitoring
+app_gatus_monitored_endpoints:
+  - name: pve3 / ping
+    group: Proxmox VE
+    type: ping
+  - name: pve3 / http
+    group: Proxmox VE
+    type: https
+    host: pve3-lab.homecentr.one
diff --git a/environments/prod/host_vars/pve3.yml b/environments/prod/host_vars/pve3.yml
deleted file mode 100644
index 511b6fa..0000000
--- a/environments/prod/host_vars/pve3.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Common
-ansible_host: 10.1.2.13
-ansible_hostname: pve3
-fqdn: pve3.homecentr.one
-
-# UPS
-ups_name: ups1
-
-# PVE
-pve_vm_machines:
-  - vmid: 301
-    name: kube3
-    protection: false
-    cloud_image_filename: debian-12.1.0.qcow2
-    bios: efi
-    shutdown_timeout_seconds: 120
-    nic_bridge: vmbr0
-    os_storage: local-zfs
-    os_disk_size: 32G
-    cpu_type: "cputype=host,flags=+aes"
-    cpu_count: 1
-    cpu_cores_per_cpu: 3
-    min_memory: 8192
-    max_memory: 8192
-    nic_ipv4_address: 10.1.2.23
-    nic_ipv4_subnet: 255.255.255.0
-    nic_ipv4_gateway: 10.1.2.1
-    nameservers:
-      - 1.1.1.1
-      - 1.0.0.1
-
-# ClamAV
-# clamav_scanned_dirs:
-#   - /usr/local/gfs
diff --git a/environments/prod/hosts.yaml b/environments/prod/hosts.yaml
new file mode 100644
index 0000000..eccc34d
--- /dev/null
+++ b/environments/prod/hosts.yaml
@@ -0,0 +1,20 @@
+all:
+  children:
+    pve_nodes:
+      hosts:
+        pve1:
+        pve2:
+        pve3:
+    containers:
+      hosts:
+        frigate:
+        homepage:
+        monitoring:
+        mqtt:
+        pihole:
+        pomerium:
+      children:
+        cloudflared_containers:
+          hosts:
+            cloudflared1:
+            cloudflared2:
\ No newline at end of file
diff --git a/environments/prod/hosts.yml b/environments/prod/hosts.yml
deleted file mode 100644
index 24630f4..0000000
--- a/environments/prod/hosts.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-all:
-  children:
-    pve_nodes:
-      hosts:
-        pve1:
-        pve2:
-        pve3:
-    k8s_cluster:
-      children:
-        masters:
-          hosts:
-            pve1:
-            pve2:
-            pve3:
-        workers:
-          hosts:
-            pve1:
-            pve2:
-            pve3:
-        nvidia_gpu_nodes:
-          hosts:
-            pve1:
-            pve2:
\ No newline at end of file
diff --git a/package.json b/package.json
index 92e6767..c7b2658 100644
--- a/package.json
+++ b/package.json
@@ -9,9 +9,9 @@
     "install": "./tools/install.sh",
     "lint": "ANSIBLE_CONFIG=\"./ansible.cfg\" ansible-lint",
     "lab:clear-keys": "./tools/clearkeys.sh",
-    "lab:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh lab proxmox-nodes -u root -e ansible_user=root --tags init -k",
+    "lab:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh lab proxmox/nodes -u root -e ansible_user=root --tags init -k",
     "lab:apply": "./tools/apply.sh lab",
-    "prod:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh prod proxmox-nodes -u root -e ansible_user=root --tags init -k",
+    "prod:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh prod proxmox/nodes -u root -e ansible_user=root --tags init -k",
     "prod:apply": "./tools/apply.sh prod",
     "validate-values": "node ./tools/validations.js"
   },
diff --git a/playbooks/_all.yaml b/playbooks/_all.yaml
index 9428812..71bbd24 100644
--- a/playbooks/_all.yaml
+++ b/playbooks/_all.yaml
@@ -3,4 +3,7 @@
 - import_playbook: containers/pihole.yaml
 - import_playbook: containers/cloudflared.yaml
 - import_playbook: containers/mqtt.yaml
-- import_playbook: containers/pomerium.yaml
\ No newline at end of file
+- import_playbook: containers/pomerium.yaml
+- import_playbook: containers/homepage.yaml
+- import_playbook: containers/monitoring.yaml
+- import_playbook: containers/frigate.yaml
\ No newline at end of file
diff --git a/playbooks/local/ssh.yaml b/playbooks/local/ssh.yaml
index b675a40..c22668b 100644
--- a/playbooks/local/ssh.yaml
+++ b/playbooks/local/ssh.yaml
@@ -21,7 +21,7 @@
       community.general.ssh_config:
         user: "{{ ansible_user }}"
         host: "{{ hostvars[item].ansible_hostname }}"
-        hostname: "{{ hostvars[item].fqdn }}"
+        hostname: "{{ hostvars[item].ansible_hostname }}.{{ domain }}"
         forward_agent: true # To enable YubiKey forwarding
         proxycommand: "{{ lookup('env', 'HOME') }}/.ssh/proxy.sh %h %r"
         remote_user: "{{ ansible_user }}"
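Review bot: In playbooks/local/ssh.yaml the SSH `hostname` is now built as `ansible_hostname` + `.` + `domain` instead of the per-host `fqdn` that this commit deletes, so `domain` must be defined for every host the loop visits and the template will fail with an undefined variable where it is not; the loop and `domain` itself are outside the hunk, so this could not be checked here. For the containers this yields names such as `ct-frigate.<domain>`, while the `app_pihole_records` added in the same series register `frigate`, `homepage` and `gatus` without the `ct-` prefix — confirm the prefixed names resolve, or the generated SSH config will point at hosts that the local resolver cannot find.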
diff --git a/roles/app-container/tasks/container-disks.yaml b/roles/app-container/tasks/container-disks.yaml
index 38c4f1e..1f3f976 100644
--- a/roles/app-container/tasks/container-disks.yaml
+++ b/roles/app-container/tasks/container-disks.yaml
@@ -5,7 +5,7 @@
     cmd: "pct config {{ app_container_info.vmid }}"
 
 - name: Add disks
-  loop: "{{ container_vars.app_container_mounts | selectattr('type', 'equalto', 'disk') }}"
+  loop: "{{ container_vars.app_container_mounts | default([]) | selectattr('type', 'equalto', 'disk') }}"
   loop_control:
     loop_var: disk
   when: not 'mp' + disk.index | string + ':' in app_container_config.stdout
From 12f1ce897f5e62ada8bc4eedb820b008b0ae1de3 Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Tue, 16 Apr 2024 11:16:16 +0200
Subject: [PATCH 29/51] Checkpoint

---
 environments/prod/host_vars/frigate/container.yaml | 2 +-
 environments/prod/host_vars/homepage/container.yaml | 3 ++-
 environments/prod/host_vars/pve2.yaml | 2 +-
 environments/prod/host_vars/pve3.yaml | 2 +-
 roles/app-container/tasks/main.yaml | 3 +--
 roles/app-frigate/tasks/docker.yaml | 2 +-
 roles/app-frigate/templates/config.j2 | 11 ++++++-----
 roles/app-pomerium/tasks/main.yaml | 4 ++++
 8 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/environments/prod/host_vars/frigate/container.yaml b/environments/prod/host_vars/frigate/container.yaml
index 7c38e03..92f4de1 100644
--- a/environments/prod/host_vars/frigate/container.yaml
+++ b/environments/prod/host_vars/frigate/container.yaml
@@ -15,7 +15,7 @@ app_container_network_interfaces:
 
 app_container_mounts:
   - type: disk
-    storage_name: nvr-pool
+    storage_name: dpool-nvr
     index: 0
     size_gb: 2500
     target_path: /nvr
diff --git a/environments/prod/host_vars/homepage/container.yaml b/environments/prod/host_vars/homepage/container.yaml
index d93d860..9605dc2 100644
--- a/environments/prod/host_vars/homepage/container.yaml
+++ b/environments/prod/host_vars/homepage/container.yaml
@@ -1,10 +1,11 @@
 ansible_host: 10.1.2.72
 ansible_hostname: ct-homepage
 
+app_container_docker_support: true
 app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
 app_container_memory: 512
 app_container_storage_name: dpool1
-app_container_storage_size_gb: 1
+app_container_storage_size_gb: 2
 app_container_pve_replication_cron_expression: "*/5"
 app_container_network_interfaces:
   - name: eth0
diff --git a/environments/prod/host_vars/pve2.yaml b/environments/prod/host_vars/pve2.yaml
index 7f6ef9c..dd68962 100644
--- a/environments/prod/host_vars/pve2.yaml
+++ b/environments/prod/host_vars/pve2.yaml
@@ -19,4 +19,4 @@ app_gatus_monitored_endpoints:
   - name: pve2 / http
     group: Proxmox VE
     type: https
-    host: pve2-lab.homecentr.one
+    host: pve2.homecentr.one
diff --git a/environments/prod/host_vars/pve3.yaml b/environments/prod/host_vars/pve3.yaml
index e03da49..1a2eb38 100644
--- a/environments/prod/host_vars/pve3.yaml
+++ b/environments/prod/host_vars/pve3.yaml
@@ -16,4 +16,4 @@ app_gatus_monitored_endpoints:
   - name: pve3 / http
     group: Proxmox VE
     type: https
-    host: pve3-lab.homecentr.one
+    host: pve3.homecentr.one
diff --git a/roles/app-container/tasks/main.yaml b/roles/app-container/tasks/main.yaml
index 194617a..544e11c 100644
--- a/roles/app-container/tasks/main.yaml
+++ b/roles/app-container/tasks/main.yaml
@@ -1,7 +1,6 @@
 - name: Install Docker dependencies
-  when: app_container_docker_support | default(false)
   ansible.builtin.include_tasks:
-    file: container.yaml
+    file: docker.yaml
 
 - name: Create container
   ansible.builtin.include_tasks:
diff --git a/roles/app-frigate/tasks/docker.yaml b/roles/app-frigate/tasks/docker.yaml
index b552487..33503bc 100644
--- a/roles/app-frigate/tasks/docker.yaml
+++ b/roles/app-frigate/tasks/docker.yaml
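Review bot: In roles/app-container/tasks/main.yaml the "Install Docker dependencies" task loses its `when: app_container_docker_support | default(false)` guard along with the file rename, so docker.yaml is now included for every container, including mqtt, pihole and pomerium which do not set `app_container_docker_support`. Unless docker.yaml carries the condition itself (it is not visible here), keep the guard on the include: `  when: app_container_docker_support | default(false)`; a `when:` on `include_tasks` applies to the include and avoids pulling Docker into containers that never need it.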
@@ -7,4 +7,4 @@ - name: Start docker stack community.docker.docker_compose_v2: project_src: /etc/frigate - state: "{{ 'restarted' if app_frigate_config.changed or app_homepage_icons.changed else 'present' }}" + state: "{{ 'restarted' if app_frigate_config.changed else 'present' }}" diff --git a/roles/app-frigate/templates/config.j2 b/roles/app-frigate/templates/config.j2 index 33e602b..10831d5 100644 --- a/roles/app-frigate/templates/config.j2 +++ b/roles/app-frigate/templates/config.j2 @@ -19,10 +19,11 @@ go2rtc: {% if camera.type == "reolink" %} {{ camera.name }}_main: #- "rtsp://{{ camera.username }}:{{ camera.password }}@{{ camera.ip }}/h265Preview_01_main" - - "ffmpeg:http://{{ camera.ip }}/flv?port=1935&app=bcs&stream=channel0_main.bcs&user={{ camera.username }}&password={{ camera.password }}#video=copy#audio=copy" + - "ffmpeg:rtsp://{{ camera.username }}:{{ camera.password }}@{{ camera.ip }}/h264Preview_01_main" + #- "ffmpeg:http://{{ camera.ip }}/flv?port=1935&app=bcs&stream=channel0_main.bcs&user={{ camera.username }}&password={{ camera.password }}#video=copy#audio=copy" {{ camera.name }}_sub: - #- "rtsp://{{ camera.username }}:{{ camera.password }}@{{ camera.ip }}/h264Preview_01_sub" - - "ffmpeg:http://{{ camera.ip }}/flv?port=1935&app=bcs&stream=channel0_ext.bcs&user={{ camera.username }}&password={{ camera.password }}" + - "ffmpeg:rtsp://{{ camera.username }}:{{ camera.password }}@{{ camera.ip }}/h264Preview_01_sub" + #- "ffmpeg:http://{{ camera.ip }}/flv?port=1935&app=bcs&stream=channel0_ext.bcs&user={{ camera.username }}&password={{ camera.password }}" {% else %} TBA: Doorbell {% endif %} @@ -41,6 +42,6 @@ cameras: input_args: preset-rtsp-restream roles: - detect - live: - stream_name: {{ camera.name }}_sub + # live: + # stream_name: {{ camera.name }}_sub {% endfor %} \ No newline at end of file diff --git a/roles/app-pomerium/tasks/main.yaml b/roles/app-pomerium/tasks/main.yaml index 474204e..44a3b7e 100644 --- a/roles/app-pomerium/tasks/main.yaml 
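Review bot: The new go2rtc sources in roles/app-frigate/templates/config.j2 splice `{{ camera.username }}` and `{{ camera.password }}` into an RTSP URL unescaped, so a password containing `@`, `/`, `:`, `%` or `#` (which this template already uses as go2rtc's option separator) yields a malformed or mis-parsed source; render them as `{{ camera.username | urlencode }}` and `{{ camera.password | urlencode }}`. The `#- "ffmpeg:http://…&user={{ camera.username }}&password={{ camera.password }}…"` lines are YAML comments in the output, not Jinja comments, so the credentials are still expanded into the rendered file a second time; use `{# … #}` or delete them. The `live:` block commented out in the second hunk has the same character — a YAML comment with the camera name expanded, harmless but easy to mistake for disabled Jinja.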
+++ b/roles/app-pomerium/tasks/main.yaml @@ -1,3 +1,7 @@ +- name: Create user with fixed UID/GID + ansible.builtin.include_tasks: + file: user.yaml + - name: Install pomerium ansible.builtin.include_tasks: file: install.yaml From 790ea90dcd8cdeaace0375e84dcb3e076b0d3325 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Tue, 16 Apr 2024 13:04:02 +0200 Subject: [PATCH 30/51] Prod dns can forward to lab dns --- environments/prod/host_vars/pihole.yaml | 5 +++++ roles/app-pihole/tasks/dns.yaml | 11 ++++++++++- roles/app-pihole/templates/dnsmasq-forwarders.j2 | 3 +++ roles/app-pihole/templates/dnsmasq-local.j2 | 2 +- 4 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 roles/app-pihole/templates/dnsmasq-forwarders.j2 diff --git a/environments/prod/host_vars/pihole.yaml b/environments/prod/host_vars/pihole.yaml index ccc67f4..6555dc5 100644 --- a/environments/prod/host_vars/pihole.yaml +++ b/environments/prod/host_vars/pihole.yaml @@ -22,6 +22,11 @@ app_pihole_forwarders: - 1.1.1.1 - 1.0.0.1 +app_pihole_custom_forwarders: + # Forward lab queries to lab nameserver + - domain_pattern: "*-lab.homecentr.one" + nameserver: 10.1.8.64 + app_pomerium_routes: - hostname: pihole auth_mode: administrators diff --git a/roles/app-pihole/tasks/dns.yaml b/roles/app-pihole/tasks/dns.yaml index 5b3b451..77f2f07 100644 --- a/roles/app-pihole/tasks/dns.yaml +++ b/roles/app-pihole/tasks/dns.yaml @@ -14,4 +14,13 @@ owner: pihole group: pihole mode: 0644 - content: "{{ lookup('template', 'dnsmasq-local.j2') }}" \ No newline at end of file + content: "{{ lookup('template', 'dnsmasq-local.j2') }}" + +- name: Configure explicit domain specific forwarders + notify: restart_dns + ansible.builtin.copy: + dest: /etc/dnsmasq.d/custom-forwarders.conf + owner: pihole + group: pihole + mode: 0644 + content: "{{ lookup('template', 'dnsmasq-forwarders.j2') }}" \ No newline at end of file 
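Review bot: `domain_pattern: "*-lab.homecentr.one"` in environments/prod/host_vars/pihole.yaml is rendered by dnsmasq-forwarders.j2 into `server=/*-lab.homecentr.one/10.1.8.64`, and as far as I know dnsmasq's `server=/<domain>/` matches the domain and its subdomains as a suffix rather than a glob, so the literal `*` would never match `pve2-lab.homecentr.one` and lab names would keep going to 1.1.1.1. Worth confirming against a running Pi-hole after deploy; if the wildcard is indeed unsupported, either move lab hosts under a real sub-zone (`lab.homecentr.one`) or emit one `server=` line per lab hostname. Separately, `mode: 0644` in the new dns.yaml task is an unquoted leading-zero integer — Ansible's YAML 1.1 loader reads it as octal, but a YAML 1.2 tool sees decimal 644 and ansible-lint flags it; `mode: "0644"` is the portable form.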
diff --git a/roles/app-pihole/templates/dnsmasq-forwarders.j2 b/roles/app-pihole/templates/dnsmasq-forwarders.j2 new file mode 100644 index 0000000..6b7a41f --- /dev/null +++ b/roles/app-pihole/templates/dnsmasq-forwarders.j2 @@ -0,0 +1,3 @@ +{% for custom_forwarder in app_pihole_custom_forwarders | default([]) %} +server=/{{ custom_forwarder.domain_pattern }}/{{ custom_forwarder.nameserver }} +{% endfor %} diff --git a/roles/app-pihole/templates/dnsmasq-local.j2 b/roles/app-pihole/templates/dnsmasq-local.j2 index c21b803..74dbb7c 100644 --- a/roles/app-pihole/templates/dnsmasq-local.j2 +++ b/roles/app-pihole/templates/dnsmasq-local.j2 @@ -1,2 +1,2 @@ domain={{ domain }} -local=/{{ domain }}/ \ No newline at end of file +local=/{{ domain }}/ From cb8c82bfa81046e97cb4389ee32b2223ab787294 Mon Sep 17 00:00:00 2001 
From: Lukas Holota Date: Wed, 17 Apr 2024 12:36:58 +0200 Subject: [PATCH 31/51] Unifi controller --- .../lab/host_vars/unifi_controller.yaml | 42 +++++++++++++++++++ environments/lab/hosts.yaml | 1 + .../prod/host_vars/homepage/container.yaml | 14 +++++-- environments/prod/host_vars/pihole.yaml | 8 ++-- .../prod/host_vars/pomerium/container.yaml | 20 +++++++++ playbooks/containers/unifi-controller.yaml | 28 +++++++++++++ roles/app-container/tasks/main.yaml | 2 +- roles/app-gatus/templates/config.j2 | 13 ++++-- roles/app-gatus/templates/docker-compose.j2 | 2 - roles/app-homepage/tasks/configure.yaml | 8 ++-- .../app-homepage/templates/docker-compose.j2 | 5 +++ roles/app-pomerium/templates/config.j2 | 18 +++++++- roles/app-unifi-controller/tasks/main.yaml | 7 ++++ roles/app-unifi-controller/tasks/mongodb.yaml | 16 +++++++ roles/app-unifi-controller/tasks/unifi.yaml | 16 +++++++ 15 files changed, 182 insertions(+), 18 deletions(-) create mode 100644 environments/lab/host_vars/unifi_controller.yaml create mode 100644 playbooks/containers/unifi-controller.yaml create mode 100644 roles/app-unifi-controller/tasks/main.yaml create mode 100644 roles/app-unifi-controller/tasks/mongodb.yaml create mode 100644 roles/app-unifi-controller/tasks/unifi.yaml diff --git a/environments/lab/host_vars/unifi_controller.yaml b/environments/lab/host_vars/unifi_controller.yaml new file mode 100644 index 0000000..ea686e8 --- /dev/null +++ b/environments/lab/host_vars/unifi_controller.yaml 
@@ -0,0 +1,42 @@ +ansible_host: 10.1.8.73 +ansible_hostname: ct-unifi-controller-lab + +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 1024 +app_container_swap: 1024 +app_container_storage_name: dpool +app_container_storage_size_gb: 5 +app_container_pve_replication_cron_expression: "*/5" +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.73/24 + ipv4_gateway: 10.1.8.1 + +app_container_pve_node: pve1 +app_container_pve_ha_group_name: non-critical +app_container_pve_replication_nodes: + - pve2 + +app_pihole_records: + - hostname: unifi-lab + type: pomerium_proxy + +app_pomerium_routes: + - hostname: unifi-lab + protocol: https + tls_skip_verify: true + target_port: 8443 + auth_mode: public # Controller has its own authentication + +app_gatus_monitored_endpoints: + - name: Web UI / container + group: Unifi Controller + type: https + host: ct-unifi-controller-lab + insecure: true + port: 8443 + - name: Web UI / via proxy + group: Unifi Controller + type: https-pomerium-proxy + host: unifi-lab.homecentr.one diff --git a/environments/lab/hosts.yaml b/environments/lab/hosts.yaml index 0b02a41..996b7b0 100644 --- a/environments/lab/hosts.yaml +++ b/environments/lab/hosts.yaml @@ -13,6 +13,7 @@ all: mqtt: pihole: pomerium: + unifi_controller: children: cloudflared_containers: hosts: diff --git a/environments/prod/host_vars/homepage/container.yaml b/environments/prod/host_vars/homepage/container.yaml index 9605dc2..b3ec628 100644 --- a/environments/prod/host_vars/homepage/container.yaml +++ b/environments/prod/host_vars/homepage/container.yaml @@ -18,9 +18,14 @@ app_container_pve_ha_group_name: noncritical app_container_pve_replication_nodes: - pve1 -app_homepage_image_tag: v0.8.9 +app_homepage_image_tag: v0.8.11 app_pomerium_routes: + - hostname: homepage + target_port: 3000 + path: /api/healthcheck + auth_mode: public + - hostname: homepage target_port: 3000 auth_mode: users 
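Review bot: `tls_skip_verify: true` on the `unifi-lab` route turns off certificate verification for the Pomerium → 10.1.8.73:8443 hop, so the proxy will hand user sessions to whatever answers on that address. Pomerium routes support `tls_custom_ca_file` (the controller's self-signed certificate or issuing CA in PEM) together with `tls_upstream_server_name`, which keeps verification on without a public certificate on the controller; the Gatus entry's `insecure: true` has the same effect on monitoring and, per the config.j2 change in this commit, also drops the `[CERTIFICATE_EXPIRATION]` condition. `auth_mode: public` publishes the controller's own login page with no Pomerium policy in front — the comment says this is deliberate (the `pve` route in pomerium/container.yaml follows the same pattern), but it means account lockout and 2FA on the controller are the only controls on that page, which deserves a line in the comment.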
@@ -30,12 +35,15 @@ app_pihole_records: type: pomerium_proxy app_gatus_monitored_endpoints: - - name: Homepage / container + - name: Web UI / container group: Homepage type: http host: ct-homepage port: 3000 - - name: Homepage / via proxy + path: /api/healthcheck + + - name: Web UI / via proxy group: Homepage type: https-pomerium-proxy host: homepage.homecentr.one + path: /api/healthcheck diff --git a/environments/prod/host_vars/pihole.yaml b/environments/prod/host_vars/pihole.yaml index 6555dc5..3489a98 100644 --- a/environments/prod/host_vars/pihole.yaml +++ b/environments/prod/host_vars/pihole.yaml @@ -36,10 +36,12 @@ app_pihole_records: type: pomerium_proxy app_gatus_monitored_endpoints: - - name: Web UI + - name: Web UI / container group: Pi-hole - type: https-pomerium-proxy - host: pihole.homecentr.one + type: http + host: ct-pihole + port: 80 + - name: DNS group: Pi-hole type: dns diff --git a/environments/prod/host_vars/pomerium/container.yaml b/environments/prod/host_vars/pomerium/container.yaml index 8604c04..07db7fd 100644 --- a/environments/prod/host_vars/pomerium/container.yaml +++ b/environments/prod/host_vars/pomerium/container.yaml @@ -29,14 +29,34 @@ app_container_getssl_certificates: group: 7000 mode: 0440 +app_pomerium_routes: + - hostname: pve + auth_mode: public # Proxmox has its own authentication + protocol: https + target_port: 8006 + tls_upstream_server_name: pve.homecentr.one + backend: + - 10.1.2.11 + - 10.1.2.12 + - 10.1.2.13 + app_pihole_records: - hostname: login type: ansible_host + - hostname: pve + type: pomerium_proxy + app_gatus_monitored_endpoints: - name: Pomerium group: Pomerium type: https host: login.homecentr.one path: /healthz + + # Can check directly root because the site is not authenticated by pomerium + - name: Web UI balancing proxy + group: Proxmox VE + type: https-pomerium-proxy + host: pve.homecentr.one 
diff --git a/playbooks/containers/unifi-controller.yaml b/playbooks/containers/unifi-controller.yaml new file mode 100644 index 0000000..7a193ae --- /dev/null +++ b/playbooks/containers/unifi-controller.yaml @@ -0,0 +1,28 @@ +- name: Create application container + hosts: pve_nodes + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Create application container + ansible.builtin.include_role: + name: ../../roles/app-container + vars: + container_inventory_name: "unifi_controller" + tags: [ container ] + +- name: Setup Unifi Controller container + hosts: unifi_controller + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Run common set up + ansible.builtin.include_tasks: + file: _common.yaml + tags: [ common ] + + - name: Install Unifi Controller + ansible.builtin.import_role: + name: ../../roles/app-unifi-controller + tags: [ unifi, unifi-controller ] diff --git a/roles/app-container/tasks/main.yaml b/roles/app-container/tasks/main.yaml index 544e11c..c5b6607 100644 --- a/roles/app-container/tasks/main.yaml +++ b/roles/app-container/tasks/main.yaml @@ -1,4 +1,4 @@ -- name: Install Docker dependencies +- name: Install Docker dependencies on Proxmox host ansible.builtin.include_tasks: file: docker.yaml diff --git a/roles/app-gatus/templates/config.j2 b/roles/app-gatus/templates/config.j2 index 090aff4..869f787 100644 --- a/roles/app-gatus/templates/config.j2 +++ b/roles/app-gatus/templates/config.j2 @@ -1,8 +1,8 @@ metrics: true # storage: -# path: /var/lib/gatus/gatus.db -# type: sqlite - +# path: /var/lib/gatus/gatus.db +# type: sqlite + endpoints: {% for host in groups['all'] %} {% for endpoint in hostvars[host].app_gatus_monitored_endpoints | default([]) %} 
@@ -13,6 +13,9 @@ endpoints: interval: {{ endpoint.interval | default('30s') }} client: dns-resolver: tcp://{{ hostvars['pihole'].ansible_host }}:53 +{% if endpoint.insecure | default(false) == true %} + insecure: true +{% endif %} {% if endpoint.type == "ping" %} url: "icmp://{{ endpoint.host | default(hostvars[host].ansible_host) }}" conditions: @@ -25,8 +28,10 @@ endpoints: url: "https://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port | default(443) }}{{ endpoint.path | default('') }}" conditions: - "[STATUS] == 200" +{% if not (endpoint.insecure | default(false)) %} - "[CERTIFICATE_EXPIRATION] > 72h" -{% elif endpoint.type == "https-pomerium-proxy"%} +{% endif %} +{% elif endpoint.type == "https-pomerium-proxy"%} url: "https://{{ endpoint.host }}{{ endpoint.path | default('') }}" conditions: - "[STATUS] == 200" diff --git a/roles/app-gatus/templates/docker-compose.j2 b/roles/app-gatus/templates/docker-compose.j2 index d26bbf4..aa65bd9 100644 --- a/roles/app-gatus/templates/docker-compose.j2 +++ b/roles/app-gatus/templates/docker-compose.j2 @@ -9,5 +9,3 @@ services: volumes: - /etc/gatus/config.yaml:/config/config.yaml - /var/lib/gatus:/var/lib/gatus - -# TODO: Mount directory with metrics state \ No newline at end of file diff --git a/roles/app-homepage/tasks/configure.yaml b/roles/app-homepage/tasks/configure.yaml index ddea1c0..31d87ed 100644 --- a/roles/app-homepage/tasks/configure.yaml +++ b/roles/app-homepage/tasks/configure.yaml 
@@ -3,11 +3,11 @@ ansible.builtin.copy: dest: "/etc/homepage/config/{{ item.name }}" force: true - content: "{{ item.content }}" + content: "{{ item.content | to_nice_yaml }}" loop: - name: bookmarks.yaml - content: "{{ app_homepage_bookmarks | to_yaml }}" + content: "{{ app_homepage_bookmarks }}" - name: settings.yaml - content: "{{ app_homepage_settings | to_yaml }}" + content: "{{ app_homepage_settings }}" - name: widgets.yaml - content: "{{ app_homepage_widgets | to_yaml }}" \ No newline at end of file + content: "{{ app_homepage_widgets }}" \ No newline at end of file diff --git a/roles/app-homepage/templates/docker-compose.j2 b/roles/app-homepage/templates/docker-compose.j2 index 34e6314..329f42c 100644 --- a/roles/app-homepage/templates/docker-compose.j2 +++ b/roles/app-homepage/templates/docker-compose.j2 @@ -3,6 +3,11 @@ services: homepage: image: ghcr.io/gethomepage/homepage:{{ app_homepage_image_tag }} container_name: homepage + restart: unless-stopped + working_dir: /app + entrypoint: ["node", "server.js"] + healthcheck: + disable: true environment: PUID: {{ app_homepage_uid }} PGID: {{ app_homepage_gid }} diff --git a/roles/app-pomerium/templates/config.j2 b/roles/app-pomerium/templates/config.j2 index 727d959..a783aac 100644 --- a/roles/app-pomerium/templates/config.j2 +++ b/roles/app-pomerium/templates/config.j2 
@@ -21,7 +21,23 @@ routes: {% for host in groups['all'] %} {% for route in hostvars[host].app_pomerium_routes | default([]) %} - from: https://{{ route.hostname }}.{{ domain }} + tls_skip_verify: {{ route.tls_skip_verify | default(false) }} +{% if route.backend | default(none) is none %} to: {{ route.protocol | default("http") }}://{{ hostvars[host].ansible_host }}:{{ route.target_port | default(80) }} +{% elif route.backend is string %} + to: {{ route.protocol | default("http") }}://{{ route.backend }}:{{ route.target_port | default(80) }} +{% else %} + to: +{% for backend_host in route.backend %} + - {{ route.protocol | default("http") }}://{{ backend_host }}:{{ route.target_port | default(80) }} +{% endfor%} +{% endif %} +{% if route.path | default('') != '' %} + path: {{ route.path }} +{% endif %} +{% if route.tls_upstream_server_name | default(none) is not none %} + tls_upstream_server_name: {{ route.tls_upstream_server_name }} +{% endif %} {% if route.auth_mode == 'administrators' %} policy: - allow: @@ -32,7 +48,7 @@ routes: - allow: or: - claim/groups: "{{ app_pomerium_groups_users }}" -{% else %} +{% elif route.auth_mode == 'public' %} allow_public_unauthenticated_access: true {% endif %} {% endfor %} diff --git a/roles/app-unifi-controller/tasks/main.yaml b/roles/app-unifi-controller/tasks/main.yaml new file mode 100644 index 0000000..368a8da --- /dev/null +++ b/roles/app-unifi-controller/tasks/main.yaml @@ -0,0 +1,7 @@ +- name: Install MongoDB + ansible.builtin.include_tasks: + file: mongodb.yaml + +- name: Install Unifi Controller + ansible.builtin.include_tasks: + file: unifi.yaml diff --git a/roles/app-unifi-controller/tasks/mongodb.yaml b/roles/app-unifi-controller/tasks/mongodb.yaml new file mode 100644 index 0000000..e7d10bb --- /dev/null +++ b/roles/app-unifi-controller/tasks/mongodb.yaml 
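Review bot: Replacing `{% else %}` with `{% elif route.auth_mode == 'public' %}` in the policy block means a route whose `auth_mode` is missing or misspelled now renders with neither `policy` nor `allow_public_unauthenticated_access`, and the template gives no signal that this happened. Failing closed is the right direction, but it should be loud: add a final `{% else %}` that renders something Pomerium rejects, or better an `ansible.builtin.assert` before the template task with `that: "route.auth_mode in ['administrators', 'users', 'public']"` over every route in `hostvars`. The new list form of `to:` (`{% for backend_host in route.backend %}`) and the `tls_upstream_server_name` handling look right; note that the `{% for route … %}` loop enclosing the policy block opens in the first hunk and closes with the `{% endfor %}` in the second.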
@@ -0,0 +1,16 @@ +- name: Download MongoDB apt key + ansible.builtin.get_url: + url: https://www.mongodb.org/static/pgp/server-7.0.asc + dest: /etc/apt/keyrings/mongodb-7.0.asc + +- name: Add apt repository + ansible.builtin.apt_repository: + repo: "deb [ signed-by=/etc/apt/keyrings/mongodb-7.0.asc ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" + state: present + filename: mongodb-7.0 + update_cache: true + +- name: Install MongoDB + ansible.builtin.apt: + name: mongodb-org-server + state: present diff --git a/roles/app-unifi-controller/tasks/unifi.yaml b/roles/app-unifi-controller/tasks/unifi.yaml new file mode 100644 index 0000000..e8aa688 --- /dev/null +++ b/roles/app-unifi-controller/tasks/unifi.yaml @@ -0,0 +1,16 @@ +- name: Download MongoDB apt key + ansible.builtin.get_url: + url: https://dl.ui.com/unifi/unifi-repo.gpg + dest: /usr/share/keyrings/unifi-repo.gpg + +- name: Add apt repository + ansible.builtin.apt_repository: + repo: "deb [ signed-by=/usr/share/keyrings/unifi-repo.gpg ] https://www.ui.com/downloads/unifi/debian stable ubiquiti" + state: present + filename: ubnt-unifi + update_cache: true + +- name: Install Unifi Controller + ansible.builtin.apt: + name: unifi + state: present From 0c46947f085de61c98091daaf7a25c593b4fb4a1 Mon Sep 17 00:00:00 2001 
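Review bot: Both `ansible.builtin.get_url` tasks (mongodb.yaml and unifi.yaml) download the repository signing key with no `checksum:`, so every later `apt` install is verified against whatever those URLs served at run time; pin it, e.g. `checksum: "sha256:<SHA256_OF_KEY_FILE — placeholder>"`, so a swapped key fails the play instead of being trusted. The MongoDB `repo:` line uses `http://repo.mongodb.org/…`; the vendor documents the same path over HTTPS, and `signed-by=` protects integrity but not what an on-path observer learns, so prefer `https://`. In unifi.yaml the first task is still named `Download MongoDB apt key` — copy-paste; rename it `Download Unifi apt key`. `/etc/apt/keyrings` is assumed to exist on the `debian-12-standard` template; recent apt creates it, but a preceding `ansible.builtin.file` with `state: directory` makes the role robust to older images.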
From: Lukas Holota Date: Wed, 17 Apr 2024 21:30:54 +0200 Subject: [PATCH 32/51] Haraka --- .../lab/group_vars/pve_nodes/general.yaml | 10 ++++ .../lab/host_vars/smtp_relay/container.yaml | 37 +++++++++++++++ .../lab/host_vars/smtp_relay/dns.yaml | 3 ++ .../lab/host_vars/smtp_relay/haraka.sops.yaml | 47 +++++++++++++++++++ .../lab/host_vars/smtp_relay/monitoring.yaml | 12 +++++ environments/lab/hosts.yaml | 1 + playbooks/containers/smtp-relay.yaml | 33 +++++++++++++ roles/app-gatus/tasks/main.yaml | 2 +- roles/app-gatus/templates/config.j2 | 7 +-- roles/app-gatus/templates/docker-compose.j2 | 2 +- roles/app-haraka/tasks/main.yaml | 37 +++++++++++++++ roles/app-haraka/tasks/user.yaml | 11 +++++ roles/app-haraka/templates/config_auth.j2 | 7 +++ roles/app-haraka/templates/config_relay.j2 | 4 ++ roles/app-haraka/templates/docker-compose.j2 | 13 +++++ 15 files changed, 221 insertions(+), 5 deletions(-) create mode 100644 environments/lab/host_vars/smtp_relay/container.yaml create mode 100644 environments/lab/host_vars/smtp_relay/dns.yaml create mode 100644 environments/lab/host_vars/smtp_relay/haraka.sops.yaml create mode 100644 environments/lab/host_vars/smtp_relay/monitoring.yaml create mode 100644 playbooks/containers/smtp-relay.yaml create mode 100644 roles/app-haraka/tasks/main.yaml create mode 100644 roles/app-haraka/tasks/user.yaml create mode 100644 roles/app-haraka/templates/config_auth.j2 create mode 100644 roles/app-haraka/templates/config_relay.j2 create mode 100644 roles/app-haraka/templates/docker-compose.j2 diff --git a/environments/lab/group_vars/pve_nodes/general.yaml b/environments/lab/group_vars/pve_nodes/general.yaml index 26352bf..e2986c4 100644 --- a/environments/lab/group_vars/pve_nodes/general.yaml +++ b/environments/lab/group_vars/pve_nodes/general.yaml 
@@ -25,6 +25,16 @@ pve_cluster_ha_groups: priority: 1000 restricted: false nofailback: false + - name: critical-priority-pve3 + nodes: + - name: pve1 + priority: 1 + - name: pve2 + priority: 1 + - name: pve3 + priority: 1000 + restricted: false + nofailback: false - name: critical nodes: - name: pve1 diff --git a/environments/lab/host_vars/smtp_relay/container.yaml b/environments/lab/host_vars/smtp_relay/container.yaml new file mode 100644 index 0000000..57f3c4f --- /dev/null +++ b/environments/lab/host_vars/smtp_relay/container.yaml @@ -0,0 +1,37 @@ +ansible_host: 10.1.8.65 +ansible_hostname: ct-smtp-relay-lab + +app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_memory: 256 +app_container_storage_name: dpool +app_container_storage_size_gb: 2 +app_container_pve_replication_cron_expression: "*/5" +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: 10.1.8.65/24 + ipv4_gateway: 10.1.8.1 + +app_container_pve_node: pve3 +app_container_pve_ha_group_name: critical-priority-pve3 +app_container_pve_replication_nodes: + - pve1 + - pve2 + +app_container_mapped_uids: + - 7000 +app_container_mapped_gids: + - 7000 + +app_container_getssl_certificates: + - name: "*.homecentr.one" + fullchain_filename: "wildcard_fullchain.crt" + cert_filename: "wildcard.crt" + key_filename: "wildcard.key" + user: 7000 + group: 7000 + mode: 0440 + +app_haraka_uid: 7000 +app_haraka_gid: 7000 +app_haraka_image_tag: 1.1.0 \ No newline at end of file diff --git a/environments/lab/host_vars/smtp_relay/dns.yaml b/environments/lab/host_vars/smtp_relay/dns.yaml new file mode 100644 index 0000000..8002ecd --- /dev/null +++ b/environments/lab/host_vars/smtp_relay/dns.yaml @@ -0,0 +1,3 @@ +app_pihole_records: + - hostname: smtp-lab + type: ansible_host \ No newline at end of file 
diff --git a/environments/lab/host_vars/smtp_relay/haraka.sops.yaml b/environments/lab/host_vars/smtp_relay/haraka.sops.yaml new file mode 100644 index 0000000..a424736 --- /dev/null +++ b/environments/lab/host_vars/smtp_relay/haraka.sops.yaml 
@@ -0,0 +1,47 @@ +app_haraka_users: + - username: ENC[AES256_GCM,data:wIFb,iv:/n/Zv39xiZKWl+TsiWq/+xPfpS/bMxLmmvcludsfOMA=,tag:sL8/YeRNq/w5+nxVjIRATA==,type:str] + password: ENC[AES256_GCM,data:5xQSIu1SKQ2YICc9k2TgH/gZzKQ=,iv:QZ/wW7hoYd9HyrIEXZxG2EePyE2XV06pRpM7hOoBqXU=,tag:h57JAYLn+r49D66JKjrV3g==,type:str] +app_haraka_smtp_username: ENC[AES256_GCM,data:W88iwjJhJFMdxJ1s5BaqtU1eQXxvWQ==,iv:fxIOt+0LBjjoLB1xo0KWOBJ9R8g4Q2U+gB+ujT7KXu0=,tag:cJjMQnjTJTtB6Gx0o3QWvw==,type:str] +app_haraka_smtp_password: ENC[AES256_GCM,data:SZDS4dCriQArJ7DaRzyRZLFvWJZLYgZD3c/kxjRzQo0AnjlwDN1KVipCIQE7n8xe7lqeMeM7hemtTOg5XeO4VHUfY6cGJHfyR90+H7LcDKxnRwuL61K7IIfG,iv:RcIHxnyLeu6/2mVDeJQR2eMP0dPJpN4QL3RyT7GoUmg=,tag:knIuTFyo2YcZeu+61F4ueQ==,type:str] +app_haraka_smtp_host: ENC[AES256_GCM,data:BSaVrZGb++wnK39Dt3+UrAqbfSI=,iv:hlipTNIV5PJ4wIsH/ORTHp8C5V8kjzsX7dQyG+tvqno=,tag:xQgicmiGvMRBreLAdDlvTQ==,type:str] +app_haraka_smtp_port: ENC[AES256_GCM,data:bqtZ,iv:RC8tIIBHvOWXNGs7NDGi46ss92oyq6C9vnbnyPGr5hw=,tag:DTd3Wd706FR48MDXza55OA==,type:int] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzNjdnUWhha0JvUkVkQ1J0 + K2RVclB0NTljWkx0SXo2QjM0S290TVcxb0JZCit5SVBxanRsNFJ6aTRKYUZ5ZHpK + T3czaHBISTl1N1pJeUhqWVBrdEFRSzgKLS0tIHQvT255a1dhQjBON0tOaHl3Zmkr + U1RuL2xVbC9pRFppQ3BEUmFkV1ZDTzAKgBEI44mfeId4G4VrnOTi20q0jeLPLvEI + Xpy6J8rcP/ixbN+bns2Y8dC55+uFEpQQdVObCBzyYgSqapFM9cYpHQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-17T13:30:25Z" + mac: ENC[AES256_GCM,data:O5tiqklG+puBWPNH2nLaRbRGN8WoQ6ToZ8R/bpnG9Olxa9HDS18Rtzotvc+Q4nT3HxzjJZrznR3MYCGfw3mO3DK0njSP0NBKvwXIyC2H9LPTpLIalALrPh1xA0Ebgwrl/ILzduCVi/B5vvgdaa8rbav3Fe/nVpnjQbcevgbFdQc=,iv:bptYFWdv6jz/yoRBKGIzqi5RF/PD+KNIyyPUhjnkWAk=,tag:6M9hkvCsyyul6BsdyofXSQ==,type:str] + pgp: + - created_at: "2024-04-17T13:26:16Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMA7Pg+ndCcR5CARAAkUwBdOFb6cNMqPIHyxrKLrh6syCc0Icu/OnvyBsINnV0 + qT7l8sneOVd0g6YKuJXTXH87iUxS01fXSZBa5A5NZhohGSufhMhpy2AbtpiDeWBg + zQuEwwjb0l/T4AVUVNPWHrC5ctFXuA1xF4e4pFPmyY2aCXURPR8vjWpIDwMIXWdp + nxHDwQADoE2MtM5mzHBKjL1HVJDtfh2fzvKl6R0SVg9a9gEL8tVbheNnwo5FfSU4 + 6RX5T7xNo5nDLwXaHKfQttlMCHbMqEDeQxQaXJ2fg2byz8C+HaOvNdUAhvI8dHRA + tPwavu8l0dTLYMU77/+mQo17+LWql29uCZFHQRhvEB88kLbJ8T2KKLE4jqdzFiuk + c3lfMEmMoq0XZ1L7S2Us+IPZOz03mvAYeKaBiJwsAcUyy+qhoZ2UVm7pV6TIrSxw + 6W/iKjXCczfmIjgjkLEJCYys6P3dHdOnBlp0XnLnr4QRvb415oRyAzNIkO6iYdy3 + qy7bf7k61mk1GYR7EoZt4p0CYAlK1T8SYOOVO0AlaPIqX9l6jhI55D5HwbzXsLP4 + y2AbIj/rQ6ZzmeLtAkcMapmZduvz7Qv0VSsLS6c2MiMMChW6P6qcR/w9K/zE/VCF + RHIAm7vzsT+A/6bbq1ECORMIn7qry+5hSPgqYJxbhuRpZuL8FtydZoAAw47gPkrS + XgHqmQsENy6eCGaPmkA769tgw+7C9/k1ZBRiuoAFw2xASiryfjPrF1DNNOrEm4OS + MgJW9EiGMc/WCY5KVrBdMU1KKfvQrOi+9KNNelOgOYaTcRRclR5LAP80AynUOd4= + =4mv+ + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/environments/lab/host_vars/smtp_relay/monitoring.yaml b/environments/lab/host_vars/smtp_relay/monitoring.yaml new file mode 100644 index 0000000..b42688d --- /dev/null +++ b/environments/lab/host_vars/smtp_relay/monitoring.yaml @@ -0,0 +1,12 @@ +# TBA using STARTTLS (?) +# app_gatus_monitored_endpoints: +# - name: Web UI / container +# group: Unifi Controller +# type: https +# host: ct-unifi-controller-lab +# insecure: true +# port: 8443 +# - name: Web UI / via proxy +# group: Unifi Controller +# type: https-pomerium-proxy +# host: unifi-lab.homecentr.one \ No newline at end of file diff --git a/environments/lab/hosts.yaml b/environments/lab/hosts.yaml index 996b7b0..d40dbe1 100644 --- a/environments/lab/hosts.yaml +++ b/environments/lab/hosts.yaml @@ -13,6 +13,7 @@ all: mqtt: pihole: pomerium: + smtp_relay: unifi_controller: children: cloudflared_containers: 
diff --git a/playbooks/containers/smtp-relay.yaml b/playbooks/containers/smtp-relay.yaml new file mode 100644 index 0000000..e120131 --- /dev/null +++ b/playbooks/containers/smtp-relay.yaml @@ -0,0 +1,33 @@ +- name: Create application container + hosts: pve_nodes + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Create application container + ansible.builtin.include_role: + name: ../../roles/app-container + vars: + container_inventory_name: "smtp_relay" + tags: [ container ] + +- name: Setup SMTP relay container + hosts: smtp_relay + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Run common set up + ansible.builtin.include_tasks: + file: _common.yaml + tags: [ common ] + + - name: Install Docker + ansible.builtin.import_role: + name: ../../roles/docker + tags: [ docker ] + + - name: Install Haraka relay + ansible.builtin.import_role: + name: ../../roles/app-haraka + tags: [ haraka ] diff --git a/roles/app-gatus/tasks/main.yaml b/roles/app-gatus/tasks/main.yaml index 8d4aae1..49b954c 100644 --- a/roles/app-gatus/tasks/main.yaml +++ b/roles/app-gatus/tasks/main.yaml @@ -5,7 +5,7 @@ - name: Create state directory ansible.builtin.file: - path: /var/lib/gatus + path: /var/gatus state: directory - name: Create config file diff --git a/roles/app-gatus/templates/config.j2 b/roles/app-gatus/templates/config.j2 index 869f787..0751c4c 100644 --- a/roles/app-gatus/templates/config.j2 +++ b/roles/app-gatus/templates/config.j2 @@ -1,7 +1,8 @@ metrics: true -# storage: -# path: /var/lib/gatus/gatus.db -# type: sqlite + +storage: + type: sqlite + path: /var/gatus/gatus.db endpoints: {% for host in groups['all'] %} diff --git a/roles/app-gatus/templates/docker-compose.j2 b/roles/app-gatus/templates/docker-compose.j2 index aa65bd9..5c6f014 100644 --- a/roles/app-gatus/templates/docker-compose.j2 +++ b/roles/app-gatus/templates/docker-compose.j2 
@@ -8,4 +8,4 @@ services: - "8080:8080" volumes: - /etc/gatus/config.yaml:/config/config.yaml - - /var/lib/gatus:/var/lib/gatus + - /var/gatus:/var/gatus diff --git a/roles/app-haraka/tasks/main.yaml b/roles/app-haraka/tasks/main.yaml new file mode 100644 index 0000000..81285ce --- /dev/null +++ b/roles/app-haraka/tasks/main.yaml @@ -0,0 +1,37 @@ +- name: Create user with fixed UID/GID + ansible.builtin.include_tasks: + file: user.yaml + +- name: Create config directory + ansible.builtin.file: + path: /etc/haraka + state: directory + owner: haraka + group: haraka + mode: "0750" + +- name: Create config file + register: app_haraka_config + ansible.builtin.copy: + dest: "/etc/haraka/{{ item.dest }}" + owner: haraka + group: haraka + mode: "0640" + force: true + content: "{{ lookup('template', item.template) }}" + loop: + - template: config_auth.j2 + dest: auth_flat_file.ini + - template: config_relay.j2 + dest: relay_via_external.ini + +- name: Create compose file + ansible.builtin.copy: + dest: /etc/haraka/docker-compose.yaml + force: true + content: "{{ lookup('template', 'docker-compose.j2') }}" + +- name: Start docker stack + community.docker.docker_compose_v2: + project_src: /etc/haraka + state: "{{ 'restarted' if app_haraka_config.changed else 'present' }}" \ No newline at end of file diff --git a/roles/app-haraka/tasks/user.yaml b/roles/app-haraka/tasks/user.yaml new file mode 100644 index 0000000..e0b193c --- /dev/null +++ b/roles/app-haraka/tasks/user.yaml @@ -0,0 +1,11 @@ +- name: Create haraka group with fixed GID + ansible.builtin.group: + name: haraka + gid: "{{ app_haraka_gid }}" + +- name: Create pomerium user with fixed UID + ansible.builtin.user: + name: haraka + group: haraka + uid: "{{ app_haraka_uid }}" + create_home: true diff --git a/roles/app-haraka/templates/config_auth.j2 b/roles/app-haraka/templates/config_auth.j2 new file mode 100644 index 0000000..d6aab49 --- /dev/null +++ b/roles/app-haraka/templates/config_auth.j2 
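Review bot: In roles/app-haraka/tasks/user.yaml the second task is named `Create pomerium user with fixed UID` but creates `haraka` — rename it `Create haraka user with fixed UID` so play output is not misleading. In main.yaml the `Create compose file` copy sets no `owner`/`group`/`mode`, unlike the two ini files that get `haraka:haraka 0640`; the compose file carries no secrets here, but a root-owned 0644 file inside the `0750` directory is inconsistent, and adding `owner: haraka`, `group: haraka`, `mode: "0640"` keeps /etc/haraka uniform. `register: app_haraka_config` on the looped copy is fine for the `.changed` test in `Start docker stack`, since Ansible sets the aggregate flag when any item changed.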
@@ -0,0 +1,7 @@ +[core] +methods=PLAIN,LOGIN,CRAM-MD5 + +[users] +{% for user in app_haraka_users %} +{{ user.username }}={{ user.password }} +{% endfor %} \ No newline at end of file diff --git a/roles/app-haraka/templates/config_relay.j2 b/roles/app-haraka/templates/config_relay.j2 new file mode 100644 index 0000000..30281ba --- /dev/null +++ b/roles/app-haraka/templates/config_relay.j2 @@ -0,0 +1,4 @@ +auth_user={{ app_haraka_smtp_username }} +auth_pass={{ app_haraka_smtp_password }} +exchange={{ app_haraka_smtp_host }} +port={{ app_haraka_smtp_port }} \ No newline at end of file diff --git a/roles/app-haraka/templates/docker-compose.j2 b/roles/app-haraka/templates/docker-compose.j2 new file mode 100644 index 0000000..3239c64 --- /dev/null +++ b/roles/app-haraka/templates/docker-compose.j2 @@ -0,0 +1,13 @@ +services: + haraka: + container_name: haraka + image: homecentr/haraka-relay:{{ app_haraka_image_tag }} + restart: unless-stopped + ports: + - "25:2525" + - "9904:9904" + volumes: + - /getssl/wildcard.crt:/haraka/config/tls_cert.pem:ro + - /getssl/wildcard.key:/haraka/config/tls_key.pem:ro + - /etc/haraka/auth_flat_file.ini:/haraka/config/auth_flat_file.ini:ro + - /etc/haraka/relay_via_external.ini:/haraka/config/relay_via_external.ini:ro \ No newline at end of file From db73d8ac96a735d7e9e5a03b1d194b1ab88acfe8 Mon Sep 17 00:00:00 2001 
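Review bot: `auth_flat_file.ini` is rendered with each relay user's password in clear (`{{ user.username }}={{ user.password }}`) and advertises `PLAIN,LOGIN` alongside `CRAM-MD5`, so the clear-text mechanisms are only safe if Haraka withholds AUTH until STARTTLS has completed on port 25 — the TLS key/cert are mounted in docker-compose.j2, but nothing in these files shows that ordering is enforced, so please confirm it in the image's Haraka config or remove `PLAIN,LOGIN`. In config_relay.j2 `auth_pass={{ app_haraka_smtp_password }}` is written verbatim into an ini file, where `;`, `#` or a newline in the secret would silently truncate or corrupt the value; a comment above the line noting that constraint, or a check in the role, would prevent a confusing auth failure. docker-compose.j2 publishes `"9904:9904"` on every host interface with no authentication in front; if that is the metrics port (inferred from the number), restrict `ports` to the interface the scraper reaches or do not publish it when the scraper runs on the same host.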
From: Lukas Holota Date: Thu, 18 Apr 2024 11:37:14 +0200 Subject: [PATCH 33/51] Haraka health check --- .../group_vars/containers/app_container.yaml | 1 + environments/lab/host_vars/pihole.yaml | 1 + .../lab/host_vars/smtp_relay/monitoring.yaml | 18 ++++++------------ playbooks/containers/_common.yaml | 4 ---- playbooks/containers/cloudflared.yaml | 16 ++++++++++------ playbooks/containers/frigate.yaml | 2 +- playbooks/containers/homepage.yaml | 4 ++-- playbooks/containers/monitoring.yaml | 2 +- playbooks/containers/mqtt.yaml | 2 +- playbooks/containers/pihole.yaml | 2 +- playbooks/containers/pomerium.yaml | 2 +- playbooks/containers/smtp-relay.yaml | 4 ++-- playbooks/containers/unifi-controller.yaml | 2 +- playbooks/proxmox/nodes.yaml | 2 ++ roles/app-container/templates/pct-set.j2 | 3 +++ roles/app-gatus/templates/config.j2 | 8 ++++++-- roles/app-gatus/templates/docker-compose.j2 | 2 +- roles/app-haraka/tasks/disable-postfix.yaml | 8 ++++++++ roles/app-haraka/tasks/main.yaml | 4 ++++ roles/app-haraka/templates/docker-compose.j2 | 2 +- roles/hosts/tasks/main.yml | 10 +--------- 21 files changed, 54 insertions(+), 45 deletions(-) create mode 100644 environments/lab/group_vars/containers/app_container.yaml create mode 100644 roles/app-haraka/tasks/disable-postfix.yaml diff --git a/environments/lab/group_vars/containers/app_container.yaml b/environments/lab/group_vars/containers/app_container.yaml new file mode 100644 index 0000000..fa6f336 --- /dev/null +++ b/environments/lab/group_vars/containers/app_container.yaml @@ -0,0 +1 @@ +app_container_nameserver: 10.1.8.64 \ No newline at end of file diff --git a/environments/lab/host_vars/pihole.yaml b/environments/lab/host_vars/pihole.yaml index 8192f2d..9690e21 100644 --- a/environments/lab/host_vars/pihole.yaml +++ b/environments/lab/host_vars/pihole.yaml 
@@ -1,6 +1,7 @@ ansible_host: 10.1.8.64 ansible_hostname: ct-pihole-lab +app_container_nameserver: 1.1.1.1 app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_memory: 512 app_container_storage_name: dpool diff --git a/environments/lab/host_vars/smtp_relay/monitoring.yaml b/environments/lab/host_vars/smtp_relay/monitoring.yaml index b42688d..0ddbab5 100644 --- a/environments/lab/host_vars/smtp_relay/monitoring.yaml +++ b/environments/lab/host_vars/smtp_relay/monitoring.yaml @@ -1,12 +1,6 @@ -# TBA using STARTTLS (?) -# app_gatus_monitored_endpoints: -# - name: Web UI / container -# group: Unifi Controller -# type: https -# host: ct-unifi-controller-lab -# insecure: true -# port: 8443 -# - name: Web UI / via proxy -# group: Unifi Controller -# type: https-pomerium-proxy -# host: unifi-lab.homecentr.one \ No newline at end of file +app_gatus_monitored_endpoints: + - name: Haraka + group: SMTP Relay + type: starttls + host: smtp-lab.homecentr.one + port: 25 \ No newline at end of file diff --git a/playbooks/containers/_common.yaml b/playbooks/containers/_common.yaml index cc2451c..6f08cc7 100644 --- a/playbooks/containers/_common.yaml +++ b/playbooks/containers/_common.yaml @@ -1,7 +1,3 @@ -- name: Configure hosts - ansible.builtin.import_role: - name: ../../roles/hosts - - name: Configure users ansible.builtin.import_role: name: homecentr.system.users diff --git a/playbooks/containers/cloudflared.yaml b/playbooks/containers/cloudflared.yaml index 502d919..c9b48bf 100644 --- a/playbooks/containers/cloudflared.yaml +++ b/playbooks/containers/cloudflared.yaml 
@@ -4,14 +4,18 @@ become_method: ansible.builtin.sudo any_errors_fatal: true tasks: - - name: Create application container - loop: "{{ groups['cloudflared_containers'] }}" - loop_control: - loop_var: container_inventory_name - ansible.builtin.include_role: + - name: Create application container cloudflared1 + ansible.builtin.import_role: + name: ../../roles/app-container + vars: + container_inventory_name: "cloudflared1" + tags: [ container ] + + - name: Create application container cloudflared2 + ansible.builtin.import_role: name: ../../roles/app-container vars: - container_inventory_name: "{{ container_inventory_name }}" + container_inventory_name: "cloudflared2" tags: [ container ] - name: Setup Cloudflared containers diff --git a/playbooks/containers/frigate.yaml b/playbooks/containers/frigate.yaml index 8cc90d2..aa74406 100644 --- a/playbooks/containers/frigate.yaml +++ b/playbooks/containers/frigate.yaml @@ -5,7 +5,7 @@ any_errors_fatal: true tasks: - name: Create application container - ansible.builtin.include_role: + ansible.builtin.import_role: name: ../../roles/app-container vars: container_inventory_name: "frigate" diff --git a/playbooks/containers/homepage.yaml b/playbooks/containers/homepage.yaml index 05ed660..0d1614a 100644 --- a/playbooks/containers/homepage.yaml +++ b/playbooks/containers/homepage.yaml @@ -5,13 +5,13 @@ any_errors_fatal: true tasks: - name: Create application container - ansible.builtin.include_role: + ansible.builtin.import_role: name: ../../roles/app-container vars: container_inventory_name: homepage tags: [ container ] -- name: Setup Monitoring container +- name: Setup Homepage container hosts: homepage become: true become_method: ansible.builtin.sudo diff --git a/playbooks/containers/monitoring.yaml b/playbooks/containers/monitoring.yaml index 975aac2..9cc93dd 100644 --- a/playbooks/containers/monitoring.yaml +++ b/playbooks/containers/monitoring.yaml 
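Review bot: Hard-coding `container_inventory_name: "cloudflared1"` and `"cloudflared2"` duplicates what the inventory already expresses through `groups['cloudflared_containers']`, which the removed loop used; a third cloudflared host added to the inventory will now be silently skipped by this play while the following "Setup Cloudflared containers" play (its `hosts:` is outside the hunk) presumably still targets the whole group. If the move to `import_role` is for tag propagation, which is plausible since static import lets `tags: [ container ]` reach the role's tasks, record it above the first task, e.g. `# import_role is static so the container tag applies inside the role; a loop is not possible here`. An `ansible.builtin.assert` that `groups['cloudflared_containers'] | length == 2` would make the drift visible instead of silent.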
@@ -5,7 +5,7 @@ any_errors_fatal: true tasks: - name: Create application container - ansible.builtin.include_role: + ansible.builtin.import_role: name: ../../roles/app-container vars: container_inventory_name: "monitoring" diff --git a/playbooks/containers/mqtt.yaml b/playbooks/containers/mqtt.yaml index 8cadbb5..42ab6a4 100644 --- a/playbooks/containers/mqtt.yaml +++ b/playbooks/containers/mqtt.yaml @@ -5,7 +5,7 @@ any_errors_fatal: true tasks: - name: Create application container - ansible.builtin.include_role: + ansible.builtin.import_role: name: ../../roles/app-container vars: container_inventory_name: "mqtt" diff --git a/playbooks/containers/pihole.yaml b/playbooks/containers/pihole.yaml index c06c397..afc75f1 100644 --- a/playbooks/containers/pihole.yaml +++ b/playbooks/containers/pihole.yaml @@ -5,7 +5,7 @@ any_errors_fatal: true tasks: - name: Create application container - ansible.builtin.include_role: + ansible.builtin.import_role: name: ../../roles/app-container vars: container_inventory_name: "pihole" diff --git a/playbooks/containers/pomerium.yaml b/playbooks/containers/pomerium.yaml index 055654e..6913f73 100644 --- a/playbooks/containers/pomerium.yaml +++ b/playbooks/containers/pomerium.yaml @@ -5,7 +5,7 @@ any_errors_fatal: true tasks: - name: Create application container - ansible.builtin.include_role: + ansible.builtin.import_role: name: ../../roles/app-container vars: container_inventory_name: "pomerium" diff --git a/playbooks/containers/smtp-relay.yaml b/playbooks/containers/smtp-relay.yaml index e120131..4185ad8 100644 --- a/playbooks/containers/smtp-relay.yaml +++ b/playbooks/containers/smtp-relay.yaml @@ -5,10 +5,10 @@ any_errors_fatal: true tasks: - name: Create application container - ansible.builtin.include_role: + ansible.builtin.import_role: name: ../../roles/app-container vars: - container_inventory_name: "smtp_relay" + container_inventory_name: smtp_relay tags: [ container ] - name: Setup SMTP relay container 
diff --git a/playbooks/containers/unifi-controller.yaml b/playbooks/containers/unifi-controller.yaml index 7a193ae..dfef620 100644 --- a/playbooks/containers/unifi-controller.yaml +++ b/playbooks/containers/unifi-controller.yaml @@ -5,7 +5,7 @@ any_errors_fatal: true tasks: - name: Create application container - ansible.builtin.include_role: + ansible.builtin.import_role: name: ../../roles/app-container vars: container_inventory_name: "unifi_controller" diff --git a/playbooks/proxmox/nodes.yaml b/playbooks/proxmox/nodes.yaml index afed3e8..6c696af 100644 --- a/playbooks/proxmox/nodes.yaml +++ b/playbooks/proxmox/nodes.yaml @@ -72,6 +72,8 @@ - name: Create host records for servers ansible.builtin.import_role: name: ../../roles/hosts + vars: + hosts_group_name: pve_nodes tags: - hosts diff --git a/roles/app-container/templates/pct-set.j2 b/roles/app-container/templates/pct-set.j2 index 45ef21c..c758b9a 100644 --- a/roles/app-container/templates/pct-set.j2 +++ b/roles/app-container/templates/pct-set.j2 @@ -25,4 +25,7 @@ pct set {{ app_container_id }} {%- endif %} {%- if app_container_swap is defined %} --swap {{ app_container_swap }} + {%- endif %} + {%- if app_container_nameserver is defined %} + --nameserver {{ app_container_nameserver }} {%- endif %} \ No newline at end of file diff --git a/roles/app-gatus/templates/config.j2 b/roles/app-gatus/templates/config.j2 index 0751c4c..c17071c 100644 --- a/roles/app-gatus/templates/config.j2 +++ b/roles/app-gatus/templates/config.j2 @@ -12,9 +12,8 @@ endpoints: group: {{ endpoint.group }} {% endif %} interval: {{ endpoint.interval | default('30s') }} - client: - dns-resolver: tcp://{{ hostvars['pihole'].ansible_host }}:53 {% if endpoint.insecure | default(false) == true %} + client: insecure: true {% endif %} {% if endpoint.type == "ping" %} 
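Review bot: `--nameserver {{ app_container_nameserver }}` is interpolated unquoted into a shell command line (`pct set …`), so the value gets no protection against word splitting or shell metacharacters; `--nameserver {{ app_container_nameserver | quote }}` keeps the template safe even if someone later sets a space-separated list of resolvers. The value currently comes from trusted inventory (`10.1.8.64` and `1.1.1.1` in this series), so this is hygiene rather than an exploitable hole, but the neighbouring `--swap {{ app_container_swap }}` has the same shape. The enclosing `pct set {{ app_container_id }}` statement starts outside the hunk.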
@@ -61,6 +60,11 @@ endpoints: conditions: - "[BODY] == {{ endpoint.dns_query_answer }}" - "[DNS_RCODE] == NOERROR" +{% elif endpoint.type == "starttls" %} + url: starttls://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port }} + conditions: + - "[CONNECTED] == true" +# - "[CERTIFICATE_EXPIRATION] > 48h" {% endif %} {% endfor %} diff --git a/roles/app-gatus/templates/docker-compose.j2 b/roles/app-gatus/templates/docker-compose.j2 index 5c6f014..3334e74 100644 --- a/roles/app-gatus/templates/docker-compose.j2 +++ b/roles/app-gatus/templates/docker-compose.j2 @@ -7,5 +7,5 @@ services: ports: - "8080:8080" volumes: - - /etc/gatus/config.yaml:/config/config.yaml - /var/gatus:/var/gatus + - /etc/gatus/config.yaml:/config/config.yaml:ro diff --git a/roles/app-haraka/tasks/disable-postfix.yaml b/roles/app-haraka/tasks/disable-postfix.yaml new file mode 100644 index 0000000..f5147e8 --- /dev/null +++ b/roles/app-haraka/tasks/disable-postfix.yaml @@ -0,0 +1,8 @@ +- name: Stop & disable postfix services + ansible.builtin.systemd_service: + name: "{{ item }}" + enabled: false + state: stopped + loop: + - "postfix" + - "postfix@-" diff --git a/roles/app-haraka/tasks/main.yaml b/roles/app-haraka/tasks/main.yaml index 81285ce..84b8c20 100644 --- a/roles/app-haraka/tasks/main.yaml +++ b/roles/app-haraka/tasks/main.yaml @@ -2,6 +2,10 @@ ansible.builtin.include_tasks: file: user.yaml +- name: Disable postfix + ansible.builtin.include_tasks: + file: disable-postfix.yaml + - name: Create config directory ansible.builtin.file: path: /etc/haraka diff --git a/roles/app-haraka/templates/docker-compose.j2 b/roles/app-haraka/templates/docker-compose.j2 index 3239c64..f07b0ed 100644 --- a/roles/app-haraka/templates/docker-compose.j2 +++ b/roles/app-haraka/templates/docker-compose.j2 
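Review bot: The new `starttls` branch asserts only `[CONNECTED] == true`, so a relay presenting an expired, self-signed or wrong-name certificate still reports healthy; the commented-out `# - "[CERTIFICATE_EXPIRATION] > 48h"` is exactly the condition that would catch the first of those. If Gatus evaluates certificate conditions for `starttls://` endpoints, which the comment suggests was the intent, enable it; if it does not in the deployed version, replace the dead line with a comment saying so, e.g. `# CERTIFICATE_EXPIRATION is not evaluated for starttls:// in this Gatus version`. The `{% for %}` loop enclosing these branches and the `host` it references begin outside the hunk.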
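Review bot: `enabled: false` with `state: stopped` leaves postfix installed and unmasked, so a package upgrade or a dependency can start it again and take port 25 before the haraka container binds it (the compose file publishes `25:2525`). Add `masked: true` to this task, or remove the package outright with `ansible.builtin.apt` using `name: postfix`, `state: absent`, `purge: true`. The module also fails with "Could not find the requested service" on a host where the `postfix@-` instance unit does not exist, so either gate the task on the unit being present or set `failed_when: false` with a comment explaining why.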
@@ -7,7 +7,7 @@ services: - "25:2525" - "9904:9904" volumes: - - /getssl/wildcard.crt:/haraka/config/tls_cert.pem:ro + - /getssl/wildcard_fullchain.crt:/haraka/config/tls_cert.pem:ro - /getssl/wildcard.key:/haraka/config/tls_key.pem:ro - /etc/haraka/auth_flat_file.ini:/haraka/config/auth_flat_file.ini:ro - /etc/haraka/relay_via_external.ini:/haraka/config/relay_via_external.ini:ro \ No newline at end of file diff --git a/roles/hosts/tasks/main.yml b/roles/hosts/tasks/main.yml index 80d0cf9..03d6c81 100644 --- a/roles/hosts/tasks/main.yml +++ b/roles/hosts/tasks/main.yml @@ -3,12 +3,4 @@ path: /etc/hosts regexp: "^.*\\W+{{ item | replace('.', '\\.') }}.*" line: "{{ hostvars[item]['ansible_host'] }} {{ hostvars[item]['ansible_hostname'] }} {{ hostvars[item]['ansible_hostname'] }}.{{ domain }}" - with_items: "{{ groups['all'] }}" - -- name: Add additional hosts - ansible.builtin.lineinfile: - path: /etc/hosts - regexp: "^.*\\W+{{ item.ip | replace('.', '\\.') }}\\W+{{ item.host | replace('.', '\\.') }}\\W*$" - line: "{{ item.ip }} {{ item.host }}" - with_items: "{{ hosts_additional }}" - when: hosts_additional is defined and hosts_additional | length + with_items: "{{ groups[hosts_group_name] }}" From e721d0ada51d208016770a55c3a6126f6b651aa8 Mon Sep 17 00:00:00 2001 
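Review bot: `with_items: "{{ groups[hosts_group_name] }}"` introduces a required variable with no default, so any caller of this role that does not set `hosts_group_name` now fails with an undefined-variable error where it previously iterated `groups['all']`; the nodes.yaml play sets it in this commit and the container plays stopped importing the role, but the role no longer works on its own. A `defaults/main.yml` entry `hosts_group_name: all`, or `groups[hosts_group_name | default('all')]`, keeps the old behaviour as the fallback. The unchanged `regexp: "^.*\\W+{{ item | replace('.', '\\.') }}.*"` anchors only the start of the inventory name, so the entry for `pve1` also matches an existing `pve10` line and `lineinfile` would overwrite it; `"^.*\\W+{{ item | replace('.', '\\.') }}(\\W.*)?$"` closes that while you are here.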
From: Lukas Holota Date: Fri, 19 Apr 2024 10:49:27 +0200 Subject: [PATCH 34/51] Shared vars checkpoint --- ansible.cfg | 2 +- .../lab/group_vars/all/environment.yaml | 13 ++++ .../secrets.sops.yaml | 0 .../group_vars/containers/app_container.yaml | 3 +- .../lab/group_vars/pve_nodes/firewall.yaml | 48 -------------- .../lab/group_vars/pve_nodes/general.yaml | 59 +----------------- .../lab/group_vars/pve_nodes/ups.yaml | 2 + environments/lab/host_vars/cloudflared1.yaml | 13 ---- .../lab/host_vars/frigate/container.yaml | 42 +------------ environments/lab/host_vars/mqtt.yaml | 22 ------- .../secrets.sops.yaml => pomerium.sops.yaml} | 0 .../lab/host_vars/pomerium/pomerium.yaml | 8 --- environments/lab/host_vars/pve3.yaml | 19 ------ .../haraka.sops.yaml => smtp_relay.sops.yaml} | 0 .../lab/host_vars/smtp_relay/dns.yaml | 3 - .../lab/host_vars/smtp_relay/monitoring.yaml | 6 -- environments/prod/group_vars/all/general.yaml | 3 - .../prod/group_vars/all/users.sops.yaml | 53 ---------------- .../cloudflared_containers/container.yaml | 5 -- .../prod/group_vars/pve_nodes/ups.yaml | 16 ----- environments/prod/host_vars/cloudflared1.yaml | 13 ---- environments/prod/host_vars/cloudflared2.yaml | 13 ---- .../prod/host_vars/homepage/bookmarks.yaml | 39 ------------ .../prod/host_vars/homepage/container.yaml | 49 --------------- .../prod/host_vars/homepage/services.yaml | 4 -- .../prod/host_vars/homepage/settings.yaml | 8 --- .../prod/host_vars/homepage/widgets.yaml | 4 -- environments/prod/host_vars/monitoring.yaml | 29 --------- environments/prod/host_vars/mqtt.yaml | 22 ------- environments/prod/host_vars/pihole.yaml | 51 --------------- .../prod/host_vars/pomerium/container.yaml | 62 ------------------- .../prod/host_vars/pomerium/pomerium.yaml | 8 --- environments/prod/host_vars/pve1.yaml | 22 ------- environments/prod/host_vars/pve2.yaml | 22 ------- environments/prod/hosts.yaml | 20 ------ environments/shared/group_vars/all/env.yaml | 5 ++ .../group_vars/all/general.yaml | 
1 + .../group_vars/containers/app_container.yaml} | 4 +- .../group_vars/pve_nodes/firewall.yaml | 30 +++++---- .../group_vars/pve_nodes/general.yaml | 9 --- .../shared/host_vars/cloudflared1.yaml | 16 +++++ .../host_vars/cloudflared2.yaml | 7 ++- .../host_vars/frigate.yaml} | 28 ++++----- .../host_vars/homepage/bookmarks.yaml | 0 .../host_vars/homepage/container.yaml | 20 +++--- .../host_vars/homepage/services.yaml | 0 .../host_vars/homepage/settings.yaml | 2 +- .../host_vars/homepage/widgets.yaml | 0 .../{lab => shared}/host_vars/monitoring.yaml | 16 +++-- environments/shared/host_vars/mqtt.yaml | 19 ++++++ .../{lab => shared}/host_vars/pihole.yaml | 23 +++---- .../host_vars/pomerium.yaml} | 24 ++++--- .../{lab => shared}/host_vars/pve1.yaml | 9 +-- .../{lab => shared}/host_vars/pve2.yaml | 9 +-- .../{prod => shared}/host_vars/pve3.yaml | 9 +-- .../host_vars/smtp_relay.yaml} | 25 +++++--- .../host_vars/unifi_controller.yaml | 19 +++--- environments/{lab => shared}/hosts.yaml | 2 +- 58 files changed, 173 insertions(+), 787 deletions(-) create mode 100644 environments/lab/group_vars/all/environment.yaml rename environments/lab/group_vars/{cloudflared_containers => cloudflared}/secrets.sops.yaml (100%) delete mode 100644 environments/lab/host_vars/cloudflared1.yaml delete mode 100644 environments/lab/host_vars/mqtt.yaml rename environments/lab/host_vars/{pomerium/secrets.sops.yaml => pomerium.sops.yaml} (100%) delete mode 100644 environments/lab/host_vars/pomerium/pomerium.yaml delete mode 100644 environments/lab/host_vars/pve3.yaml rename environments/lab/host_vars/{smtp_relay/haraka.sops.yaml => smtp_relay.sops.yaml} (100%) delete mode 100644 environments/lab/host_vars/smtp_relay/dns.yaml delete mode 100644 environments/lab/host_vars/smtp_relay/monitoring.yaml delete mode 100644 environments/prod/group_vars/all/general.yaml delete mode 100644 environments/prod/group_vars/all/users.sops.yaml delete mode 100644 
environments/prod/group_vars/cloudflared_containers/container.yaml delete mode 100644 environments/prod/group_vars/pve_nodes/ups.yaml delete mode 100644 environments/prod/host_vars/cloudflared1.yaml delete mode 100644 environments/prod/host_vars/cloudflared2.yaml delete mode 100644 environments/prod/host_vars/homepage/bookmarks.yaml delete mode 100644 environments/prod/host_vars/homepage/container.yaml delete mode 100644 environments/prod/host_vars/homepage/services.yaml delete mode 100644 environments/prod/host_vars/homepage/settings.yaml delete mode 100644 environments/prod/host_vars/homepage/widgets.yaml delete mode 100644 environments/prod/host_vars/monitoring.yaml delete mode 100644 environments/prod/host_vars/mqtt.yaml delete mode 100644 environments/prod/host_vars/pihole.yaml delete mode 100644 environments/prod/host_vars/pomerium/container.yaml delete mode 100644 environments/prod/host_vars/pomerium/pomerium.yaml delete mode 100644 environments/prod/host_vars/pve1.yaml delete mode 100644 environments/prod/host_vars/pve2.yaml delete mode 100644 environments/prod/hosts.yaml create mode 100644 environments/shared/group_vars/all/env.yaml rename environments/{lab => shared}/group_vars/all/general.yaml (98%) rename environments/{lab/group_vars/cloudflared_containers/container.yaml => shared/group_vars/containers/app_container.yaml} (58%) rename environments/{prod => shared}/group_vars/pve_nodes/firewall.yaml (57%) rename environments/{prod => shared}/group_vars/pve_nodes/general.yaml (84%) create mode 100644 environments/shared/host_vars/cloudflared1.yaml rename environments/{lab => shared}/host_vars/cloudflared2.yaml (59%) rename environments/{prod/host_vars/frigate/container.yaml => shared/host_vars/frigate.yaml} (58%) rename environments/{lab => shared}/host_vars/homepage/bookmarks.yaml (100%) rename environments/{lab => shared}/host_vars/homepage/container.yaml (55%) rename environments/{lab => shared}/host_vars/homepage/services.yaml (100%) rename 
environments/{lab => shared}/host_vars/homepage/settings.yaml (81%) rename environments/{lab => shared}/host_vars/homepage/widgets.yaml (100%) rename environments/{lab => shared}/host_vars/monitoring.yaml (51%) create mode 100644 environments/shared/host_vars/mqtt.yaml rename environments/{lab => shared}/host_vars/pihole.yaml (52%) rename environments/{lab/host_vars/pomerium/container.yaml => shared/host_vars/pomerium.yaml} (53%) rename environments/{lab => shared}/host_vars/pve1.yaml (58%) rename environments/{lab => shared}/host_vars/pve2.yaml (58%) rename environments/{prod => shared}/host_vars/pve3.yaml (58%) rename environments/{lab/host_vars/smtp_relay/container.yaml => shared/host_vars/smtp_relay.yaml} (52%) rename environments/{lab => shared}/host_vars/unifi_controller.yaml (61%) rename environments/{lab => shared}/hosts.yaml (91%) diff --git a/ansible.cfg b/ansible.cfg index c5770b4..0d9015e 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,3 +1,3 @@ [defaults] vars_plugins_enabled = host_group_vars,community.sops.sops -timeout = 30 \ No newline at end of file +timeout = 30 diff --git a/environments/lab/group_vars/all/environment.yaml b/environments/lab/group_vars/all/environment.yaml new file mode 100644 index 0000000..32a5406 --- /dev/null +++ b/environments/lab/group_vars/all/environment.yaml @@ -0,0 +1,13 @@ +env: + name: lab + suffix: -lab + suffix_display: -Lab + domain: homecentr.one + +subnets: + services: + cidr: 10.1.8.0/24 + prefix: 10.1.8 + services_storage: + cidr: 192.168.9.0/24 + prefix: 192.168.9 \ No newline at end of file diff --git a/environments/lab/group_vars/cloudflared_containers/secrets.sops.yaml b/environments/lab/group_vars/cloudflared/secrets.sops.yaml similarity index 100% rename from environments/lab/group_vars/cloudflared_containers/secrets.sops.yaml rename to environments/lab/group_vars/cloudflared/secrets.sops.yaml 
diff --git a/environments/lab/group_vars/containers/app_container.yaml b/environments/lab/group_vars/containers/app_container.yaml index fa6f336..ad6066d 100644 --- a/environments/lab/group_vars/containers/app_container.yaml +++ b/environments/lab/group_vars/containers/app_container.yaml @@ -1 +1,2 @@ -app_container_nameserver: 10.1.8.64 \ No newline at end of file +app_container_nameserver: 10.1.8.64 +app_container_storage_name: dpool \ No newline at end of file diff --git a/environments/lab/group_vars/pve_nodes/firewall.yaml b/environments/lab/group_vars/pve_nodes/firewall.yaml index 34fcd15..ec54b91 100644 --- a/environments/lab/group_vars/pve_nodes/firewall.yaml +++ b/environments/lab/group_vars/pve_nodes/firewall.yaml @@ -61,51 +61,3 @@ pve_cluster_firewall_ipsets: name: homepage pve_cluster_firewall_security_groups: [] - # - name: my-group - # rules: - # - direction: IN - # type: macro - # name: SSH - # action: ACCEPT - # source: - # type: ipset - # name: some-ipset - # destination: 10.1.8.0/24 # optional - - # - enabled: false # default = true - # direction: IN - # action: ACCEPT - # protocol: TCP - # source_port: 25 - # destination_port: http - # source: # might be: ipset (+), alias (dc/), comma-separated list of ips or most likely also a cidr - # type: alias - # name: some-alias - # destination: 10.1.8.0/24 - -# pve_cluster_firewall_rules: - # - direction: IN - # action: ACCEPT - # macro: SSH - # source: - # type: alias - # name: subnet-home - # - direction: IN - # action: ACCEPT - # macro: HTTPS - # destination: - # type: ipset - # name: management - # source: - # type: alias - # name: subnet-home - # - direction: IN - # action: ACCEPT - # destination_port: 8006 - # protocol: TCP - # destination: - # type: ipset - # name: management - # source: - # type: alias - # name: subnet-home \ No newline at end of file diff --git a/environments/lab/group_vars/pve_nodes/general.yaml b/environments/lab/group_vars/pve_nodes/general.yaml index e2986c4..1330590 100644 
--- a/environments/lab/group_vars/pve_nodes/general.yaml +++ b/environments/lab/group_vars/pve_nodes/general.yaml @@ -1,65 +1,8 @@ -# This is required for VNC proxy between the nodes -ssh_allow_root_login_trusted_clients: - - pve1 - - pve2 - - pve3 - pve_zfs_max_arc_size_gb: 0.5 pve_cluster_options_migration_network: 192.168.8.0/24 -pve_cluster_ha_groups: - - name: critical-priority-pve1 - nodes: - - name: pve1 - priority: 1000 - - name: pve2 - priority: 1 - restricted: false - nofailback: false - - name: critical-priority-pve2 - nodes: - - name: pve1 - priority: 1 - - name: pve2 - priority: 1000 - restricted: false - nofailback: false - - name: critical-priority-pve3 - nodes: - - name: pve1 - priority: 1 - - name: pve2 - priority: 1 - - name: pve3 - priority: 1000 - restricted: false - nofailback: false - - name: critical - nodes: - - name: pve1 - priority: 1 - - name: pve2 - priority: 1 - restricted: false - nofailback: false - - name: non-critical - nodes: - - name: pve1 - priority: 1 - - name: pve2 - priority: 1 - restricted: true - nofailback: false - -pve_domain: homecentr.one -pve_nameservers: - - 1.1.1.1 - - 1.0.0.1 - +# TODO: Move this to secrets and use external SMTP pve_smtp_host: 10.1.8.130 pve_smtp_port: 25 pve_smtp_tls: false - -pve_ct_templates: -- http://download.proxmox.com/images/system/debian-12-standard_12.2-1_amd64.tar.zst diff --git a/environments/lab/group_vars/pve_nodes/ups.yaml b/environments/lab/group_vars/pve_nodes/ups.yaml index d10b859..3096565 100644 --- a/environments/lab/group_vars/pve_nodes/ups.yaml +++ b/environments/lab/group_vars/pve_nodes/ups.yaml @@ -1,3 +1,5 @@ +ups_name: dummy-ups1 + ups_devices: - name: dummy-ups1 driver: dummy-ups diff --git a/environments/lab/host_vars/cloudflared1.yaml b/environments/lab/host_vars/cloudflared1.yaml deleted file mode 100644 index 37b66fc..0000000 --- a/environments/lab/host_vars/cloudflared1.yaml +++ /dev/null 
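Review bot: `pve_smtp_tls: false` keeps Proxmox notification mail to `10.1.8.130:25` in the clear, while the relay this repository deploys presents a certificate (the haraka compose template mounts `tls_cert.pem` and `tls_key.pem`); the `# TODO` covers moving to an external SMTP but not enabling TLS towards the internal one. If the role's `pve_smtp_tls` maps to STARTTLS (not visible here) and 10.1.8.130 is that relay, flipping it to `true` is a one-line improvement independent of the TODO. It is also worth confirming that the removed `ssh_allow_root_login_trusted_clients` list moved with the rest of this block into `environments/shared/group_vars/pve_nodes/general.yaml` (the diffstat shows the rename from prod), since the deleted comment says root SSH between nodes is required for the VNC proxy and an accidental drop would only surface at runtime.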
@@ -1,13 +0,0 @@ -ansible_host: 10.1.8.70 -ansible_hostname: ct-cloudflared1-lab - -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.8.70/24 - ipv4_gateway: 10.1.8.1 - -app_container_pve_node: pve1 -app_container_pve_ha_group_name: critical-priority-pve1 -app_container_pve_replication_nodes: - - pve2 \ No newline at end of file diff --git a/environments/lab/host_vars/frigate/container.yaml b/environments/lab/host_vars/frigate/container.yaml index 3aee5d0..30eadbe 100644 --- a/environments/lab/host_vars/frigate/container.yaml +++ b/environments/lab/host_vars/frigate/container.yaml @@ -1,17 +1,6 @@ -ansible_host: 10.1.8.69 -ansible_hostname: ct-frigate-lab - -app_container_docker_support: true -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 2048 -app_container_storage_name: dpool +# ??? app_container_memory: 2048 +app_container_storage_name: dpool1 app_container_storage_size_gb: 5 -app_container_pve_replication_cron_expression: "*/5" -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.8.69/24 - ipv4_gateway: 10.1.8.1 app_container_mounts: - type: disk @@ -20,31 +9,4 @@ app_container_mounts: size_gb: 2 target_path: /nvr -app_container_pve_node: pve2 -app_container_pve_ha_group_name: noncritical -app_container_pve_replication_nodes: - - pve1 - app_frigate_image_tag: 0.13.2 -app_frigate_cache_size_gb: 1 -app_frigate_shm_size_gb: 1 - -app_pihole_records: - - hostname: frigate-lab - type: pomerium_proxy - -app_pomerium_routes: - - hostname: frigate-lab - target_port: 5000 - auth_mode: users - -app_gatus_monitored_endpoints: - - name: Web UI / container - group: Frigate - type: http - host: ct-frigate-lab - port: 5000 - - name: Web UI / via proxy - group: Frigate - type: https-pomerium-proxy - host: frigate-lab.homecentr.one \ No newline at end of file 
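Review bot: `app_container_storage_name: dpool1` in this lab host_vars file overrides the lab-wide `app_container_storage_name: dpool` that the same commit adds to `environments/lab/group_vars/containers/app_container.yaml`, and `dpool1` is the name the deleted prod files used, so this reads as a copy from prod rather than an intentional lab override; on a lab node without a `dpool1` storage the container create fails, or lands on the wrong pool if one happens to exist. Either drop the line so the group default applies or comment why frigate needs a different pool. The `# ??? app_container_memory: 2048` placeholder should be resolved before this leaves checkpoint state: with it commented out the container gets whatever memory default the role applies, which is not visible here.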
diff --git a/environments/lab/host_vars/mqtt.yaml b/environments/lab/host_vars/mqtt.yaml deleted file mode 100644 index 96edda1..0000000 --- a/environments/lab/host_vars/mqtt.yaml +++ /dev/null @@ -1,22 +0,0 @@ -ansible_host: 10.1.8.67 -ansible_hostname: ct-mqtt-lab - -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 512 -app_container_storage_name: dpool -app_container_storage_size_gb: 5 -app_container_pve_replication_cron_expression: "*/5" -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.8.67/24 - ipv4_gateway: 10.1.8.1 - -app_container_pve_node: pve1 -app_container_pve_ha_group_name: non-critical -app_container_pve_replication_nodes: - - pve2 - -app_pihole_records: - - hostname: mqtt-lab - type: ansible_host diff --git a/environments/lab/host_vars/pomerium/secrets.sops.yaml b/environments/lab/host_vars/pomerium.sops.yaml similarity index 100% rename from environments/lab/host_vars/pomerium/secrets.sops.yaml rename to environments/lab/host_vars/pomerium.sops.yaml diff --git a/environments/lab/host_vars/pomerium/pomerium.yaml b/environments/lab/host_vars/pomerium/pomerium.yaml deleted file mode 100644 index ba9d439..0000000 --- a/environments/lab/host_vars/pomerium/pomerium.yaml +++ /dev/null @@ -1,8 +0,0 @@ -app_pomerium_hostname: login-lab.homecentr.one - -app_pomerium_groups_administrators: b77c210d-8ae3-4292-9e95-c7d42a2f254f -app_pomerium_groups_users: ba84af15-129a-42c3-806c-62700ea31a7c - -app_pomerium_certificates: - - fullchain_path: /getssl/wildcard_fullchain.crt - key_path: /getssl/wildcard.key diff --git a/environments/lab/host_vars/pve3.yaml b/environments/lab/host_vars/pve3.yaml deleted file mode 100644 index 4a025de..0000000 --- a/environments/lab/host_vars/pve3.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -# Common -ansible_host: 10.1.8.13 -ansible_hostname: pve3-lab - -# UPS -ups_name: dummy-ups1 - -# GetSSL -getssl_cron_renewal_hour: 18 - -# Monitoring -app_gatus_monitored_endpoints: - - name: pve3 / ping - group: Proxmox VE - type: ping - - name: pve3 / http - group: Proxmox VE - type: https - host: pve3-lab.homecentr.one \ No newline at end of file diff --git a/environments/lab/host_vars/smtp_relay/haraka.sops.yaml b/environments/lab/host_vars/smtp_relay.sops.yaml similarity index 100% rename from environments/lab/host_vars/smtp_relay/haraka.sops.yaml rename to environments/lab/host_vars/smtp_relay.sops.yaml diff --git a/environments/lab/host_vars/smtp_relay/dns.yaml b/environments/lab/host_vars/smtp_relay/dns.yaml deleted file mode 100644 index 8002ecd..0000000 --- a/environments/lab/host_vars/smtp_relay/dns.yaml +++ /dev/null @@ -1,3 +0,0 @@ -app_pihole_records: - - hostname: smtp-lab - type: ansible_host \ No newline at end of file diff --git a/environments/lab/host_vars/smtp_relay/monitoring.yaml b/environments/lab/host_vars/smtp_relay/monitoring.yaml deleted file mode 100644 index 0ddbab5..0000000 --- a/environments/lab/host_vars/smtp_relay/monitoring.yaml +++ /dev/null @@ -1,6 +0,0 @@ -app_gatus_monitored_endpoints: - - name: Haraka - group: SMTP Relay - type: starttls - host: smtp-lab.homecentr.one - port: 25 \ No newline at end of file diff --git a/environments/prod/group_vars/all/general.yaml b/environments/prod/group_vars/all/general.yaml deleted file mode 100644 index 78bfffd..0000000 --- a/environments/prod/group_vars/all/general.yaml +++ /dev/null @@ -1,3 +0,0 @@ -ansible_user: lholota -ansible_python_interpreter: "/usr/bin/python3" -domain: homecentr.one diff --git a/environments/prod/group_vars/all/users.sops.yaml b/environments/prod/group_vars/all/users.sops.yaml deleted file mode 100644 index 9df9ad8..0000000 --- a/environments/prod/group_vars/all/users.sops.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -users_root_password: ENC[AES256_GCM,data:eQB825IroAAna/XBIMUMuEUqeoJABWshyAo=,iv:GZzUc4/mjzbZucfSbeaVHdCVIyV7e9mjoizNZGWoLZI=,tag:FX4O+FC2MzCsdB/YxfYSUg==,type:str] -users_root_password_salt: ENC[AES256_GCM,data:ow2yKqOruFRJRqMs9e7aGA==,iv:pf8VAYaJqchNTImR56m5JwY1yUK/OCKu5lMfCDdVrG8=,tag:UteFoWFXcNsxZbqdUM6C+A==,type:str] -users_admin_users: - - username: ENC[AES256_GCM,data:IiH/5tGxww==,iv:MtuXPDoTp1X1dAlJ39xV1l/gNGFgbA98sLhhx4AtomU=,tag:7g/8IlL2UIfEoOfMZgxuPQ==,type:str] - public_keys: - - ENC[AES256_GCM,data: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,iv:lffsvnH3gzYIXCgyS/lK3Y4Elbqg+HioPb3I0WZUOPQ=,tag:FOg1pOIeYI5d+XDNjzQGAQ==,type:str] - - ENC[AES256_GCM,data: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,iv:B9gVFmR9RLajkcUfNIe/5Tpi4z5CcfZyI76bmLFOBxo=,tag:6YzAEaKpmsE7nrlnqVq+GA==,type:str] - - username: ENC[AES256_GCM,data:5UAVVmm2rSdodkMrvA==,iv:IVBaDzpChyxqbCcMxh/ZmQAIfdFfVgqcdHFIMRTjujc=,tag:HH8dfEpPOMfw3wkW1etd+Q==,type:str] - public_keys: - - ENC[AES256_GCM,data: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,iv:VgeFMjLn+z7nYmEETvJ43xWv7TrDKEDJ8K3jqtMMghk=,tag:/+jxTjcicr5RZbfl7q1w6Q==,type:str] -ssh_allowed_users: - - ENC[AES256_GCM,data:HF8YTmKN+Q==,iv:aHIWB34sk+gLbuWB4ZD5oOIpM09egrYizhWLxc13mh0=,tag:CPEdUBdDpcJpTrqWUJYgqQ==,type:str] - - ENC[AES256_GCM,data:YNR0UGlGGI8DBU/GNw==,iv:HAwpRCsnz/jjYaT54M3zih4h8uaz0XiUlk3xhBARrFM=,tag:5HwUrFzewflbYu+p/dTpPw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Sndlcjd3bUtycHhBWXF5 - NnBFdEVHc2hzR1pMRHhDMDJKWWpxUXBlblMwCnJ4WGxSeUM0MkRIenVqTmlGQ3dx - UTBvZkI0ZmZVSnhjazJYVUM2allJUGcKLS0tIDdJWitBSFpEb29Gc3NIMldVdGRV - aWN1V0VMcVVSTUI4eDY1L3dmaCs0SU0KkzPO20YfskpLYPYeNu09SGA6243cVGTf - MDOHatdRs2CkZNEw2A6xaoIXnj0Rr+N9sfrdAWRsCBBRxyfgxw1Bog== - -----END AGE ENCRYPTED FILE----- - 
lastmodified: "2023-06-04T20:42:51Z" - mac: ENC[AES256_GCM,data:JYTu3yhVocuTnL01t5IU/LRVNd9HtTOVTHnEdXm65h4OoesytvHNmh2Csq7MfvYSWTuComOWxCGn4n2upwrEHL7IVietDX4A728GBOqDKD2ruHCetAqPqvFVInQoqzFWVAIvOrQhO/mLo7L6NlFRveNPw0SJn3koxtdj+JrVS/A=,iv:58T9mNgwmwsuAk496VFCBuK9h/jaT8YX8y/NORpDdlU=,tag:KTn1uE4Y7gMknB+EV0RpMg==,type:str] - pgp: - - created_at: "2023-06-05T09:01:59Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CARAAhgn5QVDIe74f3jPc6UeLebhptknDLqxrD/zO0xEs7BX9 - XOy47z0jhdLruO+i9AxpFJxSX6VQ/D3DuLKTTikvTk0UYU6BEIVbw90UsLdY+g2K - beRsFeql7tKAYF2FQuPWGKzE7ee6TVypLD+VBXYuQOvpdd4sZCJ/qMlfMGMBrALZ - sV19IPtHnvFjtLKXO2/QyFk4OJfLAG6i+vuwtAokxSGMGab+F0iDhoCXo+YjbTR+ - aTropldbOOudDDb4VFNDSkza7TI2gm4vyOjYN+i27D001ulywsBzO0/pXlb+ajZS - BlN4rGU+I4wsBDp841FTNZPy9Lf7vYsVPD+WFQpqr1VJOn3TAt/Dw5GsPVuux77Z - WjsVpxtXGWSt3esX6uOCT8ErOWN45ZmMdHK8Fdq63P11RlmUwox2GhNIcouT+s44 - nhnpL2ZgLmZ1LS8DxG/ZRylgelGSnZjIxCDjtZ1zuqUJYJSyZWV57fD0Gs8mEHMk - SGntsuvkIqAUY0lk4kDFWqbLveyZgvu2hU4KvdWZEhfOK44fc2NAXGQY9O/ucdWD - Cae1jeygtFREp+ANsCkyErnSg4wrxZd29rJVjvUx4B3n4yMzgk15rO4r2i2QGeNE - T3QQC/JeLqFfvlhIYRjuZY+dqW0PomEjWDdSJF4ReXRvw/L2Usik5ktZgPJHQKvS - XAG4cJV6FNAEsnVzoDFN66sWq3RoGDSktvP765CHi1A3K+8WMrB765fn4eIyEye3 - 6aPbn7PNYSNluMdh9Z44nUrmS+tve+gBlLocwHHYZ6MyyIngsuhbEXKAEPIh - =3kz5 - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/prod/group_vars/cloudflared_containers/container.yaml b/environments/prod/group_vars/cloudflared_containers/container.yaml deleted file mode 100644 index 315d523..0000000 --- a/environments/prod/group_vars/cloudflared_containers/container.yaml +++ /dev/null @@ -1,5 +0,0 @@ -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 1024 -app_container_storage_name: dpool1 -app_container_storage_size_gb: 1 -app_container_pve_replication_cron_expression: "*/5" 
diff --git a/environments/prod/group_vars/pve_nodes/ups.yaml b/environments/prod/group_vars/pve_nodes/ups.yaml deleted file mode 100644 index a5134d3..0000000 --- a/environments/prod/group_vars/pve_nodes/ups.yaml +++ /dev/null @@ -1,16 +0,0 @@ -ups_devices: - - name: ups1 - driver: usbhid-ups - description: Eaton 1100 - port: auto - monitored_by: pve1 - # vendor: 0463 - # product: ffff - - - name: ups2 - driver: usbhid-ups - description: Eaton 1500 - port: auto - monitored_by: pve2 - # vendor: 0463 - # product: ffff diff --git a/environments/prod/host_vars/cloudflared1.yaml b/environments/prod/host_vars/cloudflared1.yaml deleted file mode 100644 index 7c4c42f..0000000 --- a/environments/prod/host_vars/cloudflared1.yaml +++ /dev/null @@ -1,13 +0,0 @@ -ansible_host: 10.1.2.70 -ansible_hostname: ct-cloudflared1 - -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.2.70/24 - ipv4_gateway: 10.1.2.1 - -app_container_pve_node: pve1 -app_container_pve_ha_group_name: critical-priority-pve1 -app_container_pve_replication_nodes: - - pve2 diff --git a/environments/prod/host_vars/cloudflared2.yaml b/environments/prod/host_vars/cloudflared2.yaml deleted file mode 100644 index b413cbc..0000000 --- a/environments/prod/host_vars/cloudflared2.yaml +++ /dev/null @@ -1,13 +0,0 @@ -ansible_host: 10.1.2.71 -ansible_hostname: ct-cloudflared2 - -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.2.71/24 - ipv4_gateway: 10.1.2.1 - -app_container_pve_node: pve2 -app_container_pve_ha_group_name: critical-priority-pve2 -app_container_pve_replication_nodes: - - pve1 diff --git a/environments/prod/host_vars/homepage/bookmarks.yaml b/environments/prod/host_vars/homepage/bookmarks.yaml deleted file mode 100644 index 75da61f..0000000 --- a/environments/prod/host_vars/homepage/bookmarks.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -app_homepage_bookmarks: - - Homelab: - - "Homecentr documentation": - - icon: /icons/homecentr.png - href: https://docs.homecentr.one - - - "Homecentr on Github": - - icon: github-light - href: https://github.com/homecentr/ - - - "Cloud tools": - - OneDrive: - - icon: /icons/onedrive.png - href: https://onedrive.com - - - Gmail: - - icon: gmail - href: https://gmail.com - - - "Cloud infrastructure": - - Azure: - - icon: azure - href: https://portal.azure.com - - - Cloudflare: - - icon: cloudflare - href: https://cloudflare.com - - - PagerDuty: - - icon: pagerduty - href: https://pagerduty.com - - - SendGrid: - - icon: /icons/sendgrid.png - href: https://sendgrid.com - - - Dynadot: - - icon: /icons/dynadot.png - href: https://dynadot.com \ No newline at end of file diff --git a/environments/prod/host_vars/homepage/container.yaml b/environments/prod/host_vars/homepage/container.yaml deleted file mode 100644 index b3ec628..0000000 --- a/environments/prod/host_vars/homepage/container.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -ansible_host: 10.1.2.72 -ansible_hostname: ct-homepage - -app_container_docker_support: true -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 512 -app_container_storage_name: dpool1 -app_container_storage_size_gb: 2 -app_container_pve_replication_cron_expression: "*/5" -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.2.72/24 - ipv4_gateway: 10.1.2.1 - -app_container_pve_node: pve2 -app_container_pve_ha_group_name: noncritical -app_container_pve_replication_nodes: - - pve1 - -app_homepage_image_tag: v0.8.11 - -app_pomerium_routes: - - hostname: homepage - target_port: 3000 - path: /api/healthcheck - auth_mode: public - - - hostname: homepage - target_port: 3000 - auth_mode: users - -app_pihole_records: - - hostname: homepage - type: pomerium_proxy - -app_gatus_monitored_endpoints: - - name: Web UI / container - group: Homepage - type: http - host: ct-homepage - port: 3000 - path: /api/healthcheck - - - name: Web UI / via proxy - group: Homepage - type: https-pomerium-proxy - host: homepage.homecentr.one - path: /api/healthcheck diff --git a/environments/prod/host_vars/homepage/services.yaml b/environments/prod/host_vars/homepage/services.yaml deleted file mode 100644 index 5e25c93..0000000 --- a/environments/prod/host_vars/homepage/services.yaml +++ /dev/null @@ -1,4 +0,0 @@ -app_homepage_services: - - Apps: [] - - Development: [] - - Infrastructure: [] \ No newline at end of file diff --git a/environments/prod/host_vars/homepage/settings.yaml b/environments/prod/host_vars/homepage/settings.yaml deleted file mode 100644 index 33cf2f1..0000000 --- a/environments/prod/host_vars/homepage/settings.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -app_homepage_settings: - title: Homecentr - favicon: /icons/favicon.ico - background: https://images.unsplash.com/photo-1519681393784-d120267933ba - backgroundOpacity: 0.3 - theme: dark - color: neutral - headerStyle: clean \ No newline at end of file diff --git a/environments/prod/host_vars/homepage/widgets.yaml b/environments/prod/host_vars/homepage/widgets.yaml deleted file mode 100644 index 6ab1887..0000000 --- a/environments/prod/host_vars/homepage/widgets.yaml +++ /dev/null @@ -1,4 +0,0 @@ -app_homepage_widgets: - - search: - provider: google - target: _blank \ No newline at end of file diff --git a/environments/prod/host_vars/monitoring.yaml b/environments/prod/host_vars/monitoring.yaml deleted file mode 100644 index b29d953..0000000 --- a/environments/prod/host_vars/monitoring.yaml +++ /dev/null @@ -1,29 +0,0 @@ -ansible_host: 10.1.2.68 -ansible_hostname: ct-monitoring - -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 4096 -app_container_storage_name: dpool1 -app_container_storage_size_gb: 50 -app_container_pve_replication_cron_expression: "*/5" -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.2.68/24 - ipv4_gateway: 10.1.2.1 - -app_container_pve_node: pve2 -app_container_pve_ha_group_name: noncritical -app_container_pve_replication_nodes: - - pve1 - -app_gatus_image_tag: v5.7.0 - -app_pomerium_routes: - - hostname: gatus - target_port: 8080 - auth_mode: public - -app_pihole_records: - - hostname: gatus - type: pomerium_proxy diff --git a/environments/prod/host_vars/mqtt.yaml b/environments/prod/host_vars/mqtt.yaml deleted file mode 100644 index 867ddd7..0000000 --- a/environments/prod/host_vars/mqtt.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -ansible_host: 10.1.2.67 -ansible_hostname: ct-mqtt - -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 1024 -app_container_storage_name: dpool1 -app_container_storage_size_gb: 5 -app_container_pve_replication_cron_expression: "*/5" -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.2.67/24 - ipv4_gateway: 10.1.2.1 - -app_container_pve_node: pve1 -app_container_pve_ha_group_name: non-critical -app_container_pve_replication_nodes: - - pve2 - -app_pihole_records: - - hostname: mqtt - type: ansible_host diff --git a/environments/prod/host_vars/pihole.yaml b/environments/prod/host_vars/pihole.yaml deleted file mode 100644 index 3489a98..0000000 --- a/environments/prod/host_vars/pihole.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -ansible_host: 10.1.2.64 -ansible_hostname: ct-pihole - -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 1024 -app_container_storage_name: dpool1 -app_container_storage_size_gb: 5 -app_container_pve_replication_cron_expression: "*/5" -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.2.64/24 - ipv4_gateway: 10.1.2.1 - -app_container_pve_node: pve1 -app_container_pve_ha_group_name: critical-priority-pve1 -app_container_pve_replication_nodes: - - pve2 - -app_pihole_version: 5.17.3 -app_pihole_forwarders: - - 1.1.1.1 - - 1.0.0.1 - -app_pihole_custom_forwarders: - # Forward lab queries to lab nameserver - - domain_pattern: "*-lab.homecentr.one" - nameserver: 10.1.8.64 - -app_pomerium_routes: - - hostname: pihole - auth_mode: administrators - -app_pihole_records: - - hostname: pihole - type: pomerium_proxy - -app_gatus_monitored_endpoints: - - name: Web UI / container - group: Pi-hole - type: http - host: ct-pihole - port: 80 - - - name: DNS - group: Pi-hole - type: dns - host: 10.1.2.64 - dns_query_name: "login.homecentr.one" - dns_query_type: "A" - dns_query_answer: 10.1.2.66 diff --git a/environments/prod/host_vars/pomerium/container.yaml b/environments/prod/host_vars/pomerium/container.yaml deleted file mode 100644 index 07db7fd..0000000 --- a/environments/prod/host_vars/pomerium/container.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -ansible_host: 10.1.2.66 -ansible_hostname: ct-pomerium - -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 1024 -app_container_storage_name: dpool1 -app_container_storage_size_gb: 3 -app_container_pve_replication_cron_expression: "*/5" -app_container_mapped_uids: - - 7000 -app_container_mapped_gids: - - 7000 -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: 10.1.2.66/24 - ipv4_gateway: 10.1.2.1 -app_container_pve_node: pve1 -app_container_pve_ha_group_name: critical-priority-pve1 -app_container_pve_replication_nodes: - - pve2 - -app_container_getssl_certificates: - - name: "*.homecentr.one" - fullchain_filename: "wildcard_fullchain.crt" - cert_filename: "wildcard.crt" - key_filename: "wildcard.key" - user: 7000 - group: 7000 - mode: 0440 - -app_pomerium_routes: - - hostname: pve - auth_mode: public # Proxmox has its own authentication - protocol: https - target_port: 8006 - tls_upstream_server_name: pve.homecentr.one - backend: - - 10.1.2.11 - - 10.1.2.12 - - 10.1.2.13 - -app_pihole_records: - - hostname: login - type: ansible_host - - - hostname: pve - type: pomerium_proxy - -app_gatus_monitored_endpoints: - - name: Pomerium - group: Pomerium - type: https - host: login.homecentr.one - path: /healthz - - # Can check directly root because the site is not authenticated by pomerium - - name: Web UI balancing proxy - group: Proxmox VE - type: https-pomerium-proxy - host: pve.homecentr.one - diff --git a/environments/prod/host_vars/pomerium/pomerium.yaml b/environments/prod/host_vars/pomerium/pomerium.yaml deleted file mode 100644 index dadb34d..0000000 --- a/environments/prod/host_vars/pomerium/pomerium.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -app_pomerium_hostname: login.homecentr.one - -app_pomerium_groups_administrators: 64d004bd-9218-4fae-9919-0505ff5eeb8e -app_pomerium_groups_users: aac23af7-2d73-497f-b93c-b8ca4007638d - -app_pomerium_certificates: - - fullchain_path: /getssl/wildcard_fullchain.crt - key_path: /getssl/wildcard.key diff --git a/environments/prod/host_vars/pve1.yaml b/environments/prod/host_vars/pve1.yaml deleted file mode 100644 index af7341e..0000000 --- a/environments/prod/host_vars/pve1.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# Common -ansible_host: 10.1.2.11 -ansible_hostname: pve1 - -# UPS -ups_name: ups1 - -# GetSSL -getssl_cron_renewal_hour: 16 - -# PVE -pve_pci_passhthrough_enabled: true - -# Monitoring -app_gatus_monitored_endpoints: - - name: pve1 / ping - group: Proxmox VE - type: ping - - name: pve1 / http - group: Proxmox VE - type: https - host: pve1.homecentr.one diff --git a/environments/prod/host_vars/pve2.yaml b/environments/prod/host_vars/pve2.yaml deleted file mode 100644 index dd68962..0000000 --- a/environments/prod/host_vars/pve2.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# Common -ansible_host: 10.1.2.12 -ansible_hostname: pve2 - -# UPS -ups_name: ups2 - -# GetSSL -getssl_cron_renewal_hour: 17 - -# PVE -pve_pci_passhthrough_enabled: true - -# Monitoring -app_gatus_monitored_endpoints: - - name: pve2 / ping - group: Proxmox VE - type: ping - - name: pve2 / http - group: Proxmox VE - type: https - host: pve2.homecentr.one diff --git a/environments/prod/hosts.yaml b/environments/prod/hosts.yaml deleted file mode 100644 index eccc34d..0000000 --- a/environments/prod/hosts.yaml +++ /dev/null @@ -1,20 +0,0 @@ -all: - children: - pve_nodes: - hosts: - pve1: - pve2: - pve3: - containers: - hosts: - frigate: - homepage: - monitoring: - mqtt: - pihole: - pomerium: - children: - cloudflared_containers: - hosts: - cloudflared1: - cloudflared2: \ No newline at end of file 
diff --git a/environments/shared/group_vars/all/env.yaml b/environments/shared/group_vars/all/env.yaml new file mode 100644 index 0000000..585a61c --- /dev/null +++ b/environments/shared/group_vars/all/env.yaml @@ -0,0 +1,5 @@ +ipam: + pihole: "{{ subnets.services | ansible.utils.ipmath(64) }}" + smtp_relay: "{{ subnets.services | ansible.utils.ipmath(65) }}" + pomerium: "{{ subnets.services | ansible.utils.ipmath(66) }}" + \ No newline at end of file diff --git a/environments/lab/group_vars/all/general.yaml b/environments/shared/group_vars/all/general.yaml similarity index 98% rename from environments/lab/group_vars/all/general.yaml rename to environments/shared/group_vars/all/general.yaml index 7f1af01..42f9e18 100644 --- a/environments/lab/group_vars/all/general.yaml +++ b/environments/shared/group_vars/all/general.yaml @@ -1,3 +1,4 @@ ansible_user: lholota ansible_python_interpreter: "/usr/bin/python3" + domain: homecentr.one \ No newline at end of file diff --git a/environments/lab/group_vars/cloudflared_containers/container.yaml b/environments/shared/group_vars/containers/app_container.yaml similarity index 58% rename from environments/lab/group_vars/cloudflared_containers/container.yaml rename to environments/shared/group_vars/containers/app_container.yaml index 9cdff6d..9679f42 100644 --- a/environments/lab/group_vars/cloudflared_containers/container.yaml +++ b/environments/shared/group_vars/containers/app_container.yaml @@ -1,5 +1,3 @@ app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 512 -app_container_storage_name: dpool -app_container_storage_size_gb: 1 app_container_pve_replication_cron_expression: "*/5" +app_container_pve_ha_group_name: noncritical 
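Review bot: The new `ipam` map defines the pihole, smtp_relay and pomerium addresses once, but the host_vars in this same commit keep recomputing the same offsets by hand — pihole.yaml still has `ansible_host: "{{ subnets.services | ansible.utils.ipmath(64) }}"` and `dns_query_answer: "{{ subnets.services | ansible.utils.ipmath(66) }}"` — so the two sources can drift without anyone noticing. Either reference `"{{ ipam.pihole }}"` and `"{{ ipam.pomerium }}"` from those files or leave `ipam` out until something reads it. The last added line is whitespace-only before the missing trailing newline, which yamllint will flag. The same duplication applies to `domain: homecentr.one` in the adjacent general.yaml hunk, since every shared host_vars file still spells `.homecentr.one` inline.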
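Review bot: `app_container_pve_ha_group_name: noncritical` becomes the group-level default here, while the new mqtt.yaml hunk and the unifi_controller.yaml hunk override it with `non-critical` for their hosts. The only HA group names visible in this diff are the `critical-priority-pve1` style and `noncritical`, so if `non-critical` is not defined in `pve_cluster_ha_groups` those two containers either end up without an HA group or fail provisioning, depending on how the role treats an unknown name. Use one spelling, `app_container_pve_ha_group_name: noncritical`, or simply delete the host-level override so the group default applies.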
diff --git a/environments/prod/group_vars/pve_nodes/firewall.yaml b/environments/shared/group_vars/pve_nodes/firewall.yaml similarity index 57% rename from environments/prod/group_vars/pve_nodes/firewall.yaml rename to environments/shared/group_vars/pve_nodes/firewall.yaml index 3ee9c6d..954fc40 100644 --- a/environments/prod/group_vars/pve_nodes/firewall.yaml +++ b/environments/shared/group_vars/pve_nodes/firewall.yaml @@ -4,28 +4,28 @@ pve_cluster_firewall_aliases: - name: subnet-home cidr: 10.1.3.0/24 - name: subnet-services - cidr: 10.1.2.0/24 + cidr: "{{ subnets.services }}" - - name: pve1 - cidr: 10.1.2.11/32 - - name: pve2 - cidr: 10.1.2.12/32 - - name: pve3 - cidr: 10.1.2.13/32 + - name: "pve1{{ env.suffix }}" + cidr: "{{ subnets.services | ansible.utils.ipmath(11) }}/32" + - name: "pve2{{ env.suffix }}" + cidr: "{{ subnets.services | ansible.utils.ipmath(12) }}/32" + - name: "pve3{{ env.suffix }}" + cidr: "{{ subnets.services | ansible.utils.ipmath(13) }}/32" - - name: cloudflared1 - cidr: 10.1.2.70/32 - - name: cloudflared2 - cidr: 10.1.2.71/32 + - name: "cloudflared1{{ env.suffix }}" + cidr: "{{ subnets.services | ansible.utils.ipmath(70) }}/32" + - name: "cloudflared2{{ env.suffix }}" + cidr: "{{ subnets.services | ansible.utils.ipmath(71) }}/32" - name: mqtt - cidr: 10.1.2.67/32 + cidr: 10.1.8.67/32 - name: homepage - cidr: 10.1.2.72/32 + cidr: 10.1.8.72/32 - name: pomerium1 - cidr: 10.1.2.66/32 + cidr: 10.1.8.66/32 pve_cluster_firewall_ipsets: @@ -61,5 +61,3 @@ pve_cluster_firewall_ipsets: name: homepage pve_cluster_firewall_security_groups: [] - -pve_cluster_firewall_rules: [] diff --git a/environments/prod/group_vars/pve_nodes/general.yaml b/environments/shared/group_vars/pve_nodes/general.yaml similarity index 84% rename from environments/prod/group_vars/pve_nodes/general.yaml rename to environments/shared/group_vars/pve_nodes/general.yaml index 5b89d7c..c51ec14 100644 --- a/environments/prod/group_vars/pve_nodes/general.yaml 
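Review bot: Three aliases in this now-shared file are still hardcoded to the lab subnet — `cidr: 10.1.8.67/32` (mqtt), `cidr: 10.1.8.72/32` (homepage) and `cidr: 10.1.8.66/32` (pomerium1) — while the pve and cloudflared aliases were templated from `subnets.services`. When prod renders this file, any ipset or rule built on these aliases will match lab addresses instead of the prod containers, so whatever exception was meant for those hosts silently applies to the wrong ones. Template them the same way, `cidr: "{{ subnets.services | ansible.utils.ipmath(67) }}/32"`, `cidr: "{{ subnets.services | ansible.utils.ipmath(72) }}/32"`, `cidr: "{{ subnets.services | ansible.utils.ipmath(66) }}/32"`, and for consistency give their names the `{{ env.suffix }}` the other aliases now carry. The ipsets section that references these aliases continues outside the hunk.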
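Review bot: Dropping `pve_cluster_firewall_rules: []` leaves that variable undefined unless the role provides a default or a per-environment file re-adds it, and neither is visible in this diff. If the role templates rules from it, an undefined variable aborts the play; if it silently treats undefined as empty, the resulting rule set must be confirmed per environment. Keeping the empty default in the shared file, `pve_cluster_firewall_rules: []`, avoids both outcomes until the per-environment value exists.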
+++ b/environments/shared/group_vars/pve_nodes/general.yaml @@ -4,10 +4,6 @@ ssh_allow_root_login_trusted_clients: - pve2 - pve3 -pve_zfs_max_arc_size_gb: 4 - -pve_cluster_options_migration_network: 10.1.7.0/24 - pve_cluster_ha_groups: - name: critical-priority-pve1 nodes: @@ -42,14 +38,9 @@ pve_cluster_ha_groups: restricted: true nofailback: false -pve_domain: homecentr.one pve_nameservers: - 1.1.1.1 - 1.0.0.1 -pve_smtp_host: 10.1.2.130 -pve_smtp_port: 25 -pve_smtp_tls: false - pve_ct_templates: - http://download.proxmox.com/images/system/debian-12-standard_12.2-1_amd64.tar.zst diff --git a/environments/shared/host_vars/cloudflared1.yaml b/environments/shared/host_vars/cloudflared1.yaml new file mode 100644 index 0000000..d56916b --- /dev/null +++ b/environments/shared/host_vars/cloudflared1.yaml @@ -0,0 +1,16 @@ +ansible_host: "{{ subnets.services | ansible.utils.ipmath(70) }}" +ansible_hostname: "ct-cloudflared1{{ env.suffix }}" + +app_container_memory: 512 +app_container_storage_size_gb: 1 + +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: "{{ subnets.services | ansible.utils.ipmath(70) }}/24" + ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" + +app_container_pve_node: pve1 +app_container_pve_ha_group_name: critical-priority-pve1 +app_container_pve_replication_nodes: + - pve2 \ No newline at end of file diff --git a/environments/lab/host_vars/cloudflared2.yaml b/environments/shared/host_vars/cloudflared2.yaml similarity index 59% rename from environments/lab/host_vars/cloudflared2.yaml rename to environments/shared/host_vars/cloudflared2.yaml index 5d2ea3b..5a48594 100644 --- a/environments/lab/host_vars/cloudflared2.yaml +++ b/environments/shared/host_vars/cloudflared2.yaml 
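Review bot: `ipv4_address: "{{ subnets.services | ansible.utils.ipmath(70) }}/24"` pins the prefix length to /24 while the network itself comes from `subnets.services`; if an environment's services subnet is ever not a /24, the container address and the firewall's `subnet-services` alias will disagree. Derive the prefix from the same variable, e.g. `ipv4_address: "{{ subnets.services | ansible.utils.ipmath(70) }}/{{ subnets.services | ansible.utils.ipaddr('prefix') }}"`. The same pattern repeats in the cloudflared2, frigate, homepage, monitoring, mqtt, pihole, pomerium, smtp_relay and unifi_controller hunks. The gateway is likewise assumed to be the first host (`ipmath(1)`) in every file; a dedicated gateway variable next to `subnets.services` would make that assumption explicit in one place.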
@@ -1,5 +1,8 @@ -ansible_host: 10.1.8.71 -ansible_hostname: ct-cloudflared2-lab +ansible_host: "{{ subnets.services | ansible.utils.ipmath(71) }}" +ansible_hostname: "ct-cloudflared2{{ env.suffix }}" + +app_container_memory: 512 +app_container_storage_size_gb: 1 app_container_network_interfaces: - name: eth0 diff --git a/environments/prod/host_vars/frigate/container.yaml b/environments/shared/host_vars/frigate.yaml similarity index 58% rename from environments/prod/host_vars/frigate/container.yaml rename to environments/shared/host_vars/frigate.yaml index 92f4de1..df60f45 100644 --- a/environments/prod/host_vars/frigate/container.yaml +++ b/environments/shared/host_vars/frigate.yaml @@ -1,23 +1,22 @@ -ansible_host: 10.1.2.69 -ansible_hostname: ct-frigate +ansible_host: "{{ subnets.services | ansible.utils.ipmath(69) }}" +ansible_hostname: "ct-frigate{{ env.suffix }}" app_container_docker_support: true app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_memory: 2048 -app_container_storage_name: dpool1 app_container_storage_size_gb: 5 -app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: 10.1.2.69/24 - ipv4_gateway: 10.1.2.1 + ipv4_address: "{{ subnets.services | ansible.utils.ipmath(69) }}/24" + ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" +# TODO: Per environment app_container_mounts: - type: disk - storage_name: dpool-nvr - index: 0 - size_gb: 2500 + storage_name: dpool + index: 2 + size_gb: 2 target_path: /nvr app_container_pve_node: pve2 
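Review bot: The `app_container_mounts` entry now reads `storage_name: dpool`, `index: 2`, `size_gb: 2` in a file that applies to prod as well, whereas the removed lines of this same hunk show prod's `/nvr` recording disk as 2500 GB on `dpool-nvr`; the `# TODO: Per environment` comment acknowledges this, but the commit ships the lab values for both environments. Depending on how the container role reconciles an existing mount with a smaller declared size on a different pool, a prod run could detach or recreate the recording volume, so these values belong in environment-specific vars before this file is applied to prod. The same applies to `app_frigate_cache_size_gb: 1` with its `# TODO: Per env` in the next hunk of this file, where prod previously had 4.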
@@ -25,16 +24,17 @@ app_container_pve_ha_group_name: noncritical app_container_pve_replication_nodes: - pve1 +# TODO: Per env app_frigate_image_tag: 0.13.2 -app_frigate_cache_size_gb: 4 +app_frigate_cache_size_gb: 1 app_frigate_shm_size_gb: 1 app_pihole_records: - - hostname: frigate + - hostname: "frigate{{ env.suffix }}" type: pomerium_proxy app_pomerium_routes: - - hostname: frigate + - hostname: "frigate{{ env.suffix }}" target_port: 5000 auth_mode: users @@ -42,9 +42,9 @@ app_gatus_monitored_endpoints: - name: Web UI / container group: Frigate type: http - host: ct-frigate + host: "ct-frigate{{ env.suffix }}" port: 5000 - name: Web UI / via proxy group: Frigate type: https-pomerium-proxy - host: frigate.homecentr.one + host: "frigate{{ env.suffix }}.homecentr.one" \ No newline at end of file diff --git a/environments/lab/host_vars/homepage/bookmarks.yaml b/environments/shared/host_vars/homepage/bookmarks.yaml similarity index 100% rename from environments/lab/host_vars/homepage/bookmarks.yaml rename to environments/shared/host_vars/homepage/bookmarks.yaml diff --git a/environments/lab/host_vars/homepage/container.yaml b/environments/shared/host_vars/homepage/container.yaml similarity index 55% rename from environments/lab/host_vars/homepage/container.yaml rename to environments/shared/host_vars/homepage/container.yaml index 52f4c31..8d9e43f 100644 --- a/environments/lab/host_vars/homepage/container.yaml +++ b/environments/shared/host_vars/homepage/container.yaml 
@@ -1,16 +1,14 @@ -ansible_host: 10.1.8.72 -ansible_hostname: ct-homepage-lab +ansible_host: "{{ subnets.services | ansible.utils.ipmath(72) }}" +ansible_hostname: "ct-homepage{{ env.suffix }}" -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_docker_support: true app_container_memory: 512 -app_container_storage_name: dpool app_container_storage_size_gb: 1 -app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: 10.1.8.72/24 - ipv4_gateway: 10.1.8.1 + ipv4_address: "{{ subnets.services | ansible.utils.ipmath(72) }}/24" + ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve2 app_container_pve_ha_group_name: noncritical @@ -20,21 +18,21 @@ app_container_pve_replication_nodes: app_homepage_image_tag: v0.8.9 app_pomerium_routes: - - hostname: homepage-lab + - hostname: "homepage{{ env.suffix }}" target_port: 3000 auth_mode: users app_pihole_records: - - hostname: homepage-lab + - hostname: "homepage{{ env.suffix }}" type: pomerium_proxy app_gatus_monitored_endpoints: - name: Homepage / container group: Homepage type: http - host: ct-homepage-lab + host: "ct-homepage{{ env.suffix }}" port: 3000 - name: Homepage / via proxy group: Homepage type: https-pomerium-proxy - host: homepage-lab.homecentr.one + host: "homepage{{ env.suffix }}.homecentr.one" diff --git a/environments/lab/host_vars/homepage/services.yaml b/environments/shared/host_vars/homepage/services.yaml similarity index 100% rename from environments/lab/host_vars/homepage/services.yaml rename to environments/shared/host_vars/homepage/services.yaml diff --git a/environments/lab/host_vars/homepage/settings.yaml b/environments/shared/host_vars/homepage/settings.yaml similarity index 81% rename from environments/lab/host_vars/homepage/settings.yaml rename to environments/shared/host_vars/homepage/settings.yaml index 33cf2f1..b2476e7 100644 
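Review bot: The context line `app_homepage_image_tag: v0.8.9` is now the shared value, but the deleted prod host_vars (environments/prod/host_vars/homepage/container.yaml) pinned `app_homepage_image_tag: v0.8.11`, so applying this file to prod downgrades the homepage container. Move the tag to per-environment vars or raise the shared value to `app_homepage_image_tag: v0.8.11`. The same check is worth doing for every image tag that landed in environments/shared: frigate and gatus match their prod values in this diff, while pihole's `app_pihole_version` is outside the visible hunk.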
--- a/environments/lab/host_vars/homepage/settings.yaml +++ b/environments/shared/host_vars/homepage/settings.yaml @@ -1,5 +1,5 @@ app_homepage_settings: - title: Homecentr + title: "Homecentr{{ env.suffix_display }}" favicon: /icons/favicon.ico background: https://images.unsplash.com/photo-1519681393784-d120267933ba backgroundOpacity: 0.3 diff --git a/environments/lab/host_vars/homepage/widgets.yaml b/environments/shared/host_vars/homepage/widgets.yaml similarity index 100% rename from environments/lab/host_vars/homepage/widgets.yaml rename to environments/shared/host_vars/homepage/widgets.yaml diff --git a/environments/lab/host_vars/monitoring.yaml b/environments/shared/host_vars/monitoring.yaml similarity index 51% rename from environments/lab/host_vars/monitoring.yaml rename to environments/shared/host_vars/monitoring.yaml index 8ccd434..4c5076f 100644 --- a/environments/lab/host_vars/monitoring.yaml +++ b/environments/shared/host_vars/monitoring.yaml @@ -1,16 +1,14 @@ -ansible_host: 10.1.8.68 -ansible_hostname: ct-monitoring-lab +ansible_host: "{{ subnets.services | ansible.utils.ipmath(68) }}" +ansible_hostname: "ct-monitoring{{ env.suffix }}" -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_docker_support: true app_container_memory: 512 -app_container_storage_name: dpool app_container_storage_size_gb: 5 -app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: 10.1.8.68/24 - ipv4_gateway: 10.1.8.1 + ipv4_address: "{{ subnets.services | ansible.utils.ipmath(68) }}/24" + ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve2 app_container_pve_ha_group_name: noncritical 
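Review bot: `title: "Homecentr{{ env.suffix_display }}"` is the only place in this diff that reads `env.suffix_display`; every other template uses `env.suffix`, and the `env` map itself is not defined in any hunk shown here. If one environment's `env` map lacks `suffix_display`, templating this file fails with an undefined-variable error on that environment only. Worth confirming both environments define it, or writing `{{ env.suffix_display | default('') }}` if it is meant to be optional.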
@@ -20,10 +18,10 @@ app_container_pve_replication_nodes:
app_gatus_image_tag: v5.7.0
app_pomerium_routes:
- - hostname: gatus-lab
+ - hostname: "gatus{{ env.suffix }}"
target_port: 8080
auth_mode: public
app_pihole_records:
- - hostname: gatus-lab
+ - hostname: "gatus{{ env.suffix }}"
type: pomerium_proxy
diff --git a/environments/shared/host_vars/mqtt.yaml b/environments/shared/host_vars/mqtt.yaml
new file mode 100644
index 0000000..75e3591
--- /dev/null
+++ b/environments/shared/host_vars/mqtt.yaml
@@ -0,0 +1,19 @@
+ansible_host: "{{ subnets.services | ansible.utils.ipmath(67) }}"
+ansible_hostname: "ct-mqtt{{ env.suffix }}"
+
+app_container_memory: 512
+app_container_storage_size_gb: 5
+app_container_network_interfaces:
+ - name: eth0
+ bridge: vmbr0
+ ipv4_address: "{{ subnets.services | ansible.utils.ipmath(67) }}/24"
+ ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}"
+
+app_container_pve_node: pve1
+app_container_pve_ha_group_name: non-critical
+app_container_pve_replication_nodes:
+ - pve2
+
+app_pihole_records:
+ - hostname: "mqtt{{ env.suffix }}"
+ type: ansible_host
diff --git a/environments/lab/host_vars/pihole.yaml b/environments/shared/host_vars/pihole.yaml
similarity index 52%
rename from environments/lab/host_vars/pihole.yaml
rename to environments/shared/host_vars/pihole.yaml
index 9690e21..2d9ecd0 100644
--- a/environments/lab/host_vars/pihole.yaml
+++ b/environments/shared/host_vars/pihole.yaml
@@ -1,17 +1,14 @@
-ansible_host: 10.1.8.64
-ansible_hostname: ct-pihole-lab
+ansible_host: "{{ subnets.services | ansible.utils.ipmath(64) }}"
+ansible_hostname: "ct-pihole{{ env.suffix }}"
app_container_nameserver: 1.1.1.1
-app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
app_container_memory: 512
-app_container_storage_name: dpool
app_container_storage_size_gb: 5
-app_container_pve_replication_cron_expression: "*/5"
app_container_network_interfaces:
- name: eth0
bridge: vmbr0
- ipv4_address: 10.1.8.64/24
- ipv4_gateway: 10.1.8.1
+ ipv4_address: "{{ subnets.services | ansible.utils.ipmath(64) }}/24"
+ ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}"
app_container_pve_node: pve1
app_container_pve_ha_group_name: critical-priority-pve1
@@ -24,22 +21,22 @@ app_pihole_forwarders:
- 1.0.0.1
app_pomerium_routes:
- - hostname: pihole-lab
+ - hostname: "pihole{{ env.suffix }}"
auth_mode: administrators
app_pihole_records:
- - hostname: pihole-lab
+ - hostname: "pihole{{ env.suffix }}"
type: pomerium_proxy
app_gatus_monitored_endpoints:
- name: Web UI
group: Pi-hole
type: https-pomerium-proxy
- host: pihole-lab.homecentr.one
+ host: "pihole{{ env.suffix }}.homecentr.one"
- name: DNS
group: Pi-hole
type: dns
- host: 10.1.8.64
- dns_query_name: "login-lab.homecentr.one"
+ host: "{{ subnets.services | ansible.utils.ipmath(64) }}"
+ dns_query_name: "login{{ env.suffix }}.homecentr.one"
dns_query_type: "A"
- dns_query_answer: 10.1.8.66
\ No newline at end of file
+ dns_query_answer: "{{ subnets.services | ansible.utils.ipmath(66) }}"
\ No newline at end of file
diff --git a/environments/lab/host_vars/pomerium/container.yaml b/environments/shared/host_vars/pomerium.yaml
similarity index 53%
rename from environments/lab/host_vars/pomerium/container.yaml
rename to environments/shared/host_vars/pomerium.yaml
index 1c5c4bd..e880b8b 100644
--- a/environments/lab/host_vars/pomerium/container.yaml
+++ b/environments/shared/host_vars/pomerium.yaml @@ -1,9 +1,7 @@ -ansible_host: 10.1.8.66 -ansible_hostname: ct-pomerium1-lab +ansible_host: "{{ subnets.services | ansible.utils.ipmath(66) }}" +ansible_hostname: "ct-pomerium{{ env.suffix }}" -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_memory: 512 -app_container_storage_name: dpool app_container_storage_size_gb: 2 app_container_pve_replication_cron_expression: "*/5" app_container_mapped_uids: @@ -13,8 +11,8 @@ app_container_mapped_gids: app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: 10.1.8.66/24 - ipv4_gateway: 10.1.8.1 + ipv4_address: "{{ subnets.services | ansible.utils.ipmath(66) }}/24" + ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve1 app_container_pve_ha_group_name: critical-priority-pve1 app_container_pve_replication_nodes: @@ -30,13 +28,21 @@ app_container_getssl_certificates: mode: 0440 app_pihole_records: - - hostname: login-lab + - hostname: "login{{ env.suffix }}" type: ansible_host app_gatus_monitored_endpoints: - name: Pomerium group: Pomerium type: https - host: login-lab.homecentr.one + host: "login{{ env.suffix }}.homecentr.one" path: /healthz - \ No newline at end of file + +app_pomerium_hostname: "login{{ env.suffix }}.homecentr.one" + +app_pomerium_groups_administrators: b77c210d-8ae3-4292-9e95-c7d42a2f254f +app_pomerium_groups_users: ba84af15-129a-42c3-806c-62700ea31a7c + +app_pomerium_certificates: + - fullchain_path: /getssl/wildcard_fullchain.crt + key_path: /getssl/wildcard.key diff --git a/environments/lab/host_vars/pve1.yaml b/environments/shared/host_vars/pve1.yaml similarity index 58% rename from environments/lab/host_vars/pve1.yaml rename to environments/shared/host_vars/pve1.yaml index 8522d1f..6c3f680 100644 --- a/environments/lab/host_vars/pve1.yaml +++ b/environments/shared/host_vars/pve1.yaml 
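Review bot: `app_pomerium_groups_administrators: b77c210d-8ae3-4292-9e95-c7d42a2f254f` and `app_pomerium_groups_users: ba84af15-129a-42c3-806c-62700ea31a7c` are now shared across environments, but the deleted prod pomerium.yaml earlier in this diff carried different ids (`64d004bd-…` and `aac23af7-…`). Routes such as pihole's `auth_mode: administrators` and frigate's `auth_mode: users` authorize against these groups, so rendering prod from this file changes who may reach prod services — to whatever identities the new ids resolve to, or to nobody if they do not exist in the prod identity provider. Keep the two group ids in per-environment vars and leave only `app_pomerium_hostname` and `app_pomerium_certificates` here, and treat any later change to these values as an access-policy change reviewed as such.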
@@ -1,9 +1,6 @@ # Common -ansible_host: 10.1.8.11 -ansible_hostname: pve1-lab - -# UPS -ups_name: dummy-ups1 +ansible_host: "{{ subnets.services | ansible.utils.ipmath(11) }}" +ansible_hostname: "pve1{{ env.suffix }}" # GetSSL getssl_cron_renewal_hour: 16 @@ -16,4 +13,4 @@ app_gatus_monitored_endpoints: - name: pve1 / http group: Proxmox VE type: https - host: pve1-lab.homecentr.one \ No newline at end of file + host: "pve1{{ env.suffix }}.homecentr.one" \ No newline at end of file diff --git a/environments/lab/host_vars/pve2.yaml b/environments/shared/host_vars/pve2.yaml similarity index 58% rename from environments/lab/host_vars/pve2.yaml rename to environments/shared/host_vars/pve2.yaml index 2c6f1b9..17fb3d7 100644 --- a/environments/lab/host_vars/pve2.yaml +++ b/environments/shared/host_vars/pve2.yaml @@ -1,9 +1,6 @@ # Common -ansible_host: 10.1.8.12 -ansible_hostname: pve2-lab - -# UPS -ups_name: dummy-ups1 +ansible_host: "{{ subnets.services | ansible.utils.ipmath(12) }}" +ansible_hostname: "pve2{{ env.suffix }}" # GetSSL getssl_cron_renewal_hour: 17 @@ -16,4 +13,4 @@ app_gatus_monitored_endpoints: - name: pve2 / http group: Proxmox VE type: https - host: pve2-lab.homecentr.one \ No newline at end of file + host: "pve2{{ env.suffix }}.homecentr.one" \ No newline at end of file diff --git a/environments/prod/host_vars/pve3.yaml b/environments/shared/host_vars/pve3.yaml similarity index 58% rename from environments/prod/host_vars/pve3.yaml rename to environments/shared/host_vars/pve3.yaml index 1a2eb38..f832aec 100644 --- a/environments/prod/host_vars/pve3.yaml +++ b/environments/shared/host_vars/pve3.yaml @@ -1,9 +1,6 @@ # Common -ansible_host: 10.1.2.13 -ansible_hostname: pve3 - -# UPS -ups_name: ups1 +ansible_host: "{{ subnets.services | ansible.utils.ipmath(13) }}" +ansible_hostname: "pve3{{ env.suffix }}" # GetSSL getssl_cron_renewal_hour: 18 
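Review bot: Removing `ups_name: dummy-ups1` here, and `ups_name` from the pve2 and pve3 hunks alongside it, together with the deleted prod `ups_devices` group var, leaves no UPS configuration visible anywhere in this diff. If the playbooks still apply a UPS/NUT role to pve_nodes, the hosts either fail on an undefined `ups_name` or quietly lose their shutdown-on-battery behaviour, which is a reliability regression for a cluster. Confirm that these variables moved to a per-environment file not shown here, or that the role was removed from the play in the same change.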
@@ -16,4 +13,4 @@ app_gatus_monitored_endpoints: - name: pve3 / http group: Proxmox VE type: https - host: pve3.homecentr.one + host: "pve3{{ env.suffix }}.homecentr.one" \ No newline at end of file diff --git a/environments/lab/host_vars/smtp_relay/container.yaml b/environments/shared/host_vars/smtp_relay.yaml similarity index 52% rename from environments/lab/host_vars/smtp_relay/container.yaml rename to environments/shared/host_vars/smtp_relay.yaml index 57f3c4f..e4a3a65 100644 --- a/environments/lab/host_vars/smtp_relay/container.yaml +++ b/environments/shared/host_vars/smtp_relay.yaml @@ -1,16 +1,14 @@ -ansible_host: 10.1.8.65 -ansible_hostname: ct-smtp-relay-lab +ansible_host: "{{ subnets.services | ansible.utils.ipmath(65) }}" +ansible_hostname: "ct-smtp-relay{{ env.suffix }}" -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst +app_container_docker_support: true app_container_memory: 256 -app_container_storage_name: dpool app_container_storage_size_gb: 2 -app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: 10.1.8.65/24 - ipv4_gateway: 10.1.8.1 + ipv4_address: "{{ subnets.services | ansible.utils.ipmath(65) }}/24" + ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve3 app_container_pve_ha_group_name: critical-priority-pve3 @@ -34,4 +32,15 @@ app_container_getssl_certificates: app_haraka_uid: 7000 app_haraka_gid: 7000 -app_haraka_image_tag: 1.1.0 \ No newline at end of file +app_haraka_image_tag: 1.1.0 + +app_pihole_records: + - hostname: "smtp{{ env.suffix }}" + type: ansible_host + +app_gatus_monitored_endpoints: + - name: Haraka + group: SMTP Relay + type: starttls + host: "smtp{{ env.suffix }}.homecentr.one" + port: 25 \ No newline at end of file 
diff --git a/environments/lab/host_vars/unifi_controller.yaml b/environments/shared/host_vars/unifi_controller.yaml similarity index 61% rename from environments/lab/host_vars/unifi_controller.yaml rename to environments/shared/host_vars/unifi_controller.yaml index ea686e8..0e69c82 100644 --- a/environments/lab/host_vars/unifi_controller.yaml +++ b/environments/shared/host_vars/unifi_controller.yaml @@ -1,17 +1,14 @@ -ansible_host: 10.1.8.73 -ansible_hostname: ct-unifi-controller-lab +ansible_host: "{{ subnets.services | ansible.utils.ipmath(73) }}" +ansible_hostname: "ct-unifi-controller{{ env.suffix }}" -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_memory: 1024 app_container_swap: 1024 -app_container_storage_name: dpool app_container_storage_size_gb: 5 -app_container_pve_replication_cron_expression: "*/5" app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: 10.1.8.73/24 - ipv4_gateway: 10.1.8.1 + ipv4_address: "{{ subnets.services | ansible.utils.ipmath(73) }}/24" + ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve1 app_container_pve_ha_group_name: non-critical @@ -19,11 +16,11 @@ app_container_pve_replication_nodes: - pve2 app_pihole_records: - - hostname: unifi-lab + - hostname: "unifi{{ env.suffix }}" type: pomerium_proxy app_pomerium_routes: - - hostname: unifi-lab + - hostname: "unifi{{ env.suffix }}" protocol: https tls_skip_verify: true target_port: 8443 @@ -33,10 +30,10 @@ app_gatus_monitored_endpoints: - name: Web UI / container group: Unifi Controller type: https - host: ct-unifi-controller-lab + host: "ct-unifi-controller{{ env.suffix }}" insecure: true port: 8443 - name: Web UI / via proxy group: Unifi Controller type: https-pomerium-proxy - host: unifi-lab.homecentr.one + host: "unifi{{ env.suffix }}.homecentr.one" 
diff --git a/environments/lab/hosts.yaml b/environments/shared/hosts.yaml similarity index 91% rename from environments/lab/hosts.yaml rename to environments/shared/hosts.yaml index d40dbe1..10adc52 100644 --- a/environments/lab/hosts.yaml +++ b/environments/shared/hosts.yaml @@ -16,7 +16,7 @@ all: smtp_relay: unifi_controller: children: - cloudflared_containers: + cloudflared: hosts: cloudflared1: cloudflared2: From fff1e6ffa829ff32a2fddccb0b67340bc195c5ae Mon Sep 17 00:00:00 2001 
From: Lukas Holota Date: Fri, 19 Apr 2024 18:34:36 +0200 Subject: [PATCH 35/51] Shared vars working in lab --- .../lab/group_vars/all/environment.yaml | 8 +-- .../lab/group_vars/pve_nodes/firewall.yaml | 63 ------------------ .../lab/group_vars/pve_nodes/general.yaml | 12 ++-- .../group_vars/pve_nodes/secrets.sops.yaml | 8 ++- .../lab/group_vars/pve_nodes/ups.yaml | 8 --- .../lab/host_vars/frigate/container.yaml | 7 +- environments/shared/group_vars/all/env.yaml | 12 +++- .../shared/group_vars/pve_nodes/firewall.yaml | 64 +++++++++---------- .../shared/group_vars/pve_nodes/general.yaml | 2 + .../shared/host_vars/cloudflared1.yaml | 4 +- .../shared/host_vars/cloudflared2.yaml | 6 +- environments/shared/host_vars/frigate.yaml | 18 +----- .../shared/host_vars/homepage/container.yaml | 6 +- environments/shared/host_vars/monitoring.yaml | 8 +-- environments/shared/host_vars/mqtt.yaml | 4 +- environments/shared/host_vars/pihole.yaml | 8 +-- environments/shared/host_vars/pomerium.yaml | 4 +- environments/shared/host_vars/pve1.yaml | 3 +- environments/shared/host_vars/pve2.yaml | 3 +- environments/shared/host_vars/pve3.yaml | 3 +- environments/shared/host_vars/smtp_relay.yaml | 4 +- .../shared/host_vars/unifi_controller.yaml | 6 +- roles/app-pihole/templates/custom-hosts.j2 | 8 +-- roles/app-pihole/templates/dnsmasq-local.j2 | 4 +- tools/apply.sh | 2 +- 25 files changed, 102 insertions(+), 173 deletions(-) delete mode 100644 environments/lab/group_vars/pve_nodes/firewall.yaml delete mode 100644 environments/lab/group_vars/pve_nodes/ups.yaml diff --git a/environments/lab/group_vars/all/environment.yaml b/environments/lab/group_vars/all/environment.yaml index 32a5406..3b96f38 100644 --- a/environments/lab/group_vars/all/environment.yaml +++ b/environments/lab/group_vars/all/environment.yaml 
@@ -5,9 +5,5 @@ env: domain: homecentr.one subnets: - services: - cidr: 10.1.8.0/24 - prefix: 10.1.8 - services_storage: - cidr: 192.168.9.0/24 - prefix: 192.168.9 \ No newline at end of file + services: 10.1.8.0/24 + services_storage: 192.168.8.0/24 \ No newline at end of file diff --git a/environments/lab/group_vars/pve_nodes/firewall.yaml b/environments/lab/group_vars/pve_nodes/firewall.yaml deleted file mode 100644 index ec54b91..0000000 --- a/environments/lab/group_vars/pve_nodes/firewall.yaml +++ /dev/null @@ -1,63 +0,0 @@ -pve_cluster_firewall_enabled: false - -pve_cluster_firewall_aliases: - - name: subnet-home - cidr: 10.1.3.0/24 - - name: subnet-services - cidr: 10.1.8.0/24 - - - name: pve1 - cidr: 10.1.8.11/32 - - name: pve2 - cidr: 10.1.8.12/32 - - name: pve3 - cidr: 10.1.8.13/32 - - - name: cloudflared1 - cidr: 10.1.8.70/32 - - name: cloudflared2 - cidr: 10.1.8.71/32 - - - name: mqtt - cidr: 10.1.8.67/32 - - - name: homepage - cidr: 10.1.8.72/32 - - - name: pomerium1 - cidr: 10.1.8.66/32 - - -pve_cluster_firewall_ipsets: - - name: management - items: - - type: alias - name: subnet-home - - type: alias - name: monitoring - - name: proxmox - items: - - type: alias - name: pve1 - - type: alias - name: pve2 - - type: alias - name: pve3 - - name: pomerium - items: - - type: alias - name: pomerium1 - - name: mqtt - items: - - type: alias - name: mqtt - - name: monitoring - items: - - type: alias - name: monitoring - - name: homepage - items: - - type: alias - name: homepage - -pve_cluster_firewall_security_groups: [] diff --git a/environments/lab/group_vars/pve_nodes/general.yaml b/environments/lab/group_vars/pve_nodes/general.yaml index 1330590..4610bcd 100644 --- a/environments/lab/group_vars/pve_nodes/general.yaml +++ b/environments/lab/group_vars/pve_nodes/general.yaml 
@@ -1,8 +1,10 @@ pve_zfs_max_arc_size_gb: 0.5 -pve_cluster_options_migration_network: 192.168.8.0/24 +ups_name: dummy-ups1 -# TODO: Move this to secrets and use external SMTP -pve_smtp_host: 10.1.8.130 -pve_smtp_port: 25 -pve_smtp_tls: false +ups_devices: + - name: dummy-ups1 + driver: dummy-ups + description: Dummy UPS + port: evolution500.seq + monitored_by: pve1 diff --git a/environments/lab/group_vars/pve_nodes/secrets.sops.yaml b/environments/lab/group_vars/pve_nodes/secrets.sops.yaml index a613e83..67caa92 100644 --- a/environments/lab/group_vars/pve_nodes/secrets.sops.yaml +++ b/environments/lab/group_vars/pve_nodes/secrets.sops.yaml @@ -28,6 +28,10 @@ getssl_certificates: getssl_cloudflare_email: ENC[AES256_GCM,data:G6Ixtl6Lf8I4T8HupxePJlBLvv0CqQ==,iv:L4i+g6908jnf03HcikeM9f3Zoa5jhDP2IHkvDxWhO3M=,tag:8Oc046w1pYAVVsPd5NAEYw==,type:str] getssl_cloudflare_api_token: ENC[AES256_GCM,data:++P52Hl/14yekKI/pTfMKlQKHqISkotNFj7SToHzqUk0Z6wiL/eL4g==,iv:UFD41XQNKJz2tHDB5IG+PmhgoXFYPqHZC0DkeZpSkjY=,tag:23aditConHxuY3AaW2owWA==,type:str] ups_slave_password: ENC[AES256_GCM,data:LSkvc2D5JLs=,iv:kfdGQjVMi4Ujle6WzL1XN+6kV6tZdKdUKpEA6K3s4BQ=,tag:XX3BibPR3MZH58uUpH7aOA==,type:str] +pve_smtp_username: ENC[AES256_GCM,data:X0IdKdfrPDVmsVZqupp0eU8Wf3GYMw==,iv:drM4tPsuLbGj8LpNXLFufUww9dRwHUVGZwBIsc3GAuA=,tag:m8hRaKS5/zKQdsQ4Trf62A==,type:str] +pve_smtp_password: ENC[AES256_GCM,data:kTPfF1tsbgaNlxHIHPgsjHVH0WIc05ZJ0Cet47gJdVqtRB0Rh2xfCNF/hEzBhEw2caDm71y2vafui7d5eoeaynzRyTpe6HsveFDpKFG3poXvK4ckaXHJWkse,iv:x/catZEn5xD3eUzgYFNty9txZFbiprjW5mnKSaapWaI=,tag:TcX4U705mu8afO/MjnX67w==,type:str] +pve_smtp_host: ENC[AES256_GCM,data:rBqZTGetloUR/d4ZEgHZVanK+ro=,iv:f2g+hEAIkCb9Iity3gJ4qzWVnjn/oRgTXKOCWHTNuAI=,tag:abOj7coVqpxRibOUdhlAhQ==,type:str] +pve_smtp_port: ENC[AES256_GCM,data:mYqC,iv:0ExWSn/DWX1jD5D0HoqtQ4d9xGeuVYIFqMaZ+Et5TrU=,tag:ZNjzZWk4KO0Ap9clPnk9uA==,type:int] sops: kms: [] gcp_kms: [] 
@@ -43,8 +47,8 @@ sops: QWU4OTVNQU9nRU12REp3dkpYdWpjbVEKkKpnxWW2iUkjQv3UzO8b0pUXJ2s72HdQ tQkvIENt6fns2f3WwAoMsouPsTzZSn4PXGrG9OAIWVcfkGtF/RRdHA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-14T15:54:14Z" - mac: ENC[AES256_GCM,data:U5uGpkdQyDPcrxUElr2sWu/pf1enhzs8Ld96NvUcIKo7bJNex7RZ38Zm1lhw0QRH/E4fjtO0bPJ4YYCHTJdPmNzIJAz6S9L69vk+v0oOddpb/bCIQCBIPlSnhlUrBNx6804UnzvfhzF4iWH2/rJ+QR8stnJMI2BcPwNqfD66xwY=,iv:C7xoLAFXyCe/ac5276nmGu/fxOxaHNjaIr5pexUu/QM=,tag:n0E/Tcbyhmnouporam6i7w==,type:str] + lastmodified: "2024-04-19T09:09:28Z" + mac: ENC[AES256_GCM,data:dFCWklogHnpVjKf13Z8xFMDR7YAb/zT0tCrgq5cpW8oLNlEZ0+Cno1DTnE+rv3/avs9X1eQGDqGfQG66kBiawWiPURryb3BBrR4JXKRYRzWNvx7Vi5m9pVjYG6Ykkk12jVOBCx3vebeG5fYCgD7AO0Fx5I//eTRmsl1ecr80R6I=,iv:iBiWPDawc0sKUfZOYkCpbkSkjwyr5wcy9OC5xX04vDY=,tag:sv42MS8oaH9ucNQdE8d6dA==,type:str] pgp: - created_at: "2023-06-05T08:57:01Z" enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//a0vf1Oh3Tiyv++/rqq6X00JVXl2CZjoQ8BOKeGsX1wOY\r\nHIV7on7BJ4kW9gjIwOGIhsMLPryVIR7yJAJPu/qjQiQFBEk5To8xjoaMib0f3yvI\r\nQRDB2nvgChd04NHE7rYbwl+0aZcK1E88LA2uzXietlri4VzcmoMA9JBZn5/65Eaj\r\n+f2Ari4TKWTomYhseYPUVFCqtm5W64FehtGKao7iNcMAX/vxIupWUwRRDg6EsZu7\r\nP0nGszRVWwiucJ8BfDU2FQVrJKJuoEyerSUYW0tHEhAai+HTV47j2ST/ZvK18D5c\r\n+16RJzp1a3QFCViM3PlOAAVtunoUFQxMwfiLgniUB8kCjFBOMQ5wST8xZFUHrmjw\r\n07tkmV5/eRVA9/Vl5jRqM4sRf2f3Ou0YXbeOeJ3fzLrZgWOliUtTq7YzvN4AnNhg\r\nJfHSQsMR5nYi9wHfq6doTWXArXKp82Z2u/pZoVY5xlAaU9uerxgs6GTs7iRbW4BM\r\n+7WkqxnRo/agFzhLpDWBxehpP0XKx49JgxPdmQXlYDQY6AYc5jPswBsePSYL1LNz\r\nhoPUbCfgPik5nrdAy4pVW6ijBcf8KqgVH8eZAQa1M2GpdyO8tIL5paTLaM+oiyWN\r\nFEjT+GDjxAoxFvDW8ZSOTSlu9GdrLquFMF2hp3zZ0bZ6EfHr3K3cyRXAhkVuLUTS\r\nXgEQAAk4rZa7lH9ODHkKNzOhIfm69V2sAgH5oWHgiBAAJU44ZE5voZSQokVZPu+b\r\nK9ldX8+2W8XoE1CGuWXNtb5GYlWlVFpShFfhPCm1l5b4w9Y5lDhXmEXf8Opdw3c=\r\n=t7MQ\r\n-----END PGP MESSAGE-----\r\n" diff --git a/environments/lab/group_vars/pve_nodes/ups.yaml b/environments/lab/group_vars/pve_nodes/ups.yaml deleted file mode 100644 index 3096565..0000000 
--- a/environments/lab/group_vars/pve_nodes/ups.yaml +++ /dev/null @@ -1,8 +0,0 @@ -ups_name: dummy-ups1 - -ups_devices: - - name: dummy-ups1 - driver: dummy-ups - description: Dummy UPS - port: evolution500.seq - monitored_by: pve1 diff --git a/environments/lab/host_vars/frigate/container.yaml b/environments/lab/host_vars/frigate/container.yaml index 30eadbe..ddaf476 100644 --- a/environments/lab/host_vars/frigate/container.yaml +++ b/environments/lab/host_vars/frigate/container.yaml @@ -1,5 +1,5 @@ -# ??? app_container_memory: 2048 -app_container_storage_name: dpool1 +app_container_memory: 2048 +app_container_storage_name: dpool app_container_storage_size_gb: 5 app_container_mounts: @@ -9,4 +9,5 @@ app_container_mounts: size_gb: 2 target_path: /nvr -app_frigate_image_tag: 0.13.2 +app_frigate_cache_size_gb: 1 +app_frigate_shm_size_gb: 1 diff --git a/environments/shared/group_vars/all/env.yaml b/environments/shared/group_vars/all/env.yaml index 585a61c..2b0a623 100644 --- a/environments/shared/group_vars/all/env.yaml +++ b/environments/shared/group_vars/all/env.yaml @@ -1,5 +1,15 @@ ipam: + pve1: "{{ subnets.services | ansible.utils.ipmath(11) }}" + pve2: "{{ subnets.services | ansible.utils.ipmath(12) }}" + pve3: "{{ subnets.services | ansible.utils.ipmath(13) }}" + pihole: "{{ subnets.services | ansible.utils.ipmath(64) }}" smtp_relay: "{{ subnets.services | ansible.utils.ipmath(65) }}" pomerium: "{{ subnets.services | ansible.utils.ipmath(66) }}" - \ No newline at end of file + mqtt: "{{ subnets.services | ansible.utils.ipmath(67) }}" + monitoring: "{{ subnets.services | ansible.utils.ipmath(68) }}" + frigate: "{{ subnets.services | ansible.utils.ipmath(69) }}" + cloudflared1: "{{ subnets.services | ansible.utils.ipmath(70) }}" + cloudflared2: "{{ subnets.services | ansible.utils.ipmath(71) }}" + homepage: "{{ subnets.services | ansible.utils.ipmath(72) }}" + unifi_controller: "{{ subnets.services | ansible.utils.ipmath(73) }}" \ No newline at end of file 
diff --git a/environments/shared/group_vars/pve_nodes/firewall.yaml b/environments/shared/group_vars/pve_nodes/firewall.yaml index 954fc40..1b72d9f 100644 --- a/environments/shared/group_vars/pve_nodes/firewall.yaml +++ b/environments/shared/group_vars/pve_nodes/firewall.yaml @@ -7,26 +7,32 @@ pve_cluster_firewall_aliases: cidr: "{{ subnets.services }}" - name: "pve1{{ env.suffix }}" - cidr: "{{ subnets.services | ansible.utils.ipmath(11) }}/32" + cidr: "{{ ipam.pve1 }}/32" - name: "pve2{{ env.suffix }}" - cidr: "{{ subnets.services | ansible.utils.ipmath(12) }}/32" + cidr: "{{ ipam.pve2 }}/32" - name: "pve3{{ env.suffix }}" - cidr: "{{ subnets.services | ansible.utils.ipmath(13) }}/32" - - - name: "cloudflared1{{ env.suffix }}" - cidr: "{{ subnets.services | ansible.utils.ipmath(70) }}/32" - - name: "cloudflared2{{ env.suffix }}" - cidr: "{{ subnets.services | ansible.utils.ipmath(71) }}/32" - - - name: mqtt - cidr: 10.1.8.67/32 - - - name: homepage - cidr: 10.1.8.72/32 - - - name: pomerium1 - cidr: 10.1.8.66/32 - + cidr: "{{ ipam.pve3 }}/32" + + - name: "ct-pihole{{ env.suffix }}" + cidr: "{{ ipam.pihole }}/32" + - name: "ct-smtp-relay{{ env.suffix }}" + cidr: "{{ ipam.smtp_relay }}/32" + - name: "ct-pomerium{{ env.suffix }}" + cidr: "{{ ipam.pomerium }}/32" + - name: "ct-mqtt{{ env.suffix }}" + cidr: "{{ ipam.mqtt }}/32" + - name: "ct-monitoring{{ env.suffix }}" + cidr: "{{ ipam.monitoring }}/32" + - name: "ct-frigate{{ env.suffix }}" + cidr: "{{ ipam.frigate }}/32" + - name: "ct-cloudflared1{{ env.suffix }}" + cidr: "{{ ipam.cloudflared }}/32" + - name: "ct-cloudflared2{{ env.suffix }}" + cidr: "{{ ipam.cloudflared }}/32" + - name: "ct-homepage{{ env.suffix }}" + cidr: "{{ ipam.homepage }}/32" + - name: ct-unifi-controller{{ env.suffix }}" + cidr: "{{ ipam.unifi_controller }}/32" pve_cluster_firewall_ipsets: - name: management 
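Review bot: The two cloudflared aliases reference `ipam.cloudflared`, which is not a key of the `ipam` map this commit defines (it has `cloudflared1` and `cloudflared2`), so rendering this file fails with an undefined variable — or, if undefined is tolerated by the role, both aliases end up empty; they should be `cidr: "{{ ipam.cloudflared1 }}/32"` and `cidr: "{{ ipam.cloudflared2 }}/32"`. The last alias also has an unbalanced quote, `- name: ct-unifi-controller{{ env.suffix }}"`, which is a YAML parse error for the whole file; it should be `- name: "ct-unifi-controller{{ env.suffix }}"`. Because these aliases feed the cluster firewall ipsets, a broken render means the firewall definition is not applied at all rather than partially, so this file deserves a `--syntax-check`/render before merge.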
@@ -38,26 +44,16 @@ pve_cluster_firewall_ipsets: - name: proxmox items: - type: alias - name: pve1 + name: "pve1{{ env.suffix }}" - type: alias - name: pve2 + name: "pve1{{ env.suffix }}" - type: alias - name: pve3 - - name: pomerium + name: "pve1{{ env.suffix }}" + - name: cloudflared items: - type: alias - name: pomerium1 - - name: mqtt - items: - - type: alias - name: mqtt - - name: monitoring - items: - - type: alias - name: monitoring - - name: homepage - items: + name: "ct-cloudflared1{{ env.suffix }}" - type: alias - name: homepage + name: "ct-cloudflared2{{ env.suffix }}" pve_cluster_firewall_security_groups: [] diff --git a/environments/shared/group_vars/pve_nodes/general.yaml b/environments/shared/group_vars/pve_nodes/general.yaml index c51ec14..10cf633 100644 --- a/environments/shared/group_vars/pve_nodes/general.yaml +++ b/environments/shared/group_vars/pve_nodes/general.yaml @@ -4,6 +4,8 @@ ssh_allow_root_login_trusted_clients: - pve2 - pve3 +pve_cluster_options_migration_network: "{{ subnet.services_storage }}" + pve_cluster_ha_groups: - name: critical-priority-pve1 nodes: diff --git a/environments/shared/host_vars/cloudflared1.yaml b/environments/shared/host_vars/cloudflared1.yaml index d56916b..e0151a9 100644 --- a/environments/shared/host_vars/cloudflared1.yaml +++ b/environments/shared/host_vars/cloudflared1.yaml @@ -1,4 +1,4 @@ -ansible_host: "{{ subnets.services | ansible.utils.ipmath(70) }}" +ansible_host: "{{ ipam.cloudflared1 }}" ansible_hostname: "ct-cloudflared1{{ env.suffix }}" app_container_memory: 512 @@ -7,7 +7,7 @@ app_container_storage_size_gb: 1 app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: "{{ subnets.services | ansible.utils.ipmath(70) }}/24" + ipv4_address: "{{ ipam.cloudflared1 }}/24" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve1 
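Review bot: The `proxmox` ipset now lists `pve1{{ env.suffix }}` three times and drops pve2 and pve3; the second and third entries should read `name: "pve2{{ env.suffix }}"` and `name: "pve3{{ env.suffix }}"`, otherwise any rule that uses this ipset for cluster, corosync or migration traffic silently excludes two of the three nodes. The `pomerium`, `mqtt`, `monitoring` and `homepage` ipsets are removed here while the `management` ipset between the two hunks is not shown; if it or any security group still references those ipsets or the old alias names (`monitoring`, `pomerium1`), the firewall definition will no longer resolve. A comment above `pve_cluster_firewall_ipsets` naming which rules consume each set would let the next refactor see these dependencies.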
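Review bot: `pve_cluster_options_migration_network: "{{ subnet.services_storage }}"` references `subnet`, but the variable defined in the environment files is `subnets` (every other reference in this commit uses `subnets.services` / `subnets.services_storage`), so this renders as undefined; it should be `pve_cluster_options_migration_network: "{{ subnets.services_storage }}"`. Since this option selects the network Proxmox uses for live-migration traffic, a failed or defaulted value is easy to miss until a migration runs over the services network instead of the dedicated storage subnet. A render check of group_vars/pve_nodes after this change would catch it.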
diff --git a/environments/shared/host_vars/cloudflared2.yaml b/environments/shared/host_vars/cloudflared2.yaml index 5a48594..a066e20 100644 --- a/environments/shared/host_vars/cloudflared2.yaml +++ b/environments/shared/host_vars/cloudflared2.yaml @@ -1,4 +1,4 @@ -ansible_host: "{{ subnets.services | ansible.utils.ipmath(71) }}" +ansible_host: "{{ ipam.cloudflared2 }}" ansible_hostname: "ct-cloudflared2{{ env.suffix }}" app_container_memory: 512 @@ -7,8 +7,8 @@ app_container_storage_size_gb: 1 app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: 10.1.8.71/24 - ipv4_gateway: 10.1.8.1 + ipv4_address: "{{ ipam.cloudflared2 }}/24" + ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve2 app_container_pve_ha_group_name: critical-priority-pve2 diff --git a/environments/shared/host_vars/frigate.yaml b/environments/shared/host_vars/frigate.yaml index df60f45..46e24f1 100644 --- a/environments/shared/host_vars/frigate.yaml +++ b/environments/shared/host_vars/frigate.yaml 
@@ -1,33 +1,19 @@ -ansible_host: "{{ subnets.services | ansible.utils.ipmath(69) }}" +ansible_host: "{{ ipam.frigate }}" ansible_hostname: "ct-frigate{{ env.suffix }}" app_container_docker_support: true -app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst -app_container_memory: 2048 -app_container_storage_size_gb: 5 app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: "{{ subnets.services | ansible.utils.ipmath(69) }}/24" + ipv4_address: "{{ ipam.frigate }}" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" -# TODO: Per environment -app_container_mounts: - - type: disk - storage_name: dpool - index: 2 - size_gb: 2 - target_path: /nvr - app_container_pve_node: pve2 app_container_pve_ha_group_name: noncritical app_container_pve_replication_nodes: - pve1 -# TODO: Per env app_frigate_image_tag: 0.13.2 -app_frigate_cache_size_gb: 1 -app_frigate_shm_size_gb: 1 app_pihole_records: - hostname: "frigate{{ env.suffix }}" diff --git a/environments/shared/host_vars/homepage/container.yaml b/environments/shared/host_vars/homepage/container.yaml index 8d9e43f..9c19008 100644 --- a/environments/shared/host_vars/homepage/container.yaml +++ b/environments/shared/host_vars/homepage/container.yaml @@ -1,4 +1,4 @@ -ansible_host: "{{ subnets.services | ansible.utils.ipmath(72) }}" +ansible_host: "{{ ipam.homepage }}" ansible_hostname: "ct-homepage{{ env.suffix }}" app_container_docker_support: true @@ -7,7 +7,7 @@ app_container_storage_size_gb: 1 app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: "{{ subnets.services | ansible.utils.ipmath(72) }}/24" + ipv4_address: "{{ ipam.homepage }}/24" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve2 
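Review bot: `ipv4_address: "{{ ipam.frigate }}"` lost the `/24` prefix that every other container in this commit keeps (`"{{ ipam.homepage }}/24"`, `"{{ ipam.monitoring }}/24"`), so the rendered Proxmox net config carries a bare IP without a netmask; it should be `ipv4_address: "{{ ipam.frigate }}/24"`. The memory, storage size and `/nvr` mount have moved to environments/lab/host_vars/frigate/container.yaml, so prod needs equivalent host_vars or the container role sees them undefined — nothing for prod is visible here. A comment in this shared file, `# memory, storage and mounts are set per environment in environments/<env>/host_vars/frigate/`, would document the split that the removed TODOs used to hint at.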
@@ -30,7 +30,7 @@ app_gatus_monitored_endpoints: - name: Homepage / container group: Homepage type: http - host: "ct-homepage{{ env.suffix }}" + host: "ct-homepage{{ env.suffix }}.homecentr.one" port: 3000 - name: Homepage / via proxy group: Homepage diff --git a/environments/shared/host_vars/monitoring.yaml b/environments/shared/host_vars/monitoring.yaml index 4c5076f..268e671 100644 --- a/environments/shared/host_vars/monitoring.yaml +++ b/environments/shared/host_vars/monitoring.yaml @@ -1,4 +1,4 @@ -ansible_host: "{{ subnets.services | ansible.utils.ipmath(68) }}" +ansible_host: "{{ ipam.monitoring }}" ansible_hostname: "ct-monitoring{{ env.suffix }}" app_container_docker_support: true @@ -7,7 +7,7 @@ app_container_storage_size_gb: 5 app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: "{{ subnets.services | ansible.utils.ipmath(68) }}/24" + ipv4_address: "{{ ipam.monitoring }}/24" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve2 @@ -18,10 +18,10 @@ app_container_pve_replication_nodes: app_gatus_image_tag: v5.7.0 app_pomerium_routes: - - hostname: "gatus{{ env.suffix }}" + - hostname: "status{{ env.suffix }}" target_port: 8080 auth_mode: public app_pihole_records: - - hostname: "gatus{{ env.suffix }}" + - hostname: "status{{ env.suffix }}" type: pomerium_proxy diff --git a/environments/shared/host_vars/mqtt.yaml b/environments/shared/host_vars/mqtt.yaml index 75e3591..9599e4c 100644 --- a/environments/shared/host_vars/mqtt.yaml +++ b/environments/shared/host_vars/mqtt.yaml @@ -1,4 +1,4 @@ -ansible_host: "{{ subnets.services | ansible.utils.ipmath(67) }}" +ansible_host: "{{ ipam.mqtt }}" ansible_hostname: "ct-mqtt{{ env.suffix }}" app_container_memory: 512 
@@ -6,7 +6,7 @@ app_container_storage_size_gb: 5 app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: "{{ subnets.services | ansible.utils.ipmath(67) }}/24" + ipv4_address: "{{ ipam.mqtt }}/24" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve1 diff --git a/environments/shared/host_vars/pihole.yaml b/environments/shared/host_vars/pihole.yaml index 2d9ecd0..c48d256 100644 --- a/environments/shared/host_vars/pihole.yaml +++ b/environments/shared/host_vars/pihole.yaml @@ -1,4 +1,4 @@ -ansible_host: "{{ subnets.services | ansible.utils.ipmath(64) }}" +ansible_host: "{{ ipam.pihole }}" ansible_hostname: "ct-pihole{{ env.suffix }}" app_container_nameserver: 1.1.1.1 @@ -7,7 +7,7 @@ app_container_storage_size_gb: 5 app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: "{{ subnets.services | ansible.utils.ipmath(64) }}/24" + ipv4_address: "{{ ipam.pihole }}/24" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve1 @@ -36,7 +36,7 @@ app_gatus_monitored_endpoints: - name: DNS group: Pi-hole type: dns - host: "{{ subnets.services | ansible.utils.ipmath(64) }}" + host: "{{ ipam.pihole }}" dns_query_name: "login{{ env.suffix }}.homecentr.one" dns_query_type: "A" - dns_query_answer: "{{ subnets.services | ansible.utils.ipmath(66) }}" \ No newline at end of file + dns_query_answer: "{{ ipam.pomerium }}" \ No newline at end of file diff --git a/environments/shared/host_vars/pomerium.yaml b/environments/shared/host_vars/pomerium.yaml index e880b8b..7e28339 100644 --- a/environments/shared/host_vars/pomerium.yaml +++ b/environments/shared/host_vars/pomerium.yaml @@ -1,4 +1,4 @@ -ansible_host: "{{ subnets.services | ansible.utils.ipmath(66) }}" +ansible_host: "{{ ipam.pomerium }}" ansible_hostname: "ct-pomerium{{ env.suffix }}" app_container_memory: 512 
@@ -11,7 +11,7 @@ app_container_mapped_gids: app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: "{{ subnets.services | ansible.utils.ipmath(66) }}/24" + ipv4_address: "{{ ipam.pomerium }}/24" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve1 app_container_pve_ha_group_name: critical-priority-pve1 diff --git a/environments/shared/host_vars/pve1.yaml b/environments/shared/host_vars/pve1.yaml index 6c3f680..a50d71f 100644 --- a/environments/shared/host_vars/pve1.yaml +++ b/environments/shared/host_vars/pve1.yaml @@ -1,5 +1,5 @@ # Common -ansible_host: "{{ subnets.services | ansible.utils.ipmath(11) }}" +ansible_host: "{{ ipam.pve1 }}" ansible_hostname: "pve1{{ env.suffix }}" # GetSSL @@ -10,6 +10,7 @@ app_gatus_monitored_endpoints: - name: pve1 / ping group: Proxmox VE type: ping + host: "pve1{{ env.suffix }}.homecentr.one" - name: pve1 / http group: Proxmox VE type: https diff --git a/environments/shared/host_vars/pve2.yaml b/environments/shared/host_vars/pve2.yaml index 17fb3d7..6697b70 100644 --- a/environments/shared/host_vars/pve2.yaml +++ b/environments/shared/host_vars/pve2.yaml @@ -1,5 +1,5 @@ # Common -ansible_host: "{{ subnets.services | ansible.utils.ipmath(12) }}" +ansible_host: "{{ ipam.pve2 }}" ansible_hostname: "pve2{{ env.suffix }}" # GetSSL @@ -10,6 +10,7 @@ app_gatus_monitored_endpoints: - name: pve2 / ping group: Proxmox VE type: ping + host: "pve2{{ env.suffix }}.homecentr.one" - name: pve2 / http group: Proxmox VE type: https diff --git a/environments/shared/host_vars/pve3.yaml b/environments/shared/host_vars/pve3.yaml index f832aec..e5829d7 100644 --- a/environments/shared/host_vars/pve3.yaml +++ b/environments/shared/host_vars/pve3.yaml @@ -1,5 +1,5 @@ # Common -ansible_host: "{{ subnets.services | ansible.utils.ipmath(13) }}" +ansible_host: "{{ ipam.pve3 }}" ansible_hostname: "pve3{{ env.suffix }}" # GetSSL 
@@ -10,6 +10,7 @@ app_gatus_monitored_endpoints: - name: pve3 / ping group: Proxmox VE type: ping + host: "pve3{{ env.suffix }}.homecentr.one" - name: pve3 / http group: Proxmox VE type: https diff --git a/environments/shared/host_vars/smtp_relay.yaml b/environments/shared/host_vars/smtp_relay.yaml index e4a3a65..50723bb 100644 --- a/environments/shared/host_vars/smtp_relay.yaml +++ b/environments/shared/host_vars/smtp_relay.yaml @@ -1,4 +1,4 @@ -ansible_host: "{{ subnets.services | ansible.utils.ipmath(65) }}" +ansible_host: "{{ ipam.smtp_relay }}" ansible_hostname: "ct-smtp-relay{{ env.suffix }}" app_container_docker_support: true @@ -7,7 +7,7 @@ app_container_storage_size_gb: 2 app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: "{{ subnets.services | ansible.utils.ipmath(65) }}/24" + ipv4_address: "{{ ipam.smtp_relay }}/24" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve3 diff --git a/environments/shared/host_vars/unifi_controller.yaml b/environments/shared/host_vars/unifi_controller.yaml index 0e69c82..7a024c0 100644 --- a/environments/shared/host_vars/unifi_controller.yaml +++ b/environments/shared/host_vars/unifi_controller.yaml @@ -1,4 +1,4 @@ -ansible_host: "{{ subnets.services | ansible.utils.ipmath(73) }}" +ansible_host: "{{ ipam.unifi_controller }}" ansible_hostname: "ct-unifi-controller{{ env.suffix }}" app_container_memory: 1024 @@ -7,7 +7,7 @@ app_container_storage_size_gb: 5 app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: "{{ subnets.services | ansible.utils.ipmath(73) }}/24" + ipv4_address: "{{ ipam.unifi_controller }}/24" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve1 
@@ -30,7 +30,7 @@ app_gatus_monitored_endpoints: - name: Web UI / container group: Unifi Controller type: https - host: "ct-unifi-controller{{ env.suffix }}" + host: "ct-unifi-controller{{ env.suffix }}.homecentr.one" insecure: true port: 8443 - name: Web UI / via proxy diff --git a/roles/app-pihole/templates/custom-hosts.j2 b/roles/app-pihole/templates/custom-hosts.j2 index b590ff8..ee04c05 100644 --- a/roles/app-pihole/templates/custom-hosts.j2 +++ b/roles/app-pihole/templates/custom-hosts.j2 @@ -1,15 +1,15 @@ {%- for host in groups['all'] %} -{{ hostvars[host].ansible_host }} {{ hostvars[host].ansible_hostname }}.{{ domain }} +{{ hostvars[host].ansible_host }} {{ hostvars[host].ansible_hostname }}.{{ env.domain }} {% endfor %} {% for host in groups['all'] %} {% for record in hostvars[host].app_pihole_records | default([]) %} {% if record.type == "pomerium_proxy" %} -{{ hostvars['pomerium'].ansible_host }} {{ record.hostname }}.{{ domain }} +{{ hostvars['pomerium'].ansible_host }} {{ record.hostname }}.{{ env.domain }} {% elif record.type == "ansible_host" %} -{{ hostvars[host].ansible_host }} {{ record.hostname }}.{{ domain }} +{{ hostvars[host].ansible_host }} {{ record.hostname }}.{{ env.domain }} {% else %} -{{ record.value }} {{ record.hostname }}.{{ domain }} +{{ record.value }} {{ record.hostname }}.{{ env.domain }} {% endif %} {% endfor %} {% endfor %} \ No newline at end of file diff --git a/roles/app-pihole/templates/dnsmasq-local.j2 b/roles/app-pihole/templates/dnsmasq-local.j2 index 74dbb7c..9685bef 100644 --- a/roles/app-pihole/templates/dnsmasq-local.j2 +++ b/roles/app-pihole/templates/dnsmasq-local.j2 @@ -1,2 +1,2 @@ -domain={{ domain }} -local=/{{ domain }}/ +domain={{ env.domain }} +local=/{{ env.domain }}/ diff --git a/tools/apply.sh b/tools/apply.sh index 180ffda..8482afa 100755 --- a/tools/apply.sh +++ b/tools/apply.sh 
@@ -27,7 +27,7 @@ shift export ANSIBLE_CONFIG="./ansible.cfg" -COMMAND="ansible-playbook -i $INVENTORY $PLAYBOOK ${@:1}" +COMMAND="ansible-playbook -i ./environments/shared -i $INVENTORY $PLAYBOOK ${@:1}" echo $COMMAND From 53dd8951e7015c80158458b769031b95bedf3172 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Fri, 19 Apr 2024 18:50:08 +0200 Subject: [PATCH 36/51] Cloudflared tunnels upgrade --- environments/lab/group_vars/pve_nodes/secrets.sops.yaml | 5 +++-- environments/shared/group_vars/containers/app_container.yaml | 2 ++ environments/shared/host_vars/cloudflared1.yaml | 4 +++- environments/shared/host_vars/cloudflared2.yaml | 4 +++- playbooks/containers/cloudflared.yaml | 2 +- roles/app-cloudflared/tasks/install.yaml | 3 ++- roles/app-cloudflared/tasks/systemd.yaml | 3 ++- 7 files changed, 16 insertions(+), 7 deletions(-) diff --git a/environments/lab/group_vars/pve_nodes/secrets.sops.yaml b/environments/lab/group_vars/pve_nodes/secrets.sops.yaml index 67caa92..ca7f7e1 100644 --- a/environments/lab/group_vars/pve_nodes/secrets.sops.yaml +++ b/environments/lab/group_vars/pve_nodes/secrets.sops.yaml @@ -32,6 +32,7 @@ pve_smtp_username: ENC[AES256_GCM,data:X0IdKdfrPDVmsVZqupp0eU8Wf3GYMw==,iv:drM4t pve_smtp_password: ENC[AES256_GCM,data:kTPfF1tsbgaNlxHIHPgsjHVH0WIc05ZJ0Cet47gJdVqtRB0Rh2xfCNF/hEzBhEw2caDm71y2vafui7d5eoeaynzRyTpe6HsveFDpKFG3poXvK4ckaXHJWkse,iv:x/catZEn5xD3eUzgYFNty9txZFbiprjW5mnKSaapWaI=,tag:TcX4U705mu8afO/MjnX67w==,type:str] pve_smtp_host: ENC[AES256_GCM,data:rBqZTGetloUR/d4ZEgHZVanK+ro=,iv:f2g+hEAIkCb9Iity3gJ4qzWVnjn/oRgTXKOCWHTNuAI=,tag:abOj7coVqpxRibOUdhlAhQ==,type:str] pve_smtp_port: ENC[AES256_GCM,data:mYqC,iv:0ExWSn/DWX1jD5D0HoqtQ4d9xGeuVYIFqMaZ+Et5TrU=,tag:ZNjzZWk4KO0Ap9clPnk9uA==,type:int] +pve_smtp_tls: ENC[AES256_GCM,data:jc+UyQ==,iv:JcrmfgzHIjtY3RaNISmX0SSNyqkkpKrZQkHEsafFYEg=,tag:uPJQTQIwkZpec+b3DHs3xg==,type:bool] sops: kms: [] gcp_kms: [] 
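Review bot: The command is still assembled as one string and presumably executed by word-splitting or `eval` on a line outside this hunk, so `$INVENTORY`, `$PLAYBOOK` and any extra arguments containing spaces or shell metacharacters are split or re-interpreted; a bash array keeps each argument intact: `COMMAND=(ansible-playbook -i ./environments/shared -i "$INVENTORY" "$PLAYBOOK" "$@")` followed by `"${COMMAND[@]}"`. The order of the two `-i` flags is now load-bearing, since Ansible merges inventory sources in order and later sources override earlier ones for same-named variables, so the environment inventory overrides the shared one; that deserves a one-line comment above the assignment, `# shared inventory first so that the environment-specific $INVENTORY overrides it`. Quoting `"$INVENTORY"` also stops an empty value from silently dropping the `-i` argument's operand.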
@@ -47,8 +48,8 @@ sops: QWU4OTVNQU9nRU12REp3dkpYdWpjbVEKkKpnxWW2iUkjQv3UzO8b0pUXJ2s72HdQ tQkvIENt6fns2f3WwAoMsouPsTzZSn4PXGrG9OAIWVcfkGtF/RRdHA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-19T09:09:28Z" - mac: ENC[AES256_GCM,data:dFCWklogHnpVjKf13Z8xFMDR7YAb/zT0tCrgq5cpW8oLNlEZ0+Cno1DTnE+rv3/avs9X1eQGDqGfQG66kBiawWiPURryb3BBrR4JXKRYRzWNvx7Vi5m9pVjYG6Ykkk12jVOBCx3vebeG5fYCgD7AO0Fx5I//eTRmsl1ecr80R6I=,iv:iBiWPDawc0sKUfZOYkCpbkSkjwyr5wcy9OC5xX04vDY=,tag:sv42MS8oaH9ucNQdE8d6dA==,type:str] + lastmodified: "2024-04-19T16:36:03Z" + mac: ENC[AES256_GCM,data:QFsHz55xCmpHHf6w/RSOeDHwj4BNSezUJNLtzmYDkAYHDLq3vem+SLyNtkE61a1XbZBvkC22BzBEYuGRg3J9+z/ovpoi7ot0IuB/ZK4QYUI1K0eOhJdOjk/MdPsJNnL7MFknWB6bG4/MK5yulL1WjRLr9rdyxa5YxJfci0kiGtE=,iv:6+YAalHHo16ZqrepV1dvfLhTw0L8xWMIxVG1ZIxpd/U=,tag:7eRbgWdwB9IbLchZT9uaFA==,type:str] pgp: - created_at: "2023-06-05T08:57:01Z" enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//a0vf1Oh3Tiyv++/rqq6X00JVXl2CZjoQ8BOKeGsX1wOY\r\nHIV7on7BJ4kW9gjIwOGIhsMLPryVIR7yJAJPu/qjQiQFBEk5To8xjoaMib0f3yvI\r\nQRDB2nvgChd04NHE7rYbwl+0aZcK1E88LA2uzXietlri4VzcmoMA9JBZn5/65Eaj\r\n+f2Ari4TKWTomYhseYPUVFCqtm5W64FehtGKao7iNcMAX/vxIupWUwRRDg6EsZu7\r\nP0nGszRVWwiucJ8BfDU2FQVrJKJuoEyerSUYW0tHEhAai+HTV47j2ST/ZvK18D5c\r\n+16RJzp1a3QFCViM3PlOAAVtunoUFQxMwfiLgniUB8kCjFBOMQ5wST8xZFUHrmjw\r\n07tkmV5/eRVA9/Vl5jRqM4sRf2f3Ou0YXbeOeJ3fzLrZgWOliUtTq7YzvN4AnNhg\r\nJfHSQsMR5nYi9wHfq6doTWXArXKp82Z2u/pZoVY5xlAaU9uerxgs6GTs7iRbW4BM\r\n+7WkqxnRo/agFzhLpDWBxehpP0XKx49JgxPdmQXlYDQY6AYc5jPswBsePSYL1LNz\r\nhoPUbCfgPik5nrdAy4pVW6ijBcf8KqgVH8eZAQa1M2GpdyO8tIL5paTLaM+oiyWN\r\nFEjT+GDjxAoxFvDW8ZSOTSlu9GdrLquFMF2hp3zZ0bZ6EfHr3K3cyRXAhkVuLUTS\r\nXgEQAAk4rZa7lH9ODHkKNzOhIfm69V2sAgH5oWHgiBAAJU44ZE5voZSQokVZPu+b\r\nK9ldX8+2W8XoE1CGuWXNtb5GYlWlVFpShFfhPCm1l5b4w9Y5lDhXmEXf8Opdw3c=\r\n=t7MQ\r\n-----END PGP MESSAGE-----\r\n" 
diff --git a/environments/shared/group_vars/containers/app_container.yaml b/environments/shared/group_vars/containers/app_container.yaml index 9679f42..ca2170e 100644 --- a/environments/shared/group_vars/containers/app_container.yaml +++ b/environments/shared/group_vars/containers/app_container.yaml @@ -1,3 +1,5 @@ app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_pve_replication_cron_expression: "*/5" app_container_pve_ha_group_name: noncritical + +app_cloudflared_package_version: \ No newline at end of file diff --git a/environments/shared/host_vars/cloudflared1.yaml b/environments/shared/host_vars/cloudflared1.yaml index e0151a9..2aaa7f5 100644 --- a/environments/shared/host_vars/cloudflared1.yaml +++ b/environments/shared/host_vars/cloudflared1.yaml @@ -13,4 +13,6 @@ app_container_network_interfaces: app_container_pve_node: pve1 app_container_pve_ha_group_name: critical-priority-pve1 app_container_pve_replication_nodes: - - pve2 \ No newline at end of file + - pve2 + +app_cloudflared_package_version: 2024.4.0 \ No newline at end of file diff --git a/environments/shared/host_vars/cloudflared2.yaml b/environments/shared/host_vars/cloudflared2.yaml index a066e20..f4934df 100644 --- a/environments/shared/host_vars/cloudflared2.yaml +++ b/environments/shared/host_vars/cloudflared2.yaml @@ -13,4 +13,6 @@ app_container_network_interfaces: app_container_pve_node: pve2 app_container_pve_ha_group_name: critical-priority-pve2 app_container_pve_replication_nodes: - - pve1 \ No newline at end of file + - pve1 + +app_cloudflared_package_version: 2024.4.0 \ No newline at end of file diff --git a/playbooks/containers/cloudflared.yaml b/playbooks/containers/cloudflared.yaml index c9b48bf..d454c78 100644 --- a/playbooks/containers/cloudflared.yaml +++ b/playbooks/containers/cloudflared.yaml 
@@ -19,7 +19,7 @@ tags: [ container ] - name: Setup Cloudflared containers - hosts: cloudflared_containers + hosts: cloudflared become: true become_method: ansible.builtin.sudo any_errors_fatal: true diff --git a/roles/app-cloudflared/tasks/install.yaml b/roles/app-cloudflared/tasks/install.yaml index d46585d..b5a8055 100644 --- a/roles/app-cloudflared/tasks/install.yaml +++ b/roles/app-cloudflared/tasks/install.yaml @@ -11,6 +11,7 @@ state: present - name: Install cloudflared package + register: app_cloudflared_package ansible.builtin.apt: - name: cloudflared + name: "cloudflared={{ app_cloudflared_package_version }}" state: present diff --git a/roles/app-cloudflared/tasks/systemd.yaml b/roles/app-cloudflared/tasks/systemd.yaml index f4370d0..4973590 100644 --- a/roles/app-cloudflared/tasks/systemd.yaml +++ b/roles/app-cloudflared/tasks/systemd.yaml @@ -7,8 +7,9 @@ content: "{{ lookup('template', 'systemd-unit.j2') }}" - name: (Re)start service + serial: 1 ansible.builtin.systemd_service: name: cloudflared enabled: true daemon_reload: true - state: "{{ 'restarted' if app_cloudflared_config.changed or app_cloudflared_credentials.changed else 'started' }}" + state: "{{ 'restarted' if app_cloudflared_config.changed or app_cloudflared_credentials.changed or app_cloudflared_package.changed else 'started' }}" From b53ae20bffd9fe8146dffb8b49bf590fa210f258 Mon Sep 17 00:00:00 2001 
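Review bot: `name: "cloudflared={{ app_cloudflared_package_version }}"` has no guard for the variable being null or empty, and the group default added in this same commit (`environments/shared/group_vars/containers/app_container.yaml`) is a bare key, i.e. null, so a host without a host_vars override produces a malformed package spec and a confusing apt error instead of a clear message; `{{ app_cloudflared_package_version | mandatory }}` fails early and names the variable. Pinning with `=` also means apt will refuse to move to an older version unless `allow_downgrade: true` is set, which matters if the pin is ever rolled back. The rest of the task list is outside the hunk.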
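Review bot: `serial: 1` is a play-level keyword and is not accepted on a task, so the task list is rejected at parse time rather than restarting the tunnels one at a time. The task-level equivalent is `throttle: 1`, which limits the restart to one host at a time across the two cloudflared containers. The task's remaining keys and the rest of the file are outside the hunk.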
From: Lukas Holota Date: Sat, 20 Apr 2024 19:44:10 +0200 Subject: [PATCH 37/51] Secondary DNS in Lab --- .../prod/group_vars/all/environment.yaml | 9 ++++ .../prod/group_vars/all/users.sops.yaml | 53 +++++++++++++++++++ .../secrets.sops.yaml | 0 .../group_vars/containers/app_container.yaml | 2 + .../prod/group_vars/pve_nodes/general.yaml | 16 ++++++ .../group_vars/pve_nodes/secrets.sops.yaml | 9 +++- .../prod/host_vars/frigate/container.yaml | 13 +++++ environments/prod/host_vars/pihole.yaml | 4 ++ .../secrets.sops.yaml => pomerium.sops.yaml} | 0 environments/prod/host_vars/pve1.yaml | 2 + environments/prod/host_vars/pve2.yaml | 2 + environments/prod/host_vars/pve3.yaml | 2 + .../prod/host_vars/smtp_relay.sops.yaml | 47 ++++++++++++++++ environments/shared/group_vars/all/env.yaml | 5 +- .../shared/group_vars/pihole/container.yaml | 8 +++ .../shared/host_vars/cloudflared1.yaml | 3 +- .../host_vars/{pihole.yaml => pihole1.yaml} | 26 ++++----- environments/shared/host_vars/pihole2.yaml | 34 ++++++++++++ environments/shared/host_vars/smtp_relay.yaml | 7 ++- environments/shared/hosts.yaml | 5 +- playbooks/containers/pihole.yaml | 11 +++- roles/app-cloudflared/tasks/install.yaml | 1 + roles/app-cloudflared/tasks/systemd.yaml | 2 +- roles/app-cloudflared/templates/config.j2 | 3 ++ roles/app-gatus/tasks/main.yaml | 4 +- roles/app-gatus/templates/docker-compose.j2 | 1 - 26 files changed, 236 insertions(+), 33 deletions(-) create mode 100644 environments/prod/group_vars/all/environment.yaml create mode 100644 environments/prod/group_vars/all/users.sops.yaml rename environments/prod/group_vars/{cloudflared_containers => cloudflared}/secrets.sops.yaml (100%) create mode 100644 environments/prod/group_vars/containers/app_container.yaml create mode 100644 environments/prod/group_vars/pve_nodes/general.yaml create mode 100644 environments/prod/host_vars/frigate/container.yaml create mode 100644 environments/prod/host_vars/pihole.yaml rename 
environments/prod/host_vars/{pomerium/secrets.sops.yaml => pomerium.sops.yaml} (100%) create mode 100644 environments/prod/host_vars/pve1.yaml create mode 100644 environments/prod/host_vars/pve2.yaml create mode 100644 environments/prod/host_vars/pve3.yaml create mode 100644 environments/prod/host_vars/smtp_relay.sops.yaml create mode 100644 environments/shared/group_vars/pihole/container.yaml rename environments/shared/host_vars/{pihole.yaml => pihole1.yaml} (55%) create mode 100644 environments/shared/host_vars/pihole2.yaml diff --git a/environments/prod/group_vars/all/environment.yaml b/environments/prod/group_vars/all/environment.yaml new file mode 100644 index 0000000..2ea7bf7 --- /dev/null +++ b/environments/prod/group_vars/all/environment.yaml @@ -0,0 +1,9 @@ +env: + name: prod + suffix: "" + suffix_display: "" + domain: homecentr.one + +subnets: + services: 10.1.2.0/24 + services_storage: 10.1.7.0/24 \ No newline at end of file diff --git a/environments/prod/group_vars/all/users.sops.yaml b/environments/prod/group_vars/all/users.sops.yaml new file mode 100644 index 0000000..9df9ad8 --- /dev/null +++ b/environments/prod/group_vars/all/users.sops.yaml 
@@ -0,0 +1,53 @@ +users_root_password: ENC[AES256_GCM,data:eQB825IroAAna/XBIMUMuEUqeoJABWshyAo=,iv:GZzUc4/mjzbZucfSbeaVHdCVIyV7e9mjoizNZGWoLZI=,tag:FX4O+FC2MzCsdB/YxfYSUg==,type:str] +users_root_password_salt: ENC[AES256_GCM,data:ow2yKqOruFRJRqMs9e7aGA==,iv:pf8VAYaJqchNTImR56m5JwY1yUK/OCKu5lMfCDdVrG8=,tag:UteFoWFXcNsxZbqdUM6C+A==,type:str] +users_admin_users: + - username: ENC[AES256_GCM,data:IiH/5tGxww==,iv:MtuXPDoTp1X1dAlJ39xV1l/gNGFgbA98sLhhx4AtomU=,tag:7g/8IlL2UIfEoOfMZgxuPQ==,type:str] + public_keys: + - ENC[AES256_GCM,data:fem+nYEnzrc7p43txjY0920r3M5HAdTgUiyMsJbGs5Gm/7a8CPchBx5XIFUQfQdU2tN2jjjwybQ1hpB0A8Kq4l528Kr0KM0jT6nnork5oIYdU096fMwK7CExHVdyq50NDtf2ianQ5Osapw0EDyM/kcgTsUzAO50esGUdw5CWq0BG0dU8l6cD7n4MrACSdAIdO/clJ/8TZJ4Yqsc8r1vSRJVtwKOYIgmGonJZVs8NRyG8rnzDkjXDN7GgxMWyCTLBcBpt64CmRdHT8qEwLH2Fj6ys3WeebKU+lohrmbCHrvZIKT3I+OsedwPXdaRIHhrAKBNjmYe1+SctugJOEqc4FDYa6RD3rgKm0keFCz7wvvoxSr2z/k2jL/dhSQoGPWsDS4u3ZuXkt1UF8r4kh/ZNyiTOLohIGjWEnkwMjUyaD5VfykPG5zvda9gChsNJGTbthz6FeZGNgtlAt2fPFGcP2yEbm3GKHRNuuB4o8N4Vcn+HpCb/mI1WtgDugoqHc1eedz5pDk2kvtMhSMIJh2R/rceol2LrtLttovl34Pcib6xizR6HLtB5IFHYZen2bFx9OPl1ia6yCe/vfV1Tq/nUwX3DycwC+faRbVytVGWTfvcHw5typQffd+bY6Vg6G7twPNB+gixphVL8x7ME3rTs2CzAOUilXf6eRQ3CIxjvwIYp0fhaeh4xPn+AzsrniGNaAe4xk+CYg7D9wrrjV80WBY/nUea9LWmxc2m6ob6Flp9IoQjsFthEWtbomiLDBenih0FROIujXzsHL2WAbrlwKEgRrE/d7pM17kJT41qeFNHK2YwkTcA4NHbp6Yh35Gb58L0aF60V9WLUWabWTScOk3Crl7zECfMWKkuo6F7Po5BdXVArhFcGP+E0QkJdY/rlMNStc11nswarJUAogYsASLd0oARGZE+Afe+DOXelr6Bf/MirF5IG/rzcN5/QfvNFUoxAOQ==,iv:lffsvnH3gzYIXCgyS/lK3Y4Elbqg+HioPb3I0WZUOPQ=,tag:FOg1pOIeYI5d+XDNjzQGAQ==,type:str] + - ENC[AES256_GCM,data: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,iv:B9gVFmR9RLajkcUfNIe/5Tpi4z5CcfZyI76bmLFOBxo=,tag:6YzAEaKpmsE7nrlnqVq+GA==,type:str] + - username: ENC[AES256_GCM,data:5UAVVmm2rSdodkMrvA==,iv:IVBaDzpChyxqbCcMxh/ZmQAIfdFfVgqcdHFIMRTjujc=,tag:HH8dfEpPOMfw3wkW1etd+Q==,type:str] + public_keys: + - 
ENC[AES256_GCM,data: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,iv:VgeFMjLn+z7nYmEETvJ43xWv7TrDKEDJ8K3jqtMMghk=,tag:/+jxTjcicr5RZbfl7q1w6Q==,type:str] +ssh_allowed_users: + - ENC[AES256_GCM,data:HF8YTmKN+Q==,iv:aHIWB34sk+gLbuWB4ZD5oOIpM09egrYizhWLxc13mh0=,tag:CPEdUBdDpcJpTrqWUJYgqQ==,type:str] + - ENC[AES256_GCM,data:YNR0UGlGGI8DBU/GNw==,iv:HAwpRCsnz/jjYaT54M3zih4h8uaz0XiUlk3xhBARrFM=,tag:5HwUrFzewflbYu+p/dTpPw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Sndlcjd3bUtycHhBWXF5 + NnBFdEVHc2hzR1pMRHhDMDJKWWpxUXBlblMwCnJ4WGxSeUM0MkRIenVqTmlGQ3dx + UTBvZkI0ZmZVSnhjazJYVUM2allJUGcKLS0tIDdJWitBSFpEb29Gc3NIMldVdGRV + aWN1V0VMcVVSTUI4eDY1L3dmaCs0SU0KkzPO20YfskpLYPYeNu09SGA6243cVGTf + MDOHatdRs2CkZNEw2A6xaoIXnj0Rr+N9sfrdAWRsCBBRxyfgxw1Bog== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-06-04T20:42:51Z" + mac: ENC[AES256_GCM,data:JYTu3yhVocuTnL01t5IU/LRVNd9HtTOVTHnEdXm65h4OoesytvHNmh2Csq7MfvYSWTuComOWxCGn4n2upwrEHL7IVietDX4A728GBOqDKD2ruHCetAqPqvFVInQoqzFWVAIvOrQhO/mLo7L6NlFRveNPw0SJn3koxtdj+JrVS/A=,iv:58T9mNgwmwsuAk496VFCBuK9h/jaT8YX8y/NORpDdlU=,tag:KTn1uE4Y7gMknB+EV0RpMg==,type:str] + pgp: + - created_at: "2023-06-05T09:01:59Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA7Pg+ndCcR5CARAAhgn5QVDIe74f3jPc6UeLebhptknDLqxrD/zO0xEs7BX9 + XOy47z0jhdLruO+i9AxpFJxSX6VQ/D3DuLKTTikvTk0UYU6BEIVbw90UsLdY+g2K + beRsFeql7tKAYF2FQuPWGKzE7ee6TVypLD+VBXYuQOvpdd4sZCJ/qMlfMGMBrALZ + sV19IPtHnvFjtLKXO2/QyFk4OJfLAG6i+vuwtAokxSGMGab+F0iDhoCXo+YjbTR+ + aTropldbOOudDDb4VFNDSkza7TI2gm4vyOjYN+i27D001ulywsBzO0/pXlb+ajZS + BlN4rGU+I4wsBDp841FTNZPy9Lf7vYsVPD+WFQpqr1VJOn3TAt/Dw5GsPVuux77Z + WjsVpxtXGWSt3esX6uOCT8ErOWN45ZmMdHK8Fdq63P11RlmUwox2GhNIcouT+s44 + nhnpL2ZgLmZ1LS8DxG/ZRylgelGSnZjIxCDjtZ1zuqUJYJSyZWV57fD0Gs8mEHMk + 
SGntsuvkIqAUY0lk4kDFWqbLveyZgvu2hU4KvdWZEhfOK44fc2NAXGQY9O/ucdWD + Cae1jeygtFREp+ANsCkyErnSg4wrxZd29rJVjvUx4B3n4yMzgk15rO4r2i2QGeNE + T3QQC/JeLqFfvlhIYRjuZY+dqW0PomEjWDdSJF4ReXRvw/L2Usik5ktZgPJHQKvS + XAG4cJV6FNAEsnVzoDFN66sWq3RoGDSktvP765CHi1A3K+8WMrB765fn4eIyEye3 + 6aPbn7PNYSNluMdh9Z44nUrmS+tve+gBlLocwHHYZ6MyyIngsuhbEXKAEPIh + =3kz5 + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/environments/prod/group_vars/cloudflared_containers/secrets.sops.yaml b/environments/prod/group_vars/cloudflared/secrets.sops.yaml similarity index 100% rename from environments/prod/group_vars/cloudflared_containers/secrets.sops.yaml rename to environments/prod/group_vars/cloudflared/secrets.sops.yaml diff --git a/environments/prod/group_vars/containers/app_container.yaml b/environments/prod/group_vars/containers/app_container.yaml new file mode 100644 index 0000000..5f3f0f3 --- /dev/null +++ b/environments/prod/group_vars/containers/app_container.yaml @@ -0,0 +1,2 @@ +app_container_nameserver: 10.1.2.64 +app_container_storage_name: dpool1 \ No newline at end of file diff --git a/environments/prod/group_vars/pve_nodes/general.yaml b/environments/prod/group_vars/pve_nodes/general.yaml new file mode 100644 index 0000000..03556f8 --- /dev/null +++ b/environments/prod/group_vars/pve_nodes/general.yaml @@ -0,0 +1,16 @@ +ups_devices: + - name: ups1 + driver: usbhid-ups + description: Eaton 1100 + port: auto + monitored_by: pve1 + # vendor: 0463 + # product: ffff + + - name: ups2 + driver: usbhid-ups + description: Eaton 1500 + port: auto + monitored_by: pve2 + # vendor: 0463 + # product: ffff \ No newline at end of file diff --git a/environments/prod/group_vars/pve_nodes/secrets.sops.yaml b/environments/prod/group_vars/pve_nodes/secrets.sops.yaml index d44bb08..69bc19f 100644 --- a/environments/prod/group_vars/pve_nodes/secrets.sops.yaml +++ b/environments/prod/group_vars/pve_nodes/secrets.sops.yaml 
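Review bot: The commented-out `# vendor: 0463` under both UPS entries would parse as the integer 307 (leading-zero octal in YAML 1.1) if it is ever uncommented, while `# product: ffff` would stay a string, so the two IDs would reach the consumer with different types. Keeping them quoted in the comment, `# vendor: "0463"` and `# product: "ffff"`, makes enabling them later safe.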
@@ -29,6 +29,11 @@ getssl_certificates: getssl_cloudflare_email: ENC[AES256_GCM,data:8oS0LQt1MVH8dPwZ7Xwq+2vAs799Mw==,iv:rgjAafCDLtKQfGSKOXG6Sv7foFvoCOdv9n6mI+hmbro=,tag:n4qkIbDkC92lcym8CD13pg==,type:str] getssl_cloudflare_api_token: ENC[AES256_GCM,data:YEG3q5gMQ405UNqal6o4sQ95CNLMFrxjnBdlbHwxEvMEerhkRVMOzg==,iv:maYf2UCkIwwYKOLvy+PDSsG1LDgR8AbvGeduXcVKVms=,tag:i2f8PyLgv3wFe+Ir86aaCw==,type:str] ups_slave_password: ENC[AES256_GCM,data:lmUebjuRsVL0qnP7g53bnGb6PMONZI1OzikV,iv:vPzdPgjMA5AMXXbI9f2K/zE2OgbbNSOJgxntKGuYcPI=,tag:YDBva18phZQG+FOD42wGJA==,type:str] +pve_smtp_username: ENC[AES256_GCM,data:jK/v4zPqS46SdpscEg/OrPmT/rtglA==,iv:eHPflyJMzh4xLc7h1fUdR+m8m1i38WdTF47jDWtFhv8=,tag:ncXuOYM3gOaQJduksgzpZQ==,type:str] +pve_smtp_password: ENC[AES256_GCM,data:maPzOcH/vPLlf5yh+sq2wSGVkNTecSa/+pX2thGj0KyWl4zPGFoB5+4/A4HBhJHzcgQsAEkgRlmpvTR39v6LiIof5/fSKfbt82CugEPpxXQX/lumiz3eq2c4,iv:OlwHIGAnKvys3jeEP52BRrcSvqBJ6FKBTJ9/7BFYYtw=,tag:Jm+4/wdRxAff0uOyDBd2Vw==,type:str] +pve_smtp_host: ENC[AES256_GCM,data:zS3YuMC/Cp4THOrUtaw/jTO1jAE=,iv:a6D4ooZQBKM3MhQEYav1alAH5dYN8abZB01ndV+IvbM=,tag:4magRUDY8WIhVBBOt8F3fg==,type:str] +pve_smtp_port: ENC[AES256_GCM,data:O5zo,iv:m8cpc8bQ72XDnwnndoit33WPMYBfuP9I9LZLm+sDoHA=,tag:YMMidNk8QdMGla+TJG4UYA==,type:int] +pve_smtp_tls: ENC[AES256_GCM,data:ILd6SQ==,iv:uTart7c/4XUNUivNTdbl3NVLFjdeQp9czDXjjuwc250=,tag:Fzs1Q0fGuwU1X3mj9As//A==,type:bool] sops: kms: [] gcp_kms: [] 
@@ -44,8 +49,8 @@ sops: K2p6NzNleVJLVXIwR3gvdFk3VjNuSnMKVoTukJFUyfcpAi2Sihnhzy8zpFBiHJrM Mhsg+k/UeeDGy8dntttNwwLUiDoZSy2q4yWjJo2ZL8dNJIfxx0UWxA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-14T15:54:37Z" - mac: ENC[AES256_GCM,data:24kUMCacmUZQKR8eXJm48AqyYLVWQyYk06QMMIlcAzFQT2HPLYJ07Zk0eXeNzq4A4qrBaw6SOx4Sl06K5HduHL7eLbP4s074nOfmus1IgDZQPYPgjLcH6GL0m/SF1cBMbTUxVMyTCktxgdTxuYk3TacGhhocbychkTuGC2mBAQs=,iv:vv34m8IVyeo2qgdTjtOIN8Xqh/WidNn0BkAPtqmlZpE=,tag:yagwLgxfqLrrn0XHtaVdvg==,type:str] + lastmodified: "2024-04-19T16:58:14Z" + mac: ENC[AES256_GCM,data:vdI5CEqUyduqQdJ+rfuyU0AfyOr7wFNkwxaIN1ueTUuO4CW4QABgaSp3S1FgskTUW7UKDdGft9Y9FDa6Wgydic7jKn1+E5Cgp61Fzc4OIgPvg7/XHboMgksZPgZFvgcH2XsTZW0PZ4xSLRWdf8Auaib9kUiPR254dOjOn0AfP+w=,iv:V9Sn0TC54n+MVJPq+8442qeI5xufy8YbIq8NhsYtaRg=,tag:JDaDbP/ooQtw6XkmiyT24A==,type:str] pgp: - created_at: "2023-06-05T08:58:32Z" enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//e3QKIVOOfBuOF2Q3avCCJNjI8PEJ93pTo/FzTQYYGUOU\r\nOacmnaizo/c3f9IUjax0jbtt2TepYyU0xNmQLZPMjH+mv3l5fzShjUjbtyJyrEJN\r\ncDSV9uktt5BCYKU7wfixK+aNlu8v+5TSPh67DzfX8gnObp5FuZl9lZfFG34nKTuM\r\nIQ2/1h+jiqX1YzTlen43oYGw2vl9AN+irWaKHFXcp4MrJ09RmwdNN6BQERXyBggq\r\nvYyOO46D2zfB6LpvZOsYsLIQ5r2Q5HkT6iYIBQdiiYcXXblkFub4QX1Xidhqbye8\r\nkF3xWPSM4Ah2E/Vle8K0WaECBEjEgntGQUG9Ox1Rx4TZu2dE/kYzbSSZJEAjOrdq\r\nLmjjoeZb9GgulVx8bosB+nu5uBLFENUFRAX13/OIV3wFMgWNq4GEuFx4o1bAYGyY\r\nQJBQPPTNWAg7KILXHJGurkPJQFm+97wJr6movUbYIm8kZQddUltoHuU+WF2ziTii\r\ntlavjA5+YBlww3fLvxAwOGbMLDew7QVdS+jlytAFE/WiY4+DevhCscZ0HMFC8gxF\r\nHGTHQoGMmrDRbceuOLfjAriGJGteAzFTA92U8tFNiHMDtOOI6A0ZWy3qdSWVECid\r\nD9vj0i/eLei30Fsx8Cy572oTqt8aP2/hEZLtxUfLj3JDWq/D1AAStuUEFPFvqKrS\r\nXgFqcNjohYoLdsm2ARos+Jpp0UIQn8pnqLlqzdaj3Lg6OymMwaP+NoTg8vKs9WCb\r\n53ui5uz1ds2oQRkFAFibUap+Mb9iNo4xgSjtRenS7KoGqQr1xWVHASSHffP7kgk=\r\n=/TSI\r\n-----END PGP MESSAGE-----\r\n" diff --git a/environments/prod/host_vars/frigate/container.yaml b/environments/prod/host_vars/frigate/container.yaml new file mode 100644 index 0000000..af006cb 
--- /dev/null +++ b/environments/prod/host_vars/frigate/container.yaml @@ -0,0 +1,13 @@ +app_container_memory: 8096 +app_container_storage_name: dpool1 +app_container_storage_size_gb: 10 + +app_container_mounts: + - type: disk + storage_name: dpool_nvr + index: 2 + size_gb: 2500 + target_path: /nvr + +app_frigate_cache_size_gb: 16 +app_frigate_shm_size_gb: 8 diff --git a/environments/prod/host_vars/pihole.yaml b/environments/prod/host_vars/pihole.yaml new file mode 100644 index 0000000..54e0b6a --- /dev/null +++ b/environments/prod/host_vars/pihole.yaml @@ -0,0 +1,4 @@ +app_pihole_custom_forwarders: + # Forward lab queries to lab nameserver + - domain_pattern: "*-lab.homecentr.one" + nameserver: 10.1.8.64 \ No newline at end of file diff --git a/environments/prod/host_vars/pomerium/secrets.sops.yaml b/environments/prod/host_vars/pomerium.sops.yaml similarity index 100% rename from environments/prod/host_vars/pomerium/secrets.sops.yaml rename to environments/prod/host_vars/pomerium.sops.yaml diff --git a/environments/prod/host_vars/pve1.yaml b/environments/prod/host_vars/pve1.yaml new file mode 100644 index 0000000..483191b --- /dev/null +++ b/environments/prod/host_vars/pve1.yaml @@ -0,0 +1,2 @@ +pve_zfs_max_arc_size_gb: 4 +ups_name: ups1 \ No newline at end of file diff --git a/environments/prod/host_vars/pve2.yaml b/environments/prod/host_vars/pve2.yaml new file mode 100644 index 0000000..934309d --- /dev/null +++ b/environments/prod/host_vars/pve2.yaml @@ -0,0 +1,2 @@ +pve_zfs_max_arc_size_gb: 4 +ups_name: ups2 \ No newline at end of file diff --git a/environments/prod/host_vars/pve3.yaml b/environments/prod/host_vars/pve3.yaml new file mode 100644 index 0000000..2bc2b16 --- /dev/null +++ b/environments/prod/host_vars/pve3.yaml @@ -0,0 +1,2 @@ +pve_zfs_max_arc_size_gb: 0.5 +ups_name: ups1 \ No newline at end of file 
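Review bot: `app_container_memory: 8096` looks like a typo for 8192 (8 GiB): it is not a power-of-two size and sits next to round figures (`size_gb: 2500`, cache 16, shm 8). If 8 GiB is intended, use `app_container_memory: 8192`; if 8096 is deliberate, a short comment saying why would stop the next reader from "fixing" it. The unit of this value is not visible in the diff, so confirm it against the container role.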
diff --git a/environments/prod/host_vars/smtp_relay.sops.yaml b/environments/prod/host_vars/smtp_relay.sops.yaml new file mode 100644 index 0000000..396725c --- /dev/null +++ b/environments/prod/host_vars/smtp_relay.sops.yaml 
@@ -0,0 +1,47 @@ +app_haraka_users: + - username: ENC[AES256_GCM,data:wIFb,iv:/n/Zv39xiZKWl+TsiWq/+xPfpS/bMxLmmvcludsfOMA=,tag:sL8/YeRNq/w5+nxVjIRATA==,type:str] + password: ENC[AES256_GCM,data:5xQSIu1SKQ2YICc9k2TgH/gZzKQ=,iv:QZ/wW7hoYd9HyrIEXZxG2EePyE2XV06pRpM7hOoBqXU=,tag:h57JAYLn+r49D66JKjrV3g==,type:str] +app_haraka_smtp_username: ENC[AES256_GCM,data:W88iwjJhJFMdxJ1s5BaqtU1eQXxvWQ==,iv:fxIOt+0LBjjoLB1xo0KWOBJ9R8g4Q2U+gB+ujT7KXu0=,tag:cJjMQnjTJTtB6Gx0o3QWvw==,type:str] +app_haraka_smtp_password: ENC[AES256_GCM,data:5F7M77Jv5rcKTjEvbWmGLty7+lbd9WJIA7OzyHMRbSGOpGmdiJWwKFjHKsBlotBW0gofJHDoBh05nID1B8FYM36jkd+0TkQTB3kqdB/onXHmLn0Hy2M/PgAX,iv:mMLZS79WYtVyg4BL0O1r1LOsFMSkDMTN3+oN68jlmeU=,tag:jpT0V2IZWImu19VbbH0zow==,type:str] +app_haraka_smtp_host: ENC[AES256_GCM,data:BSaVrZGb++wnK39Dt3+UrAqbfSI=,iv:hlipTNIV5PJ4wIsH/ORTHp8C5V8kjzsX7dQyG+tvqno=,tag:xQgicmiGvMRBreLAdDlvTQ==,type:str] +app_haraka_smtp_port: ENC[AES256_GCM,data:bqtZ,iv:RC8tIIBHvOWXNGs7NDGi46ss92oyq6C9vnbnyPGr5hw=,tag:DTd3Wd706FR48MDXza55OA==,type:int] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzNjdnUWhha0JvUkVkQ1J0 + K2RVclB0NTljWkx0SXo2QjM0S290TVcxb0JZCit5SVBxanRsNFJ6aTRKYUZ5ZHpK + T3czaHBISTl1N1pJeUhqWVBrdEFRSzgKLS0tIHQvT255a1dhQjBON0tOaHl3Zmkr + U1RuL2xVbC9pRFppQ3BEUmFkV1ZDTzAKgBEI44mfeId4G4VrnOTi20q0jeLPLvEI + Xpy6J8rcP/ixbN+bns2Y8dC55+uFEpQQdVObCBzyYgSqapFM9cYpHQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-19T17:02:22Z" + mac: ENC[AES256_GCM,data:rCzgrm7Plp0Ubd3kXLYXY5hhKGS3OdR3TiCM9sqBl+8CfrfBXYtg8DLo8z+pTJQBAw8sjAC1kt+xHzHoKnuy8mHpJiDiiXeOb7U1+4qbjA2x3HaY/cf8IxW5tPNZwy6XH27AI7/dYSQVrt1NGnkgE8eka+6wOlGDQC0EdbiHRXM=,iv:hO/j1nJjmmsn4zZcE0eeKov2tXU6NAyOpi0CpFhVp70=,tag:K9qRW4INTmb/zfbZvHJhLA==,type:str] + pgp: + - created_at: "2024-04-17T13:26:16Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMA7Pg+ndCcR5CARAAkUwBdOFb6cNMqPIHyxrKLrh6syCc0Icu/OnvyBsINnV0 + qT7l8sneOVd0g6YKuJXTXH87iUxS01fXSZBa5A5NZhohGSufhMhpy2AbtpiDeWBg + zQuEwwjb0l/T4AVUVNPWHrC5ctFXuA1xF4e4pFPmyY2aCXURPR8vjWpIDwMIXWdp + nxHDwQADoE2MtM5mzHBKjL1HVJDtfh2fzvKl6R0SVg9a9gEL8tVbheNnwo5FfSU4 + 6RX5T7xNo5nDLwXaHKfQttlMCHbMqEDeQxQaXJ2fg2byz8C+HaOvNdUAhvI8dHRA + tPwavu8l0dTLYMU77/+mQo17+LWql29uCZFHQRhvEB88kLbJ8T2KKLE4jqdzFiuk + c3lfMEmMoq0XZ1L7S2Us+IPZOz03mvAYeKaBiJwsAcUyy+qhoZ2UVm7pV6TIrSxw + 6W/iKjXCczfmIjgjkLEJCYys6P3dHdOnBlp0XnLnr4QRvb415oRyAzNIkO6iYdy3 + qy7bf7k61mk1GYR7EoZt4p0CYAlK1T8SYOOVO0AlaPIqX9l6jhI55D5HwbzXsLP4 + y2AbIj/rQ6ZzmeLtAkcMapmZduvz7Qv0VSsLS6c2MiMMChW6P6qcR/w9K/zE/VCF + RHIAm7vzsT+A/6bbq1ECORMIn7qry+5hSPgqYJxbhuRpZuL8FtydZoAAw47gPkrS + XgHqmQsENy6eCGaPmkA769tgw+7C9/k1ZBRiuoAFw2xASiryfjPrF1DNNOrEm4OS + MgJW9EiGMc/WCY5KVrBdMU1KKfvQrOi+9KNNelOgOYaTcRRclR5LAP80AynUOd4= + =4mv+ + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/environments/shared/group_vars/all/env.yaml b/environments/shared/group_vars/all/env.yaml index 2b0a623..5456aa4 100644 --- a/environments/shared/group_vars/all/env.yaml +++ b/environments/shared/group_vars/all/env.yaml @@ -3,8 +3,9 @@ ipam: pve2: "{{ subnets.services | ansible.utils.ipmath(12) }}" pve3: "{{ subnets.services | ansible.utils.ipmath(13) }}" - pihole: "{{ subnets.services | ansible.utils.ipmath(64) }}" - smtp_relay: "{{ subnets.services | ansible.utils.ipmath(65) }}" + pihole1: "{{ subnets.services | ansible.utils.ipmath(64) }}" + pihole2: "{{ subnets.services | ansible.utils.ipmath(65) }}" + smtp_relay: "{{ subnets.services | ansible.utils.ipmath(74) }}" pomerium: "{{ subnets.services | ansible.utils.ipmath(66) }}" mqtt: "{{ subnets.services | ansible.utils.ipmath(67) }}" monitoring: "{{ subnets.services | ansible.utils.ipmath(68) }}" 
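Review bot: Reassigning offset 65 from `smtp_relay` to `pihole2` while moving `smtp_relay` to 74 means anything still holding the old relay address (client SMTP settings, firewall rules, cached DNS) now reaches the new DNS container instead of the relay, a silent failure rather than a connection refused. Record the move next to the entry so the reuse is visibly deliberate, e.g. `smtp_relay: "{{ subnets.services | ansible.utils.ipmath(74) }}"  # moved from .65, which is now pihole2`, and double-check any consumer of the old address that is not rendered from `ipam`. The `ipam` mapping continues outside the hunk.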
diff --git a/environments/shared/group_vars/pihole/container.yaml b/environments/shared/group_vars/pihole/container.yaml new file mode 100644 index 0000000..07c8cc9 --- /dev/null +++ b/environments/shared/group_vars/pihole/container.yaml @@ -0,0 +1,8 @@ +app_container_nameserver: 1.1.1.1 +app_container_memory: 512 +app_container_storage_size_gb: 5 + +app_pihole_version: 5.17.3 +app_pihole_forwarders: + - 1.1.1.1 + - 1.0.0.1 diff --git a/environments/shared/host_vars/cloudflared1.yaml b/environments/shared/host_vars/cloudflared1.yaml index 2aaa7f5..57f83de 100644 --- a/environments/shared/host_vars/cloudflared1.yaml +++ b/environments/shared/host_vars/cloudflared1.yaml @@ -15,4 +15,5 @@ app_container_pve_ha_group_name: critical-priority-pve1 app_container_pve_replication_nodes: - pve2 -app_cloudflared_package_version: 2024.4.0 \ No newline at end of file +app_cloudflared_package_version: 2024.4.0 +app_cloudflared_healthcheck_hostname: "tunnel-health{{ env.suffix }}.homecentr.one" \ No newline at end of file diff --git a/environments/shared/host_vars/pihole.yaml b/environments/shared/host_vars/pihole1.yaml similarity index 55% rename from environments/shared/host_vars/pihole.yaml rename to environments/shared/host_vars/pihole1.yaml index c48d256..0d49281 100644 --- a/environments/shared/host_vars/pihole.yaml +++ b/environments/shared/host_vars/pihole1.yaml @@ -1,13 +1,10 @@ -ansible_host: "{{ ipam.pihole }}" -ansible_hostname: "ct-pihole{{ env.suffix }}" +ansible_host: "{{ ipam.pihole1 }}" +ansible_hostname: "ct-pihole1{{ env.suffix }}" -app_container_nameserver: 1.1.1.1 -app_container_memory: 512 -app_container_storage_size_gb: 5 app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: "{{ ipam.pihole }}/24" + ipv4_address: "{{ ipam.pihole1 }}/24" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve1 
@@ -15,28 +12,23 @@ app_container_pve_ha_group_name: critical-priority-pve1 app_container_pve_replication_nodes: - pve2 -app_pihole_version: 5.17.3 -app_pihole_forwarders: - - 1.1.1.1 - - 1.0.0.1 - app_pomerium_routes: - - hostname: "pihole{{ env.suffix }}" + - hostname: "pihole1{{ env.suffix }}" auth_mode: administrators app_pihole_records: - - hostname: "pihole{{ env.suffix }}" + - hostname: "pihole1{{ env.suffix }}" type: pomerium_proxy app_gatus_monitored_endpoints: - - name: Web UI + - name: pihole1 / Web UI group: Pi-hole type: https-pomerium-proxy - host: "pihole{{ env.suffix }}.homecentr.one" - - name: DNS + host: "pihole1{{ env.suffix }}.homecentr.one" + - name: pihole1 / DNS group: Pi-hole type: dns - host: "{{ ipam.pihole }}" + host: "{{ ipam.pihole1 }}" dns_query_name: "login{{ env.suffix }}.homecentr.one" dns_query_type: "A" dns_query_answer: "{{ ipam.pomerium }}" \ No newline at end of file diff --git a/environments/shared/host_vars/pihole2.yaml b/environments/shared/host_vars/pihole2.yaml new file mode 100644 index 0000000..6505771 --- /dev/null +++ b/environments/shared/host_vars/pihole2.yaml 
@@ -0,0 +1,34 @@ +ansible_host: "{{ ipam.pihole2 }}" +ansible_hostname: "ct-pihole2{{ env.suffix }}" + +app_container_network_interfaces: + - name: eth0 + bridge: vmbr0 + ipv4_address: "{{ ipam.pihole2 }}/24" + ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" + +app_container_pve_node: pve2 +app_container_pve_ha_group_name: critical-priority-pve2 +app_container_pve_replication_nodes: + - pve1 + +app_pomerium_routes: + - hostname: "pihole2{{ env.suffix }}" + auth_mode: administrators + +app_pihole_records: + - hostname: "pihole2{{ env.suffix }}" + type: pomerium_proxy + +app_gatus_monitored_endpoints: + - name: pihole2 / Web UI + group: Pi-hole + type: https-pomerium-proxy + host: "pihole2{{ env.suffix }}.homecentr.one" + - name: pihole2 / DNS + group: Pi-hole + type: dns + host: "{{ ipam.pihole2 }}" + dns_query_name: "login{{ env.suffix }}.homecentr.one" + dns_query_type: "A" + dns_query_answer: "{{ ipam.pomerium }}" \ No newline at end of file diff --git a/environments/shared/host_vars/smtp_relay.yaml b/environments/shared/host_vars/smtp_relay.yaml index 50723bb..052929d 100644 --- a/environments/shared/host_vars/smtp_relay.yaml +++ b/environments/shared/host_vars/smtp_relay.yaml @@ -2,7 +2,7 @@ ansible_host: "{{ ipam.smtp_relay }}" ansible_hostname: "ct-smtp-relay{{ env.suffix }}" app_container_docker_support: true -app_container_memory: 256 +app_container_memory: 512 app_container_storage_size_gb: 2 app_container_network_interfaces: - name: eth0 @@ -10,10 +10,9 @@ app_container_network_interfaces: ipv4_address: "{{ ipam.smtp_relay }}/24" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" -app_container_pve_node: pve3 -app_container_pve_ha_group_name: critical-priority-pve3 +app_container_pve_node: pve1 +app_container_pve_ha_group_name: critical-priority-pve1 app_container_pve_replication_nodes: - - pve1 - pve2 app_container_mapped_uids: 
diff --git a/environments/shared/hosts.yaml b/environments/shared/hosts.yaml index 10adc52..f745744 100644 --- a/environments/shared/hosts.yaml +++ b/environments/shared/hosts.yaml @@ -11,7 +11,6 @@ all: homepage: monitoring: mqtt: - pihole: pomerium: smtp_relay: unifi_controller: @@ -20,3 +19,7 @@ all: hosts: cloudflared1: cloudflared2: + pihole: + hosts: + pihole1: + pihole2: diff --git a/playbooks/containers/pihole.yaml b/playbooks/containers/pihole.yaml index afc75f1..b11f7e4 100644 --- a/playbooks/containers/pihole.yaml +++ b/playbooks/containers/pihole.yaml @@ -4,11 +4,18 @@ become_method: ansible.builtin.sudo any_errors_fatal: true tasks: - - name: Create application container + - name: Create phole1 container ansible.builtin.import_role: name: ../../roles/app-container vars: - container_inventory_name: "pihole" + container_inventory_name: "pihole1" + tags: [ container ] + + - name: Create phole2 container + ansible.builtin.import_role: + name: ../../roles/app-container + vars: + container_inventory_name: "pihole2" tags: [ container ] - name: Setup Pihole containers diff --git a/roles/app-cloudflared/tasks/install.yaml b/roles/app-cloudflared/tasks/install.yaml index b5a8055..44fe262 100644 --- a/roles/app-cloudflared/tasks/install.yaml +++ b/roles/app-cloudflared/tasks/install.yaml @@ -14,4 +14,5 @@ register: app_cloudflared_package ansible.builtin.apt: name: "cloudflared={{ app_cloudflared_package_version }}" + update_cache: true state: present diff --git a/roles/app-cloudflared/tasks/systemd.yaml b/roles/app-cloudflared/tasks/systemd.yaml index 4973590..60d5e72 100644 --- a/roles/app-cloudflared/tasks/systemd.yaml +++ b/roles/app-cloudflared/tasks/systemd.yaml @@ -7,7 +7,7 @@ content: "{{ lookup('template', 'systemd-unit.j2') }}" - name: (Re)start service - serial: 1 + throttle: 1 ansible.builtin.systemd_service: name: cloudflared enabled: true 
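Review bot: The two new task names read `Create phole1 container` and `Create phole2 container`; the host is Pi-hole, so `- name: Create pihole1 container` and `- name: Create pihole2 container`, matching the `container_inventory_name` values below them. The second import is a copy of the first with only the inventory name changed, which is acceptable because `import_role` cannot be looped, but the names are what appear in run output and should be spelled consistently. The play's remaining tasks are outside the hunk.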
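Review bot: `update_cache: true` on the pinned install refreshes the apt index on every run of the role, even when the package is already at the pinned version. Adding `cache_valid_time: 3600` beside it keeps the refresh (so a newly pinned version is installable) while skipping the network round-trip when the index was updated within the last hour. The task's other keys sit just above the hunk.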
diff --git a/roles/app-cloudflared/templates/config.j2 b/roles/app-cloudflared/templates/config.j2 index 2af6a85..2c12d5d 100644 --- a/roles/app-cloudflared/templates/config.j2 +++ b/roles/app-cloudflared/templates/config.j2 @@ -9,4 +9,7 @@ ingress: noTLSVerify: true {% endfor %} + - hostname: {{ app_cloudflared_healthcheck_hostname }} + service: http_status: 204 + - service: http_status:404 \ No newline at end of file diff --git a/roles/app-gatus/tasks/main.yaml b/roles/app-gatus/tasks/main.yaml index 49b954c..4326b4b 100644 --- a/roles/app-gatus/tasks/main.yaml +++ b/roles/app-gatus/tasks/main.yaml @@ -9,7 +9,6 @@ state: directory - name: Create config file - register: app_gatus_config ansible.builtin.copy: dest: /etc/gatus/config.yaml force: true @@ -21,7 +20,8 @@ force: true content: "{{ lookup('template', 'docker-compose.j2') }}" +# Gatus picks up updates in the config file by itself without the need to restart the service - name: Start docker stack community.docker.docker_compose_v2: project_src: /etc/gatus - state: "{{ 'restarted' if app_gatus_config.changed else 'present' }}" + state: "present" diff --git a/roles/app-gatus/templates/docker-compose.j2 b/roles/app-gatus/templates/docker-compose.j2 index 3334e74..179df03 100644 --- a/roles/app-gatus/templates/docker-compose.j2 +++ b/roles/app-gatus/templates/docker-compose.j2 @@ -1,4 +1,3 @@ -version: "3.9" services: gatus: container_name: gatus From e55d41fbb05a3364a1fe15e63eacfdd9c15beec5 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Sun, 21 Apr 2024 09:48:45 +0200 Subject: [PATCH 38/51] Fixes --- .../group_vars/containers/app_container.yaml | 1 - .../group_vars/containers/app_container.yaml | 1 - .../group_vars/containers/app_container.yaml | 2 +- environments/shared/host_vars/pve1.yaml | 26 +++++++++++++++++-- roles/app-gatus/tasks/main.yaml | 4 +-- 5 files changed, 27 insertions(+), 7 deletions(-) 
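Review bot: The added line `service: http_status: 204` is not valid YAML — a plain scalar cannot contain `: ` — so cloudflared will refuse the rendered config; the catch-all on the next line, `http_status:404`, shows the correct form, so it should be `service: http_status:204`. The template also interpolates `{{ app_cloudflared_healthcheck_hostname }}` unconditionally, but this commit defines the variable only in `host_vars/cloudflared1.yaml`, so rendering for cloudflared2 fails with an undefined-variable error unless it is set somewhere outside this diff; either define it for cloudflared2 as well or wrap the rule in `{% if app_cloudflared_healthcheck_hostname is defined %}`. Since the value is templated, quote it in the output (`hostname: "{{ app_cloudflared_healthcheck_hostname }}"`) so an unexpected value cannot change the YAML structure. The `ingress:` list starts before the hunk.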
diff --git a/environments/lab/group_vars/containers/app_container.yaml b/environments/lab/group_vars/containers/app_container.yaml index ad6066d..8183527 100644 --- a/environments/lab/group_vars/containers/app_container.yaml +++ b/environments/lab/group_vars/containers/app_container.yaml @@ -1,2 +1 @@ -app_container_nameserver: 10.1.8.64 app_container_storage_name: dpool \ No newline at end of file diff --git a/environments/prod/group_vars/containers/app_container.yaml b/environments/prod/group_vars/containers/app_container.yaml index 5f3f0f3..2c77daa 100644 --- a/environments/prod/group_vars/containers/app_container.yaml +++ b/environments/prod/group_vars/containers/app_container.yaml @@ -1,2 +1 @@ -app_container_nameserver: 10.1.2.64 app_container_storage_name: dpool1 \ No newline at end of file diff --git a/environments/shared/group_vars/containers/app_container.yaml b/environments/shared/group_vars/containers/app_container.yaml index ca2170e..9b8650c 100644 --- a/environments/shared/group_vars/containers/app_container.yaml +++ b/environments/shared/group_vars/containers/app_container.yaml @@ -2,4 +2,4 @@ app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_pve_replication_cron_expression: "*/5" app_container_pve_ha_group_name: noncritical -app_cloudflared_package_version: \ No newline at end of file +app_container_nameserver: "{{ ipam.pihole1 }},{{ ipam.pihole2 }}" \ No newline at end of file diff --git a/environments/shared/host_vars/pve1.yaml b/environments/shared/host_vars/pve1.yaml index a50d71f..38fe84d 100644 --- a/environments/shared/host_vars/pve1.yaml +++ b/environments/shared/host_vars/pve1.yaml 
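Review bot: `app_container_nameserver: "{{ ipam.pihole1 }},{{ ipam.pihole2 }}"` makes the two Pi-hole containers the resolver for every container in the `containers` group, including the Pi-hole containers themselves, which only works because `group_vars/pihole/container.yaml` sets `app_container_nameserver: 1.1.1.1`; that override wins whether `pihole` is a child of `containers` or a same-depth sibling (it sorts later alphabetically), but the dependency deserves a one-line comment here, e.g. `# Pi-hole containers override this in group_vars/pihole so they do not resolve through themselves`. Whether the role that consumes this value accepts a comma-separated pair rather than a space-separated list is not visible in the diff — confirm against the container role before relying on the second resolver.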
@@ -5,13 +5,35 @@ ansible_hostname: "pve1{{ env.suffix }}" # GetSSL getssl_cron_renewal_hour: 16 +app_pomerium_routes: + - hostname: pve + auth_mode: public # Proxmox has its own authentication + protocol: https + target_port: 8006 + tls_upstream_server_name: "pve{{ env.suffix }}.homecentr.one" + backend: + - "{{ ipam.pve1 }}" + - "{{ ipam.pve2 }}" + - "{{ ipam.pve3 }}" + +# DNS +app_pihole_records: + - hostname: pve + type: pomerium_proxy + # Monitoring app_gatus_monitored_endpoints: - name: pve1 / ping group: Proxmox VE type: ping host: "pve1{{ env.suffix }}.homecentr.one" - - name: pve1 / http + - name: pve1 / Web UI group: Proxmox VE type: https - host: "pve1{{ env.suffix }}.homecentr.one" \ No newline at end of file + host: "pve1{{ env.suffix }}.homecentr.one" + + # Can check directly root because the site is not authenticated by pomerium + - name: Balancing proxy / Web UI + group: Proxmox VE + type: https-pomerium-proxy + host: "pve{{ env.suffix }}.homecentr.one" \ No newline at end of file diff --git a/roles/app-gatus/tasks/main.yaml b/roles/app-gatus/tasks/main.yaml index 4326b4b..49b954c 100644 --- a/roles/app-gatus/tasks/main.yaml +++ b/roles/app-gatus/tasks/main.yaml @@ -9,6 +9,7 @@ state: directory - name: Create config file + register: app_gatus_config ansible.builtin.copy: dest: /etc/gatus/config.yaml force: true @@ -20,8 +21,7 @@ force: true content: "{{ lookup('template', 'docker-compose.j2') }}" -# Gatus picks up updates in the config file by itself without the need to restart the service - name: Start docker stack community.docker.docker_compose_v2: project_src: /etc/gatus - state: "present" + state: "{{ 'restarted' if app_gatus_config.changed else 'present' }}" From dff45a6b7a1ea41e58e3a649425e9d315e0ceb68 Mon Sep 17 00:00:00 2001 
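Review bot: `auth_mode: public` on the new `pve` route puts the Proxmox login page directly behind Pomerium with no identity check at the proxy, so on the local path the only control in front of the Proxmox API/UI is Proxmox's own authentication (the new Gatus comment says as much). That may be intended, but the comment should spell out what guards the remote path — the e2e tests added later in this series sign into Cloudflare Access before reaching `pve`, which suggests that is the remote gate — e.g. `auth_mode: public # Proxmox authenticates itself (AAD realm); remote access is additionally gated by Cloudflare Access`. The route also spreads one hostname across three backends with `tls_upstream_server_name` set, so all three nodes must present a certificate valid for `pve{{ env.suffix }}.homecentr.one`, otherwise upstream verification fails only on whichever node lacks it.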
From: Lukas Holota Date: Tue, 23 Apr 2024 17:20:57 +0200 Subject: [PATCH 39/51] e2e tests working locally --- .gitignore | 3 + .../pihole}/pihole.yaml | 0 .../group_vars/cloudflared/cloudflared.yaml | 2 + .../shared/host_vars/cloudflared1.yaml | 8 +- .../shared/host_vars/cloudflared2.yaml | 2 - environments/shared/host_vars/pve1.yaml | 4 +- nightwatch.conf.js | 77 + package.json | 12 +- requirements.yml | 36 - roles/app-cloudflared/templates/config.j2 | 2 +- roles/app-gatus/templates/config.j2 | 7 +- roles/app-pomerium/templates/config.j2 | 2 +- tests/client/docker-compose.yaml | 14 + tests/environments/lab.local.env | 2 + tests/environments/prod.local.env | 2 + tests/environments/remote.env | 2 + tests/environments/secrets.lab.sops.yaml | 33 + tests/environments/secrets.prod.sops.yaml | 35 + tests/haraka-relay.spec.js | 33 + tests/nightwatch/assertions/isAadErrorPage.js | 39 + .../assertions/isAadPermissionRejectedPage.js | 14 + ...isCloudflareOrAadPermissionRejectedPage.js | 14 + ...udflareOrPomeriumPermissionRejectedPage.js | 14 + .../isCloudflarePermissionRejectedPage.js | 39 + .../isPomeriumPermissionRejectedPage.js | 39 + tests/nightwatch/commands/signIn.js | 26 + tests/nightwatch/commands/signInAsAdmin.js | 7 + tests/nightwatch/commands/signInAsNonAdmin.js | 7 + tests/nightwatch/commands/subdomain.js | 5 + tests/nightwatch/globals.js | 22 + tests/proxmox-ve-local.spec.js | 28 + tests/proxmox-ve-remote.spec.js | 24 + tools/tests.sh | 46 + yarn.lock | 1758 ++++++++++++++++- 34 files changed, 2256 insertions(+), 102 deletions(-) rename environments/prod/{host_vars => group_vars/pihole}/pihole.yaml (100%) create mode 100644 environments/shared/group_vars/cloudflared/cloudflared.yaml create mode 100644 nightwatch.conf.js delete mode 100644 requirements.yml create mode 100644 tests/client/docker-compose.yaml create mode 100644 tests/environments/lab.local.env create mode 100644 tests/environments/prod.local.env create mode 100644 tests/environments/remote.env 
create mode 100644 tests/environments/secrets.lab.sops.yaml create mode 100644 tests/environments/secrets.prod.sops.yaml create mode 100644 tests/haraka-relay.spec.js create mode 100644 tests/nightwatch/assertions/isAadErrorPage.js create mode 100644 tests/nightwatch/assertions/isAadPermissionRejectedPage.js create mode 100644 tests/nightwatch/assertions/isCloudflareOrAadPermissionRejectedPage.js create mode 100644 tests/nightwatch/assertions/isCloudflareOrPomeriumPermissionRejectedPage.js create mode 100644 tests/nightwatch/assertions/isCloudflarePermissionRejectedPage.js create mode 100644 tests/nightwatch/assertions/isPomeriumPermissionRejectedPage.js create mode 100644 tests/nightwatch/commands/signIn.js create mode 100644 tests/nightwatch/commands/signInAsAdmin.js create mode 100644 tests/nightwatch/commands/signInAsNonAdmin.js create mode 100644 tests/nightwatch/commands/subdomain.js create mode 100644 tests/nightwatch/globals.js create mode 100644 tests/proxmox-ve-local.spec.js create mode 100644 tests/proxmox-ve-remote.spec.js create mode 100755 tools/tests.sh diff --git a/.gitignore b/.gitignore index aa6faf6..7e9b485 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,6 @@ +**/tests_output +**/screenshots + *.key *.crt .images diff --git a/environments/prod/host_vars/pihole.yaml b/environments/prod/group_vars/pihole/pihole.yaml similarity index 100% rename from environments/prod/host_vars/pihole.yaml rename to environments/prod/group_vars/pihole/pihole.yaml diff --git a/environments/shared/group_vars/cloudflared/cloudflared.yaml b/environments/shared/group_vars/cloudflared/cloudflared.yaml new file mode 100644 index 0000000..d50e87b --- /dev/null +++ b/environments/shared/group_vars/cloudflared/cloudflared.yaml @@ -0,0 +1,2 @@ +app_cloudflared_package_version: 2024.4.0 +app_cloudflared_healthcheck_hostname: "tunnel-health{{ env.suffix }}.homecentr.one" \ No newline at end of file 
diff --git a/environments/shared/host_vars/cloudflared1.yaml b/environments/shared/host_vars/cloudflared1.yaml index 57f83de..ac2881d 100644 --- a/environments/shared/host_vars/cloudflared1.yaml +++ b/environments/shared/host_vars/cloudflared1.yaml @@ -15,5 +15,9 @@ app_container_pve_ha_group_name: critical-priority-pve1 app_container_pve_replication_nodes: - pve2 -app_cloudflared_package_version: 2024.4.0 -app_cloudflared_healthcheck_hostname: "tunnel-health{{ env.suffix }}.homecentr.one" \ No newline at end of file +app_gatus_monitored_endpoints: + - name: Cloudflare Tunnel + group: Cloudflared + type: https + dns_resolver: tcp://1.1.1.1:53 + host: "tunnel-health{{ env.suffix }}.homecentr.one" \ No newline at end of file diff --git a/environments/shared/host_vars/cloudflared2.yaml b/environments/shared/host_vars/cloudflared2.yaml index f4934df..7650109 100644 --- a/environments/shared/host_vars/cloudflared2.yaml +++ b/environments/shared/host_vars/cloudflared2.yaml @@ -14,5 +14,3 @@ app_container_pve_node: pve2 app_container_pve_ha_group_name: critical-priority-pve2 app_container_pve_replication_nodes: - pve1 - -app_cloudflared_package_version: 2024.4.0 \ No newline at end of file diff --git a/environments/shared/host_vars/pve1.yaml b/environments/shared/host_vars/pve1.yaml index 38fe84d..b11b126 100644 --- a/environments/shared/host_vars/pve1.yaml +++ b/environments/shared/host_vars/pve1.yaml @@ -6,7 +6,7 @@ ansible_hostname: "pve1{{ env.suffix }}" getssl_cron_renewal_hour: 16 app_pomerium_routes: - - hostname: pve + - hostname: "pve{{ env.suffix }}" auth_mode: public # Proxmox has its own authentication protocol: https target_port: 8006 @@ -18,7 +18,7 @@ app_pomerium_routes: # DNS app_pihole_records: - - hostname: pve + - hostname: "pve{{ env.suffix }}" type: pomerium_proxy # Monitoring diff --git a/nightwatch.conf.js b/nightwatch.conf.js new file mode 100644 index 0000000..79cc583 --- /dev/null +++ b/nightwatch.conf.js 
@@ -0,0 +1,77 @@ +module.exports = { + src_folders: ['tests'], + filter : "**/*.spec.js", + exclude : ["tests/client", "tests/nightwatch", "tests/test_output"], + custom_commands_path: ['tests/nightwatch/commands'], + custom_assertions_path: ['tests/nightwatch/assertions'], + plugins: [], + globals_path: 'tests/nightwatch/globals.js', + output_folder: 'tests/tests_output', + screenshots : { + enabled : true, + on_failure : true, + on_error : false, + path : "tests/screenshots" + } + + webdriver: {}, + + test_workers: { + enabled: true + }, + + test_settings: { + default: { + globals: { + waitForConditionTimeout: 30000, + waitForConditionPollInterval: 500 + }, + persist_globals: true, + screenshots: { + enabled: "${SCREENSHOTS_ENABLED}", + on_failure: "${SCREENSHOTS_ENABLED}", + path: "screenshots" + }, + selenium_port: "${WEBDRIVER_PORT}", + selenium_host: "${WEBDRIVER_HOST}", + desiredCapabilities: { + browserName: "chrome", + javascriptEnabled: true, + acceptSslCerts: true, + acceptInsecureCerts: true + } + }, + "local:lab": { + globals: { + domainSuffix: "-lab.homecentr.one", + secretsFile: "secrets.lab.sops.yaml", + envFile: "lab.local.env", + isRemote: false + } + }, + "remote:lab": { + globals: { + domainSuffix: "-lab.homecentr.one", + secretsFile: "secrets.lab.sops.yaml", + envFile: "remote.env", + isRemote: true + } + }, + "local:prod": { + globals: { + domainSuffix: ".homecentr.one", + secretsFile: "secrets.prod.sops.yaml", + envFile: "prod.local.env", + isRemote: false + } + }, + "remote:prod": { + globals: { + domainSuffix: ".homecentr.one", + secretsFile: "secrets.prod.sops.yaml", + envFile: "remote.env", + isRemote: true + } + } + } +}; \ No newline at end of file diff --git a/package.json b/package.json index c7b2658..95b2389 100644 --- a/package.json +++ b/package.json 
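Review bot: `acceptSslCerts: true` and `acceptInsecureCerts: true` in `desiredCapabilities` make the test browser trust any certificate, so this suite can never catch an expired, wrong-host or replaced certificate on the `*.homecentr.one` endpoints — exactly the regression an e2e run against real infrastructure should surface. Drop both flags, or confine them to the `local:*` settings with a comment if the lab genuinely serves self-signed certificates. The top-level `screenshots : { ... }` object also appears to lack a trailing comma before `webdriver: {}`, which would be a syntax error when the config is required (unless the comma was lost in rendering); that object is shadowed by `test_settings.default.screenshots` anyway and could simply be removed.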
@@ -11,11 +11,19 @@ "lab:clear-keys": "./tools/clearkeys.sh", "lab:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh lab proxmox/nodes -u root -e ansible_user=root --tags init -k", "lab:apply": "./tools/apply.sh lab", + "lab:test:local": "./tools/tests.sh 'lab.local' ./tests --skiptags remoteonly -e local:lab --suiteRetries 3", + "lab:test:remote": "", "prod:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh prod proxmox/nodes -u root -e ansible_user=root --tags init -k", "prod:apply": "./tools/apply.sh prod", "validate-values": "node ./tools/validations.js" }, "devDependencies": { - "@homecentr/yaml-diff": "1.1.7" + "@homecentr/yaml-diff": "1.1.7", + "dotenv": "^16.4.5", + "env-cmd": "^10.1.0", + "nightwatch": "^3.6.1" + }, + "dependencies": { + "nodemailer": "^6.9.13" } -} \ No newline at end of file +} diff --git a/requirements.yml b/requirements.yml deleted file mode 100644 index aa1d450..0000000 --- a/requirements.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -collections: - - name: ansible.posix - version: 1.4.0 - - name: ansible.utils - version: 2.7.0 - - name: oasis_roles.system - - name: community.general - version: 6.3.0 - - name: gluster.gluster - version: 1.0.2 - - name: kubernetes.core - version: 2.3.2 - - name: community.crypto - version: 2.5.0 - - name: community.sops - version: 1.6.0 - - name: https://github.com/homecentr/ansible-collection-system - type: git - version: master - - name: https://github.com/homecentr/ansible-collection-proxmox - type: git - version: master - -roles: - - name: geerlingguy.pip - version: 2.2.0 - - name: geerlingguy.security - version: 2.2.0 - - name: geerlingguy.clamav - - name: geerlingguy.helm - version: 1.0.1 - - name: geerlingguy.node_exporter - version: 2.0.0 - - name: lablabs.rke2 - version: 1.28.0 \ No newline at end of file diff --git a/roles/app-cloudflared/templates/config.j2 b/roles/app-cloudflared/templates/config.j2 index 2c12d5d..1daa90c 100644 --- a/roles/app-cloudflared/templates/config.j2 
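Review bot: `tests/nightwatch/globals.js` in this same patch does `require('sops-wrapper')`, but the `devDependencies` added here are only `dotenv`, `env-cmd` and `nightwatch`, so a clean `yarn install` will not provide the secrets loader and the suite only runs where that package happens to be installed; declare it next to the others, e.g. `"sops-wrapper": "<pinned version>"`. For a toolchain that decrypts admin credentials, exact versions rather than `^` ranges keep the lockfile the single source of truth. `"lab:test:remote": ""` is an empty script that `yarn` runs as a silent no-op success; fill it in or remove it.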
+++ b/roles/app-cloudflared/templates/config.j2 @@ -10,6 +10,6 @@ ingress: {% endfor %} - hostname: {{ app_cloudflared_healthcheck_hostname }} - service: http_status: 204 + service: http_status:204 - service: http_status:404 \ No newline at end of file diff --git a/roles/app-gatus/templates/config.j2 b/roles/app-gatus/templates/config.j2 index c17071c..15e674f 100644 --- a/roles/app-gatus/templates/config.j2 +++ b/roles/app-gatus/templates/config.j2 @@ -12,10 +12,13 @@ endpoints: group: {{ endpoint.group }} {% endif %} interval: {{ endpoint.interval | default('30s') }} -{% if endpoint.insecure | default(false) == true %} client: +{% if endpoint.insecure | default(false) == true %} insecure: true {% endif %} +{% if endpoint.dns_resolver | default('') != '' %} + dns-resolver: {{ endpoint.dns_resolver }} +{% endif %} {% if endpoint.type == "ping" %} url: "icmp://{{ endpoint.host | default(hostvars[host].ansible_host) }}" conditions: @@ -64,7 +67,7 @@ endpoints: url: starttls://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port }} conditions: - "[CONNECTED] == true" -# - "[CERTIFICATE_EXPIRATION] > 48h" + - "[CERTIFICATE_EXPIRATION] > 48h" {% endif %} {% endfor %} diff --git a/roles/app-pomerium/templates/config.j2 b/roles/app-pomerium/templates/config.j2 index a783aac..04a16f5 100644 --- a/roles/app-pomerium/templates/config.j2 +++ b/roles/app-pomerium/templates/config.j2 @@ -21,7 +21,7 @@ routes: {% for host in groups['all'] %} {% for route in hostvars[host].app_pomerium_routes | default([]) %} - from: https://{{ route.hostname }}.{{ domain }} - tls_skip_verify: {{ route.tls_skip_verify | default(false) }} + tls_skip_verify: {{ 'true' if route.tls_skip_verify | default(false) else 'false' }} {% if route.backend | default(none) is none %} to: {{ route.protocol | default("http") }}://{{ hostvars[host].ansible_host }}:{{ route.target_port | default(80) }} {% elif route.backend is string %} 
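Review bot: Moving `client:` outside the `{% if endpoint.insecure %}` guard means an endpoint with neither `insecure` nor `dns_resolver` now renders a bare `client:` with no children, i.e. a YAML null; Gatus probably tolerates a null client block and applies its defaults, but that should be confirmed, and it is cleaner to wrap the `client:` line in `{% if endpoint.insecure | default(false) == true or endpoint.dns_resolver | default('') != '' %}`. Re-enabling `[CERTIFICATE_EXPIRATION] > 48h` on the starttls checks is the right move; if the `https` branch (outside this hunk) does not already carry the same condition, adding it there gives the Proxmox and tunnel endpoints the same early warning.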
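Review bot: The new `tls_skip_verify` rendering fixes the Jinja-boolean-to-YAML case but still disables upstream certificate verification for any route that sets it, with nothing prompting the author to justify it; since pve1's route in this series shows `tls_upstream_server_name` works, a comment next to this line such as `# prefer tls_upstream_server_name over tls_skip_verify; skipping verification exposes the proxy-to-backend hop to MITM` would steer future routes. Note also that `route.tls_skip_verify | default(false)` treats a quoted string `"false"` as truthy and would render `true`, so the value must be a real YAML boolean in host_vars.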
diff --git a/tests/client/docker-compose.yaml b/tests/client/docker-compose.yaml
new file mode 100644
index 0000000..eba470a
--- /dev/null
+++ b/tests/client/docker-compose.yaml
@@ -0,0 +1,14 @@
+services:
+ chrome:
+ image: selenium/standalone-chrome
+ ports:
+ - 4444:4444
+ - 7900:7900
+ shm_size: 4g
+ environment:
+ VNC_NO_PASSWORD: 1
+ SE_OPTS: "--log-level FINE"
+ DBUS_SESSION_BUS_ADDRESS: /dev/null
+ dns:
+ - ${DNS1}
+ - ${DNS2}
\ No newline at end of file
diff --git a/tests/environments/lab.local.env b/tests/environments/lab.local.env
new file mode 100644
index 0000000..b513ed4
--- /dev/null
+++ b/tests/environments/lab.local.env
@@ -0,0 +1,2 @@
+DNS1=10.1.8.64
+DNS2=10.1.8.65
diff --git a/tests/environments/prod.local.env b/tests/environments/prod.local.env
new file mode 100644
index 0000000..1bf0d2f
--- /dev/null
+++ b/tests/environments/prod.local.env
@@ -0,0 +1,2 @@
+DNS1=10.1.2.64
+DNS2=10.1.2.65
diff --git a/tests/environments/remote.env b/tests/environments/remote.env
new file mode 100644
index 0000000..7f4b206
--- /dev/null
+++ b/tests/environments/remote.env
@@ -0,0 +1,2 @@
+DNS1=1.1.1.1
+DNS2=1.0.0.1
\ No newline at end of file
diff --git a/tests/environments/secrets.lab.sops.yaml b/tests/environments/secrets.lab.sops.yaml
new file mode 100644
index 0000000..454dac2
--- /dev/null
+++ b/tests/environments/secrets.lab.sops.yaml
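Review bot: The Selenium container publishes `4444:4444` and `7900:7900` on every host interface with `VNC_NO_PASSWORD: 1`, so anyone on the same network can watch the noVNC session or drive the WebDriver while it holds a live admin session for Proxmox, AAD and Cloudflare Access established with the SOPS-held credentials. Bind both ports to loopback — `- "127.0.0.1:4444:4444"` and `- "127.0.0.1:7900:7900"` — and drop `VNC_NO_PASSWORD` (or set a VNC password) unless the view is deliberately shared. Quoting the port mappings also sidesteps YAML 1.1's base-60 parsing of `a:b` values whose parts are below 60, should these ever change.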
@@ -0,0 +1,33 @@ +admin_user_email: ENC[AES256_GCM,data:nFgSJ1NZ/x+J+GmR11WQalWiAkBzAc8bELDzN0S2+qK5Q4o9Bk8=,iv:cOcmvNvCzg2N58WGPrgG/h82lZmkSaQqylVFF+OtoE0=,tag:lwt+RVFICgizF1GunDAZQw==,type:str] +admin_user_password: ENC[AES256_GCM,data:2MDBS89tGg3KoI+x/xlDIYVR/s2PbC+3BsCtCxznrV+KYMBMZggv6Bp8/5pDhtP9kaP1RrbRJw==,iv:0jkbg2SJ168Bc2vRJpelyJkPmajoP0vB7xSgqPMmPGM=,tag:toLFBDOZQeov8/nhuw/bmA==,type:str] +admin_user_totp_secret: ENC[AES256_GCM,data:RYs4wfs9J6Woc7FNnlO98Q==,iv:6hNiQEp/anTdA9EaApZip913s/aGPMHxTeMrhEkocxk=,tag:dL9fCev2q2XgBh225nS+iw==,type:str] +nonadmin_user_email: ENC[AES256_GCM,data:936vJ4eDLxFH/KF5/AchAe34andA4aZN1au50hLJ/e+tbVh5dkY1uL75,iv:jYpCZ4UH4UsOfeGzECnOrpiW8lDM7E8RKP8nAZhynQk=,tag:EWUKg3SHBfFYzoGWJzlMzQ==,type:str] +nonadmin_user_password: ENC[AES256_GCM,data:ZIpvNOA1bvlxFSpQ6v8YWHWOHcQvitJBRsSxy/WNfh2f0KfwY4pNIbZmecXRwUpidclzu6HlQA==,iv:5ijqvWgeXSgtuKtfVqpY2LlYBkQypWwZBgPHX7N5mAA=,tag:wHQY33HC6Z0aTdX0tEbJ0w==,type:str] +nonadmin_user_totp_secret: ENC[AES256_GCM,data:HC9qMizk0zO4hdTQCUuXZA==,iv:bFlDRAJS9jx6znPajcxFnfRHsl9p+IUoDRxFePCmfSk=,tag:I6YU4e3MzOB1d61/U1FeXA==,type:str] +smtp_relay_username: ENC[AES256_GCM,data:U1Lt,iv:CxxGRI6gvghpSv9RwvjTXsm+76ePMMdCvcORex0cDCQ=,tag:FvWDwmm0j/juum9B4MDQFw==,type:str] +smtp_relay_password: ENC[AES256_GCM,data:C2hNgECf+DlAGF3RmF7FHqeg3l0=,iv:X2xGjQ+G/Y/Brwj6nZBZg0NbBAM1gDzeEePTc9/uXfQ=,tag:35xEfngNMExm0Qn0E/0qWg==,type:str] +smtp_relay_sender: ENC[AES256_GCM,data:OzeYoX08FwmELYuRoELct8g=,iv:Jo9Oq0QqvEEMJkOWB0xFSlY01sS+UVPslCZtk6Bp3m4=,tag:ND5gTv+oZ2oZ63g0ebCw6Q==,type:str] +smtp_relay_recipient: ENC[AES256_GCM,data:SKfBSaKsffNCDFtt0DHafVQ=,iv:bc4IUIr9t0xPU8kZkcrWdzYfk+2zVEMPXoSTpBD5XbY=,tag:D5Vhfl21r8ItOw8Z2jVdzA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5KzFmVVJaT3JMcDAweWhB + 
WmlMdlpSbDdWV3k4YWg1WE93UHpOMStDTUFzCmN4WEhaN3RYMlYvOVFIYldkOGxP + VmI3Q1lhaVpYQXpwcE9ZSzBpblRna00KLS0tIEQvZDlkZ1pnOW95WlMyQzhIMUR5 + WlFYaW9naGM5RURrblp6dXZ3NUtscTgKjSZPu9KB7hK1sO5kq4CbyA1kh9P51FRQ + Hoqk2ZelOzAn/oTNI6hfUQ5hp8n9OAr19kXet4DOXej1LLF2Pb5qpA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-23T15:16:27Z" + mac: ENC[AES256_GCM,data:Nu5Azf+5B5eQfeLvb70uuoLYiIFICLQRJqf508cyS3eOugay55q0OrcdzqF6XYwqBXY3IEN7PK/55LbRo19zxWTSpamtjI5cMtck5yXEc+G9z4/fRGjmQNrSVeW5k7WcjfFk+yW1g62wIKyM+18TVvsLt6+RiNGKMf7dWaUwuG8=,iv:0nAP6EMWo617uok1sbl5OH1g/snWUQPdxQFxFtBDP2A=,tag:ioWp9DPuzkTK75k6DWgm2g==,type:str] + pgp: + - created_at: "2023-05-22T15:44:10Z" + enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CARAAjCHbw0aHusUPjQeR3d7sWTY9cVV3krshzHUeMtbPtkLQ\r\nb/2rEM37/kXF2iB64sa0xVukWOglfPa4+irrEYwv6eqJ2avrhOvWYZq3c/9N9sUP\r\nNoYYWr5jkF9hxLiqjjdAs1bNQY4vMbWnt3v7UWw+kYoEa/RJBsS0UtvOcZZQor1L\r\nGT7gqyD/Izt7ta2WGuWsUqiTadnNLBCDU6P/KcCJpUUKnyoYyq0UcyZm5IspUbFG\r\nxCc3trt62mvydypWJICWPFsEpfM0bg01DKpz4qHjiGNurHKaYw9Ct9aO+bQW7akD\r\n5lGrPeZm06NTOxbtlp10Znch30EUBBojKp/KABtj9jI+uj26Czdmb9H7N9FfapMy\r\nk3ghAYwHgQCYWg6/dRAxHCa0OkMOjsl9y4dUhG0nnKOVIyX8VRXiaVDAtExcvmDx\r\nNl3kAq6C5PXD3ZI2chuDdEvqkShPJuY8hGPrL5oENIOWCBZjc6mAUFnh9Oo9Lx1K\r\ntpn3uzx7m1ctAIQ8Z6P4EV/hs9YnWvRBKJelHnFU/Nvb44bzql+BQMn+kyiwvYND\r\nBWo8jWvpQz0AVVLacM0sCLQrgVUAogP2fXNjT2gU7o3ApYE7+8LRIvsIEUPR6El8\r\nxzOK7fd6szwI0jb7xrUEZZJiXurvPGfnUTYRSmmLewtKGCq0tdJP9lUsYsdtWe3S\r\nXgGJ8V+cJA6fznNTtVPTILEgxoP9MJRsbtJz/GJnVLCKl+2ZzFLcaBazPkjjsqbW\r\navcg39zbA0EImVH1GX1ehMj9ArviUPQIO3TREUSXqvEGglHpngF9ZUHlwIUEip0=\r\n=W3XR\r\n-----END PGP MESSAGE-----\r\n" + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/tests/environments/secrets.prod.sops.yaml b/tests/environments/secrets.prod.sops.yaml new file mode 100644 index 0000000..60a2756 --- /dev/null +++ b/tests/environments/secrets.prod.sops.yaml 
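Review bot: This file stores `admin_user_totp_secret` next to `admin_user_password`, so any holder of the listed age or PGP key can fully authenticate as the lab admin — the second factor has been folded into the first. Prefer a dedicated low-privilege automation identity per environment over the real admin account, and add a comment above the keys saying which identity this is and where it is allowed to sign in, e.g. `# admin_user_*: dedicated e2e admin account; rotate whenever a key holder changes`. SOPS keeps the key names in clear text, which is fine here, but it means the presence of a TOTP seed in the repository is visible to anyone with read access.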
@@ -0,0 +1,35 @@ +admin_user_email: ENC[AES256_GCM,data:DJ+yYqHT+sNqWIG7VC80ysUYAV8GfsA8wnZsbCz/Og/t45A=,iv:mCEivfSPxoF8v44g/yJsS3FSb4Fz/AsvIbIgbFyyypo=,tag:M4Hlan03EXJm8TlE6Iq6WQ==,type:str] +admin_user_password: ENC[AES256_GCM,data:9UWNFCgxBtUtySf1SgE5/0abCY2zPFMCAjGS5+POn98Lt7ymxoDWogF3ZpgoCnCRxbs5iDwGdQ==,iv:An5jYrjQmZc6edD0cXVCehVVRa4++hL4cdR8jqb8blw=,tag:o8JpRJ1caGZHfNJi5pO2qg==,type:str] +admin_user_totp_secret: ENC[AES256_GCM,data:KUA9MRIHJh7DGDcUnWst7g==,iv:EIX0JD/7dQxP2UmU803FoioI5IhQiFgNUPQiD6TO8bY=,tag:9lJyRMRhz94iMutJddtGEg==,type:str] +nonadmin_user_email: ENC[AES256_GCM,data:CuO0R0QIiBSrQk50QMQdSEwAQgvFUSemhbx+mEbo7s+PQsIyWpWf,iv:RBwaGgWUApORtNM0aiKeJLYv2Af42VGVN+9WGfQjLVo=,tag:Id6jX0XVoUgLgOaoHnblfQ==,type:str] +nonadmin_user_password: ENC[AES256_GCM,data:Hhjjv6E3wZLe5siwyJ0mQmcWv3S7SjyxFN/+T3E9yZW0evScOqa3CV3jpmyZbssxld1cNkNXww==,iv:dp9bpUXduLc3QKYvTpqN0MxZtqoL1dWCLoXVMLW6wQc=,tag:NqTd66IoRCrOrhxf9x61kA==,type:str] +nonadmin_user_totp_secret: ENC[AES256_GCM,data:YUQ39S4VG65PdNAiLFKqiQ==,iv:Hpnbhwd6GVzLj3Pzd/wC/dYPL0xsaOeysEKzCnFxhH0=,tag:5ByyFMsEMydwJksluroX+w==,type:str] +smtp_relay_host: ENC[AES256_GCM,data:G+0RfS0sV909kw==,iv:w+Uml/zgZcwrJILgJQSJSIPG3/jHLTPWNbHHvasRE8E=,tag:jrQucPUtIVJaxK/2Pe/sBQ==,type:str] +smtp_relay_servername: ENC[AES256_GCM,data:YL/N7nwQb2dY1nojinltLLpd,iv:0xTv+70OCzU7YzIn+ZucliKqo4DR343R1HyoWNL/ZlE=,tag:WbWXJkPxVFnTKe3b/oQC4w==,type:str] +smtp_relay_username: ENC[AES256_GCM,data:R2r4,iv:jKhS9MZuUO+VbzbOE0tp3qTaQf5kPiSXxUbB6fr7SqU=,tag:/1BtdD/bQiX9t3CpyXUzbQ==,type:str] +smtp_relay_password: ENC[AES256_GCM,data:2eViWnQg2EurGFYklEpJZQZZ3u0=,iv:55UoizyY8XrhwmX21//nwO1P7eTmOSRJywZvQetonk8=,tag:ESsW7j9819VZZLeJrG3wRw==,type:str] +smtp_relay_sender: ENC[AES256_GCM,data:dVV3vJrxCPInq8QBDe+2wtQ=,iv:7iRCL4Oc2yhFs8wfkFeI2p7AWwzAm1OpWc6zdYOiO8I=,tag:2wVMn5xcUnixEp/l5K37BQ==,type:str] +smtp_relay_recipient: 
ENC[AES256_GCM,data:BV4M2vNuaolyQNiwGKmg4PY=,iv:+5VTH3LDRomFuDPlY3V/iuiYBNUEKuXbA4Kgcb2tvFk=,tag:4Oyo1hPmhaRlJwCBxHG6Qg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RWwzVklFb3BRcXl3QUQ0 + bE9xS0t2SkxrZEVYV2dXMG51WVF1Y2NWZnhvCnpFeCt6MUNJblFCZThLWUNuaDZT + RzBMQnVsa1dhMTIyb1NGeHYyVXNTT1EKLS0tIHlQNjJ5L09DNUdRL0lHd1dGSVFl + YWkvd0FBK0pNMi9GNmdJbXlYT2IzaTQKNsbrKyhgigstwQ+KmnyAV0WZWti6h08J + nEBh6LSBWnXANr8vwKv9URTh7Sf40m9pyrfBT38SVk0KMgMwItDeaQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-08T10:05:32Z" + mac: ENC[AES256_GCM,data:53JGIWp3liZw4U6qPt+oLw4SE5ErEbm0z7E1EEhA9lW7noSTaMFrJwvurJS0rSvmyvXgy9btbBrpz6xDuHVs2UggqyObpkMwwYzhdGJhbvDd+O9qVFqQbJjzNruxS366IIGg+H0uxY7IFx5ivCd0RFoeUoWFUm+GiWp0GbyLvdw=,iv:xohKU4JFhtlf/YRDEBLEckK0mmpEx2wAFmFERBTOrww=,tag:F8ay6GgATyZI4gBX89xVNA==,type:str] + pgp: + - created_at: "2023-06-06T22:06:37Z" + enc: "-----BEGIN PGP 
MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//cdCjtQMCmtmLZTCKt26NMpe37d7xbuCEUVyTQ3MWM8ov\r\n99LBw9qb7JcI03Tz8Tc44jSIciFnhXdWa2c2XZGovMva0D9D0f0DvioL+uRqFDVO\r\nZjLzInCkJM0WGYJW/ae8SPNcy/8FN8yIOzlPxtl9t8oNhLIg28R9zZPvYgVmsoOh\r\nh38P+32lsaDc44LEN8dTEigRcSvqgntLyrnWkTJZby86SD0ijQgWvLJCbLKmta0B\r\noBDR2ZOffyAVPANAHOAGOY2V/4O3O3v6wli8suWrIPTY35JZ6Lk+TxRkub4T4lGg\r\nFAihOUtJ1XF6k7d5Qo0QR1aSKHPfW8/+oxnD0TwjcY7I0V6BnVcB9jI/2PbvrNJj\r\nc2E6qaObJrRy2YHojhxwHNl64XLbMv/3JtkCldeVANwLr+NF2bGa73neSVsGCkfQ\r\nF+cC6gH5JXikWRU+Yf3vmkfF99Q4oleceeAGTNGdKopknHf0wLUrZLb7sm3p8mqm\r\n/ZbgG0BbOn7J4GBXxuQpcgUPekiOi1AUBSUuYD6xqbaVgOLYKKlUGWo+UWD7IdIp\r\nu2XU56CYzPgKX7/HcgvpmAorU3xtdRLEQTmsrOQNpiADtgJukJPwZBmGxt8z94vE\r\ndM1j6mj4tOopZt2TGWl6WuSJUnZngPgqzEIEN3rSyHsPjKsvGu4+SOvzlYaMTk3S\r\nXgHJygIiNSTHrHPdIUQbYlbLXRbS71ZzGfUgmjVm6izsI2KqbA7KfniOJtjAPgNK\r\n9UIz9uOvKsuGTH83ARe0Z5USzWYPmJP8IwodBEsowHRpI/pfbIMJ1tcrGJws9ZM=\r\n=V1Ee\r\n-----END PGP MESSAGE-----\r\n" + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/tests/haraka-relay.spec.js b/tests/haraka-relay.spec.js new file mode 100644 index 0000000..c24aa42 --- /dev/null +++ b/tests/haraka-relay.spec.js 
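Review bot: The prod test secrets are encrypted to exactly the same age recipient and PGP fingerprint as the lab file, so there is no key separation between environments — whoever can decrypt lab e2e credentials can also decrypt the prod admin password and TOTP seed. If lab access is meant to be broader (CI runners, more people), give prod its own recipient set via a `.sops.yaml` creation rule and re-encrypt with `sops updatekeys`. The file also reports `version: 3.7.3` and a `lastmodified` from November 2023 against `3.8.1` in the lab file, consistent with ciphertext that predates this commit; re-encrypting now would bring it in line.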
@@ -0,0 +1,33 @@ +const nodemailer = require("nodemailer"); +const dnsPromises = require("dns").promises + +describe('Mailrelay when accessed locally should', async () => { + this.tags = ["localonly"] + + it('Send e-mail', async (browser) => { + const smtpHostname = `smtp${browser.globals.domainSuffix}` + const smtpIp = await dnsPromises.resolve(smtpHostname, "A") + + const transport = nodemailer.createTransport({ + host: smtpIp[0], + port: 25, + auth: { + user: browser.globals.smtp_relay_username, + pass: browser.globals.smtp_relay_password + }, + tls: { + // Server has only domain in certificate and we are using a direct ip to skip dns resolution + servername: smtpHostname + } + }); + + const receipt = await transport.sendMail({ + from: browser.globals.smtp_relay_sender, + to: browser.globals.smtp_relay_recipient, + subject: "E2E test ✔", + text: "Hello, world!" + }); + + expect(receipt.accepted.length).to.be.equal(1) + }); +}); \ No newline at end of file diff --git a/tests/nightwatch/assertions/isAadErrorPage.js b/tests/nightwatch/assertions/isAadErrorPage.js new file mode 100644 index 0000000..d7b2889 --- /dev/null +++ b/tests/nightwatch/assertions/isAadErrorPage.js 
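Review bot: `nodemailer.createTransport` is given `port: 25` with `auth` but no `requireTLS: true`, so if the relay does not advertise STARTTLS (or a hop strips it) nodemailer falls back to sending the relay username and password in clear text instead of failing; for a test meant to prove the relay works securely, add `requireTLS: true` (and `secure: false` explicitly) so a downgrade fails the test. `smtpIp[0]` will throw an unhelpful error if `dns.resolve` returns an empty array; an `expect(smtpIp).to.not.be.empty` before building the transport makes DNS failures readable. `describe('…', async () => { this.tags = … })` uses an arrow function, so `this` is the module scope rather than the suite object — worth confirming the `localonly` tag actually takes effect, since the `--skiptags` filter in package.json depends on it.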
@@ -0,0 +1,39 @@ +const reusable = function (context, errorCode) { + context.formatMessage = () => { + const message = `Checking if the page ${this.negate ? 'doesn\'t indicate' : 'indicates'} AAD error code %s`; + + return { + message, + args: [`'${errorCode}'`] + } + }; + + context.expected = () => { + return errorCode + } + + context.value = function (result) { + return result.value; + }; + + context.failure = function (result) { + return !result; + }; + + context.evaluate = function (value) { + return value && value.startsWith(this.expected()) + }; + + context.command = async function (callback) { + this.api.getText("#exceptionMessageContainer", callback) + }; +}; + +const assertion = function (errorCode) { + reusable(this, errorCode) +}; + +module.exports = { + reusable, + assertion +} \ No newline at end of file diff --git a/tests/nightwatch/assertions/isAadPermissionRejectedPage.js b/tests/nightwatch/assertions/isAadPermissionRejectedPage.js new file mode 100644 index 0000000..de66ced --- /dev/null +++ b/tests/nightwatch/assertions/isAadPermissionRejectedPage.js @@ -0,0 +1,14 @@ +const isAadErrorPage = require("./isAadErrorPage") + +const reusable = function (context) { + isAadErrorPage.reusable(context, "AADSTS50105") +} + +const assertion = function () { + reusable(this) +}; + +module.exports = { + reusable, + assertion +} \ No newline at end of file diff --git a/tests/nightwatch/assertions/isCloudflareOrAadPermissionRejectedPage.js b/tests/nightwatch/assertions/isCloudflareOrAadPermissionRejectedPage.js new file mode 100644 index 0000000..7e49643 --- /dev/null +++ b/tests/nightwatch/assertions/isCloudflareOrAadPermissionRejectedPage.js 
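Review bot: Inside `reusable`, `formatMessage` is an arrow function, so `this.negate` resolves to `reusable`'s own `this` (the global object when called as `reusable(this, errorCode)`) rather than the assertion instance, and the message will never read "doesn't indicate" for a negated assertion. Use the `context` parameter consistently — replace `this.negate` with `context.negate` in the template string. The same pattern appears in the Cloudflare and Pomerium assertions added later in this patch and should be fixed there too.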
@@ -0,0 +1,14 @@ +const isAadPermissionRejectedPage = require("./isAadPermissionRejectedPage") +const isCloudflarePermissionRejectedPage = require("./isCloudflarePermissionRejectedPage") + +const assertion = function () { + if (this.__nightwatchInstance.settings.globals.isRemote) { + isCloudflarePermissionRejectedPage.reusable(this) + } else { + isAadPermissionRejectedPage.reusable(this) + } +} + +module.exports = { + assertion +} \ No newline at end of file diff --git a/tests/nightwatch/assertions/isCloudflareOrPomeriumPermissionRejectedPage.js b/tests/nightwatch/assertions/isCloudflareOrPomeriumPermissionRejectedPage.js new file mode 100644 index 0000000..b5b5b49 --- /dev/null +++ b/tests/nightwatch/assertions/isCloudflareOrPomeriumPermissionRejectedPage.js @@ -0,0 +1,14 @@ +const isPomeriumPermissionRejectedPage = require("./isPomeriumPermissionRejectedPage") +const isCloudflarePermissionRejectedPage = require("./isCloudflarePermissionRejectedPage") + +const assertion = function () { + if (this.__nightwatchInstance.settings.globals.isRemote) { + isCloudflarePermissionRejectedPage.reusable(this) + } else { + isPomeriumPermissionRejectedPage.reusable(this) + } +} + +module.exports = { + assertion +} \ No newline at end of file diff --git a/tests/nightwatch/assertions/isCloudflarePermissionRejectedPage.js b/tests/nightwatch/assertions/isCloudflarePermissionRejectedPage.js new file mode 100644 index 0000000..5192bd3 --- /dev/null +++ b/tests/nightwatch/assertions/isCloudflarePermissionRejectedPage.js 
@@ -0,0 +1,39 @@ +const reusable = function (context) { + context.formatMessage = () => { + const message = `Checking if the page ${this.negate ? 'doesn\'t indicate' : 'indicates'} cloudflare permission rejected`; + + return { + message, + args: [] + } + }; + + context.expected = () => { + return "That account does not have access." + } + + context.value = function (result) { + return result.value; + }; + + context.failure = function (result) { + return !result; + }; + + context.evaluate = function (value) { + return value && value.startsWith(this.expected()) + }; + + context.command = async function (callback) { + this.api.getText("div.AuthBox-messages", callback) + }; +}; + +const assertion = function () { + reusable(this) +}; + +module.exports = { + reusable, + assertion +} \ No newline at end of file diff --git a/tests/nightwatch/assertions/isPomeriumPermissionRejectedPage.js b/tests/nightwatch/assertions/isPomeriumPermissionRejectedPage.js new file mode 100644 index 0000000..ca69570 --- /dev/null +++ b/tests/nightwatch/assertions/isPomeriumPermissionRejectedPage.js @@ -0,0 +1,39 @@ +const reusable = function (context) { + context.formatMessage = () => { + const message = `Checking if the page ${this.negate ? 'doesn\'t indicate' : 'indicates'} Pomerium permission rejected`; + + return { + message, + args: [] + } + }; + + context.expected = () => { + return "403 Forbidden" + } + + context.value = function (result) { + return result.value; + }; + + context.failure = function (result) { + return !result; + }; + + context.evaluate = function (value) { + return value && value.startsWith(this.expected()) + }; + + context.command = async function (callback) { + this.api.getText("div[role=alert]", callback) + }; +}; + +const assertion = function () { + reusable(this) +}; + +module.exports = { + reusable, + assertion +} \ No newline at end of file 
diff --git a/tests/nightwatch/commands/signIn.js b/tests/nightwatch/commands/signIn.js
new file mode 100644
index 0000000..6449d93
--- /dev/null
+++ b/tests/nightwatch/commands/signIn.js
@@ -0,0 +1,26 @@
+module.exports = {
+ command: function (email, password) {
+ return this
+ // E-mail
+ .setValue("input[type=email]", email)
+ .click('input[type=submit]')
+
+ // Password
+ .waitForElementVisible("css selector", "input[type=password].form-control") // Checking the e-mail may take a few seconds
+ .setValue("input[type=password].form-control", password)
+ .click("input[value='Sign in']")
+ // Wait for the Sign in button to disappear
+ .waitForElementNotPresent("input[value='Sign in']", 2000)
+ // Check whether the "Stay signed in?" page was shown
+ .isPresent({
+ suppressNotFoundErrors: true,
+ selector: "input[type=button][value=No]",
+ timeout: 1000
+ },
+ result => {
+ if (result.status > -1) {
+ this.click("input[type=button][value=No]")
+ }
+ })
+ }
+}
\ No newline at end of file
diff --git a/tests/nightwatch/commands/signInAsAdmin.js b/tests/nightwatch/commands/signInAsAdmin.js
new file mode 100644
index 0000000..3cb6363
--- /dev/null
+++ b/tests/nightwatch/commands/signInAsAdmin.js
@@ -0,0 +1,7 @@
+module.exports = {
+ command: function () {
+ return this.signIn(
+ this.globals.admin_user_email,
+ this.globals.admin_user_password)
+ }
+}
\ No newline at end of file
diff --git a/tests/nightwatch/commands/signInAsNonAdmin.js b/tests/nightwatch/commands/signInAsNonAdmin.js
new file mode 100644
index 0000000..b7247c6
--- /dev/null
+++ b/tests/nightwatch/commands/signInAsNonAdmin.js
@@ -0,0 +1,7 @@
+module.exports = {
+ command: function () {
+ return this.signIn(
+ this.globals.nonadmin_user_email,
+ this.globals.nonadmin_user_password)
+ }
+}
\ No newline at end of file
diff --git a/tests/nightwatch/commands/subdomain.js b/tests/nightwatch/commands/subdomain.js
new file mode 100644
index 0000000..784e4ec
--- /dev/null
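Review bot: The password is typed with `.setValue(...)`, which Nightwatch echoes together with its arguments in the verbose log and HTML reporter, so the admin passwords decrypted from the SOPS files can land in `tests_output` and in CI logs; Nightwatch provides `.setPassword(selector, value)` precisely to mask the value, so change that line to `.setPassword("input[type=password].form-control", password)`. The `isPresent` callback tests `result.status > -1`, which reads as "the command did not error" rather than "the element exists"; if the intent is to click only when the "No" button is present, checking the returned value (e.g. `result.value === true`) is clearer — the exact result shape depends on the Nightwatch version, so verify against 3.x.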
+++ b/tests/nightwatch/commands/subdomain.js
@@ -0,0 +1,5 @@
+module.exports = {
+ command: function (subdomain) {
+ return this.url(`https://${subdomain}${this.globals.domainSuffix}`)
+ }
+}
\ No newline at end of file
diff --git a/tests/nightwatch/globals.js b/tests/nightwatch/globals.js
new file mode 100644
index 0000000..6be9a01
--- /dev/null
+++ b/tests/nightwatch/globals.js
@@ -0,0 +1,22 @@
+const { decryptSops } = require('sops-wrapper');
+const dotenv = require("dotenv");
+const fs = require("fs");
+const dns = require("dns");
+
+module.exports = {
+ beforeEach(done) {
+ console.log("Loading secrets via SOPS...")
+
+ const secrets = decryptSops(`./tests/environments/${this.secretsFile}`)
+
+ // Expose env file and secrets as globals
+ Object.assign(this, secrets)
+
+ // Set DNS from env file
+ const envFile = dotenv.parse(fs.readFileSync(`./tests/environments/${this.envFile}`))
+ console.log(envFile)
+ dns.setServers([ envFile.DNS1, envFile.DNS2 ])
+
+ done()
+ }
+}
\ No newline at end of file
diff --git a/tests/proxmox-ve-local.spec.js b/tests/proxmox-ve-local.spec.js
new file mode 100644
index 0000000..53e34e9
--- /dev/null
+++ b/tests/proxmox-ve-local.spec.js
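Review bot: `decryptSops` comes from `sops-wrapper`, which this patch does not add to `package.json`, so the suite only runs where that package happens to be installed; declare it with the other devDependencies. `console.log(envFile)` is a leftover debug print — harmless today because the env files hold only DNS addresses, but it sits right next to `Object.assign(this, secrets)`, and anyone who later adds a token to an env file will leak it into CI output; remove it or log just the two resolver addresses. With `persist_globals: true` in the config, a `before` hook would decrypt once per run instead of invoking `sops` in every `beforeEach`.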
@@ -0,0 +1,28 @@
+describe('Proxmox VE when accessed locally should', () => {
+ this.tags = [ "localonly" ]
+
+ afterEach((browser) => {
+ browser.end()
+ })
+
+ it('Load main screen after signing in as admin', (browser) => {
+ browser
+ .subdomain('pve')
+ .setValue('#pveloginrealm-inputEl', 'Azure Active Directory')
+ .waitForElementVisible("a#button-1070")
+ .click('a#button-1070') // Redirects to AAD
+ .signInAsAdmin()
+ .assert.textContains("#versioninfo-innerCt", "Virtual Environment")
+ });
+
+ it('Not allow non-admins to use the app', (browser) => {
+ browser
+ .subdomain('pve')
+ .setValue('#pveloginrealm-inputEl', 'Azure Active Directory')
+ .waitForElementVisible("a#button-1070")
+ .click('a#button-1070') // Redirects to AAD
+ .signInAsNonAdmin()
+ .pause(6000)
+ .assert.isAadPermissionRejectedPage()
+ });
+});
diff --git a/tests/proxmox-ve-remote.spec.js b/tests/proxmox-ve-remote.spec.js
new file mode 100644
index 0000000..482550f
--- /dev/null
+++ b/tests/proxmox-ve-remote.spec.js
@@ -0,0 +1,24 @@
+describe('Proxmox VE when accessed remotely should', () => {
+ this.tags = [ "remoteonly" ]
+
+ afterEach((browser) => {
+ browser.end()
+ })
+
+ it('Load main screen after signing in as admin', (browser) => {
+ browser
+ .subdomain('pve')
+ .signInAsAdmin() // Sign into Cloudflare Access
+ .setValue('#pveloginrealm-inputEl', 'Azure Active Directory')
+ .waitForElementVisible("a#button-1070")
+ .click('a#button-1070') // Redirects to AAD
+ .assert.textContains("#versioninfo-innerCt", "Virtual Environment")
+ });
+
+ it('Not allow non-admins to use the app', (browser) => {
+ browser
+ .subdomain('pve')
+ .signInAsNonAdmin() // Sign into Cloudflare Access
+ .assert.isCloudflarePermissionRejectedPage()
+ });
+});
\ No newline at end of file
diff --git a/tools/tests.sh b/tools/tests.sh
new file mode 100755
index 0000000..917fd0b
--- /dev/null
+++ b/tools/tests.sh
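Review bot: `this.tags = [ "localonly" ]` sits inside an arrow-function `describe` callback, so `this` is the module's lexical `this` rather than the suite context Nightwatch supplies; Nightwatch's documented form is `describe('…', function () { this.tags = [...]; ... })`, and the same construct is used in proxmox-ve-remote.spec.js. If the `localonly`/`remoteonly` tags are what tools/tests.sh is expected to select on, a silently dropped tag would run the local-only suite against the remote environment (or vice versa), so this is worth verifying with a tag-filtered run. Separately, `a#button-1070` looks like an ExtJS auto-generated id and `.pause(6000)` is a fixed sleep; a stable selector and a `waitFor*` condition before `isAadPermissionRejectedPage()` would make the tests less brittle.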
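Review bot: In the admin test, after `.click('a#button-1070') // Redirects to AAD` no AAD sign-in step follows, unlike the local spec; the test presumably relies on the AAD session established during the Cloudflare Access login a few lines earlier, but nothing in the file says so. A comment on that line, e.g. `// AAD session from the Cloudflare Access sign-in is reused; no second sign-in expected`, would make the dependency explicit, and a `.waitForElementVisible("#versioninfo-innerCt")` before the `textContains` assertion would avoid asserting on a page that has not finished loading.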
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+ENV_NAME=$1
+
+echo "Loading environment variables..."
+
+set -a
+source ./tests/environments/$ENV_NAME.env
+set +a
+
+if [ -z "${WEBDRIVER_HOST}" ]; then
+ export WEBDRIVER_HOST="localhost"
+fi
+
+if [ -z "${WEBDRIVER_PORT}" ]; then
+ export WEBDRIVER_PORT="4444"
+fi
+
+if [ "${SKIP_SELENIUM_CONTAINER}" != "1" ]; then
+ echo "Starting webdriver container..."
+ docker compose -f ./tests/client/docker-compose.yaml up --force-recreate --detach --remove-orphans
+
+ echo "Waiting for the webdriver to be ready..."
+
+ x=1
+ READY=$(curl http://${WEBDRIVER_HOST}:${WEBDRIVER_PORT}/status 2>/dev/null | jq .value.ready)
+ while [[ "${READY}" -ne "true" ]]
+ do
+ sleep 10
+ x=$(( $x + 1 ))
+
+ if [ $x -gt 10 ]
+ then
+ echo "The selenium container did not get ready in time, ending test run..."
+ exit 255
+ fi
+
+ READY=$(curl http://${WEBDRIVER_HOST}:${WEBDRIVER_PORT}/status 2>/dev/null | jq .value.ready)
+ done
+
+ echo "Webdriver ready..."
+fi
+
+echo "Running nightwatch..."
+TST_COMMAND="nightwatch ${@:2}"
+eval $TST_COMMAND
diff --git a/yarn.lock b/yarn.lock
index 29dda15..93fefff 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -10,6 +10,15 @@
 "@jridgewell/gen-mapping" "^0.3.0"
 "@jridgewell/trace-mapping" "^0.3.9"
+"@asamuzakjp/dom-selector@^2.0.1":
+ version "2.0.2"
+ resolved "https://registry.yarnpkg.com/@asamuzakjp/dom-selector/-/dom-selector-2.0.2.tgz#160f601d9a465bbdf641410afdc527f37325506e"
+ integrity sha512-x1KXOatwofR6ZAYzXRBL5wrdV0vwNxlTCK9NCuLqAzQYARqGcvFwiJA6A1ERuh+dgeA4Dxm3JBYictIes+SqUQ==
+ dependencies:
+ bidi-js "^1.0.3"
+ css-tree "^2.3.1"
+ is-potential-custom-element-name "^1.0.1"
+
 "@babel/code-frame@^7.0.0", "@babel/code-frame@^7.12.13", "@babel/code-frame@^7.18.6", "@babel/code-frame@^7.21.4":
 version "7.21.4"
 resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.21.4.tgz#d0fa9e4413aca81f2b23b9442797bda1826edb39"
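Review bot: `while [[ "${READY}" -ne "true" ]]` uses the arithmetic operator `-ne`, so both operands are evaluated as arithmetic: `true`, `false`, `null` and an empty string all evaluate to 0 in that context, the condition is never satisfied, and the readiness loop never waits — nightwatch starts right after `docker compose up` returns. The string comparison `while [[ "${READY}" != "true" ]]` is what is intended. Two smaller points: `eval $TST_COMMAND` re-splits and re-interprets the forwarded arguments, so replacing the last two lines with `nightwatch "${@:2}"` is both correct for arguments containing spaces and avoids evaluating the caller's input as shell; and `ENV_NAME=$1` is never checked, so `: "${ENV_NAME:?usage: tests.sh <env-name> [nightwatch args...]}"` before the `source` line gives a clear error instead of silently sourcing `./tests/environments/.env`.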
@@ -371,6 +380,11 @@ resolved "https://registry.yarnpkg.com/@bcoe/v8-coverage/-/v8-coverage-0.2.3.tgz#75a2e8b51cb758a7553d6804a5932d7aace75c39" integrity sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw== +"@colors/colors@1.5.0": + version "1.5.0" + resolved "https://registry.yarnpkg.com/@colors/colors/-/colors-1.5.0.tgz#bb504579c1cae923e6576a4f5da43d25f97bdbd9" + integrity sha512-ooWCrlZP11i8GImSjTHYHLkvFDP48nS4+204nGb1RiX/WXYHmJA2III9/e2DWVabCESdW7hBAEzHRqUn9OUVvQ== + "@homecentr/yaml-diff@1.1.7": version "1.1.7" resolved "https://registry.yarnpkg.com/@homecentr/yaml-diff/-/yaml-diff-1.1.7.tgz#6eefc3239d98a29f2978fa7d2f9daf692279c507" 
@@ -628,6 +642,30 @@ "@jridgewell/resolve-uri" "3.1.0" "@jridgewell/sourcemap-codec" "1.4.14" +"@nightwatch/chai@5.0.3": + version "5.0.3" + resolved "https://registry.yarnpkg.com/@nightwatch/chai/-/chai-5.0.3.tgz#c92ebe0cd2ee986f7e838cbd86abd8af49861b01" + integrity sha512-1OIkOf/7jswOC3/t+Add/HVQO8ib75kz6BVYSNeWGghTlmHUqYEfNJ6vcACbXrn/4v3+9iRlWixuhFkxXkU/RQ== + dependencies: + assertion-error "1.1.0" + check-error "1.0.2" + deep-eql "4.0.1" + loupe "^2.3.7" + pathval "1.1.1" + type-detect "4.0.8" + +"@nightwatch/html-reporter-template@^0.3.0": + version "0.3.0" + resolved "https://registry.yarnpkg.com/@nightwatch/html-reporter-template/-/html-reporter-template-0.3.0.tgz#80ca3ccfe880d1db988eefe0e0e9ea7d161d91f3" + integrity sha512-Mze1z6pmUz2O8N9w1/h3QWz1lzMig45PGyh8PrL9ERs3FxVnIX0RCn37vjZUYiV4wgjZOg41JjdcpriZ3dJxkA== + +"@nightwatch/nightwatch-inspector@^1.0.1": + version "1.0.1" + resolved "https://registry.yarnpkg.com/@nightwatch/nightwatch-inspector/-/nightwatch-inspector-1.0.1.tgz#bbfbf1d17418abf3c6335232e899040832b60678" + integrity sha512-/ax11EOB4eJXT5VioMztcalbCtsNeuFn6icfT75qPLBmkxLvThePSfyGTys+t9AULUR0ug0wMDMiLV1Oy586Fg== + dependencies: + archiver "^5.3.1" + "@pkgjs/parseargs@^0.11.0": version "0.11.0" resolved "https://registry.yarnpkg.com/@pkgjs/parseargs/-/parseargs-0.11.0.tgz#a77ea742fab25775145434eb1d2328cf5013ac33" @@ -685,6 +723,11 @@ dependencies: "@babel/types" "^7.3.0" +"@types/chai@^4.3.5": + version "4.3.14" + resolved "https://registry.yarnpkg.com/@types/chai/-/chai-4.3.14.tgz#ae3055ea2be43c91c9fd700a36d67820026d96e6" + integrity sha512-Wj71sXE4Q4AkGdG9Tvq1u/fquNz9EdG4LIJMwVVII7ashjD/8cf8fyIfJAjRr6YcsXnSE8cOGQPq1gqeR8z+3w== + "@types/graceful-fs@^4.1.3": version "4.1.6" resolved "https://registry.yarnpkg.com/@types/graceful-fs/-/graceful-fs-4.1.6.tgz#e14b2576a1c25026b7f02ede1de3b84c3a1efeae" 
@@ -721,11 +764,25 @@ resolved "https://registry.yarnpkg.com/@types/prettier/-/prettier-2.7.2.tgz#6c2324641cc4ba050a8c710b2b251b377581fbf0" integrity sha512-KufADq8uQqo1pYKVIYzfKbJfBAc0sOeXqGbFaSpv8MRmC/zXgowNZmFcbngndGk922QDmOASEXUZCaY48gs4cg== +"@types/selenium-webdriver@^4.1.14": + version "4.1.22" + resolved "https://registry.yarnpkg.com/@types/selenium-webdriver/-/selenium-webdriver-4.1.22.tgz#344519b90727eb713e1ce6d2e0198eb0b4f8f316" + integrity sha512-MCL4l7q8dwxejr2Q2NXLyNwHWMPdlWE0Kpn6fFwJtvkJF7PTkG5jkvbH/X1IAAQxgt/L1dA8u2GtDeekvSKvOA== + dependencies: + "@types/ws" "*" + "@types/stack-utils@^2.0.0": version "2.0.1" resolved "https://registry.yarnpkg.com/@types/stack-utils/-/stack-utils-2.0.1.tgz#20f18294f797f2209b5f65c8e3b5c8e8261d127c" integrity sha512-Hl219/BT5fLAaz6NDkSuhzasy49dwQS/DSdu4MdggFB8zcXv7vflBI3xp7FEmkmdDkBUI2bPUNeMttp2knYdxw== +"@types/ws@*": + version "8.5.10" + resolved "https://registry.yarnpkg.com/@types/ws/-/ws-8.5.10.tgz#4acfb517970853fa6574a3a6886791d04a396787" + integrity sha512-vmQSUcfalpIq0R9q7uTo2lXs6eGIpt9wtnLdMv9LVpIjCA/+ufZRozlVoVelIYixx1ugCBKDhn89vnsEGOCx9A== + dependencies: + "@types/node" "*" + "@types/yargs-parser@*": version "21.0.0" resolved "https://registry.yarnpkg.com/@types/yargs-parser/-/yargs-parser-21.0.0.tgz#0c60e537fa790f5f9472ed2776c2b71ec117351b" 
@@ -738,6 +795,25 @@ dependencies: "@types/yargs-parser" "*" +agent-base@^7.0.2, agent-base@^7.1.0: + version "7.1.1" + resolved "https://registry.yarnpkg.com/agent-base/-/agent-base-7.1.1.tgz#bdbded7dfb096b751a2a087eeeb9664725b2e317" + integrity sha512-H0TSyFNDMomMNJQBn8wFV5YC/2eJ+VXECwOadZJT554xP6cODZHPX3H9QMQECxvrgiSOP1pHjy1sMWQVYJOUOA== + dependencies: + debug "^4.3.4" + +ansi-align@^3.0.0: + version "3.0.1" + resolved "https://registry.yarnpkg.com/ansi-align/-/ansi-align-3.0.1.tgz#0cdf12e111ace773a86e9a1fad1225c43cb19a59" + integrity sha512-IOfwwBF5iczOjp/WeY4YxyjqAFMQoZufdQWDd19SEExbVLNXqvpzSJ/M7Za4/sCPmQ0+GRquoA7bGcINcxew6w== + dependencies: + string-width "^4.1.0" + +ansi-colors@4.1.1: + version "4.1.1" + resolved "https://registry.yarnpkg.com/ansi-colors/-/ansi-colors-4.1.1.tgz#cbb9ae256bf750af1eab344f229aa27fe94ba348" + integrity sha512-JoX0apGbHaUJBNl6yF+p6JAFYZ666/hhCGKN5t9QFjbJQKUU/g8MNbFDbvfrgKXvI1QpZplPOnwIo99lX/AAmA== + ansi-escapes@^4.2.1: version "4.3.2" resolved "https://registry.yarnpkg.com/ansi-escapes/-/ansi-escapes-4.3.2.tgz#6b2291d1db7d98b6521d5f1efa42d0f3a9feb65e" @@ -769,7 +845,14 @@ ansi-styles@^5.0.0: resolved "https://registry.yarnpkg.com/ansi-styles/-/ansi-styles-5.2.0.tgz#07449690ad45777d1924ac2abb2fc8895dba836b" integrity sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA== -anymatch@^3.0.3: +ansi-to-html@0.7.2: + version "0.7.2" + resolved "https://registry.yarnpkg.com/ansi-to-html/-/ansi-to-html-0.7.2.tgz#a92c149e4184b571eb29a0135ca001a8e2d710cb" + integrity sha512-v6MqmEpNlxF+POuyhKkidusCHWWkaLcGRURzivcU3I9tv7k4JVhFcnukrM5Rlk2rUywdZuzYAZ+kbZqWCnfN3g== + dependencies: + entities "^2.2.0" + +anymatch@^3.0.3, anymatch@~3.1.2: version "3.1.3" resolved "https://registry.yarnpkg.com/anymatch/-/anymatch-3.1.3.tgz#790c58b19ba1720a84205b57c618d5ad8524973e" integrity sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw== 
@@ -777,6 +860,51 @@ anymatch@^3.0.3: normalize-path "^3.0.0" picomatch "^2.0.4" +archiver-utils@^2.1.0: + version "2.1.0" + resolved "https://registry.yarnpkg.com/archiver-utils/-/archiver-utils-2.1.0.tgz#e8a460e94b693c3e3da182a098ca6285ba9249e2" + integrity sha512-bEL/yUb/fNNiNTuUz979Z0Yg5L+LzLxGJz8x79lYmR54fmTIb6ob/hNQgkQnIUDWIFjZVQwl9Xs356I6BAMHfw== + dependencies: + glob "^7.1.4" + graceful-fs "^4.2.0" + lazystream "^1.0.0" + lodash.defaults "^4.2.0" + lodash.difference "^4.5.0" + lodash.flatten "^4.4.0" + lodash.isplainobject "^4.0.6" + lodash.union "^4.6.0" + normalize-path "^3.0.0" + readable-stream "^2.0.0" + +archiver-utils@^3.0.4: + version "3.0.4" + resolved "https://registry.yarnpkg.com/archiver-utils/-/archiver-utils-3.0.4.tgz#a0d201f1cf8fce7af3b5a05aea0a337329e96ec7" + integrity sha512-KVgf4XQVrTjhyWmx6cte4RxonPLR9onExufI1jhvw/MQ4BB6IsZD5gT8Lq+u/+pRkWna/6JoHpiQioaqFP5Rzw== + dependencies: + glob "^7.2.3" + graceful-fs "^4.2.0" + lazystream "^1.0.0" + lodash.defaults "^4.2.0" + lodash.difference "^4.5.0" + lodash.flatten "^4.4.0" + lodash.isplainobject "^4.0.6" + lodash.union "^4.6.0" + normalize-path "^3.0.0" + readable-stream "^3.6.0" + +archiver@^5.3.1: + version "5.3.2" + resolved "https://registry.yarnpkg.com/archiver/-/archiver-5.3.2.tgz#99991d5957e53bd0303a392979276ac4ddccf3b0" + integrity sha512-+25nxyyznAXF7Nef3y0EbBeqmGZgeN/BxHX29Rs39djAfaFalmQ89SE6CWyDCHzGL0yt/ycBtNOmGTW0FyGWNw== + dependencies: + archiver-utils "^2.1.0" + async "^3.2.4" + buffer-crc32 "^0.2.1" + readable-stream "^3.6.0" + readdir-glob "^1.1.2" + tar-stream "^2.2.0" + zip-stream "^4.1.0" + argparse@^1.0.7: version "1.0.10" resolved "https://registry.yarnpkg.com/argparse/-/argparse-1.0.10.tgz#bcd6791ea5ae09725e17e5ad988134cd40b3d911" 
@@ -789,6 +917,48 @@ argparse@^2.0.1: resolved "https://registry.yarnpkg.com/argparse/-/argparse-2.0.1.tgz#246f50f3ca78a3240f6c997e8a9bd1eac49e4b38" integrity sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q== +aria-query@5.1.3: + version "5.1.3" + resolved "https://registry.yarnpkg.com/aria-query/-/aria-query-5.1.3.tgz#19db27cd101152773631396f7a95a3b58c22c35e" + integrity sha512-R5iJ5lkuHybztUfuOAznmboyjWq8O6sqNqtK7CLOqdydi54VNbORp49mb14KbWgG1QD3JFO9hJdZ+y4KutfdOQ== + dependencies: + deep-equal "^2.0.5" + +array-buffer-byte-length@^1.0.0: + version "1.0.1" + resolved "https://registry.yarnpkg.com/array-buffer-byte-length/-/array-buffer-byte-length-1.0.1.tgz#1e5583ec16763540a27ae52eed99ff899223568f" + integrity sha512-ahC5W1xgou+KTXix4sAO8Ki12Q+jf4i0+tmk3sC+zgcynshkHxzpXdImBehiUYKKKDwvfFiJl1tZt6ewscS1Mg== + dependencies: + call-bind "^1.0.5" + is-array-buffer "^3.0.4" + +assertion-error@1.1.0: + version "1.1.0" + resolved "https://registry.yarnpkg.com/assertion-error/-/assertion-error-1.1.0.tgz#e60b6b0e8f301bd97e5375215bda406c85118c0b" + integrity sha512-jgsaNduz+ndvGyFt3uSuWqvy4lCnIJiovtouQN5JZHOKCS2QuhEdbcQHFhVksz2N2U9hXJo8odG7ETyWlEeuDw== + +async@^3.2.3, async@^3.2.4: + version "3.2.5" + resolved "https://registry.yarnpkg.com/async/-/async-3.2.5.tgz#ebd52a8fdaf7a2289a24df399f8d8485c8a46b66" + integrity sha512-baNZyqaaLhyLVKm/DlvdW051MSgO6b8eVfIezl9E5PqWxFgzLm/wQntEW4zOytVburDEr0JlALEpdOFwvErLsg== + +asynckit@^0.4.0: + version "0.4.0" + resolved "https://registry.yarnpkg.com/asynckit/-/asynckit-0.4.0.tgz#c79ed97f7f34cb8f2ba1bc9790bcc366474b4b79" + integrity sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q== + +available-typed-arrays@^1.0.7: + version "1.0.7" + resolved "https://registry.yarnpkg.com/available-typed-arrays/-/available-typed-arrays-1.0.7.tgz#a5cc375d6a03c2efc87a553f3e0b1522def14846" + integrity 
sha512-wvUjBtSGN7+7SjNpq/9M2Tg350UZD3q62IFZLbRAR1bSMlCo1ZaeW+BJ+D090e4hIIZLBcTDWe4Mh4jvUDajzQ== + dependencies: + possible-typed-array-names "^1.0.0" + +axe-core@^4.8.3: + version "4.9.0" + resolved "https://registry.yarnpkg.com/axe-core/-/axe-core-4.9.0.tgz#b18971494551ab39d4ff5f7d4c6411bd20cc7c2a" + integrity sha512-H5orY+M2Fr56DWmMFpMrq5Ge93qjNdPVqzBv5gWK3aD1OvjBEJlEzxf09z93dGVQeI0LiW+aCMIx1QtShC/zUw== + babel-jest@^29.6.1: version "29.6.1" resolved "https://registry.yarnpkg.com/babel-jest/-/babel-jest-29.6.1.tgz#a7141ad1ed5ec50238f3cd36127636823111233a" 
@@ -854,6 +1024,46 @@ balanced-match@^1.0.0: resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.2.tgz#e83e3a7e3f300b34cb9d87f615fa0cbf357690ee" integrity sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw== +base64-js@^1.3.1: + version "1.5.1" + resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-1.5.1.tgz#1b1b440160a5bf7ad40b650f095963481903930a" + integrity sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA== + +bidi-js@^1.0.3: + version "1.0.3" + resolved "https://registry.yarnpkg.com/bidi-js/-/bidi-js-1.0.3.tgz#6f8bcf3c877c4d9220ddf49b9bb6930c88f877d2" + integrity sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw== + dependencies: + require-from-string "^2.0.2" + +binary-extensions@^2.0.0: + version "2.3.0" + resolved "https://registry.yarnpkg.com/binary-extensions/-/binary-extensions-2.3.0.tgz#f6e14a97858d327252200242d4ccfe522c445522" + integrity sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw== + +bl@^4.0.3, bl@^4.1.0: + version "4.1.0" + resolved "https://registry.yarnpkg.com/bl/-/bl-4.1.0.tgz#451535264182bec2fbbc83a62ab98cf11d9f7b3a" + integrity sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w== + dependencies: + buffer "^5.5.0" + inherits "^2.0.4" + readable-stream "^3.4.0" + +boxen@5.1.2: + version "5.1.2" + resolved "https://registry.yarnpkg.com/boxen/-/boxen-5.1.2.tgz#788cb686fc83c1f486dfa8a40c68fc2b831d2b50" + integrity sha512-9gYgQKXx+1nP8mP7CzFyaUARhg7D3n1dF/FnErWmu9l6JvGpNUN278h0aSb+QjoiKSWG+iZ3uHrcqk0qrY9RQQ== + dependencies: + ansi-align "^3.0.0" + camelcase "^6.2.0" + chalk "^4.1.0" + cli-boxes "^2.2.1" + string-width "^4.2.2" + type-fest "^0.20.2" + widest-line "^3.1.0" + wrap-ansi "^7.0.0" + brace-expansion@^1.1.7: version "1.1.11" resolved 
"https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd" @@ -869,13 +1079,18 @@ brace-expansion@^2.0.1: dependencies: balanced-match "^1.0.0" -braces@^3.0.2: +braces@^3.0.2, braces@~3.0.2: version "3.0.2" resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.2.tgz#3454e1a462ee8d599e236df336cd9ea4f8afe107" integrity sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A== dependencies: fill-range "^7.0.1" +browser-stdout@1.3.1: + version "1.3.1" + resolved "https://registry.yarnpkg.com/browser-stdout/-/browser-stdout-1.3.1.tgz#baa559ee14ced73452229bad7326467c61fabd60" + integrity sha512-qhAVI1+Av2X7qelOfAIYwXONood6XlZE/fXaBSmW/T5SzLAmCgzi+eiWE7fUvbHaeNBQH13UftjpXxsfLkMpgw== + browserslist@^4.21.3: version "4.21.5" resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.21.5.tgz#75c5dae60063ee641f977e00edd3cfb2fb7af6a7" 
@@ -893,11 +1108,35 @@ bser@2.1.1: dependencies: node-int64 "^0.4.0" +buffer-crc32@^0.2.1, buffer-crc32@^0.2.13: + version "0.2.13" + resolved "https://registry.yarnpkg.com/buffer-crc32/-/buffer-crc32-0.2.13.tgz#0d333e3f00eac50aa1454abd30ef8c2a5d9a7242" + integrity sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ== + buffer-from@^1.0.0: version "1.1.2" resolved "https://registry.yarnpkg.com/buffer-from/-/buffer-from-1.1.2.tgz#2b146a6fd72e80b4f55d255f35ed59a3a9a41bd5" integrity sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ== +buffer@^5.5.0: + version "5.7.1" + resolved "https://registry.yarnpkg.com/buffer/-/buffer-5.7.1.tgz#ba62e7c13133053582197160851a8f648e99eed0" + integrity sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ== + dependencies: + base64-js "^1.3.1" + ieee754 "^1.1.13" + +call-bind@^1.0.2, call-bind@^1.0.5, call-bind@^1.0.6, call-bind@^1.0.7: + version "1.0.7" + resolved "https://registry.yarnpkg.com/call-bind/-/call-bind-1.0.7.tgz#06016599c40c56498c18769d2730be242b6fa3b9" + integrity sha512-GHTSNSYICQ7scH7sZ+M2rFopRoLh8t2bLSW6BbgrtLsahOIB5iyAVJf9GjWK3cYTDaMj4XdBpM1cA6pIS0Kv2w== + dependencies: + es-define-property "^1.0.0" + es-errors "^1.3.0" + function-bind "^1.1.2" + get-intrinsic "^1.2.4" + set-function-length "^1.2.1" + callsites@^3.0.0: version "3.1.0" resolved "https://registry.yarnpkg.com/callsites/-/callsites-3.1.0.tgz#b3630abd8943432f54b3f0519238e33cd7df2f73" 
@@ -908,7 +1147,7 @@ camelcase@^5.3.1: resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-5.3.1.tgz#e3c9b31569e106811df242f715725a1f4c494320" integrity sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg== -camelcase@^6.2.0: +camelcase@^6.0.0, camelcase@^6.2.0: version "6.3.0" resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-6.3.0.tgz#5685b95eb209ac9c0c177467778c9c84df58ba9a" integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA== @@ -918,6 +1157,13 @@ caniuse-lite@^1.0.30001449: resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001481.tgz#f58a717afe92f9e69d0e35ff64df596bfad93912" integrity sha512-KCqHwRnaa1InZBtqXzP98LPg0ajCVujMKjqKDhZEthIpAsJl/YEIa3YvXjGXPVqzZVguccuu7ga9KOE1J9rKPQ== +chai-nightwatch@^0.5.3: + version "0.5.3" + resolved "https://registry.yarnpkg.com/chai-nightwatch/-/chai-nightwatch-0.5.3.tgz#980ecf63dde5a04e7f3524370682c7ff01178ffb" + integrity sha512-38ixH/mqpY6IwnZkz6xPqx8aB5/KVR+j6VPugcir3EGOsphnWXrPH/mUt8Jp+ninL6ghY0AaJDQ10hSfCPGy/g== + dependencies: + assertion-error "1.1.0" + chalk@^2.0.0, chalk@^2.4.2: version "2.4.2" resolved "https://registry.yarnpkg.com/chalk/-/chalk-2.4.2.tgz#cd42541677a54333cf541a49108c1432b44c9424" @@ -927,7 +1173,7 @@ chalk@^2.0.0, chalk@^2.4.2: escape-string-regexp "^1.0.5" supports-color "^5.3.0" -chalk@^4.0.0: +chalk@^4.0.0, chalk@^4.0.2, chalk@^4.1.0, chalk@^4.1.2: version "4.1.2" resolved "https://registry.yarnpkg.com/chalk/-/chalk-4.1.2.tgz#aac4e2b7734a740867aeb16bf02aad556a1e7a01" integrity sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA== 
@@ -940,6 +1186,31 @@ char-regex@^1.0.2: resolved "https://registry.yarnpkg.com/char-regex/-/char-regex-1.0.2.tgz#d744358226217f981ed58f479b1d6bcc29545dcf" integrity sha512-kWWXztvZ5SBQV+eRgKFeh8q5sLuZY2+8WUIzlxWVTg+oGwY14qylx1KbKzHd8P6ZYkAg0xyIDU9JMHhyJMZ1jw== +check-error@1.0.2: + version "1.0.2" + resolved "https://registry.yarnpkg.com/check-error/-/check-error-1.0.2.tgz#574d312edd88bb5dd8912e9286dd6c0aed4aac82" + integrity sha512-BrgHpW9NURQgzoNyjfq0Wu6VFO6D7IZEmJNdtgNqpzGG8RuNFHt2jQxWlAs4HMe119chBnv+34syEZtc6IhLtA== + +chokidar@3.5.3: + version "3.5.3" + resolved "https://registry.yarnpkg.com/chokidar/-/chokidar-3.5.3.tgz#1cf37c8707b932bd1af1ae22c0432e2acd1903bd" + integrity sha512-Dr3sfKRP6oTcjf2JmUmFJfeVMvXBdegxB0iVQ5eb2V10uFJUCAS8OByZdVAyVb8xXNz3GjjTgj9kLWsZTqE6kw== + dependencies: + anymatch "~3.1.2" + braces "~3.0.2" + glob-parent "~5.1.2" + is-binary-path "~2.1.0" + is-glob "~4.0.1" + normalize-path "~3.0.0" + readdirp "~3.6.0" + optionalDependencies: + fsevents "~2.3.2" + +ci-info@3.3.0: + version "3.3.0" + resolved "https://registry.yarnpkg.com/ci-info/-/ci-info-3.3.0.tgz#b4ed1fb6818dea4803a55c623041f9165d2066b2" + integrity sha512-riT/3vI5YpVH6/qomlDnJow6TBee2PBKSEpx3O32EGPYbWGIRsIlGRms3Sm74wYE1JMo8RnO04Hb12+v1J5ICw== + ci-info@^3.2.0: version "3.8.0" resolved "https://registry.yarnpkg.com/ci-info/-/ci-info-3.8.0.tgz#81408265a5380c929f0bc665d62256628ce9ef91" 
@@ -950,7 +1221,33 @@ cjs-module-lexer@^1.0.0: resolved "https://registry.yarnpkg.com/cjs-module-lexer/-/cjs-module-lexer-1.2.2.tgz#9f84ba3244a512f3a54e5277e8eef4c489864e40" integrity sha512-cOU9usZw8/dXIXKtwa8pM0OTJQuJkxMN6w30csNRUerHfeQ5R6U3kkU/FtJeIf3M202OHfY2U8ccInBG7/xogA== -cliui@^7.0.4: +cli-boxes@^2.2.1: + version "2.2.1" + resolved "https://registry.yarnpkg.com/cli-boxes/-/cli-boxes-2.2.1.tgz#ddd5035d25094fce220e9cab40a45840a440318f" + integrity sha512-y4coMcylgSCdVinjiDBuR8PCC2bLjyGTwEmPb9NHR/QaNU6EUOXcTY/s6VjGMD6ENSEaeQYHCY0GNGS5jfMwPw== + +cli-cursor@^3.1.0: + version "3.1.0" + resolved "https://registry.yarnpkg.com/cli-cursor/-/cli-cursor-3.1.0.tgz#264305a7ae490d1d03bf0c9ba7c925d1753af307" + integrity sha512-I/zHAwsKf9FqGoXM4WWRACob9+SNukZTd94DWF57E4toouRulbCxcUh6RKUEOQlYTHJnzkPMySvPNaaSLNfLZw== + dependencies: + restore-cursor "^3.1.0" + +cli-spinners@^2.5.0: + version "2.9.2" + resolved "https://registry.yarnpkg.com/cli-spinners/-/cli-spinners-2.9.2.tgz#1773a8f4b9c4d6ac31563df53b3fc1d79462fe41" + integrity sha512-ywqV+5MmyL4E7ybXgKys4DugZbX0FC6LnwrhjuykIjnK9k8OQacQ7axGKnjDXWNhns0xot3bZI5h55H8yo9cJg== + +cli-table3@^0.6.3: + version "0.6.4" + resolved "https://registry.yarnpkg.com/cli-table3/-/cli-table3-0.6.4.tgz#d1c536b8a3f2e7bec58f67ac9e5769b1b30088b0" + integrity sha512-Lm3L0p+/npIQWNIiyF/nAn7T5dnOwR3xNTHXYEBFBFVPXzCVNZ5lqEC/1eo/EVfpDsQ1I+TX4ORPQgp+UI0CRw== + dependencies: + string-width "^4.2.0" + optionalDependencies: + "@colors/colors" "1.5.0" + +cliui@^7.0.2, cliui@^7.0.4: version "7.0.4" resolved "https://registry.yarnpkg.com/cliui/-/cliui-7.0.4.tgz#a0265ee655476fc807aea9df3df8df7783808b4f" integrity sha512-OcRE68cOsVMXp1Yvonl/fzkQOyjLSu/8bhPDfQt0e0/Eb283TKP20Fs2MqoPsr9SwA595rRCA+QMzYc9nBP+JQ== 
@@ -968,6 +1265,11 @@ cliui@^8.0.1: strip-ansi "^6.0.1" wrap-ansi "^7.0.0" +clone@^1.0.2: + version "1.0.4" + resolved "https://registry.yarnpkg.com/clone/-/clone-1.0.4.tgz#da309cc263df15994c688ca902179ca3c7cd7c7e" + integrity sha512-JQHZ2QMW6l3aH/j6xCqQThY/9OH4D/9ls34cgkUBiEeocRTU04tHfKPBsUK1PqZCUQM7GiA0IIXJSuXHI64Kbg== + co@^4.6.0: version "4.6.0" resolved "https://registry.yarnpkg.com/co/-/co-4.6.0.tgz#6ea6bdf3d853ae54ccb8e47bfa0bf3f9031fb184" @@ -1002,6 +1304,28 @@ color-name@~1.1.4: resolved "https://registry.yarnpkg.com/color-name/-/color-name-1.1.4.tgz#c2a09a87acbde69543de6f63fa3995c826c536a2" integrity sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA== +combined-stream@^1.0.8: + version "1.0.8" + resolved "https://registry.yarnpkg.com/combined-stream/-/combined-stream-1.0.8.tgz#c3d45a8b34fd730631a110a8a2520682b31d5a7f" + integrity sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg== + dependencies: + delayed-stream "~1.0.0" + +commander@^4.0.0: + version "4.1.1" + resolved "https://registry.yarnpkg.com/commander/-/commander-4.1.1.tgz#9fd602bd936294e9e9ef46a3f4d6964044b18068" + integrity sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA== + +compress-commons@^4.1.2: + version "4.1.2" + resolved "https://registry.yarnpkg.com/compress-commons/-/compress-commons-4.1.2.tgz#6542e59cb63e1f46a8b21b0e06f9a32e4c8b06df" + integrity sha512-D3uMHtGc/fcO1Gt1/L7i1e33VOvD4A9hfQLP+6ewd+BvG/gQ84Yh4oftEhAdjSMgBgwGL+jsppT7JYNpo6MHHg== + dependencies: + buffer-crc32 "^0.2.13" + crc32-stream "^4.0.2" + normalize-path "^3.0.0" + readable-stream "^3.6.0" + concat-map@0.0.1: version "0.0.1" resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b" 
@@ -1017,6 +1341,24 @@ convert-source-map@^2.0.0: resolved "https://registry.yarnpkg.com/convert-source-map/-/convert-source-map-2.0.0.tgz#4b560f649fc4e918dd0ab75cf4961e8bc882d82a" integrity sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg== +core-util-is@~1.0.0: + version "1.0.3" + resolved "https://registry.yarnpkg.com/core-util-is/-/core-util-is-1.0.3.tgz#a6042d3634c2b27e9328f837b965fac83808db85" + integrity sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ== + +crc-32@^1.2.0: + version "1.2.2" + resolved "https://registry.yarnpkg.com/crc-32/-/crc-32-1.2.2.tgz#3cad35a934b8bf71f25ca524b6da51fb7eace2ff" + integrity sha512-ROmzCKrTnOwybPcJApAA6WBWij23HVfGVNKqqrZpuyZOHqK2CwHSvpGuyt/UNNvaIjEd8X5IFGp4Mh+Ie1IHJQ== + +crc32-stream@^4.0.2: + version "4.0.3" + resolved "https://registry.yarnpkg.com/crc32-stream/-/crc32-stream-4.0.3.tgz#85dd677eb78fa7cad1ba17cc506a597d41fc6f33" + integrity sha512-NT7w2JVU7DFroFdYkeq8cywxrgjPHWkdX1wjpRQXPX5Asews3tA+Ght6lddQO5Mkumffp3X7GEqku3epj2toIw== + dependencies: + crc-32 "^1.2.0" + readable-stream "^3.4.0" + cross-spawn@^7.0.0, cross-spawn@^7.0.3: version "7.0.3" resolved "https://registry.yarnpkg.com/cross-spawn/-/cross-spawn-7.0.3.tgz#f73a85b9d5d41d045551c177e2882d4ac85728a6" 
@@ -1026,33 +1368,164 @@ cross-spawn@^7.0.0, cross-spawn@^7.0.3: shebang-command "^2.0.0" which "^2.0.1" -debug@^4.1.0, debug@^4.1.1: +css-tree@^2.3.1: + version "2.3.1" + resolved "https://registry.yarnpkg.com/css-tree/-/css-tree-2.3.1.tgz#10264ce1e5442e8572fc82fbe490644ff54b5c20" + integrity sha512-6Fv1DV/TYw//QF5IzQdqsNDjx/wc8TrMBZsqjL9eW01tWb7R7k/mq+/VXfJCl7SoD5emsJop9cOByJZfs8hYIw== + dependencies: + mdn-data "2.0.30" + source-map-js "^1.0.1" + +cssstyle@^4.0.1: + version "4.0.1" + resolved "https://registry.yarnpkg.com/cssstyle/-/cssstyle-4.0.1.tgz#ef29c598a1e90125c870525490ea4f354db0660a" + integrity sha512-8ZYiJ3A/3OkDd093CBT/0UKDWry7ak4BdPTFP2+QEP7cmhouyq/Up709ASSj2cK02BbZiMgk7kYjZNS4QP5qrQ== + dependencies: + rrweb-cssom "^0.6.0" + +data-urls@^5.0.0: + version "5.0.0" + resolved "https://registry.yarnpkg.com/data-urls/-/data-urls-5.0.0.tgz#2f76906bce1824429ffecb6920f45a0b30f00dde" + integrity sha512-ZYP5VBHshaDAiVZxjbRVcFJpc+4xGgT0bK3vzy1HLN8jTO975HEbuYzZJcHoQEY5K1a0z8YayJkyVETa08eNTg== + dependencies: + whatwg-mimetype "^4.0.0" + whatwg-url "^14.0.0" + +debug@4, debug@4.3.4, debug@^4.1.0, debug@^4.1.1, debug@^4.3.4: version "4.3.4" resolved "https://registry.yarnpkg.com/debug/-/debug-4.3.4.tgz#1319f6579357f2338d3337d2cdd4914bb5dcc865" integrity sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ== dependencies: ms "2.1.2" +decamelize@^4.0.0: + version "4.0.0" + resolved "https://registry.yarnpkg.com/decamelize/-/decamelize-4.0.0.tgz#aa472d7bf660eb15f3494efd531cab7f2a709837" + integrity sha512-9iE1PgSik9HeIIw2JO94IidnE3eBoQrFJ3w7sFuzSX4DpmZ3v5sZpUiV5Swcf6mQEF+Y0ru8Neo+p+nyh2J+hQ== + +decimal.js@^10.4.3: + version "10.4.3" + resolved "https://registry.yarnpkg.com/decimal.js/-/decimal.js-10.4.3.tgz#1044092884d245d1b7f65725fa4ad4c6f781cc23" + integrity sha512-VBBaLc1MgL5XpzgIP7ny5Z6Nx3UrRkIViUkPUdtl9aya5amy3De1gsUUSB1g3+3sExYNjCAsAznmukyxCb1GRA== + dedent@^0.7.0: version "0.7.0" resolved 
"https://registry.yarnpkg.com/dedent/-/dedent-0.7.0.tgz#2495ddbaf6eb874abb0e1be9df22d2e5a544326c" integrity sha512-Q6fKUPqnAHAyhiUgFU7BUzLiv0kd8saH9al7tnu5Q/okj6dnupxyTgFIBjVzJATdfIAm9NAsvXNzjaKa+bxVyA== +deep-eql@4.0.1: + version "4.0.1" + resolved "https://registry.yarnpkg.com/deep-eql/-/deep-eql-4.0.1.tgz#2b65bc89491d193780c452edee2144a91bb0a445" + integrity sha512-D/Oxqobjr+kxaHsgiQBZq9b6iAWdEj5W/JdJm8deNduAPc9CwXQ3BJJCuEqlrPXcy45iOMkGPZ0T81Dnz7UDCA== + dependencies: + type-detect "^4.0.0" + +deep-equal@^2.0.5: + version "2.2.3" + resolved "https://registry.yarnpkg.com/deep-equal/-/deep-equal-2.2.3.tgz#af89dafb23a396c7da3e862abc0be27cf51d56e1" + integrity sha512-ZIwpnevOurS8bpT4192sqAowWM76JDKSHYzMLty3BZGSswgq6pBaH3DhCSW5xVAZICZyKdOBPjwww5wfgT/6PA== + dependencies: + array-buffer-byte-length "^1.0.0" + call-bind "^1.0.5" + es-get-iterator "^1.1.3" + get-intrinsic "^1.2.2" + is-arguments "^1.1.1" + is-array-buffer "^3.0.2" + is-date-object "^1.0.5" + is-regex "^1.1.4" + is-shared-array-buffer "^1.0.2" + isarray "^2.0.5" + object-is "^1.1.5" + object-keys "^1.1.1" + object.assign "^4.1.4" + regexp.prototype.flags "^1.5.1" + side-channel "^1.0.4" + which-boxed-primitive "^1.0.2" + which-collection "^1.0.1" + which-typed-array "^1.1.13" + deepmerge@^4.2.2: version "4.3.1" resolved "https://registry.yarnpkg.com/deepmerge/-/deepmerge-4.3.1.tgz#44b5f2147cd3b00d4b56137685966f26fd25dd4a" integrity sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A== +defaults@^1.0.3: + version "1.0.4" + resolved "https://registry.yarnpkg.com/defaults/-/defaults-1.0.4.tgz#b0b02062c1e2aa62ff5d9528f0f98baa90978d7a" + integrity sha512-eFuaLoy/Rxalv2kr+lqMlUnrDWV+3j4pljOIJgLIhI058IQfWJ7vXhyEIHu+HtC738klGALYxOKDO0bQP3tg8A== + dependencies: + clone "^1.0.2" + +define-data-property@^1.0.1, define-data-property@^1.1.4: + version "1.1.4" + resolved 
"https://registry.yarnpkg.com/define-data-property/-/define-data-property-1.1.4.tgz#894dc141bb7d3060ae4366f6a0107e68fbe48c5e" + integrity sha512-rBMvIzlpA8v6E+SJZoo++HAYqsLrkg7MSfIinMPFhmkorw7X+dOXVJQs+QT69zGkzMyfDnIMN2Wid1+NbL3T+A== + dependencies: + es-define-property "^1.0.0" + es-errors "^1.3.0" + gopd "^1.0.1" + +define-lazy-prop@^2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/define-lazy-prop/-/define-lazy-prop-2.0.0.tgz#3f7ae421129bcaaac9bc74905c98a0009ec9ee7f" + integrity sha512-Ds09qNh8yw3khSjiJjiUInaGX9xlqZDY7JVryGxdxV7NPeuqQfplOpQ66yJFZut3jLa5zOwkXw1g9EI2uKh4Og== + +define-properties@^1.2.1: + version "1.2.1" + resolved "https://registry.yarnpkg.com/define-properties/-/define-properties-1.2.1.tgz#10781cc616eb951a80a034bafcaa7377f6af2b6c" + integrity sha512-8QmQKqEASLd5nx0U1B1okLElbUuuttJ/AnYmRXbbbGDWh6uS208EjD4Xqq/I9wK7u0v6O08XhTWnt5XtEbR6Dg== + dependencies: + define-data-property "^1.0.1" + has-property-descriptors "^1.0.0" + object-keys "^1.1.1" + +delayed-stream@~1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/delayed-stream/-/delayed-stream-1.0.0.tgz#df3ae199acadfb7d440aaae0b29e2272b24ec619" + integrity sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ== + detect-newline@^3.0.0: version "3.1.0" resolved "https://registry.yarnpkg.com/detect-newline/-/detect-newline-3.1.0.tgz#576f5dfc63ae1a192ff192d8ad3af6308991b651" integrity sha512-TLz+x/vEXm/Y7P7wn1EJFNLxYpUD4TgMosxY6fAVJUnJMbupHBOncxyWUG9OpTaH9EBD7uFI5LfEgmMOc54DsA== +devtools-protocol@^0.0.1140464: + version "0.0.1140464" + resolved "https://registry.yarnpkg.com/devtools-protocol/-/devtools-protocol-0.0.1140464.tgz#ee5bb78646008e0dd97724d7659588c80fdb08b6" + integrity sha512-I1jXnjpQh/6TBFyQ0A9dB2kXXk6DprpPFZoI8pUsxHtlNuOTQEdv9fUqYBsFtf8tOJCbdsZZyQrWeXu6GfK+Bw== + +didyoumean@^1.2.2: + version "1.2.2" + resolved "https://registry.yarnpkg.com/didyoumean/-/didyoumean-1.2.2.tgz#989346ffe9e839b4555ecf5666edea0d3e8ad037" 
+ integrity sha512-gxtyfqMg7GKyhQmb056K7M3xszy/myH8w+B4RT+QXBQsvAOdc3XymqDDPHx1BgPgsdAA5SIifona89YtRATDzw== + diff-sequences@^29.4.3: version "29.4.3" resolved "https://registry.yarnpkg.com/diff-sequences/-/diff-sequences-29.4.3.tgz#9314bc1fabe09267ffeca9cbafc457d8499a13f2" integrity sha512-ofrBgwpPhCD85kMKtE9RYFFq6OC1A89oW2vvgWZNCwxrUpRUILopY7lsYyMDSjc8g6U6aiO0Qubg6r4Wgt5ZnA== +diff@5.0.0: + version "5.0.0" + resolved "https://registry.yarnpkg.com/diff/-/diff-5.0.0.tgz#7ed6ad76d859d030787ec35855f5b1daf31d852b" + integrity sha512-/VTCrvm5Z0JGty/BWHljh+BAiw3IK+2j87NGMu8Nwc/f48WoDAC395uomO9ZD117ZOBaHmkX1oyLvkVM/aIT3w== + +dotenv@16.3.1: + version "16.3.1" + resolved "https://registry.yarnpkg.com/dotenv/-/dotenv-16.3.1.tgz#369034de7d7e5b120972693352a3bf112172cc3e" + integrity sha512-IPzF4w4/Rd94bA9imS68tZBaYyBWSCE47V1RGuMrB94iyTOIEwRmVL2x/4An+6mETpLrKJ5hQkB8W4kFAadeIQ== + +dotenv@^16.4.5: + version "16.4.5" + resolved "https://registry.yarnpkg.com/dotenv/-/dotenv-16.4.5.tgz#cdd3b3b604cb327e286b4762e13502f717cb099f" + integrity sha512-ZmdL2rui+eB2YwhsWzjInR8LldtZHGDoQ1ugH85ppHKwpUHL7j7rN0Ti9NCnGiQbhaZ11FpR+7ao1dNsmduNUg== + +ejs@3.1.8: + version "3.1.8" + resolved "https://registry.yarnpkg.com/ejs/-/ejs-3.1.8.tgz#758d32910c78047585c7ef1f92f9ee041c1c190b" + integrity sha512-/sXZeMlhS0ArkfX2Aw780gJzXSMPnKjtspYZv+f3NiKLlubezAHDU5+9xz6gd3/NhG3txQCo6xlglmTS+oTGEQ== + dependencies: + jake "^10.8.5" + electron-to-chromium@^1.4.284: version "1.4.375" resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.375.tgz#69e5928454b0dacde07972310bd526b4516ba507" 
@@ -1068,6 +1541,36 @@ emoji-regex@^8.0.0: resolved "https://registry.yarnpkg.com/emoji-regex/-/emoji-regex-8.0.0.tgz#e818fd69ce5ccfcb404594f842963bf53164cc37" integrity sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A== +end-of-stream@^1.4.1: + version "1.4.4" + resolved "https://registry.yarnpkg.com/end-of-stream/-/end-of-stream-1.4.4.tgz#5ae64a5f45057baf3626ec14da0ca5e4b2431eb0" + integrity sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q== + dependencies: + once "^1.4.0" + +entities@^2.2.0: + version "2.2.0" + resolved "https://registry.yarnpkg.com/entities/-/entities-2.2.0.tgz#098dc90ebb83d8dffa089d55256b351d34c4da55" + integrity sha512-p92if5Nz619I0w+akJrLZH0MX0Pb5DX39XOwQTtXSdQQOaYH03S1uIQp4mhOZtAXrxq4ViO67YTiLBo2638o9A== + +entities@^4.4.0: + version "4.5.0" + resolved "https://registry.yarnpkg.com/entities/-/entities-4.5.0.tgz#5d268ea5e7113ec74c4d033b79ea5a35a488fb48" + integrity sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw== + +env-cmd@^10.1.0: + version "10.1.0" + resolved "https://registry.yarnpkg.com/env-cmd/-/env-cmd-10.1.0.tgz#c7f5d3b550c9519f137fdac4dd8fb6866a8c8c4b" + integrity sha512-mMdWTT9XKN7yNth/6N6g2GuKuJTsKMDHlQFUDacb/heQRRWOTIZ42t1rMHnQu4jYxU1ajdTeJM+9eEETlqToMA== + dependencies: + commander "^4.0.0" + cross-spawn "^7.0.0" + +envinfo@7.11.0: + version "7.11.0" + resolved "https://registry.yarnpkg.com/envinfo/-/envinfo-7.11.0.tgz#c3793f44284a55ff8c82faf1ffd91bc6478ea01f" + integrity sha512-G9/6xF1FPbIw0TtalAMaVPpiq2aDEuKLXM314jPVAO9r2fo2a4BLqMNkmRS7O/xPPZ+COAhGIz3ETvHEV3eUcg== + error-ex@^1.3.1: version "1.3.2" resolved "https://registry.yarnpkg.com/error-ex/-/error-ex-1.3.2.tgz#b4ac40648107fdcdcfae242f428bea8a14d4f1bf" 
@@ -1075,11 +1578,43 @@ error-ex@^1.3.1: dependencies: is-arrayish "^0.2.1" +es-define-property@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/es-define-property/-/es-define-property-1.0.0.tgz#c7faefbdff8b2696cf5f46921edfb77cc4ba3845" + integrity sha512-jxayLKShrEqqzJ0eumQbVhTYQM27CfT1T35+gCgDFoL82JLsXqTJ76zv6A0YLOgEnLUMvLzsDsGIrl8NFpT2gQ== + dependencies: + get-intrinsic "^1.2.4" + +es-errors@^1.3.0: + version "1.3.0" + resolved "https://registry.yarnpkg.com/es-errors/-/es-errors-1.3.0.tgz#05f75a25dab98e4fb1dcd5e1472c0546d5057c8f" + integrity sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw== + +es-get-iterator@^1.1.3: + version "1.1.3" + resolved "https://registry.yarnpkg.com/es-get-iterator/-/es-get-iterator-1.1.3.tgz#3ef87523c5d464d41084b2c3c9c214f1199763d6" + integrity sha512-sPZmqHBe6JIiTfN5q2pEi//TwxmAFHwj/XEuYjTuse78i8KxaqMTTzxPoFKuzRpDpTJ+0NAbpfenkmH2rePtuw== + dependencies: + call-bind "^1.0.2" + get-intrinsic "^1.1.3" + has-symbols "^1.0.3" + is-arguments "^1.1.1" + is-map "^2.0.2" + is-set "^2.0.2" + is-string "^1.0.7" + isarray "^2.0.5" + stop-iteration-iterator "^1.0.0" + escalade@^3.1.1: version "3.1.1" resolved "https://registry.yarnpkg.com/escalade/-/escalade-3.1.1.tgz#d8cfdc7000965c5a0174b4a82eaa5c0552742e40" integrity sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw== +escape-string-regexp@4.0.0: + version "4.0.0" + resolved "https://registry.yarnpkg.com/escape-string-regexp/-/escape-string-regexp-4.0.0.tgz#14ba83a5d373e3d311e5afca29cf5bfad965bf34" + integrity sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA== + escape-string-regexp@^1.0.5: version "1.0.5" resolved "https://registry.yarnpkg.com/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz#1b61c0562190a8dff6ae3bb2cf0200ca130b86d4" 
@@ -1139,6 +1674,13 @@ fb-watchman@^2.0.0: dependencies: bser "2.1.1" +filelist@^1.0.4: + version "1.0.4" + resolved "https://registry.yarnpkg.com/filelist/-/filelist-1.0.4.tgz#f78978a1e944775ff9e62e744424f215e58352b5" + integrity sha512-w1cEuf3S+DrLCQL7ET6kz+gmlJdbq9J7yXCSjK/OZCPA+qEN1WyF4ZAf0YYJa4/shHJra2t/d/r8SV4Ji+x+8Q== + dependencies: + minimatch "^5.0.1" + fill-range@^7.0.1: version "7.0.1" resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.0.1.tgz#1919a6a7c75fe38b2c7c77e5198535da9acdda40" @@ -1146,6 +1688,14 @@ fill-range@^7.0.1: dependencies: to-regex-range "^5.0.1" +find-up@5.0.0: + version "5.0.0" + resolved "https://registry.yarnpkg.com/find-up/-/find-up-5.0.0.tgz#4c92819ecb7083561e4f4a240a86be5198f536fc" + integrity sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng== + dependencies: + locate-path "^6.0.0" + path-exists "^4.0.0" + find-up@^4.0.0, find-up@^4.1.0: version "4.1.0" resolved "https://registry.yarnpkg.com/find-up/-/find-up-4.1.0.tgz#97afe7d6cdc0bc5928584b7c8d7b16e8a9aa5d19" @@ -1154,6 +1704,18 @@ find-up@^4.0.0, find-up@^4.1.0: locate-path "^5.0.0" path-exists "^4.0.0" +flat@^5.0.2: + version "5.0.2" + resolved "https://registry.yarnpkg.com/flat/-/flat-5.0.2.tgz#8ca6fe332069ffa9d324c327198c598259ceb241" + integrity sha512-b6suED+5/3rTpUBdG1gupIl8MPFCAMA0QXwmljLhvCUKcUvdE4gWky9zpuGCcXHOsz4J9wPGNWq6OKpmIzz3hQ== + +for-each@^0.3.3: + version "0.3.3" + resolved "https://registry.yarnpkg.com/for-each/-/for-each-0.3.3.tgz#69b447e88a0a5d32c3e7084f3f1710034b21376e" + integrity sha512-jqYfLp7mo9vIyQf8ykW2v7A+2N4QjeCeI5+Dz9XraiO1ign81wjiH7Fb9vSOWvQfNtmSa4H2RoQTrrXivdUZmw== + dependencies: + is-callable "^1.1.3" + foreground-child@^3.1.0: version "3.1.1" resolved "https://registry.yarnpkg.com/foreground-child/-/foreground-child-3.1.1.tgz#1d173e776d75d2772fed08efe4a0de1ea1b12d0d" 
@@ -1162,6 +1724,20 @@ foreground-child@^3.1.0: cross-spawn "^7.0.0" signal-exit "^4.0.1" +form-data@^4.0.0: + version "4.0.0" + resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.0.tgz#93919daeaf361ee529584b9b31664dc12c9fa452" + integrity sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww== + dependencies: + asynckit "^0.4.0" + combined-stream "^1.0.8" + mime-types "^2.1.12" + +fs-constants@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/fs-constants/-/fs-constants-1.0.0.tgz#6be0de9be998ce16af8afc24497b9ee9b7ccd9ad" + integrity sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow== + fs.realpath@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/fs.realpath/-/fs.realpath-1.0.0.tgz#1504ad2523158caa40db4a2787cb01411994ea4f" 
@@ -1172,11 +1748,26 @@ fsevents@^2.3.2: resolved "https://registry.yarnpkg.com/fsevents/-/fsevents-2.3.2.tgz#8a526f78b8fdf4623b709e0b975c52c24c02fd1a" integrity sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA== +fsevents@~2.3.2: + version "2.3.3" + resolved "https://registry.yarnpkg.com/fsevents/-/fsevents-2.3.3.tgz#cac6407785d03675a2a5e1a5305c697b347d90d6" + integrity sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw== + function-bind@^1.1.1: version "1.1.1" resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.1.tgz#a56899d3ea3c9bab874bb9773b7c5ede92f4895d" integrity sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A== +function-bind@^1.1.2: + version "1.1.2" + resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.2.tgz#2c02d864d97f3ea6c8830c464cbd11ab6eab7a1c" + integrity sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA== + +functions-have-names@^1.2.3: + version "1.2.3" + resolved "https://registry.yarnpkg.com/functions-have-names/-/functions-have-names-1.2.3.tgz#0404fe4ee2ba2f607f0e0ec3c80bae994133b834" + integrity sha512-xckBUXyTIqT97tq2x2AMb+g163b5JFysYk0x4qxNFwbfQkmNZoiRHb6sPzI9/QV33WeuvVYBUIiD4NzNIyqaRQ== + gensync@^1.0.0-beta.2: version "1.0.0-beta.2" resolved "https://registry.yarnpkg.com/gensync/-/gensync-1.0.0-beta.2.tgz#32a6ee76c3d7f52d46b2b1ae5d93fea8580a25e0" 
@@ -1187,6 +1778,22 @@ get-caller-file@^2.0.5: resolved "https://registry.yarnpkg.com/get-caller-file/-/get-caller-file-2.0.5.tgz#4f94412a82db32f36e3b0b9741f8a97feb031f7e" integrity sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg== +get-func-name@^2.0.1: + version "2.0.2" + resolved "https://registry.yarnpkg.com/get-func-name/-/get-func-name-2.0.2.tgz#0d7cf20cd13fda808669ffa88f4ffc7a3943fc41" + integrity sha512-8vXOvuE167CtIc3OyItco7N/dpRtBbYOsPsXCz7X/PMnlGjYjSGuZJgM1Y7mmew7BKf9BqvLX2tnOVy1BBUsxQ== + +get-intrinsic@^1.1.3, get-intrinsic@^1.2.1, get-intrinsic@^1.2.2, get-intrinsic@^1.2.4: + version "1.2.4" + resolved "https://registry.yarnpkg.com/get-intrinsic/-/get-intrinsic-1.2.4.tgz#e385f5a4b5227d449c3eabbad05494ef0abbeadd" + integrity sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ== + dependencies: + es-errors "^1.3.0" + function-bind "^1.1.2" + has-proto "^1.0.1" + has-symbols "^1.0.3" + hasown "^2.0.0" + get-package-type@^0.1.0: version "0.1.0" resolved "https://registry.yarnpkg.com/get-package-type/-/get-package-type-0.1.0.tgz#8de2d803cff44df3bc6c456e6668b36c3926e11a" 
@@ -1197,18 +1804,26 @@ get-stream@^6.0.0: resolved "https://registry.yarnpkg.com/get-stream/-/get-stream-6.0.1.tgz#a262d8eef67aced57c2852ad6167526a43cbf7b7" integrity sha512-ts6Wi+2j3jQjqi70w5AlN8DFnkSwC+MqmxEzdEALB2qXZYV3X/b1CTfgPLGJNMeAWxdPfU8FO1ms3NUfaHCPYg== -glob@^10.3.3: - version "10.3.3" - resolved "https://registry.yarnpkg.com/glob/-/glob-10.3.3.tgz#8360a4ffdd6ed90df84aa8d52f21f452e86a123b" - integrity sha512-92vPiMb/iqpmEgsOoIDvTjc50wf9CCCvMzsi6W0JLPeUKE8TWP1a73PgqSrqy7iAZxaSD1YdzU7QZR5LF51MJw== +glob-parent@~5.1.2: + version "5.1.2" + resolved "https://registry.yarnpkg.com/glob-parent/-/glob-parent-5.1.2.tgz#869832c58034fe68a4093c17dc15e8340d8401c4" + integrity sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow== dependencies: - foreground-child "^3.1.0" - jackspeak "^2.0.3" - minimatch "^9.0.1" - minipass "^5.0.0 || ^6.0.2 || ^7.0.0" - path-scurry "^1.10.1" + is-glob "^4.0.1" + +glob@7.2.0: + version "7.2.0" + resolved "https://registry.yarnpkg.com/glob/-/glob-7.2.0.tgz#d15535af7732e02e948f4c41628bd910293f6023" + integrity sha512-lmLf6gtyrPq8tTjSmrO94wBeQbFR3HbLHbuyD69wuyQkImp2hWqMGB47OX65FBkPffO641IP9jWa1z4ivqG26Q== + dependencies: + fs.realpath "^1.0.0" + inflight "^1.0.4" + inherits "2" + minimatch "^3.0.4" + once "^1.3.0" + path-is-absolute "^1.0.0" -glob@^7.1.3, glob@^7.1.4: +glob@7.2.3, glob@^7.1.3, glob@^7.1.4, glob@^7.2.3: version "7.2.3" resolved "https://registry.yarnpkg.com/glob/-/glob-7.2.3.tgz#b8df0fb802bbfa8e89bd1d938b4e16578ed44f2b" integrity sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q== 
@@ -1220,16 +1835,39 @@ glob@^7.1.3, glob@^7.1.4: once "^1.3.0" path-is-absolute "^1.0.0" +glob@^10.3.3: + version "10.3.3" + resolved "https://registry.yarnpkg.com/glob/-/glob-10.3.3.tgz#8360a4ffdd6ed90df84aa8d52f21f452e86a123b" + integrity sha512-92vPiMb/iqpmEgsOoIDvTjc50wf9CCCvMzsi6W0JLPeUKE8TWP1a73PgqSrqy7iAZxaSD1YdzU7QZR5LF51MJw== + dependencies: + foreground-child "^3.1.0" + jackspeak "^2.0.3" + minimatch "^9.0.1" + minipass "^5.0.0 || ^6.0.2 || ^7.0.0" + path-scurry "^1.10.1" + globals@^11.1.0: version "11.12.0" resolved "https://registry.yarnpkg.com/globals/-/globals-11.12.0.tgz#ab8795338868a0babd8525758018c2a7eb95c42e" integrity sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA== -graceful-fs@^4.2.9: +gopd@^1.0.1: + version "1.0.1" + resolved "https://registry.yarnpkg.com/gopd/-/gopd-1.0.1.tgz#29ff76de69dac7489b7c0918a5788e56477c332c" + integrity sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA== + dependencies: + get-intrinsic "^1.1.3" + +graceful-fs@^4.2.0, graceful-fs@^4.2.9: version "4.2.11" resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.2.11.tgz#4183e4e8bf08bb6e05bbb2f7d2e0c8f712ca40e3" integrity sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ== +has-bigints@^1.0.1: + version "1.0.2" + resolved "https://registry.yarnpkg.com/has-bigints/-/has-bigints-1.0.2.tgz#0871bd3e3d51626f6ca0966668ba35d5602d6eaa" + integrity sha512-tSvCKtBr9lkF0Ex0aQiP9N+OpV4zi2r/Nee5VkRDbaqv35RLYMzbwQfFSZZH0kR+Rd6302UJZ2p/bJCEoR3VoQ== + has-flag@^3.0.0: version "3.0.0" resolved "https://registry.yarnpkg.com/has-flag/-/has-flag-3.0.0.tgz#b5d454dc2199ae225699f3467e5a07f3b955bafd" 
@@ -1240,6 +1878,30 @@ has-flag@^4.0.0: resolved "https://registry.yarnpkg.com/has-flag/-/has-flag-4.0.0.tgz#944771fd9c81c81265c4d6941860da06bb59479b" integrity sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ== +has-property-descriptors@^1.0.0, has-property-descriptors@^1.0.2: + version "1.0.2" + resolved "https://registry.yarnpkg.com/has-property-descriptors/-/has-property-descriptors-1.0.2.tgz#963ed7d071dc7bf5f084c5bfbe0d1b6222586854" + integrity sha512-55JNKuIW+vq4Ke1BjOTjM2YctQIvCT7GFzHwmfZPGo5wnrgkid0YQtnAleFSqumZm4az3n2BS+erby5ipJdgrg== + dependencies: + es-define-property "^1.0.0" + +has-proto@^1.0.1: + version "1.0.3" + resolved "https://registry.yarnpkg.com/has-proto/-/has-proto-1.0.3.tgz#b31ddfe9b0e6e9914536a6ab286426d0214f77fd" + integrity sha512-SJ1amZAJUiZS+PhsVLf5tGydlaVB8EdFpaSO4gmiUKUOxk8qzn5AIy4ZeJUmh22znIdk/uMAUT2pl3FxzVUH+Q== + +has-symbols@^1.0.2, has-symbols@^1.0.3: + version "1.0.3" + resolved "https://registry.yarnpkg.com/has-symbols/-/has-symbols-1.0.3.tgz#bb7b2c4349251dce87b125f7bdf874aa7c8b39f8" + integrity sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A== + +has-tostringtag@^1.0.0, has-tostringtag@^1.0.2: + version "1.0.2" + resolved "https://registry.yarnpkg.com/has-tostringtag/-/has-tostringtag-1.0.2.tgz#2cdc42d40bef2e5b4eeab7c01a73c54ce7ab5abc" + integrity sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw== + dependencies: + has-symbols "^1.0.3" + has@^1.0.3: version "1.0.3" resolved "https://registry.yarnpkg.com/has/-/has-1.0.3.tgz#722d7cbfc1f6aa8241f16dd814e011e1f41e8796" 
@@ -1247,16 +1909,68 @@ has@^1.0.3: dependencies: function-bind "^1.1.1" +hasown@^2.0.0: + version "2.0.2" + resolved "https://registry.yarnpkg.com/hasown/-/hasown-2.0.2.tgz#003eaf91be7adc372e84ec59dc37252cedb80003" + integrity sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ== + dependencies: + function-bind "^1.1.2" + +he@1.2.0: + version "1.2.0" + resolved "https://registry.yarnpkg.com/he/-/he-1.2.0.tgz#84ae65fa7eafb165fddb61566ae14baf05664f0f" + integrity sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw== + +html-encoding-sniffer@^4.0.0: + version "4.0.0" + resolved "https://registry.yarnpkg.com/html-encoding-sniffer/-/html-encoding-sniffer-4.0.0.tgz#696df529a7cfd82446369dc5193e590a3735b448" + integrity sha512-Y22oTqIU4uuPgEemfz7NDJz6OeKf12Lsu+QC+s3BVpda64lTiMYCyGwg5ki4vFxkMwQdeZDl2adZoqUgdFuTgQ== + dependencies: + whatwg-encoding "^3.1.1" + html-escaper@^2.0.0: version "2.0.2" resolved "https://registry.yarnpkg.com/html-escaper/-/html-escaper-2.0.2.tgz#dfd60027da36a36dfcbe236262c00a5822681453" integrity sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg== +http-proxy-agent@^7.0.0: + version "7.0.2" + resolved "https://registry.yarnpkg.com/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz#9a8b1f246866c028509486585f62b8f2c18c270e" + integrity sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig== + dependencies: + agent-base "^7.1.0" + debug "^4.3.4" + +https-proxy-agent@^7.0.2: + version "7.0.4" + resolved "https://registry.yarnpkg.com/https-proxy-agent/-/https-proxy-agent-7.0.4.tgz#8e97b841a029ad8ddc8731f26595bad868cb4168" + integrity sha512-wlwpilI7YdjSkWaQ/7omYBMTliDcmCN8OLihO6I9B86g06lMyAoqgoDpV0XqoaPOKj+0DIdAvnsWfyAAhmimcg== + dependencies: + agent-base "^7.0.2" + debug "4" + human-signals@^2.1.0: version "2.1.0" resolved 
"https://registry.yarnpkg.com/human-signals/-/human-signals-2.1.0.tgz#dc91fcba42e4d06e4abaed33b3e7a3c02f514ea0" integrity sha512-B4FFZ6q/T2jhhksgkbEW3HBvWIfDW85snkQgawt07S7J5QXTk6BkNV+0yAeZrM5QpMAdYlocGoljn0sJ/WQkFw== +iconv-lite@0.6.3: + version "0.6.3" + resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.6.3.tgz#a52f80bf38da1952eb5c681790719871a1a72501" + integrity sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw== + dependencies: + safer-buffer ">= 2.1.2 < 3.0.0" + +ieee754@^1.1.13: + version "1.2.1" + resolved "https://registry.yarnpkg.com/ieee754/-/ieee754-1.2.1.tgz#8eb7a10a63fff25d15a57b001586d177d1b0d352" + integrity sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA== + +immediate@~3.0.5: + version "3.0.6" + resolved "https://registry.yarnpkg.com/immediate/-/immediate-3.0.6.tgz#9db1dbd0faf8de6fbe0f5dd5e56bb606280de69b" + integrity sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ== + import-local@^3.0.2: version "3.1.0" resolved "https://registry.yarnpkg.com/import-local/-/import-local-3.1.0.tgz#b4479df8a5fd44f6cdce24070675676063c95cb4" 
@@ -1278,25 +1992,94 @@ inflight@^1.0.4: once "^1.3.0" wrappy "1" -inherits@2: +inherits@2, inherits@^2.0.3, inherits@^2.0.4, inherits@~2.0.3: version "2.0.4" resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c" integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ== +internal-slot@^1.0.4: + version "1.0.7" + resolved "https://registry.yarnpkg.com/internal-slot/-/internal-slot-1.0.7.tgz#c06dcca3ed874249881007b0a5523b172a190802" + integrity sha512-NGnrKwXzSms2qUUih/ILZ5JBqNTSa1+ZmP6flaIp6KmSElgE9qdndzS3cqjrDovwFdmwsGsLdeFgB6suw+1e9g== + dependencies: + es-errors "^1.3.0" + hasown "^2.0.0" + side-channel "^1.0.4" + +is-arguments@^1.1.1: + version "1.1.1" + resolved "https://registry.yarnpkg.com/is-arguments/-/is-arguments-1.1.1.tgz#15b3f88fda01f2a97fec84ca761a560f123efa9b" + integrity sha512-8Q7EARjzEnKpt/PCD7e1cgUS0a6X8u5tdSiMqXhojOdoV9TsMsiO+9VLC5vAmO8N7/GmXn7yjR8qnA6bVAEzfA== + dependencies: + call-bind "^1.0.2" + has-tostringtag "^1.0.0" + +is-array-buffer@^3.0.2, is-array-buffer@^3.0.4: + version "3.0.4" + resolved "https://registry.yarnpkg.com/is-array-buffer/-/is-array-buffer-3.0.4.tgz#7a1f92b3d61edd2bc65d24f130530ea93d7fae98" + integrity sha512-wcjaerHw0ydZwfhiKbXJWLDY8A7yV7KhjQOpb83hGgGfId/aQa4TOvwyzn2PuswW2gPCYEL/nEAiSVpdOj1lXw== + dependencies: + call-bind "^1.0.2" + get-intrinsic "^1.2.1" + is-arrayish@^0.2.1: version "0.2.1" resolved "https://registry.yarnpkg.com/is-arrayish/-/is-arrayish-0.2.1.tgz#77c99840527aa8ecb1a8ba697b80645a7a926a9d" integrity sha512-zz06S8t0ozoDXMG+ube26zeCTNXcKIPJZJi8hBrF4idCLms4CG9QtK7qBl1boi5ODzFpjswb5JPmHCbMpjaYzg== -is-core-module@^2.11.0: - version "2.12.0" - resolved "https://registry.yarnpkg.com/is-core-module/-/is-core-module-2.12.0.tgz#36ad62f6f73c8253fd6472517a12483cf03e7ec4" - integrity sha512-RECHCBCd/viahWmwj6enj19sKbHfJrddi/6cBDsNTKbNq0f7VeaUkBo60BqzvPqo/W54ChS62Z5qyun7cfOMqQ== +is-bigint@^1.0.1: + version 
"1.0.4" + resolved "https://registry.yarnpkg.com/is-bigint/-/is-bigint-1.0.4.tgz#08147a1875bc2b32005d41ccd8291dffc6691df3" + integrity sha512-zB9CruMamjym81i2JZ3UMn54PKGsQzsJeo6xvN3HJJ4CAsQNB6iRutp2To77OfCNuoxspsIhzaPoO1zyCEhFOg== dependencies: - has "^1.0.3" + has-bigints "^1.0.1" -is-fullwidth-code-point@^3.0.0: - version "3.0.0" +is-binary-path@~2.1.0: + version "2.1.0" + resolved "https://registry.yarnpkg.com/is-binary-path/-/is-binary-path-2.1.0.tgz#ea1f7f3b80f064236e83470f86c09c254fb45b09" + integrity sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw== + dependencies: + binary-extensions "^2.0.0" + +is-boolean-object@^1.1.0: + version "1.1.2" + resolved "https://registry.yarnpkg.com/is-boolean-object/-/is-boolean-object-1.1.2.tgz#5c6dc200246dd9321ae4b885a114bb1f75f63719" + integrity sha512-gDYaKHJmnj4aWxyj6YHyXVpdQawtVLHU5cb+eztPGczf6cjuTdwve5ZIEfgXqH4e57An1D1AKf8CZ3kYrQRqYA== + dependencies: + call-bind "^1.0.2" + has-tostringtag "^1.0.0" + +is-callable@^1.1.3: + version "1.2.7" + resolved "https://registry.yarnpkg.com/is-callable/-/is-callable-1.2.7.tgz#3bc2a85ea742d9e36205dcacdd72ca1fdc51b055" + integrity sha512-1BC0BVFhS/p0qtw6enp8e+8OD0UrK0oFLztSjNzhcKA3WDuJxxAPXzPuPtKkjEY9UUoEWlX/8fgKeu2S8i9JTA== + +is-core-module@^2.11.0: + version "2.12.0" + resolved "https://registry.yarnpkg.com/is-core-module/-/is-core-module-2.12.0.tgz#36ad62f6f73c8253fd6472517a12483cf03e7ec4" + integrity sha512-RECHCBCd/viahWmwj6enj19sKbHfJrddi/6cBDsNTKbNq0f7VeaUkBo60BqzvPqo/W54ChS62Z5qyun7cfOMqQ== + dependencies: + has "^1.0.3" + +is-date-object@^1.0.5: + version "1.0.5" + resolved "https://registry.yarnpkg.com/is-date-object/-/is-date-object-1.0.5.tgz#0841d5536e724c25597bf6ea62e1bd38298df31f" + integrity sha512-9YQaSxsAiSwcvS33MBk3wTCVnWK+HhF8VZR2jRxehM16QcVOdHqPn4VPHmRK4lSr38n9JriurInLcP90xsYNfQ== + dependencies: + has-tostringtag "^1.0.0" + +is-docker@^2.0.0, is-docker@^2.1.1: + version "2.2.1" + resolved 
"https://registry.yarnpkg.com/is-docker/-/is-docker-2.2.1.tgz#33eeabe23cfe86f14bde4408a02c0cfb853acdaa" + integrity sha512-F+i2BKsFrH66iaUFc0woD8sLy8getkwTwtOBjvs56Cx4CgJDeKQeqfz8wAYiSb8JOprWhHH5p77PbmYCvvUuXQ== + +is-extglob@^2.1.1: + version "2.1.1" + resolved "https://registry.yarnpkg.com/is-extglob/-/is-extglob-2.1.1.tgz#a88c02535791f02ed37c76a1b9ea9773c833f8c2" + integrity sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ== + +is-fullwidth-code-point@^3.0.0: + version "3.0.0" resolved "https://registry.yarnpkg.com/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz#f116f8064fe90b3f7844a38997c0b75051269f1d" integrity sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg== 
@@ -1305,16 +2088,119 @@ is-generator-fn@^2.0.0: resolved "https://registry.yarnpkg.com/is-generator-fn/-/is-generator-fn-2.1.0.tgz#7d140adc389aaf3011a8f2a2a4cfa6faadffb118" integrity sha512-cTIB4yPYL/Grw0EaSzASzg6bBy9gqCofvWN8okThAYIxKJZC+udlRAmGbM0XLeniEJSs8uEgHPGuHSe1XsOLSQ== +is-glob@^4.0.1, is-glob@~4.0.1: + version "4.0.3" + resolved "https://registry.yarnpkg.com/is-glob/-/is-glob-4.0.3.tgz#64f61e42cbbb2eec2071a9dac0b28ba1e65d5084" + integrity sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg== + dependencies: + is-extglob "^2.1.1" + +is-interactive@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/is-interactive/-/is-interactive-1.0.0.tgz#cea6e6ae5c870a7b0a0004070b7b587e0252912e" + integrity sha512-2HvIEKRoqS62guEC+qBjpvRubdX910WCMuJTZ+I9yvqKU2/12eSL549HMwtabb4oupdj2sMP50k+XJfB/8JE6w== + +is-map@^2.0.2, is-map@^2.0.3: + version "2.0.3" + resolved "https://registry.yarnpkg.com/is-map/-/is-map-2.0.3.tgz#ede96b7fe1e270b3c4465e3a465658764926d62e" + integrity sha512-1Qed0/Hr2m+YqxnM09CjA2d/i6YZNfF6R2oRAOj36eUdS6qIV/huPJNSEpKbupewFs+ZsJlxsjjPbc0/afW6Lw== + +is-number-object@^1.0.4: + version "1.0.7" + resolved "https://registry.yarnpkg.com/is-number-object/-/is-number-object-1.0.7.tgz#59d50ada4c45251784e9904f5246c742f07a42fc" + integrity sha512-k1U0IRzLMo7ZlYIfzRu23Oh6MiIFasgpb9X76eqfFZAqwH44UI4KTBvBYIZ1dSL9ZzChTB9ShHfLkR4pdW5krQ== + dependencies: + has-tostringtag "^1.0.0" + is-number@^7.0.0: version "7.0.0" resolved "https://registry.yarnpkg.com/is-number/-/is-number-7.0.0.tgz#7535345b896734d5f80c4d06c50955527a14f12b" integrity sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng== +is-plain-obj@^2.1.0: + version "2.1.0" + resolved "https://registry.yarnpkg.com/is-plain-obj/-/is-plain-obj-2.1.0.tgz#45e42e37fccf1f40da8e5f76ee21515840c09287" + integrity sha512-YWnfyRwxL/+SsrWYfOpUtz5b3YD+nyfkHvjbcanzk8zgyO4ASD67uVMRt8k5bM4lLMDnXfriRhOpemw+NfT1eA== + 
+is-potential-custom-element-name@^1.0.1: + version "1.0.1" + resolved "https://registry.yarnpkg.com/is-potential-custom-element-name/-/is-potential-custom-element-name-1.0.1.tgz#171ed6f19e3ac554394edf78caa05784a45bebb5" + integrity sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ== + +is-regex@^1.1.4: + version "1.1.4" + resolved "https://registry.yarnpkg.com/is-regex/-/is-regex-1.1.4.tgz#eef5663cd59fa4c0ae339505323df6854bb15958" + integrity sha512-kvRdxDsxZjhzUX07ZnLydzS1TU/TJlTUHHY4YLL87e37oUA49DfkLqgy+VjFocowy29cKvcSiu+kIv728jTTVg== + dependencies: + call-bind "^1.0.2" + has-tostringtag "^1.0.0" + +is-set@^2.0.2, is-set@^2.0.3: + version "2.0.3" + resolved "https://registry.yarnpkg.com/is-set/-/is-set-2.0.3.tgz#8ab209ea424608141372ded6e0cb200ef1d9d01d" + integrity sha512-iPAjerrse27/ygGLxw+EBR9agv9Y6uLeYVJMu+QNCoouJ1/1ri0mGrcWpfCqFZuzzx3WjtwxG098X+n4OuRkPg== + +is-shared-array-buffer@^1.0.2: + version "1.0.3" + resolved "https://registry.yarnpkg.com/is-shared-array-buffer/-/is-shared-array-buffer-1.0.3.tgz#1237f1cba059cdb62431d378dcc37d9680181688" + integrity sha512-nA2hv5XIhLR3uVzDDfCIknerhx8XUKnstuOERPNNIinXG7v9u+ohXF67vxm4TPTEPU6lm61ZkwP3c9PCB97rhg== + dependencies: + call-bind "^1.0.7" + is-stream@^2.0.0: version "2.0.1" resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-2.0.1.tgz#fac1e3d53b97ad5a9d0ae9cef2389f5810a5c077" integrity sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg== +is-string@^1.0.5, is-string@^1.0.7: + version "1.0.7" + resolved "https://registry.yarnpkg.com/is-string/-/is-string-1.0.7.tgz#0dd12bf2006f255bb58f695110eff7491eebc0fd" + integrity sha512-tE2UXzivje6ofPW7l23cjDOMa09gb7xlAqG6jG5ej6uPV32TlWP3NKPigtaGeHNu9fohccRYvIiZMfOOnOYUtg== + dependencies: + has-tostringtag "^1.0.0" + +is-symbol@^1.0.3: + version "1.0.4" + resolved "https://registry.yarnpkg.com/is-symbol/-/is-symbol-1.0.4.tgz#a6dac93b635b063ca6872236de88910a57af139c" + integrity 
sha512-C/CPBqKWnvdcxqIARxyOh4v1UUEOCHpgDa0WYgpKDFMszcrPcffg5uhwSgPCLD2WWxmq6isisz87tzT01tuGhg== + dependencies: + has-symbols "^1.0.2" + +is-unicode-supported@^0.1.0: + version "0.1.0" + resolved "https://registry.yarnpkg.com/is-unicode-supported/-/is-unicode-supported-0.1.0.tgz#3f26c76a809593b52bfa2ecb5710ed2779b522a7" + integrity sha512-knxG2q4UC3u8stRGyAVJCOdxFmv5DZiRcdlIaAQXAbSfJya+OhopNotLQrstBhququ4ZpuKbDc/8S6mgXgPFPw== + +is-weakmap@^2.0.2: + version "2.0.2" + resolved "https://registry.yarnpkg.com/is-weakmap/-/is-weakmap-2.0.2.tgz#bf72615d649dfe5f699079c54b83e47d1ae19cfd" + integrity sha512-K5pXYOm9wqY1RgjpL3YTkF39tni1XajUIkawTLUo9EZEVUFga5gSQJF8nNS7ZwJQ02y+1YCNYcMh+HIf1ZqE+w== + +is-weakset@^2.0.3: + version "2.0.3" + resolved "https://registry.yarnpkg.com/is-weakset/-/is-weakset-2.0.3.tgz#e801519df8c0c43e12ff2834eead84ec9e624007" + integrity sha512-LvIm3/KWzS9oRFHugab7d+M/GcBXuXX5xZkzPmN+NxihdQlZUQ4dWuSV1xR/sq6upL1TJEDrfBgRepHFdBtSNQ== + dependencies: + call-bind "^1.0.7" + get-intrinsic "^1.2.4" + +is-wsl@^2.2.0: + version "2.2.0" + resolved "https://registry.yarnpkg.com/is-wsl/-/is-wsl-2.2.0.tgz#74a4c76e77ca9fd3f932f290c17ea326cd157271" + integrity sha512-fKzAra0rGJUUBwGBgNkHZuToZcn+TtXHpeCgmkMJMMYx1sQDYaCSyjJBSCa2nH1DGm7s3n1oBnohoVTBaN7Lww== + dependencies: + is-docker "^2.0.0" + +isarray@^2.0.5: + version "2.0.5" + resolved "https://registry.yarnpkg.com/isarray/-/isarray-2.0.5.tgz#8af1e4c1221244cc62459faf38940d4e644a5723" + integrity sha512-xHjhDr3cNBK0BzdUJSPXZntQUx/mwMS5Rw4A7lPJ90XGAO6ISP/ePDNuo0vhqOZU+UD5JoodwCAAoZQd3FeAKw== + +isarray@~1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/isarray/-/isarray-1.0.0.tgz#bb935d48582cba168c06834957a54a3e07124f11" + integrity sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ== + isexe@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/isexe/-/isexe-2.0.0.tgz#e8fbf374dc556ff8947a10dcb0572d633f2cfa10" 
@@ -1371,6 +2257,16 @@ jackspeak@^2.0.3: optionalDependencies: "@pkgjs/parseargs" "^0.11.0" +jake@^10.8.5: + version "10.8.7" + resolved "https://registry.yarnpkg.com/jake/-/jake-10.8.7.tgz#63a32821177940c33f356e0ba44ff9d34e1c7d8f" + integrity sha512-ZDi3aP+fG/LchyBzUM804VjddnwfSfsdeYkwt8NcbKRvo4rFkjhs456iLFn3k2ZUWvNe4i48WACDbza8fhq2+w== + dependencies: + async "^3.2.3" + chalk "^4.0.2" + filelist "^1.0.4" + minimatch "^3.1.2" + jest-changed-files@^29.5.0: version "29.5.0" resolved "https://registry.yarnpkg.com/jest-changed-files/-/jest-changed-files-29.5.0.tgz#e88786dca8bf2aa899ec4af7644e16d9dcf9b23e" @@ -1735,6 +2631,13 @@ js-tokens@^4.0.0: resolved "https://registry.yarnpkg.com/js-tokens/-/js-tokens-4.0.0.tgz#19203fb59991df98e3a287050d4647cdeaf32499" integrity sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ== +js-yaml@4.1.0, js-yaml@^4.1.0: + version "4.1.0" + resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz#c1fb65f8f5017901cdd2c951864ba18458a10602" + integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA== + dependencies: + argparse "^2.0.1" + js-yaml@^3.13.1: version "3.14.1" resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.1.tgz#dae812fdb3825fa306609a8717383c50c36a0537" 
@@ -1743,12 +2646,32 @@ js-yaml@^3.13.1: argparse "^1.0.7" esprima "^4.0.0" -js-yaml@^4.1.0: - version "4.1.0" - resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz#c1fb65f8f5017901cdd2c951864ba18458a10602" - integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA== - dependencies: - argparse "^2.0.1" +jsdom@^23.1.0: + version "23.2.0" + resolved "https://registry.yarnpkg.com/jsdom/-/jsdom-23.2.0.tgz#08083220146d41c467efa1c6969f02b525ba6c1d" + integrity sha512-L88oL7D/8ufIES+Zjz7v0aes+oBMh2Xnh3ygWvL0OaICOomKEPKuPnIfBJekiXr+BHbbMjrWn/xqrDQuxFTeyA== + dependencies: + "@asamuzakjp/dom-selector" "^2.0.1" + cssstyle "^4.0.1" + data-urls "^5.0.0" + decimal.js "^10.4.3" + form-data "^4.0.0" + html-encoding-sniffer "^4.0.0" + http-proxy-agent "^7.0.0" + https-proxy-agent "^7.0.2" + is-potential-custom-element-name "^1.0.1" + parse5 "^7.1.2" + rrweb-cssom "^0.6.0" + saxes "^6.0.0" + symbol-tree "^3.2.4" + tough-cookie "^4.1.3" + w3c-xmlserializer "^5.0.0" + webidl-conversions "^7.0.0" + whatwg-encoding "^3.1.1" + whatwg-mimetype "^4.0.0" + whatwg-url "^14.0.0" + ws "^8.16.0" + xml-name-validator "^5.0.0" jsesc@^2.5.1: version "2.5.2" 
@@ -1765,16 +2688,40 @@ json5@^2.2.2: resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.3.tgz#78cd6f1a19bdc12b73db5ad0c61efd66c1e29283" integrity sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg== +jszip@^3.10.1: + version "3.10.1" + resolved "https://registry.yarnpkg.com/jszip/-/jszip-3.10.1.tgz#34aee70eb18ea1faec2f589208a157d1feb091c2" + integrity sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g== + dependencies: + lie "~3.3.0" + pako "~1.0.2" + readable-stream "~2.3.6" + setimmediate "^1.0.5" + kleur@^3.0.3: version "3.0.3" resolved "https://registry.yarnpkg.com/kleur/-/kleur-3.0.3.tgz#a79c9ecc86ee1ce3fa6206d1216c501f147fc07e" integrity sha512-eTIzlVOSUR+JxdDFepEYcBMtZ9Qqdef+rnzWdRZuMbOywu5tO2w2N7rqjoANZ5k9vywhL6Br1VRjUIgTQx4E8w== +lazystream@^1.0.0: + version "1.0.1" + resolved "https://registry.yarnpkg.com/lazystream/-/lazystream-1.0.1.tgz#494c831062f1f9408251ec44db1cba29242a2638" + integrity sha512-b94GiNHQNy6JNTrt5w6zNyffMrNkXZb3KTkCZJb2V1xaEGCk093vkZ2jk3tpaeP33/OiXC+WvK9AxUebnf5nbw== + dependencies: + readable-stream "^2.0.5" + leven@^3.1.0: version "3.1.0" resolved "https://registry.yarnpkg.com/leven/-/leven-3.1.0.tgz#77891de834064cccba82ae7842bb6b14a13ed7f2" integrity sha512-qsda+H8jTaUaN/x5vzW2rzc+8Rw4TAQ/4KjB46IwK5VH+IlVeeeje/EoZRpiXvIqjFgK84QffqPztGI3VBLG1A== +lie@~3.3.0: + version "3.3.0" + resolved "https://registry.yarnpkg.com/lie/-/lie-3.3.0.tgz#dcf82dee545f46074daf200c7c1c5a08e0f40f6a" + integrity sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ== + dependencies: + immediate "~3.0.5" + lines-and-columns@^1.1.6: version "1.2.4" resolved "https://registry.yarnpkg.com/lines-and-columns/-/lines-and-columns-1.2.4.tgz#eca284f75d2965079309dc0ad9255abb2ebc1632" 
@@ -1787,6 +2734,58 @@ locate-path@^5.0.0: dependencies: p-locate "^4.1.0" +locate-path@^6.0.0: + version "6.0.0" + resolved "https://registry.yarnpkg.com/locate-path/-/locate-path-6.0.0.tgz#55321eb309febbc59c4801d931a72452a681d286" + integrity sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw== + dependencies: + p-locate "^5.0.0" + +lodash.defaults@^4.2.0: + version "4.2.0" + resolved "https://registry.yarnpkg.com/lodash.defaults/-/lodash.defaults-4.2.0.tgz#d09178716ffea4dde9e5fb7b37f6f0802274580c" + integrity sha512-qjxPLHd3r5DnsdGacqOMU6pb/avJzdh9tFX2ymgoZE27BmjXrNy/y4LoaiTeAb+O3gL8AfpJGtqfX/ae2leYYQ== + +lodash.difference@^4.5.0: + version "4.5.0" + resolved "https://registry.yarnpkg.com/lodash.difference/-/lodash.difference-4.5.0.tgz#9ccb4e505d486b91651345772885a2df27fd017c" + integrity sha512-dS2j+W26TQ7taQBGN8Lbbq04ssV3emRw4NY58WErlTO29pIqS0HmoT5aJ9+TUQ1N3G+JOZSji4eugsWwGp9yPA== + +lodash.flatten@^4.4.0: + version "4.4.0" + resolved "https://registry.yarnpkg.com/lodash.flatten/-/lodash.flatten-4.4.0.tgz#f31c22225a9632d2bbf8e4addbef240aa765a61f" + integrity sha512-C5N2Z3DgnnKr0LOpv/hKCgKdb7ZZwafIrsesve6lmzvZIRZRGaZ/l6Q8+2W7NaT+ZwO3fFlSCzCzrDCFdJfZ4g== + +lodash.isplainobject@^4.0.6: + version "4.0.6" + resolved "https://registry.yarnpkg.com/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz#7c526a52d89b45c45cc690b88163be0497f550cb" + integrity sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA== + +lodash.union@^4.6.0: + version "4.6.0" + resolved "https://registry.yarnpkg.com/lodash.union/-/lodash.union-4.6.0.tgz#48bb5088409f16f1821666641c44dd1aaae3cd88" + integrity sha512-c4pB2CdGrGdjMKYLA+XiRDO7Y0PRQbm/Gzg8qMj+QH+pFVAoTp5sBpO0odL3FjoPCGjK96p6qsP+yQoiLoOBcw== + +lodash@^4.17.21: + version "4.17.21" + resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c" + integrity 
sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg== + +log-symbols@4.1.0, log-symbols@^4.1.0: + version "4.1.0" + resolved "https://registry.yarnpkg.com/log-symbols/-/log-symbols-4.1.0.tgz#3fbdbb95b4683ac9fc785111e792e558d4abd503" + integrity sha512-8XPvpAA8uyhfteu8pIvQxpJZ7SYYdpUivZpGy6sFsBuKRY/7rQGavedeB8aK+Zkyq6upMFVL/9AW6vOYzfRyLg== + dependencies: + chalk "^4.1.0" + is-unicode-supported "^0.1.0" + +loupe@^2.3.7: + version "2.3.7" + resolved "https://registry.yarnpkg.com/loupe/-/loupe-2.3.7.tgz#6e69b7d4db7d3ab436328013d37d1c8c3540c697" + integrity sha512-zSMINGVYkdpYSOBmLi0D1Uo7JU9nVdQKrHxC8eYlV+9YKK9WePqAlL7lSlorG/U2Fw1w0hTBmaa/jrQ3UbPHtA== + dependencies: + get-func-name "^2.0.1" + lru-cache@^5.1.1: version "5.1.1" resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-5.1.1.tgz#1da27e6710271947695daf6848e847f01d84b920" @@ -1820,6 +2819,11 @@ makeerror@1.0.12: dependencies: tmpl "1.0.5" +mdn-data@2.0.30: + version "2.0.30" + resolved "https://registry.yarnpkg.com/mdn-data/-/mdn-data-2.0.30.tgz#ce4df6f80af6cfbe218ecd5c552ba13c4dfa08cc" + integrity sha512-GaqWWShW4kv/G9IEucWScBx9G1/vsFZZJUO+tD26M8J8z3Kw5RDQjaoZe03YAClgeS/SWPOcb4nkFBTEi5DUEA== + merge-stream@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/merge-stream/-/merge-stream-2.0.0.tgz#52823629a14dd00c9770fb6ad47dc6310f2c1f60" 
@@ -1833,18 +2837,44 @@ micromatch@^4.0.4: braces "^3.0.2" picomatch "^2.3.1" +mime-db@1.52.0: + version "1.52.0" + resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.52.0.tgz#bbabcdc02859f4987301c856e3387ce5ec43bf70" + integrity sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg== + +mime-types@^2.1.12: + version "2.1.35" + resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.35.tgz#381a871b62a734450660ae3deee44813f70d959a" + integrity sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw== + dependencies: + mime-db "1.52.0" + mimic-fn@^2.1.0: version "2.1.0" resolved "https://registry.yarnpkg.com/mimic-fn/-/mimic-fn-2.1.0.tgz#7ed2c2ccccaf84d3ffcb7a69b57711fc2083401b" integrity sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg== -minimatch@^3.0.4, minimatch@^3.1.1: +minimatch@3.1.2, minimatch@^3.0.4, minimatch@^3.1.1, minimatch@^3.1.2: version "3.1.2" resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b" integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw== dependencies: brace-expansion "^1.1.7" +minimatch@5.0.1: + version "5.0.1" + resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.0.1.tgz#fb9022f7528125187c92bd9e9b6366be1cf3415b" + integrity sha512-nLDxIFRyhDblz3qMuq+SoRZED4+miJ/G+tdDrjkkkRnjAsBexeGpgjLEQ0blJy7rHhR2b93rhQY4SvyWu9v03g== + dependencies: + brace-expansion "^2.0.1" + +minimatch@^5.0.1, minimatch@^5.1.0: + version "5.1.6" + resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.1.6.tgz#1cfcb8cf5522ea69952cd2af95ae09477f122a96" + integrity sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g== + dependencies: + brace-expansion "^2.0.1" + minimatch@^9.0.0: version "9.0.0" resolved 
"https://registry.yarnpkg.com/minimatch/-/minimatch-9.0.0.tgz#bfc8e88a1c40ffd40c172ddac3decb8451503b56" 
@@ -1859,21 +2889,128 @@ minimatch@^9.0.1: dependencies: brace-expansion "^2.0.1" +minimist@1.2.6: + version "1.2.6" + resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.6.tgz#8637a5b759ea0d6e98702cfb3a9283323c93af44" + integrity sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q== + "minipass@^5.0.0 || ^6.0.2 || ^7.0.0": version "7.0.2" resolved "https://registry.yarnpkg.com/minipass/-/minipass-7.0.2.tgz#58a82b7d81c7010da5bd4b2c0c85ac4b4ec5131e" integrity sha512-eL79dXrE1q9dBbDCLg7xfn/vl7MS4F1gvJAgjJrQli/jbQWdUttuVawphqpffoIYfRdq78LHx6GP4bU/EQ2ATA== +mocha@10.2.0: + version "10.2.0" + resolved "https://registry.yarnpkg.com/mocha/-/mocha-10.2.0.tgz#1fd4a7c32ba5ac372e03a17eef435bd00e5c68b8" + integrity sha512-IDY7fl/BecMwFHzoqF2sg/SHHANeBoMMXFlS9r0OXKDssYE1M5O43wUY/9BVPeIvfH2zmEbBfseqN9gBQZzXkg== + dependencies: + ansi-colors "4.1.1" + browser-stdout "1.3.1" + chokidar "3.5.3" + debug "4.3.4" + diff "5.0.0" + escape-string-regexp "4.0.0" + find-up "5.0.0" + glob "7.2.0" + he "1.2.0" + js-yaml "4.1.0" + log-symbols "4.1.0" + minimatch "5.0.1" + ms "2.1.3" + nanoid "3.3.3" + serialize-javascript "6.0.0" + strip-json-comments "3.1.1" + supports-color "8.1.1" + workerpool "6.2.1" + yargs "16.2.0" + yargs-parser "20.2.4" + yargs-unparser "2.0.0" + ms@2.1.2: version "2.1.2" resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.2.tgz#d09d1f357b443f493382a8eb3ccd183872ae6009" integrity sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w== +ms@2.1.3: + version "2.1.3" + resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.3.tgz#574c8138ce1d2b5861f0b44579dbadd60c6615b2" + integrity sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA== + +nanoid@3.3.3: + version "3.3.3" + resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.3.tgz#fd8e8b7aa761fe807dba2d1b98fb7241bb724a25" + integrity 
sha512-p1sjXuopFs0xg+fPASzQ28agW1oHD7xDsd9Xkf3T15H3c/cifrFHVwrh74PdoklAPi+i7MdRsE47vm2r6JoB+w== + natural-compare@^1.4.0: version "1.4.0" resolved "https://registry.yarnpkg.com/natural-compare/-/natural-compare-1.4.0.tgz#4abebfeed7541f2c27acfb29bdbbd15c8d5ba4f7" integrity sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw== +nice-napi@^1.0.2: + version "1.0.2" + resolved "https://registry.yarnpkg.com/nice-napi/-/nice-napi-1.0.2.tgz#dc0ab5a1eac20ce548802fc5686eaa6bc654927b" + integrity sha512-px/KnJAJZf5RuBGcfD+Sp2pAKq0ytz8j+1NehvgIGFkvtvFrDM3T8E4x/JJODXK9WZow8RRGrbA9QQ3hs+pDhA== + dependencies: + node-addon-api "^3.0.0" + node-gyp-build "^4.2.2" + +nightwatch-axe-verbose@^2.3.0: + version "2.3.0" + resolved "https://registry.yarnpkg.com/nightwatch-axe-verbose/-/nightwatch-axe-verbose-2.3.0.tgz#56c6e2f35b039b4471e8b2db743d9d69940eb565" + integrity sha512-IC29PLvYrbbKRdIU/NJaxk/UvTmQ5EiNN08UnCWyImpzV0Y7tE1CYchrvFTaHXBZkkZTQC3uHTeHF/41mvK8eQ== + dependencies: + axe-core "^4.8.3" + +nightwatch@^3.6.1: + version "3.6.1" + resolved "https://registry.yarnpkg.com/nightwatch/-/nightwatch-3.6.1.tgz#58fc74f39ca1d8fcd84c2fb744d3f5676224f4d1" + integrity sha512-p70bzbc2SefTEI6bUebwlimcRaOhb8wNt5j9aDWkxTvTcczhoAzfDkNuic+fSMzsreiFweZXhX1enpB3eJZrZw== + dependencies: + "@nightwatch/chai" "5.0.3" + "@nightwatch/html-reporter-template" "^0.3.0" + "@nightwatch/nightwatch-inspector" "^1.0.1" + "@types/chai" "^4.3.5" + "@types/selenium-webdriver" "^4.1.14" + ansi-to-html "0.7.2" + aria-query "5.1.3" + assertion-error "1.1.0" + boxen "5.1.2" + chai-nightwatch "^0.5.3" + chalk "^4.1.2" + ci-info "3.3.0" + cli-table3 "^0.6.3" + devtools-protocol "^0.0.1140464" + didyoumean "^1.2.2" + dotenv "16.3.1" + ejs "3.1.8" + envinfo "7.11.0" + glob "7.2.3" + jsdom "^23.1.0" + lodash "^4.17.21" + minimatch "3.1.2" + minimist "1.2.6" + mocha "10.2.0" + nightwatch-axe-verbose "^2.3.0" + open "8.4.2" + ora "5.4.1" + piscina "^4.3.1" + selenium-webdriver 
"4.16.0" + semver "7.5.4" + stacktrace-parser "0.1.10" + strip-ansi "6.0.1" + untildify "4.0.0" + uuid "8.3.2" + +node-addon-api@^3.0.0: + version "3.2.1" + resolved "https://registry.yarnpkg.com/node-addon-api/-/node-addon-api-3.2.1.tgz#81325e0a2117789c0128dab65e7e38f07ceba161" + integrity sha512-mmcei9JghVNDYydghQmeDX8KoAm0FAiYyIcUt/N4nhyAipB17pllZQDOJD2fotxABnt4Mdz+dKTO7eftLg4d0A== + +node-gyp-build@^4.2.2: + version "4.8.0" + resolved "https://registry.yarnpkg.com/node-gyp-build/-/node-gyp-build-4.8.0.tgz#3fee9c1731df4581a3f9ead74664369ff00d26dd" + integrity sha512-u6fs2AEUljNho3EYTJNBfImO5QTo/J/1Etd+NVdCj7qWKUSN/bSLkZwhDv7I+w/MSC6qJ4cknepkAYykDdK8og== + node-int64@^0.4.0: version "0.4.0" resolved "https://registry.yarnpkg.com/node-int64/-/node-int64-0.4.0.tgz#87a9065cdb355d3182d8f94ce11188b825c68a3b" @@ -1884,7 +3021,12 @@ node-releases@^2.0.8: resolved "https://registry.yarnpkg.com/node-releases/-/node-releases-2.0.10.tgz#c311ebae3b6a148c89b1813fd7c4d3c024ef537f" integrity sha512-5GFldHPXVG/YZmFzJvKK2zDSzPKhEp0+ZR5SVaoSag9fsL5YgHbUHDfnG5494ISANDcK4KwPXAx2xqVEydmd7w== -normalize-path@^3.0.0: +nodemailer@^6.9.13: + version "6.9.13" + resolved "https://registry.yarnpkg.com/nodemailer/-/nodemailer-6.9.13.tgz#5b292bf1e92645f4852ca872c56a6ba6c4a3d3d6" + integrity sha512-7o38Yogx6krdoBf3jCAqnIN4oSQFx+fMa0I7dK1D+me9kBxx12D+/33wSb+fhOCtIxvYJ+4x4IMEhmhCKfAiOA== + +normalize-path@^3.0.0, normalize-path@~3.0.0: version "3.0.0" resolved "https://registry.yarnpkg.com/normalize-path/-/normalize-path-3.0.0.tgz#0dcd69ff23a1c9b11fd0978316644a0388216a65" integrity sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA== 
@@ -1896,20 +3038,72 @@ npm-run-path@^4.0.1: dependencies: path-key "^3.0.0" -once@^1.3.0: +object-inspect@^1.13.1: + version "1.13.1" + resolved "https://registry.yarnpkg.com/object-inspect/-/object-inspect-1.13.1.tgz#b96c6109324ccfef6b12216a956ca4dc2ff94bc2" + integrity sha512-5qoj1RUiKOMsCCNLV1CBiPYE10sziTsnmNxkAI/rZhiD63CF7IqdFGC/XzjWjpSgLf0LxXX3bDFIh0E18f6UhQ== + +object-is@^1.1.5: + version "1.1.6" + resolved "https://registry.yarnpkg.com/object-is/-/object-is-1.1.6.tgz#1a6a53aed2dd8f7e6775ff870bea58545956ab07" + integrity sha512-F8cZ+KfGlSGi09lJT7/Nd6KJZ9ygtvYC0/UYYLI9nmQKLMnydpB9yvbv9K1uSkEu7FU9vYPmVwLg328tX+ot3Q== + dependencies: + call-bind "^1.0.7" + define-properties "^1.2.1" + +object-keys@^1.1.1: + version "1.1.1" + resolved "https://registry.yarnpkg.com/object-keys/-/object-keys-1.1.1.tgz#1c47f272df277f3b1daf061677d9c82e2322c60e" + integrity sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA== + +object.assign@^4.1.4: + version "4.1.5" + resolved "https://registry.yarnpkg.com/object.assign/-/object.assign-4.1.5.tgz#3a833f9ab7fdb80fc9e8d2300c803d216d8fdbb0" + integrity sha512-byy+U7gp+FVwmyzKPYhW2h5l3crpmGsxl7X2s8y43IgxvG4g3QZ6CffDtsNQy1WsmZpQbO+ybo0AlW7TY6DcBQ== + dependencies: + call-bind "^1.0.5" + define-properties "^1.2.1" + has-symbols "^1.0.3" + object-keys "^1.1.1" + +once@^1.3.0, once@^1.4.0: version "1.4.0" resolved "https://registry.yarnpkg.com/once/-/once-1.4.0.tgz#583b1aa775961d4b113ac17d9c50baef9dd76bd1" integrity sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w== dependencies: wrappy "1" -onetime@^5.1.2: +onetime@^5.1.0, onetime@^5.1.2: version "5.1.2" resolved "https://registry.yarnpkg.com/onetime/-/onetime-5.1.2.tgz#d0e96ebb56b07476df1dd9c4806e5237985ca45e" integrity sha512-kbpaSSGJTWdAY5KPVeMOKXSrPtr8C8C7wodJbcsd51jRnmD+GZu8Y0VoU6Dm5Z4vWr0Ig/1NKuWRKf7j5aaYSg== dependencies: mimic-fn "^2.1.0" +open@8.4.2: + version "8.4.2" + resolved 
"https://registry.yarnpkg.com/open/-/open-8.4.2.tgz#5b5ffe2a8f793dcd2aad73e550cb87b59cb084f9" + integrity sha512-7x81NCL719oNbsq/3mh+hVrAWmFuEYUqrq/Iw3kUzH8ReypT9QQ0BLoJS7/G9k6N81XjW4qHWtjWwe/9eLy1EQ== + dependencies: + define-lazy-prop "^2.0.0" + is-docker "^2.1.1" + is-wsl "^2.2.0" + +ora@5.4.1: + version "5.4.1" + resolved "https://registry.yarnpkg.com/ora/-/ora-5.4.1.tgz#1b2678426af4ac4a509008e5e4ac9e9959db9e18" + integrity sha512-5b6Y85tPxZZ7QytO+BQzysW31HJku27cRIlkbAXaNx+BdcVi+LlRFmVXzeF6a7JCwJpyw5c4b+YSVImQIrBpuQ== + dependencies: + bl "^4.1.0" + chalk "^4.1.0" + cli-cursor "^3.1.0" + cli-spinners "^2.5.0" + is-interactive "^1.0.0" + is-unicode-supported "^0.1.0" + log-symbols "^4.1.0" + strip-ansi "^6.0.0" + wcwidth "^1.0.1" + p-limit@^2.2.0: version "2.3.0" resolved "https://registry.yarnpkg.com/p-limit/-/p-limit-2.3.0.tgz#3dd33c647a214fdfffd835933eb086da0dc21db1" @@ -1917,7 +3111,7 @@ p-limit@^2.2.0: dependencies: p-try "^2.0.0" -p-limit@^3.1.0: +p-limit@^3.0.2, p-limit@^3.1.0: version "3.1.0" resolved "https://registry.yarnpkg.com/p-limit/-/p-limit-3.1.0.tgz#e1daccbe78d0d1388ca18c64fea38e3e57e3706b" integrity sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ== 
@@ -1931,11 +3125,23 @@ p-locate@^4.1.0: dependencies: p-limit "^2.2.0" +p-locate@^5.0.0: + version "5.0.0" + resolved "https://registry.yarnpkg.com/p-locate/-/p-locate-5.0.0.tgz#83c8315c6785005e3bd021839411c9e110e6d834" + integrity sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw== + dependencies: + p-limit "^3.0.2" + p-try@^2.0.0: version "2.2.0" resolved "https://registry.yarnpkg.com/p-try/-/p-try-2.2.0.tgz#cb2868540e313d61de58fafbe35ce9004d5540e6" integrity sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ== +pako@~1.0.2: + version "1.0.11" + resolved "https://registry.yarnpkg.com/pako/-/pako-1.0.11.tgz#6c9599d340d54dfd3946380252a35705a6b992bf" + integrity sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw== + parse-json@^5.2.0: version "5.2.0" resolved "https://registry.yarnpkg.com/parse-json/-/parse-json-5.2.0.tgz#c76fc66dee54231c962b22bcc8a72cf2f99753cd" @@ -1946,6 +3152,13 @@ parse-json@^5.2.0: json-parse-even-better-errors "^2.3.0" lines-and-columns "^1.1.6" +parse5@^7.1.2: + version "7.1.2" + resolved "https://registry.yarnpkg.com/parse5/-/parse5-7.1.2.tgz#0736bebbfd77793823240a23b7fc5e010b7f8e32" + integrity sha512-Czj1WaSVpaoj0wbhMzLmWD69anp2WH7FXMB9n1Sy8/ZFF9jolSQVMu1Ij5WIyGmcBmhk7EOndpO4mIpihVqAXw== + dependencies: + entities "^4.4.0" + path-exists@^4.0.0: version "4.0.0" resolved "https://registry.yarnpkg.com/path-exists/-/path-exists-4.0.0.tgz#513bdbe2d3b95d7762e8c1137efa195c6c61b5b3" 
@@ -1974,12 +3187,17 @@ path-scurry@^1.10.1: lru-cache "^9.1.1 || ^10.0.0" minipass "^5.0.0 || ^6.0.2 || ^7.0.0" +pathval@1.1.1: + version "1.1.1" + resolved "https://registry.yarnpkg.com/pathval/-/pathval-1.1.1.tgz#8534e77a77ce7ac5a2512ea21e0fdb8fcf6c3d8d" + integrity sha512-Dp6zGqpTdETdR63lehJYPeIOqpiNBNtc7BpWSLrOje7UaIsE5aY92r/AunQA7rsXvet3lrJ3JnZX29UPTKXyKQ== + picocolors@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/picocolors/-/picocolors-1.0.0.tgz#cb5bdc74ff3f51892236eaf79d68bc44564ab81c" integrity sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ== -picomatch@^2.0.4, picomatch@^2.2.3, picomatch@^2.3.1: +picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^2.2.3, picomatch@^2.3.1: version "2.3.1" resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.1.tgz#3ba3833733646d9d3e4995946c1365a67fb07a42" integrity sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA== @@ -1989,6 +3207,13 @@ pirates@^4.0.4: resolved "https://registry.yarnpkg.com/pirates/-/pirates-4.0.5.tgz#feec352ea5c3268fb23a37c702ab1699f35a5f3b" integrity sha512-8V9+HQPupnaXMA23c5hvl69zXvTwTzyAYasnkb0Tts4XvO4CliqONMOnvlq26rkhLC3nWDFBJf73LU1e1VZLaQ== +piscina@^4.3.1: + version "4.4.0" + resolved "https://registry.yarnpkg.com/piscina/-/piscina-4.4.0.tgz#e3af8e5721d8fad08c6ccaf8a64f9f42279efbb5" + integrity sha512-+AQduEJefrOApE4bV7KRmp3N2JnnyErlVqq4P/jmko4FPz9Z877BCccl/iB3FdrWSUkvbGV9Kan/KllJgat3Vg== + optionalDependencies: + nice-napi "^1.0.2" + pkg-dir@^4.2.0: version "4.2.0" resolved "https://registry.yarnpkg.com/pkg-dir/-/pkg-dir-4.2.0.tgz#f099133df7ede422e81d1d8448270eeb3e4261f3" 
@@ -1996,6 +3221,11 @@ pkg-dir@^4.2.0: dependencies: find-up "^4.0.0" +possible-typed-array-names@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/possible-typed-array-names/-/possible-typed-array-names-1.0.0.tgz#89bb63c6fada2c3e90adc4a647beeeb39cc7bf8f" + integrity sha512-d7Uw+eZoloe0EHDIYoe+bQ5WXnGMOpmiZFTuMWCwpjzzkL2nTjcKiAk4hh8TjnGye2TwWOk3UXucZ+3rbmBa8Q== + pretty-format@^29.6.1: version "29.6.1" resolved "https://registry.yarnpkg.com/pretty-format/-/pretty-format-29.6.1.tgz#ec838c288850b7c4f9090b867c2d4f4edbfb0f3e" @@ -2005,6 +3235,11 @@ pretty-format@^29.6.1: ansi-styles "^5.0.0" react-is "^18.0.0" +process-nextick-args@~2.0.0: + version "2.0.1" + resolved "https://registry.yarnpkg.com/process-nextick-args/-/process-nextick-args-2.0.1.tgz#7820d9b16120cc55ca9ae7792680ae7dba6d7fe2" + integrity sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag== + prompts@^2.0.1: version "2.4.2" resolved "https://registry.yarnpkg.com/prompts/-/prompts-2.4.2.tgz#7b57e73b3a48029ad10ebd44f74b01722a4cb069" 
@@ -2013,21 +3248,99 @@ prompts@^2.0.1: kleur "^3.0.3" sisteransi "^1.0.5" +psl@^1.1.33: + version "1.9.0" + resolved "https://registry.yarnpkg.com/psl/-/psl-1.9.0.tgz#d0df2a137f00794565fcaf3b2c00cd09f8d5a5a7" + integrity sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag== + +punycode@^2.1.1, punycode@^2.3.1: + version "2.3.1" + resolved "https://registry.yarnpkg.com/punycode/-/punycode-2.3.1.tgz#027422e2faec0b25e1549c3e1bd8309b9133b6e5" + integrity sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg== + pure-rand@^6.0.0: version "6.0.2" resolved "https://registry.yarnpkg.com/pure-rand/-/pure-rand-6.0.2.tgz#a9c2ddcae9b68d736a8163036f088a2781c8b306" integrity sha512-6Yg0ekpKICSjPswYOuC5sku/TSWaRYlA0qsXqJgM/d/4pLPHPuTxK7Nbf7jFKzAeedUhR8C7K9Uv63FBsSo8xQ== +querystringify@^2.1.1: + version "2.2.0" + resolved "https://registry.yarnpkg.com/querystringify/-/querystringify-2.2.0.tgz#3345941b4153cb9d082d8eee4cda2016a9aef7f6" + integrity sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ== + +randombytes@^2.1.0: + version "2.1.0" + resolved "https://registry.yarnpkg.com/randombytes/-/randombytes-2.1.0.tgz#df6f84372f0270dc65cdf6291349ab7a473d4f2a" + integrity sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ== + dependencies: + safe-buffer "^5.1.0" + react-is@^18.0.0: version "18.2.0" resolved "https://registry.yarnpkg.com/react-is/-/react-is-18.2.0.tgz#199431eeaaa2e09f86427efbb4f1473edb47609b" integrity sha512-xWGDIW6x921xtzPkhiULtthJHoJvBbF3q26fzloPCK0hsvxtPVelvftw3zjbHWSkR2km9Z+4uxbDDK/6Zw9B8w== +readable-stream@^2.0.0, readable-stream@^2.0.5, readable-stream@~2.3.6: + version "2.3.8" + resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-2.3.8.tgz#91125e8042bba1b9887f49345f6277027ce8be9b" + integrity 
sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA== + dependencies: + core-util-is "~1.0.0" + inherits "~2.0.3" + isarray "~1.0.0" + process-nextick-args "~2.0.0" + safe-buffer "~5.1.1" + string_decoder "~1.1.1" + util-deprecate "~1.0.1" + +readable-stream@^3.1.1, readable-stream@^3.4.0, readable-stream@^3.6.0: + version "3.6.2" + resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-3.6.2.tgz#56a9b36ea965c00c5a93ef31eb111a0f11056967" + integrity sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA== + dependencies: + inherits "^2.0.3" + string_decoder "^1.1.1" + util-deprecate "^1.0.1" + +readdir-glob@^1.1.2: + version "1.1.3" + resolved "https://registry.yarnpkg.com/readdir-glob/-/readdir-glob-1.1.3.tgz#c3d831f51f5e7bfa62fa2ffbe4b508c640f09584" + integrity sha512-v05I2k7xN8zXvPD9N+z/uhXPaj0sUFCe2rcWZIpBsqxfP7xXFQ0tipAd/wjj1YxWyWtUS5IDJpOG82JKt2EAVA== + dependencies: + minimatch "^5.1.0" + +readdirp@~3.6.0: + version "3.6.0" + resolved "https://registry.yarnpkg.com/readdirp/-/readdirp-3.6.0.tgz#74a370bd857116e245b29cc97340cd431a02a6c7" + integrity sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA== + dependencies: + picomatch "^2.2.1" + +regexp.prototype.flags@^1.5.1: + version "1.5.2" + resolved "https://registry.yarnpkg.com/regexp.prototype.flags/-/regexp.prototype.flags-1.5.2.tgz#138f644a3350f981a858c44f6bb1a61ff59be334" + integrity sha512-NcDiDkTLuPR+++OCKB0nWafEmhg/Da8aUPLPMQbK+bxKKCm1/S5he+AqYa4PlMCVBalb4/yxIRub6qkEx5yJbw== + dependencies: + call-bind "^1.0.6" + define-properties "^1.2.1" + es-errors "^1.3.0" + set-function-name "^2.0.1" + require-directory@^2.1.1: version "2.1.1" resolved "https://registry.yarnpkg.com/require-directory/-/require-directory-2.1.1.tgz#8c64ad5fd30dab1c976e2344ffe7f792a6a6df42" integrity sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q== 
+require-from-string@^2.0.2: + version "2.0.2" + resolved "https://registry.yarnpkg.com/require-from-string/-/require-from-string-2.0.2.tgz#89a7fdd938261267318eafe14f9c32e598c36909" + integrity sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw== + +requires-port@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/requires-port/-/requires-port-1.0.0.tgz#925d2601d39ac485e091cf0da5c6e694dc3dcaff" + integrity sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ== + resolve-cwd@^3.0.0: version "3.0.0" resolved "https://registry.yarnpkg.com/resolve-cwd/-/resolve-cwd-3.0.0.tgz#0f0075f1bb2544766cf73ba6a6e2adfebcb13f2d" 
@@ -2054,18 +3367,96 @@ resolve@^1.20.0: path-parse "^1.0.7" supports-preserve-symlinks-flag "^1.0.0" -semver@^6.0.0, semver@^6.3.0: - version "6.3.1" - resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4" - integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA== +restore-cursor@^3.1.0: + version "3.1.0" + resolved "https://registry.yarnpkg.com/restore-cursor/-/restore-cursor-3.1.0.tgz#39f67c54b3a7a58cea5236d95cf0034239631f7e" + integrity sha512-l+sSefzHpj5qimhFSE5a8nufZYAM3sBSVMAPtYkmC+4EH2anSGaEMXSD0izRQbu9nfyQ9y5JrVmp7E8oZrUjvA== + dependencies: + onetime "^5.1.0" + signal-exit "^3.0.2" + +rrweb-cssom@^0.6.0: + version "0.6.0" + resolved "https://registry.yarnpkg.com/rrweb-cssom/-/rrweb-cssom-0.6.0.tgz#ed298055b97cbddcdeb278f904857629dec5e0e1" + integrity sha512-APM0Gt1KoXBz0iIkkdB/kfvGOwC4UuJFeG/c+yV7wSc7q96cG/kJ0HiYCnzivD9SB53cLV1MlHFNfOuPaadYSw== + +safe-buffer@^5.1.0, safe-buffer@~5.2.0: + version "5.2.1" + resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.2.1.tgz#1eaf9fa9bdb1fdd4ec75f58f9cdb4e6b7827eec6" + integrity sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ== + +safe-buffer@~5.1.0, safe-buffer@~5.1.1: + version "5.1.2" + resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.2.tgz#991ec69d296e0313747d59bdfd2b745c35f8828d" + integrity sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g== + +"safer-buffer@>= 2.1.2 < 3.0.0": + version "2.1.2" + resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a" + integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg== -semver@^7.5.3: +saxes@^6.0.0: + version "6.0.0" + resolved "https://registry.yarnpkg.com/saxes/-/saxes-6.0.0.tgz#fe5b4a4768df4f14a201b1ba6a65c1f3d9988cc5" + integrity 
sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA== + dependencies: + xmlchars "^2.2.0" + +selenium-webdriver@4.16.0: + version "4.16.0" + resolved "https://registry.yarnpkg.com/selenium-webdriver/-/selenium-webdriver-4.16.0.tgz#2f1a2426d876aa389d1c937b00f034c2c7808360" + integrity sha512-IbqpRpfGE7JDGgXHJeWuCqT/tUqnLvZ14csSwt+S8o4nJo3RtQoE9VR4jB47tP/A8ArkYsh/THuMY6kyRP6kuA== + dependencies: + jszip "^3.10.1" + tmp "^0.2.1" + ws ">=8.14.2" + +semver@7.5.4, semver@^7.5.3: version "7.5.4" resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.4.tgz#483986ec4ed38e1c6c48c34894a9182dbff68a6e" integrity sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA== dependencies: lru-cache "^6.0.0" +semver@^6.0.0, semver@^6.3.0: + version "6.3.1" + resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4" + integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA== + +serialize-javascript@6.0.0: + version "6.0.0" + resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-6.0.0.tgz#efae5d88f45d7924141da8b5c3a7a7e663fefeb8" + integrity sha512-Qr3TosvguFt8ePWqsvRfrKyQXIiW+nGbYpy8XK24NQHE83caxWt+mIymTT19DGFbNWNLfEwsrkSmN64lVWB9ag== + dependencies: + randombytes "^2.1.0" + +set-function-length@^1.2.1: + version "1.2.2" + resolved "https://registry.yarnpkg.com/set-function-length/-/set-function-length-1.2.2.tgz#aac72314198eaed975cf77b2c3b6b880695e5449" + integrity sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg== + dependencies: + define-data-property "^1.1.4" + es-errors "^1.3.0" + function-bind "^1.1.2" + get-intrinsic "^1.2.4" + gopd "^1.0.1" + has-property-descriptors "^1.0.2" + +set-function-name@^2.0.1: + version "2.0.2" + resolved 
"https://registry.yarnpkg.com/set-function-name/-/set-function-name-2.0.2.tgz#16a705c5a0dc2f5e638ca96d8a8cd4e1c2b90985" + integrity sha512-7PGFlmtwsEADb0WYyvCMa1t+yke6daIG4Wirafur5kcf+MhUnPms1UeR0CKQdTZD81yESwMHbtn+TR+dMviakQ== + dependencies: + define-data-property "^1.1.4" + es-errors "^1.3.0" + functions-have-names "^1.2.3" + has-property-descriptors "^1.0.2" + +setimmediate@^1.0.5: + version "1.0.5" + resolved "https://registry.yarnpkg.com/setimmediate/-/setimmediate-1.0.5.tgz#290cbb232e306942d7d7ea9b83732ab7856f8285" + integrity sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA== + shebang-command@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/shebang-command/-/shebang-command-2.0.0.tgz#ccd0af4f8835fbdc265b82461aaf0c36663f34ea" @@ -2078,7 +3469,17 @@ shebang-regex@^3.0.0: resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-3.0.0.tgz#ae16f1644d873ecad843b0307b143362d4c42172" integrity sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A== -signal-exit@^3.0.3, signal-exit@^3.0.7: +side-channel@^1.0.4: + version "1.0.6" + resolved "https://registry.yarnpkg.com/side-channel/-/side-channel-1.0.6.tgz#abd25fb7cd24baf45466406b1096b7831c9215f2" + integrity sha512-fDW/EZ6Q9RiO8eFG8Hj+7u/oW+XrPTIChwCOM2+th2A6OblDtYYIpve9m+KvI9Z4C9qSEXlaGR6bTEYHReuglA== + dependencies: + call-bind "^1.0.7" + es-errors "^1.3.0" + get-intrinsic "^1.2.4" + object-inspect "^1.13.1" + +signal-exit@^3.0.2, signal-exit@^3.0.3, signal-exit@^3.0.7: version "3.0.7" resolved "https://registry.yarnpkg.com/signal-exit/-/signal-exit-3.0.7.tgz#a9a1767f8af84155114eaabd73f99273c8f59ad9" integrity sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ== 
@@ -2106,6 +3507,11 @@ sops-wrapper@^1.0.0: execa "^5.1.1" js-yaml "^4.1.0" +source-map-js@^1.0.1: + version "1.2.0" + resolved "https://registry.yarnpkg.com/source-map-js/-/source-map-js-1.2.0.tgz#16b809c162517b5b8c3e7dcd315a2a5c2612b2af" + integrity sha512-itJW8lvSA0TXEphiRoawsCksnlf8SyvmFzIhltqAHluXd88pkCd+cXJVHTDwdCr0IzwptSm035IHQktUu1QUMg== + source-map-support@0.5.13: version "0.5.13" resolved "https://registry.yarnpkg.com/source-map-support/-/source-map-support-0.5.13.tgz#31b24a9c2e73c2de85066c0feb7d44767ed52932" @@ -2131,6 +3537,20 @@ stack-utils@^2.0.3: dependencies: escape-string-regexp "^2.0.0" +stacktrace-parser@0.1.10: + version "0.1.10" + resolved "https://registry.yarnpkg.com/stacktrace-parser/-/stacktrace-parser-0.1.10.tgz#29fb0cae4e0d0b85155879402857a1639eb6051a" + integrity sha512-KJP1OCML99+8fhOHxwwzyWrlUuVX5GQ0ZpJTd1DFXhdkrvg1szxfHhawXUZ3g9TkXORQd4/WG68jMlQZ2p8wlg== + dependencies: + type-fest "^0.7.1" + +stop-iteration-iterator@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/stop-iteration-iterator/-/stop-iteration-iterator-1.0.0.tgz#6a60be0b4ee757d1ed5254858ec66b10c49285e4" + integrity sha512-iCGQj+0l0HOdZ2AEeBADlsRC+vsnDsZsbdSiH1yNSjcfKM7fdpCMfqAL/dwF5BLiw/XhRft/Wax6zQbhq2BcjQ== + dependencies: + internal-slot "^1.0.4" + string-length@^4.0.1: version "4.0.2" resolved "https://registry.yarnpkg.com/string-length/-/string-length-4.0.2.tgz#a8a8dc7bd5c1a82b9b3c8b87e125f66871b6e57a" @@ -2139,7 +3559,7 @@ string-length@^4.0.1: char-regex "^1.0.2" strip-ansi "^6.0.0" -string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3: +string-width@^4.0.0, string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.2, string-width@^4.2.3: version "4.2.3" resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010" integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g== 
@@ -2148,7 +3568,21 @@ string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3: is-fullwidth-code-point "^3.0.0" strip-ansi "^6.0.1" -strip-ansi@^6.0.0, strip-ansi@^6.0.1: +string_decoder@^1.1.1: + version "1.3.0" + resolved "https://registry.yarnpkg.com/string_decoder/-/string_decoder-1.3.0.tgz#42f114594a46cf1a8e30b0a84f56c78c3edac21e" + integrity sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA== + dependencies: + safe-buffer "~5.2.0" + +string_decoder@~1.1.1: + version "1.1.1" + resolved "https://registry.yarnpkg.com/string_decoder/-/string_decoder-1.1.1.tgz#9cf1611ba62685d7030ae9e4ba34149c3af03fc8" + integrity sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg== + dependencies: + safe-buffer "~5.1.0" + +strip-ansi@6.0.1, strip-ansi@^6.0.0, strip-ansi@^6.0.1: version "6.0.1" resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9" integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A== 
@@ -2165,11 +3599,18 @@ strip-final-newline@^2.0.0: resolved "https://registry.yarnpkg.com/strip-final-newline/-/strip-final-newline-2.0.0.tgz#89b852fb2fcbe936f6f4b3187afb0a12c1ab58ad" integrity sha512-BrpvfNAE3dcvq7ll3xVumzjKjZQ5tI1sEUIKr3Uoks0XUl45St3FlatVqef9prk4jRDzhW6WZg+3bk93y6pLjA== -strip-json-comments@^3.1.1: +strip-json-comments@3.1.1, strip-json-comments@^3.1.1: version "3.1.1" resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-3.1.1.tgz#31f1281b3832630434831c310c01cccda8cbe006" integrity sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig== +supports-color@8.1.1, supports-color@^8.0.0: + version "8.1.1" + resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-8.1.1.tgz#cd6fc17e28500cff56c1b86c0a7fd4a54a73005c" + integrity sha512-MpUEN2OodtUzxvKQl72cUF7RQ5EiHsGvSsVG0ia9c5RbWGL2CI4C7EpPS8UTBIplnlzZiNuV56w+FuNxy3ty2Q== + dependencies: + has-flag "^4.0.0" + supports-color@^5.3.0: version "5.5.0" resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-5.5.0.tgz#e2e69a44ac8772f78a1ec0b35b689df6530efc8f" 
@@ -2184,18 +3625,27 @@ supports-color@^7.1.0: dependencies: has-flag "^4.0.0" -supports-color@^8.0.0: - version "8.1.1" - resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-8.1.1.tgz#cd6fc17e28500cff56c1b86c0a7fd4a54a73005c" - integrity sha512-MpUEN2OodtUzxvKQl72cUF7RQ5EiHsGvSsVG0ia9c5RbWGL2CI4C7EpPS8UTBIplnlzZiNuV56w+FuNxy3ty2Q== - dependencies: - has-flag "^4.0.0" - supports-preserve-symlinks-flag@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz#6eda4bd344a3c94aea376d4cc31bc77311039e09" integrity sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w== +symbol-tree@^3.2.4: + version "3.2.4" + resolved "https://registry.yarnpkg.com/symbol-tree/-/symbol-tree-3.2.4.tgz#430637d248ba77e078883951fb9aa0eed7c63fa2" + integrity sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw== + +tar-stream@^2.2.0: + version "2.2.0" + resolved "https://registry.yarnpkg.com/tar-stream/-/tar-stream-2.2.0.tgz#acad84c284136b060dc3faa64474aa9aebd77287" + integrity sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ== + dependencies: + bl "^4.0.3" + end-of-stream "^1.4.1" + fs-constants "^1.0.0" + inherits "^2.0.3" + readable-stream "^3.1.1" + test-exclude@^6.0.0: version "6.0.0" resolved "https://registry.yarnpkg.com/test-exclude/-/test-exclude-6.0.0.tgz#04a8698661d805ea6fa293b6cb9e63ac044ef15e" @@ -2205,6 +3655,11 @@ test-exclude@^6.0.0: glob "^7.1.4" minimatch "^3.0.4" +tmp@^0.2.1: + version "0.2.3" + resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.3.tgz#eb783cc22bc1e8bebd0671476d46ea4eb32a79ae" + integrity sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w== + tmpl@1.0.5: version "1.0.5" resolved "https://registry.yarnpkg.com/tmpl/-/tmpl-1.0.5.tgz#8683e0b902bb9c20c4f726e3c0b69f36518c07cc" 
@@ -2222,16 +3677,53 @@ to-regex-range@^5.0.1: dependencies: is-number "^7.0.0" -type-detect@4.0.8: +tough-cookie@^4.1.3: + version "4.1.3" + resolved "https://registry.yarnpkg.com/tough-cookie/-/tough-cookie-4.1.3.tgz#97b9adb0728b42280aa3d814b6b999b2ff0318bf" + integrity sha512-aX/y5pVRkfRnfmuX+OdbSdXvPe6ieKX/G2s7e98f4poJHnqH3281gDPm/metm6E/WRamfx7WC4HUqkWHfQHprw== + dependencies: + psl "^1.1.33" + punycode "^2.1.1" + universalify "^0.2.0" + url-parse "^1.5.3" + +tr46@^5.0.0: + version "5.0.0" + resolved "https://registry.yarnpkg.com/tr46/-/tr46-5.0.0.tgz#3b46d583613ec7283020d79019f1335723801cec" + integrity sha512-tk2G5R2KRwBd+ZN0zaEXpmzdKyOYksXwywulIX95MBODjSzMIuQnQ3m8JxgbhnL1LeVo7lqQKsYa1O3Htl7K5g== + dependencies: + punycode "^2.3.1" + +type-detect@4.0.8, type-detect@^4.0.0: version "4.0.8" resolved "https://registry.yarnpkg.com/type-detect/-/type-detect-4.0.8.tgz#7646fb5f18871cfbb7749e69bd39a6388eb7450c" integrity sha512-0fr/mIH1dlO+x7TlcMy+bIDqKPsw/70tVyeHW787goQjhmqaZe10uwLujubK9q9Lg6Fiho1KUKDYz0Z7k7g5/g== +type-fest@^0.20.2: + version "0.20.2" + resolved "https://registry.yarnpkg.com/type-fest/-/type-fest-0.20.2.tgz#1bf207f4b28f91583666cb5fbd327887301cd5f4" + integrity sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ== + type-fest@^0.21.3: version "0.21.3" resolved "https://registry.yarnpkg.com/type-fest/-/type-fest-0.21.3.tgz#d260a24b0198436e133fa26a524a6d65fa3b2e37" integrity sha512-t0rzBq87m3fVcduHDUFhKmyyX+9eo6WQjZvf51Ea/M0Q7+T374Jp1aUiyUl0GKxp8M/OETVHSDvmkyPgvX+X2w== +type-fest@^0.7.1: + version "0.7.1" + resolved "https://registry.yarnpkg.com/type-fest/-/type-fest-0.7.1.tgz#8dda65feaf03ed78f0a3f9678f1869147f7c5c48" + integrity sha512-Ne2YiiGN8bmrmJJEuTWTLJR32nh/JdL1+PSicowtNb0WFpn59GK8/lfD61bVtzguz7b3PBt74nxpv/Pw5po5Rg== + +universalify@^0.2.0: + version "0.2.0" + resolved "https://registry.yarnpkg.com/universalify/-/universalify-0.2.0.tgz#6451760566fa857534745ab1dde952d1b1761be0" + integrity 
sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg== + +untildify@4.0.0: + version "4.0.0" + resolved "https://registry.yarnpkg.com/untildify/-/untildify-4.0.0.tgz#2bc947b953652487e4600949fb091e3ae8cd919b" + integrity sha512-KK8xQ1mkzZeg9inewmFVDNkg3l5LUhoq9kN6iWYB/CC9YMG8HA+c1Q8HwDe6dEX7kErrEVNVBO3fWsVq5iDgtw== + update-browserslist-db@^1.0.10: version "1.0.11" resolved "https://registry.yarnpkg.com/update-browserslist-db/-/update-browserslist-db-1.0.11.tgz#9a2a641ad2907ae7b3616506f4b977851db5b940" @@ -2240,6 +3732,24 @@ update-browserslist-db@^1.0.10: escalade "^3.1.1" picocolors "^1.0.0" +url-parse@^1.5.3: + version "1.5.10" + resolved "https://registry.yarnpkg.com/url-parse/-/url-parse-1.5.10.tgz#9d3c2f736c1d75dd3bd2be507dcc111f1e2ea9c1" + integrity sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ== + dependencies: + querystringify "^2.1.1" + requires-port "^1.0.0" + +util-deprecate@^1.0.1, util-deprecate@~1.0.1: + version "1.0.2" + resolved "https://registry.yarnpkg.com/util-deprecate/-/util-deprecate-1.0.2.tgz#450d4dc9fa70de732762fbd2d4a28981419a0ccf" + integrity sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw== + +uuid@8.3.2: + version "8.3.2" + resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.2.tgz#80d5b5ced271bb9af6c445f21a1a04c606cefbe2" + integrity sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg== + v8-to-istanbul@^9.0.1: version "9.1.0" resolved "https://registry.yarnpkg.com/v8-to-istanbul/-/v8-to-istanbul-9.1.0.tgz#1b83ed4e397f58c85c266a570fc2558b5feb9265" 
@@ -2249,6 +3759,13 @@ v8-to-istanbul@^9.0.1: "@types/istanbul-lib-coverage" "^2.0.1" convert-source-map "^1.6.0" +w3c-xmlserializer@^5.0.0: + version "5.0.0" + resolved "https://registry.yarnpkg.com/w3c-xmlserializer/-/w3c-xmlserializer-5.0.0.tgz#f925ba26855158594d907313cedd1476c5967f6c" + integrity sha512-o8qghlI8NZHU1lLPrpi2+Uq7abh4GGPpYANlalzWxyWteJOCsr/P+oPBA49TOLu5FTZO4d3F9MnWJfiMo4BkmA== + dependencies: + xml-name-validator "^5.0.0" + walker@^1.0.8: version "1.0.8" resolved "https://registry.yarnpkg.com/walker/-/walker-1.0.8.tgz#bd498db477afe573dc04185f011d3ab8a8d7653f" 
@@ -2256,6 +3773,70 @@ walker@^1.0.8: dependencies: makeerror "1.0.12" +wcwidth@^1.0.1: + version "1.0.1" + resolved "https://registry.yarnpkg.com/wcwidth/-/wcwidth-1.0.1.tgz#f0b0dcf915bc5ff1528afadb2c0e17b532da2fe8" + integrity sha512-XHPEwS0q6TaxcvG85+8EYkbiCux2XtWG2mkc47Ng2A77BQu9+DqIOJldST4HgPkuea7dvKSj5VgX3P1d4rW8Tg== + dependencies: + defaults "^1.0.3" + +webidl-conversions@^7.0.0: + version "7.0.0" + resolved "https://registry.yarnpkg.com/webidl-conversions/-/webidl-conversions-7.0.0.tgz#256b4e1882be7debbf01d05f0aa2039778ea080a" + integrity sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g== + +whatwg-encoding@^3.1.1: + version "3.1.1" + resolved "https://registry.yarnpkg.com/whatwg-encoding/-/whatwg-encoding-3.1.1.tgz#d0f4ef769905d426e1688f3e34381a99b60b76e5" + integrity sha512-6qN4hJdMwfYBtE3YBTTHhoeuUrDBPZmbQaxWAqSALV/MeEnR5z1xd8UKud2RAkFoPkmB+hli1TZSnyi84xz1vQ== + dependencies: + iconv-lite "0.6.3" + +whatwg-mimetype@^4.0.0: + version "4.0.0" + resolved "https://registry.yarnpkg.com/whatwg-mimetype/-/whatwg-mimetype-4.0.0.tgz#bc1bf94a985dc50388d54a9258ac405c3ca2fc0a" + integrity sha512-QaKxh0eNIi2mE9p2vEdzfagOKHCcj1pJ56EEHGQOVxp8r9/iszLUUV7v89x9O1p/T+NlTM5W7jW6+cz4Fq1YVg== + +whatwg-url@^14.0.0: + version "14.0.0" + resolved "https://registry.yarnpkg.com/whatwg-url/-/whatwg-url-14.0.0.tgz#00baaa7fd198744910c4b1ef68378f2200e4ceb6" + integrity sha512-1lfMEm2IEr7RIV+f4lUNPOqfFL+pO+Xw3fJSqmjX9AbXcXcYOkCe1P6+9VBZB6n94af16NfZf+sSk0JCBZC9aw== + dependencies: + tr46 "^5.0.0" + webidl-conversions "^7.0.0" + +which-boxed-primitive@^1.0.2: + version "1.0.2" + resolved "https://registry.yarnpkg.com/which-boxed-primitive/-/which-boxed-primitive-1.0.2.tgz#13757bc89b209b049fe5d86430e21cf40a89a8e6" + integrity sha512-bwZdv0AKLpplFY2KZRX6TvyuN7ojjr7lwkg6ml0roIy9YeuSr7JS372qlNW18UQYzgYK9ziGcerWqZOmEn9VNg== + dependencies: + is-bigint "^1.0.1" + is-boolean-object "^1.1.0" + is-number-object "^1.0.4" + is-string "^1.0.5" + 
is-symbol "^1.0.3" + +which-collection@^1.0.1: + version "1.0.2" + resolved "https://registry.yarnpkg.com/which-collection/-/which-collection-1.0.2.tgz#627ef76243920a107e7ce8e96191debe4b16c2a0" + integrity sha512-K4jVyjnBdgvc86Y6BkaLZEN933SwYOuBFkdmBu9ZfkcAbdVbpITnDmjvZ/aQjRXQrv5EPkTnD1s39GiiqbngCw== + dependencies: + is-map "^2.0.3" + is-set "^2.0.3" + is-weakmap "^2.0.2" + is-weakset "^2.0.3" + +which-typed-array@^1.1.13: + version "1.1.15" + resolved "https://registry.yarnpkg.com/which-typed-array/-/which-typed-array-1.1.15.tgz#264859e9b11a649b388bfaaf4f767df1f779b38d" + integrity sha512-oV0jmFtUky6CXfkqehVvBP/LSWJ2sy4vWMioiENyJLePrBO/yKyV9OyJySfAKosh+RYkIl5zJCNZ8/4JncrpdA== + dependencies: + available-typed-arrays "^1.0.7" + call-bind "^1.0.7" + for-each "^0.3.3" + gopd "^1.0.1" + has-tostringtag "^1.0.2" + which@^2.0.1: version "2.0.2" resolved "https://registry.yarnpkg.com/which/-/which-2.0.2.tgz#7c6a8dd0a636a0327e10b59c9286eee93f3f51b1" @@ -2263,6 +3844,18 @@ which@^2.0.1: dependencies: isexe "^2.0.0" +widest-line@^3.1.0: + version "3.1.0" + resolved "https://registry.yarnpkg.com/widest-line/-/widest-line-3.1.0.tgz#8292333bbf66cb45ff0de1603b136b7ae1496eca" + integrity sha512-NsmoXalsWVDMGupxZ5R08ka9flZjjiLvHVAWYOKtiKM8ujtZWr9cRffak+uSE48+Ob8ObalXpwyeUiyDD6QFgg== + dependencies: + string-width "^4.0.0" + +workerpool@6.2.1: + version "6.2.1" + resolved "https://registry.yarnpkg.com/workerpool/-/workerpool-6.2.1.tgz#46fc150c17d826b86a008e5a4508656777e9c343" + integrity sha512-ILEIE97kDZvF9Wb9f6h5aXK4swSlKGUcOEGiIYb2OOu/IrDU9iwj0fD//SsA6E5ibwJxpEvhullJY4Sl4GcpAw== + wrap-ansi@^7.0.0: version "7.0.0" resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43" 
@@ -2285,6 +3878,21 @@ write-file-atomic@^4.0.2: imurmurhash "^0.1.4" signal-exit "^3.0.7" +ws@>=8.14.2, ws@^8.16.0: + version "8.16.0" + resolved "https://registry.yarnpkg.com/ws/-/ws-8.16.0.tgz#d1cd774f36fbc07165066a60e40323eab6446fd4" + integrity sha512-HS0c//TP7Ina87TfiPUz1rQzMhHrl/SG2guqRcTOIUYD2q8uhUdNHZYJUaQ8aTGPzCh+c6oawMKW35nFl1dxyQ== + +xml-name-validator@^5.0.0: + version "5.0.0" + resolved "https://registry.yarnpkg.com/xml-name-validator/-/xml-name-validator-5.0.0.tgz#82be9b957f7afdacf961e5980f1bf227c0bf7673" + integrity sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg== + +xmlchars@^2.2.0: + version "2.2.0" + resolved "https://registry.yarnpkg.com/xmlchars/-/xmlchars-2.2.0.tgz#060fe1bcb7f9c76fe2a17db86a9bc3ab894210cb" + integrity sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw== + y18n@^5.0.5: version "5.0.8" resolved "https://registry.yarnpkg.com/y18n/-/y18n-5.0.8.tgz#7f4934d0f7ca8c56f95314939ddcd2dd91ce1d55" 
@@ -2305,11 +3913,44 @@ yaml@^2.3.1: resolved "https://registry.yarnpkg.com/yaml/-/yaml-2.3.1.tgz#02fe0975d23cd441242aa7204e09fc28ac2ac33b" integrity sha512-2eHWfjaoXgTBC2jNM1LRef62VQa0umtvRiDSk6HSzW7RvS5YtkabJrwYLLEKWBc8a5U2PTSCs+dJjUTJdlHsWQ== +yargs-parser@20.2.4: + version "20.2.4" + resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-20.2.4.tgz#b42890f14566796f85ae8e3a25290d205f154a54" + integrity sha512-WOkpgNhPTlE73h4VFAFsOnomJVaovO8VqLDzy5saChRBFQFBoMYirowyW+Q9HB4HFF4Z7VZTiG3iSzJJA29yRA== + +yargs-parser@^20.2.2: + version "20.2.9" + resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-20.2.9.tgz#2eb7dc3b0289718fc295f362753845c41a0c94ee" + integrity sha512-y11nGElTIV+CT3Zv9t7VKl+Q3hTQoT9a1Qzezhhl6Rp21gJ/IVTW7Z3y9EWXhuUBC2Shnf+DX0antecpAwSP8w== + yargs-parser@^21.1.1: version "21.1.1" resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-21.1.1.tgz#9096bceebf990d21bb31fa9516e0ede294a77d35" integrity sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw== +yargs-unparser@2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/yargs-unparser/-/yargs-unparser-2.0.0.tgz#f131f9226911ae5d9ad38c432fe809366c2325eb" + integrity sha512-7pRTIA9Qc1caZ0bZ6RYRGbHJthJWuakf+WmHK0rVeLkNrrGhfoabBNdue6kdINI6r4if7ocq9aD/n7xwKOdzOA== + dependencies: + camelcase "^6.0.0" + decamelize "^4.0.0" + flat "^5.0.2" + is-plain-obj "^2.1.0" + +yargs@16.2.0: + version "16.2.0" + resolved "https://registry.yarnpkg.com/yargs/-/yargs-16.2.0.tgz#1c82bf0f6b6a66eafce7ef30e376f49a12477f66" + integrity sha512-D1mvvtDG0L5ft/jGWkLpG1+m0eQxOfaBvTNELraWj22wSVUMWxZUvYgJYcKh6jGGIkJFhH4IZPQhR4TKpc8mBw== + dependencies: + cliui "^7.0.2" + escalade "^3.1.1" + get-caller-file "^2.0.5" + require-directory "^2.1.1" + string-width "^4.2.0" + y18n "^5.0.5" + yargs-parser "^20.2.2" + yargs@^17.3.1: version "17.7.2" resolved "https://registry.yarnpkg.com/yargs/-/yargs-17.7.2.tgz#991df39aca675a192b816e1e0363f9d75d2aa269" 
@@ -2327,3 +3968,12 @@ yocto-queue@^0.1.0: version "0.1.0" resolved "https://registry.yarnpkg.com/yocto-queue/-/yocto-queue-0.1.0.tgz#0294eb3dee05028d31ee1a5fa2c556a6aaf10a1b" integrity sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q== + +zip-stream@^4.1.0: + version "4.1.1" + resolved "https://registry.yarnpkg.com/zip-stream/-/zip-stream-4.1.1.tgz#1337fe974dbaffd2fa9a1ba09662a66932bd7135" + integrity sha512-9qv4rlDiopXg4E69k+vMHjNN63YFMe9sZMrdlvKnCjlCRWeCBswPPMPUfx+ipsAWq1LXHe70RcbaHdJJpS6hyQ== + dependencies: + archiver-utils "^3.0.4" + compress-commons "^4.1.2" + readable-stream "^3.6.0" From 32256911afee3c4f20186adc376f50f2248ed41d Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Tue, 23 Apr 2024 17:21:11 +0200 Subject: [PATCH 40/51] fix --- nightwatch.conf.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nightwatch.conf.js b/nightwatch.conf.js index 79cc583..625c36f 100644 --- a/nightwatch.conf.js +++ b/nightwatch.conf.js @@ -12,7 +12,7 @@ module.exports = { on_failure : true, on_error : false, path : "tests/screenshots" - } + }, webdriver: {}, From fa00b295bb936fb168d419e2732e2406e65a231d Mon Sep 17 00:00:00 2001 
From: Lukas Holota Date: Thu, 25 Apr 2024 15:17:26 +0200 Subject: [PATCH 41/51] Fixes --- environments/lab/host_vars/pomerium.yaml | 2 ++ environments/prod/host_vars/frigate/container.yaml | 4 ++-- environments/prod/host_vars/pomerium.yaml | 2 ++ .../shared/group_vars/containers/app_container.yaml | 2 +- environments/shared/group_vars/pihole/container.yaml | 2 ++ environments/shared/host_vars/frigate.yaml | 4 ++-- environments/shared/host_vars/homepage/container.yaml | 2 +- environments/shared/host_vars/monitoring.yaml | 2 +- environments/shared/host_vars/pomerium.yaml | 3 --- environments/shared/host_vars/pve1.yaml | 1 + roles/app-container/tasks/container.yaml | 2 +- roles/app-container/tasks/main.yaml | 10 ++++++++-- .../tasks/uid-gid-mapping-container.yaml | 10 ++++++++++ ...d-gid-mapping.yaml => uid-gid-mapping-global.yaml} | 11 ----------- roles/app-container/templates/pct-set.j2 | 2 +- roles/app-frigate/templates/docker-compose.j2 | 1 - roles/app-homepage/templates/docker-compose.j2 | 1 - roles/app-pihole/templates/setup-vars.j2 | 3 ++- roles/app-pomerium/templates/config.j2 | 3 +++ 19 files changed, 39 insertions(+), 28 deletions(-) create mode 100644 environments/lab/host_vars/pomerium.yaml create mode 100644 environments/prod/host_vars/pomerium.yaml create mode 100644 roles/app-container/tasks/uid-gid-mapping-container.yaml rename roles/app-container/tasks/{uid-gid-mapping.yaml => uid-gid-mapping-global.yaml} (50%) diff --git a/environments/lab/host_vars/pomerium.yaml b/environments/lab/host_vars/pomerium.yaml new file mode 100644 index 0000000..e5f0998 --- /dev/null +++ b/environments/lab/host_vars/pomerium.yaml @@ -0,0 +1,2 @@ +app_pomerium_groups_administrators: b77c210d-8ae3-4292-9e95-c7d42a2f254f +app_pomerium_groups_users: ba84af15-129a-42c3-806c-62700ea31a7c \ No newline at end of file diff --git a/environments/prod/host_vars/frigate/container.yaml b/environments/prod/host_vars/frigate/container.yaml index af006cb..2ec62ee 100644 
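Review bot: The new lab host_vars file ends without a trailing newline (`\ No newline at end of file`) and has no `---` document start, and the prod counterpart `environments/prod/host_vars/pomerium.yaml` added in this commit has the same two issues. Both files would also benefit from one comment saying what the two UUIDs are, hedged because the identity provider is not visible here: `# TODO confirm: object IDs of the IdP groups granted administrator / user access in Pomerium`. Moving these per-environment values out of `environments/shared/host_vars/pomerium.yaml` is the right direction.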
--- a/environments/prod/host_vars/frigate/container.yaml +++ b/environments/prod/host_vars/frigate/container.yaml @@ -4,8 +4,8 @@ app_container_storage_size_gb: 10 app_container_mounts: - type: disk - storage_name: dpool_nvr - index: 2 + storage_name: dpool-nvr + index: 1 size_gb: 2500 target_path: /nvr diff --git a/environments/prod/host_vars/pomerium.yaml b/environments/prod/host_vars/pomerium.yaml new file mode 100644 index 0000000..0e2ff3b --- /dev/null +++ b/environments/prod/host_vars/pomerium.yaml @@ -0,0 +1,2 @@ +app_pomerium_groups_administrators: 64d004bd-9218-4fae-9919-0505ff5eeb8e +app_pomerium_groups_users: aac23af7-2d73-497f-b93c-b8ca4007638d \ No newline at end of file diff --git a/environments/shared/group_vars/containers/app_container.yaml b/environments/shared/group_vars/containers/app_container.yaml index 9b8650c..6fa97b4 100644 --- a/environments/shared/group_vars/containers/app_container.yaml +++ b/environments/shared/group_vars/containers/app_container.yaml @@ -1,5 +1,5 @@ app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst app_container_pve_replication_cron_expression: "*/5" -app_container_pve_ha_group_name: noncritical +app_container_pve_ha_group_name: non-critical app_container_nameserver: "{{ ipam.pihole1 }},{{ ipam.pihole2 }}" \ No newline at end of file diff --git a/environments/shared/group_vars/pihole/container.yaml b/environments/shared/group_vars/pihole/container.yaml index 07c8cc9..f130ab7 100644 --- a/environments/shared/group_vars/pihole/container.yaml +++ b/environments/shared/group_vars/pihole/container.yaml @@ -6,3 +6,5 @@ app_pihole_version: 5.17.3 app_pihole_forwarders: - 1.1.1.1 - 1.0.0.1 + +app_pihole_blocking_enabled: false \ No newline at end of file diff --git a/environments/shared/host_vars/frigate.yaml b/environments/shared/host_vars/frigate.yaml index 46e24f1..c89f636 100644 --- a/environments/shared/host_vars/frigate.yaml +++ b/environments/shared/host_vars/frigate.yaml 
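Review bot: Changing `index: 2` to `index: 1` on the 2500 GB `/nvr` mount alters which Proxmox mount-point slot the role targets, and if the prod frigate container already carries this volume under the old slot and the old storage name `dpool_nvr`, nothing in the commit detaches or migrates it. Presumably the storage was recreated as `dpool-nvr` out of band; a comment on the mount such as `# mp index changed 2 -> 1 after the NVR storage was recreated as dpool-nvr` would record that, and it is worth checking the node for an orphaned volume on the old storage. The `app_container_mounts` item begins inside the hunk but the file continues beyond it.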
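Review bot: `app_container_pve_ha_group_name: non-critical` is set here as the `containers` group default, yet the frigate, homepage and monitoring host_vars hunks in this commit (`environments/shared/host_vars/frigate.yaml`, `homepage/container.yaml`, `monitoring.yaml`) each repeat the identical value, which is why the rename had to be made in four places. Unless those hosts sit outside the `containers` group, the per-host lines can be dropped so the group default applies, or the group default should carry a comment such as `# default HA group; hosts override only when they need a different one`. This file also still ends without a trailing newline.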
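Review bot: `app_pihole_blocking_enabled: false` lands in `environments/shared/group_vars/pihole`, so it switches DNS blocking off for every Pi-hole host in both lab and prod rather than in one environment, and the hunk gives no reason. If this is a temporary troubleshooting measure the line should say so and name the condition for re-enabling, e.g. `# TEMP: blocking disabled while <reason-placeholder>; set back to true once resolved`; otherwise the setting belongs in the environment-specific group_vars. The file also ends without a trailing newline.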
@@ -5,11 +5,11 @@ app_container_docker_support: true app_container_network_interfaces: - name: eth0 bridge: vmbr0 - ipv4_address: "{{ ipam.frigate }}" + ipv4_address: "{{ ipam.frigate }}/24" ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve2 -app_container_pve_ha_group_name: noncritical +app_container_pve_ha_group_name: non-critical app_container_pve_replication_nodes: - pve1 diff --git a/environments/shared/host_vars/homepage/container.yaml b/environments/shared/host_vars/homepage/container.yaml index 9c19008..7ffa91d 100644 --- a/environments/shared/host_vars/homepage/container.yaml +++ b/environments/shared/host_vars/homepage/container.yaml @@ -11,7 +11,7 @@ app_container_network_interfaces: ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve2 -app_container_pve_ha_group_name: noncritical +app_container_pve_ha_group_name: non-critical app_container_pve_replication_nodes: - pve1 diff --git a/environments/shared/host_vars/monitoring.yaml b/environments/shared/host_vars/monitoring.yaml index 268e671..ea2446e 100644 --- a/environments/shared/host_vars/monitoring.yaml +++ b/environments/shared/host_vars/monitoring.yaml @@ -11,7 +11,7 @@ app_container_network_interfaces: ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" app_container_pve_node: pve2 -app_container_pve_ha_group_name: noncritical +app_container_pve_ha_group_name: non-critical app_container_pve_replication_nodes: - pve1 diff --git a/environments/shared/host_vars/pomerium.yaml b/environments/shared/host_vars/pomerium.yaml index 7e28339..71d3d18 100644 --- a/environments/shared/host_vars/pomerium.yaml +++ b/environments/shared/host_vars/pomerium.yaml 
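Review bot: The prefix length is now hard-coded as `/24` on `ipv4_address`, while the gateway on the next line is derived from `subnets.services`; if `subnets.services` is a CIDR (it is fed to `ansible.utils.ipmath`, which accepts one), the mask can come from the same source so the two cannot drift: `ipv4_address: "{{ ipam.frigate }}/{{ subnets.services | ansible.utils.ipaddr('prefix') }}"`. The homepage and monitoring host_vars hunks in this commit show only their gateway lines, so whether they already carry a prefix is not visible here. The `app_container_network_interfaces` list starts above the hunk.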
@@ -40,9 +40,6 @@ app_gatus_monitored_endpoints: app_pomerium_hostname: "login{{ env.suffix }}.homecentr.one" -app_pomerium_groups_administrators: b77c210d-8ae3-4292-9e95-c7d42a2f254f -app_pomerium_groups_users: ba84af15-129a-42c3-806c-62700ea31a7c - app_pomerium_certificates: - fullchain_path: /getssl/wildcard_fullchain.crt key_path: /getssl/wildcard.key diff --git a/environments/shared/host_vars/pve1.yaml b/environments/shared/host_vars/pve1.yaml index b11b126..f0c6183 100644 --- a/environments/shared/host_vars/pve1.yaml +++ b/environments/shared/host_vars/pve1.yaml @@ -15,6 +15,7 @@ app_pomerium_routes: - "{{ ipam.pve1 }}" - "{{ ipam.pve2 }}" - "{{ ipam.pve3 }}" + backend_lb_policy: RING_HASH # DNS app_pihole_records: diff --git a/roles/app-container/tasks/container.yaml b/roles/app-container/tasks/container.yaml index 7675bc5..a5ad9a5 100644 --- a/roles/app-container/tasks/container.yaml +++ b/roles/app-container/tasks/container.yaml @@ -15,7 +15,7 @@ - name: Wait for the container to be created retries: 10 delay: 3 - until: (app_container_info_raw is defined) and (app_container_info_raw.proxmox_vms | length) > 0 + until: (app_container_info_raw is defined) and (app_container_info_raw.proxmox_vms | default([]) | length) > 0 register: app_container_info_raw community.general.proxmox_vm_info: api_user: root@pam diff --git a/roles/app-container/tasks/main.yaml b/roles/app-container/tasks/main.yaml index c5b6607..68cc3ad 100644 --- a/roles/app-container/tasks/main.yaml +++ b/roles/app-container/tasks/main.yaml 
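Review bot: `backend_lb_policy: RING_HASH` is added to the three-node Proxmox route without a comment on why consistent hashing is wanted; presumably a client must stay on the same PVE node across requests (ticket or websocket state), and a one-line `# RING_HASH: keep a client pinned to one PVE node across requests` would make that reviewable. The `app_pomerium_routes` entry this key belongs to starts above the hunk, and the consuming template `roles/app-pomerium/templates/config.j2` in this commit only emits `lb_policy` when `backend` is a list, which holds for this route.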
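Review bot: The `app_container_info_raw is defined` guard in the `until` expression is redundant: `register` binds the result before `until` is evaluated on each attempt, so `until: (app_container_info_raw.proxmox_vms | default([]) | length) > 0` is sufficient and easier to read. The new `default([])` is the part that actually handles a result without a `proxmox_vms` key on early attempts, which is worth a comment: `# proxmox_vms may be absent until the container shows up in the API`. The `proxmox_vm_info` task's remaining arguments continue beyond the hunk.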
@@ -22,10 +22,16 @@ vars: container_vars: "{{ hostvars[container_inventory_name] }}" -- name: Configure mapped UID/GID +- name: Configure mapped UID/GID in container config file when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node ansible.builtin.include_tasks: - file: uid-gid-mapping.yaml + file: uid-gid-mapping-container.yaml + vars: + container_vars: "{{ hostvars[container_inventory_name] }}" + +- name: Configure mapped UID/GID idmap files + ansible.builtin.include_tasks: + file: uid-gid-mapping-global.yaml vars: container_vars: "{{ hostvars[container_inventory_name] }}" diff --git a/roles/app-container/tasks/uid-gid-mapping-container.yaml b/roles/app-container/tasks/uid-gid-mapping-container.yaml new file mode 100644 index 0000000..f293be3 --- /dev/null +++ b/roles/app-container/tasks/uid-gid-mapping-container.yaml @@ -0,0 +1,10 @@ +- name: Load current container config file + register: app_container_config + ansible.builtin.slurp: + path: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" + +- name: Update config with lxc.idmap + ansible.builtin.copy: + force: true + dest: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" + content: "{{ lookup('template', 'lxc-idmap.j2', template_vars=dict(current_config=(app_container_config.content | b64decode)) | combine(container_vars)) }}" diff --git a/roles/app-container/tasks/uid-gid-mapping.yaml b/roles/app-container/tasks/uid-gid-mapping-global.yaml similarity index 50% rename from roles/app-container/tasks/uid-gid-mapping.yaml rename to roles/app-container/tasks/uid-gid-mapping-global.yaml index f9f123d..52bdd3b 100644 --- a/roles/app-container/tasks/uid-gid-mapping.yaml +++ b/roles/app-container/tasks/uid-gid-mapping-global.yaml 
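Review bot: The new `Configure mapped UID/GID idmap files` task has no `when:` guard, unlike the container-config task directly above it that is limited to `app_container_pve_node`, so `uid-gid-mapping-global.yaml` runs on every host in the play. That reads as deliberate, since the mapped ids must presumably exist on every node the container can be replicated or migrated to, but the asymmetry looks like an omission without a comment such as `# intentionally unguarded: the id mapping must exist on every node the container may run on`. The task list continues outside the hunk.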
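Review bot: The `Update config with lxc.idmap` task rewrites `/etc/pve/lxc/<vmid>.conf` wholesale from a template fed with the slurped current content, so a template error or an unexpected `current_config` would clobber the container's only config file; add `backup: true` to the `ansible.builtin.copy` call so the previous version is preserved, and drop `force: true`, which is already the default. An idmap change only takes effect when the container is restarted, and neither this file nor the caller in `main.yaml` does that, which may be intentional but deserves a comment like `# takes effect on next container restart; not restarted here`. The file is new, so a one-line header saying it must run on the node that currently hosts the container (the caller's `when:` enforces this) would also help.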
@@ -1,14 +1,3 @@ -- name: Load current container config file - register: app_container_config - ansible.builtin.slurp: - path: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" - -- name: Update config with lxc.idmap - ansible.builtin.copy: - force: true - dest: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" - content: "{{ lookup('template', 'lxc-idmap.j2', template_vars=dict(current_config=(app_container_config.content | b64decode)) | combine(container_vars)) }}" - - name: Add mapped uids to setuid loop: "{{ container_vars.app_container_mapped_uids | default([]) }}" loop_control: diff --git a/roles/app-container/templates/pct-set.j2 b/roles/app-container/templates/pct-set.j2 index c758b9a..eee4b37 100644 --- a/roles/app-container/templates/pct-set.j2 +++ b/roles/app-container/templates/pct-set.j2 @@ -9,7 +9,7 @@ pct set {{ app_container_id }} {%- endif %} {%- endfor %} {%- if app_container_getssl_certificates is defined %} - --mp{{ app_container_mounts | default([]) | length }} "/var/lib/getssl/{{ app_container_id }},mp={{ app_container_getssl_mountpoint | default('/getssl') }},replicate=0" + --mp{{ app_container_mounts | default([]) | length }} "/var/lib/getssl/{{ app_container_id }},mp={{ app_container_getssl_mountpoint | default('/getssl') }},replicate=0,shared=1" {%- endif %} {%- for nic in app_container_network_interfaces %} --net{{ loop.index - 1 }} "name={{ nic.name }},bridge={{ nic.bridge }},ip={{ nic.ipv4_address }}{{ ",gw=" + nic.ipv4_gateway if (nic.ipv4_gateway | default("")) != "" else "" }}" diff --git a/roles/app-frigate/templates/docker-compose.j2 b/roles/app-frigate/templates/docker-compose.j2 index ee6fe37..5cb2efb 100644 --- a/roles/app-frigate/templates/docker-compose.j2 +++ b/roles/app-frigate/templates/docker-compose.j2 @@ -1,4 +1,3 @@ -version: "3.9" services: frigate: image: ghcr.io/blakeblackshear/frigate:{{ app_frigate_image_tag }} 
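Review bot: Adding `shared=1` to the getssl bind mount tells Proxmox the host path `/var/lib/getssl/<id>` is available on every node, which lets migration and HA failover pass the storage check, but Proxmox does not verify it; if the directory is missing on the target node the container may fail to start there or come up without certificates. A Jinja comment such as `{# shared=1: /var/lib/getssl/<id> must exist on every node in app_container_pve_replication_nodes #}` records the obligation, and whatever provisions getssl on the nodes (not visible here) is where it should be enforced. `replicate=0` remains correct for a bind mount.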
diff --git a/roles/app-homepage/templates/docker-compose.j2 b/roles/app-homepage/templates/docker-compose.j2 index 329f42c..2081ce8 100644 --- a/roles/app-homepage/templates/docker-compose.j2 +++ b/roles/app-homepage/templates/docker-compose.j2 @@ -1,4 +1,3 @@ -version: "3.9" services: homepage: image: ghcr.io/gethomepage/homepage:{{ app_homepage_image_tag }} diff --git a/roles/app-pihole/templates/setup-vars.j2 b/roles/app-pihole/templates/setup-vars.j2 index 12e79d7..280c0ea 100644 --- a/roles/app-pihole/templates/setup-vars.j2 +++ b/roles/app-pihole/templates/setup-vars.j2 @@ -13,4 +13,5 @@ WEBUIBOXEDLAYOUT=traditional API_EXCLUDE_DOMAINS= API_EXCLUDE_CLIENTS= API_QUERY_LOG_SHOW=all -API_PRIVACY_MODE=false \ No newline at end of file +API_PRIVACY_MODE=false +BLOCKING_ENABLED={{ app_pihole_blocking_enabled | string | lower }} diff --git a/roles/app-pomerium/templates/config.j2 b/roles/app-pomerium/templates/config.j2 index 04a16f5..02bc0a4 100644 --- a/roles/app-pomerium/templates/config.j2 +++ b/roles/app-pomerium/templates/config.j2 @@ -32,6 +32,9 @@ routes: - {{ route.protocol | default("http") }}://{{ backend_host }}:{{ route.target_port | default(80) }} {% endfor%} {% endif %} +{% if not (route.backend | default('') is string) %} + lb_policy: {{ route.backend_lb_policy | default('ROUND_ROBIN') }} +{% endif %} {% if route.path | default('') != '' %} path: {{ route.path }} {% endif %} From 952cff4b75bb8c5567a286ff87bfaff3126a4d24 Mon Sep 17 00:00:00 2001 
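Review bot: `BLOCKING_ENABLED={{ app_pihole_blocking_enabled | string | lower }}` has no fallback, so for any host where `app_pihole_blocking_enabled` is undefined the template errors out instead of keeping blocking on; `BLOCKING_ENABLED={{ app_pihole_blocking_enabled | default(true) | string | lower }}` makes blocking the safe default and leaves the group_vars override in charge. The hunk also fixes the missing trailing newline on the previous last line. The earlier keys of the file are outside the hunk.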
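Review bot: `{% if not (route.backend | default('') is string) %}` reads more naturally as `{% if route.backend | default('') is not string %}`, which Jinja supports and which matches the `default()`-guarded tests already used in this template. A comment above the block, `{# lb_policy applies only to routes with a list of backends #}`, would explain why the key is gated on the backend's type rather than on `backend_lb_policy` being set. The enclosing `routes` loop begins above the hunk.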
From: Lukas Holota Date: Fri, 19 Jul 2024 16:24:48 +0200 Subject: [PATCH 42/51] Checkpoint --- inventory/group_vars/all/ups.sops.yaml | 41 ++++++++ inventory/group_vars/all/ups.yaml | 16 +++ inventory/group_vars/all/users.sops.yaml | 49 +++++++++ inventory/group_vars/pve_nodes/ssh.yaml | 7 ++ inventory/hosts.yaml | 77 ++++++++++++++ package.json | 10 +- playbooks/_all.yaml | 12 +-- playbooks/containers/_common.yaml | 11 -- playbooks/containers/cloudflared.yaml | 36 ------- playbooks/containers/frigate.yaml | 33 ------ playbooks/containers/homepage.yaml | 33 ------ playbooks/containers/monitoring.yaml | 37 ------- playbooks/containers/mqtt.yaml | 28 ----- playbooks/containers/pihole.yaml | 48 --------- playbooks/containers/pomerium.yaml | 28 ----- playbooks/containers/smtp-relay.yaml | 33 ------ playbooks/containers/unifi-controller.yaml | 28 ----- playbooks/local/setup.yaml | 23 ----- playbooks/local/ssh.yaml | 53 ++++++---- playbooks/proxmox/cluster.yaml | 33 ------ playbooks/proxmox/nodes.yaml | 113 --------------------- playbooks/pve-guests.yaml | 35 +++++++ playbooks/pve-nodes.yaml | 63 ++++++++++++ playbooks/templates/init-container.sh.j2 | 46 +++++++++ requirements.yaml | 34 +++---- tools/apply.sh | 24 +---- tools/clearkeys.sh | 5 - tools/install.sh | 3 +- tools/tests.sh | 46 --------- tools/validations.js | 44 -------- 30 files changed, 387 insertions(+), 662 deletions(-) create mode 100644 inventory/group_vars/all/ups.sops.yaml create mode 100644 inventory/group_vars/all/ups.yaml create mode 100644 inventory/group_vars/all/users.sops.yaml create mode 100644 inventory/group_vars/pve_nodes/ssh.yaml create mode 100644 inventory/hosts.yaml delete mode 100644 playbooks/containers/_common.yaml delete mode 100644 playbooks/containers/cloudflared.yaml delete mode 100644 playbooks/containers/frigate.yaml delete mode 100644 playbooks/containers/homepage.yaml delete mode 100644 playbooks/containers/monitoring.yaml delete mode 100644 playbooks/containers/mqtt.yaml 
delete mode 100644 playbooks/containers/pihole.yaml delete mode 100644 playbooks/containers/pomerium.yaml delete mode 100644 playbooks/containers/smtp-relay.yaml delete mode 100644 playbooks/containers/unifi-controller.yaml delete mode 100644 playbooks/proxmox/cluster.yaml delete mode 100644 playbooks/proxmox/nodes.yaml create mode 100644 playbooks/pve-guests.yaml create mode 100644 playbooks/pve-nodes.yaml create mode 100644 playbooks/templates/init-container.sh.j2 delete mode 100755 tools/clearkeys.sh delete mode 100755 tools/tests.sh delete mode 100644 tools/validations.js diff --git a/inventory/group_vars/all/ups.sops.yaml b/inventory/group_vars/all/ups.sops.yaml new file mode 100644 index 0000000..da64e65 --- /dev/null +++ b/inventory/group_vars/all/ups.sops.yaml 
@@ -0,0 +1,41 @@ +ups_observer_password: ENC[AES256_GCM,data:6hOusAECGlOcRfvlfrScBQCT,iv:+WSb3FOVY9XaNzW32aJBXI4d9f6sp+MvuIBP2h7JvGk=,tag:W0ZF3EZd7wFQPN9dWSCSDw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RXhJZTVqM0tKalQ5RWQz + cUFUM0lsdlFjVi9wZlBtZmZpZzZkMC9hUlVjClI2VW5XdE5talFsemovaitxbjFM + TVAxbHRaSysvcXo1VnhWa3gyckl1R3cKLS0tIFlJNllOcE9OVmFydHlWMk1nbm1x + czhTc3hjY2diUmZuaFdOMDRKVmVZZncKoQ1GwgWjY773aUPwIno02YMr43VI+gge + FV5SPn/6dBuGtycIHc1V6Fh23xbRTTQGZgPaQW19koKVMrJQQ9ravA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-08T14:57:20Z" + mac: ENC[AES256_GCM,data:Zja+1RBG31quXHXNbGdiyRUkmX5nzAaIi7IWWRR20l5b9ziN/ik1goChD1KIKxjMOfmTcSinW/TGLlJJ1ZNEWA/oaqDmY51xbg2m7x85j3u2O30/A0uJLsUZxp1wWQI085UOBDVwg6lA5qb66S4F+/zCjWLyU6885Qlt7it/zzg=,iv:mArkS0nazzivJ0YvLkLGj+N+Sg/7GToJQqIWFLdj/fw=,tag:SaMul47eT87WECVeYURvCQ==,type:str] + pgp: + - created_at: "2023-06-05T09:01:58Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA7Pg+ndCcR5CAQ//SGwbtb8MrrOyr/bN0MOsLGIRzDMJGPsbOGw9nGNC6bm2 + n7SKyD3fZGIiq5MlF2LeqgWge6dDACdkkMD51S37Fddtiuy/u30q/InmyjsMjjR1 + XBLhicdqXpmLRm1dJzUeS+uv/tq0prIdKNT+70RxRd47XB92QReC7EnSFx/YOG+r + URMVYeEE4qZPP608WFZ6u1QXouYnMb/QRQo3gGKdxif8Q4vJDtmErPehz4gaa8fh + h97bSR85393gvkygDgvJ5bSg+Zl9H/KFO3OI/R5PYWfBhHwBZ8xyKtugCow4qt6I + 1N0SIOtSb4VXQk4Xo0O23T7zPcL6VWRmMOWaq1QsVoCWj9GPxD9EP/XVIvX+AslN + 4QL/OW6Z4M+opTrmyKPO5QlJvrl5QiXMLpmTdX8sFAEz2a0/eRCmz84sbAradpee + U92GMhmrO6T952+NHPaSOwNelOiF0LqAkguxsVwrtBB7NjWGJHuotWAruYUjrlF2 + HbQMuFxNyp8ILwm3aDk2ujQ2Jzy3CAcTbVn/WoufiiOAc9CG4BLquhXT0Td8LZJ4 + xFKf/V+JUpV6W4a7Q8BL8xiYoC8mXFP4guSmKNAYPOkuLv+flVJMEsHlOi4usR88 + fBS3OZz39AOHRZMubKycF6vTmCeZ+skX1/CUooMie7jJHWja/D2ZQIJDpg7SbpHS + XgFwQlC73NhXiftdn/n03eGO6lbWxVkGTUoHwXY6G65sLHzb2J8L/YgrzjdptHdK + 
n8M/uLOoqKXVAKfmVdewYbwvl54F7QylBLJ8Gi0lpg2EQeUpEOzSZ00cBLWZfCg= + =r4qP + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/inventory/group_vars/all/ups.yaml b/inventory/group_vars/all/ups.yaml new file mode 100644 index 0000000..03556f8 --- /dev/null +++ b/inventory/group_vars/all/ups.yaml @@ -0,0 +1,16 @@ +ups_devices: + - name: ups1 + driver: usbhid-ups + description: Eaton 1100 + port: auto + monitored_by: pve1 + # vendor: 0463 + # product: ffff + + - name: ups2 + driver: usbhid-ups + description: Eaton 1500 + port: auto + monitored_by: pve2 + # vendor: 0463 + # product: ffff \ No newline at end of file diff --git a/inventory/group_vars/all/users.sops.yaml b/inventory/group_vars/all/users.sops.yaml new file mode 100644 index 0000000..a8e18e4 --- /dev/null +++ b/inventory/group_vars/all/users.sops.yaml 
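Review bot: The commented-out `# vendor: 0463` would, if ever uncommented as written, be parsed as a number rather than the USB vendor id string (`0463` is octal 307 under YAML 1.1 and decimal 463 under 1.2); quote it now as `# vendor: "0463"`, and `# product: "ffff"` for consistency, so the future edit is a plain uncomment. A short note on each device explaining why `port: auto` is acceptable for two identical `usbhid-ups` units (presumably each node sees only its own) would also help. The file has no `---` document start and ends without a trailing newline.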
@@ -0,0 +1,49 @@ +users_root_password: ENC[AES256_GCM,data:osVLSgM4D1h190pue4ixuR/ageZqdyN8rz6zATOAHb/Ggg==,iv:fXa38OqhwyOShqE9Md22e/OUjeJIj1UYQOYe0xo/gvM=,tag:nxNR9UzpWJ1r74V7Oe2Xow==,type:str] +users_root_password_salt: ENC[AES256_GCM,data:ow2yKqOruFRJRqMs9e7aGA==,iv:pf8VAYaJqchNTImR56m5JwY1yUK/OCKu5lMfCDdVrG8=,tag:UteFoWFXcNsxZbqdUM6C+A==,type:str] +users_admin_users: + - username: ENC[AES256_GCM,data:IiH/5tGxww==,iv:MtuXPDoTp1X1dAlJ39xV1l/gNGFgbA98sLhhx4AtomU=,tag:7g/8IlL2UIfEoOfMZgxuPQ==,type:str] + public_keys: + - ENC[AES256_GCM,data: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,iv:lffsvnH3gzYIXCgyS/lK3Y4Elbqg+HioPb3I0WZUOPQ=,tag:FOg1pOIeYI5d+XDNjzQGAQ==,type:str] + - ENC[AES256_GCM,data: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,iv:B9gVFmR9RLajkcUfNIe/5Tpi4z5CcfZyI76bmLFOBxo=,tag:6YzAEaKpmsE7nrlnqVq+GA==,type:str] +ssh_allowed_users: + - ENC[AES256_GCM,data:HF8YTmKN+Q==,iv:aHIWB34sk+gLbuWB4ZD5oOIpM09egrYizhWLxc13mh0=,tag:CPEdUBdDpcJpTrqWUJYgqQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Sndlcjd3bUtycHhBWXF5 + NnBFdEVHc2hzR1pMRHhDMDJKWWpxUXBlblMwCnJ4WGxSeUM0MkRIenVqTmlGQ3dx + UTBvZkI0ZmZVSnhjazJYVUM2allJUGcKLS0tIDdJWitBSFpEb29Gc3NIMldVdGRV + aWN1V0VMcVVSTUI4eDY1L3dmaCs0SU0KkzPO20YfskpLYPYeNu09SGA6243cVGTf + MDOHatdRs2CkZNEw2A6xaoIXnj0Rr+N9sfrdAWRsCBBRxyfgxw1Bog== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-27T09:42:12Z" + mac: ENC[AES256_GCM,data:zUBrb08E1rVzSVmD9uoKP0cVsVvlzZ4WCsJ3u4Rhp24UWJTZSDwukwtBj8mZsjm93Reyp8zWjsEI2dzVf5RLbBNHM49nfp/jjG/KoUUhxhv8CM5QgxxtfVI59jFkhibfDIe6wSjCGOVXsS7wgsd4hsk4qM+AAlTj/Ki9QQbIxzc=,iv:dbO4FezniKhQOcEXIcls0sh0CCiMcIBsclS6rMpuI+s=,tag:rth9Rby0RxD5MdK1dnOi2A==,type:str] + pgp: + - created_at: "2023-06-05T09:01:59Z" + enc: | + -----BEGIN PGP MESSAGE----- + + 
hQIMA7Pg+ndCcR5CARAAhgn5QVDIe74f3jPc6UeLebhptknDLqxrD/zO0xEs7BX9 + XOy47z0jhdLruO+i9AxpFJxSX6VQ/D3DuLKTTikvTk0UYU6BEIVbw90UsLdY+g2K + beRsFeql7tKAYF2FQuPWGKzE7ee6TVypLD+VBXYuQOvpdd4sZCJ/qMlfMGMBrALZ + sV19IPtHnvFjtLKXO2/QyFk4OJfLAG6i+vuwtAokxSGMGab+F0iDhoCXo+YjbTR+ + aTropldbOOudDDb4VFNDSkza7TI2gm4vyOjYN+i27D001ulywsBzO0/pXlb+ajZS + BlN4rGU+I4wsBDp841FTNZPy9Lf7vYsVPD+WFQpqr1VJOn3TAt/Dw5GsPVuux77Z + WjsVpxtXGWSt3esX6uOCT8ErOWN45ZmMdHK8Fdq63P11RlmUwox2GhNIcouT+s44 + nhnpL2ZgLmZ1LS8DxG/ZRylgelGSnZjIxCDjtZ1zuqUJYJSyZWV57fD0Gs8mEHMk + SGntsuvkIqAUY0lk4kDFWqbLveyZgvu2hU4KvdWZEhfOK44fc2NAXGQY9O/ucdWD + Cae1jeygtFREp+ANsCkyErnSg4wrxZd29rJVjvUx4B3n4yMzgk15rO4r2i2QGeNE + T3QQC/JeLqFfvlhIYRjuZY+dqW0PomEjWDdSJF4ReXRvw/L2Usik5ktZgPJHQKvS + XAG4cJV6FNAEsnVzoDFN66sWq3RoGDSktvP765CHi1A3K+8WMrB765fn4eIyEye3 + 6aPbn7PNYSNluMdh9Z44nUrmS+tve+gBlLocwHHYZ6MyyIngsuhbEXKAEPIh + =3kz5 + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/inventory/group_vars/pve_nodes/ssh.yaml b/inventory/group_vars/pve_nodes/ssh.yaml new file mode 100644 index 0000000..83318cd --- /dev/null +++ b/inventory/group_vars/pve_nodes/ssh.yaml @@ -0,0 +1,7 @@ +ssh_allow_root_login_trusted_clients: + - 10.1.2.16 + - 10.1.2.17 + - 10.1.2.18 + - 10.1.8.16 + - 10.1.8.17 + - 10.1.8.18 \ No newline at end of file diff --git a/inventory/hosts.yaml b/inventory/hosts.yaml new file mode 100644 index 0000000..5753639 --- /dev/null +++ b/inventory/hosts.yaml 
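Review bot: `ssh_allow_root_login_trusted_clients` in `inventory/group_vars/pve_nodes/ssh.yaml` permits root SSH login from six addresses, but nothing records what they are; `10.1.2.16`–`10.1.2.18` match the `ansible_host` values of `pve1`–`pve3` in `inventory/hosts.yaml`, while the `10.1.8.x` addresses appear nowhere else in this diff. A one-line comment per group, e.g. `# pve1-3, see inventory/hosts.yaml` and `# <label the 10.1.8.x addresses here>`, would let a later reviewer confirm the list is still the minimum required. The file also ends without a trailing newline.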
@@ -0,0 +1,77 @@
+all:
+ vars:
+ ansible_user: lholota
+ domain: homecentr.one
+ ups_shutdown_command: "systemctl stop ve-ha-crm & systemctl stop pve-ha-lrm && /sbin/shutdown -h +0"
+ children:
+ pve_nodes:
+ hosts:
+ pve1:
+ ansible_host: 10.1.2.16
+ ansible_hostname: pve1
+ ups_name: ups1
+ pve2:
+ ansible_host: 10.1.2.17
+ ansible_hostname: pve2
+ ups_name: ups2
+ pve3:
+ ansible_host: 10.1.2.18
+ ansible_hostname: pve3
+ ups_name: ups1
+ pve_guests:
+ vars:
+ unattended_upgrades_additional_security_only: false # apply all updates
+ children:
+ lxc:
+ vars:
+ node_exporter_args: "--collector.disable-defaults --collector.os --collector.uname --collector.textfile --collector.textfile.directory /var/lib/prometheus/node-exporter"
+ hosts:
+ pihole1:
+ ansible_host: 10.1.2.64
+ ssh_allowed_users:
+ - lholota
+ - gravity
+ pihole2:
+ ansible_host: 10.1.2.65
+ ssh_allowed_users:
+ - lholota
+ - gravity
+ cloudflared1:
+ ansible_host: 10.1.2.66
+ cloudflared2:
+ ansible_host: 10.1.2.67
+ pbs:
+ ansible_host: 10.1.2.68
+ monitoring:
+ ansible_host: 10.1.2.70
+ homepage:
+ ansible_host: 10.1.2.71
+ mqtt:
+ ansible_host: 10.1.2.72
+ frigate:
+ ansible_host: 10.1.2.73
+ snipeit:
+ ansible_host: 10.1.2.74
+ haraka:
+ ansible_host: 10.1.2.75
+ unifi_controller:
+ ansible_host: 10.1.2.76
+ docs:
+ ansible_host: 10.1.2.77
+ autosnap:
+ ansible_host: 10.1.2.78
+ myspeed:
+ ansible_host: 10.1.2.80
+ immich:
+ ansible_host: 10.1.2.82
+ vm:
+ hosts:
+ pomerium:
+ ansible_host: 10.1.2.69
+ ansible_hostname: app-pomerium
+ coder:
+ ansible_host: 10.1.2.79
+ ansible_hostname: app-coder
+ nextcloud:
+ ansible_host: 10.1.2.81
+ ansible_hostname: app-nextcloud
\ No newline at end of file
diff --git a/package.json b/package.json
index 95b2389..07b87b1 100644
--- a/package.json
+++ b/package.json
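Review bot: `ups_shutdown_command` in `inventory/hosts.yaml` joins the two `systemctl stop` calls with a single `&`, so the first stop is backgrounded and the second one runs concurrently rather than after it succeeds; `&&` looks intended, as used between the second stop and the `shutdown`. The first unit name `ve-ha-crm` also looks like a typo for `pve-ha-crm`, given the sibling unit is spelled `pve-ha-lrm` — if so, the backgrounded stop fails harmlessly and the node proceeds to shut down with the CRM still running. Suggested line: `ups_shutdown_command: "systemctl stop pve-ha-crm && systemctl stop pve-ha-lrm && /sbin/shutdown -h +0"`.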
@@ -8,14 +8,8 @@ "scripts": { "install": "./tools/install.sh", "lint": "ANSIBLE_CONFIG=\"./ansible.cfg\" ansible-lint", - "lab:clear-keys": "./tools/clearkeys.sh", - "lab:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh lab proxmox/nodes -u root -e ansible_user=root --tags init -k", - "lab:apply": "./tools/apply.sh lab", - "lab:test:local": "./tools/tests.sh 'lab.local' ./tests --skiptags remoteonly -e local:lab --suiteRetries 3", - "lab:test:remote": "", - "prod:init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh prod proxmox/nodes -u root -e ansible_user=root --tags init -k", - "prod:apply": "./tools/apply.sh prod", - "validate-values": "node ./tools/validations.js" + "init:pve": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh pve-nodes -u root -e ansible_user=root --tags init -k", + "apply": "./tools/apply.sh" }, "devDependencies": { "@homecentr/yaml-diff": "1.1.7", diff --git a/playbooks/_all.yaml b/playbooks/_all.yaml index 71bbd24..1faaf25 100644 --- a/playbooks/_all.yaml +++ b/playbooks/_all.yaml @@ -1,9 +1,3 @@ -- import_playbook: proxmox/nodes.yaml -- import_playbook: proxmox/cluster.yaml -- import_playbook: containers/pihole.yaml -- import_playbook: containers/cloudflared.yaml -- import_playbook: containers/mqtt.yaml -- import_playbook: containers/pomerium.yaml -- import_playbook: containers/homepage.yaml -- import_playbook: containers/monitoring.yaml -- import_playbook: containers/frigate.yaml \ No newline at end of file +- ansible.builtin.import_playbook: pve-nodes.yaml +- ansible.builtin.import_playbook: pve-guests.yaml + \ No newline at end of file diff --git a/playbooks/containers/_common.yaml b/playbooks/containers/_common.yaml deleted file mode 100644 index 6f08cc7..0000000 --- a/playbooks/containers/_common.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -- name: Configure users - ansible.builtin.import_role: - name: homecentr.system.users - -- name: Configure ssh - ansible.builtin.import_role: - name: homecentr.system.ssh - -- name: Configure motd - ansible.builtin.import_role: - name: homecentr.system.motd \ No newline at end of file diff --git a/playbooks/containers/cloudflared.yaml b/playbooks/containers/cloudflared.yaml deleted file mode 100644 index d454c78..0000000 --- a/playbooks/containers/cloudflared.yaml +++ /dev/null @@ -1,36 +0,0 @@ -- name: Create application container - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Create application container cloudflared1 - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: "cloudflared1" - tags: [ container ] - - - name: Create application container cloudflared2 - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: "cloudflared2" - tags: [ container ] - -- name: Setup Cloudflared containers - hosts: cloudflared - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Run common set up - ansible.builtin.import_tasks: - file: _common.yaml - tags: [ common ] - - - name: Install cloudflared - ansible.builtin.import_role: - name: ../../roles/app-cloudflared - tags: [ cloudflared ] - \ No newline at end of file diff --git a/playbooks/containers/frigate.yaml b/playbooks/containers/frigate.yaml deleted file mode 100644 index aa74406..0000000 --- a/playbooks/containers/frigate.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -- name: Create application container - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Create application container - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: "frigate" - tags: [ container ] - -- name: Setup Frigate container - hosts: frigate - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Run common set up - ansible.builtin.include_tasks: - file: _common.yaml - tags: [ common ] - - - name: Install Docker - ansible.builtin.import_role: - name: ../../roles/docker - tags: [ docker ] - - - name: Install Frigate - ansible.builtin.import_role: - name: ../../roles/app-frigate - tags: [ frigate ] diff --git a/playbooks/containers/homepage.yaml b/playbooks/containers/homepage.yaml deleted file mode 100644 index 0d1614a..0000000 --- a/playbooks/containers/homepage.yaml +++ /dev/null @@ -1,33 +0,0 @@ -- name: Create application container - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Create application container - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: homepage - tags: [ container ] - -- name: Setup Homepage container - hosts: homepage - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Run common set up - ansible.builtin.import_tasks: - file: _common.yaml - tags: [ common ] - - - name: Install Docker - ansible.builtin.import_role: - name: ../../roles/docker - tags: [ docker ] - - - name: Install homepage - ansible.builtin.import_role: - name: ../../roles/app-homepage - tags: [ homepage ] diff --git a/playbooks/containers/monitoring.yaml b/playbooks/containers/monitoring.yaml deleted file mode 100644 index 9cc93dd..0000000 --- a/playbooks/containers/monitoring.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -- name: Create application container - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Create application container - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: "monitoring" - tags: [ container ] - -- name: Setup Monitoring container - hosts: monitoring - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Run common set up - ansible.builtin.import_tasks: - file: _common.yaml - tags: [ common ] - - - name: Install Docker - ansible.builtin.import_role: - name: ../../roles/docker - tags: [ docker ] - - - name: Install gatus - ansible.builtin.import_role: - name: ../../roles/app-gatus - tags: [ gatus ] - - # TODO: Prometheus - # TODO: Grafana - \ No newline at end of file diff --git a/playbooks/containers/mqtt.yaml b/playbooks/containers/mqtt.yaml deleted file mode 100644 index 42ab6a4..0000000 --- a/playbooks/containers/mqtt.yaml +++ /dev/null @@ -1,28 +0,0 @@ -- name: Create application container - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Create application container - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: "mqtt" - tags: [ container ] - -- name: Setup Pomerium containers - hosts: mqtt - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Run common set up - ansible.builtin.include_tasks: - file: _common.yaml - tags: [ common ] - - - name: Install Mosquitto - ansible.builtin.import_role: - name: ../../roles/app-mosquitto - tags: [ mosquitto ] diff --git a/playbooks/containers/pihole.yaml b/playbooks/containers/pihole.yaml deleted file mode 100644 index b11f7e4..0000000 --- a/playbooks/containers/pihole.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -- name: Create application container - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Create phole1 container - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: "pihole1" - tags: [ container ] - - - name: Create phole2 container - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: "pihole2" - tags: [ container ] - -- name: Setup Pihole containers - hosts: pihole - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Run common set up - ansible.builtin.import_tasks: - file: _common.yaml - tags: [ common ] - - - name: Create pihole group - ansible.builtin.group: - name: pihole - tags: [ pihole ] - - - name: Create pihole user - ansible.builtin.user: - name: pihole - group: pihole - create_home: true - tags: [ pihole ] - - - name: Install pihole - ansible.builtin.import_role: - name: ../../roles/app-pihole - tags: [ pihole ] - \ No newline at end of file diff --git a/playbooks/containers/pomerium.yaml b/playbooks/containers/pomerium.yaml deleted file mode 100644 index 6913f73..0000000 --- a/playbooks/containers/pomerium.yaml +++ /dev/null @@ -1,28 +0,0 @@ -- name: Create application container - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Create application container - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: "pomerium" - tags: [ container ] - -- name: Setup Pomerium containers - hosts: pomerium - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Run common set up - ansible.builtin.include_tasks: - file: _common.yaml - tags: [ common ] - - - name: Install pomerium - ansible.builtin.import_role: - name: ../../roles/app-pomerium - tags: [ pomerium ] 
diff --git a/playbooks/containers/smtp-relay.yaml b/playbooks/containers/smtp-relay.yaml deleted file mode 100644 index 4185ad8..0000000 --- a/playbooks/containers/smtp-relay.yaml +++ /dev/null @@ -1,33 +0,0 @@ -- name: Create application container - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Create application container - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: smtp_relay - tags: [ container ] - -- name: Setup SMTP relay container - hosts: smtp_relay - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Run common set up - ansible.builtin.include_tasks: - file: _common.yaml - tags: [ common ] - - - name: Install Docker - ansible.builtin.import_role: - name: ../../roles/docker - tags: [ docker ] - - - name: Install Haraka relay - ansible.builtin.import_role: - name: ../../roles/app-haraka - tags: [ haraka ] diff --git a/playbooks/containers/unifi-controller.yaml b/playbooks/containers/unifi-controller.yaml deleted file mode 100644 index dfef620..0000000 --- a/playbooks/containers/unifi-controller.yaml +++ /dev/null @@ -1,28 +0,0 @@ -- name: Create application container - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Create application container - ansible.builtin.import_role: - name: ../../roles/app-container - vars: - container_inventory_name: "unifi_controller" - tags: [ container ] - -- name: Setup Unifi Controller container - hosts: unifi_controller - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Run common set up - ansible.builtin.include_tasks: - file: _common.yaml - tags: [ common ] - - - name: Install Unifi Controller - ansible.builtin.import_role: - name: ../../roles/app-unifi-controller - tags: [ unifi, unifi-controller ] 
diff --git a/playbooks/local/setup.yaml b/playbooks/local/setup.yaml index 6428fc2..f90a249 100644 --- a/playbooks/local/setup.yaml +++ b/playbooks/local/setup.yaml @@ -38,26 +38,3 @@ - sshpass - cloudflared - grepcidr - - - name: Create proxy command script (for wsl) - become: false - ansible.builtin.copy: - dest: "{{ lookup('env', 'HOME') }}/.ssh/proxy.sh" - mode: 0700 - force: true - content: | - #!/usr/bin/env bash - - # $1 = FQDN of the host - # $2 = Remote user - # $3 = Remote port - - IP=$(dig -t a $1 +short @ | tail -n1) - LOCAL_IP=$(echo "$IP" | grepcidr "10.0.0.0/8") - - if [ -z "$LOCAL_IP" ]; then - echo "Remote, using Cloudflare Access..." - /usr/local/bin/cloudflared access ssh --hostname $1 - else - ssh $2@$1 - fi \ No newline at end of file diff --git a/playbooks/local/ssh.yaml b/playbooks/local/ssh.yaml index c22668b..688eba0 100644 --- a/playbooks/local/ssh.yaml +++ b/playbooks/local/ssh.yaml 
@@ -4,26 +4,35 @@ become: true become_method: ansible.builtin.sudo tasks: - - name: Add a host into the configuration (short name) - become: false - community.general.ssh_config: - user: "{{ ansible_user }}" - host: "{{ hostvars[item].ansible_hostname }}" - hostname: "{{ hostvars[item].ansible_hostname }}" - forward_agent: true # To enable YubiKey forwarding - proxycommand: "{{ lookup('env', 'HOME') }}/.ssh/proxy.sh %h %r" - remote_user: "{{ ansible_user }}" - state: present - with_items: "{{ groups['all'] }}" + - name: Enable CanonicalizeHostname + ansible.builtin.lineinfile: + path: "{{ lookup('env', 'HOME') }}/.ssh/config" + owner: "{{ lookup('env', 'USER') }}" + group: "{{ lookup('env', 'USER') }}" + mode: "0600" + regex: "^CanonicalizeHostname .*" + line: "CanonicalizeHostname yes" + insertbefore: BOF - - name: Add a host into the configuration (full name) - become: false - community.general.ssh_config: - user: "{{ ansible_user }}" - host: "{{ hostvars[item].ansible_hostname }}" - hostname: "{{ hostvars[item].ansible_hostname }}.{{ domain }}" - forward_agent: true # To enable YubiKey forwarding - proxycommand: "{{ lookup('env', 'HOME') }}/.ssh/proxy.sh %h %r" - remote_user: "{{ ansible_user }}" - state: present - with_items: "{{ groups['all'] }}" + - name: Configure CanonicalDomains + ansible.builtin.lineinfile: + path: "{{ lookup('env', 'HOME') }}/.ssh/config" + owner: "{{ lookup('env', 'USER') }}" + group: "{{ lookup('env', 'USER') }}" + mode: "0600" + regex: "^CanonicalDomains .*" + line: "CanonicalDomains {{ domain }}" + insertbefore: BOF + + - name: Add match blocks to the ssh config + ansible.builtin.blockinfile: + path: "{{ lookup('env', 'HOME') }}/.ssh/config" + create: false + marker: "# {mark} Homecentr SSH configuration" + block: | + Match host=pve*.{{ domain }},app-*.{{ domain }} exec "dig -t a '%h' +short | tail -n1 | grepcidr '10.0.0.0/8'" + ForwardAgent yes + + Match host=pve*.{{ domain }},app-*.{{ domain }} exec "dig -t a '%h' +short | tail -n1 
| grepcidr -v '10.0.0.0/8'" + ForwardAgent yes + ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h diff --git a/playbooks/proxmox/cluster.yaml b/playbooks/proxmox/cluster.yaml deleted file mode 100644 index c76e90f..0000000 --- a/playbooks/proxmox/cluster.yaml +++ /dev/null @@ -1,33 +0,0 @@ -- name: Proxmox Virtual Environment Configuration - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - - name: Download Container templates - ansible.builtin.get_url: - url: "{{ item }}" - dest: "/var/lib/vz/template/cache/{{ item | basename }}" - loop: "{{ pve_ct_templates }}" - tags: - - ct_templates - - - name: Configure cluster-level options - ansible.builtin.import_role: - name: ../../roles/pve_cluster_options - tags: cluster_options - - - name: Configure cluster-level firewall - ansible.builtin.import_role: - name: ../../roles/pve_cluster_firewall - tags: firewall - - - name: Configure HA - ansible.builtin.import_role: - name: ../../roles/pve_cluster_ha - tags: ha - - - name: Install and configure getssl - ansible.builtin.import_role: - name: ../../roles/pve_cluster_getssl - tags: getssl \ No newline at end of file diff --git a/playbooks/proxmox/nodes.yaml b/playbooks/proxmox/nodes.yaml deleted file mode 100644 index 6c696af..0000000 --- a/playbooks/proxmox/nodes.yaml +++ /dev/null 
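Review bot: The two `ansible.builtin.lineinfile` tasks set `owner`, `group` and `mode` but not `create: true`, so on a workstation where `~/.ssh/config` does not exist yet the first task fails instead of creating the file; the following `blockinfile` task passes `create: false` explicitly and therefore relies on the earlier tasks having created it. Add `create: true` to both `lineinfile` tasks, or precede them with an `ansible.builtin.file` task that creates the file with `mode: "0600"`. Both `Match` blocks also set `ForwardAgent yes`, including on the Cloudflare-proxied path; a short comment in the block stating that agent forwarding to these hosts is intentional would document the trust being extended, since anything running as root on the target can use the forwarded agent for the life of the session.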
@@ -1,113 +0,0 @@ -- name: Proxmox Virtual Environment Configuration - hosts: pve_nodes - become: true - become_method: ansible.builtin.sudo - any_errors_fatal: true - tasks: - # Must run before users to make sure the apt repositories are configured in order to install sudo - - name: Configure proxmox apt repositories - ansible.builtin.import_role: - name: homecentr.proxmox.pve_apt - tags: [ init, apt ] - - # Root's password must be set so that it can be used to communicate with Proxmox API - - name: Create users - ansible.builtin.import_role: - name: homecentr.system.users - tags: [ init, users ] - - - name: Configure proxmox user and their permissions - ansible.builtin.import_role: - name: homecentr.proxmox.pve_users - tags: [ init, users ] - - - name: Configure https port forwarding - ansible.builtin.import_role: - name: homecentr.proxmox.pve_https_forward - tags: [ pve-https-forward ] - - - name: Configure PCI passthrough dependencies - ansible.builtin.import_role: - name: homecentr.proxmox.pve_pci_passthrough - tags: [ pve-pci-passthrough ] - - - name: Configure SMTP - ansible.builtin.import_role: - name: homecentr.proxmox.pve_smtp - tags: [ pve-smtp ] - - - name: Configure SSO via Open ID - ansible.builtin.import_role: - name: homecentr.proxmox.pve_sso_openid - tags: [ pve-sso-openid ] - - - name: Apply corosync fix - ansible.builtin.import_role: - name: homecentr.proxmox.pve_corosync_fix - tags: [ corosync ] - - - name: Remove the no-subscription warning - ansible.builtin.import_role: - name: homecentr.proxmox.pve_nosubs_warning - tags: [ no-subs-warning ] - - - name: Configure USB HID quirk for UPS communication - ansible.builtin.import_role: - name: homecentr.system.usbhid_quirk - tags: [ usbhid-quirk ] - - - name: Configure ZFS - ansible.builtin.import_role: - name: homecentr.system.zfs_configuration - tags: [ usbhid-quirk ] - - - name: Configure local storage - ansible.builtin.import_role: - name: homecentr.proxmox.pve_local_storage - tags: [ vm, 
pve-storage ] - vars: - pve_local_storage_api_user: root@pam - pve_local_storage_api_password: "{{ users_root_password }}" - - - name: Create host records for servers - ansible.builtin.import_role: - name: ../../roles/hosts - vars: - hosts_group_name: pve_nodes - tags: - - hosts - - - name: Install benchmarks - ansible.builtin.import_role: - name: homecentr.system.benchmarks - tags: - - benchmarks - - - name: Install lynis - ansible.builtin.import_role: - name: homecentr.system.lynis - tags: - - lynis - - - name: Harden the system according to lynis recommendations - ansible.builtin.import_role: - name: homecentr.system.lynis_hardening - tags: - - lynis - - - name: Install and configure Network UPS tools - ansible.builtin.import_role: - name: homecentr.system.ups - tags: - - ups - - - name: Set up Message-of-the-day - ansible.builtin.import_role: - name: homecentr.system.motd - vars: - motd_enable_ups_status: "true" - tags: - - motd - - - name: Flush handlers before starting the VMs & Containers - ansible.builtin.meta: flush_handlers diff --git a/playbooks/pve-guests.yaml b/playbooks/pve-guests.yaml new file mode 100644 index 0000000..3f142af --- /dev/null +++ b/playbooks/pve-guests.yaml 
@@ -0,0 +1,35 @@
+- name: PVE guests
+ hosts: pve_guests
+ become: true
+ become_method: ansible.builtin.sudo
+ any_errors_fatal: true
+ tasks:
+ - name: Create users
+ ansible.builtin.import_role:
+ name: homecentr.system.users
+ tags: [ init, users ]
+
+ - name: Configure SSH
+ ansible.builtin.import_role:
+ name: homecentr.system.ssh
+ tags: [ init, ssh ]
+
+ - name: Set up Message-of-the-day
+ ansible.builtin.import_role:
+ name: homecentr.system.motd
+ tags: [ motd ]
+
+ - name: Set up unattended upgrades
+ ansible.builtin.import_role:
+ name: homecentr.system.unattended_upgrades
+ tags: [ upgrades ]
+
+ - name: Set up etckeeper
+ ansible.builtin.import_role:
+ name: homecentr.system.etckeeper
+ tags: [ etckeeper ]
+
+ - name: Set up Node Exporter
+ ansible.builtin.import_role:
+ name: homecentr.system.node_exporter
+ tags: [ node-exporter ]
\ No newline at end of file
diff --git a/playbooks/pve-nodes.yaml b/playbooks/pve-nodes.yaml
new file mode 100644
index 0000000..0d1058e
--- /dev/null
+++ b/playbooks/pve-nodes.yaml
@@ -0,0 +1,63 @@
+- name: Proxmox Virtual Environment Configuration
+ hosts: pve_nodes
+ become: true
+ become_method: ansible.builtin.sudo
+ any_errors_fatal: true
+ tasks:
+ # Must run before users to make sure the apt repositories are configured in order to install sudo
+ - name: Configure proxmox apt repositories
+ ansible.builtin.import_role:
+ name: homecentr.proxmox.pve_apt
+ tags: [ init, apt ]
+
+ # Root's password must be set so that it can be used to communicate with Proxmox API
+ - name: Create users
+ ansible.builtin.import_role:
+ name: homecentr.system.users
+ tags: [ init, users ]
+
+ - name: Configure SSH
+ ansible.builtin.import_role:
+ name: homecentr.system.ssh
+ tags: [ init, ssh ]
+
+ - name: Configure https port forwarding
+ ansible.builtin.import_role:
+ name: homecentr.proxmox.pve_https_forward
+ tags: [ pve-https-forward ]
+
+ - name: Install and configure Network UPS tools
+ ansible.builtin.import_role:
+ name: homecentr.system.ups
+ tags: [ ups ]
+
+ - name: Set up Message-of-the-day
+ ansible.builtin.import_role:
+ name: homecentr.system.motd
+ vars:
+ motd_enable_ups_status: "true"
+ tags: [ motd ]
+
+ - name: Install lynis
+ ansible.builtin.import_role:
+ name: homecentr.system.lynis
+ tags: [ lynis ]
+
+ - name: Create init container script
+ ansible.builtin.copy:
+ dest: /usr/sbin/pct-init-container
+ mode: 0750
+ owner: root
+ group: root
+ content: "{{ lookup('template', 'init-container.sh.j2') }}"
+ tags: [ container-init-script ]
+
+ - name: Set up etckeeper
+ ansible.builtin.import_role:
+ name: homecentr.system.etckeeper
+ tags: [ etckeeper ]
+
+ - name: Set up Node Exporter
+ ansible.builtin.import_role:
+ name: homecentr.system.node_exporter
+ tags: [ node-exporter ]
\ No newline at end of file
diff --git a/playbooks/templates/init-container.sh.j2 b/playbooks/templates/init-container.sh.j2
new file mode 100644
index 0000000..c6de582
--- /dev/null
+++ b/playbooks/templates/init-container.sh.j2
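Review bot: The `Create init container script` task renders the template via `lookup('template', ...)` inside `ansible.builtin.copy`; `ansible.builtin.template` with `src: init-container.sh.j2` does the same rendering without the lookup indirection and is the idiomatic form. `mode: 0750` is also an unquoted octal literal, which YAML 1.1 parsers read as the integer 488 — it happens to produce the right mode, but ansible-lint flags it, and `playbooks/local/ssh.yaml` in this same commit quotes its modes (`mode: "0600"`). Suggested change: `ansible.builtin.template:` / `src: init-container.sh.j2` / `mode: "0750"`, keeping `dest`, `owner` and `group` as they are.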
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+read -r -d '' SCRIPT << EOM
+set -e
+
+apt-get update
+apt-get install -y sudo
+
+# Enable passwordless sudo
+sed -i -E 's/%sudo\s+ALL=\(ALL:ALL\)\s+ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/' /etc/sudoers
+
+{% for user in users_admin_users %}
+id -u {{ user.username }} > /dev/null || adduser --disabled-password --gecos GECOS {{ user.username }}
+
+usermod -a -G sudo {{ user.username }}
+
+# Create home dir
+mkdir -p /home/{{ user.username }}
+chown {{ user.username }} /home/{{ user.username }}
+chgrp {{ user.username }} /home/{{ user.username }}
+chmod 0700 /home/{{ user.username }}
+
+# Create .ssh directory
+mkdir -p /home/{{ user.username }}/.ssh
+chown {{ user.username }} /home/{{ user.username }}/.ssh
+chgrp {{ user.username }} /home/{{ user.username }}/.ssh
+chmod 0700 /home/{{ user.username }}/.ssh
+
+# Configure public keys
+echo "" > /home/{{ user.username }}/.ssh/authorized_keys
+{% for public_key in user.public_keys %}
+echo "{{ public_key }}" >> /home/{{ user.username }}/.ssh/authorized_keys
+{% endfor %}
+{% endfor %}
+
+# Add allowed ssh users
+SSH_ALLOWED_USERS="AllowUsers {{ ssh_allowed_users | join(' ') }}"
+grep -q "AllowedUsers " /etc/ssh/sshd_config || echo "$SSH_ALLOWED_USERS" >> /etc/ssh/sshd_config
+
+# Apply sshd changes
+systemctl restart sshd
+
+echo "Done :)"
+EOM
+
+pct exec $1 -- bash -c "$SCRIPT"
\ No newline at end of file
diff --git a/requirements.yaml b/requirements.yaml
index 4fe015e..5277aab 100644
--- a/requirements.yaml
+++ b/requirements.yaml
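Review bot: The heredoc delimiter is unquoted (`<< EOM`), so `$SSH_ALLOWED_USERS` on the `grep ... || echo` line is expanded on the Proxmox host when `read` runs — where the variable is unset — and the script that reaches the container appends an empty line to `sshd_config` instead of the `AllowUsers` directive. The idempotency check is also mismatched: it greps for `AllowedUsers ` while the directive it writes is `AllowUsers`, so a previous run is never detected. Quote the delimiter, `read -r -d '' SCRIPT << 'EOM'`, and grep for the real directive, `grep -q "^AllowUsers " /etc/ssh/sshd_config || echo "$SSH_ALLOWED_USERS" >> /etc/ssh/sshd_config`; with a quoted delimiter nothing else in the body changes, since every other `$` in it is meant to be evaluated inside the container. The final `pct exec $1` should be `pct exec "$1"` as well.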
@@ -1,26 +1,22 @@ --- collections: - - name: ansible.posix - version: 1.4.0 - - name: ansible.utils - version: 2.7.0 - - name: oasis_roles.system - - name: community.general - version: 8.4.0 - - name: gluster.gluster - version: 1.0.2 - - name: kubernetes.core - version: 2.3.2 - - name: community.crypto - version: 2.5.0 - - name: community.sops - version: 1.6.7 + # - name: ansible.posix + # version: 1.5.4 + # - name: ansible.utils + # version: 2.7.0 + # - name: community.general + # version: 8.4.0 + # - name: community.crypto + # version: 2.5.0 + # - name: community.sops + # version: 1.6.7 + - name: prometheus.prometheus - name: https://github.com/homecentr/ansible-collection-system type: git - version: origin/fix/ssh #master + version: origin/feat/simplify #master - name: https://github.com/homecentr/ansible-collection-proxmox type: git - version: origin/fix/https-forward-2 # master + version: origin/feat/simplify # master roles: - name: geerlingguy.pip @@ -30,9 +26,5 @@ roles: - name: geerlingguy.clamav - name: geerlingguy.docker version: 7.1.0 - - name: geerlingguy.helm - version: 1.0.1 - name: geerlingguy.node_exporter version: 2.0.0 - - name: lablabs.rke2 - version: 1.28.0 \ No newline at end of file diff --git a/tools/apply.sh b/tools/apply.sh index 8482afa..6c564e6 100755 --- a/tools/apply.sh +++ b/tools/apply.sh 
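Review bot: Both git-sourced collections are now pinned to a moving branch (`version: origin/feat/simplify`) and the new `prometheus.prometheus` entry carries no `version` at all, so `ansible-galaxy install --force` (as `tools/install.sh` runs it) fetches whatever those refs resolve to at install time, whereas the removed lines pinned every collection to an exact version. For reproducible and auditable installs, pin the git sources to a tag or full commit SHA, e.g. `version: <COMMIT_SHA_PLACEHOLDER>`, and give `prometheus.prometheus` an explicit `version:`; the `# master` / `#master` trailing comments then become unnecessary. The commented-out `ansible.posix` … `community.sops` entries are dead configuration — either remove them or add a comment saying why they are retained.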
@@ -1,35 +1,17 @@ #!/usr/bin/env bash -case "$1" in - lab) - INVENTORY="./environments/lab" - ;; - prod) - INVENTORY="./environments/prod" - ;; - *) - # else - echo "Error, invalid arguments" - exit 1 - ;; -esac - -PLAYBOOK="./playbooks/${2:-_all}.yaml" +PLAYBOOK="./playbooks/${1:-_all}.yaml" if [ ! -f "$PLAYBOOK" ]; then - printHelp echo "Playbook $PLAYBOOK could not be found" exit 2 fi -shift -shift - export ANSIBLE_CONFIG="./ansible.cfg" -COMMAND="ansible-playbook -i ./environments/shared -i $INVENTORY $PLAYBOOK ${@:1}" +shift -echo $COMMAND +COMMAND="ansible-playbook -i ./inventory $PLAYBOOK ${@:1}" # Execute playbook eval $COMMAND \ No newline at end of file diff --git a/tools/clearkeys.sh b/tools/clearkeys.sh deleted file mode 100755 index d937eb7..0000000 --- a/tools/clearkeys.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/env bash - -ssh-keygen -f ~/.ssh/known_hosts -R 10.1.8.11 -ssh-keygen -f ~/.ssh/known_hosts -R 10.1.8.12 -ssh-keygen -f ~/.ssh/known_hosts -R 10.1.8.13 diff --git a/tools/install.sh b/tools/install.sh index a07ed6e..7b4ad94 100755 --- a/tools/install.sh +++ b/tools/install.sh @@ -4,5 +4,4 @@ ansible-galaxy install -r ./requirements.yaml --force ansible-playbook ./playbooks/local/setup.yaml -ansible-playbook -i ./environments/lab/ ./playbooks/local/ssh.yaml -ansible-playbook -i ./environments/prod/ ./playbooks/local/ssh.yaml \ No newline at end of file +ansible-playbook -i ./inventory/ ./playbooks/local/ssh.yaml \ No newline at end of file diff --git a/tools/tests.sh b/tools/tests.sh deleted file mode 100755 index 917fd0b..0000000 --- a/tools/tests.sh +++ /dev/null 
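Review bot: `eval $COMMAND` re-parses the assembled command line a second time, so any playbook argument containing spaces or quotes (for example an `-e "key=a b"` extra-var) is split or mis-quoted, and a first argument containing shell metacharacters is executed rather than passed through; nothing in `COMMAND` needs a second expansion, so the `eval` is unnecessary. Replace the `COMMAND=` and `eval` lines with a direct call, `ansible-playbook -i ./inventory "$PLAYBOOK" "$@"`. The now-unconditional `shift` also fails when the script is run with no arguments, which is exactly the `${1:-_all}` default case (bash reports it only under `shift_verbose`/POSIX mode, but the status is non-zero); `[ $# -gt 0 ] && shift` keeps the default path clean.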
@@ -1,46 +0,0 @@ -#!/usr/bin/env bash - -ENV_NAME=$1 - -echo "Loading environment variables..." - -set -a -source ./tests/environments/$ENV_NAME.env -set +a - -if [ -z "${WEBDRIVER_HOST}" ]; then - export WEBDRIVER_HOST="localhost" -fi - -if [ -z "${WEBDRIVER_PORT}" ]; then - export WEBDRIVER_PORT="4444" -fi - -if [ "${SKIP_SELENIUM_CONTAINER}" != "1" ]; then - echo "Starting webdriver container..." - docker compose -f ./tests/client/docker-compose.yaml up --force-recreate --detach --remove-orphans - - echo "Waiting for the webdriver to be ready..." - - x=1 - READY=$(curl http://${WEBDRIVER_HOST}:${WEBDRIVER_PORT}/status 2>/dev/null | jq .value.ready) - while [[ "${READY}" -ne "true" ]] - do - sleep 10 - x=$(( $x + 1 )) - - if [ $x -gt 10 ] - then - echo "The selenium container did not get ready in time, ending test run..." - exit 255 - fi - - READY=$(curl http://${WEBDRIVER_HOST}:${WEBDRIVER_PORT}/status 2>/dev/null | jq .value.ready) - done - - echo "Webdriver ready..." -fi - -echo "Running nightwatch..." -TST_COMMAND="nightwatch ${@:2}" -eval $TST_COMMAND diff --git a/tools/validations.js b/tools/validations.js deleted file mode 100644 index 7ec4ecc..0000000 --- a/tools/validations.js +++ /dev/null 
@@ -1,44 +0,0 @@ -const { - diffDirs -} = require("@homecentr/yaml-diff") - -const options = { - fileNameGlob: "**/*.{yml,yaml}", - sopsFilesGlob: "**/*.sops.{yml,yaml}", - ignoreListFunc: (fileName) => { - if(fileName == "hosts.yml") { - return true - } - - if(fileName.match(/pve\d\.y(a)?ml/)) { - return [ - // Managed manually in prod due to bonded NICs - "network_interfaces" - ] - } - - if(fileName.match(/kube\d\.y(a)?ml/)) { - return [ - // Drivers depend on hardware configuration which differs across environments - "nvidia_drivers_driver_package_name" - ] - } - - return [] - } -} - -const differences = diffDirs( - "./environments/lab", - "./environments/prod", - options) - -if (differences.length == 0) { - console.log(`✔️ All files have matching structures`) -} else { - process.exitCode = 1 - - differences.forEach(difference => { - console.log(`❌ ${difference.message}`) - }) -} \ No newline at end of file From 46e57c15a3559bd547e6df61175ecd57d392c2f6 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Fri, 19 Jul 2024 16:25:15 +0200 Subject: [PATCH 43/51] Check 2 --- .sops.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.sops.yaml b/.sops.yaml index ddd2523..cbedd00 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,5 +1,5 @@ creation_rules: - - path_regex: ".*environments.*\\.sops\\.ya?ml$" + - path_regex: ".*inventory.*\\.sops\\.ya?ml$" # Workaround for https://github.com/mozilla/sops/issues/1103 where sops does not currently work correctly with age via YubiKey pgp: 2D1D9C803F35BBC24014C3906601E1EB2454827F # lholota age: > # GitHub From 14449e35dc1fc79a733332d3ddedf33465ce7b68 Mon Sep 17 00:00:00 2001 
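Review bot: With `path_regex` now matching only paths containing `inventory`, the `environments/**/*.sops.yaml` files that still exist at this commit (they are only deleted in the following patch) no longer match this creation rule, so `sops` edits or `updatekeys` on them either fail or, if another rule follows outside this hunk, silently pick up different recipients; landing this change together with the removal, or after it, avoids that window. The leading `.*` also lets the rule match any path that merely contains the word `inventory`; if sops evaluates paths relative to this config file, anchoring it as `path_regex: "^inventory/.*\\.sops\\.ya?ml$"` narrows it to the intended directory. The rest of `creation_rules` is outside the hunk.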
From: Lukas Holota Date: Fri, 19 Jul 2024 16:26:00 +0200 Subject: [PATCH 44/51] Obsolete files --- .../lab/group_vars/all/environment.yaml | 9 --- .../lab/group_vars/all/users.sops.yaml | 53 ------------ .../group_vars/cloudflared/secrets.sops.yaml | 44 ---------- .../group_vars/containers/app_container.yaml | 1 - .../lab/group_vars/pve_nodes/general.yaml | 10 --- .../group_vars/pve_nodes/secrets.sops.yaml | 58 ------------- .../lab/host_vars/frigate/cameras.sops.yaml | 46 ----------- .../lab/host_vars/frigate/container.yaml | 13 --- environments/lab/host_vars/pomerium.sops.yaml | 45 ----------- environments/lab/host_vars/pomerium.yaml | 2 - .../lab/host_vars/smtp_relay.sops.yaml | 47 ----------- .../prod/group_vars/all/environment.yaml | 9 --- .../prod/group_vars/all/users.sops.yaml | 53 ------------ .../group_vars/cloudflared/secrets.sops.yaml | 44 ---------- .../group_vars/containers/app_container.yaml | 1 - .../prod/group_vars/pihole/pihole.yaml | 4 - .../prod/group_vars/pve_nodes/general.yaml | 16 ---- .../group_vars/pve_nodes/secrets.sops.yaml | 59 -------------- .../prod/host_vars/frigate/cameras.sops.yaml | 46 ----------- .../prod/host_vars/frigate/container.yaml | 13 --- .../prod/host_vars/pomerium.sops.yaml | 45 ----------- environments/prod/host_vars/pomerium.yaml | 2 - environments/prod/host_vars/pve1.yaml | 2 - environments/prod/host_vars/pve2.yaml | 2 - environments/prod/host_vars/pve3.yaml | 2 - .../prod/host_vars/smtp_relay.sops.yaml | 47 ----------- environments/shared/group_vars/all/env.yaml | 16 ---- .../shared/group_vars/all/general.yaml | 4 - .../group_vars/cloudflared/cloudflared.yaml | 2 - .../group_vars/containers/app_container.yaml | 5 -- .../shared/group_vars/pihole/container.yaml | 10 --- .../shared/group_vars/pve_nodes/firewall.yaml | 59 -------------- .../shared/group_vars/pve_nodes/general.yaml | 48 ----------- .../shared/host_vars/cloudflared1.yaml | 23 ------ .../shared/host_vars/cloudflared2.yaml | 16 ---- 
environments/shared/host_vars/frigate.yaml | 36 --------- .../shared/host_vars/homepage/bookmarks.yaml | 39 --------- .../shared/host_vars/homepage/container.yaml | 38 --------- .../shared/host_vars/homepage/services.yaml | 4 - .../shared/host_vars/homepage/settings.yaml | 8 -- .../shared/host_vars/homepage/widgets.yaml | 4 - environments/shared/host_vars/monitoring.yaml | 27 ------- environments/shared/host_vars/mqtt.yaml | 19 ----- environments/shared/host_vars/pihole1.yaml | 34 -------- environments/shared/host_vars/pihole2.yaml | 34 -------- environments/shared/host_vars/pomerium.yaml | 45 ----------- environments/shared/host_vars/pve1.yaml | 40 --------- environments/shared/host_vars/pve2.yaml | 17 ---- environments/shared/host_vars/pve3.yaml | 17 ---- environments/shared/host_vars/smtp_relay.yaml | 45 ----------- .../shared/host_vars/unifi_controller.yaml | 39 --------- environments/shared/hosts.yaml | 25 ------ roles/app-cloudflared/tasks/configure.yaml | 27 ------- roles/app-cloudflared/tasks/install.yaml | 18 ----- roles/app-cloudflared/tasks/main.yaml | 20 ----- roles/app-cloudflared/tasks/systemd.yaml | 15 ---- roles/app-cloudflared/templates/config.j2 | 15 ---- .../app-cloudflared/templates/credentials.j2 | 5 -- .../app-cloudflared/templates/systemd-unit.j2 | 17 ---- .../app-container/tasks/container-disks.yaml | 14 ---- roles/app-container/tasks/container.yaml | 47 ----------- roles/app-container/tasks/docker.yaml | 4 - roles/app-container/tasks/firewall.yaml | 9 --- roles/app-container/tasks/getssl.yaml | 21 ----- roles/app-container/tasks/ha.yaml | 23 ------ roles/app-container/tasks/init.yaml | 27 ------- roles/app-container/tasks/main.yaml | 76 ------------------ roles/app-container/tasks/replication.yaml | 28 ------- roles/app-container/tasks/ssh.yaml | 17 ---- roles/app-container/tasks/start.yaml | 32 -------- .../tasks/uid-gid-mapping-container.yaml | 10 --- .../tasks/uid-gid-mapping-global.yaml | 17 ---- roles/app-container/tasks/zfs.yaml | 7 
-- .../app-container/templates/getssl-config.j2 | 17 ---- roles/app-container/templates/init-script.j2 | 37 --------- roles/app-container/templates/lxc-idmap.j2 | 35 -------- roles/app-container/templates/pct-set.j2 | 31 ------- roles/app-frigate/tasks/docker.yaml | 10 --- roles/app-frigate/tasks/main.yaml | 20 ----- roles/app-frigate/templates/config.j2 | 47 ----------- roles/app-frigate/templates/docker-compose.j2 | 22 ----- roles/app-gatus/tasks/main.yaml | 27 ------- roles/app-gatus/templates/config.j2 | 74 ----------------- roles/app-gatus/templates/docker-compose.j2 | 10 --- roles/app-haraka/tasks/disable-postfix.yaml | 8 -- roles/app-haraka/tasks/main.yaml | 41 ---------- roles/app-haraka/tasks/user.yaml | 11 --- roles/app-haraka/templates/config_auth.j2 | 7 -- roles/app-haraka/templates/config_relay.j2 | 4 - roles/app-haraka/templates/docker-compose.j2 | 13 --- roles/app-homepage/defaults/main.yaml | 2 - roles/app-homepage/files/dynadot.png | Bin 8429 -> 0 bytes roles/app-homepage/files/favicon.ico | Bin 101869 -> 0 bytes roles/app-homepage/files/homecentr.png | Bin 1532 -> 0 bytes roles/app-homepage/files/onedrive.png | Bin 13675 -> 0 bytes roles/app-homepage/files/sendgrid.png | Bin 1066 -> 0 bytes roles/app-homepage/tasks/configure.yaml | 13 --- roles/app-homepage/tasks/docker.yaml | 10 --- roles/app-homepage/tasks/icons.yaml | 9 --- roles/app-homepage/tasks/main.yaml | 28 ------- roles/app-homepage/tasks/user.yaml | 11 --- .../app-homepage/templates/docker-compose.j2 | 18 ----- roles/app-mosquitto/tasks/main.yaml | 18 ----- roles/app-mosquitto/templates/config.j2 | 7 -- roles/app-pihole/handlers/main.yaml | 8 -- roles/app-pihole/tasks/dns.yaml | 26 ------ roles/app-pihole/tasks/http.yaml | 6 -- roles/app-pihole/tasks/install.yaml | 17 ---- roles/app-pihole/tasks/main.yaml | 34 -------- roles/app-pihole/templates/custom-hosts.j2 | 15 ---- .../templates/dnsmasq-forwarders.j2 | 3 - roles/app-pihole/templates/dnsmasq-local.j2 | 2 - 
roles/app-pihole/templates/setup-vars.j2 | 17 ---- roles/app-pomerium/defaults/main.yaml | 2 - roles/app-pomerium/tasks/configure.yaml | 9 --- roles/app-pomerium/tasks/install.yaml | 17 ---- roles/app-pomerium/tasks/main.yaml | 15 ---- roles/app-pomerium/tasks/systemd.yaml | 24 ------ roles/app-pomerium/tasks/user.yaml | 11 --- roles/app-pomerium/templates/config.j2 | 58 ------------- roles/app-unifi-controller/tasks/main.yaml | 7 -- roles/app-unifi-controller/tasks/mongodb.yaml | 16 ---- roles/app-unifi-controller/tasks/unifi.yaml | 16 ---- roles/docker/tasks/main.yaml | 8 -- roles/hosts/tasks/main.yml | 6 -- roles/pve_cluster_firewall/tasks/main.yaml | 17 ---- .../files/getssl-copy-container-all.sh | 9 --- .../files/getssl-copy-container.sh | 59 -------------- .../files/getssl-copy-pveproxy.sh | 19 ----- roles/pve_cluster_getssl/tasks/configure.yaml | 45 ----------- roles/pve_cluster_getssl/tasks/cron.yaml | 26 ------ roles/pve_cluster_getssl/tasks/main.yaml | 28 ------- roles/pve_cluster_getssl/tasks/scripts.yaml | 11 --- .../templates/getssl-certificate.j2 | 5 -- .../templates/getssl-root.j2 | 18 ----- roles/pve_cluster_ha/tasks/main.yaml | 15 ---- roles/pve_cluster_ha/templates/ha-groups.j2 | 12 --- roles/pve_cluster_options/tasks/main.yaml | 8 -- roles/pve_cluster_vxlan/tasks/configs.yaml | 35 -------- roles/pve_cluster_vxlan/tasks/ipam.yaml | 7 -- roles/pve_cluster_vxlan/tasks/main.yaml | 25 ------ .../templates/subnet-list.j2 | 9 --- roles/pve_cluster_vxlan/templates/subnets.j2 | 12 --- roles/pve_cluster_vxlan/templates/vnets.j2 | 8 -- roles/pve_cluster_vxlan/templates/zones.j2 | 6 -- roles/pve_firewall_common/tasks/main.yaml | 46 ----------- .../templates/firewall-file.j2 | 28 ------- .../templates/firewall-rule.j2 | 22 ----- roles/pve_firewall_common/templates/ipset.j2 | 9 --- .../templates/partials/destination-port.j2 | 3 - .../templates/partials/destination.j2 | 3 - .../templates/partials/host-expression.j2 | 7 -- .../templates/partials/interface.j2 | 3 
- .../templates/partials/log.j2 | 1 - .../templates/partials/protocol.j2 | 3 - .../templates/partials/source-port.j2 | 3 - .../templates/partials/source.j2 | 3 - .../templates/security-group.j2 | 5 -- tests/client/docker-compose.yaml | 14 ---- tests/environments/lab.local.env | 2 - tests/environments/prod.local.env | 2 - tests/environments/remote.env | 2 - tests/environments/secrets.lab.sops.yaml | 33 -------- tests/environments/secrets.prod.sops.yaml | 35 -------- tests/haraka-relay.spec.js | 33 -------- tests/nightwatch/assertions/isAadErrorPage.js | 39 --------- .../assertions/isAadPermissionRejectedPage.js | 14 ---- ...isCloudflareOrAadPermissionRejectedPage.js | 14 ---- ...udflareOrPomeriumPermissionRejectedPage.js | 14 ---- .../isCloudflarePermissionRejectedPage.js | 39 --------- .../isPomeriumPermissionRejectedPage.js | 39 --------- tests/nightwatch/commands/signIn.js | 26 ------ tests/nightwatch/commands/signInAsAdmin.js | 7 -- tests/nightwatch/commands/signInAsNonAdmin.js | 7 -- tests/nightwatch/commands/subdomain.js | 5 -- tests/nightwatch/globals.js | 22 ----- tests/proxmox-ve-local.spec.js | 28 ------- tests/proxmox-ve-remote.spec.js | 24 ------ 178 files changed, 3532 deletions(-) delete mode 100644 environments/lab/group_vars/all/environment.yaml delete mode 100644 environments/lab/group_vars/all/users.sops.yaml delete mode 100644 environments/lab/group_vars/cloudflared/secrets.sops.yaml delete mode 100644 environments/lab/group_vars/containers/app_container.yaml delete mode 100644 environments/lab/group_vars/pve_nodes/general.yaml delete mode 100644 environments/lab/group_vars/pve_nodes/secrets.sops.yaml delete mode 100644 environments/lab/host_vars/frigate/cameras.sops.yaml delete mode 100644 environments/lab/host_vars/frigate/container.yaml delete mode 100644 environments/lab/host_vars/pomerium.sops.yaml delete mode 100644 environments/lab/host_vars/pomerium.yaml delete mode 100644 environments/lab/host_vars/smtp_relay.sops.yaml delete mode 100644 
environments/prod/group_vars/all/environment.yaml delete mode 100644 environments/prod/group_vars/all/users.sops.yaml delete mode 100644 environments/prod/group_vars/cloudflared/secrets.sops.yaml delete mode 100644 environments/prod/group_vars/containers/app_container.yaml delete mode 100644 environments/prod/group_vars/pihole/pihole.yaml delete mode 100644 environments/prod/group_vars/pve_nodes/general.yaml delete mode 100644 environments/prod/group_vars/pve_nodes/secrets.sops.yaml delete mode 100644 environments/prod/host_vars/frigate/cameras.sops.yaml delete mode 100644 environments/prod/host_vars/frigate/container.yaml delete mode 100644 environments/prod/host_vars/pomerium.sops.yaml delete mode 100644 environments/prod/host_vars/pomerium.yaml delete mode 100644 environments/prod/host_vars/pve1.yaml delete mode 100644 environments/prod/host_vars/pve2.yaml delete mode 100644 environments/prod/host_vars/pve3.yaml delete mode 100644 environments/prod/host_vars/smtp_relay.sops.yaml delete mode 100644 environments/shared/group_vars/all/env.yaml delete mode 100644 environments/shared/group_vars/all/general.yaml delete mode 100644 environments/shared/group_vars/cloudflared/cloudflared.yaml delete mode 100644 environments/shared/group_vars/containers/app_container.yaml delete mode 100644 environments/shared/group_vars/pihole/container.yaml delete mode 100644 environments/shared/group_vars/pve_nodes/firewall.yaml delete mode 100644 environments/shared/group_vars/pve_nodes/general.yaml delete mode 100644 environments/shared/host_vars/cloudflared1.yaml delete mode 100644 environments/shared/host_vars/cloudflared2.yaml delete mode 100644 environments/shared/host_vars/frigate.yaml delete mode 100644 environments/shared/host_vars/homepage/bookmarks.yaml delete mode 100644 environments/shared/host_vars/homepage/container.yaml delete mode 100644 environments/shared/host_vars/homepage/services.yaml delete mode 100644 environments/shared/host_vars/homepage/settings.yaml delete 
mode 100644 environments/shared/host_vars/homepage/widgets.yaml delete mode 100644 environments/shared/host_vars/monitoring.yaml delete mode 100644 environments/shared/host_vars/mqtt.yaml delete mode 100644 environments/shared/host_vars/pihole1.yaml delete mode 100644 environments/shared/host_vars/pihole2.yaml delete mode 100644 environments/shared/host_vars/pomerium.yaml delete mode 100644 environments/shared/host_vars/pve1.yaml delete mode 100644 environments/shared/host_vars/pve2.yaml delete mode 100644 environments/shared/host_vars/pve3.yaml delete mode 100644 environments/shared/host_vars/smtp_relay.yaml delete mode 100644 environments/shared/host_vars/unifi_controller.yaml delete mode 100644 environments/shared/hosts.yaml delete mode 100644 roles/app-cloudflared/tasks/configure.yaml delete mode 100644 roles/app-cloudflared/tasks/install.yaml delete mode 100644 roles/app-cloudflared/tasks/main.yaml delete mode 100644 roles/app-cloudflared/tasks/systemd.yaml delete mode 100644 roles/app-cloudflared/templates/config.j2 delete mode 100644 roles/app-cloudflared/templates/credentials.j2 delete mode 100644 roles/app-cloudflared/templates/systemd-unit.j2 delete mode 100644 roles/app-container/tasks/container-disks.yaml delete mode 100644 roles/app-container/tasks/container.yaml delete mode 100644 roles/app-container/tasks/docker.yaml delete mode 100644 roles/app-container/tasks/firewall.yaml delete mode 100644 roles/app-container/tasks/getssl.yaml delete mode 100644 roles/app-container/tasks/ha.yaml delete mode 100644 roles/app-container/tasks/init.yaml delete mode 100644 roles/app-container/tasks/main.yaml delete mode 100644 roles/app-container/tasks/replication.yaml delete mode 100644 roles/app-container/tasks/ssh.yaml delete mode 100644 roles/app-container/tasks/start.yaml delete mode 100644 roles/app-container/tasks/uid-gid-mapping-container.yaml delete mode 100644 roles/app-container/tasks/uid-gid-mapping-global.yaml delete mode 100644 
roles/app-container/tasks/zfs.yaml delete mode 100644 roles/app-container/templates/getssl-config.j2 delete mode 100644 roles/app-container/templates/init-script.j2 delete mode 100644 roles/app-container/templates/lxc-idmap.j2 delete mode 100644 roles/app-container/templates/pct-set.j2 delete mode 100644 roles/app-frigate/tasks/docker.yaml delete mode 100644 roles/app-frigate/tasks/main.yaml delete mode 100644 roles/app-frigate/templates/config.j2 delete mode 100644 roles/app-frigate/templates/docker-compose.j2 delete mode 100644 roles/app-gatus/tasks/main.yaml delete mode 100644 roles/app-gatus/templates/config.j2 delete mode 100644 roles/app-gatus/templates/docker-compose.j2 delete mode 100644 roles/app-haraka/tasks/disable-postfix.yaml delete mode 100644 roles/app-haraka/tasks/main.yaml delete mode 100644 roles/app-haraka/tasks/user.yaml delete mode 100644 roles/app-haraka/templates/config_auth.j2 delete mode 100644 roles/app-haraka/templates/config_relay.j2 delete mode 100644 roles/app-haraka/templates/docker-compose.j2 delete mode 100644 roles/app-homepage/defaults/main.yaml delete mode 100644 roles/app-homepage/files/dynadot.png delete mode 100644 roles/app-homepage/files/favicon.ico delete mode 100644 roles/app-homepage/files/homecentr.png delete mode 100644 roles/app-homepage/files/onedrive.png delete mode 100644 roles/app-homepage/files/sendgrid.png delete mode 100644 roles/app-homepage/tasks/configure.yaml delete mode 100644 roles/app-homepage/tasks/docker.yaml delete mode 100644 roles/app-homepage/tasks/icons.yaml delete mode 100644 roles/app-homepage/tasks/main.yaml delete mode 100644 roles/app-homepage/tasks/user.yaml delete mode 100644 roles/app-homepage/templates/docker-compose.j2 delete mode 100644 roles/app-mosquitto/tasks/main.yaml delete mode 100644 roles/app-mosquitto/templates/config.j2 delete mode 100644 roles/app-pihole/handlers/main.yaml delete mode 100644 roles/app-pihole/tasks/dns.yaml delete mode 100644 roles/app-pihole/tasks/http.yaml 
delete mode 100644 roles/app-pihole/tasks/install.yaml delete mode 100644 roles/app-pihole/tasks/main.yaml delete mode 100644 roles/app-pihole/templates/custom-hosts.j2 delete mode 100644 roles/app-pihole/templates/dnsmasq-forwarders.j2 delete mode 100644 roles/app-pihole/templates/dnsmasq-local.j2 delete mode 100644 roles/app-pihole/templates/setup-vars.j2 delete mode 100644 roles/app-pomerium/defaults/main.yaml delete mode 100644 roles/app-pomerium/tasks/configure.yaml delete mode 100644 roles/app-pomerium/tasks/install.yaml delete mode 100644 roles/app-pomerium/tasks/main.yaml delete mode 100644 roles/app-pomerium/tasks/systemd.yaml delete mode 100644 roles/app-pomerium/tasks/user.yaml delete mode 100644 roles/app-pomerium/templates/config.j2 delete mode 100644 roles/app-unifi-controller/tasks/main.yaml delete mode 100644 roles/app-unifi-controller/tasks/mongodb.yaml delete mode 100644 roles/app-unifi-controller/tasks/unifi.yaml delete mode 100644 roles/docker/tasks/main.yaml delete mode 100644 roles/hosts/tasks/main.yml delete mode 100644 roles/pve_cluster_firewall/tasks/main.yaml delete mode 100644 roles/pve_cluster_getssl/files/getssl-copy-container-all.sh delete mode 100644 roles/pve_cluster_getssl/files/getssl-copy-container.sh delete mode 100644 roles/pve_cluster_getssl/files/getssl-copy-pveproxy.sh delete mode 100644 roles/pve_cluster_getssl/tasks/configure.yaml delete mode 100644 roles/pve_cluster_getssl/tasks/cron.yaml delete mode 100644 roles/pve_cluster_getssl/tasks/main.yaml delete mode 100644 roles/pve_cluster_getssl/tasks/scripts.yaml delete mode 100644 roles/pve_cluster_getssl/templates/getssl-certificate.j2 delete mode 100644 roles/pve_cluster_getssl/templates/getssl-root.j2 delete mode 100644 roles/pve_cluster_ha/tasks/main.yaml delete mode 100644 roles/pve_cluster_ha/templates/ha-groups.j2 delete mode 100644 roles/pve_cluster_options/tasks/main.yaml delete mode 100644 roles/pve_cluster_vxlan/tasks/configs.yaml delete mode 100644 
roles/pve_cluster_vxlan/tasks/ipam.yaml delete mode 100644 roles/pve_cluster_vxlan/tasks/main.yaml delete mode 100644 roles/pve_cluster_vxlan/templates/subnet-list.j2 delete mode 100644 roles/pve_cluster_vxlan/templates/subnets.j2 delete mode 100644 roles/pve_cluster_vxlan/templates/vnets.j2 delete mode 100644 roles/pve_cluster_vxlan/templates/zones.j2 delete mode 100644 roles/pve_firewall_common/tasks/main.yaml delete mode 100644 roles/pve_firewall_common/templates/firewall-file.j2 delete mode 100644 roles/pve_firewall_common/templates/firewall-rule.j2 delete mode 100644 roles/pve_firewall_common/templates/ipset.j2 delete mode 100644 roles/pve_firewall_common/templates/partials/destination-port.j2 delete mode 100644 roles/pve_firewall_common/templates/partials/destination.j2 delete mode 100644 roles/pve_firewall_common/templates/partials/host-expression.j2 delete mode 100644 roles/pve_firewall_common/templates/partials/interface.j2 delete mode 100644 roles/pve_firewall_common/templates/partials/log.j2 delete mode 100644 roles/pve_firewall_common/templates/partials/protocol.j2 delete mode 100644 roles/pve_firewall_common/templates/partials/source-port.j2 delete mode 100644 roles/pve_firewall_common/templates/partials/source.j2 delete mode 100644 roles/pve_firewall_common/templates/security-group.j2 delete mode 100644 tests/client/docker-compose.yaml delete mode 100644 tests/environments/lab.local.env delete mode 100644 tests/environments/prod.local.env delete mode 100644 tests/environments/remote.env delete mode 100644 tests/environments/secrets.lab.sops.yaml delete mode 100644 tests/environments/secrets.prod.sops.yaml delete mode 100644 tests/haraka-relay.spec.js delete mode 100644 tests/nightwatch/assertions/isAadErrorPage.js delete mode 100644 tests/nightwatch/assertions/isAadPermissionRejectedPage.js delete mode 100644 tests/nightwatch/assertions/isCloudflareOrAadPermissionRejectedPage.js delete mode 100644 
tests/nightwatch/assertions/isCloudflareOrPomeriumPermissionRejectedPage.js delete mode 100644 tests/nightwatch/assertions/isCloudflarePermissionRejectedPage.js delete mode 100644 tests/nightwatch/assertions/isPomeriumPermissionRejectedPage.js delete mode 100644 tests/nightwatch/commands/signIn.js delete mode 100644 tests/nightwatch/commands/signInAsAdmin.js delete mode 100644 tests/nightwatch/commands/signInAsNonAdmin.js delete mode 100644 tests/nightwatch/commands/subdomain.js delete mode 100644 tests/nightwatch/globals.js delete mode 100644 tests/proxmox-ve-local.spec.js delete mode 100644 tests/proxmox-ve-remote.spec.js diff --git a/environments/lab/group_vars/all/environment.yaml b/environments/lab/group_vars/all/environment.yaml deleted file mode 100644 index 3b96f38..0000000 --- a/environments/lab/group_vars/all/environment.yaml +++ /dev/null @@ -1,9 +0,0 @@ -env: - name: lab - suffix: -lab - suffix_display: -Lab - domain: homecentr.one - -subnets: - services: 10.1.8.0/24 - services_storage: 192.168.8.0/24 \ No newline at end of file diff --git a/environments/lab/group_vars/all/users.sops.yaml b/environments/lab/group_vars/all/users.sops.yaml deleted file mode 100644 index 5b54fe2..0000000 --- a/environments/lab/group_vars/all/users.sops.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -users_root_password: ENC[AES256_GCM,data:WqfgANAG09A=,iv:Z1MYPc/rSo3/IiXgga6GFJVN2Z88p3vyPMvggezMTx4=,tag:KUyrZZVP22xGgAMIQuw9ZQ==,type:str] -users_root_password_salt: ENC[AES256_GCM,data:dij7KwvSFi4zmPZ76g63gg==,iv:b6Qs6l6jCTpS/NY/J5jnsx9rKHqv0cN23hst8hQF+WM=,tag:g8ttOfq3fbeIA2niJVI8kw==,type:str] -users_admin_users: - - username: ENC[AES256_GCM,data:23qvthC31A==,iv:UN6wzhHNOc7gRP5W7SlH2sBolkdUFcz6D9kOHy060Bs=,tag:c+0a0XctXby5qRLItl1nTA==,type:str] - public_keys: - - ENC[AES256_GCM,data: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,iv:nBIUDYCNHMNKP0eeo1E5skuE49mhNrxBMJwRv1wlEfo=,tag:ttM3RRhPpWEQ2sgI4Jc1OA==,type:str] - - ENC[AES256_GCM,data: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,iv:Y5veZSFVeXZVQlTQOsASkl6gH4imccx0Q3l2gBlgNEM=,tag:GOsoYHatfHc7fF7KWSw3gQ==,type:str] - - username: ENC[AES256_GCM,data:JkS+p8w23VmYph/wEQ==,iv:I/pE+iUYCh6GcNtNghTzm1esxKDhd+dVyP7SnbgpNXQ=,tag:EiT+9PK5a8NPCEwbB8h1dQ==,type:str] - public_keys: - - ENC[AES256_GCM,data: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,iv:kQhLEYvXF8UnDLkVxPygy1xcFxhYCt/bR1eQCVQlcko=,tag:ObZUXy4j0wukwa/n6fwflQ==,type:str] -ssh_allowed_users: - - ENC[AES256_GCM,data:R86lgGuYkA==,iv:noWOgzYjG0HIt7sA5WXHpC7DvrVpzyjXwnIPqYn//Fk=,tag:Dvk4AGE8GLDfdDmHiONkCA==,type:str] - - ENC[AES256_GCM,data:ZHRqCVi4qaiisMAZFA==,iv:Gq7PMwTEVt5l3raw+zjFTHCPtZcF4iY+SeCcC2VwJKs=,tag:YSCQDmLUNWk1cVShgWO5jQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDSmUxZ2l2VnFORkxnemRD - Z1V5TnNnd1RCV1FiMVJDbTZUYXJwYnN3NmxVCmJhVGFIcFF2eVZaZFk5dHJSQThS - VkpPbmo3VmphNVg5bWg5QlV5byttNnMKLS0tIGh5UjVqVDFUaHV4dE5DbUZPYlBI - NnZPRWE2RGdFR1FFR1NBNXo0RWdnQnMKJ3GJHdONi+PAfaRitgS7LmK79basFeuD - GTPX7qPu7C8F7VUyoV4P94aa971mNKxcwL+5Qphm7qL+W8w+fnP6fQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: 
"2023-06-04T20:42:52Z" - mac: ENC[AES256_GCM,data:nOBJYsYUX07wrVsVucFk8J2i1fthJsDMqvfqNTuUq8vTl+3IwcnLRGNv+qIGvq1Ra1znwF8nndN0r2EBccehEl/bwKtuabxXBZkEvdGQlYy3DD45uwGuP9uaH2+r9IGTFhnb6LP9BDCN8bV7j8zOL6XScM89NPmhg3/SFaZr8bc=,iv:7+4Sjln8JhQeP2Z/7jhbXSCDRJgwW7tq5HjTms4YPNU=,tag:v322eLE5Z8DKkkf50BcSJA==,type:str] - pgp: - - created_at: "2023-06-05T09:01:53Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ//QPwgwg0fLZ3pNSHaNiYu0xLJ8njYYwarzb8sYi98VZQ9 - ngN+h26f0hX0f6JSdLO4TFuSjWp5FtncmAnuNAckZ9f2ZPGOqfqz4sGi/NFC5fbS - H9BwhKz6KsfRKMY74Mj8OX7n/oOAM3tGbyL7S4yrwj7hpTKvjCE+GOjuG4oJmwnE - +z1sp2vj16hJVkW1wPHJrhJcu//9MlEOVpbRm8Es5acIbcSUcE/DYablzZ/VTZMp - 050F9BVs2FeYZopI9gGcmwCYDfrfnE9bglDX2L4P0C6yPCKN5gQOO41Q7Vecgbrn - nimu6W4ZiA2X5IDNLwdkd5+587aKlA+aTzrs2Leyn+jkvdDPSZ06CrGCTDnhcqpi - lDrxUaunuOpzCtl9Gj+j1F4ycHWvKwLeinapvMtP3jpyezYWFUJBpYXKxB34gHGN - QOAL9WWoQPUXkBLYw/7XFtSotXQnjImEqu5Qs7LYZTCQWrsRD7g4IUNOotr9CAfl - YZkG6Sw3NuUXcPK8efkPAlVHCBwZBgI28+gKWShj6nTXY/jUNTw1WkEUGxgfkwVu - a8W+jyOanZNgFCQeqDGqPGPzqf4hmE0zCaCWjm3zUQDTzvhes205yU1n+Qnwujzn - vYgPDB/oOGu8+XmLA5f93zz/Mq7ni2HQwEcSmgRn1G4Mc7XWZLBN6UrKM8lidKDS - XgFuShY3HHkS/hR3rOPju7PveFZgvymduZ270VbsuoTcRKGfBIdmi/N8LRFwmdTt - AAzidpeZGv1OgLiJ5TuJhIlv6MSn3+Usp6hfPW6YJmTjooSmgn45Efd/SVW7naI= - =rgC7 - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/lab/group_vars/cloudflared/secrets.sops.yaml b/environments/lab/group_vars/cloudflared/secrets.sops.yaml deleted file mode 100644 index dc7bf41..0000000 --- a/environments/lab/group_vars/cloudflared/secrets.sops.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -app_cloudflared_tunnel_credentials: - account_id: ENC[AES256_GCM,data:lHYUZQtyoElAaCmI+UFgmpuvOf2Wc9HMISigDXtG1f8=,iv:N3eWIzlCqwdgg0loMYgwq728sLXI3QeGEO1zenSniyE=,tag:NDWGpbN6GvhKYg+CBlywyA==,type:str] - tunnel_secret: ENC[AES256_GCM,data:lzQYiB8iCWx1Egf4Xiwmly43S3ezwSjczDJjptnv6a6HzW4zmcG49JvEI9mqlf9kivhJUCuLFGnPNwbTt6FBsKC5hTrmQ9av9Tp124TEhNyOFog/sBuEsM7reUzCyi8K5sOEBtMALwyZaOrb3Ub2N/wUjJ5/4+KqLo68uv6YRCE=,iv:BSDr9ag0RGQth8ht2+VIlcstaLw3Nfd16T17Hmu9Ex4=,tag:wq5DlS99ByOAWpTiilovug==,type:str] - tunnel_id: ENC[AES256_GCM,data:ybOeL0E/jS0aUq7fgZnhLoy3BQENOaJ2TJLFNjYR7iT2wPf5,iv:8lxdXASk9hC7MC8tNdlH1dLwOIqdkZaXakzIGCPfqcg=,tag:QZmT8ph/v0ySkDx4TFiYow==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTNpMjB2V3h2a2pJeWNB - QmtZRTVDeERpSTBDYnpsYzVoMkpXTnpTRmtZClpXcTRKQzBUN010OWIzMERoMEhZ - dVJYME5HTmwxeFpIUHNiU3EyazFFRGMKLS0tIC9vZGpsN0d5dWc0RzhLdXk2bnpy - SklacmRSa2ZZOHREdTR0ekRGc0ZmVlEK/qmTVEdCSNwWwciH448cJ4HjCqwFixkV - mqJoQLFUFv5u7sggZ3tKOp+ykwmlsVT6mjuhI3BVJALtUPBKQ35tyQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-11T21:32:23Z" - mac: ENC[AES256_GCM,data:fHEWzn3rr7CIoizYRRmBYNRXBjuhpKVopNTGGkzsi15SAKZtb691KswoZxcDiWFyGvNiWal7kC7zzKbhk5NEnkYfgf2OPFDUm3AfkhEK/wUepWCbk76RwbV3VDlGVoZVYnHNmB02fwnbHHEdaVqM/VJLgWIA/lzh1UvcP2ucdKc=,iv:ovA3llpgXuQ9tU1UFSb8gEC7G3bq7Sg4NiC9dg0BMvY=,tag:3CK0HEIfVkujxyNE9+4Z1A==,type:str] - pgp: - - created_at: "2024-03-11T21:28:35Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ//TM7gncqbBG572oPVgHhGzJITC/0VnmCaeau7I1TWLGyz - vCe094qMCkBFBTKzpnkQIVvhyK186yojpiSwZkW69OntXXdj14pGVQS20LBhBdxr - 5RZ++wrx+IQxaT+tRWhUPQTA5249Ywo8HxcpTXk4pbAC9w5Ruakgb3ssNdpkIx+g - +v5DTPajpI52f2bP1tNAet5a34Bcz5jxkzQjVVrVcigVw/YO/cFCtZtCoAPA567v - QRYa7OOj4GkVePgl+IjDtGi0G+gsTA9cZWnUb2qyE6XLLJs5j1lct/6wmGzQvi5b - 
0ZrSrPoYuCKEHv2nojKP0yfye+HLcfo84Mudz9dm0UbJvLcSHK9Wa5x0XLaPtB6o - Vg2Vy5cxDQQpyosc1WBS1wrTwRSntPQhyFjd5CfgSbYHh3Q4Ms9J+HlIodHK63+U - ZGArCHdD7a9ezVhNyLp1jmymBI3d3A+zy8a3ZbfsuHjaDIr0dahbO0hgvoDLN8jE - zna4aMDbbfxrL1xQAXfyxhD7jZGoBcLPDQ8uADe5qjyP+p+15+UfUXtRgzTiEEvU - 1ARra95iFpnpXyc9g66ODYa5LmCYv4QnBDbcDUWXCzHK80sFzuk/ak7pgjRoAHUo - rFFk48Bufy1r2rztpG+fWUfGRjAtuHhitBvU8D6aFEn5VuTNxASlLO84kfAArZXS - XAG44iMMhwmww7HeKHfBtI7ZE6aoi8/1qnsTDuRUCXP8qg+z6E1H8ik1c9215EOG - 2qeUzhcu3x5H+CyFwISbp4gR8P1BczUL8cevkjGP1TamQXUVYCeCsaHSTr3e - =Uq6G - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/environments/lab/group_vars/containers/app_container.yaml b/environments/lab/group_vars/containers/app_container.yaml deleted file mode 100644 index 8183527..0000000 --- a/environments/lab/group_vars/containers/app_container.yaml +++ /dev/null @@ -1 +0,0 @@ -app_container_storage_name: dpool \ No newline at end of file diff --git a/environments/lab/group_vars/pve_nodes/general.yaml b/environments/lab/group_vars/pve_nodes/general.yaml deleted file mode 100644 index 4610bcd..0000000 --- a/environments/lab/group_vars/pve_nodes/general.yaml +++ /dev/null @@ -1,10 +0,0 @@ -pve_zfs_max_arc_size_gb: 0.5 - -ups_name: dummy-ups1 - -ups_devices: - - name: dummy-ups1 - driver: dummy-ups - description: Dummy UPS - port: evolution500.seq - monitored_by: pve1 diff --git a/environments/lab/group_vars/pve_nodes/secrets.sops.yaml b/environments/lab/group_vars/pve_nodes/secrets.sops.yaml deleted file mode 100644 index ca7f7e1..0000000 --- a/environments/lab/group_vars/pve_nodes/secrets.sops.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -pve_default_realm_name: ENC[AES256_GCM,data:LmEM,iv:UsZ8tl8OnszjUJcR4/qPlbFisBztJR2CFBtYaQpdc04=,tag:qDjdqYyhk8/tBwPpAyHI6Q==,type:str] -pve_openid_realms: - - name: ENC[AES256_GCM,data:Ngni,iv:TdTMcGhXOG6n3xtMgdPVE8pQzmXxAnAVdyI8+HPit2g=,tag:yUmBp4n5T4+lrUiV3Ypp1w==,type:str] - display_name: ENC[AES256_GCM,data:HtobIhXh4/hXD8E+W9nY/vDOUkDHaw==,iv:BqMgdq2Lq/OuTAb3VvSM/mVMzpKyUyWlorANJFCWKZs=,tag:h0x4lx3CNT9p69PPTTlxTA==,type:str] - client_id: ENC[AES256_GCM,data:LfW/VrjD3sW+KgAc5vsvUribwri7isrroxQb/+JCFZlvd1s3,iv:5FMcT9YaN/fvcC3FUV8r37S4j2H7SLm5+TJWqshhqak=,tag:jQG9edH+QvS9HiVYsxzyFQ==,type:str] - #ENC[AES256_GCM,data:JtE4/ZbkyLBsWqGQIn970Qxt0XF+V6rWMZzmLXYgcJ4WyhUoNzMJogsKXOzBgr1Tuv/ruWPSpGYd2hXPcA==,iv:Lv++gJYKOyDyQHE0cVj7OEkpSODYGUHsZTNvD00T0e8=,tag:1WYZSiGOHRtsw5fgp/Qg3Q==,type:comment] - client_secret: ENC[AES256_GCM,data:DC0TXY6CAN0jkNctbNMJ145uLAnwk/cKbuBlUVZzQIh8F5tIg99qXw==,iv:ySlpvvfrvILHEOHBpA0r596tw2kz17SuZdqkvepLbRg=,tag:vU52ajV/cMAziORn2GOiyg==,type:str] - url: ENC[AES256_GCM,data:ZKPBz5C0QJEGEOpu89ReR4YWF+71IO4H+G05FGBbaFB4Y9GNwQdb1RMKe5Ov5JUZlkLNmEMZJK56tIxhTLoIUHjK8WxMQ9UItTqC,iv:PNLeOaLktZR4kIsw6XHvM8etFxhqgq1f3UOAAmH57/Y=,tag:1gkvM54D7zQZj/WAmhfGvw==,type:str] - autocreate_users: ENC[AES256_GCM,data:R3TfEQ==,iv:7bbE2lZ3a52dvRPTyacmxPmM/bZYw77JVofkNAz3ELw=,tag:ouf/dZXAiDGZA3jbdawzMg==,type:bool] - username_claim: ENC[AES256_GCM,data:xGMUZG0=,iv:6WxIlPX8TuJP59IHDM2OJzm5tGvWHaoVqlNKEYQ75Ew=,tag:1zDnG5YW7S3bWqG1+XxEiw==,type:str] - scopes: ENC[AES256_GCM,data:ybs2FlTy9pM7j9p+,iv:MLD0RPld62adtqNO8qASe7URvbfSiu95IQkzhOTaZEI=,tag:Bwi4kh681tLDBvwHlbh46A==,type:str] -pve_users: - - username: ENC[AES256_GCM,data:2D+iIF7pqUMRGMIOgrE=,iv:IHHn+2fgR0ZLpGuUImGVfCBFO512dXBTowXfpWJyrog=,tag:I8vpTbN6H175cXKbbVg/WA==,type:str] - realm: ENC[AES256_GCM,data:DPWs,iv:9MY6tmNt78tm5nJ/a9I1VUM8mCj2YebZorJNsV0upd8=,tag:i8oh9wJdgFguNX22rAKj0Q==,type:str] - enabled: 
ENC[AES256_GCM,data:yFP23Q==,iv:8aEof9pf2UwnPK1WMsdlWz3NRcgpdiDuT/hjqZ3q31U=,tag:N6K+vhAW3cwrs6O6ZQcBew==,type:bool] - first_name: ENC[AES256_GCM,data:fbtwrOk=,iv:hBEni6c/okYPGzDUyCZez5DQaUkFcmUfb+jFevoiffs=,tag:TdJr/21W3GKVn6323PgOHw==,type:str] - last_name: ENC[AES256_GCM,data:apk2B68a,iv:w1RT4qoPP7CjlX43f+jlbBmrNCoD71hlvMev61W2Xvc=,tag:ZDq/pt+jvhGKBLJmhBKB8A==,type:str] - email: ENC[AES256_GCM,data:pdeTOaqtMd1Fi1SzuuE=,iv:ljuxtVBGskDW9UpgVj0NtS13216EE6hMzCIDl7xYzjk=,tag:w65/QnFW+t2Ut27+3+HofA==,type:str] - permissions: - - scope: ENC[AES256_GCM,data:yw==,iv:AwDmZEE54njW5k3Uh1XOxOGq9/9RCHPiFiw2+iNylQM=,tag:WZW3X8vDKPGydmJkDJsNmA==,type:str] - roles: - - ENC[AES256_GCM,data:KmlkRgsHCidvqtudDg==,iv:dUcsKM7NaJDSoDm5l8ksfawAQs/XGJfrcdKATPix0U8=,tag:VykuXfFbLnyVpGM8yYqmbA==,type:str] -getssl_version: ENC[AES256_GCM,data:6ohx8A==,iv:CKY6tt3+3x3yt7hElnn9R3y+6EdH4iGfyLv6yMJvW+4=,tag:Frius2gEErin2yzT4dObmA==,type:float] -getssl_acme_email: ENC[AES256_GCM,data:3YxxDwf4yHZq3tbyfCsJM+3SNMAqyOY=,iv:JaO2Po08nnnM8GOvxxsE7eX65W4CuwabZX4bl6YA8EM=,tag:Jy3NVizrHL9ER8pzeviTfg==,type:str] -getssl_certificates: - - domain: ENC[AES256_GCM,data:p0oK4ut4fng3aibtD+ZB,iv:GAKzyETL6nZJLPH92plmEmHGJyGq2eIxstLhuBwDv6w=,tag:rdYAFOI7jjVPm1coIcrX1A==,type:str] - pveproxy: ENC[AES256_GCM,data:3SJdBQ==,iv:qPywxGpK/FCJLLaTMJ9j/x9z/GptLHfmqhlo1VnBYuk=,tag:yzASyPIqetiaZmp9/D2Ngg==,type:bool] -getssl_cloudflare_email: ENC[AES256_GCM,data:G6Ixtl6Lf8I4T8HupxePJlBLvv0CqQ==,iv:L4i+g6908jnf03HcikeM9f3Zoa5jhDP2IHkvDxWhO3M=,tag:8Oc046w1pYAVVsPd5NAEYw==,type:str] -getssl_cloudflare_api_token: ENC[AES256_GCM,data:++P52Hl/14yekKI/pTfMKlQKHqISkotNFj7SToHzqUk0Z6wiL/eL4g==,iv:UFD41XQNKJz2tHDB5IG+PmhgoXFYPqHZC0DkeZpSkjY=,tag:23aditConHxuY3AaW2owWA==,type:str] -ups_slave_password: ENC[AES256_GCM,data:LSkvc2D5JLs=,iv:kfdGQjVMi4Ujle6WzL1XN+6kV6tZdKdUKpEA6K3s4BQ=,tag:XX3BibPR3MZH58uUpH7aOA==,type:str] -pve_smtp_username: 
ENC[AES256_GCM,data:X0IdKdfrPDVmsVZqupp0eU8Wf3GYMw==,iv:drM4tPsuLbGj8LpNXLFufUww9dRwHUVGZwBIsc3GAuA=,tag:m8hRaKS5/zKQdsQ4Trf62A==,type:str] -pve_smtp_password: ENC[AES256_GCM,data:kTPfF1tsbgaNlxHIHPgsjHVH0WIc05ZJ0Cet47gJdVqtRB0Rh2xfCNF/hEzBhEw2caDm71y2vafui7d5eoeaynzRyTpe6HsveFDpKFG3poXvK4ckaXHJWkse,iv:x/catZEn5xD3eUzgYFNty9txZFbiprjW5mnKSaapWaI=,tag:TcX4U705mu8afO/MjnX67w==,type:str] -pve_smtp_host: ENC[AES256_GCM,data:rBqZTGetloUR/d4ZEgHZVanK+ro=,iv:f2g+hEAIkCb9Iity3gJ4qzWVnjn/oRgTXKOCWHTNuAI=,tag:abOj7coVqpxRibOUdhlAhQ==,type:str] -pve_smtp_port: ENC[AES256_GCM,data:mYqC,iv:0ExWSn/DWX1jD5D0HoqtQ4d9xGeuVYIFqMaZ+Et5TrU=,tag:ZNjzZWk4KO0Ap9clPnk9uA==,type:int] -pve_smtp_tls: ENC[AES256_GCM,data:jc+UyQ==,iv:JcrmfgzHIjtY3RaNISmX0SSNyqkkpKrZQkHEsafFYEg=,tag:uPJQTQIwkZpec+b3DHs3xg==,type:bool] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWXkrWityZHMwRHBWaVJD - dUJ0QU9nd1YzMzltc3M3ODhKTDNaWTNoTFJNCkxidEl4Z2VIbHkxMjdqTzRIQjEy - alJEQnJBQ0NxV1lDa05vQ24wMlhXQXMKLS0tIGdReS9ocnBDR1NIWVZUNGd0NWZo - QWU4OTVNQU9nRU12REp3dkpYdWpjbVEKkKpnxWW2iUkjQv3UzO8b0pUXJ2s72HdQ - tQkvIENt6fns2f3WwAoMsouPsTzZSn4PXGrG9OAIWVcfkGtF/RRdHA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-19T16:36:03Z" - mac: ENC[AES256_GCM,data:QFsHz55xCmpHHf6w/RSOeDHwj4BNSezUJNLtzmYDkAYHDLq3vem+SLyNtkE61a1XbZBvkC22BzBEYuGRg3J9+z/ovpoi7ot0IuB/ZK4QYUI1K0eOhJdOjk/MdPsJNnL7MFknWB6bG4/MK5yulL1WjRLr9rdyxa5YxJfci0kiGtE=,iv:6+YAalHHo16ZqrepV1dvfLhTw0L8xWMIxVG1ZIxpd/U=,tag:7eRbgWdwB9IbLchZT9uaFA==,type:str] - pgp: - - created_at: "2023-06-05T08:57:01Z" - enc: "-----BEGIN PGP 
MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//a0vf1Oh3Tiyv++/rqq6X00JVXl2CZjoQ8BOKeGsX1wOY\r\nHIV7on7BJ4kW9gjIwOGIhsMLPryVIR7yJAJPu/qjQiQFBEk5To8xjoaMib0f3yvI\r\nQRDB2nvgChd04NHE7rYbwl+0aZcK1E88LA2uzXietlri4VzcmoMA9JBZn5/65Eaj\r\n+f2Ari4TKWTomYhseYPUVFCqtm5W64FehtGKao7iNcMAX/vxIupWUwRRDg6EsZu7\r\nP0nGszRVWwiucJ8BfDU2FQVrJKJuoEyerSUYW0tHEhAai+HTV47j2ST/ZvK18D5c\r\n+16RJzp1a3QFCViM3PlOAAVtunoUFQxMwfiLgniUB8kCjFBOMQ5wST8xZFUHrmjw\r\n07tkmV5/eRVA9/Vl5jRqM4sRf2f3Ou0YXbeOeJ3fzLrZgWOliUtTq7YzvN4AnNhg\r\nJfHSQsMR5nYi9wHfq6doTWXArXKp82Z2u/pZoVY5xlAaU9uerxgs6GTs7iRbW4BM\r\n+7WkqxnRo/agFzhLpDWBxehpP0XKx49JgxPdmQXlYDQY6AYc5jPswBsePSYL1LNz\r\nhoPUbCfgPik5nrdAy4pVW6ijBcf8KqgVH8eZAQa1M2GpdyO8tIL5paTLaM+oiyWN\r\nFEjT+GDjxAoxFvDW8ZSOTSlu9GdrLquFMF2hp3zZ0bZ6EfHr3K3cyRXAhkVuLUTS\r\nXgEQAAk4rZa7lH9ODHkKNzOhIfm69V2sAgH5oWHgiBAAJU44ZE5voZSQokVZPu+b\r\nK9ldX8+2W8XoE1CGuWXNtb5GYlWlVFpShFfhPCm1l5b4w9Y5lDhXmEXf8Opdw3c=\r\n=t7MQ\r\n-----END PGP MESSAGE-----\r\n" - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/environments/lab/host_vars/frigate/cameras.sops.yaml b/environments/lab/host_vars/frigate/cameras.sops.yaml deleted file mode 100644 index af4724e..0000000 --- a/environments/lab/host_vars/frigate/cameras.sops.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -app_frigate_cameras: - - name: ENC[AES256_GCM,data:K25rEW2YZ9k=,iv:3F+cPXgvnpqDX3Jul8Bd+CpgUVK4EBk6SSqK/7nsiTk=,tag:MjTIJKnJNRrm9r1C5DAILw==,type:str] - type: ENC[AES256_GCM,data:VWA/UV1mWA==,iv:wnOsUQPwYyluSKd+pgzBXrNlFNYdsUuV7iMOEg3zLCY=,tag:Bf90sQ0Xi/6GY6gGnAm2Sw==,type:str] - ip: ENC[AES256_GCM,data:bcgx95kQUEEF,iv:URoVES75H5OaTjoPnwrTacxvoS0pWrIdDopMDo1qRpk=,tag:yS/IoVOFbunyXFxET3lubQ==,type:str] - username: ENC[AES256_GCM,data:Jb/lH4qKqw==,iv:N6rrdzEnaS6IkvyuH/GVsNsutzkrx1wZ2kWnVo37NE4=,tag:kbWDUwIZNcSPzJsTv9E7ZQ==,type:str] - password: ENC[AES256_GCM,data:IvToLCZj1wq5KH2MQaaTu7dCQcSWW8LdxLnykcs=,iv:yB03KVTEtB5PwXvv4zfj/zMQLKIr76fNjjv3rcyc2bA=,tag:CKw79/Hye5imT3v4Blp0sw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWWFad3hDUi8vWFpIQ3E1 - QktDNVVtdXluVlQ1UzJjQ1BZWFRXUlpUc1NjClV2WEd0bFRhK2JlcDBwOUVUWmNo - RHBFbWFsY1lRYWtaRE5ScXBrZ0UzanMKLS0tIDByNmd0K3drUUpGU3hmcmJUQmpu - L0w0ZXlhN2hPS0xWR0lITW96Mm5kMU0KgOqDc2YVPVQtP2+5lfjUXyFLMj0idIEn - NnVcBcGCpRaU2NOh2vTSIJTPDF8oq1wCR1MCxycKV4U9Za5caPurbw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-14T15:14:03Z" - mac: ENC[AES256_GCM,data:vqkakCWFV2k9zct5w2vDpvJTsdsrU86TVTplcrMOZm3e9dPMDARpHXZI4vYBTBPtU7JNhDNFgQNPUB/D/A+Ig5BGvL3C1iPmKTvmGjv/w4NaEn8yRj4k0+2h5XSZNEaIQoq65Ymzbbkz714kuTRn2ctrQxfJCbj8Tas9aoDbM/0=,iv:FaTwuWFR7FPpNMuufSUsiL5AhgMWc+9KLr3tfRMpyK0=,tag:GT/yiuF5LY1RS2uql2OIlA==,type:str] - pgp: - - created_at: "2024-03-14T15:10:37Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ//chnODy6vHHlkjG7FCrZIk3sL6OgnSjadjNhoxTvuYEuK - WNIiS1zMw3aVVrqVYq1+SXeUgwPTB63GP1fzNrLYY9B4g1zvxq4ySjQ1l5AFtKse - PmOcPWQrkSzahquMFsNDiJlwEIlVmoAm1V14uI85TehIBmXjlBIJcckvikkf2xBi - /7FGoLqXdnrpCdeEYWIiujujJF1saIuhBWLEcPyzzL7fgtlrOQH+IcTkqLvEP92k - 
p0FA4152ohwP2duAsH4By3AR5iWTywP19tKzp7E/cu16g0cbqbD/L7kpoMB1wkmI - 6nXJ5SHrSZ1RD7PppX/PQbeTOaYRbW6jnqLvI/2AOx8ChNO6DdXJr4qi/TuTyAQR - RSapnAyYVyfxffQdozT0vjJPrHR7AQSlz6q3/3O0b4VL3SkUDH8eoLjaIIAt0oz5 - 57Fjrrr9gtRdLZM+DrxFqmUk+q0PFEmriYY0gqBjDeTMS/gWJ7r4DoBgsH5QeN4p - zti3fEEysaVUVs5GaDKeV2yXgT3j3DqVdiLGoO7YeLiO4uAU4Z2gOPZs+vy7Xptb - UVGgQqm6BQe9pkEq94zbGqSe9+6+16pZ/PGeGZ+riE8XvioJ2r+O9M/zaSO8dSn6 - IKkxeWDcvDD4LL6KJyqT8uWtYncKEorMp6TRa7ZGaj6gbPQXhhPKUVqt79Yj1lfS - XgFpmG+dMte5yG5aX5WyFzfk9GqVJck2LU3HoQyOb7KqA5KblSZc54jESc1mkH2d - tALRYJzfO18P9RNv9HWtVKBgr4GZ42XR13r3rOJAF9mypPkOp9bCoCvT8kAGmF0= - =ltPj - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/environments/lab/host_vars/frigate/container.yaml b/environments/lab/host_vars/frigate/container.yaml deleted file mode 100644 index ddaf476..0000000 --- a/environments/lab/host_vars/frigate/container.yaml +++ /dev/null @@ -1,13 +0,0 @@ -app_container_memory: 2048 -app_container_storage_name: dpool -app_container_storage_size_gb: 5 - -app_container_mounts: - - type: disk - storage_name: dpool - index: 2 - size_gb: 2 - target_path: /nvr - -app_frigate_cache_size_gb: 1 -app_frigate_shm_size_gb: 1 diff --git a/environments/lab/host_vars/pomerium.sops.yaml b/environments/lab/host_vars/pomerium.sops.yaml deleted file mode 100644 index bba55ce..0000000 --- a/environments/lab/host_vars/pomerium.sops.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -app_pomerium_idp_provider: ENC[AES256_GCM,data:VpQAf9E=,iv:PIREcAiLh9nrTUp6yLwnvyfnAXmnvetoCQWqLswrKXo=,tag:y3b77ECYZ5XgRH2f7lifyA==,type:str] -app_pomerium_idp_client_id: ENC[AES256_GCM,data:Wpz/jOMkBel3eUsrpfiRUz7qOdMBSE3/FIYwbXrmKdw8pS5j,iv:bJd0Hwf2Z14oXayoB1Zf0tYxJqupvr3GjMNXuzzrebU=,tag:lmjnOH/jLM87+GuBE/kBLg==,type:str] -app_pomerium_idp_client_secret: ENC[AES256_GCM,data:RUAcrW/hIBPpPffbX3XTZDQHqdrYyF1/eByga1yZSiARUl/cdSsNYA==,iv:KPpimeDMB7oxpFMDb8AFZpySGfJtIAnB0ZXaDgzAlyQ=,tag:16b8scdDn8t9nNqKBVRgAw==,type:str] -app_pomerium_idp_provider_url: ENC[AES256_GCM,data:HxSh2Xu4EvYn3fGgpTc5ZnoEv2hL62Lg/gMX3aO3PuasMM+Y0b8ixLDNz2QGMzzWmMhJlYvTzS24+M2RDBFWnakYLpfELT404evz,iv:zxQ2M25o2HbzBbKyrNCL2i32gXEc0WZiDwdA4OD4uoU=,tag:NuLhRcVakfEFE3RrYRNo6A==,type:str] -app_pomerium_cookie_secret: ENC[AES256_GCM,data:AxSiccltyyhamL/ddS3656P7wfVZVnA7lsdogOhO6/l9GHZO+RWERCVhcnc=,iv:KApzn0Ce5Zp49FIa2rqEwPHqD+vrbETM59GL3pIdj4g=,tag:vXY0jb54xR6tFh6QNEU6zg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSHZGZnQ2Szh3OXk1MVlJ - dTQydEZxSWRGRXczcDdEb1J4S1VPR3JqbXlnCndyOExGZDJqQUpneXdCMC8vcndK - QklvS3Rtc1ZHOFRBTnp6NzdNZ3JmdDgKLS0tIExJTTF1SUxlN0psbmpYdXV5c0Fh - SHpnRHlnWnBwWUQwTk5jVHJSdEdCUUkK59zwMk1ZNsBdvo4I26Hv7lrrkmJ5jeVE - TwbEthfwlCwmCOtId+zuolCZwZbAxrayIdWgtlOCpX0myDrGX0qx4g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-14T16:00:08Z" - mac: ENC[AES256_GCM,data:hrwepSok3V6wN90N6bDWsujXg4s0B1ZL/TuTQE8SEy3yboC44ORDgWbN+EDh5em3+2BC+S/3Ai5GhjGlWAlrPI2UU8/YLVM5VpbI1pD7KmnuWh+bzihewGkNlxfkCzVpX35czd1lDZFMXZkuRY5IScT16WQdk8k2hwGR/7+G63w=,iv:L0FE6/xKCzckL+FGbWn1n4wr+pnVa6APFlUKdPyMwW8=,tag:GvulVRmHZYJK6a29rGplHQ==,type:str] - pgp: - - created_at: "2024-03-07T21:01:19Z" - enc: | - -----BEGIN PGP MESSAGE----- - - 
hQIMA7Pg+ndCcR5CAQ//TaWYnk0QfSwq39kQKGNkH3C1pq0DHjjDcosttXRKVT6A - dBo+hjvfrxHWOaRrP2ABuNzmkbcZ98Os8qk+Z0NFioZllL42mGrB8+p4TyZl9n9D - ai9tGncA/ByWEgdzBCqp8utZk6nG0BJ+PfyA9014mAU0GROek5y+OUwjNDkZXZ6u - YbPQsoUj316rONWtSgf/8+SDeu7J5k9gKwhkDcj2V6KDVC6VdCF6NAXQKvrYTKfh - X2MAABCE/yn6Gs7pYymjJJGxPYGxjh5huk0C89nZW1kcmW/DaDh1e5o0CYR/p8RK - iaJmF8i6N6DNFrI3GcCMHb4wqBzDTCBkm+jsFT5f+VUkivANxb/IqfuDJZn54OFz - hke4g0oLnB+JueGVU/wfzYKviVegCVbEbM0dYmSjI24Bp8DDHv/FroUoPAA87lE6 - veTt5mEaayHCBI4ivhQtuPlHBL2ij6DDHSdx4Roi5gGxUmLtUqSg5nQwiItSNdn5 - eaRGfKCaKrpurDECobqTjUZpubxbDbKE52vvJDphB0+TTxVaiTnWjXt/pJ2nhMvS - 9RMiOyJQttrKkDuRR9TOMEVg+urtTlix8Cp7UuCF9RTMqwQu1oQenBHOByHVVrXn - k3Lf5Ue55G9CWtBiUekP4ohsd1JBiz2QDXnkJ6wEA88srzMY8YgrH0ukBnHFOM7S - XgFQig9vICka+uxescA7IbP8g7adUaduepOCewa4HU0Vrun59JZr1b0JzNp8oHVk - Fspn4I9u/EG27gSIdf4M2cEhhvugG5O5n5WWSPv4ovUOFTVEHGk7+tTU1gdMGS0= - =jN6m - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/environments/lab/host_vars/pomerium.yaml b/environments/lab/host_vars/pomerium.yaml deleted file mode 100644 index e5f0998..0000000 --- a/environments/lab/host_vars/pomerium.yaml +++ /dev/null @@ -1,2 +0,0 @@ -app_pomerium_groups_administrators: b77c210d-8ae3-4292-9e95-c7d42a2f254f -app_pomerium_groups_users: ba84af15-129a-42c3-806c-62700ea31a7c \ No newline at end of file diff --git a/environments/lab/host_vars/smtp_relay.sops.yaml b/environments/lab/host_vars/smtp_relay.sops.yaml deleted file mode 100644 index a424736..0000000 --- a/environments/lab/host_vars/smtp_relay.sops.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -app_haraka_users: - - username: ENC[AES256_GCM,data:wIFb,iv:/n/Zv39xiZKWl+TsiWq/+xPfpS/bMxLmmvcludsfOMA=,tag:sL8/YeRNq/w5+nxVjIRATA==,type:str] - password: ENC[AES256_GCM,data:5xQSIu1SKQ2YICc9k2TgH/gZzKQ=,iv:QZ/wW7hoYd9HyrIEXZxG2EePyE2XV06pRpM7hOoBqXU=,tag:h57JAYLn+r49D66JKjrV3g==,type:str] -app_haraka_smtp_username: ENC[AES256_GCM,data:W88iwjJhJFMdxJ1s5BaqtU1eQXxvWQ==,iv:fxIOt+0LBjjoLB1xo0KWOBJ9R8g4Q2U+gB+ujT7KXu0=,tag:cJjMQnjTJTtB6Gx0o3QWvw==,type:str] -app_haraka_smtp_password: ENC[AES256_GCM,data:SZDS4dCriQArJ7DaRzyRZLFvWJZLYgZD3c/kxjRzQo0AnjlwDN1KVipCIQE7n8xe7lqeMeM7hemtTOg5XeO4VHUfY6cGJHfyR90+H7LcDKxnRwuL61K7IIfG,iv:RcIHxnyLeu6/2mVDeJQR2eMP0dPJpN4QL3RyT7GoUmg=,tag:knIuTFyo2YcZeu+61F4ueQ==,type:str] -app_haraka_smtp_host: ENC[AES256_GCM,data:BSaVrZGb++wnK39Dt3+UrAqbfSI=,iv:hlipTNIV5PJ4wIsH/ORTHp8C5V8kjzsX7dQyG+tvqno=,tag:xQgicmiGvMRBreLAdDlvTQ==,type:str] -app_haraka_smtp_port: ENC[AES256_GCM,data:bqtZ,iv:RC8tIIBHvOWXNGs7NDGi46ss92oyq6C9vnbnyPGr5hw=,tag:DTd3Wd706FR48MDXza55OA==,type:int] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzNjdnUWhha0JvUkVkQ1J0 - K2RVclB0NTljWkx0SXo2QjM0S290TVcxb0JZCit5SVBxanRsNFJ6aTRKYUZ5ZHpK - T3czaHBISTl1N1pJeUhqWVBrdEFRSzgKLS0tIHQvT255a1dhQjBON0tOaHl3Zmkr - U1RuL2xVbC9pRFppQ3BEUmFkV1ZDTzAKgBEI44mfeId4G4VrnOTi20q0jeLPLvEI - Xpy6J8rcP/ixbN+bns2Y8dC55+uFEpQQdVObCBzyYgSqapFM9cYpHQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-17T13:30:25Z" - mac: ENC[AES256_GCM,data:O5tiqklG+puBWPNH2nLaRbRGN8WoQ6ToZ8R/bpnG9Olxa9HDS18Rtzotvc+Q4nT3HxzjJZrznR3MYCGfw3mO3DK0njSP0NBKvwXIyC2H9LPTpLIalALrPh1xA0Ebgwrl/ILzduCVi/B5vvgdaa8rbav3Fe/nVpnjQbcevgbFdQc=,iv:bptYFWdv6jz/yoRBKGIzqi5RF/PD+KNIyyPUhjnkWAk=,tag:6M9hkvCsyyul6BsdyofXSQ==,type:str] - pgp: - - created_at: "2024-04-17T13:26:16Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - 
hQIMA7Pg+ndCcR5CARAAkUwBdOFb6cNMqPIHyxrKLrh6syCc0Icu/OnvyBsINnV0 - qT7l8sneOVd0g6YKuJXTXH87iUxS01fXSZBa5A5NZhohGSufhMhpy2AbtpiDeWBg - zQuEwwjb0l/T4AVUVNPWHrC5ctFXuA1xF4e4pFPmyY2aCXURPR8vjWpIDwMIXWdp - nxHDwQADoE2MtM5mzHBKjL1HVJDtfh2fzvKl6R0SVg9a9gEL8tVbheNnwo5FfSU4 - 6RX5T7xNo5nDLwXaHKfQttlMCHbMqEDeQxQaXJ2fg2byz8C+HaOvNdUAhvI8dHRA - tPwavu8l0dTLYMU77/+mQo17+LWql29uCZFHQRhvEB88kLbJ8T2KKLE4jqdzFiuk - c3lfMEmMoq0XZ1L7S2Us+IPZOz03mvAYeKaBiJwsAcUyy+qhoZ2UVm7pV6TIrSxw - 6W/iKjXCczfmIjgjkLEJCYys6P3dHdOnBlp0XnLnr4QRvb415oRyAzNIkO6iYdy3 - qy7bf7k61mk1GYR7EoZt4p0CYAlK1T8SYOOVO0AlaPIqX9l6jhI55D5HwbzXsLP4 - y2AbIj/rQ6ZzmeLtAkcMapmZduvz7Qv0VSsLS6c2MiMMChW6P6qcR/w9K/zE/VCF - RHIAm7vzsT+A/6bbq1ECORMIn7qry+5hSPgqYJxbhuRpZuL8FtydZoAAw47gPkrS - XgHqmQsENy6eCGaPmkA769tgw+7C9/k1ZBRiuoAFw2xASiryfjPrF1DNNOrEm4OS - MgJW9EiGMc/WCY5KVrBdMU1KKfvQrOi+9KNNelOgOYaTcRRclR5LAP80AynUOd4= - =4mv+ - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/environments/prod/group_vars/all/environment.yaml b/environments/prod/group_vars/all/environment.yaml deleted file mode 100644 index 2ea7bf7..0000000 --- a/environments/prod/group_vars/all/environment.yaml +++ /dev/null @@ -1,9 +0,0 @@ -env: - name: prod - suffix: "" - suffix_display: "" - domain: homecentr.one - -subnets: - services: 10.1.2.0/24 - services_storage: 10.1.7.0/24 \ No newline at end of file diff --git a/environments/prod/group_vars/all/users.sops.yaml b/environments/prod/group_vars/all/users.sops.yaml deleted file mode 100644 index 9df9ad8..0000000 --- a/environments/prod/group_vars/all/users.sops.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -users_root_password: ENC[AES256_GCM,data:eQB825IroAAna/XBIMUMuEUqeoJABWshyAo=,iv:GZzUc4/mjzbZucfSbeaVHdCVIyV7e9mjoizNZGWoLZI=,tag:FX4O+FC2MzCsdB/YxfYSUg==,type:str] -users_root_password_salt: ENC[AES256_GCM,data:ow2yKqOruFRJRqMs9e7aGA==,iv:pf8VAYaJqchNTImR56m5JwY1yUK/OCKu5lMfCDdVrG8=,tag:UteFoWFXcNsxZbqdUM6C+A==,type:str] -users_admin_users: - - username: ENC[AES256_GCM,data:IiH/5tGxww==,iv:MtuXPDoTp1X1dAlJ39xV1l/gNGFgbA98sLhhx4AtomU=,tag:7g/8IlL2UIfEoOfMZgxuPQ==,type:str] - public_keys: - - ENC[AES256_GCM,data:fem+nYEnzrc7p43txjY0920r3M5HAdTgUiyMsJbGs5Gm/7a8CPchBx5XIFUQfQdU2tN2jjjwybQ1hpB0A8Kq4l528Kr0KM0jT6nnork5oIYdU096fMwK7CExHVdyq50NDtf2ianQ5Osapw0EDyM/kcgTsUzAO50esGUdw5CWq0BG0dU8l6cD7n4MrACSdAIdO/clJ/8TZJ4Yqsc8r1vSRJVtwKOYIgmGonJZVs8NRyG8rnzDkjXDN7GgxMWyCTLBcBpt64CmRdHT8qEwLH2Fj6ys3WeebKU+lohrmbCHrvZIKT3I+OsedwPXdaRIHhrAKBNjmYe1+SctugJOEqc4FDYa6RD3rgKm0keFCz7wvvoxSr2z/k2jL/dhSQoGPWsDS4u3ZuXkt1UF8r4kh/ZNyiTOLohIGjWEnkwMjUyaD5VfykPG5zvda9gChsNJGTbthz6FeZGNgtlAt2fPFGcP2yEbm3GKHRNuuB4o8N4Vcn+HpCb/mI1WtgDugoqHc1eedz5pDk2kvtMhSMIJh2R/rceol2LrtLttovl34Pcib6xizR6HLtB5IFHYZen2bFx9OPl1ia6yCe/vfV1Tq/nUwX3DycwC+faRbVytVGWTfvcHw5typQffd+bY6Vg6G7twPNB+gixphVL8x7ME3rTs2CzAOUilXf6eRQ3CIxjvwIYp0fhaeh4xPn+AzsrniGNaAe4xk+CYg7D9wrrjV80WBY/nUea9LWmxc2m6ob6Flp9IoQjsFthEWtbomiLDBenih0FROIujXzsHL2WAbrlwKEgRrE/d7pM17kJT41qeFNHK2YwkTcA4NHbp6Yh35Gb58L0aF60V9WLUWabWTScOk3Crl7zECfMWKkuo6F7Po5BdXVArhFcGP+E0QkJdY/rlMNStc11nswarJUAogYsASLd0oARGZE+Afe+DOXelr6Bf/MirF5IG/rzcN5/QfvNFUoxAOQ==,iv:lffsvnH3gzYIXCgyS/lK3Y4Elbqg+HioPb3I0WZUOPQ=,tag:FOg1pOIeYI5d+XDNjzQGAQ==,type:str] - - ENC[AES256_GCM,data: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,iv:B9gVFmR9RLajkcUfNIe/5Tpi4z5CcfZyI76bmLFOBxo=,tag:6YzAEaKpmsE7nrlnqVq+GA==,type:str] - - username: ENC[AES256_GCM,data:5UAVVmm2rSdodkMrvA==,iv:IVBaDzpChyxqbCcMxh/ZmQAIfdFfVgqcdHFIMRTjujc=,tag:HH8dfEpPOMfw3wkW1etd+Q==,type:str] - public_keys: - - 
ENC[AES256_GCM,data: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,iv:VgeFMjLn+z7nYmEETvJ43xWv7TrDKEDJ8K3jqtMMghk=,tag:/+jxTjcicr5RZbfl7q1w6Q==,type:str] -ssh_allowed_users: - - ENC[AES256_GCM,data:HF8YTmKN+Q==,iv:aHIWB34sk+gLbuWB4ZD5oOIpM09egrYizhWLxc13mh0=,tag:CPEdUBdDpcJpTrqWUJYgqQ==,type:str] - - ENC[AES256_GCM,data:YNR0UGlGGI8DBU/GNw==,iv:HAwpRCsnz/jjYaT54M3zih4h8uaz0XiUlk3xhBARrFM=,tag:5HwUrFzewflbYu+p/dTpPw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Sndlcjd3bUtycHhBWXF5 - NnBFdEVHc2hzR1pMRHhDMDJKWWpxUXBlblMwCnJ4WGxSeUM0MkRIenVqTmlGQ3dx - UTBvZkI0ZmZVSnhjazJYVUM2allJUGcKLS0tIDdJWitBSFpEb29Gc3NIMldVdGRV - aWN1V0VMcVVSTUI4eDY1L3dmaCs0SU0KkzPO20YfskpLYPYeNu09SGA6243cVGTf - MDOHatdRs2CkZNEw2A6xaoIXnj0Rr+N9sfrdAWRsCBBRxyfgxw1Bog== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-06-04T20:42:51Z" - mac: ENC[AES256_GCM,data:JYTu3yhVocuTnL01t5IU/LRVNd9HtTOVTHnEdXm65h4OoesytvHNmh2Csq7MfvYSWTuComOWxCGn4n2upwrEHL7IVietDX4A728GBOqDKD2ruHCetAqPqvFVInQoqzFWVAIvOrQhO/mLo7L6NlFRveNPw0SJn3koxtdj+JrVS/A=,iv:58T9mNgwmwsuAk496VFCBuK9h/jaT8YX8y/NORpDdlU=,tag:KTn1uE4Y7gMknB+EV0RpMg==,type:str] - pgp: - - created_at: "2023-06-05T09:01:59Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CARAAhgn5QVDIe74f3jPc6UeLebhptknDLqxrD/zO0xEs7BX9 - XOy47z0jhdLruO+i9AxpFJxSX6VQ/D3DuLKTTikvTk0UYU6BEIVbw90UsLdY+g2K - beRsFeql7tKAYF2FQuPWGKzE7ee6TVypLD+VBXYuQOvpdd4sZCJ/qMlfMGMBrALZ - sV19IPtHnvFjtLKXO2/QyFk4OJfLAG6i+vuwtAokxSGMGab+F0iDhoCXo+YjbTR+ - aTropldbOOudDDb4VFNDSkza7TI2gm4vyOjYN+i27D001ulywsBzO0/pXlb+ajZS - BlN4rGU+I4wsBDp841FTNZPy9Lf7vYsVPD+WFQpqr1VJOn3TAt/Dw5GsPVuux77Z - WjsVpxtXGWSt3esX6uOCT8ErOWN45ZmMdHK8Fdq63P11RlmUwox2GhNIcouT+s44 - nhnpL2ZgLmZ1LS8DxG/ZRylgelGSnZjIxCDjtZ1zuqUJYJSyZWV57fD0Gs8mEHMk - 
SGntsuvkIqAUY0lk4kDFWqbLveyZgvu2hU4KvdWZEhfOK44fc2NAXGQY9O/ucdWD - Cae1jeygtFREp+ANsCkyErnSg4wrxZd29rJVjvUx4B3n4yMzgk15rO4r2i2QGeNE - T3QQC/JeLqFfvlhIYRjuZY+dqW0PomEjWDdSJF4ReXRvw/L2Usik5ktZgPJHQKvS - XAG4cJV6FNAEsnVzoDFN66sWq3RoGDSktvP765CHi1A3K+8WMrB765fn4eIyEye3 - 6aPbn7PNYSNluMdh9Z44nUrmS+tve+gBlLocwHHYZ6MyyIngsuhbEXKAEPIh - =3kz5 - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/environments/prod/group_vars/cloudflared/secrets.sops.yaml b/environments/prod/group_vars/cloudflared/secrets.sops.yaml deleted file mode 100644 index 05769c4..0000000 --- a/environments/prod/group_vars/cloudflared/secrets.sops.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -app_cloudflared_tunnel_credentials: - account_id: ENC[AES256_GCM,data:lHYUZQtyoElAaCmI+UFgmpuvOf2Wc9HMISigDXtG1f8=,iv:N3eWIzlCqwdgg0loMYgwq728sLXI3QeGEO1zenSniyE=,tag:NDWGpbN6GvhKYg+CBlywyA==,type:str] - tunnel_secret: ENC[AES256_GCM,data:zYWl/KGhRhIqekDlICtqkuHb+T/Me4xCfoqTCPrExQRb14NCABhqKH0ySelH2pIAlxY/uB3LPZRXAOp2Z/oE7b2FSaH0amK+yiOomZJ55dZ81m/9VSXA/SWD2hFJ3ZfFJ+4RTirVkqIuujM9VFdvbRa4L1vAd9iWW/DlC3KM1/o=,iv:hM6B/KzFl1TkS+vuq15oYs6j1z0beS8gWsc9bACG7xA=,tag:1NN63rJiSVADlV4qJAIk/A==,type:str] - tunnel_id: ENC[AES256_GCM,data:59gMzw70zaDo1vBW4gQe9K+UgZGFuJNlSaoYFZzTAOgBovhN,iv:yQC44RH+DdrXA9YYvCr4jn0FsHueuah5wmtcjQiCk00=,tag:8QtLFjCbJ0vomLlEDaFGAw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTNpMjB2V3h2a2pJeWNB - QmtZRTVDeERpSTBDYnpsYzVoMkpXTnpTRmtZClpXcTRKQzBUN010OWIzMERoMEhZ - dVJYME5HTmwxeFpIUHNiU3EyazFFRGMKLS0tIC9vZGpsN0d5dWc0RzhLdXk2bnpy - SklacmRSa2ZZOHREdTR0ekRGc0ZmVlEK/qmTVEdCSNwWwciH448cJ4HjCqwFixkV - mqJoQLFUFv5u7sggZ3tKOp+ykwmlsVT6mjuhI3BVJALtUPBKQ35tyQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-14T22:37:26Z" - mac: ENC[AES256_GCM,data:FTn7487oIN5J5sS+9Stm8DcAvJAarGl9z+2bdtB5nu9kRvhD4JYRt00yy8aH5cSXywfyh89mbQq1ZtJXtGB1H0wPJgwMDngVv31TGnGKEIRJyub2ynGjMukOopDcs99ctlndmHVP1DxiOCASYt2HU/snuN3u8sOhput/JiowysY=,iv:IUqst4pi3ZNTuClNr0Ot1r23OZM+qdjsZKD8iRlPHcw=,tag:4Qt/Vix+J/0436zkMsr4mQ==,type:str] - pgp: - - created_at: "2024-03-11T21:28:35Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA7Pg+ndCcR5CAQ//TM7gncqbBG572oPVgHhGzJITC/0VnmCaeau7I1TWLGyz - vCe094qMCkBFBTKzpnkQIVvhyK186yojpiSwZkW69OntXXdj14pGVQS20LBhBdxr - 5RZ++wrx+IQxaT+tRWhUPQTA5249Ywo8HxcpTXk4pbAC9w5Ruakgb3ssNdpkIx+g - +v5DTPajpI52f2bP1tNAet5a34Bcz5jxkzQjVVrVcigVw/YO/cFCtZtCoAPA567v - QRYa7OOj4GkVePgl+IjDtGi0G+gsTA9cZWnUb2qyE6XLLJs5j1lct/6wmGzQvi5b - 
0ZrSrPoYuCKEHv2nojKP0yfye+HLcfo84Mudz9dm0UbJvLcSHK9Wa5x0XLaPtB6o - Vg2Vy5cxDQQpyosc1WBS1wrTwRSntPQhyFjd5CfgSbYHh3Q4Ms9J+HlIodHK63+U - ZGArCHdD7a9ezVhNyLp1jmymBI3d3A+zy8a3ZbfsuHjaDIr0dahbO0hgvoDLN8jE - zna4aMDbbfxrL1xQAXfyxhD7jZGoBcLPDQ8uADe5qjyP+p+15+UfUXtRgzTiEEvU - 1ARra95iFpnpXyc9g66ODYa5LmCYv4QnBDbcDUWXCzHK80sFzuk/ak7pgjRoAHUo - rFFk48Bufy1r2rztpG+fWUfGRjAtuHhitBvU8D6aFEn5VuTNxASlLO84kfAArZXS - XAG44iMMhwmww7HeKHfBtI7ZE6aoi8/1qnsTDuRUCXP8qg+z6E1H8ik1c9215EOG - 2qeUzhcu3x5H+CyFwISbp4gR8P1BczUL8cevkjGP1TamQXUVYCeCsaHSTr3e - =Uq6G - -----END PGP MESSAGE----- - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/environments/prod/group_vars/containers/app_container.yaml b/environments/prod/group_vars/containers/app_container.yaml deleted file mode 100644 index 2c77daa..0000000 --- a/environments/prod/group_vars/containers/app_container.yaml +++ /dev/null @@ -1 +0,0 @@ -app_container_storage_name: dpool1 \ No newline at end of file diff --git a/environments/prod/group_vars/pihole/pihole.yaml b/environments/prod/group_vars/pihole/pihole.yaml deleted file mode 100644 index 54e0b6a..0000000 --- a/environments/prod/group_vars/pihole/pihole.yaml +++ /dev/null @@ -1,4 +0,0 @@ -app_pihole_custom_forwarders: - # Forward lab queries to lab nameserver - - domain_pattern: "*-lab.homecentr.one" - nameserver: 10.1.8.64 \ No newline at end of file diff --git a/environments/prod/group_vars/pve_nodes/general.yaml b/environments/prod/group_vars/pve_nodes/general.yaml deleted file mode 100644 index 03556f8..0000000 --- a/environments/prod/group_vars/pve_nodes/general.yaml +++ /dev/null @@ -1,16 +0,0 @@ -ups_devices: - - name: ups1 - driver: usbhid-ups - description: Eaton 1100 - port: auto - monitored_by: pve1 - # vendor: 0463 - # product: ffff - - - name: ups2 - driver: usbhid-ups - description: Eaton 1500 - port: auto - monitored_by: pve2 - # vendor: 0463 - # product: ffff \ No newline at end of file 
diff --git a/environments/prod/group_vars/pve_nodes/secrets.sops.yaml b/environments/prod/group_vars/pve_nodes/secrets.sops.yaml deleted file mode 100644 index 69bc19f..0000000 --- a/environments/prod/group_vars/pve_nodes/secrets.sops.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -pve_default_realm_name: ENC[AES256_GCM,data:bzfN,iv:d8vcjxmyLv7UFViWW2DcLdg4Lys5FelqfvNX6U2L95k=,tag:PkXnC2/E3B53Tv4gML1DGQ==,type:str] -pve_openid_realms: - - name: ENC[AES256_GCM,data:mfuc,iv:tC7/gOtlqNY5c1IFYq1JxvFsxrJ6zr8ash3OJ2VOkZE=,tag:uUQS0KgFTmwRUqclknh9PQ==,type:str] - display_name: ENC[AES256_GCM,data:tzcQxB0Y9ETNYn/bYCmgtk1n9NYlwQ==,iv:kHTMrfeGvzH5lDFUce74khRfFwVP+6VS6X3ngLZvg1w=,tag:sZzWXE8oBubDODAo0W5GWw==,type:str] - client_id: ENC[AES256_GCM,data:W7PYHIc7uBmpNYgZW/HUNPdIp7JBBGhwjxtU9W637bB2ifp1,iv:deoJTnOO49nu4FnnaNEN5Jnj4QTciSlVg9xeiGRL/yI=,tag:YfGGnSoiDzQhlrec2BC4og==,type:str] - #ENC[AES256_GCM,data:uOM9rF7mlo46OZ6p++wd14kDNh5NWg1OeJoCsHCBRgCte66LSgRFiQKNmh0YMe7cEIbpa0AeOK3nm+Lniw==,iv:8VAORrBMc9uBwGbS9lTbpgO5quPYZF6t1JOOgc/1a9E=,tag:SDXGx/MR1BHNgnxxcxFCrg==,type:comment] - client_secret: ENC[AES256_GCM,data:Qjgmx464eb3ZZl7J6tvwnsvTLjZA91CzFQWVgpi0UXcUzvvfLZTGEw==,iv:/hphsJG0mxYPLMBkSuHCVoekFpy1TRI7A0QNDcE2m70=,tag:vgNLwYcOPJRfw0YSaqXdmg==,type:str] - url: ENC[AES256_GCM,data:ObYigFQRkuMsqLeloivEA+u53rPpUqsedRgCtglNMrGMfbDhYhYfeAEmVIh54wdTXJB4CV5yplFlD5vKkryCY36QYkKlsbNewi3m,iv:s0iV2K3Ipy55JNBcD/Ze8VERKdgjsJfNTw6wglF2NE0=,tag:bmR/dkuPMs8mtINTQYJGvA==,type:str] - #ENC[AES256_GCM,data:6iSY8pFz7hjXEiSMnyCihQfRR48JL2HoYxssAW4f/n4tEeEWWYD+mIUEzxRcCwO2jezt81HTWg4=,iv:Mow6UjPPbCHjs1pXaPx/HyzZjFVi+vB4yFnThd512xs=,tag:agwSLBWxeVI4d3NYgcrQhQ==,type:comment] - autocreate_users: ENC[AES256_GCM,data:qSKfG2I=,iv:E1KRdMvhkiebrMhP98TDqLKR6cZ8gVt9y22j58EIPBo=,tag:5S/tvuNw4Q2zHdNcprG+Cw==,type:bool] - username_claim: ENC[AES256_GCM,data:/pL0bUY=,iv:zWijUmMUibDHWaWamW8agkwxArts2J4XL4XdhdsDb20=,tag:OXd4cCHqelGjqtJuFP5z5A==,type:str] - scopes: ENC[AES256_GCM,data:0S3J1hohqWn0QZ3S,iv:lnIdEIPkwYDhyw0pBz6sI+F+3AkeGidEKT9CzwOnlA0=,tag:9ncSrfrzVnmAxuSZDgXlBg==,type:str] -pve_users: - - username: ENC[AES256_GCM,data:OIBqV4tYCOTlDM/liHY=,iv:nZkxupQ/pGbVNv9RbFWabqhLUJspWzQzAILofPE6Ahk=,tag:aVs8XL1bwws1JPIA2MqKxA==,type:str] - realm: 
ENC[AES256_GCM,data:kuW1,iv:3byfV+tw7gk32qR4r5te4YgGIXcq4Thwe5pSSqiUjPY=,tag:qWGB0P498zKhNh7CBoA6SA==,type:str] - enabled: ENC[AES256_GCM,data:FwlRPg==,iv:RSrCBTY19GiMiurChHTcIFkIsfSzO6hB9FjQ9JfavlU=,tag:NBjYo9zJSnvF871w4hqzzw==,type:bool] - first_name: ENC[AES256_GCM,data:r/Odfmk=,iv:SIsdYYQ5TCsIkb+IB+5nOZMxn0DiGctjxhX5mKiNCq4=,tag:UlCYEZrcMR1ZaoDVgfF6ew==,type:str] - last_name: ENC[AES256_GCM,data:ho5hlG4N,iv:tLbgbaHJjA4mChgfMagE3Q0tLROn1/sEuK7o+YbvrR0=,tag:Ov0Q4RuB/Gvc+VMTrcnKyA==,type:str] - email: ENC[AES256_GCM,data:oAZxXPuPe5EewmIO3Ws=,iv:IAW8KWxDbEtCTuty3FFzlzVHIsyQMCPYVWU8sV2K9X0=,tag:w4gxLRN0DUBME0+CJjF+pA==,type:str] - permissions: - - scope: ENC[AES256_GCM,data:Cg==,iv:2RvUL3kotpA/kcwh+PobdoWWSaqgfpnLUgqlDzfvIAw=,tag:UZZ88ahjivHWniJrhEJyvQ==,type:str] - roles: - - ENC[AES256_GCM,data:aHCPHTCOUwVcoZ7jSg==,iv:MjsGcG5XBi0mhsXuAIKgpkrxq+omCFTDtdDLuKYwAtA=,tag:WPnV29kkE51om/JIvX08Lw==,type:str] -getssl_version: ENC[AES256_GCM,data:z19Gww==,iv:LR3j0Qs3cKM6RqPggKjclbnlilKv4PMZZWjjL98kt3k=,tag:4fVk2UQWLe5PP7CCaxxvRA==,type:float] -getssl_acme_email: ENC[AES256_GCM,data:6K86ki50K+ySrvTqQFG5n2DuAkY6ShA=,iv:EKfpa/RMVNm5qmfzRQXvQ3MgINSp44MsnIkk2nrBrpI=,tag:6ZdNE9SQ1sxyTg94Zf2rYw==,type:str] -getssl_certificates: - - domain: ENC[AES256_GCM,data:1dSKHfcpBvXqqevb1CIZ,iv:vmNvV/1kdgpFXa6fD122sW+zg2Ohninl0lphB7jaUEY=,tag:hB+BCpvY9NUXRpbAQeo8/Q==,type:str] - pveproxy: ENC[AES256_GCM,data:nce3Yw==,iv:vgv/qEJAgBRroHv2SEP1pfJbuUg9IvKGmdnmxasYWok=,tag:K1Rnv3hXr2dQnnkttyQXRw==,type:bool] -getssl_cloudflare_email: ENC[AES256_GCM,data:8oS0LQt1MVH8dPwZ7Xwq+2vAs799Mw==,iv:rgjAafCDLtKQfGSKOXG6Sv7foFvoCOdv9n6mI+hmbro=,tag:n4qkIbDkC92lcym8CD13pg==,type:str] -getssl_cloudflare_api_token: ENC[AES256_GCM,data:YEG3q5gMQ405UNqal6o4sQ95CNLMFrxjnBdlbHwxEvMEerhkRVMOzg==,iv:maYf2UCkIwwYKOLvy+PDSsG1LDgR8AbvGeduXcVKVms=,tag:i2f8PyLgv3wFe+Ir86aaCw==,type:str] -ups_slave_password: 
ENC[AES256_GCM,data:lmUebjuRsVL0qnP7g53bnGb6PMONZI1OzikV,iv:vPzdPgjMA5AMXXbI9f2K/zE2OgbbNSOJgxntKGuYcPI=,tag:YDBva18phZQG+FOD42wGJA==,type:str] -pve_smtp_username: ENC[AES256_GCM,data:jK/v4zPqS46SdpscEg/OrPmT/rtglA==,iv:eHPflyJMzh4xLc7h1fUdR+m8m1i38WdTF47jDWtFhv8=,tag:ncXuOYM3gOaQJduksgzpZQ==,type:str] -pve_smtp_password: ENC[AES256_GCM,data:maPzOcH/vPLlf5yh+sq2wSGVkNTecSa/+pX2thGj0KyWl4zPGFoB5+4/A4HBhJHzcgQsAEkgRlmpvTR39v6LiIof5/fSKfbt82CugEPpxXQX/lumiz3eq2c4,iv:OlwHIGAnKvys3jeEP52BRrcSvqBJ6FKBTJ9/7BFYYtw=,tag:Jm+4/wdRxAff0uOyDBd2Vw==,type:str] -pve_smtp_host: ENC[AES256_GCM,data:zS3YuMC/Cp4THOrUtaw/jTO1jAE=,iv:a6D4ooZQBKM3MhQEYav1alAH5dYN8abZB01ndV+IvbM=,tag:4magRUDY8WIhVBBOt8F3fg==,type:str] -pve_smtp_port: ENC[AES256_GCM,data:O5zo,iv:m8cpc8bQ72XDnwnndoit33WPMYBfuP9I9LZLm+sDoHA=,tag:YMMidNk8QdMGla+TJG4UYA==,type:int] -pve_smtp_tls: ENC[AES256_GCM,data:ILd6SQ==,iv:uTart7c/4XUNUivNTdbl3NVLFjdeQp9czDXjjuwc250=,tag:Fzs1Q0fGuwU1X3mj9As//A==,type:bool] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVlhTaVg1QlhSV0E1M0JR - N21hdWVWN2crd3QxOGcxWVU2MEVuVlRvT21vClJ5TlRnYzBsSHgzZHMrRE1YYjA3 - MjRCaXBtSHJ4WDcrN3pNQUdscHpUZm8KLS0tIHplU0VBWVhtNjRqVnFXWjVnOUta - K2p6NzNleVJLVXIwR3gvdFk3VjNuSnMKVoTukJFUyfcpAi2Sihnhzy8zpFBiHJrM - Mhsg+k/UeeDGy8dntttNwwLUiDoZSy2q4yWjJo2ZL8dNJIfxx0UWxA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-19T16:58:14Z" - mac: ENC[AES256_GCM,data:vdI5CEqUyduqQdJ+rfuyU0AfyOr7wFNkwxaIN1ueTUuO4CW4QABgaSp3S1FgskTUW7UKDdGft9Y9FDa6Wgydic7jKn1+E5Cgp61Fzc4OIgPvg7/XHboMgksZPgZFvgcH2XsTZW0PZ4xSLRWdf8Auaib9kUiPR254dOjOn0AfP+w=,iv:V9Sn0TC54n+MVJPq+8442qeI5xufy8YbIq8NhsYtaRg=,tag:JDaDbP/ooQtw6XkmiyT24A==,type:str] - pgp: - - created_at: "2023-06-05T08:58:32Z" - enc: "-----BEGIN PGP 
MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//e3QKIVOOfBuOF2Q3avCCJNjI8PEJ93pTo/FzTQYYGUOU\r\nOacmnaizo/c3f9IUjax0jbtt2TepYyU0xNmQLZPMjH+mv3l5fzShjUjbtyJyrEJN\r\ncDSV9uktt5BCYKU7wfixK+aNlu8v+5TSPh67DzfX8gnObp5FuZl9lZfFG34nKTuM\r\nIQ2/1h+jiqX1YzTlen43oYGw2vl9AN+irWaKHFXcp4MrJ09RmwdNN6BQERXyBggq\r\nvYyOO46D2zfB6LpvZOsYsLIQ5r2Q5HkT6iYIBQdiiYcXXblkFub4QX1Xidhqbye8\r\nkF3xWPSM4Ah2E/Vle8K0WaECBEjEgntGQUG9Ox1Rx4TZu2dE/kYzbSSZJEAjOrdq\r\nLmjjoeZb9GgulVx8bosB+nu5uBLFENUFRAX13/OIV3wFMgWNq4GEuFx4o1bAYGyY\r\nQJBQPPTNWAg7KILXHJGurkPJQFm+97wJr6movUbYIm8kZQddUltoHuU+WF2ziTii\r\ntlavjA5+YBlww3fLvxAwOGbMLDew7QVdS+jlytAFE/WiY4+DevhCscZ0HMFC8gxF\r\nHGTHQoGMmrDRbceuOLfjAriGJGteAzFTA92U8tFNiHMDtOOI6A0ZWy3qdSWVECid\r\nD9vj0i/eLei30Fsx8Cy572oTqt8aP2/hEZLtxUfLj3JDWq/D1AAStuUEFPFvqKrS\r\nXgFqcNjohYoLdsm2ARos+Jpp0UIQn8pnqLlqzdaj3Lg6OymMwaP+NoTg8vKs9WCb\r\n53ui5uz1ds2oQRkFAFibUap+Mb9iNo4xgSjtRenS7KoGqQr1xWVHASSHffP7kgk=\r\n=/TSI\r\n-----END PGP MESSAGE-----\r\n" - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/environments/prod/host_vars/frigate/cameras.sops.yaml b/environments/prod/host_vars/frigate/cameras.sops.yaml deleted file mode 100644 index af4724e..0000000 --- a/environments/prod/host_vars/frigate/cameras.sops.yaml +++ /dev/null 
@@ -1,46 +0,0 @@
-app_frigate_cameras:
- - name: ENC[AES256_GCM,data:K25rEW2YZ9k=,iv:3F+cPXgvnpqDX3Jul8Bd+CpgUVK4EBk6SSqK/7nsiTk=,tag:MjTIJKnJNRrm9r1C5DAILw==,type:str]
- type: ENC[AES256_GCM,data:VWA/UV1mWA==,iv:wnOsUQPwYyluSKd+pgzBXrNlFNYdsUuV7iMOEg3zLCY=,tag:Bf90sQ0Xi/6GY6gGnAm2Sw==,type:str]
- ip: ENC[AES256_GCM,data:bcgx95kQUEEF,iv:URoVES75H5OaTjoPnwrTacxvoS0pWrIdDopMDo1qRpk=,tag:yS/IoVOFbunyXFxET3lubQ==,type:str]
- username: ENC[AES256_GCM,data:Jb/lH4qKqw==,iv:N6rrdzEnaS6IkvyuH/GVsNsutzkrx1wZ2kWnVo37NE4=,tag:kbWDUwIZNcSPzJsTv9E7ZQ==,type:str]
- password: ENC[AES256_GCM,data:IvToLCZj1wq5KH2MQaaTu7dCQcSWW8LdxLnykcs=,iv:yB03KVTEtB5PwXvv4zfj/zMQLKIr76fNjjv3rcyc2bA=,tag:CKw79/Hye5imT3v4Blp0sw==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWWFad3hDUi8vWFpIQ3E1
- QktDNVVtdXluVlQ1UzJjQ1BZWFRXUlpUc1NjClV2WEd0bFRhK2JlcDBwOUVUWmNo
- RHBFbWFsY1lRYWtaRE5ScXBrZ0UzanMKLS0tIDByNmd0K3drUUpGU3hmcmJUQmpu
- L0w0ZXlhN2hPS0xWR0lITW96Mm5kMU0KgOqDc2YVPVQtP2+5lfjUXyFLMj0idIEn
- NnVcBcGCpRaU2NOh2vTSIJTPDF8oq1wCR1MCxycKV4U9Za5caPurbw==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-03-14T15:14:03Z"
- mac: ENC[AES256_GCM,data:vqkakCWFV2k9zct5w2vDpvJTsdsrU86TVTplcrMOZm3e9dPMDARpHXZI4vYBTBPtU7JNhDNFgQNPUB/D/A+Ig5BGvL3C1iPmKTvmGjv/w4NaEn8yRj4k0+2h5XSZNEaIQoq65Ymzbbkz714kuTRn2ctrQxfJCbj8Tas9aoDbM/0=,iv:FaTwuWFR7FPpNMuufSUsiL5AhgMWc+9KLr3tfRMpyK0=,tag:GT/yiuF5LY1RS2uql2OIlA==,type:str]
- pgp:
- - created_at: "2024-03-14T15:10:37Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA7Pg+ndCcR5CAQ//chnODy6vHHlkjG7FCrZIk3sL6OgnSjadjNhoxTvuYEuK
- WNIiS1zMw3aVVrqVYq1+SXeUgwPTB63GP1fzNrLYY9B4g1zvxq4ySjQ1l5AFtKse
- PmOcPWQrkSzahquMFsNDiJlwEIlVmoAm1V14uI85TehIBmXjlBIJcckvikkf2xBi
- /7FGoLqXdnrpCdeEYWIiujujJF1saIuhBWLEcPyzzL7fgtlrOQH+IcTkqLvEP92k
- p0FA4152ohwP2duAsH4By3AR5iWTywP19tKzp7E/cu16g0cbqbD/L7kpoMB1wkmI
- 6nXJ5SHrSZ1RD7PppX/PQbeTOaYRbW6jnqLvI/2AOx8ChNO6DdXJr4qi/TuTyAQR
- RSapnAyYVyfxffQdozT0vjJPrHR7AQSlz6q3/3O0b4VL3SkUDH8eoLjaIIAt0oz5
- 57Fjrrr9gtRdLZM+DrxFqmUk+q0PFEmriYY0gqBjDeTMS/gWJ7r4DoBgsH5QeN4p
- zti3fEEysaVUVs5GaDKeV2yXgT3j3DqVdiLGoO7YeLiO4uAU4Z2gOPZs+vy7Xptb
- UVGgQqm6BQe9pkEq94zbGqSe9+6+16pZ/PGeGZ+riE8XvioJ2r+O9M/zaSO8dSn6
- IKkxeWDcvDD4LL6KJyqT8uWtYncKEorMp6TRa7ZGaj6gbPQXhhPKUVqt79Yj1lfS
- XgFpmG+dMte5yG5aX5WyFzfk9GqVJck2LU3HoQyOb7KqA5KblSZc54jESc1mkH2d
- tALRYJzfO18P9RNv9HWtVKBgr4GZ42XR13r3rOJAF9mypPkOp9bCoCvT8kAGmF0=
- =ltPj
- -----END PGP MESSAGE-----
- fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/environments/prod/host_vars/frigate/container.yaml b/environments/prod/host_vars/frigate/container.yaml
deleted file mode 100644
index 2ec62ee..0000000
--- a/environments/prod/host_vars/frigate/container.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-app_container_memory: 8096
-app_container_storage_name: dpool1
-app_container_storage_size_gb: 10
-
-app_container_mounts:
- - type: disk
- storage_name: dpool-nvr
- index: 1
- size_gb: 2500
- target_path: /nvr
-
-app_frigate_cache_size_gb: 16
-app_frigate_shm_size_gb: 8
diff --git a/environments/prod/host_vars/pomerium.sops.yaml b/environments/prod/host_vars/pomerium.sops.yaml
deleted file mode 100644
index ec84077..0000000
--- a/environments/prod/host_vars/pomerium.sops.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-app_pomerium_idp_provider: ENC[AES256_GCM,data:VpQAf9E=,iv:PIREcAiLh9nrTUp6yLwnvyfnAXmnvetoCQWqLswrKXo=,tag:y3b77ECYZ5XgRH2f7lifyA==,type:str]
-app_pomerium_idp_client_id: ENC[AES256_GCM,data:f+/xseMu8sfxGCYSZQBgeyRNV+5r2Agl77Vjgj1NX56iru3A,iv:KT/bdCe/Kq3p0G5d7EtS9l+6Sm/nJ9RuEI+TTA+x4Ho=,tag:hTR4/olk/2X+84EjttjWyQ==,type:str]
-app_pomerium_idp_client_secret: ENC[AES256_GCM,data:r/mfqDZTd7KWVlpYgDy2iUwLQdb17x8fLkoyJ9Mx8BMP027vWAX0VA==,iv:+sZBP+85lRB55a9bkvcaM2E2GXso/NdK7EMFGEZqREM=,tag:Vx/5DoZDNyCc/MnFFtktGQ==,type:str]
-app_pomerium_idp_provider_url: ENC[AES256_GCM,data:bSKc/XqRKhRmWuR1yRU4kDDARJ1j+jcnjDmNaM+pdqJJ+pOLHnTnO21BiItwx1+vokhS+OAIgudMisT32327NVawBcLN0cqWFfIs,iv:sq2ipwCpce6P24xKCwznetJB0xiW76A4T3AfWT9wZo4=,tag:1rSLMf+gAqwSaNb04NR+pg==,type:str]
-app_pomerium_cookie_secret: ENC[AES256_GCM,data:AxSiccltyyhamL/ddS3656P7wfVZVnA7lsdogOhO6/l9GHZO+RWERCVhcnc=,iv:KApzn0Ce5Zp49FIa2rqEwPHqD+vrbETM59GL3pIdj4g=,tag:vXY0jb54xR6tFh6QNEU6zg==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSHZGZnQ2Szh3OXk1MVlJ
- dTQydEZxSWRGRXczcDdEb1J4S1VPR3JqbXlnCndyOExGZDJqQUpneXdCMC8vcndK
- QklvS3Rtc1ZHOFRBTnp6NzdNZ3JmdDgKLS0tIExJTTF1SUxlN0psbmpYdXV5c0Fh
- SHpnRHlnWnBwWUQwTk5jVHJSdEdCUUkK59zwMk1ZNsBdvo4I26Hv7lrrkmJ5jeVE
- TwbEthfwlCwmCOtId+zuolCZwZbAxrayIdWgtlOCpX0myDrGX0qx4g==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-03-14T16:01:18Z"
- mac: ENC[AES256_GCM,data:xlzxneWrPjW2Mj3iJawvzWoHHVo2kZ2t+dZHIqXvqA4Z5kboPDEzZ85/+ci+RM2ig7VqZ69AVw99oFawXV+Zn49nRH4Ol5BCARD/dauNpvmXcZDt6PcXgSpRnHFREBNDM7NGj0SFpoDvJxNwJ8REofy6MtYkIYsmyVfP5E2rl1I=,iv:WUEA+TvES30zuG/NedwGChu0TIZb4idHA4Qh8put3WM=,tag:DpL0kx2RD1FMdBJBqFl/mg==,type:str]
- pgp:
- - created_at: "2024-03-07T21:01:19Z"
- enc: |
- -----BEGIN PGP MESSAGE-----
-
- hQIMA7Pg+ndCcR5CAQ//TaWYnk0QfSwq39kQKGNkH3C1pq0DHjjDcosttXRKVT6A
- dBo+hjvfrxHWOaRrP2ABuNzmkbcZ98Os8qk+Z0NFioZllL42mGrB8+p4TyZl9n9D
- ai9tGncA/ByWEgdzBCqp8utZk6nG0BJ+PfyA9014mAU0GROek5y+OUwjNDkZXZ6u
- YbPQsoUj316rONWtSgf/8+SDeu7J5k9gKwhkDcj2V6KDVC6VdCF6NAXQKvrYTKfh
- X2MAABCE/yn6Gs7pYymjJJGxPYGxjh5huk0C89nZW1kcmW/DaDh1e5o0CYR/p8RK
- iaJmF8i6N6DNFrI3GcCMHb4wqBzDTCBkm+jsFT5f+VUkivANxb/IqfuDJZn54OFz
- hke4g0oLnB+JueGVU/wfzYKviVegCVbEbM0dYmSjI24Bp8DDHv/FroUoPAA87lE6
- veTt5mEaayHCBI4ivhQtuPlHBL2ij6DDHSdx4Roi5gGxUmLtUqSg5nQwiItSNdn5
- eaRGfKCaKrpurDECobqTjUZpubxbDbKE52vvJDphB0+TTxVaiTnWjXt/pJ2nhMvS
- 9RMiOyJQttrKkDuRR9TOMEVg+urtTlix8Cp7UuCF9RTMqwQu1oQenBHOByHVVrXn
- k3Lf5Ue55G9CWtBiUekP4ohsd1JBiz2QDXnkJ6wEA88srzMY8YgrH0ukBnHFOM7S
- XgFQig9vICka+uxescA7IbP8g7adUaduepOCewa4HU0Vrun59JZr1b0JzNp8oHVk
- Fspn4I9u/EG27gSIdf4M2cEhhvugG5O5n5WWSPv4ovUOFTVEHGk7+tTU1gdMGS0=
- =jN6m
- -----END PGP MESSAGE-----
- fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/environments/prod/host_vars/pomerium.yaml b/environments/prod/host_vars/pomerium.yaml
deleted file mode 100644
index 0e2ff3b..0000000
--- a/environments/prod/host_vars/pomerium.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-app_pomerium_groups_administrators: 64d004bd-9218-4fae-9919-0505ff5eeb8e
-app_pomerium_groups_users: aac23af7-2d73-497f-b93c-b8ca4007638d
\ No newline at end of file
diff --git a/environments/prod/host_vars/pve1.yaml b/environments/prod/host_vars/pve1.yaml
deleted file mode 100644
index 483191b..0000000
--- a/environments/prod/host_vars/pve1.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-pve_zfs_max_arc_size_gb: 4
-ups_name: ups1
\ No newline at end of file
diff --git a/environments/prod/host_vars/pve2.yaml b/environments/prod/host_vars/pve2.yaml
deleted file mode 100644
index 934309d..0000000
--- a/environments/prod/host_vars/pve2.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-pve_zfs_max_arc_size_gb: 4
-ups_name: ups2
\ No newline at end of file
diff --git a/environments/prod/host_vars/pve3.yaml b/environments/prod/host_vars/pve3.yaml
deleted file mode 100644
index 2bc2b16..0000000
--- a/environments/prod/host_vars/pve3.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-pve_zfs_max_arc_size_gb: 0.5
-ups_name: ups1
\ No newline at end of file
diff --git a/environments/prod/host_vars/smtp_relay.sops.yaml b/environments/prod/host_vars/smtp_relay.sops.yaml
deleted file mode 100644
index 396725c..0000000
--- a/environments/prod/host_vars/smtp_relay.sops.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-app_haraka_users:
- - username: ENC[AES256_GCM,data:wIFb,iv:/n/Zv39xiZKWl+TsiWq/+xPfpS/bMxLmmvcludsfOMA=,tag:sL8/YeRNq/w5+nxVjIRATA==,type:str]
- password: ENC[AES256_GCM,data:5xQSIu1SKQ2YICc9k2TgH/gZzKQ=,iv:QZ/wW7hoYd9HyrIEXZxG2EePyE2XV06pRpM7hOoBqXU=,tag:h57JAYLn+r49D66JKjrV3g==,type:str]
-app_haraka_smtp_username: ENC[AES256_GCM,data:W88iwjJhJFMdxJ1s5BaqtU1eQXxvWQ==,iv:fxIOt+0LBjjoLB1xo0KWOBJ9R8g4Q2U+gB+ujT7KXu0=,tag:cJjMQnjTJTtB6Gx0o3QWvw==,type:str]
-app_haraka_smtp_password: ENC[AES256_GCM,data:5F7M77Jv5rcKTjEvbWmGLty7+lbd9WJIA7OzyHMRbSGOpGmdiJWwKFjHKsBlotBW0gofJHDoBh05nID1B8FYM36jkd+0TkQTB3kqdB/onXHmLn0Hy2M/PgAX,iv:mMLZS79WYtVyg4BL0O1r1LOsFMSkDMTN3+oN68jlmeU=,tag:jpT0V2IZWImu19VbbH0zow==,type:str]
-app_haraka_smtp_host: ENC[AES256_GCM,data:BSaVrZGb++wnK39Dt3+UrAqbfSI=,iv:hlipTNIV5PJ4wIsH/ORTHp8C5V8kjzsX7dQyG+tvqno=,tag:xQgicmiGvMRBreLAdDlvTQ==,type:str]
-app_haraka_smtp_port: ENC[AES256_GCM,data:bqtZ,iv:RC8tIIBHvOWXNGs7NDGi46ss92oyq6C9vnbnyPGr5hw=,tag:DTd3Wd706FR48MDXza55OA==,type:int]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzNjdnUWhha0JvUkVkQ1J0
- K2RVclB0NTljWkx0SXo2QjM0S290TVcxb0JZCit5SVBxanRsNFJ6aTRKYUZ5ZHpK
- T3czaHBISTl1N1pJeUhqWVBrdEFRSzgKLS0tIHQvT255a1dhQjBON0tOaHl3Zmkr
- U1RuL2xVbC9pRFppQ3BEUmFkV1ZDTzAKgBEI44mfeId4G4VrnOTi20q0jeLPLvEI
- Xpy6J8rcP/ixbN+bns2Y8dC55+uFEpQQdVObCBzyYgSqapFM9cYpHQ==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-19T17:02:22Z"
- mac: ENC[AES256_GCM,data:rCzgrm7Plp0Ubd3kXLYXY5hhKGS3OdR3TiCM9sqBl+8CfrfBXYtg8DLo8z+pTJQBAw8sjAC1kt+xHzHoKnuy8mHpJiDiiXeOb7U1+4qbjA2x3HaY/cf8IxW5tPNZwy6XH27AI7/dYSQVrt1NGnkgE8eka+6wOlGDQC0EdbiHRXM=,iv:hO/j1nJjmmsn4zZcE0eeKov2tXU6NAyOpi0CpFhVp70=,tag:K9qRW4INTmb/zfbZvHJhLA==,type:str]
- pgp:
- - created_at: "2024-04-17T13:26:16Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA7Pg+ndCcR5CARAAkUwBdOFb6cNMqPIHyxrKLrh6syCc0Icu/OnvyBsINnV0
- qT7l8sneOVd0g6YKuJXTXH87iUxS01fXSZBa5A5NZhohGSufhMhpy2AbtpiDeWBg
- zQuEwwjb0l/T4AVUVNPWHrC5ctFXuA1xF4e4pFPmyY2aCXURPR8vjWpIDwMIXWdp
- nxHDwQADoE2MtM5mzHBKjL1HVJDtfh2fzvKl6R0SVg9a9gEL8tVbheNnwo5FfSU4
- 6RX5T7xNo5nDLwXaHKfQttlMCHbMqEDeQxQaXJ2fg2byz8C+HaOvNdUAhvI8dHRA
- tPwavu8l0dTLYMU77/+mQo17+LWql29uCZFHQRhvEB88kLbJ8T2KKLE4jqdzFiuk
- c3lfMEmMoq0XZ1L7S2Us+IPZOz03mvAYeKaBiJwsAcUyy+qhoZ2UVm7pV6TIrSxw
- 6W/iKjXCczfmIjgjkLEJCYys6P3dHdOnBlp0XnLnr4QRvb415oRyAzNIkO6iYdy3
- qy7bf7k61mk1GYR7EoZt4p0CYAlK1T8SYOOVO0AlaPIqX9l6jhI55D5HwbzXsLP4
- y2AbIj/rQ6ZzmeLtAkcMapmZduvz7Qv0VSsLS6c2MiMMChW6P6qcR/w9K/zE/VCF
- RHIAm7vzsT+A/6bbq1ECORMIn7qry+5hSPgqYJxbhuRpZuL8FtydZoAAw47gPkrS
- XgHqmQsENy6eCGaPmkA769tgw+7C9/k1ZBRiuoAFw2xASiryfjPrF1DNNOrEm4OS
- MgJW9EiGMc/WCY5KVrBdMU1KKfvQrOi+9KNNelOgOYaTcRRclR5LAP80AynUOd4=
- =4mv+
- -----END PGP MESSAGE-----
- fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/environments/shared/group_vars/all/env.yaml b/environments/shared/group_vars/all/env.yaml
deleted file mode 100644
index 5456aa4..0000000
--- a/environments/shared/group_vars/all/env.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-ipam:
- pve1: "{{ subnets.services | ansible.utils.ipmath(11) }}"
- pve2: "{{ subnets.services | ansible.utils.ipmath(12) }}"
- pve3: "{{ subnets.services | ansible.utils.ipmath(13) }}"
-
- pihole1: "{{ subnets.services | ansible.utils.ipmath(64) }}"
- pihole2: "{{ subnets.services | ansible.utils.ipmath(65) }}"
- smtp_relay: "{{ subnets.services | ansible.utils.ipmath(74) }}"
- pomerium: "{{ subnets.services | ansible.utils.ipmath(66) }}"
- mqtt: "{{ subnets.services | ansible.utils.ipmath(67) }}"
- monitoring: "{{ subnets.services | ansible.utils.ipmath(68) }}"
- frigate: "{{ subnets.services | ansible.utils.ipmath(69) }}"
- cloudflared1: "{{ subnets.services | ansible.utils.ipmath(70) }}"
- cloudflared2: "{{ subnets.services | ansible.utils.ipmath(71) }}"
- homepage: "{{ subnets.services | ansible.utils.ipmath(72) }}"
- unifi_controller: "{{ subnets.services | ansible.utils.ipmath(73) }}"
\ No newline at end of file
diff --git a/environments/shared/group_vars/all/general.yaml b/environments/shared/group_vars/all/general.yaml
deleted file mode 100644
index 42f9e18..0000000
--- a/environments/shared/group_vars/all/general.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-ansible_user: lholota
-ansible_python_interpreter: "/usr/bin/python3"
-
-domain: homecentr.one
\ No newline at end of file
diff --git a/environments/shared/group_vars/cloudflared/cloudflared.yaml b/environments/shared/group_vars/cloudflared/cloudflared.yaml
deleted file mode 100644
index d50e87b..0000000
--- a/environments/shared/group_vars/cloudflared/cloudflared.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-app_cloudflared_package_version: 2024.4.0
-app_cloudflared_healthcheck_hostname: "tunnel-health{{ env.suffix }}.homecentr.one"
\ No newline at end of file
diff --git a/environments/shared/group_vars/containers/app_container.yaml b/environments/shared/group_vars/containers/app_container.yaml
deleted file mode 100644
index 6fa97b4..0000000
--- a/environments/shared/group_vars/containers/app_container.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-app_container_ostemplate: local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst
-app_container_pve_replication_cron_expression: "*/5"
-app_container_pve_ha_group_name: non-critical
-
-app_container_nameserver: "{{ ipam.pihole1 }},{{ ipam.pihole2 }}"
\ No newline at end of file
diff --git a/environments/shared/group_vars/pihole/container.yaml b/environments/shared/group_vars/pihole/container.yaml
deleted file mode 100644
index f130ab7..0000000
--- a/environments/shared/group_vars/pihole/container.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-app_container_nameserver: 1.1.1.1
-app_container_memory: 512
-app_container_storage_size_gb: 5
-
-app_pihole_version: 5.17.3
-app_pihole_forwarders:
- - 1.1.1.1
- - 1.0.0.1
-
-app_pihole_blocking_enabled: false
\ No newline at end of file
diff --git a/environments/shared/group_vars/pve_nodes/firewall.yaml b/environments/shared/group_vars/pve_nodes/firewall.yaml
deleted file mode 100644
index 1b72d9f..0000000
--- a/environments/shared/group_vars/pve_nodes/firewall.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-pve_cluster_firewall_enabled: false
-
-pve_cluster_firewall_aliases:
- - name: subnet-home
- cidr: 10.1.3.0/24
- - name: subnet-services
- cidr: "{{ subnets.services }}"
-
- - name: "pve1{{ env.suffix }}"
- cidr: "{{ ipam.pve1 }}/32"
- - name: "pve2{{ env.suffix }}"
- cidr: "{{ ipam.pve2 }}/32"
- - name: "pve3{{ env.suffix }}"
- cidr: "{{ ipam.pve3 }}/32"
-
- - name: "ct-pihole{{ env.suffix }}"
- cidr: "{{ ipam.pihole }}/32"
- - name: "ct-smtp-relay{{ env.suffix }}"
- cidr: "{{ ipam.smtp_relay }}/32"
- - name: "ct-pomerium{{ env.suffix }}"
- cidr: "{{ ipam.pomerium }}/32"
- - name: "ct-mqtt{{ env.suffix }}"
- cidr: "{{ ipam.mqtt }}/32"
- - name: "ct-monitoring{{ env.suffix }}"
- cidr: "{{ ipam.monitoring }}/32"
- - name: "ct-frigate{{ env.suffix }}"
- cidr: "{{ ipam.frigate }}/32"
- - name: "ct-cloudflared1{{ env.suffix }}"
- cidr: "{{ ipam.cloudflared }}/32"
- - name: "ct-cloudflared2{{ env.suffix }}"
- cidr: "{{ ipam.cloudflared }}/32"
- - name: "ct-homepage{{ env.suffix }}"
- cidr: "{{ ipam.homepage }}/32"
- - name: ct-unifi-controller{{ env.suffix }}"
- cidr: "{{ ipam.unifi_controller }}/32"
-
-pve_cluster_firewall_ipsets:
- - name: management
- items:
- - type: alias
- name: subnet-home
- - type: alias
- name: monitoring
- - name: proxmox
- items:
- - type: alias
- name: "pve1{{ env.suffix }}"
- - type: alias
- name: "pve1{{ env.suffix }}"
- - type: alias
- name: "pve1{{ env.suffix }}"
- - name: cloudflared
- items:
- - type: alias
- name: "ct-cloudflared1{{ env.suffix }}"
- - type: alias
- name: "ct-cloudflared2{{ env.suffix }}"
-
-pve_cluster_firewall_security_groups: []
diff --git a/environments/shared/group_vars/pve_nodes/general.yaml b/environments/shared/group_vars/pve_nodes/general.yaml
deleted file mode 100644
index 10cf633..0000000
--- a/environments/shared/group_vars/pve_nodes/general.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-# This is required for VNC proxy between the nodes
-ssh_allow_root_login_trusted_clients:
- - pve1
- - pve2
- - pve3
-
-pve_cluster_options_migration_network: "{{ subnet.services_storage }}"
-
-pve_cluster_ha_groups:
- - name: critical-priority-pve1
- nodes:
- - name: pve1
- priority: 1000
- - name: pve2
- priority: 1
- restricted: false
- nofailback: false
- - name: critical-priority-pve2
- nodes:
- - name: pve1
- priority: 1
- - name: pve2
- priority: 1000
- restricted: false
- nofailback: false
- - name: critical
- nodes:
- - name: pve1
- priority: 1
- - name: pve2
- priority: 1
- restricted: false
- nofailback: false
- - name: non-critical
- nodes:
- - name: pve1
- priority: 1
- - name: pve2
- priority: 1
- restricted: true
- nofailback: false
-
-pve_nameservers:
- - 1.1.1.1
- - 1.0.0.1
-
-pve_ct_templates:
-- http://download.proxmox.com/images/system/debian-12-standard_12.2-1_amd64.tar.zst
diff --git a/environments/shared/host_vars/cloudflared1.yaml b/environments/shared/host_vars/cloudflared1.yaml
deleted file mode 100644
index ac2881d..0000000
--- a/environments/shared/host_vars/cloudflared1.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-ansible_host: "{{ ipam.cloudflared1 }}"
-ansible_hostname: "ct-cloudflared1{{ env.suffix }}"
-
-app_container_memory: 512
-app_container_storage_size_gb: 1
-
-app_container_network_interfaces:
- - name: eth0
- bridge: vmbr0
- ipv4_address: "{{ ipam.cloudflared1 }}/24"
- ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}"
-
-app_container_pve_node: pve1
-app_container_pve_ha_group_name: critical-priority-pve1
-app_container_pve_replication_nodes:
- - pve2
-
-app_gatus_monitored_endpoints:
- - name: Cloudflare Tunnel
- group: Cloudflared
- type: https
- dns_resolver: tcp://1.1.1.1:53
- host: "tunnel-health{{ env.suffix }}.homecentr.one"
\ No newline at end of file
diff --git a/environments/shared/host_vars/cloudflared2.yaml b/environments/shared/host_vars/cloudflared2.yaml
deleted file mode 100644
index 7650109..0000000
--- a/environments/shared/host_vars/cloudflared2.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-ansible_host: "{{ ipam.cloudflared2 }}"
-ansible_hostname: "ct-cloudflared2{{ env.suffix }}"
-
-app_container_memory: 512
-app_container_storage_size_gb: 1
-
-app_container_network_interfaces:
- - name: eth0
- bridge: vmbr0
- ipv4_address: "{{ ipam.cloudflared2 }}/24"
- ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}"
-
-app_container_pve_node: pve2
-app_container_pve_ha_group_name: critical-priority-pve2
-app_container_pve_replication_nodes:
- - pve1
diff --git a/environments/shared/host_vars/frigate.yaml b/environments/shared/host_vars/frigate.yaml
deleted file mode 100644
index c89f636..0000000
--- a/environments/shared/host_vars/frigate.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-ansible_host: "{{ ipam.frigate }}"
-ansible_hostname: "ct-frigate{{ env.suffix }}"
-
-app_container_docker_support: true
-app_container_network_interfaces:
- - name: eth0
- bridge: vmbr0
- ipv4_address: "{{ ipam.frigate }}/24"
- ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}"
-
-app_container_pve_node: pve2
-app_container_pve_ha_group_name: non-critical
-app_container_pve_replication_nodes:
- - pve1
-
-app_frigate_image_tag: 0.13.2
-
-app_pihole_records:
- - hostname: "frigate{{ env.suffix }}"
- type: pomerium_proxy
-
-app_pomerium_routes:
- - hostname: "frigate{{ env.suffix }}"
- target_port: 5000
- auth_mode: users
-
-app_gatus_monitored_endpoints:
- - name: Web UI / container
- group: Frigate
- type: http
- host: "ct-frigate{{ env.suffix }}"
- port: 5000
- - name: Web UI / via proxy
- group: Frigate
- type: https-pomerium-proxy
- host: "frigate{{ env.suffix }}.homecentr.one"
\ No newline at end of file
diff --git a/environments/shared/host_vars/homepage/bookmarks.yaml b/environments/shared/host_vars/homepage/bookmarks.yaml
deleted file mode 100644
index 75da61f..0000000
--- a/environments/shared/host_vars/homepage/bookmarks.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-app_homepage_bookmarks:
- - Homelab:
- - "Homecentr documentation":
- - icon: /icons/homecentr.png
- href: https://docs.homecentr.one
-
- - "Homecentr on Github":
- - icon: github-light
- href: https://github.com/homecentr/
-
- - "Cloud tools":
- - OneDrive:
- - icon: /icons/onedrive.png
- href: https://onedrive.com
-
- - Gmail:
- - icon: gmail
- href: https://gmail.com
-
- - "Cloud infrastructure":
- - Azure:
- - icon: azure
- href: https://portal.azure.com
-
- - Cloudflare:
- - icon: cloudflare
- href: https://cloudflare.com
-
- - PagerDuty:
- - icon: pagerduty
- href: https://pagerduty.com
-
- - SendGrid:
- - icon: /icons/sendgrid.png
- href: https://sendgrid.com
-
- - Dynadot:
- - icon: /icons/dynadot.png
- href: https://dynadot.com
\ No newline at end of file
diff --git a/environments/shared/host_vars/homepage/container.yaml b/environments/shared/host_vars/homepage/container.yaml
deleted file mode 100644
index 7ffa91d..0000000
--- a/environments/shared/host_vars/homepage/container.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-ansible_host: "{{ ipam.homepage }}"
-ansible_hostname: "ct-homepage{{ env.suffix }}"
-
-app_container_docker_support: true
-app_container_memory: 512
-app_container_storage_size_gb: 1
-app_container_network_interfaces:
- - name: eth0
- bridge: vmbr0
- ipv4_address: "{{ ipam.homepage }}/24"
- ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}"
-
-app_container_pve_node: pve2
-app_container_pve_ha_group_name: non-critical
-app_container_pve_replication_nodes:
- - pve1
-
-app_homepage_image_tag: v0.8.9
-
-app_pomerium_routes:
- - hostname: "homepage{{ env.suffix }}"
- target_port: 3000
- auth_mode: users
-
-app_pihole_records:
- - hostname: "homepage{{ env.suffix }}"
- type: pomerium_proxy
-
-app_gatus_monitored_endpoints:
- - name: Homepage / container
- group: Homepage
- type: http
- host: "ct-homepage{{ env.suffix }}.homecentr.one"
- port: 3000
- - name: Homepage / via proxy
- group: Homepage
- type: https-pomerium-proxy
- host: "homepage{{ env.suffix }}.homecentr.one"
diff --git a/environments/shared/host_vars/homepage/services.yaml b/environments/shared/host_vars/homepage/services.yaml
deleted file mode 100644
index 5e25c93..0000000
--- a/environments/shared/host_vars/homepage/services.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-app_homepage_services:
- - Apps: []
- - Development: []
- - Infrastructure: []
\ No newline at end of file
diff --git a/environments/shared/host_vars/homepage/settings.yaml b/environments/shared/host_vars/homepage/settings.yaml
deleted file mode 100644
index b2476e7..0000000
--- a/environments/shared/host_vars/homepage/settings.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-app_homepage_settings:
- title: "Homecentr{{ env.suffix_display }}"
- favicon: /icons/favicon.ico
- background: https://images.unsplash.com/photo-1519681393784-d120267933ba
- backgroundOpacity: 0.3
- theme: dark
- color: neutral
- headerStyle: clean
\ No newline at end of file
diff --git a/environments/shared/host_vars/homepage/widgets.yaml b/environments/shared/host_vars/homepage/widgets.yaml
deleted file mode 100644
index 6ab1887..0000000
--- a/environments/shared/host_vars/homepage/widgets.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-app_homepage_widgets:
- - search:
- provider: google
- target: _blank
\ No newline at end of file
diff --git a/environments/shared/host_vars/monitoring.yaml b/environments/shared/host_vars/monitoring.yaml
deleted file mode 100644
index ea2446e..0000000
--- a/environments/shared/host_vars/monitoring.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-ansible_host: "{{ ipam.monitoring }}"
-ansible_hostname: "ct-monitoring{{ env.suffix }}"
-
-app_container_docker_support: true
-app_container_memory: 512
-app_container_storage_size_gb: 5
-app_container_network_interfaces:
- - name: eth0
- bridge: vmbr0
- ipv4_address: "{{ ipam.monitoring }}/24"
- ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}"
-
-app_container_pve_node: pve2
-app_container_pve_ha_group_name: non-critical
-app_container_pve_replication_nodes:
- - pve1
-
-app_gatus_image_tag: v5.7.0
-
-app_pomerium_routes:
- - hostname: "status{{ env.suffix }}"
- target_port: 8080
- auth_mode: public
-
-app_pihole_records:
- - hostname: "status{{ env.suffix }}"
- type: pomerium_proxy
diff --git a/environments/shared/host_vars/mqtt.yaml b/environments/shared/host_vars/mqtt.yaml
deleted file mode 100644
index 9599e4c..0000000
--- a/environments/shared/host_vars/mqtt.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-ansible_host: "{{ ipam.mqtt }}"
-ansible_hostname: "ct-mqtt{{ env.suffix }}"
-
-app_container_memory: 512
-app_container_storage_size_gb: 5
-app_container_network_interfaces:
- - name: eth0
- bridge: vmbr0
- ipv4_address: "{{ ipam.mqtt }}/24"
- ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}"
-
-app_container_pve_node: pve1
-app_container_pve_ha_group_name: non-critical
-app_container_pve_replication_nodes:
- - pve2
-
-app_pihole_records:
- - hostname: "mqtt{{ env.suffix }}"
- type: ansible_host
diff --git a/environments/shared/host_vars/pihole1.yaml b/environments/shared/host_vars/pihole1.yaml
deleted file mode 100644
index 0d49281..0000000
--- a/environments/shared/host_vars/pihole1.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-ansible_host: "{{ ipam.pihole1 }}"
-ansible_hostname: "ct-pihole1{{ env.suffix }}"
-
-app_container_network_interfaces:
- - name: eth0
- bridge: vmbr0
- ipv4_address: "{{ ipam.pihole1 }}/24"
- ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}"
-
-app_container_pve_node: pve1
-app_container_pve_ha_group_name: critical-priority-pve1
-app_container_pve_replication_nodes:
- - pve2
-
-app_pomerium_routes:
- - hostname: "pihole1{{ env.suffix }}"
- auth_mode: administrators
-
-app_pihole_records:
- - hostname: "pihole1{{ env.suffix }}"
- type: pomerium_proxy
-
-app_gatus_monitored_endpoints:
- - name: pihole1 / Web UI
- group: Pi-hole
- type: https-pomerium-proxy
- host: "pihole1{{ env.suffix }}.homecentr.one"
- - name: pihole1 / DNS
- group: Pi-hole
- type: dns
- host: "{{ ipam.pihole1 }}"
- dns_query_name: "login{{ env.suffix }}.homecentr.one"
- dns_query_type: "A"
- dns_query_answer: "{{ ipam.pomerium }}"
\ No newline at end of file
diff --git a/environments/shared/host_vars/pihole2.yaml b/environments/shared/host_vars/pihole2.yaml
deleted file mode 100644
index 6505771..0000000
--- a/environments/shared/host_vars/pihole2.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-ansible_host: "{{ ipam.pihole2 }}"
-ansible_hostname: "ct-pihole2{{ env.suffix }}"
-
-app_container_network_interfaces:
- - name: eth0
- bridge: vmbr0
- ipv4_address: "{{ ipam.pihole2 }}/24"
- ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}"
-
-app_container_pve_node: pve2
-app_container_pve_ha_group_name: critical-priority-pve2
-app_container_pve_replication_nodes:
- - pve1
-
-app_pomerium_routes:
- - hostname: "pihole2{{ env.suffix }}"
- auth_mode: administrators
-
-app_pihole_records:
- - hostname: "pihole2{{ env.suffix }}"
- type: pomerium_proxy
-
-app_gatus_monitored_endpoints:
- - name: pihole2 / Web UI
- group: Pi-hole
- type: https-pomerium-proxy
- host: "pihole2{{ env.suffix }}.homecentr.one"
- - name: pihole2 / DNS
- group: Pi-hole
- type: dns
- host: "{{ ipam.pihole2 }}"
- dns_query_name: "login{{ env.suffix }}.homecentr.one"
- dns_query_type: "A"
- dns_query_answer: "{{ ipam.pomerium }}"
\ No newline at end of file
diff --git a/environments/shared/host_vars/pomerium.yaml b/environments/shared/host_vars/pomerium.yaml
deleted file mode 100644
index 71d3d18..0000000
--- a/environments/shared/host_vars/pomerium.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-ansible_host: "{{ ipam.pomerium }}"
-ansible_hostname: "ct-pomerium{{ env.suffix }}"
-
-app_container_memory: 512
-app_container_storage_size_gb: 2
-app_container_pve_replication_cron_expression: "*/5"
-app_container_mapped_uids:
- - 7000
-app_container_mapped_gids:
- - 7000
-app_container_network_interfaces:
- - name: eth0
- bridge: vmbr0
- ipv4_address: "{{ ipam.pomerium }}/24"
- ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}"
-app_container_pve_node: pve1
-app_container_pve_ha_group_name: critical-priority-pve1
-app_container_pve_replication_nodes:
- - pve2
-
-app_container_getssl_certificates:
- - name: "*.homecentr.one"
- fullchain_filename: "wildcard_fullchain.crt"
- cert_filename: "wildcard.crt"
- key_filename: "wildcard.key"
- user: 7000
- group: 7000
- mode: 0440
-
-app_pihole_records:
- - hostname: "login{{ env.suffix }}"
- type: ansible_host
-
-app_gatus_monitored_endpoints:
- - name: Pomerium
- group: Pomerium
- type: https
- host: "login{{ env.suffix }}.homecentr.one"
- path: /healthz
-
-app_pomerium_hostname: "login{{ env.suffix }}.homecentr.one"
-
-app_pomerium_certificates:
- - fullchain_path: /getssl/wildcard_fullchain.crt
- key_path: /getssl/wildcard.key
diff --git a/environments/shared/host_vars/pve1.yaml b/environments/shared/host_vars/pve1.yaml
deleted file mode 100644
index f0c6183..0000000
--- a/environments/shared/host_vars/pve1.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-# Common
-ansible_host: "{{ ipam.pve1 }}"
-ansible_hostname: "pve1{{ env.suffix }}"
-
-# GetSSL
-getssl_cron_renewal_hour: 16
-
-app_pomerium_routes:
- - hostname: "pve{{ env.suffix }}"
- auth_mode: public # Proxmox has its own authentication
- protocol: https
- target_port: 8006
- tls_upstream_server_name: "pve{{ env.suffix }}.homecentr.one"
- backend:
- - "{{ ipam.pve1 }}"
- - "{{ ipam.pve2 }}"
- - "{{ ipam.pve3 }}"
- backend_lb_policy: RING_HASH
-
-# DNS
-app_pihole_records:
- - hostname: "pve{{ env.suffix }}"
- type: pomerium_proxy
-
-# Monitoring
-app_gatus_monitored_endpoints:
- - name: pve1 / ping
- group: Proxmox VE
- type: ping
- host: "pve1{{ env.suffix }}.homecentr.one"
- - name: pve1 / Web UI
- group: Proxmox VE
- type: https
- host: "pve1{{ env.suffix }}.homecentr.one"
-
- # Can check directly root because the site is not authenticated by pomerium
- - name: Balancing proxy / Web UI
- group: Proxmox VE
- type: https-pomerium-proxy
- host: "pve{{ env.suffix }}.homecentr.one"
\ No newline at end of file
diff --git a/environments/shared/host_vars/pve2.yaml b/environments/shared/host_vars/pve2.yaml
deleted file mode 100644
index 6697b70..0000000
--- a/environments/shared/host_vars/pve2.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-# Common
-ansible_host: "{{ ipam.pve2 }}"
-ansible_hostname: "pve2{{ env.suffix }}"
-
-# GetSSL
-getssl_cron_renewal_hour: 17
-
-# Monitoring
-app_gatus_monitored_endpoints:
- - name: pve2 / ping
- group: Proxmox VE
- type: ping
- host: "pve2{{ env.suffix }}.homecentr.one"
- - name: pve2 / http
- group: Proxmox VE
- type: https
- host: "pve2{{ env.suffix }}.homecentr.one"
\ No newline at end of file
diff --git a/environments/shared/host_vars/pve3.yaml b/environments/shared/host_vars/pve3.yaml
deleted file mode 100644
index e5829d7..0000000
--- a/environments/shared/host_vars/pve3.yaml
+++ /dev/null
@@ -1,17 +0,0 @@ -# Common -ansible_host: "{{ ipam.pve3 }}" -ansible_hostname: "pve3{{ env.suffix }}" - -# GetSSL -getssl_cron_renewal_hour: 18 - -# Monitoring -app_gatus_monitored_endpoints: - - name: pve3 / ping - group: Proxmox VE - type: ping - host: "pve3{{ env.suffix }}.homecentr.one" - - name: pve3 / http - group: Proxmox VE - type: https - host: "pve3{{ env.suffix }}.homecentr.one" \ No newline at end of file diff --git a/environments/shared/host_vars/smtp_relay.yaml b/environments/shared/host_vars/smtp_relay.yaml deleted file mode 100644 index 052929d..0000000 --- a/environments/shared/host_vars/smtp_relay.yaml +++ /dev/null @@ -1,45 +0,0 @@ -ansible_host: "{{ ipam.smtp_relay }}" -ansible_hostname: "ct-smtp-relay{{ env.suffix }}" - -app_container_docker_support: true -app_container_memory: 512 -app_container_storage_size_gb: 2 -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: "{{ ipam.smtp_relay }}/24" - ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" - -app_container_pve_node: pve1 -app_container_pve_ha_group_name: critical-priority-pve1 -app_container_pve_replication_nodes: - - pve2 - -app_container_mapped_uids: - - 7000 -app_container_mapped_gids: - - 7000 - -app_container_getssl_certificates: - - name: "*.homecentr.one" - fullchain_filename: "wildcard_fullchain.crt" - cert_filename: "wildcard.crt" - key_filename: "wildcard.key" - user: 7000 - group: 7000 - mode: 0440 - -app_haraka_uid: 7000 -app_haraka_gid: 7000 -app_haraka_image_tag: 1.1.0 - -app_pihole_records: - - hostname: "smtp{{ env.suffix }}" - type: ansible_host - -app_gatus_monitored_endpoints: - - name: Haraka - group: SMTP Relay - type: starttls - host: "smtp{{ env.suffix }}.homecentr.one" - port: 25 \ No newline at end of file diff --git a/environments/shared/host_vars/unifi_controller.yaml b/environments/shared/host_vars/unifi_controller.yaml deleted file mode 100644 index 7a024c0..0000000 
--- a/environments/shared/host_vars/unifi_controller.yaml +++ /dev/null @@ -1,39 +0,0 @@ -ansible_host: "{{ ipam.unifi_controller }}" -ansible_hostname: "ct-unifi-controller{{ env.suffix }}" - -app_container_memory: 1024 -app_container_swap: 1024 -app_container_storage_size_gb: 5 -app_container_network_interfaces: - - name: eth0 - bridge: vmbr0 - ipv4_address: "{{ ipam.unifi_controller }}/24" - ipv4_gateway: "{{ subnets.services | ansible.utils.ipmath(1) }}" - -app_container_pve_node: pve1 -app_container_pve_ha_group_name: non-critical -app_container_pve_replication_nodes: - - pve2 - -app_pihole_records: - - hostname: "unifi{{ env.suffix }}" - type: pomerium_proxy - -app_pomerium_routes: - - hostname: "unifi{{ env.suffix }}" - protocol: https - tls_skip_verify: true - target_port: 8443 - auth_mode: public # Controller has its own authentication - -app_gatus_monitored_endpoints: - - name: Web UI / container - group: Unifi Controller - type: https - host: "ct-unifi-controller{{ env.suffix }}.homecentr.one" - insecure: true - port: 8443 - - name: Web UI / via proxy - group: Unifi Controller - type: https-pomerium-proxy - host: "unifi{{ env.suffix }}.homecentr.one" diff --git a/environments/shared/hosts.yaml b/environments/shared/hosts.yaml deleted file mode 100644 index f745744..0000000 --- a/environments/shared/hosts.yaml +++ /dev/null @@ -1,25 +0,0 @@ -all: - children: - pve_nodes: - hosts: - pve1: - pve2: - pve3: - containers: - hosts: - frigate: - homepage: - monitoring: - mqtt: - pomerium: - smtp_relay: - unifi_controller: - children: - cloudflared: - hosts: - cloudflared1: - cloudflared2: - pihole: - hosts: - pihole1: - pihole2: diff --git a/roles/app-cloudflared/tasks/configure.yaml b/roles/app-cloudflared/tasks/configure.yaml deleted file mode 100644 index e216186..0000000 --- a/roles/app-cloudflared/tasks/configure.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -- name: Create config directory - ansible.builtin.file: - path: /etc/cloudflared - owner: cloudflared - group: cloudflared - mode: "0750" - state: directory - -- name: Create config file - register: app_cloudflared_config - ansible.builtin.copy: - dest: /etc/cloudflared/config.yaml - owner: cloudflared - group: cloudflared - mode: "0640" - force: true - content: "{{ lookup('template', 'config.j2') }}" - -- name: Create credentials file - register: app_cloudflared_credentials - ansible.builtin.copy: - dest: /etc/cloudflared/tunnel-credentials.json - owner: cloudflared - group: cloudflared - mode: "0640" - force: true - content: "{{ lookup('template', 'credentials.j2') }}" \ No newline at end of file diff --git a/roles/app-cloudflared/tasks/install.yaml b/roles/app-cloudflared/tasks/install.yaml deleted file mode 100644 index 44fe262..0000000 --- a/roles/app-cloudflared/tasks/install.yaml +++ /dev/null @@ -1,18 +0,0 @@ -- name: Download repository key - ansible.builtin.get_url: - url: https://pkg.cloudflare.com/cloudflare-main.gpg - dest: /usr/share/keyrings/cloudflare-main.gpg - -- name: Add repository - ansible.builtin.apt_repository: - repo: deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main - filename: cloudflared - update_cache: true - state: present - -- name: Install cloudflared package - register: app_cloudflared_package - ansible.builtin.apt: - name: "cloudflared={{ app_cloudflared_package_version }}" - update_cache: true - state: present diff --git a/roles/app-cloudflared/tasks/main.yaml b/roles/app-cloudflared/tasks/main.yaml deleted file mode 100644 index 37672f4..0000000 --- a/roles/app-cloudflared/tasks/main.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: Create cloudflared group - ansible.builtin.group: - name: cloudflared - -- name: Create cloudflared user - ansible.builtin.user: - name: cloudflared - group: cloudflared - -- name: Install cloudflared - ansible.builtin.include_tasks: - file: install.yaml - -- name: Configure cloudflared - ansible.builtin.include_tasks: - file: configure.yaml - -- name: Configure systemd - ansible.builtin.include_tasks: - file: systemd.yaml \ No newline at end of file diff --git a/roles/app-cloudflared/tasks/systemd.yaml b/roles/app-cloudflared/tasks/systemd.yaml deleted file mode 100644 index 60d5e72..0000000 --- a/roles/app-cloudflared/tasks/systemd.yaml +++ /dev/null @@ -1,15 +0,0 @@ -- name: Create systemd unit file - ansible.builtin.copy: - dest: /etc/systemd/system/cloudflared.service - owner: root - group: root - mode: "0644" - content: "{{ lookup('template', 'systemd-unit.j2') }}" - -- name: (Re)start service - throttle: 1 - ansible.builtin.systemd_service: - name: cloudflared - enabled: true - daemon_reload: true - state: "{{ 'restarted' if app_cloudflared_config.changed or app_cloudflared_credentials.changed or app_cloudflared_package.changed else 'started' }}" diff --git a/roles/app-cloudflared/templates/config.j2 b/roles/app-cloudflared/templates/config.j2 deleted file mode 100644 index 1daa90c..0000000 --- a/roles/app-cloudflared/templates/config.j2 +++ /dev/null @@ -1,15 +0,0 @@ -tunnel: "{{ app_cloudflared_tunnel_credentials.tunnel_id }}" -credentials-file: /etc/cloudflared/tunnel-credentials.json - -ingress: - {% for route in app_cloudflared_routes | default([]) %} - - hostname: {{ route.hostname }} - service: {{ route.backend }} - originRequest: - noTLSVerify: true - {% endfor %} - - - hostname: {{ app_cloudflared_healthcheck_hostname }} - service: http_status:204 - - - service: http_status:404 \ No newline at end of file 
diff --git a/roles/app-cloudflared/templates/credentials.j2 b/roles/app-cloudflared/templates/credentials.j2 deleted file mode 100644 index 04b5e78..0000000 --- a/roles/app-cloudflared/templates/credentials.j2 +++ /dev/null @@ -1,5 +0,0 @@ -{ - "AccountTag": "{{ app_cloudflared_tunnel_credentials.account_id }}", - "TunnelSecret":"{{ app_cloudflared_tunnel_credentials.tunnel_secret | b64encode }}", - "TunnelID": "{{ app_cloudflared_tunnel_credentials.tunnel_id }}" -} \ No newline at end of file diff --git a/roles/app-cloudflared/templates/systemd-unit.j2 b/roles/app-cloudflared/templates/systemd-unit.j2 deleted file mode 100644 index 3b6a26c..0000000 --- a/roles/app-cloudflared/templates/systemd-unit.j2 +++ /dev/null @@ -1,17 +0,0 @@ -[Unit] -Description=Cloudflared -Documentation=https://coredns.io/manual/ -After=network-online.target -Wants=network-online.target - -[Service] -User=cloudflared -Group=cloudflared -AmbientCapabilities=CAP_NET_BIND_SERVICE -Restart=always -WorkingDirectory=/etc/cloudflared -ExecStart=/usr/local/bin/cloudflared tunnel --config /etc/cloudflared/config.yaml --metrics 0.0.0.0:3333 run -ExecReload=/usr/bin/kill -USR1 $MAINPID - -[Install] -WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/app-container/tasks/container-disks.yaml b/roles/app-container/tasks/container-disks.yaml deleted file mode 100644 index 1f3f976..0000000 --- a/roles/app-container/tasks/container-disks.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -- name: Get container config - changed_when: false - register: app_container_config - ansible.builtin.command: - cmd: "pct config {{ app_container_info.vmid }}" - -- name: Add disks - loop: "{{ container_vars.app_container_mounts | default([]) | selectattr('type', 'equalto', 'disk') }}" - loop_control: - loop_var: disk - when: not 'mp' + disk.index | string + ':' in app_container_config.stdout - changed_when: true - ansible.builtin.command: - cmd: "pct set {{ app_container_info.vmid }} --mp{{ disk.index }} \"{{ disk.storage_name }}:{{ disk.size_gb }},mp={{ disk.target_path }}\"" diff --git a/roles/app-container/tasks/container.yaml b/roles/app-container/tasks/container.yaml deleted file mode 100644 index a5ad9a5..0000000 --- a/roles/app-container/tasks/container.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -- name: Create app container - when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node - community.general.proxmox: - api_user: root@pam - api_password: "{{ users_root_password }}" - api_host: "localhost" - hostname: "{{ container_vars.ansible_hostname }}" - node: "{{ hostvars[container_vars.app_container_pve_node].ansible_hostname }}" - password: "{{ users_root_password }}" - ostemplate: "{{ container_vars.app_container_ostemplate }}" - unprivileged: "{{ container_vars.app_container_unprivileged | default(1) }}" - disk: "{{ container_vars.app_container_storage_name }}:{{ container_vars.app_container_storage_size_gb }},replicate=1" - state: present - -- name: Wait for the container to be created - retries: 10 - delay: 3 - until: (app_container_info_raw is defined) and (app_container_info_raw.proxmox_vms | default([]) | length) > 0 - register: app_container_info_raw - community.general.proxmox_vm_info: - api_user: root@pam - api_password: "{{ users_root_password }}" - api_host: "localhost" - type: lxc - name: "{{ container_vars.ansible_hostname }}" - -- name: Flatten container info - ansible.builtin.set_fact: - app_container_info: "{{ app_container_info_raw.proxmox_vms.0 }}" - -- name: Get container definition - when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node - register: app_container_before_pct - ansible.builtin.slurp: - src: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" - -- name: Update existing container values - when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node - changed_when: true - ansible.builtin.command: - cmd: "{{ lookup('template', 'pct-set.j2', template_vars=(dict(app_container_id=app_container_info.vmid) | combine(container_vars))) }}" - -- name: Get container definition - when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node - register: app_container_after_pct - ansible.builtin.slurp: - src: 
"/etc/pve/lxc/{{ app_container_info.vmid }}.conf" diff --git a/roles/app-container/tasks/docker.yaml b/roles/app-container/tasks/docker.yaml deleted file mode 100644 index ae34b1f..0000000 --- a/roles/app-container/tasks/docker.yaml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Install overlayfs fuse - ansible.builtin.apt: - name: fuse-overlayfs - state: present \ No newline at end of file diff --git a/roles/app-container/tasks/firewall.yaml b/roles/app-container/tasks/firewall.yaml deleted file mode 100644 index 12ed6f5..0000000 --- a/roles/app-container/tasks/firewall.yaml +++ /dev/null @@ -1,9 +0,0 @@ -- ansible.builtin.import_role: - name: "{{ role_path }}/../pve_firewall_common" - vars: - pve_firewall_default_scope: null - pve_firewall_filepath: "/etc/pve/firewall/{{ app_container_info.vmid }}.fw" - pve_firewall_aliases: "{{ container_vars.app_container_firewall_aliases | default([]) }}" - pve_firewall_ipsets: "{{ container_vars.app_container_firewall_ipsets | default([]) }}" - pve_firewall_rules: "{{ container_vars.app_container_firewall_rules | default([]) }}" - pve_firewall_enabled: "{{ container_vars.app_container_firewall_enabled | default(false) }}" \ No newline at end of file diff --git a/roles/app-container/tasks/getssl.yaml b/roles/app-container/tasks/getssl.yaml deleted file mode 100644 index b5a8734..0000000 --- a/roles/app-container/tasks/getssl.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -- name: Touch passthrough config file - ansible.builtin.file: - path: "/etc/pve/getssl-containers/{{ app_container_info.vmid }}.json" - state: touch - -- name: Create passthrough config file - ansible.builtin.copy: - force: true - dest: "/etc/pve/getssl-containers/{{ app_container_info.vmid }}.json" - content: "{{ lookup('template', 'getssl-config.j2', template_vars=container_vars) }}" - -- name: Create mount directory - ansible.builtin.file: - path: "/var/lib/getssl/{{ app_container_info.vmid }}" - owner: root - group: root - state: directory - -- name: Copy certificates - ansible.builtin.command: - cmd: "getssl-copy-container {{ app_container_info.vmid }}" \ No newline at end of file diff --git a/roles/app-container/tasks/ha.yaml b/roles/app-container/tasks/ha.yaml deleted file mode 100644 index ddb778a..0000000 --- a/roles/app-container/tasks/ha.yaml +++ /dev/null @@ -1,23 +0,0 @@ -- name: Touch ha resources config file - run_once: true - ansible.builtin.file: - path: /etc/pve/ha/resources.cfg - state: touch - -- name: Configure container as a ha resource - run_once: true - ansible.builtin.blockinfile: - path: /etc/pve/ha/resources.cfg - create: true - owner: root - group: www-data - mode: "0640" - marker: "# {mark} Ansible managed ha container {{ container_vars.ansible_hostname }}" - prepend_newline: true - block: | - ct: {{ app_container_info.vmid }} - state {{ container_vars.app_container_desired_state | default('started') }} - {%- if container_vars.app_container_pve_ha_group_name %} - - group {{ container_vars.app_container_pve_ha_group_name }} - {%- endif %} \ No newline at end of file diff --git a/roles/app-container/tasks/init.yaml b/roles/app-container/tasks/init.yaml deleted file mode 100644 index 8629b7e..0000000 --- a/roles/app-container/tasks/init.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -- name: Check if container has been already initialized - changed_when: false - failed_when: false - register: app_container_init_check - ansible.builtin.command: - cmd: "pct exec {{ app_container_info.vmid }} ls /etc/container-init" - -- name: Create initialization script - when: app_container_init_check.rc != 0 - ansible.builtin.copy: - dest: "/tmp/ct-{{ app_container_info.vmid }}-init.sh" - owner: root - group: root - mode: 0750 - content: "{{ lookup('template', 'init-script.j2') }}" - -- name: Copy init script into the container - when: app_container_init_check.rc != 0 - changed_when: true - ansible.builtin.command: - cmd: "pct push {{ app_container_info.vmid }} /tmp/ct-{{ app_container_info.vmid }}-init.sh /tmp/init.sh --perms 0755" - -- name: Execute init script - when: app_container_init_check.rc != 0 - changed_when: true - ansible.builtin.command: - cmd: "pct exec {{ app_container_info.vmid }} /tmp/init.sh" \ No newline at end of file diff --git a/roles/app-container/tasks/main.yaml b/roles/app-container/tasks/main.yaml deleted file mode 100644 index 68cc3ad..0000000 --- a/roles/app-container/tasks/main.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -- name: Install Docker dependencies on Proxmox host - ansible.builtin.include_tasks: - file: docker.yaml - -- name: Create container - ansible.builtin.include_tasks: - file: container.yaml - vars: - container_vars: "{{ hostvars[container_inventory_name] }}" - -- name: Add disks - when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node - ansible.builtin.include_tasks: - file: container-disks.yaml - vars: - container_vars: "{{ hostvars[container_inventory_name] }}" - -- name: Configure SSL certificates passthrough - when: hostvars[container_inventory_name].app_container_getssl_certificates is defined - ansible.builtin.include_tasks: - file: getssl.yaml - vars: - container_vars: "{{ hostvars[container_inventory_name] }}" - -- name: Configure mapped UID/GID in container config file - when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node - ansible.builtin.include_tasks: - file: uid-gid-mapping-container.yaml - vars: - container_vars: "{{ hostvars[container_inventory_name] }}" - -- name: Configure mapped UID/GID idmap files - ansible.builtin.include_tasks: - file: uid-gid-mapping-global.yaml - vars: - container_vars: "{{ hostvars[container_inventory_name] }}" - -- name: Start container - when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node - ansible.builtin.include_tasks: - file: start.yaml - vars: - container_vars: "{{ hostvars[container_inventory_name] }}" - -- name: Initialize container - when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node - ansible.builtin.include_tasks: - file: init.yaml - vars: - container_vars: "{{ hostvars[container_inventory_name] }}" - -- name: Add container to ssh known_hosts - when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node - ansible.builtin.include_tasks: - file: ssh.yaml - vars: - container_vars: "{{ hostvars[container_inventory_name] }}" - -- name: Configure 
replication - ansible.builtin.include_tasks: - file: replication.yaml - vars: - container_vars: "{{ hostvars[container_inventory_name] }}" - -- name: Configure high-availability - ansible.builtin.include_tasks: - file: ha.yaml - vars: - container_vars: "{{ hostvars[container_inventory_name] }}" - -- name: Configure container firewall - when: inventory_hostname == hostvars[container_inventory_name].app_container_pve_node - ansible.builtin.include_tasks: - file: firewall.yaml - vars: - container_vars: "{{ hostvars[container_inventory_name] }}" \ No newline at end of file diff --git a/roles/app-container/tasks/replication.yaml b/roles/app-container/tasks/replication.yaml deleted file mode 100644 index f2092b9..0000000 --- a/roles/app-container/tasks/replication.yaml +++ /dev/null @@ -1,28 +0,0 @@ -- name: Create replication file if it does not exist - run_once: true - ansible.builtin.file: - path: "/etc/pve/replication.cfg" - state: touch - -- name: Configure storage replication - run_once: true - loop: "{{ container_vars.app_container_pve_replication_nodes }}" - loop_control: - loop_var: node - index_var: node_index - ansible.builtin.blockinfile: - path: "/etc/pve/replication.cfg" - create: true - owner: root - group: www-data - mode: "0640" - marker: "# {mark} Ansible managed replication ct{{ app_container_info.vmid }}-{{ hostvars[node].ansible_hostname }}" - prepend_newline: true - block: | - local: {{ app_container_info.vmid }}-{{ node_index }} - source {{ hostvars[container_vars.app_container_pve_node].ansible_hostname }} - target {{ hostvars[node].ansible_hostname }} - schedule {{ container_vars.app_container_pve_replication_cron_expression }} - {%- if container_vars.app_container_pve_replication_bandwidth | default("") != "" %} - rate {{ container_vars.app_container_pve_replication_bandwidth }} - {%- endif %} \ No newline at end of file 
diff --git a/roles/app-container/tasks/ssh.yaml b/roles/app-container/tasks/ssh.yaml deleted file mode 100644 index 342141c..0000000 --- a/roles/app-container/tasks/ssh.yaml +++ /dev/null @@ -1,17 +0,0 @@ -- name: Scan for container SSH host keys - changed_when: false - run_once: true - retries: 5 - until: app_container_ssh_scan.rc == 0 - register: app_container_ssh_scan - ansible.builtin.shell: - cmd: "pct exec {{ app_container_info.vmid }} cat /etc/ssh/ssh_host_rsa_key.pub" - -- name: Update known_hosts - become: false - delegate_to: localhost - run_once: true - ansible.builtin.known_hosts: - key: "{{ container_vars.ansible_host }} {{ item }}" - name: "{{ container_vars.ansible_host }}" - with_items: "{{ app_container_ssh_scan.stdout_lines }}" \ No newline at end of file diff --git a/roles/app-container/tasks/start.yaml b/roles/app-container/tasks/start.yaml deleted file mode 100644 index bd2bd1f..0000000 --- a/roles/app-container/tasks/start.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -- name: Stop the container if it's started and definition has changed - when: app_container_before_pct.content != app_container_after_pct.content and app_container_info.status == 'running' and (container_vars.app_container_autorestart_enabled | default(false)) - community.general.proxmox: - api_user: root@pam - api_password: "{{ users_root_password }}" - api_host: "localhost" - hostname: "{{ container_vars.ansible_hostname }}" - state: stopped - -- name: Start container - run_once: true - community.general.proxmox: - api_user: root@pam - api_password: "{{ hostvars[container_vars.app_container_pve_node].users_root_password }}" - api_host: "localhost" - hostname: "{{ container_vars.ansible_hostname }}" - state: started - -- name: Wait for the container to start responding on SSH - run_once: true - ansible.builtin.wait_for: - host: "{{ container_vars.ansible_host }}" - port: 22 - timeout: 400 - sleep: 2 - msg: "Container {{ container_vars.ansible_hostname }} did not start responding on SSH in time." - -- name: Run outbound ping to workaround the bug when new containers are not reachable - changed_when: false - ansible.builtin.command: - cmd: "pct exec {{ app_container_info.vmid }} -- bash -c 'ping -c 5 google.com'" - diff --git a/roles/app-container/tasks/uid-gid-mapping-container.yaml b/roles/app-container/tasks/uid-gid-mapping-container.yaml deleted file mode 100644 index f293be3..0000000 --- a/roles/app-container/tasks/uid-gid-mapping-container.yaml +++ /dev/null @@ -1,10 +0,0 @@ -- name: Load current container config file - register: app_container_config - ansible.builtin.slurp: - path: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" - -- name: Update config with lxc.idmap - ansible.builtin.copy: - force: true - dest: "/etc/pve/lxc/{{ app_container_info.vmid }}.conf" - content: "{{ lookup('template', 'lxc-idmap.j2', template_vars=dict(current_config=(app_container_config.content | b64decode)) | combine(container_vars)) }}" 
diff --git a/roles/app-container/tasks/uid-gid-mapping-global.yaml b/roles/app-container/tasks/uid-gid-mapping-global.yaml deleted file mode 100644 index 52bdd3b..0000000 --- a/roles/app-container/tasks/uid-gid-mapping-global.yaml +++ /dev/null @@ -1,17 +0,0 @@ -- name: Add mapped uids to setuid - loop: "{{ container_vars.app_container_mapped_uids | default([]) }}" - loop_control: - loop_var: uid - ansible.builtin.lineinfile: - path: /etc/subuid - create: false - line: "root:{{ uid }}:1" - -- name: Add mapped gids to setgid - loop: "{{ container_vars.app_container_mapped_gids | default([]) }}" - loop_control: - loop_var: gid - ansible.builtin.lineinfile: - path: /etc/subgid - create: false - line: "root:{{ gid }}:1" diff --git a/roles/app-container/tasks/zfs.yaml b/roles/app-container/tasks/zfs.yaml deleted file mode 100644 index 6bc5c47..0000000 --- a/roles/app-container/tasks/zfs.yaml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Create dataset - loop: "{{ container_vars.app_container_mounts | selectattr('type', 'equalto', 'zfs') }}" - loop_control: - loop_var: mount - community.general.zfs: - name: "{{ mount.zfs_pool_name }}/subvol-{{ app_container_info.vmid }}-disk-{{ mount.disk_index }}" - state: present \ No newline at end of file diff --git a/roles/app-container/templates/getssl-config.j2 b/roles/app-container/templates/getssl-config.j2 deleted file mode 100644 index 30bf95b..0000000 --- a/roles/app-container/templates/getssl-config.j2 +++ /dev/null @@ -1,17 +0,0 @@ -[ - {% for cert in app_container_getssl_certificates %} - { - "name": "{{ cert.name }}", - "cert_filename": "{{ cert.cert_filename }}", - "key_filename": "{{ cert.key_filename }}", - "fullchain_filename": "{{ cert.fullchain_filename }}", - "user": "{{ cert.user }}", - "group": "{{ cert.group }}", - "permissions": "{{ cert.permissions | default('0440') }}" - {% if loop.last %} - } - {% else %} - }, - {% endif %} - {% endfor %} -] \ No newline at end of file 
diff --git a/roles/app-container/templates/init-script.j2 b/roles/app-container/templates/init-script.j2 deleted file mode 100644 index becf445..0000000 --- a/roles/app-container/templates/init-script.j2 +++ /dev/null @@ -1,37 +0,0 @@ -#!/usr/bin/env bash - -set -e - -apt-get update -apt-get install -y sudo - -# Enable passwordless sudo -sed -i -E 's/%sudo\s+ALL=\(ALL:ALL\)\s+ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/' /etc/sudoers - -{% for user in users_admin_users %} -# Create user {{ user.username }} -adduser --disabled-password --gecos GECOS {{ user.username }} -usermod -a -G sudo {{ user.username }} - -# Create .ssh directory -mkdir /home/{{ user.username }}/.ssh -chown {{ user.username }} /home/{{ user.username }}/.ssh -chgrp {{ user.username }} /home/{{ user.username }}/.ssh -chmod 0700 /home/{{ user.username }}/.ssh - -# Configure public keys -echo "" > /home/{{ user.username }}/.ssh/authorized_keys -{% for public_key in user.public_keys %} -echo "{{ public_key }}" >> /home/{{ user.username }}/.ssh/authorized_keys -{% endfor %} -{% endfor %} - -# Add allowed ssh users -SSH_ALLOWED_USERS="AllowUsers {{ ssh_allowed_users | join(' ') }}" -grep -q "AllowedUsers " /etc/ssh/sshd_config || echo "$SSH_ALLOWED_USERS" >> /etc/ssh/sshd_config - -# Apply sshd changes -systemctl restart sshd - -# Mark container init as finished -touch /etc/container-init \ No newline at end of file diff --git a/roles/app-container/templates/lxc-idmap.j2 b/roles/app-container/templates/lxc-idmap.j2 deleted file mode 100644 index 5f7f2c0..0000000 --- a/roles/app-container/templates/lxc-idmap.j2 +++ /dev/null 
@@ -1,35 +0,0 @@ -{% for line in current_config | split("\n") %} -{% if not line | regex_search("^lxc\.idmap:") %} -{{ line }} -{% endif %} -{% endfor %} - -{% if app_container_mapped_uids is defined and app_container_mapped_uids | length > 0 %} -{%- set sorted_uids = app_container_mapped_uids | sort %} -lxc.idmap: u 0 100000 {{ sorted_uids | first }} -{% for uid in sorted_uids %} -lxc.idmap: u {{ uid }} {{ uid }} 1 -{% if not loop.last %} -{% if sorted_uids[loop.index0 + 1] - uid > 1 %} -lxc.idmap: u {{ uid + 1 }} {{ uid + 100000 + 1 }} {{ sorted_uids[loop.index0 + 1] - uid - 1 }} -{% endif %} -{% else %} -lxc.idmap: u {{ uid + 1 }} {{ uid + 100000 + 1 }} {{ 65535 - uid - 1 }} -{% endif %} -{% endfor %} -{% endif %} - -{% if app_container_mapped_gids is defined and app_container_mapped_gids | length > 0 %} -{%- set sorted_gids = app_container_mapped_gids | sort %} -lxc.idmap: g 0 100000 {{ sorted_gids | first }} -{% for gid in sorted_gids %} -lxc.idmap: g {{ gid }} {{ gid }} 1 -{% if not loop.last %} -{% if sorted_gids[loop.index0 + 1] - gid > 1 %} -lxc.idmap: g {{ gid + 1 }} {{ gid + 100000 + 1 }} {{ sorted_gids[loop.index0 + 1] - gid - 1 }} -{% endif %} -{% else %} -lxc.idmap: g {{ gid + 1 }} {{ gid + 100000 + 1 }} {{ 65535 - gid - 1 }} -{% endif %} -{% endfor %} -{% endif %} \ No newline at end of file diff --git a/roles/app-container/templates/pct-set.j2 b/roles/app-container/templates/pct-set.j2 deleted file mode 100644 index eee4b37..0000000 --- a/roles/app-container/templates/pct-set.j2 +++ /dev/null 
@@ -1,31 +0,0 @@ -pct set {{ app_container_id }} -{%- raw %} --hostname {% endraw %}{{ ansible_hostname }} -{%- raw %} --memory {% endraw %} {{ app_container_memory }} -{%- if app_container_cpu_cores is defined %} --cores {{ app_container_cpu_cores }}{% endif -%} - {%- raw %} --features nesting=1{% endraw %}{% if app_container_fuse_enabled | default(false) == true %},fuse=1{% endif -%}{% if app_container_docker_support | default(false) == true %},keyctl=1,fuse=1{% endif %} - {%- for mount in (app_container_mounts | default([])) %} - {%- if mount.type == "bind" %} - --mp{{ loop.index - 1 }} "{{ mount.hostpath }},mp={{ mount.target_path }}" - {%- endif %} - {%- endfor %} - {%- if app_container_getssl_certificates is defined %} - --mp{{ app_container_mounts | default([]) | length }} "/var/lib/getssl/{{ app_container_id }},mp={{ app_container_getssl_mountpoint | default('/getssl') }},replicate=0,shared=1" - {%- endif %} - {%- for nic in app_container_network_interfaces %} - --net{{ loop.index - 1 }} "name={{ nic.name }},bridge={{ nic.bridge }},ip={{ nic.ipv4_address }}{{ ",gw=" + nic.ipv4_gateway if (nic.ipv4_gateway | default("")) != "" else "" }}" - {%- endfor %} - {%- if app_container_start_onboot is defined %} - --onboot {{ '1' if (app_container_start_onboot | default(true)) else '0' }} - {%- endif %} - {%- if app_container_protection is defined %} - --protection {{ '1' if app_container_protection else '0' }} - {%- endif %} - {%- if app_container_startup_order is defined %} - --startup {{ app_container_startup_order }} - {%- endif %} - {%- if app_container_swap is defined %} - --swap {{ app_container_swap }} - {%- endif %} - {%- if app_container_nameserver is defined %} - --nameserver {{ app_container_nameserver }} - {%- endif %} \ No newline at end of file diff --git a/roles/app-frigate/tasks/docker.yaml b/roles/app-frigate/tasks/docker.yaml deleted file mode 100644 index 33503bc..0000000 --- a/roles/app-frigate/tasks/docker.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -- name: Create compose file - ansible.builtin.copy: - dest: /etc/frigate/docker-compose.yaml - force: true - content: "{{ lookup('template', 'docker-compose.j2') }}" - -- name: Start docker stack - community.docker.docker_compose_v2: - project_src: /etc/frigate - state: "{{ 'restarted' if app_frigate_config.changed else 'present' }}" diff --git a/roles/app-frigate/tasks/main.yaml b/roles/app-frigate/tasks/main.yaml deleted file mode 100644 index 1c82e4f..0000000 --- a/roles/app-frigate/tasks/main.yaml +++ /dev/null @@ -1,20 +0,0 @@ -- name: Create config directory - ansible.builtin.file: - path: /etc/frigate - owner: root - group: root - mode: "0750" - state: directory - -- name: Create config file - register: app_frigate_config - ansible.builtin.copy: - dest: /etc/frigate/config.yml - content: "{{ lookup('template', 'config.j2') }}" - owner: root - group: root - mode: "0640" - -- name: Create docker stack - ansible.builtin.include_tasks: - file: docker.yaml diff --git a/roles/app-frigate/templates/config.j2 b/roles/app-frigate/templates/config.j2 deleted file mode 100644 index 10831d5..0000000 --- a/roles/app-frigate/templates/config.j2 +++ /dev/null 
@@ -1,47 +0,0 @@ -mqtt: - enabled: False - -record: - enabled: True - retain: - days: 1 - events: - retain: - default: 1 - mode: motion - -detect: - enabled: false - -go2rtc: - streams: -{% for camera in app_frigate_cameras %} -{% if camera.type == "reolink" %} - {{ camera.name }}_main: - #- "rtsp://{{ camera.username }}:{{ camera.password }}@{{ camera.ip }}/h265Preview_01_main" - - "ffmpeg:rtsp://{{ camera.username }}:{{ camera.password }}@{{ camera.ip }}/h264Preview_01_main" - #- "ffmpeg:http://{{ camera.ip }}/flv?port=1935&app=bcs&stream=channel0_main.bcs&user={{ camera.username }}&password={{ camera.password }}#video=copy#audio=copy" - {{ camera.name }}_sub: - - "ffmpeg:rtsp://{{ camera.username }}:{{ camera.password }}@{{ camera.ip }}/h264Preview_01_sub" - #- "ffmpeg:http://{{ camera.ip }}/flv?port=1935&app=bcs&stream=channel0_ext.bcs&user={{ camera.username }}&password={{ camera.password }}" -{% else %} -TBA: Doorbell -{% endif %} -{% endfor %} - -cameras: -{% for camera in app_frigate_cameras %} - {{ camera.name }}: - ffmpeg: - inputs: - - path: rtsp://127.0.0.1:8554/{{ camera.name }}_main?video=copy&audio=aac - input_args: preset-rtsp-restream - roles: - - record - - path: rtsp://127.0.0.1:8554/{{ camera.name }}_sub?video=copy - input_args: preset-rtsp-restream - roles: - - detect - # live: - # stream_name: {{ camera.name }}_sub -{% endfor %} \ No newline at end of file diff --git a/roles/app-frigate/templates/docker-compose.j2 b/roles/app-frigate/templates/docker-compose.j2 deleted file mode 100644 index 5cb2efb..0000000 --- a/roles/app-frigate/templates/docker-compose.j2 +++ /dev/null 
@@ -1,22 +0,0 @@
-services:
- frigate:
- image: ghcr.io/blakeblackshear/frigate:{{ app_frigate_image_tag }}
- # privileged: true # this may not be necessary for all setups
- container_name: frigate
- shm_size: '{{ app_frigate_shm_size_gb }}gb'
- # TODO: Devices
- environment:
- FRIGATE_RTSP_PASSWORD: "password"
- ports:
- - "5000:5000"
- - "8554:8554"
- - "8555:8555/tcp"
- - "8555:8555/udp"
- volumes:
- - /etc/frigate:/config
- - /nvr:/media/frigate
- - type: tmpfs
- target: /tmp/cache
- tmpfs:
- size: {{ app_frigate_cache_size_gb * 1000000000 }}
-
diff --git a/roles/app-gatus/tasks/main.yaml b/roles/app-gatus/tasks/main.yaml
deleted file mode 100644
index 49b954c..0000000
--- a/roles/app-gatus/tasks/main.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: Create config directory
- ansible.builtin.file:
- path: /etc/gatus
- state: directory
-
-- name: Create state directory
- ansible.builtin.file:
- path: /var/gatus
- state: directory
-
-- name: Create config file
- register: app_gatus_config
- ansible.builtin.copy:
- dest: /etc/gatus/config.yaml
- force: true
- content: "{{ lookup('template', 'config.j2') }}"
-
-- name: Create compose file
- ansible.builtin.copy:
- dest: /etc/gatus/docker-compose.yaml
- force: true
- content: "{{ lookup('template', 'docker-compose.j2') }}"
-
-- name: Start docker stack
- community.docker.docker_compose_v2:
- project_src: /etc/gatus
- state: "{{ 'restarted' if app_gatus_config.changed else 'present' }}"
diff --git a/roles/app-gatus/templates/config.j2 b/roles/app-gatus/templates/config.j2
deleted file mode 100644
index 15e674f..0000000
--- a/roles/app-gatus/templates/config.j2
+++ /dev/null
@@ -1,74 +0,0 @@
-metrics: true
-
-storage:
- type: sqlite
- path: /var/gatus/gatus.db
-
-endpoints:
-{% for host in groups['all'] %}
-{% for endpoint in hostvars[host].app_gatus_monitored_endpoints | default([]) %}
-- name: {{ endpoint.name }}
-{% if endpoint.group | default('') != '' %}
- group: {{ endpoint.group }}
-{% endif %}
- interval: {{ endpoint.interval | default('30s') }}
- client:
-{% if endpoint.insecure | default(false) == true %}
- insecure: true
-{% endif %}
-{% if endpoint.dns_resolver | default('') != '' %}
- dns-resolver: {{ endpoint.dns_resolver }}
-{% endif %}
-{% if endpoint.type == "ping" %}
- url: "icmp://{{ endpoint.host | default(hostvars[host].ansible_host) }}"
- conditions:
- - "[CONNECTED] == true"
-{% elif endpoint.type == "http" %}
- url: "http://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port | default(80) }}{{ endpoint.path | default('') }}"
- conditions:
- - "[STATUS] == 200"
-{% elif endpoint.type == "https" %}
- url: "https://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port | default(443) }}{{ endpoint.path | default('') }}"
- conditions:
- - "[STATUS] == 200"
-{% if not (endpoint.insecure | default(false)) %}
- - "[CERTIFICATE_EXPIRATION] > 72h"
-{% endif %}
-{% elif endpoint.type == "https-pomerium-proxy"%}
- url: "https://{{ endpoint.host }}{{ endpoint.path | default('') }}"
- conditions:
- - "[STATUS] == 200"
- - "[CERTIFICATE_EXPIRATION] > 72h"
-{% elif endpoint.type == "tcp" %}
- url: "tcp://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port }}"
- conditions:
- - "[CONNECTED] == true"
-{% elif endpoint.type == "wss" %}
- url: "wss://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port }}"
- body: "status"
- conditions:
- - "[CONNECTED] == true"
- - "[BODY].result >= 0"
-{% elif endpoint.type == "ws" %}
- url: "ws://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port }}"
- body: "status"
- conditions:
- - "[CONNECTED] == true"
- - "[BODY].result >= 0"
-{% elif endpoint.type == "dns" %}
- url: {{ endpoint.host | default(hostvars[host].ansible_host) }}
- dns:
- query-name: "{{ endpoint.dns_query_name }}"
- query-type: "{{ endpoint.dns_query_type }}"
- conditions:
- - "[BODY] == {{ endpoint.dns_query_answer }}"
- - "[DNS_RCODE] == NOERROR"
-{% elif endpoint.type == "starttls" %}
- url: starttls://{{ endpoint.host | default(hostvars[host].ansible_host) }}:{{ endpoint.port }}
- conditions:
- - "[CONNECTED] == true"
- - "[CERTIFICATE_EXPIRATION] > 48h"
-{% endif %}
-
-{% endfor %}
-{% endfor %}
diff --git a/roles/app-gatus/templates/docker-compose.j2 b/roles/app-gatus/templates/docker-compose.j2
deleted file mode 100644
index 179df03..0000000
--- a/roles/app-gatus/templates/docker-compose.j2
+++ /dev/null
@@ -1,10 +0,0 @@
-services:
- gatus:
- container_name: gatus
- image: twinproduction/gatus:{{ app_gatus_image_tag }}
- restart: always
- ports:
- - "8080:8080"
- volumes:
- - /var/gatus:/var/gatus
- - /etc/gatus/config.yaml:/config/config.yaml:ro
diff --git a/roles/app-haraka/tasks/disable-postfix.yaml b/roles/app-haraka/tasks/disable-postfix.yaml
deleted file mode 100644
index f5147e8..0000000
--- a/roles/app-haraka/tasks/disable-postfix.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-- name: Stop & disable postfix services
- ansible.builtin.systemd_service:
- name: "{{ item }}"
- enabled: false
- state: stopped
- loop:
- - "postfix"
- - "postfix@-"
diff --git a/roles/app-haraka/tasks/main.yaml b/roles/app-haraka/tasks/main.yaml
deleted file mode 100644
index 84b8c20..0000000
--- a/roles/app-haraka/tasks/main.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-- name: Create user with fixed UID/GID
- ansible.builtin.include_tasks:
- file: user.yaml
-
-- name: Disable postfix
- ansible.builtin.include_tasks:
- file: disable-postfix.yaml
-
-- name: Create config directory
- ansible.builtin.file:
- path: /etc/haraka
- state: directory
- owner: haraka
- group: haraka
- mode: "0750"
-
-- name: Create config file
- register: app_haraka_config
- ansible.builtin.copy:
- dest: "/etc/haraka/{{ item.dest }}"
- owner: haraka
- group: haraka
- mode: "0640"
- force: true
- content: "{{ lookup('template', item.template) }}"
- loop:
- - template: config_auth.j2
- dest: auth_flat_file.ini
- - template: config_relay.j2
- dest: relay_via_external.ini
-
-- name: Create compose file
- ansible.builtin.copy:
- dest: /etc/haraka/docker-compose.yaml
- force: true
- content: "{{ lookup('template', 'docker-compose.j2') }}"
-
-- name: Start docker stack
- community.docker.docker_compose_v2:
- project_src: /etc/haraka
- state: "{{ 'restarted' if app_haraka_config.changed else 'present' }}"
\ No newline at end of file
diff --git a/roles/app-haraka/tasks/user.yaml b/roles/app-haraka/tasks/user.yaml
deleted file mode 100644
index e0b193c..0000000
--- a/roles/app-haraka/tasks/user.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: Create haraka group with fixed GID
- ansible.builtin.group:
- name: haraka
- gid: "{{ app_haraka_gid }}"
-
-- name: Create pomerium user with fixed UID
- ansible.builtin.user:
- name: haraka
- group: haraka
- uid: "{{ app_haraka_uid }}"
- create_home: true
diff --git a/roles/app-haraka/templates/config_auth.j2 b/roles/app-haraka/templates/config_auth.j2
deleted file mode 100644
index d6aab49..0000000
--- a/roles/app-haraka/templates/config_auth.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-[core]
-methods=PLAIN,LOGIN,CRAM-MD5
-
-[users]
-{% for user in app_haraka_users %}
-{{ user.username }}={{ user.password }}
-{% endfor %}
\ No newline at end of file
diff --git a/roles/app-haraka/templates/config_relay.j2 b/roles/app-haraka/templates/config_relay.j2
deleted file mode 100644
index 30281ba..0000000
--- a/roles/app-haraka/templates/config_relay.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-auth_user={{ app_haraka_smtp_username }}
-auth_pass={{ app_haraka_smtp_password }}
-exchange={{ app_haraka_smtp_host }}
-port={{ app_haraka_smtp_port }}
\ No newline at end of file
diff --git a/roles/app-haraka/templates/docker-compose.j2 b/roles/app-haraka/templates/docker-compose.j2
deleted file mode 100644
index f07b0ed..0000000
--- a/roles/app-haraka/templates/docker-compose.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-services:
- haraka:
- container_name: haraka
- image: homecentr/haraka-relay:{{ app_haraka_image_tag }}
- restart: unless-stopped
- ports:
- - "25:2525"
- - "9904:9904"
- volumes:
- - /getssl/wildcard_fullchain.crt:/haraka/config/tls_cert.pem:ro
- - /getssl/wildcard.key:/haraka/config/tls_key.pem:ro
- - /etc/haraka/auth_flat_file.ini:/haraka/config/auth_flat_file.ini:ro
- - /etc/haraka/relay_via_external.ini:/haraka/config/relay_via_external.ini:ro
\ No newline at end of file
diff --git a/roles/app-homepage/defaults/main.yaml b/roles/app-homepage/defaults/main.yaml
deleted file mode 100644
index 1a79368..0000000
--- a/roles/app-homepage/defaults/main.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-app_homepage_uid: 7000
-app_homepage_gid: 7000
\ No newline at end of file
diff --git a/roles/app-homepage/files/dynadot.png b/roles/app-homepage/files/dynadot.png deleted file mode 100644 index 58839b1db7cc45fbbbb14cfe1950955d200ccb5d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8429 zcmVplgGod|RCr$PT?u>? zMb@vX?w-j^?u3LSNC>%u$R&shD2Rx{A`%f05EPKZU9V4BZ&`I!SY20Fko!)M0CI|` zh{z$LfE=sp2Wp9i6NOuCSm?RnoL)BS69{h*L$zdCN8+(f(tIV z;DQS-xZr{dE;JU;?agO3KV7))@W#nsg+FRr4z2m=LVL!TO&K(HZ5l`3ImO}m!XGX~ z4f`zHUA^c+`^JNxWvfE3#n6O|84qmDPM>?A$Pdq_>^|?(0__nUmz<-zg~`7PKW>`#=<2l3 zFNn(bl#;uxP~WMRs)D~{krnl!HV791>cYRyvMr;#C}$pv7XSKbhTGjq*#|!@Fzz!* z@<@&m5em%$Bp|_Bs+M1{TiezCE&^PI2Y2K!pQR}RdA7TZ=Y!X$KeM_@Jae+#JcuU> z;R%tz7VwfnRFiOrzncmF_VL!>pEd~>0ctVy3;NmUFu812taVsoM&Iu1(l4Z%q<=9= zq6Db*pyN@^bMT+cQNkHSrO2J}f5S)5RZ0^6ZHu_>2{0frgOO*BGO}-kGVefP$V~|u zD^3`!2MSG6phO7@77aX9e)1bV4}s#!`){bm-&vIwHLNY-x+cJ&jakC?lOkpE;jMD~ zXIX#Vo@Xd1G>X#&M)ev-K>n(#|6LiODhSb1<(qGFRZ>KIB0t(Du1f;U`20La{&9vo zG$Gvj^v>Lv+c#$ZwCA#UVS!O3D0sL<0U`gU-CqkVFatONah_VQp+iDd0u1e-!#`~j z*Bt>umZ$P7{uC;azxI&EZO?sveNpwdsg>4#UK~|;Miub>Q1A`8^@;*lD-~r8rBo)5 z9iWRxg`!eulelgOFg7WRhAcbB7d{>%zIUiNDrRNs`X5S7?=eO~1WH7>g@P0t61)ny zN6|nV@KBL)3!eKA2)d>+#2!O9oTl8b3j*A+A(P)SK3plB87JPdHa&iQc4bvAuNxVvz#%&e3EDLQ4xK5X&cfw68)4s2;$Ob&W zY{Z5}>!Q^Y;0WCFX(spe!x3ud%>7%l-#c4reZIsj5jRGy5Y(K38wqL*cgZSm7Uy&u zM;0aXvEfA|gFJ5o#!7Z|x64~47OG=D$serJs5k#iN+9z3NRa;8O3@?D+IU3o03 z)jN>dod)Q&Hl0V|D;JFZvCC3EI8U`FO5XUHOPdm9y?IsIfTRM$ z_rH`|m<)~{*f@4Aj$T86c(BDl#surU@cb5EEqU&%JW3{iM>mfNlP^q<5#zVz^z59F zxo!U?)2n%A(F>ZHBI*knoW~Ac!r$>ZFAe*h*=Q}ac>)Yg%I4m@r;|eF^^wSul!3*v ze7IavsK6-NS9|u+V*d|s0WZ*B!!5*sDyz)?IlQw%5(XuNo74aueic3;o=d$CXPe}KP~Fv8S`g$2;j0B@07D+G(guR|Ny#vZYfO@I zBfL-qXA{->)xuY-io*G6IMUHwqk8_8k~+}jRB%XPITFz;Q@OP1F=|2T7N0xlEzm*m z(+Z{U@QIl?F+j^xvsF^cWSMlNOzjsy$=79W6pO6T9v;F=2PQ_&C%Sc%R8K*YI2GC! 
z0p2~$$V)wCLcf}Ij=g8=hSG4f(B`K|8?pH0d$e2`}piH@f- zcx6uK!$5(`BBTrcezz^od*qQyi&SitIe`(y7gWa|IRUD#f$9Td>c=#uQ6qvKss)^$ z0N#ti;hPgDy}7U8sZa9_ALW}Q*#q2dsQFGO{92&Ict)=TYnWA*6%8a5TPL>-lwUrdj>eAk+E`t74p4k3b56Tl0+{R;5*Cm+7dA4xAQE3ruKdZ_u%EPMnM zDzpI9CL=+UUz^xk|DhqMlM~<`9~pRLRf1Cf9CtBxNeWAu9qW*;W2Y@h52*PleEgks z`r_VFYugY$0_BX&LJcS?NG$R|J%9`fp4WGPGlTcwv~#o}mRf%i?TMoR?{z-hnwZI| zK<(pix25O4_0h1w;60jeAF#ot`dbLCN`T($(s}Yy4|(io*)Kyo{|$k&O}ePL>_Q8m z)dC7Yg{5+(XQ^%H-j)clmm*3pTkz(s%-M5_?s{X@lc>)5WU-S2k0{}H32bi`%Z z5YXx->3Tz}6!@-ugW9XtWkt$8X$EUQ4O9F0T|IrRfEFjfTi+IN2Of?PzdUt0&RfHM zWr2DRiEyd?Rziyt;I;i1RMo#Ax%|mevqZFvVjIv!fL20_65!_b>6ElmHo3qAKiPDlD&>C7ILM7H~MU_M=cB zlenr!#11C2tcWQOnsL-V4;kYGTVC1}2^?DZSL4Q2sq8<~V&uN7(xVC` zDMh3Xo#%iV!#)KW1ycnQ*HcP-;Eg7pl9FoajKLz6@s#p#-5vs?A|Y0HE!R!UNC2E; zoK4CeJg7htsgF!7#Hw^oej@H-x1}j8d6r{l1hp6ed{?G&SEk2Ev1?M7U$QDQ1P3kO z0$^>Ipr-RO2we*#i1QH2&Q@Aqy-~xN`-SKx3<7L2x!WZH$U7%F@^Wt} zU|Gsy3sGk4Y@WZp`}?gHSrOcLrgYcy>*Is;|C}>8_)N_;LOwjp-QlYxu>o$Ry9X~n zb%*_?TWc4m@a8$OBKssI(N7=~+Y$jB?gVyA$Y3b^o02j^wLG1TD`z3tp2A0!FM~c8 zg0v&rJvlfyCV6^H7J2&=H+N4Sckahj+zY+z7;eH?d`8UUOgvn3AgN=AkB&s6Cbe6D0ZRo za2NsZ-<(Csb3LRb-xhlJ@)BNCC1ZyXKS;1_1aIGq=St^A`Ao*J@d5g4s`W2?ozG3! 
zlFi?rn88ikk;^YQROHZ#;LLDX#*dU)R8zmGz!;Ei6#by-XWLt?c|Zq}36zRiCDwj} zd-w+!!q2@SF6T7z)!QlomY2h#9G=c{|_R>CE+AQ$8R9db;}A^nabxhX1C3GKeN5# zy2=%g$4Y6BMT_&lD|+zJtvOGO+mJc^FQ1=(D(U2<{`{@6$+=^z za;vtSt+XymGfOKDT`_<3f2T^n?zTGZ*ti|JFYKKVE`K>TT)q!XL`@9s8V)1CxoTU* z{ISYvHKN{D&zc3b1(|P>HXnUBGMRpoEFAp6&0^5lH7M!v2lK<)u}5!`mQKu515FN|MRub_6Ua%;F0a; zIrHo|aqbrdcSh*>F%mTYAh@}O$#5sAF`eAg@MK7UTZ48#c1;?;dwhgQ79~$SRw=H% zU>1oNM39n`F)7Cj9`EXPOZcP7oZsiYCcAdXz_k&%f0UI;hwK;G| z<~}b`Kc+>N7a9C3MHy%PG^_asj)Q`OJYGDt^pve{VOX)jS}y_muTAGu9*q`9Bxb}1 zYFHwMVHY$!fJ^RGyHT5-n!o6qaB!W68%(7Z+4n$+>7RJv`%AXGv{yKU09TAQ&0JO` zT1_DOKiU=JkAO84zs?$}=a0SoK!hr@djsqKP}9w;)98;=qtINClhxug_-@D~4n8$D zuWmXjQ z{(}*9f2ir43D=aWA9NmWlF1;D9D1YI`A z>XSeqKyMF0{Z3COhBLbAhD=p|1GEO6504<4;(Mr1mWwhsen-wg{N2x2<03$70T&CR z1_;qIRkZ{)Ad8!8zTs187PTIbyLugk1^}^Ba5%+I0_U!n<>?saCAW>Tx>h)Srcl&a zrLB-sFE^WT-L>^=^a7mv36L0(P4Hk-sx7_`oI#3v1E*Dql^B*&t-2NM4sC|js0FMx z?T#OAQvcS4|JL~CPxZq0m}=f-ZZNW%iw&g9S>f~qz#>IYUVtCaq)@{|bNz}v04I9` zsI16Zc&;fTL9GFAQ0EIq>v(qz>#D8al`vav>7tUlcXaciCK^T`)_kg>=JhAQ9L=%87;>+NjUV830h6&pG9nT04L4A!RE5@4lHHCM- zLM0$1z*OVwh}e7KAUK2o6qiXLaMryY(vFF|1UBGMrB(e_UxE7d-nx-xvQ0tbIrdKj zZ~-cD{cLFf_|8g6DNT4FY%!kiF2oM)-{Zw^3Rvc}80(IoFULjtXvbiG1!$}$_j+RD z(c6G@D`6U2G@fmZ07`A+A7ZaxRE-BjL2+?MPe08tJTI6QBfj}fL7g#2yV+{$jiRzn zLr6Y&^E}*mO(cNwmMTGggu4reYJ$kbaJ2>cJEYYNdvD6F3f55S3xY#erOCO*2h9+H zR?D=v1iGp5bo6lCxRgT((8tTRv)e#lLBaj;El~VTE)f7ol(}KG5|x=RtjbU$|EkES zUi)99O^=cLC1eQuXT?fz%@a{Z4b9z$b0~i*vDwS>+Rrkcw zt(lc-_z9ymu*@vs_W*2d)g}T6L@eM^_-nYrcl!97F|41Tw$69k0}dg;-~c!E@8}SB zz5}Q++~yM zP^0@zfx?LzhQbH33VI-Ie31Tqyw)cngD;#G^PBsBgESifZq)M&aMYlgSyjo3&g(aM zhIuqlU&j6WEdR#PPW8XPnQ#aJ{Ixi)@(!IlBxGB5wRliqln1S5bCsJ0G%BJVs`Jhw zlUgf_3{r!7F~C!!7FyZku`^J;eDOou{d3#^+4F^iiIyW?VHP@O7)p{a@1WwJL#2ovD zQHK!Vl_4R@&FddhJ(vK>F1o{8nxhsGP$V2mOG}j7-`#mWFk@P@CBA{7+Dp@-l{>a% ztJe=qj+}OXpl(X6r;t$zPC+@S17HG&he;t^B~*K!&;obH<{a(e6S?rd&Z`G)$mG6x z$o5IP`tWIiZKsp1`IRq%lmg&p)qlgVrT{gE1tRhQ4Fn`q-+gZ&E_8Do96|s@2REAs zJ1kh|Cjp~D12l`t@Gy?yixx&YuPd#diecZB+Z?d^aByr_`QBZ*luSLy-n*~!`c=0D 
z_A?Y3{d@Si4ZJhJZC`I6&7SxW{YIliLcw--&z=#zg!T#$Z%@eJ4o$Rue7ZiwZ_8nZ zIdS6Luk$;X$ntEQ^8h(+mbV6Z#I54_LW_K2$JnstWc26s%W>firlYxNumGEbZVBlu zd2*CI>5KEjzsNK0afd1f>_$7=oOc3`K!q!$toZTme$WV09^9JEeHPzvO+`GiBZpr< zI;_F|+@Pf?eDSQzqgcJL^Ue-zqfkR|TDVV#Wuw2q02KbbeFcA*4;22) zFY+k)_&+RQWh%R4Qx@NELk2%^Qx+#IOlF}g(`aLbfBVKP9)(Zd|0U#Xg=I3DI1qlb z%Mv0`o4Zk7g8HGUEHk<(j)lWCfQraXlw^!ke3qvykYwero;PxCQl*Foo58JfUTRZnSeMrXm6Phm6+~(U`OsO6n^*h z8Je2Q4#U_TxjYL0=d7xr6(y$QWs(wzOWo}ueC)9_NeX9>$&o{M1eao1Paj)L#*uKW z2B-n}N1CwJX{pdA$F*C?=w=fS60WFiZiQT~lIc*x?3gp;?bCdhV0S5Zn*Bex2u(r_ zv@R^IfO*SoDv7m}w&+2+Qax zzn7u#U)x*Q>6PTNllB%q0NY3cWz_n7wD;#2Fe>EQmb*0-4krMIpFacm>-fDv0*A9R z?J+!13kEFG|zX4+{DzZhbnpU|1)I+WuPDQ5JRM#&1r*vnA!B!bwRj&CAiB5qaGGkNnw2Vu72-a9yTA5dJL9{qRj<5tf^`e^V#(E_ z+*`|$SZ{%J^wyBhTBbZVFj#r}yF!|7l<1Xm3;D6qN}_x;^iW0xAusn*YhdSvr-eWt z{gMk7d72Tdy@pZHWA?2$XcqO9vTzM|)BZ;y&vpmr@2rEJzgjq)0Ejue&vT1MhDtMb z<_`brqUlR@p8)&McfdHYmBHgwupl=snHr@xQ)k5{)m;A_dL(2BXK>u04m`dmZ|vI4 ziq64${>@8P*#o?D9G1tSM!O0h3PCi<3hzb8=JPY-#*vTD^5n_xjcShC11&-T1T+Qt zvd3e^KW)uEa=65No1PI7g;jIep1_emYLpemL-wj=<-{#M+M?4&ac(#v<}o398r4z9 zkMHG|1x|#hTr&E9oL=SspCW^}<+4c{+u8je2QHh#swDZADht$jlzNSZQEi!hfh&^K zO_O?f@ICfVi2UW&gmiXva#V}deng8AfP8osH)>MI`t%N72Jx7Vr(qDP7OZ;R&cJ3B z5Dc50JT55%LXZf75gmAqZdyjl&C=(;6q|MpxIsVHL`b9tgk5NnNEzI#gNLBSB565_ zEe$kP4k;&yRK)oT(eC_)A0|dlB6ELaltM=Ge=b04?i6`3(cq} z|6t;YqtR*vm^mm|nXxOEqk;O0A8+*=5TN0HG03Vv(C$b8g^c?f$halRppLrbLSH&&E{yhuerO2TR%5OPl7{$tH3O9xn1}KSo6)YqG)-> z4-C*P-7+flDKcyiHO=YP>cU4jh1nglF_YUrAwp704VoUi3y&3;q#n2`3K)Q`gH|PJ za{yV8pryxYIYtHrY8NN|sml`>{`&qx`sR=jry#gf6fO#XXi^qW{oF0Dg?kQ;)bm>^ zB*h9%gR7e7Z40QyuoqF0Ne*Kyu2%T-4-`3#@DWa-0csJyC5vqx8*UT$qU7No9Q_g( z`|26RC7;-7-MT+DCW4+>?y#-NC6$o6{BO{hP9A zzF87}ek95=Dly}pB1*nGS7jycpbMb=jD_p8CIN+SwRJF&E_!~`W1Zap`qbdy+}jc} zgdZl=J?hxnaM~IbwkD0wc{EzweCBe*b3c_lZ7+c}ZKNB1o>~_4wB8TAKAGl#O zBp&@1=|!2*F1T|vSOy&O#c5{hXkX1^jsj|Te4nc3tsr;?uMBe+ zjt%q`Uit98(7kw5_jT#q*(r_K#M%kq^aQ9yx3%dkd8%!qgrX>X_k_%u?v%WgXA*C~ zlE%-0^586jpP-rt6i^MClSeh0nh0_p` z^Vs}*J3Do)zZz|Z0EowT<6Gw=o2 
zPZR&!%v!&%*z1v@K^0H!$(x>BW*M>nip3yVB+1*2_Ye2rN8$c|I5P+*0su*HR}at{ zjGVb*UJG$?-dau`8>06FCM;OFBlm>zVo!l~^;CC_4q2Wmn5ZJh=s4xxAiXlrftxq9 z1llwKuEujP|?s_qa^2>M8a8RqSNq7M;#~h@)fSc_YG8c z1gi_3mZtDwpyt1y6xn9%dt=aU2yitfY|fz@3#!P78{AomNu} 
diff --git a/roles/app-homepage/files/favicon.ico b/roles/app-homepage/files/favicon.ico deleted file mode 100644 index 341116921654b32d6f7f70309d1bb491c5b29e90..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 101869 zcmeHQ33wCL_Ma|L_9CdLMN_q9RRM9q2Q?K@UXj--QV@`~BC?9`Sc+00!KLhr1+jdH zm0gOZU~Lh#Bnaxq16f2`_7+t5V~eSlE_BKLpEENFX~;5Z?lhD3&d24>oqO+De!nv( zGn45J$N6xLIoy1>U{2eFo9_HTAiGmzXe;@|xSVJDU*sQJ~YpM%OK{UiE4 zGx+T@*UleYHoE`ai5I(l_91t_|ER?W(vpL?c|GoGK4XA3`9NHU9)))w2=2KcLjOQ^ zj~`oHYL*|l^ORqZe^AlU?>|Z#vVD8+u2Dmt|D^5FjBQK1_D+p_>QZ&okT*Jj9_ic8 z__Q+LBb)!a9GNsac5+lw&Y43U!y-?%jYt|DC{AFCRW)JLmp~h z&rth~OUpi0oQDQMcT#TboT{=7{d-iNII;Ia%BHi0n$NhnQQJFf6J}PIl_a9lE1Q1m zQQ1?QbLNHY+!dX;NJobwzpZbIV7SZrwU3Y|ZFo0fNMbwUuMY&^8*w(Qh(y zjK>mM25tmH_TL$vwENXLv)>U_8UFL=Il;vJcj)Knic`SAb=McE$7r4hHLn{U@3Y8P zyYT!|-+dpMu-8yJkncuRm5U%zk}xRL55iB~*>92+Pmfkb2>x zkkgs!l9)pqzxbn~3pmmxe%so+jA6#ok|PMg=CVOK;~M3b9UOfwuPR{$sAyT1z-=9V zsMr{3JTZ9W`DhiX*m3E1^@{-OuH7esUfK8NxYF1-m@+5gm*JIj44cor53|yY_i0aS z&Zh3T@XXk%f^Sn-^7Q|BVaW2G@18zZsM9ywVdyfJ_#x}p!nh2Q6@4-x>5GdMJN_}r z&h39w_O{XA&8*nd8AqQF(`FtvMqF4IGULf-b&vRL9aeczpt7s>cZ7GG4{kmCKM^L?*0N#yiofq4 zW{8bG8v2s�*VIdYcgwyOqTJ@2Sqnco~=TuS)eL-L$B<53=I_;ltq6PZP3wR>oGA z?CID&YtEcth;7}q>{VwmwD#Yrf79^yle4c5oba&W@0ne|_@MZiLB@XHZPt~kj0K9Jd{OxR?C37E5o6e6n zJlJ{O+4X=(yR*?h8|QTPx$k)}=aHe@#+2}&wbki8t7h~{YSSwa=ar27wNTw5G<*XW zH(_@yjCgG2VPo#y#)|e4O+UeDZ%xX5tTKIZo8*-k{xP6t!@#G}{(|_B&?)UfM(@f; z#+T+b4(%R*4GoN#np{13ba}x$A)!T6z?t~0k;e;llLo}C1!oIqH|k!|^tDp;;*06U zAFk4G$4vA0BjZX_R<=3S7$l5{0W18+kP(kpm8gIDA{43ZXqYud^Ve4Y9KKM(k_5L|X)mtFJP&kIHZ$XNuZc1CN1sdK1XqEmhH1cmSGICOBZ01GH-eq6q@H!^Wd^kh> z@h1NYR9MhF?)tr_3w06EB?Tb|cg*>^Z20O|UTBJ`s!M$5%P&Xk1|$`p=|3y|jfKZw zz)YNYVcln`bJsvNSY8@)sLe*+s+N1Y?t3rw&vuyZUom7p)MGd=;l*!n>k}DW-6!J9 zi7G?(>d@yq`v5ROquRZ@HZ?URG$Q_5+w9yg`x(%z9*y*=(I=x;hJ0Ik@WRAl8-}8U zWZ$^9seg7vv4cVEf3J!ow+ueH97kS-k(UPX&^FWlCpA@tGJAr|1Cu^RFgkNjq@~VH z24mr*J=A7*v@g)Og-h-mT^$TYr4)csM@EVV2SkT`3?s)TfUna&5~gn%9Gw>h0JK8@ 
zHj9e3MV~B70_{Jb_Fn~)xQNt0zePI-p`9nhgJs)N4IyCCAv9^1FrB+^L+ajjpeX%1 zn6$hrLh>?K)Fiqj4GG8u0>0ki59AH>(chN(=UNmx9EAQICm^B?`aE?q3N1jP>&1~x zQ~&%qJ9o;4-k41LZ{VbE$p?tfKhMtFl-;ZGyErG}xyXJy`o_K63HG&k04_W5vP9T? zxc#j-zK91{#SmZ!Fa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTUvFa#I^3;~7!Lx3Sb5dlI-D;Y~0il#DAlo0^lKj2~r zk+o2^nTex=0C1luEAJRrY*Qox!2Nv2y&|cR-6-IG0pnhFm=&o2xL?G$S0pvE8wK1i zX57mTvmzA$_e&V}iljz%qk#LRjC7ew?q!ErkqUtOm5h5uQX{)j!2L&zd)Z-Dqypf6HRE29)W~iWaQ`vmUUrxj zsQ|c7X51^18rh8k?$~b!0FQ9lL05lQ% z)yo_}86%syz)VQp?ywx-1n+vxz1efhKGvHYKp7V$o%d$$VTa`aOEkp&2Ex7BbISgD zbq=76g;LLZGxxB=azFz;?=6FXa@>1e4xsG6H=OsD^f%}n(7?Gj#{p#=ydnos_SxIc zdo%a2)8KLdF({q*MZ-ZBUpL=IrwTT*`OK4p9ql>;dIR$tD0%OI$? zIe>9*Nwed9%2;_k2T=B>KA!iM0a34V0OQ`0TIu_gaq~zHpzK3^KkqGr!|QVZN;LWc;?NKteSkjMdTPFCNYn=lq+u;(2Zs-Pohbn=_+Sgcp@1h(&rT~Zr!M%_J274v%qS12XfQG`oIUjg)0HEzMDO1FSJsEcyIr(@V5tUcv54GtHVmH`}J`0BOoSFv?B;tm6m#ec1zEP*W+#bpSQv zWDo@Y4zcFY?Y0bd)~QJP=R|m&+V83|`u?&UV2!D(oYdiX$N_`gKIgs2UrEqf`{QPt z|6Gxz*h7Qd^v^ne_?YsLD>T&dd{M@PhFx;W0DmK`Idr=%hp{ol$8E7FBZk}oKKnY9 zMVtQyCJ*p^$sxX;?2IA4VBZ~%On`p+-wQOb7;uEI$NN|gAa3V)C-JQC9MA~td%#f~ zvK(OJ{RStT-x5=f0QPiW3<&{_{T!O%s=sV}jl2T*4swXECp%*Z<^Yu=6Ic$Y_c@>~ zaLn!nWXxNDuX4W|6z&DuupB_)Ja-gBjsW&_Ukqu=a)7-21HQ_APY|97fqg9;g(38_ z=K+q+Zz+9_0QPjB@Hyc4`Jxmb*_ayF|CaZIa1JT@?*_p>hxdXk2T=Ho@br1^L_cuM za)69E4DeO-IznKdzoQUgIiQ~BfEeNr9JA*E^5%dMj?OWU_6ht4JFvFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoW zfFZyTUgt z1P?iW&)gQh2aMHxzv#WWErJh+ReZk)zPSyG5PT3LaG)0kn%jbU_#+KY;7m|&Zkxf^ z3LKlk7u#m;^+Jr8xfk1_dO~0a?bDm=6x&*pU!udD2?wEVR!;Yt3x|0BnjxARwsT)JBIv32bU~gkT%go7?CxsE19(_hUQXq7D1# zJ#2zS`Owy4Q*5Kdd{ZO>+H)=2psSD27EU&3_p)q*ZLNj2aIy-v;t`=OIBX`u91-~< zAf^aFJ9r1gh%mQrGOp(Pt=l5wpjXBB*Jx|Va!@30JOD?n+E+l4xbcx_-7W@)#f=BR zx_!gSVe594KqfB&?XzwhMf7oi1_xNTby|Kd{-?%%>voFX+^@oZ>oy)^TOA?L3AhM{ zqJ`qa1;hWag>&5gRzl(1>_3J8Lx3T`5MT%}1Q-Gg0fvAVBQSCed86eRGGA)BZ9M7c z#qQQH{k>h}J2}^gAWwQAW4#6YY z)>7s3W9t%x7^0JEn>emk*Ea2^kQGw&@Z;*r|2py=-BDZ&)S>StIu#QG9`Ic;G2kKJ z6%hj-_T8f~pa9=J76S_Mz0PAmVZPUC3@Ft1I*9=V`!0J7xb8bXySwGyr0)VU#AK@+ 
zwJg_!we#Kb*=3D=u<=egd^gFYdQC{#cf4Qe5KmT{Y?Y&?76UT)Zn|Gnd<@9wJ7N$z zgM1_h_a>R{#6YikWTS~EIcp`xzfT*!eRFu#6+6#{li?fx~(H?_HT8@RB@0_4$D1Ie7_3!wNp4|$*3HG?QC+|pjQ&k$e;Fa#I^3;~7!Lx3T`5NN0f!2OF1 zTfVTy2+@n{=4i$Bam1xPjN+0XRpLq+<>HbeMdHdE7Spx3Rt8Mh;+hyRT@N)**Mmfy zo)0xn&j(F7y$EWYUIYcTmqU%(%b^doS8*C%dljeVwHrA#tgC@CRl-6aoGPDR|AGtD z^Xpt_1GPepk3Li&6d#3R4HdePZ>m9=78IZXdaTg^KceY{{a`>c*3kEfSRck3#vBpr z%Y3aNWnx{-*J@I%#T_+xFUyAOM0AG|2gSTjLgXK;$uaZ%BGNqI zb#l_4Jm4S$ZnFHS@F3WZxH_{v+!cKf%_2h`$%OYFo^eH<&9TDY13SZAQp{M(M|_*V zVgEC`)mX9z#`s##lia2pGq&`?dq}U@xquqGRBN8wN!Ia9mI^a57cr|9mR~b{n&Op7fFj5%%4Z0m_Ik$O@g&gC~R)! zB55&WH}^j?pUyo=t#XmHn6Ya+=8bl5lCJ?je|KqcITuNf8He_x4-Y5MS^rCFE`s}} zj)2>5sGCMEz^jA|039rJ~+!oj_h!!ueBSw zX#D{KUrq{tZG>OSLAm%NNm#=_u~r+gL9|e7IBvEU zI-sr!hguEeO?8~mCc#jvVEhWG(H~Qd4iaeBvc~tcP;@vH^LtvY*?U?52iqDL0`UFH ztVXYq{niD(+k0JZDEciV@7lRPNReCjbBpY*@h`jX{)_qNXSSXp$*wzMiQP5sZ_y3k zLE~B(I?K{{6#u<$t)5jsFpaEqm2dd|Y^(L0+b585F2{%PtjT4}0fSD~`u$%czrjb3 zbPQ^#+vKBL7`Uk$ZKyQ{6m-`b1B$v`#=yRAj6eQ-YVtbCgcz!^7Kq7Ld$puEaICvV z{NFQ~Oth!V)^TTX5I7dz%y;4Y7|11m00#WCN?ZDD9kYjlgM41YXKVZJev3@7rN`be zTNuFe=tB7Jq94c(cT`|Zw6%V~;CEUW*t6O4I6T)(wYI@723F7chpZCTY_Np^$i#P8 z_}F$-gTKF8>z9lH*t0N`G(mrC#eub4SK4+lumlhG;hjhL0~BI2C%U4~daPs&zy|pK zkY7KCHU>cw^TBV|gm;P{4)FTGVa&VOkAFVHHim#A5PfOI}G=n_rd+A;mmNtOAKE83}57B0vYc4R(<{Gh< zHULLkU{0`Q0h~1`2Yn2gZefFXoe{r{_?c{gag|W=EDOvt;ZJPY0H4i1PiSv)fx7G! zv;o#Lx&;ULZ1aK7)jMEb4cqOs74h93cnQx!p%g*Mhq4cn%X?7ZS#TmeH+>&!d@ihq RXT;%9^lzwEF_7T1! 
z006Lt!}bthQ}nrv4YA(o8u1VtIH6#l8_?8iF^dr>isi!sfYyAIB%+(_RfG^;9u=Xd0%@ud|P(3N<+C~mgJSpu+bA^MY^L2v?llqo`!F5K1MzIQ< zU2z@pl-1Z=j;}P|`t^aItn4%AHAfb<a_{2@4dvFE zL^orre;Y*+dFzlD$7@pJQs`C=oO8z!vO$U|o^G*FFM52;CLrJg!6tRx$CqAZ1~Z#9 z?)=JElPmb5|@#;YncC##&zBby-|%(DF;| zNpg5c*hJXwKNkIhw;@AL50zbvx6qF6t^S!KK#*D1#t9BgvaJ8;{(zC)=wLnjuh zBpEqQIQwqllA(C^vx(!hL5M3B23n!Kk=>V9V#O<;1g7`*13#`54X-9>8K~jlJg#o<9ZMT$e9zl6tdX%0+ zbk?PBnfjrDrg)sV{FKr-jT%<($sHN93n0D&Ez!U?`LeUa=nYGBg8gOYJ?Q3|{O_+I zvpXu{b!_w8I-p?XA$zr|DdUMYJ42gpchqr&tfINxh*>;+M~j`4RS8%=z>B{=mCCoW zS9OBA*b~W}G~$`O5Y6JrC9_aRG=g3uS5ET68)Rwa3CeGkN$R^v>EZ+U3k$)A@YgC! zRz}9G0*dIHQW^qJPOB^JnV8Xe{R;Kysql_>mBGSkHDl%qtLwH=-QWPrB?A|Pdsf`XJEKbr?UN(l$GxYCSo*D|WusnvaBcrYxV32NmYf2& z@P5%PAypC&*AF2l~l%$uH zwCEd$;q$4N{1ZSAZ@F(zdzR7Ko#>hq;N4xigo_zakUCJX*F6UGmZX&({CHQD3>MBtYI_(sX2Gs7bAwkU5r+Qrqe-1sMqpr5xz7Ubc zfZD$fLhYEcTdt1aw60x&x4TSfN#4tb`gdJ~l~XEkWUWvw}h>8RO^!PXxtu9nA>l87s7A zQS+qYV!(TqeuFePZ*ttHr9iRVj&MQp=?vm-S|dC{u0c18a={vzElv5VY`>XDGKmiy zwNw&FDfW$U5k?GDiZ@~v>fe74ygL~Z&-zq1TJ4gsOrY3@<6zfK~9P=HvR2GU= zhmZRhUlf5J0LcXpyB0jlY$fqUY$j4;rOfUxa@-3Nh-=xJFQ|*mU~-lh6K8Dzm!5;v z+~_+*n67}Bh)}H12KFvt5)CA6-xIgmbd9FPUi8L}Z6y6^(+GD_r2yFg4iiB!*qRkg zXM#**y_GVgzo^d^hi5}<4T+lQA50#>j4%!k%YtIq(RWsDrNDWNorRjY(TD?PB(gP| zsfj+p_1OngL1^-XzVTdC7KOO%=-FbC-qtVBiHnQk}Tr9Ey MjwjEf$t@iD8^aZ_EC2ui 
diff --git a/roles/app-homepage/files/onedrive.png b/roles/app-homepage/files/onedrive.png deleted file mode 100644 index ae14c4083497ba555a5c66dc259decfa339b6f5c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 13675 zcmeHu`8(9#ANHW~kz^~1EKS)GBV}L9$WEv%VJc+HzK>y)vP8B-_I0vT_I(JEA&fQq z&P=vp#xlmt^X_{+zdrxLwew$eU7L{hFa%&&VxW879DM<2?#_F z{7Db`?;P+#3>YN?FH9cV7TzEbGv~iwI#6216%a@eqyxSGI3QzdmdWQCDfOGD#6=f# zjz1QmY}(f_QnOA=3_dSDTPhxX z7Whj4{|6NM*mG+yH(9(CQrk>VbM!t-9bDU^&23+tvG+d_FhxH7GehMWJ5L&%C_#?r zP+KpK{Wf=_g^+fL6d|*PP9tiydeG*)Sut&HOxFK-DtYH9e|9xHpSsUDHedK>M&_)a z*}!0UgG<}X#->;Ah;j6wP@-qx=UJ~+tfwlpW?7L@rt7Vb2#g@%v1xZ;+ubN9OUnEXT&w>`r z&r*l+PyRl^U#9LmJ8j8yEa~?sj=gDb#;+rujduyb)_H)yTrd+flb{sK`Y-U=tm>_} z%cx#WSUo_dgwcW2UtYf5`bYv1=iEx6FF>!HuPIW~tG1GvUwjS%u?bYPd!&nde8fwT zN~)hB{tU0LxIdk>ZPB=KIz$I5$l!N*dY?33swu7Hm!eESJ!JTGH2U6i;>V;lP>Ax^ zC#n*@H&1rEy%$Hfi@I$+Ve~S(D7K3!i0 z2H)&@ zDZV8PZ$4b-bZHYj9XboT@Qxs)>_*GH9m4ad6=vHqxm3|;PR_jm+K9%K8s1SoDG#rg zY=erDypQ9qWV79A+qqB9WdX@&Exk;4&7+z5Np9yuSN3-9&KXx(83)%9HTXcg?90qA zUT?Sa5QOeujaPf=eYRpni4mlZeFDj>4BvaOJ#6&rcSG)@@q+exR5m>*-Xf%$QZuPV zZtxb+;X2`Qq#>5MuvjA|kap044ppFZ6|IRl;tbBfpr>Vv$(Dx9Aa!s9eW&f=-}S8! 
zX(!nfnk(k>Sc5k(n9#Q8Y4w7%D=Zv3jE+TTgr1_WD22x%|T?NYv3I5xj$} zS&pQO2}!OX`vEB4YgD`#`Pemue+A0$dsVF@t)m%8LvFbznHAv#D|6aS1bt zRKe3xdeBJUt)k;+q!MH`v0eB>P(^!0oeq_^Alnx7T(TQeJsR3F;fCN$C*}z2J_iy{ zVL7^_AlnNhxYLKfCUYr8hxJun!RnrzeIxyRQV5RbP4>mlEPkufEhk z-w2>ZE3sWj8b;+ih_#CvMw!Egg-EM`uubWg- z92ROB?ea$(S11i4&emcgrmU#WI6B>=y++FQHZ734v*>PIT_b&IH=~I0)Joh1&j~Bx z)6sLGoZb?RP?oZX$8U6!{I+V1_Gsp0v5TPW1eszo@ApAz46AM)vH!As0hMBgTUP{8 zG?Po$l$@ou*ahODxcL{&7@7cfFc9?3&YnbRg+?9`$)M3{8V@UpuMMcgpGw?NioSkhJzVls5k-a5}s9 zg74I<3{6Od6J!^9owF2OVspH6uVdjx-rU9MS!%ZS;5iVkOfY^>>oijT3kD6rSf5JZ z*y#lME+1)?no(a6?rTAN23O}@TQo#eZh;CuML{yUw}PWg1kG{=qzS9vu{Rjh6-A5q z@{*D2h;Qu1u+n;~{XHq%Fr6TZWWMD_LvUWW2gYmRb54CRq_IL>BQ}s&-}d<#36Phzx_dIPH}cvISx#vO=QXUIe1b zBi7F;@EDpDKiYB1fmwaxhf`o^w;T0nu!O6#8|UrMLsVQqU$m3OcMY1wJ+wpQ*^OWB z`;qit89}Da?KFXdkW1Q#4YmY}v`a@uxIbqE6V4}R+4>)+cSW$U zr}2qkS@Mrsv#E;U_46kM?X9wAf;m|$AFUYFfnA?>Zp(!t`xTck;AId!f`v4}di-xydUNpc7y?_b6w`3jAv z&oyKG23+c=tz~}7fyR4OId7{XBDIxM(E9LAx>Qud!3EMS>dt6lo1p|w0YA9vyjXwW z)W~|vwbHrR9^b_HdZIPBG}vU|Li#iwKR*Mt8d2(dZ5QY(uT-S)gM=)p1ax2NR2yn#el4#k8^ z=}G{`ud@#afPS2_qt6Fc3GfFaNg6u_iZ+G!)314&0tt&ai@&^^?tJWvfjqA+kg*W1 zY@2YK@r*ZOXF~zNNz=q7F!%1Cq1i~Bp0C}w_zUuk)4@tUz`LB_`NOOrf}6cNKTSY4 z4kmaU!%MhQc@X{fZx^=Dk9tM>E4Pd9h;}pX^X8P+!~PVTWL&zIOEs06dDU)^P_g>et!`HrB7>`Q4yI zg+}`60B%q*D#tGp-W{m1Gcm6VQC4*0cP%GPtqM8!Zn6t_L4AI_{#1gzu7Z8jCRRfG zZYjmv#eI!*y?k2QcPqM1M`rNPEY%GMKxOv8+CgQtIlK&;&nN#~Y$`x)w^lFB2^wX`o z9VU5pW)0g0K^;}y&j0yFu|CMV0IX#GcI&x#r>}0xdJ=Cmm-HeFlwP)eA9wI(e5wPC zi0N;*!zRE4#p;)zG{MKvV`nfC`k%&~Tek;##-#9U0+GX-Ow6g_@M>lgxBSBQ7s*!?BvSHD7_+Cn>y}HC4-k+`Yw`#7YWNNL#;)cqV zC~0sCEpk;35|?PhsjVgF-uDzkdqU`bAeLO$37>ryJr?@m1FLr4y}`AMGor1x;@y-< zuqRF3OblKhGji)f&h+(O>@s9-U|`2B>HtiGUI_d5OmP8_k32sH)1I?G5|(>1?bb|| zSyo^8cEl#6JIm83BSroyAMk;v4ap%ug$l?84k*d`4@?VRDS(RoiH{nCeYTO1YF^rP z0zm%5QM(A)hkxrEDf}?2w)u1b+nFS~>UF#mZv&CKyPTose)8#$c$v$34ak@V(80e2 zW*78JdrE9x3~&o6S5?39HBBv9CG~~(<1KSmg zHK5^jJMR;uNUQU6SfA$8SsIWA+2uDg*7|US0m(% zGt!zKRyVrLCGgikgEdK%$# z8^3Ed<(shXw=%jla$h&rcGZn4XQy0<8C 
z6eA?zYE>hHyH2H`c52JEKB>>~D*c83Zmn-~m}E$YhpRN892)uvyLD(gO11f+`=-Kr*7G>Rj#A6wj$S2LdjS(H znm=;U!!pz)r=rXyd0W|a?*pI1Y~9ztGbggd3$)ICyY`da;Q^%33-{ z+ppa>4i$uQG1U&TA+D1#;ob!kmpD4|X9d+lqx6T8d=2W}3e^f4Ov~-F*x;j~4 zNjAPmHB0>IJRX>?h}#K&#H}XWn(J#yQZQ?S5*U7&(9|s1h{Z`O@z!<~K z@-doOqPxSi!0g3ZqtMai-zS_bg3Eg06)-{@&&o+x3KL4-;uAfiQ8wjZ`vvQ3E?E25 zKHe#uDAOR{Hp^)_(X#)-guB8MmMTR8K>qtKSIpZtlWPxA+{~%XWiB>j5p#71@wTtR zC{;2+b3+d!g&v=nHY z74w@H{}d_d+yD9~m5A35mTUEH;(0o~5+P)q_Ou}cy@j6`=N0&yX!9_sj51qjRc{q% zJ!+Pi%1sg~{#=4gw#hFp)oz9%)H&?c$J5Q^07vD;@hX&QvmIwTH+SdtPhnj57Ym@r z?Zv7i1ILlZEMIS6!xBV4RoT$|9!Z=xWG*nan7I9SAy4)A+T89lgjWvar5uH+?S{&Q zDCw%=zpNgXf~!h!V4a%3TSX=%T8}m=_rja_gceH@=5{r)F5@lA9e=wc1dYQTGF#xy z1J>2uXD~73FP?>}%UP68fwerV^|65;+Y2us6}L=P4n6!ljMO%dLRshX0l7%it$d-NX<17Qy^%Ml_xC%MI&0u($b9pzBpwqV|-R^YLP5CUF-h(F{XIr470QZ=2p?4pofcnDxCsTx7xmlMlsUO zJqkML|A|bn!RTOZYXfR(ml%K#X8P`>W!9A@dszy`dKwD^6B9a2Fq>1?vAl}kzdF&b zt8_&=dRVw4Ag|YJ+S`HWr?-M{%B-Z>|I`d-HKCpZ@cpz_02M!CF=I82 z^wxz|w1+#I!8XTdHHsf?Z0sh611-RhLY&+4ZzX;M=XKe&zOYZX3{dLkuF#R*9`%2? 
z*labb#W2X5ACDhu+7-vR<;$XSswkNZ^&o(7##<;V$>y9cd#yy`Bnr^gA6$Y$` zGBJh^ILd3m-?PSQ1sNd#g=JD@XyZNf^jnz@{HjR#Tr^qr%Fj%)D0^UMn(fn(K&%Vm z`B$g;1b%I35~WP8Vsz`1GxlJFUZcXYZn^)NvzpKDd*!5sm-9lqyW>_k-#MgahXV>w z3QViRa6mzfJ@-Ews}0#~=+X?nndCW=lTkI4f--~82g=$MgsT@Gv4O#VzLu#t1K^aT zA~6(XEZ~p7fqS4-1pu)Dy!Oz*_!|_l%a-6&HP_%AVOb=g4I!#RLYDK|l*aki##B=a zha~^uWs1#?h?!MTIQ+*>GQT|3t_p6%{LTPjxv=2$X@2{PY*;k8x9q*2eTuBLaO;{; zKPRR9DCatOU)J8WaI3_A+Th!+?Nt~$XpK0<00g!;KL6&-ou$Qah;Ai$SsXjZ@lVN- z%jCwkYmF?cH0%h?lv$06AQi9Q)|TAv`=))XEVZ%3a7d!fVb86p_`-{zCKMwxJ4*Ze z2)+2!=mWz(r#F)mJBGpThr5jRy{w*j_krzj=Q|#%W5>GCI5j&MyBW{3qio*0G`pIi z#}mJGBL}KtbL-1hesJ$SvRq|BXYXr!6cO?D=I5Ow%#}MLj|8vhB@MurOHP5FL{OCQ zSgA=jLr86gNaFKrwglgFM z-lPlFN{6V)M~b@MvYN1MUX#g;CP%7@xED>|sV1CHU3G6cg%xbE30#3D`B}JI`ffny zCE{g@Uu6T6e2Zu(ij!8-(%A^jFIeRLr3PBqLV|T2fmJK1ss7u~`Lxc9?qNrOqhvgg zPx~gO)W`^GIW>YZ87LK$@KD=-K7*u<5UmWI0;-w9B@%EzXRb7d!^?hIQ2z~!a!GfE ze-rgLo~|{7`M8GI*YxyS6xUndL)(AvOK+0$_Cag zhC}d})XQyHi>uZfWutKydkb#L#Jgo!hQXlN%=Qd4BF{J$L-!OK7hXJ z2Ld5cg0$PDOlln^3%lS14%Ks{d6a2{E#z-WCSM&^+q{Bx7T;GX;b|^hb%!~*I)-}vMIag0{hp+p{{1+R^3I^-iWIgYK z>z$t3a@SaA?nGC_+st?laI1I_OkD>{&9se==?sz@uFVZ~ybxmHzDNP(NF5mvUO=J0 zO8hoj)7=O5amYuQDh-5%$bq_`PsdEMvmx^%%XJntnO%lZr!>qN4Zz_T)8Zy&(z*`l zYp;~<1;Y!EybNCkUMBY?#L0SFhGJ_TO?*pqgDQ~^-HTjPISDGb9IGwEKM9Y`?U8X3jHL|PpOvPKFkuaV40 zrkBFfMQunYmZ4%D#!F$*k>^aehJxxZtvz`t@VL^=Ul%g|xUZqZczekYY3NjBfC%7Z zX&M?%u>Z(?xIBhDJ=B+Kk1T>Y1xaX}g~;E&$|`^>7)aeo{-3x{;^4IxL$FU;i2;eA^kV(K_XxY?I++_TEO0{QawcL4^Ep z=zjPi@$~Oom5%A|2p;y#GDDJbuvl{q?k8fojq;hyPS8vp$5}V7CQNws{TNv4%y0y) zCWTk*Ow*|wdt@=4yT%?YTt2JXI;Z4zKPX{@du)Z<_SGs8*ZlLhd+D9+8etVcXMF3}gN5SFRze<@D_W?iXJRLs&`cD&s8=;6) zF>H3(uW8xq4L)vje2f?#Ug!I7lmGDXbo3vgk0)J>%ELN9j$h1JX2}jpT!jV29)WK5 z)x?Ck#U1njF@Jvy@DJ6~qNA7jA**GPZb~%5nmtw{YolP`wMX{K7Oly1sWV>GbkEUM z!)<J}<@d~}#=UCm-r4gP9L z0s6g=ZV2bCsrjpSNE%ZPh%53dK}Qa z?VJd}q~}O&W^tISU!7yROzw0J-AS?mCy^Dz^Anh}XWDK~^Wu|iE+pOmENgv$V*ph$ zox7dTxaSyAK7!BYJ3TsRetEdMo~Np-9=MtylmANQTsJp^J+!lR(J5OM6z~`^$&o5t zP8wB`Rn0i@Ihj5FO!mW_y^qWG 
zi7PLc)jf3iq{UShT?hz#!y(YFbEAiM0s~>z?YU;Zh^U~;=^w~1S6$C_JzO~^209aV zQuvRc*}n??*Cjuc^-8*qqPWkY%zEZn0n;bvNL^SrVCwo`V86LZI;;VCsw-uq{?_tn z5@|DW$QTDWLWy$9CzY(A?auS>&{Jtp=4y(dAvZRGNhra|KN;XWZ|hD*msq1%U+0~%v#R$Z&;xyR`8v-2LGd4L z_oKYHdAg%=rgL(`&r4L+J6sRfj=}pe?$1B*4?%y4Rz6_OJ`C8u1&kJ(1T+aw1@z@9 z&0YA)0`yd0$xhj&k-yD0lr@hr%=qqi$Gf2k_u18^~IYh7AOTE1CmP61&@`9PZ)M%8U6;LS) zm>UAKAraN!rkImGPChl?M>9TD&gpq>n3Ns<+FU&P5cFKvBk3qqMA0T|p~7@~QrVv} zBEfnk%mCiNfzsvdBaPhcxo0>2fEUgRiaDVVdaKnPp)xEI>|>m5^8$fvB1#GA zcE_y$K6=09ZkG~%h=E*_HU*rPH%6-G%?oPNo^O~wEaa;)U{zInWr$$_5Dt(}H+54o z+8j^bd)H6sLinW3@^$N15D2;UCwt7H($aBtq?n*O%Js?z+2!ZPRR4K^6+rhM{|GPe zOeZc~_rBLsL%_zlpCdXDG}Tid7y4SB>g5Z#v_$~x6oM?5R@fGv)%|f&z|F=aSH0LQ zkWK%^=`BhfmmQ)@_^I_%ZC3Wid||ydt45x_0pEWcwre$Iy$9h<-Q4U^E4$&et>tDq z>hCj{H`qF|Wl#UP%4+al2H`vue#CC@}Z2!7{E((lBk73OK!2iEVDW#!5cx-(9uVF?5W@l$SbTq2OcgjUxvmgQ z-ez8}ZA&oa*uK~CBTs&9H(Za32dSsuLYw#20DR7(-mR!9;Qq5Ho(nH<9RL~9XU(Ps z>a=5i9CKQAY$CD_;chpRRzOTh3}9 z+iQI7S{m)#8h6p5D zQ4&UWrtbAL6b)Jw?_*>@xGqWj-3~#)y#4{)21IyVAZ-HZNc_(cmaf2YIO0WBZ=Sf!Y!AbS)FJ^f{oyTh|@$1KOr(YMH=6^Ev< zyq|(}rCj54C)BgFA~B|%ebbo#(RrhnzyWoV8T%ha{P(Y1xc6V)lq(bHLJJSBEkF5s z^dsMV+^NI=q3V>psl=&&LH0K&lwh#KgO=Y5@v{g3qG|gO(Bn@sjzBqw_u5Tx-6_KW zbt#;0{Uzu2Vp_TONG%?j2ply_0+kiK_^EtH57MKr4fKESJqD1`E}S6rC1I@6yZ`mB zqBzlc8)F1beQKlWGhNh^o`y=XQ%o`CXxm$11l7O3QqE;kNO{m7sywxLy?z2MfAA~0 z5um{NM9%m~?R%u99(f6%2YY4{tMq$fk*uME8R!0!Id$s zJ5g)jD0}*+K=ut}qbatGAm7fTd+HeDRLIh;_MSGOd7nytAAf;O3#JbiZ^tXm&5Lcb2Q=W5~ugT|KJ9nvW%Cm=A{ zlTnd?O5<=UcTj8a4Y6sYI{XV}($W8gh$*o)bJOeYMb+-yAbxKi_4Mm#D}yxPtZLR0 zJpx!ZN});sZmf66pH+!bQ*p&5oA@d%m8sk+&`nRj~KwanThiNDmI+ z(uOygI17;b*;}nipOWQfHykIU*~RU%6eOj}2>Koty1=lfhY%cd_YUYZT7BZv@;mrADzbO->@s&=C5 zTTXBOIfu*sAgOY<0^m}>qmbOg>v7{UD+eF-Br`@7VSp~=Kz?IqPr#X+ycql<@=SIm zsShw7*I34S+>ep{oArzbXZ%@O-Af_$Rya8%d&Y^I_iH?M)eeAl8>|F76C|RAB ztUUtg{6|Qzd4^doTJlu=IyjGbd$6!RHl(G|8lHRD47eUkK=eo6eo72-n{Oy`?@YIS zRe$^UAx;9zdI1dXixIvZdqykiz1k(%X0Xf7x2r7cHxEEL4Lx7E_DgQwMxM?@)IC{~ zh;3OS;G^hw0M<|k;6gb+|j{oM7$dJ4-(?VV(>>rM{f+Xyu%G~cUf$BoQ?qM|t1*-1i$ 
z5HFt@Q&(P~PG|QpFd2ZI{Zau*1=R4K^D>?n^M7r1$1mh>HJ>@}rNpm5kYS$pb3~2|=edwl8~{FAAr$~dpSHlQ1%=+*5Khvn`{(&(_tLfZ{}i|T z7f*a!0T(5KQz8VAE#uZw&BqFbkSWnqJuu+;Kz|mFB?eozFS5M94IFH(0OR?$+KgHU z&^!Gn^~!P~o+kqP!NUw#^c5gJb}MB={&A_(*rcQ|koytRJ_WrSxlbcdy{|zY=>p8I(L3!p6zQ3r8H+8AJW8@ z`<;>ZQ@l$TatI2A3isop`5ShBZ4D@(KAr}yB72Rwey7Y4vj1XlshIKMHj}B>If1gN zZ8_iSO5_|+Itc)IL=fF}?mE~Ly>J4Oz+?XK0)EtVZ`E$XC&Z?EDPg;bXtR@ofYs=e z8TFu0yMqkX(}hWqXFOGUaX};5*}6OXAq!*d;6@^Aa%80FWk9@1tgFnGA*(1F ztJr2lyJY#4it>D+dm=R#NE?)HWAv0N>ZnW!niMx*<;=-agd^@^|!c|Ew1h@ny3lhZiFV=^NE>~_hc zHZv)(Kh(3h%b5Y+!$85YMAnQ*;JQ`zoa@YeGq{Y1(UUk8vX5T&OuuQ-eLl%VYb}dJdFK2aV>_KK|KGi{;uA2V5}8j7kw6K^)u+fMbEYKF+@d*s*D^KsiB2i zT@1u&sT((a*@nbu(LgeNc*dC77Q3UjV?Kh}*9@5pvOPn9T>(mXVNa7)UYwMzy)&M) zSoQ&7d^+@C2`vxgJKa~C{*VA2`;{K7lFaG~t++d3X9V_%diGx>%Q@KlAZ;{zSW*5? zedLH$6$^ZXydIfb2MQgXh*=#}pvnI_^t}Ykd;^Pq49xZk<@e-S$dev>Y|!0u{UY*0 z`teVeOZvOa!eB7j2mcwlo7nAYi#oKo2Y}kB_a_b$5Q% z0Iq)J9aYQgr_3T?u!%&&YrjD@-0YV-!bhqN(9@xb^aXAsDD>)=kwSriLmWRY_)CIh z(05YIoDtK8HJ0@ZfTKAGc(fwusE)|rAMg`${|ST|DhST2G1^L(lPt$->FlT?Zq~yw z#lLk=B~>N0p-?8kwonWnK8Xn$)!tFQrWIm;!VP53VV8g?fU$<}_e=9=g00KDfhF+G zpA*bV;-pOBfFU+^k8kA=SE6KtMs)29NAgRi_({GlWuK59K&grC<7$7FucHnxbL5uv zRK#wEl!yFE?-FnXa`FSvhZv6sp&}L^f?i`?&PRO>`SrUmHXG1z&NxPXcJ^NdT(pSa zeH$^5a@kMXBLs?ZH>{zGd3TCH#^U; zJ_54GTea1+R(_%|F2zPk>iV)N!_Q|AX0$>hMGb)TDQ;{V`m%#nIw#hC{Gi9;xGnZA zqRlrxQuN7RDVw2H$cNbEIWcWxLs-w@7=zROHlumhw~PQpW!@}=kSoX|t_YVhB2_(Y z;}n}4n|;+?sQ5rntv4#NNDkoN_EwYrPM@ilan^6{r8IAZRofn3DvBXD&PuT-sJCs< zk(_CPq(j&h$WXx{z4TBDS6z1CznsN~=8Rfgb-jc%VPi+R{KQs{!lZ3NuR^*C*3~>> z^lnYjep>vwW5JgyDN~_(8TkVk$<&=VaR@R*CP#{K%~V~dZlCytD9VPce!d-X|ohfje|e9q!io)$k$3wa^BXpYi!0P z2g9!Z&&IOdOElGB12s5&HVs@^wag0(37KfbR&z_$m+&_$%3t|x#(r$_FNv0yQuJ<- z9+05$_M=I?+u76@xXF`Z5%czj1Hl6Y^K2UzW!%dN@Z*QD$kX+orx#*^o}1zC+U}?y z<<%D>2lJaG{g!Wl^WGf9P{MCpk 
diff --git a/roles/app-homepage/files/sendgrid.png b/roles/app-homepage/files/sendgrid.png deleted file mode 100644 index b93be701dfec197a5a4432762740e4b28b8925e1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1066 zcmeAS@N?&q;$mQ6;Pv!y31VPi1Tq;JIGBM{_L_(g5U)7M-HBn{IhmJ04okYDuOkD) z#(wTUiL5}rM1W6-Yr^iA40CTWtb8ER_;}`{uMC?XZ+`s^D7pE9h!BwCC<*cl{tp2R z_nP-c0>wBBJR*x382Ao@Fyrz36)6l1%pIOCjv*CsZ|5BJi*^)Xc`M%Y|9^jS>#5GG zS}(6wnfgpUp#0M$HtSg<|DAbf0~t2!awTkYWjwP@qv56)tHJF>3~A9K2XeZZX5`|M zymRtx-P(`YQ$0_WbNtvLr~hwH&Ev1{u3tC*x9@M&&dJKpHZ!-;8hdJX_(? ziU&YKmzhooI`_VkFI3#+*Md}R|*KF+q`WP=c|Mm_T%+XO*W$BH}j$VeYhW4@;Z)LJJ8 zauDx}I_8`MtH36%GH;NuG;8o>o08E0GW;s5fO2}^f#XX3zm+ODcCLH9rs2G_Wm1^* z7mGU#tP_-%?P&Na-*{9xf%%kqLg;~q%NuwtfTlToWvgK35K3nDFgn0ykUl~AC{RMd zy~n&k!SJf|16~CWphHE(6PWw%Ge`&Q1&8AehDkgd7|%#P@%X5jzFch;{ z2Gwv~$v^O1>NW2Uu}I;9$M+46+_78f#MPbiFqbLq{%7;Ljt0?)6mG5rzW`vEi!5Mh zTC(AUn8<-S3xKh&;lRk^nK)5bqruV<7@>g;OdOLADMbe`6gL4QdNBj5fJ&?Dwgn8& zSb(AB#>l1M0W{c=@eC&yFgTb*fRQbBvx#Yju!uvS1gl1af~L+UR#pRb4Pe-F1u!@U yQEqWdDx "/admin" ) - create: false \ No newline at end of file diff --git a/roles/app-pihole/tasks/install.yaml b/roles/app-pihole/tasks/install.yaml deleted file mode 100644 index 1ab9ab6..0000000 --- a/roles/app-pihole/tasks/install.yaml +++ /dev/null @@ -1,17 +0,0 @@ -- name: Download pihole - ansible.builtin.get_url: - url: https://github.com/pi-hole/pi-hole/archive/refs/tags/v{{ app_pihole_version }}.zip - dest: /tmp/pihole.zip - -- name: Extract pihole - ansible.builtin.unarchive: - src: /tmp/pihole.zip - dest: /tmp - remote_src: yes - -- name: Install pihole - ansible.builtin.shell: - executable: /bin/bash - cmd: | - set -o pipefail - cat '/tmp/pi-hole-{{ app_pihole_version }}/automated install/basic-install.sh' | bash /dev/stdin --unattended \ No newline at end of file diff --git a/roles/app-pihole/tasks/main.yaml b/roles/app-pihole/tasks/main.yaml deleted file mode 100644 index dc09b05..0000000 
--- a/roles/app-pihole/tasks/main.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-- name: Create configuration directory
- ansible.builtin.file:
- path: /etc/pihole
- state: directory
- owner: pihole
- group: pihole
- mode: 0750
-
-- name: Create setupvars
- ansible.builtin.copy:
- dest: /etc/pihole/setupVars.conf
- owner: pihole
- group: pihole
- mode: 0640
- force: true
- content: "{{ lookup('template', 'setup-vars.j2') }}"
-
-- name: Check if pihole already installed
- register: app_pihole_bin
- ansible.builtin.stat:
- path: /usr/local/bin/pihole
-
-- name: Install pihole
- when: not app_pihole_bin.stat.exists
- ansible.builtin.include_tasks:
- file: install.yaml
-
-- name: Configure dns server
- ansible.builtin.include_tasks:
- file: dns.yaml
-
-- name: Configure http server
- ansible.builtin.include_tasks:
- file: http.yaml
\ No newline at end of file
diff --git a/roles/app-pihole/templates/custom-hosts.j2 b/roles/app-pihole/templates/custom-hosts.j2
deleted file mode 100644
index ee04c05..0000000
--- a/roles/app-pihole/templates/custom-hosts.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-{%- for host in groups['all'] %}
-{{ hostvars[host].ansible_host }} {{ hostvars[host].ansible_hostname }}.{{ env.domain }}
-{% endfor %}
-
-{% for host in groups['all'] %}
-{% for record in hostvars[host].app_pihole_records | default([]) %}
-{% if record.type == "pomerium_proxy" %}
-{{ hostvars['pomerium'].ansible_host }} {{ record.hostname }}.{{ env.domain }}
-{% elif record.type == "ansible_host" %}
-{{ hostvars[host].ansible_host }} {{ record.hostname }}.{{ env.domain }}
-{% else %}
-{{ record.value }} {{ record.hostname }}.{{ env.domain }}
-{% endif %}
-{% endfor %}
-{% endfor %}
\ No newline at end of file
diff --git a/roles/app-pihole/templates/dnsmasq-forwarders.j2 b/roles/app-pihole/templates/dnsmasq-forwarders.j2
deleted file mode 100644
index 6b7a41f..0000000
--- a/roles/app-pihole/templates/dnsmasq-forwarders.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-{% for custom_forwarder in app_pihole_custom_forwarders | default([]) %}
-server=/{{ custom_forwarder.domain_pattern }}/{{ custom_forwarder.nameserver }}
-{% endfor %}
diff --git a/roles/app-pihole/templates/dnsmasq-local.j2 b/roles/app-pihole/templates/dnsmasq-local.j2
deleted file mode 100644
index 9685bef..0000000
--- a/roles/app-pihole/templates/dnsmasq-local.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-domain={{ env.domain }}
-local=/{{ env.domain }}/
diff --git a/roles/app-pihole/templates/setup-vars.j2 b/roles/app-pihole/templates/setup-vars.j2
deleted file mode 100644
index 280c0ea..0000000
--- a/roles/app-pihole/templates/setup-vars.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-WEBPASSWORD=
-QUERY_LOGGING=true
-INSTALL_WEB=true
-DNSMASQ_LISTENING=single
-{% for forwarder in app_pihole_forwarders %}
-PIHOLE_DNS_{{ loop.index }}={{ forwarder }}
-{% endfor %}
-DNS_FQDN_REQUIRED=true
-DNS_BOGUS_PRIV=true
-DNSSEC=true
-TEMPERATUREUNIT=C
-WEBUIBOXEDLAYOUT=traditional
-API_EXCLUDE_DOMAINS=
-API_EXCLUDE_CLIENTS=
-API_QUERY_LOG_SHOW=all
-API_PRIVACY_MODE=false
-BLOCKING_ENABLED={{ app_pihole_blocking_enabled | string | lower }}
diff --git a/roles/app-pomerium/defaults/main.yaml b/roles/app-pomerium/defaults/main.yaml
deleted file mode 100644
index 42d9eab..0000000
--- a/roles/app-pomerium/defaults/main.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-app_pomerium_gid: 7000
-app_pomerium_uid: 7000
\ No newline at end of file
diff --git a/roles/app-pomerium/tasks/configure.yaml b/roles/app-pomerium/tasks/configure.yaml
deleted file mode 100644
index d7414c4..0000000
--- a/roles/app-pomerium/tasks/configure.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: Create config file
- register: app_pomerium_config_file
- ansible.builtin.copy:
- dest: /etc/pomerium/config.yaml
- owner: pomerium
- group: pomerium
- mode: 0440
- force: true
- content: "{{ lookup('template', 'config.j2') }}"
\ No newline at end of file
diff --git a/roles/app-pomerium/tasks/install.yaml b/roles/app-pomerium/tasks/install.yaml
deleted file mode 100644
index f640c76..0000000
--- a/roles/app-pomerium/tasks/install.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-- name: Download apt key
- ansible.builtin.get_url:
- url: "https://dl.cloudsmith.io/public/pomerium/pomerium/gpg.6E388440B94E1407.key"
- dest: /etc/apt/keyrings/pomerium.asc
-
-- name: Add apt repository
- ansible.builtin.apt_repository:
- repo: "deb [signed-by=/etc/apt/keyrings/pomerium.asc] https://dl.cloudsmith.io/public/pomerium/pomerium/deb/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main"
- state: present
- update_cache: true
- filename: pomerium
-
-- name: Install Pomerium package
- ansible.builtin.apt:
- name:
- - pomerium
- - pomerium-cli
\ No newline at end of file
diff --git a/roles/app-pomerium/tasks/main.yaml b/roles/app-pomerium/tasks/main.yaml
deleted file mode 100644
index 44a3b7e..0000000
--- a/roles/app-pomerium/tasks/main.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: Create user with fixed UID/GID
- ansible.builtin.include_tasks:
- file: user.yaml
-
-- name: Install pomerium
- ansible.builtin.include_tasks:
- file: install.yaml
-
-- name: Configure pomerium
- ansible.builtin.include_tasks:
- file: configure.yaml
-
-- name: Configure systemd
- ansible.builtin.include_tasks:
- file: systemd.yaml
diff --git a/roles/app-pomerium/tasks/systemd.yaml b/roles/app-pomerium/tasks/systemd.yaml
deleted file mode 100644
index 0b8b635..0000000
--- a/roles/app-pomerium/tasks/systemd.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-- name: Create override directory
- ansible.builtin.file:
- dest: /etc/systemd/system/pomerium.service.d
- owner: root
- group: root
- mode: "0755"
- state: directory
-
-- name: Create override file to allow usage of port 443
- ansible.builtin.copy:
- dest: /etc/systemd/system/pomerium.service.d/override-port.conf
- owner: root
- group: root
- mode: "0644"
- content: |
- [Service]
- AmbientCapabilities=CAP_NET_BIND_SERVICE
-
-- name: (Re)start service
- ansible.builtin.systemd_service:
- name: pomerium
- enabled: true
- daemon_reload: true
- state: "{{ 'restarted' if app_pomerium_config_file.changed else 'started' }}"
diff --git a/roles/app-pomerium/tasks/user.yaml b/roles/app-pomerium/tasks/user.yaml
deleted file mode 100644
index 26e07aa..0000000
--- a/roles/app-pomerium/tasks/user.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: Create pomerium group with fixed GID
- ansible.builtin.group:
- name: pomerium
- gid: "{{ app_pomerium_gid }}"
-
-- name: Create pomerium user with fixed UID
- ansible.builtin.user:
- name: pomerium
- group: pomerium
- uid: "{{ app_pomerium_uid }}"
- create_home: true
diff --git a/roles/app-pomerium/templates/config.j2 b/roles/app-pomerium/templates/config.j2
deleted file mode 100644
index 02bc0a4..0000000
--- a/roles/app-pomerium/templates/config.j2
+++ /dev/null
@@ -1,58 +0,0 @@
-authenticate_service_url: https://{{ app_pomerium_hostname }}
-
-autocert: false
-
-certificates:
-{% for cert in app_pomerium_certificates %}
- - cert: '{{ cert.fullchain_path }}'
- key: '{{ cert.key_path }}'
-{% endfor %}
-
-idp_provider: {{ app_pomerium_idp_provider }}
-idp_provider_url: '{{ app_pomerium_idp_provider_url }}'
-idp_client_id: {{ app_pomerium_idp_client_id }}
-idp_client_secret: {{ app_pomerium_idp_client_secret }}
-
-cookie_secret: {{ app_pomerium_cookie_secret }}
-
-# TODO: metrics_address: :9090
-
-routes:
-{% for host in groups['all'] %}
-{% for route in hostvars[host].app_pomerium_routes | default([]) %}
- - from: https://{{ route.hostname }}.{{ domain }}
- tls_skip_verify: {{ 'true' if route.tls_skip_verify | default(false) else 'false' }}
-{% if route.backend | default(none) is none %}
- to: {{ route.protocol | default("http") }}://{{ hostvars[host].ansible_host }}:{{ route.target_port | default(80) }}
-{% elif route.backend is string %}
- to: {{ route.protocol | default("http") }}://{{ route.backend }}:{{ route.target_port | default(80) }}
-{% else %}
- to:
-{% for backend_host in route.backend %}
- - {{ route.protocol | default("http") }}://{{ backend_host }}:{{ route.target_port | default(80) }}
-{% endfor%}
-{% endif %}
-{% if not (route.backend | default('') is string) %}
- lb_policy: {{ route.backend_lb_policy | default('ROUND_ROBIN') }}
-{% endif %}
-{% if route.path | default('') != '' %}
- path: {{ route.path }}
-{% endif %}
-{% if route.tls_upstream_server_name | default(none) is not none %}
- tls_upstream_server_name: {{ route.tls_upstream_server_name }}
-{% endif %}
-{% if route.auth_mode == 'administrators' %}
- policy:
- - allow:
- or:
- - claim/groups: "{{ app_pomerium_groups_administrators }}"
-{% elif route.auth_mode == 'users' %}
- policy:
- - allow:
- or:
- - claim/groups: "{{ app_pomerium_groups_users }}"
-{% elif route.auth_mode == 'public' %}
- allow_public_unauthenticated_access: true
-{% endif %}
-{% 
endfor %}
-{% endfor %}
diff --git a/roles/app-unifi-controller/tasks/main.yaml b/roles/app-unifi-controller/tasks/main.yaml
deleted file mode 100644
index 368a8da..0000000
--- a/roles/app-unifi-controller/tasks/main.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: Install MongoDB
- ansible.builtin.include_tasks:
- file: mongodb.yaml
-
-- name: Install Unifi Controller
- ansible.builtin.include_tasks:
- file: unifi.yaml
diff --git a/roles/app-unifi-controller/tasks/mongodb.yaml b/roles/app-unifi-controller/tasks/mongodb.yaml
deleted file mode 100644
index e7d10bb..0000000
--- a/roles/app-unifi-controller/tasks/mongodb.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-- name: Download MongoDB apt key
- ansible.builtin.get_url:
- url: https://www.mongodb.org/static/pgp/server-7.0.asc
- dest: /etc/apt/keyrings/mongodb-7.0.asc
-
-- name: Add apt repository
- ansible.builtin.apt_repository:
- repo: "deb [ signed-by=/etc/apt/keyrings/mongodb-7.0.asc ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main"
- state: present
- filename: mongodb-7.0
- update_cache: true
-
-- name: Install MongoDB
- ansible.builtin.apt:
- name: mongodb-org-server
- state: present
diff --git a/roles/app-unifi-controller/tasks/unifi.yaml b/roles/app-unifi-controller/tasks/unifi.yaml
deleted file mode 100644
index e8aa688..0000000
--- a/roles/app-unifi-controller/tasks/unifi.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-- name: Download MongoDB apt key
- ansible.builtin.get_url:
- url: https://dl.ui.com/unifi/unifi-repo.gpg
- dest: /usr/share/keyrings/unifi-repo.gpg
-
-- name: Add apt repository
- ansible.builtin.apt_repository:
- repo: "deb [ signed-by=/usr/share/keyrings/unifi-repo.gpg ] https://www.ui.com/downloads/unifi/debian stable ubiquiti"
- state: present
- filename: ubnt-unifi
- update_cache: true
-
-- name: Install Unifi Controller
- ansible.builtin.apt:
- name: unifi
- state: present
diff --git a/roles/docker/tasks/main.yaml b/roles/docker/tasks/main.yaml
deleted file mode 100644
index 9574a8a..0000000
--- a/roles/docker/tasks/main.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-- name: Install docker management pip module
- ansible.builtin.apt:
- name: python3-docker
- state: present
-
-- name: Install docker
- ansible.builtin.import_role:
- name: geerlingguy.docker
diff --git a/roles/hosts/tasks/main.yml b/roles/hosts/tasks/main.yml
deleted file mode 100644
index 03d6c81..0000000
--- a/roles/hosts/tasks/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-- name: Add host entries for other nodes (FQDN and hostname)
- ansible.builtin.lineinfile:
- path: /etc/hosts
- regexp: "^.*\\W+{{ item | replace('.', '\\.') }}.*"
- line: "{{ hostvars[item]['ansible_host'] }} {{ hostvars[item]['ansible_hostname'] }} {{ hostvars[item]['ansible_hostname'] }}.{{ domain }}"
- with_items: "{{ groups[hosts_group_name] }}"
diff --git a/roles/pve_cluster_firewall/tasks/main.yaml b/roles/pve_cluster_firewall/tasks/main.yaml
deleted file mode 100644
index ed815c9..0000000
--- a/roles/pve_cluster_firewall/tasks/main.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-- name: Create firewall config file if it does not exist
- run_once: true
- ansible.builtin.file:
- path: /etc/pve/firewall/cluster.fw
- state: touch
-
-- name: Configure cluster firewall
- ansible.builtin.import_role:
- name: "{{ role_path }}/../pve_firewall_common"
- vars:
- pve_firewall_default_scope: dc
- pve_firewall_filepath: /etc/pve/firewall/cluster.fw
- pve_firewall_aliases: "{{ pve_cluster_firewall_aliases }}"
- pve_firewall_ipsets: "{{ pve_cluster_firewall_ipsets }}"
- pve_firewall_rules: "{{ pve_cluster_firewall_rules }}"
- pve_firewall_enabled: "{{ pve_cluster_firewall_enabled }}"
- pve_firewall_security_groups: "{{ pve_cluster_firewall_security_groups }}"
\ No newline at end of file
diff --git a/roles/pve_cluster_getssl/files/getssl-copy-container-all.sh b/roles/pve_cluster_getssl/files/getssl-copy-container-all.sh
deleted file mode 100644
index 5c86ddf..0000000
--- a/roles/pve_cluster_getssl/files/getssl-copy-container-all.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-
-CONTAINER_CONFIGS=$(ls -l /etc/pve/getssl-containers/*.json 2>/dev/null | cut -d' ' -f9)
-
-for CONTAINER_CONFIG in $CONTAINER_CONFIGS
-do
- CONTAINER_ID="${CONTAINER_CONFIG%.*}"
- getssl-copy-container $CONTAINER_ID || echo "Failure is ignored on purpose"
-done
diff --git a/roles/pve_cluster_getssl/files/getssl-copy-container.sh b/roles/pve_cluster_getssl/files/getssl-copy-container.sh
deleted file mode 100644
index 4c7e389..0000000
--- a/roles/pve_cluster_getssl/files/getssl-copy-container.sh
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-CONTAINER_ID=$1
-
-CONFIG_FILE="/etc/pve/getssl-containers/$CONTAINER_ID.json"
-MOUNTPOINTS_ROOT="/var/lib/getssl" # /$CONTAINER_ID
-
-# Check if config file exists
-if ! test -f $CONFIG_FILE; then
- exit 0
-fi
-
-function getCertField() {
- CERT_NAME=$1
- FIELD_NAME=$2
- CONFIG_FILE=$3
-
- VALUE=$(jq -r ".[] | select(.name == \"$CERT_NAME\").$FIELD_NAME" $CONFIG_FILE)
-
- if [ -z "$VALUE" ]; then
- echo "The field $FIELD_NAME is mandatory"
- exit 1
- fi
-
- echo "$VALUE"
-}
-
-CERTIFICATES=$(jq -r '.[].name' $CONFIG_FILE)
-
-for CERT in $CERTIFICATES
-do
- CERT_TARGET_NAME=$(getCertField "$CERT" "cert_filename" "$CONFIG_FILE")
- KEY_TARGET_NAME=$(getCertField "$CERT" "key_filename" "$CONFIG_FILE")
- FULLCHAIN_TARGET_NAME=$(getCertField "$CERT" "fullchain_filename" "$CONFIG_FILE")
- OWNER=$(getCertField "$CERT" "user" $CONFIG_FILE)
- GROUP=$(getCertField "$CERT" "group" $CONFIG_FILE)
- PERMS=$(getCertField "$CERT" "mode" $CONFIG_FILE)
-
- # Copy files with new names
- cp "/etc/pve/getssl/$CERT/fullchain.crt" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$FULLCHAIN_TARGET_NAME.tmp"
- cp "/etc/pve/getssl/$CERT/$CERT.crt" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$CERT_TARGET_NAME.tmp"
- cp "/etc/pve/getssl/$CERT/$CERT.key" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$KEY_TARGET_NAME.tmp"
-
- # Change permissions
- chown "$OWNER" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$FULLCHAIN_TARGET_NAME.tmp"
- chown "$OWNER" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$CERT_TARGET_NAME.tmp"
- chown "$OWNER" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$KEY_TARGET_NAME.tmp"
-
- chgrp "$GROUP" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$FULLCHAIN_TARGET_NAME.tmp"
- chgrp "$GROUP" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$CERT_TARGET_NAME.tmp"
- chgrp "$GROUP" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$KEY_TARGET_NAME.tmp"
-
- # Overwrite the files
- mv "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$FULLCHAIN_TARGET_NAME.tmp" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$FULLCHAIN_TARGET_NAME"
- mv 
"$MOUNTPOINTS_ROOT/$CONTAINER_ID/$CERT_TARGET_NAME.tmp" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$CERT_TARGET_NAME"
- mv "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$KEY_TARGET_NAME.tmp" "$MOUNTPOINTS_ROOT/$CONTAINER_ID/$KEY_TARGET_NAME"
-done
\ No newline at end of file
diff --git a/roles/pve_cluster_getssl/files/getssl-copy-pveproxy.sh b/roles/pve_cluster_getssl/files/getssl-copy-pveproxy.sh
deleted file mode 100644
index 7cf883d..0000000
--- a/roles/pve_cluster_getssl/files/getssl-copy-pveproxy.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-UPDATE=false
-NODE_NAME=$(hostname)
-GETSSL_CERTNAME=$1
-
-PROXY_PEM_HASH=$(sha1sum "/etc/pve/nodes/$NODE_NAME/pveproxy-ssl.pem" 2>/dev/null)
-PROXY_KEY_HASH=$(sha1sum "/etc/pve/nodes/$NODE_NAME/pveproxy-ssl.key" 2>/dev/null)
-
-GETSSL_PEM_HASH=$(sha1sum "/etc/pve/getssl/$GETSSL_CERTNAME/fullchain.crt" 2>/dev/null)
-GETSSL_KEY_HASH=$(sha1sum "/etc/pve/getssl/$GETSSL_CERTNAME/$GETSSL_CERTNAME.key" 2>/dev/null)
-
-if [ "$PROXY_PEM_HASH" == "" ] || [ "$PROXY_KEY_HASH" == "" ] || [ "$PROXY_PEM_HASH" != "$GETSSL_PEM_HASH" ] || [ "$PROXY_KEY_HASH" != "$GETSSL_KEY_HASH" ]; then
- echo "Updating certificates..."
- cp /etc/pve/getssl/$GETSSL_CERTNAME/fullchain.crt /etc/pve/nodes/$NODE_NAME/pveproxy-ssl.pem
- cp /etc/pve/getssl/$GETSSL_CERTNAME/$GETSSL_CERTNAME.key /etc/pve/nodes/$NODE_NAME/pveproxy-ssl.key
-
- systemctl restart pveproxy
-fi
\ No newline at end of file
diff --git a/roles/pve_cluster_getssl/tasks/configure.yaml b/roles/pve_cluster_getssl/tasks/configure.yaml
deleted file mode 100644
index 448929f..0000000
--- a/roles/pve_cluster_getssl/tasks/configure.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-- name: Create workdir in proxmox cluster fs
- ansible.builtin.file:
- path: "/etc/pve/getssl"
- state: directory
-
-- name: Create containers mapping directory
- ansible.builtin.file:
- path: "/etc/pve/getssl-containers"
- state: directory
-
-- name: Create configuration directory for each certificate
- loop: "{{ getssl_certificates }}"
- loop_control:
- loop_var: certificate
- ansible.builtin.file:
- path: "/etc/pve/getssl/{{ certificate.domain }}"
- state: directory
-
-- name: Touch global configuration file
- ansible.builtin.file:
- path: /etc/pve/getssl/getssl.cfg
- state: touch
-
-- name: Create global configuration file
- ansible.builtin.copy:
- dest: /etc/pve/getssl/getssl.cfg
- content: "{{ lookup('template', 'getssl-root.j2') }}"
- force: true
-
-- name: Touch certificate configuration files
- loop: "{{ getssl_certificates }}"
- loop_control:
- loop_var: certificate
- ansible.builtin.file:
- path: "/etc/pve/getssl/{{ certificate.domain }}/getssl.cfg"
- state: touch
-
-- name: Create certificate configuration files
- loop: "{{ getssl_certificates }}"
- loop_control:
- loop_var: certificate
- ansible.builtin.copy:
- dest: "/etc/pve/getssl/{{ certificate.domain }}/getssl.cfg"
- content: "{{ lookup('template', 'getssl-certificate.j2', template_vars=certificate) }}"
- force: true
diff --git a/roles/pve_cluster_getssl/tasks/cron.yaml b/roles/pve_cluster_getssl/tasks/cron.yaml
deleted file mode 100644
index 33bd27f..0000000
--- a/roles/pve_cluster_getssl/tasks/cron.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: Create cron for automated certificate renewal
- ansible.builtin.cron:
- name: "getssl-renewal"
- cron_file: getssl-renewal
- user: root
- job: "/usr/bin/getssl -u -a -w /etc/pve/getssl &>> /var/log/getssl.log"
- hour: "{{ getssl_cron_renewal_hour | default(17) }}"
- minute: 0
-
-- name: Create cron for automated certificate push to the containers
- ansible.builtin.cron:
- name: "getssl-containers"
- cron_file: getssl-containers
- user: root
- job: "/usr/bin/getssl-copy-container-all &>> /var/log/getssl-containers.log"
- hour: 20
- minute: 0
-
-- name: Create cron to update pve proxy certificate
- ansible.builtin.cron:
- name: "getssl-pveproxy"
- cron_file: getssl-pveproxy
- user: root
- job: "/usr/bin/getssl-copy-pveproxy \"{{ (getssl_certificates | selectattr('pveproxy', 'defined') | selectattr('pveproxy', 'equalto', true) | first).domain }}\" &>> /var/log/getssl-pveproxy.log"
- hour: 23
- minute: 0
\ No newline at end of file
diff --git a/roles/pve_cluster_getssl/tasks/main.yaml b/roles/pve_cluster_getssl/tasks/main.yaml
deleted file mode 100644
index 92a9898..0000000
--- a/roles/pve_cluster_getssl/tasks/main.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-- name: Install required packages
- ansible.builtin.apt:
- name: jq # Required for parsing the config files
-
-- name: Install getssl
- ansible.builtin.apt:
- deb: "https://github.com/srvrco/getssl/releases/download/v{{ getssl_version }}/getssl_{{ getssl_version }}-1_all.deb"
-
-- name: Configure getssl
- run_once: true
- ansible.builtin.include_tasks:
- file: configure.yaml
-
-- name: Create copy scripts
- ansible.builtin.include_tasks:
- file: scripts.yaml
-
-- name: Create cron jobs
- ansible.builtin.include_tasks:
- file: cron.yaml
-
-- name: Issue certificates
- run_once: true
- loop: "{{ getssl_certificates }}"
- loop_control:
- loop_var: certificate
- ansible.builtin.command:
- cmd: "getssl {{ certificate.domain }} -w /etc/pve/getssl"
\ No newline at end of file
diff --git a/roles/pve_cluster_getssl/tasks/scripts.yaml b/roles/pve_cluster_getssl/tasks/scripts.yaml
deleted file mode 100644
index ac984b3..0000000
--- a/roles/pve_cluster_getssl/tasks/scripts.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: Copy script files
- ansible.builtin.copy:
- dest: "/usr/bin/{{ item }}"
- content: "{{ lookup('file', item + '.sh') }}"
- owner: root
- group: root
- mode: "0750"
- loop:
- - getssl-copy-container
- - getssl-copy-container-all
- - getssl-copy-pveproxy
diff --git a/roles/pve_cluster_getssl/templates/getssl-certificate.j2 b/roles/pve_cluster_getssl/templates/getssl-certificate.j2
deleted file mode 100644
index ee44709..0000000
--- a/roles/pve_cluster_getssl/templates/getssl-certificate.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-VALIDATE_VIA_DNS="true"
-
-{%- if certificate.additional_domains is defined %}
-SANS="{{ certificate.additional_domains | join(",") }}"
-{% endif %}
diff --git a/roles/pve_cluster_getssl/templates/getssl-root.j2 b/roles/pve_cluster_getssl/templates/getssl-root.j2
deleted file mode 100644
index 3365261..0000000
--- a/roles/pve_cluster_getssl/templates/getssl-root.j2
+++ /dev/null
@@ -1,18 +0,0 @@
-CA="https://acme-v02.api.letsencrypt.org"
-
-ACCOUNT_EMAIL="{{ getssl_acme_email }}"
-ACCOUNT_KEY_LENGTH=4096
-
-PRIVATE_KEY_ALG="rsa"
-
-RENEW_ALLOW="30"
-
-SERVER_TYPE="https"
-CHECK_REMOTE="true"
-
-VALIDATE_VIA_DNS="true"
-DNS_ADD_COMMAND=/usr/share/getssl/dns_scripts/dns_add_cloudflare
-DNS_DEL_COMMAND=/usr/share/getssl/dns_scripts/dns_del_cloudflare
-
-export CF_EMAIL="{{ getssl_cloudflare_email }}"
-export CF_API_TOKEN="{{ getssl_cloudflare_api_token }}"
\ No newline at end of file
diff --git a/roles/pve_cluster_ha/tasks/main.yaml b/roles/pve_cluster_ha/tasks/main.yaml
deleted file mode 100644
index 3ca6154..0000000
--- a/roles/pve_cluster_ha/tasks/main.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: Create ha config file if it does not exist
- run_once: true
- ansible.builtin.file:
- dest: /etc/pve/ha/groups.cfg
- state: touch
-
-- name: Update the ha config file
- run_once: true
- ansible.builtin.copy:
- dest: /etc/pve/ha/groups.cfg
- owner: root
- group: www-data
- mode: "0640"
- force: true
- content: "{{ lookup('template', 'ha-groups.j2') }}"
diff --git a/roles/pve_cluster_ha/templates/ha-groups.j2 b/roles/pve_cluster_ha/templates/ha-groups.j2
deleted file mode 100644
index ff2f915..0000000
--- a/roles/pve_cluster_ha/templates/ha-groups.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-{%- for group in pve_cluster_ha_groups %}
-group: {{ group.name }}
- nodes {% for node in group.nodes %}
-{{- hostvars[node.name].ansible_hostname -}}
-{%- if node.priority | default("") != "" %}:{{ node.priority }}{% endif %}
-{%- if not loop.last %},{% endif %}
-{% endfor %}
-
- nofailback {{ '1' if (group.nofailback | default(false)) else '0' }}
- restricted {{ '1' if (group.restricted | default(false)) else '0' }}
-
-{% endfor %}
\ No newline at end of file
diff --git a/roles/pve_cluster_options/tasks/main.yaml b/roles/pve_cluster_options/tasks/main.yaml
deleted file mode 100644
index 788df1b..0000000
--- a/roles/pve_cluster_options/tasks/main.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-- name: Configure migration network
- run_once: true
- ansible.builtin.lineinfile:
- path: /etc/pve/datacenter.cfg
- create: false
- regexp: "^migration:.*"
- line: "network={{ pve_cluster_options_migration_network }},type=secure"
- when: pve_cluster_options_migration_network is defined and pve_cluster_options_migration_network != ""
diff --git a/roles/pve_cluster_vxlan/tasks/configs.yaml b/roles/pve_cluster_vxlan/tasks/configs.yaml
deleted file mode 100644
index 0eb493e..0000000
--- a/roles/pve_cluster_vxlan/tasks/configs.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-- name: Touch config files first to make it work with proxmox corosync
- ansible.builtin.file:
- path: "{{ item }}"
- state: touch
- loop:
- - /etc/pve/sdn/zones.cfg
- - /etc/pve/sdn/vnets.cfg
- - /etc/pve/sdn/subnets.cfg
-
-- name: Configure zones
- ansible.builtin.copy:
- dest: /etc/pve/sdn/zones.cfg
- owner: root
- group: www-data
- mode: "0640"
- force: true
- content: "{{ lookup('template', 'zones.j2') }}"
-
-- name: Configure vnets
- ansible.builtin.copy:
- dest: /etc/pve/sdn/vnets.cfg
- owner: root
- group: www-data
- mode: "0640"
- force: true
- content: "{{ lookup('template', 'vnets.j2') }}"
-
-- name: Configure subnets
- ansible.builtin.copy:
- dest: /etc/pve/sdn/subnets.cfg
- owner: root
- group: www-data
- mode: "0640"
- force: true
- content: "{{ lookup('template', 'subnets.j2') }}"
\ No newline at end of file
diff --git a/roles/pve_cluster_vxlan/tasks/ipam.yaml b/roles/pve_cluster_vxlan/tasks/ipam.yaml
deleted file mode 100644
index d88510a..0000000
--- a/roles/pve_cluster_vxlan/tasks/ipam.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: Configure IPAM and DHCP ranges for subnet
- changed_when: true
- loop: "{{ lookup('template', 'subnet-list.j2') | from_yaml }}"
- loop_control:
- loop_var: subnet
- ansible.builtin.command:
- cmd: "pvesh set /cluster/sdn/vnets/{{ subnet.vnet_name }}/subnets/{{ subnet.id }}"
\ No newline at end of file
diff --git a/roles/pve_cluster_vxlan/tasks/main.yaml b/roles/pve_cluster_vxlan/tasks/main.yaml
deleted file mode 100644
index be99d57..0000000
--- a/roles/pve_cluster_vxlan/tasks/main.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-- name: Install required packages
- ansible.builtin.apt:
- name: libpve-network-perl
- state: present
-
-- name: Verify SDN is enabled
- ansible.builtin.lineinfile:
- path: /etc/network/interfaces
- create: false
- line: "source /etc/network/interfaces.d/*"
-
-- name: Update config files
- run_once: true
- ansible.builtin.include_tasks:
- file: configs.yaml
-
-- name: Update IPAM
- run_once: true
- ansible.builtin.include_tasks:
- file: ipam.yaml
-
-- name: Apply changes to the whole cluster
- changed_when: true
- ansible.builtin.command:
- cmd: pvesh set /cluster/sdn
diff --git a/roles/pve_cluster_vxlan/templates/subnet-list.j2 b/roles/pve_cluster_vxlan/templates/subnet-list.j2
deleted file mode 100644
index 249508f..0000000
--- a/roles/pve_cluster_vxlan/templates/subnet-list.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-{% for zone in pve_cluster_vxlans %}
-{% for vnet in zone.vnets %}
-{% for subnet in vnet.subnets %}
-- vnet_name: {{ vnet.name }}
- id: {{ zone.name }}-{{ subnet.cidr | replace('/', '-') }}
-
-{% endfor %}
-{% endfor %}
-{% endfor %}
\ No newline at end of file
diff --git a/roles/pve_cluster_vxlan/templates/subnets.j2 b/roles/pve_cluster_vxlan/templates/subnets.j2
deleted file mode 100644
index d112103..0000000
--- a/roles/pve_cluster_vxlan/templates/subnets.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-{% for zone in pve_cluster_vxlans %}
-{% for vnet in zone.vnets %}
-{% for subnet in vnet.subnets %}
-subnet: {{ zone.name }}-{{ subnet.cidr | replace('/', '-') }}
- vnet {{ vnet.name }}
-{% for dhcp_range in subnet.dhcp_ranges | default([]) %}
- dhcp-range start-address={{ dhcp_range.start }},end-address={{ dhcp_range.end }}
-{% endfor %}
-
-{% endfor %}
-{% endfor %}
-{% endfor %}
\ No newline at end of file
diff --git a/roles/pve_cluster_vxlan/templates/vnets.j2 b/roles/pve_cluster_vxlan/templates/vnets.j2
deleted file mode 100644
index c997805..0000000
--- a/roles/pve_cluster_vxlan/templates/vnets.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-{% for zone in pve_cluster_vxlans %}
-{% for vnet in zone.vnets %}
-vnet: {{ vnet.name }}
- zone {{ zone.name }}
- tag {{ vnet.tag }}
-
-{% endfor %}
-{% endfor %}
\ No newline at end of file
diff --git a/roles/pve_cluster_vxlan/templates/zones.j2 b/roles/pve_cluster_vxlan/templates/zones.j2
deleted file mode 100644
index 52428d4..0000000
--- a/roles/pve_cluster_vxlan/templates/zones.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-{% for zone in pve_cluster_vxlans %}
-vxlan: {{ zone.name }}
- peers {{ zone.peer_hosts | map('extract', hostvars, 'ansible_host') | join(',') }}
- ipam {{ zone.ipam | default('pve') }}
-
-{% endfor %}
\ No newline at end of file
diff --git a/roles/pve_firewall_common/tasks/main.yaml b/roles/pve_firewall_common/tasks/main.yaml
deleted file mode 100644
index 7c02c40..0000000
--- a/roles/pve_firewall_common/tasks/main.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-- name: Validate aliases
- run_once: true
- loop: "{{ pve_firewall_aliases | default([]) }}"
- loop_control:
- loop_var: alias
- ansible.builtin.assert:
- quiet: true
- that:
- - (alias.name | regex_search("[A-Za-z][A-Za-z0-9\-\_]+")) == alias.name
- - (alias.name | length) <= 64
-
-- name: Validate ipsets
- run_once: true
- loop: "{{ pve_firewall_ipsets | default([]) }}"
- loop_control:
- loop_var: ipset
- ansible.builtin.assert:
- quiet: true
- that:
- - (ipset.name | regex_search("[A-Za-z][A-Za-z0-9\-\_]+")) == ipset.name
- - (ipset.name | length) <= 64
-
-- name: Validate security groups
- run_once: true
- loop: "{{ pve_firewall_security_groups | default([]) }}"
- loop_control:
- loop_var: group
- ansible.builtin.assert:
- quiet: true
- that:
- - (group.name | regex_search("[A-Za-z][A-Za-z0-9\-\_]+")) == group.name
- - (group.name | length) <= 18
-
-- name: Touch firewall file to make sure it exists
- run_once: true
- ansible.builtin.file:
- path: "{{ pve_firewall_filepath }}"
- state: touch
-
-- name: Update firewall file
- run_once: true
- ansible.builtin.copy:
- dest: "{{ pve_firewall_filepath }}"
- force: true
- unsafe_writes: true
- content: "{{ lookup('template', 'firewall-file.j2') }}"
diff --git a/roles/pve_firewall_common/templates/firewall-file.j2 b/roles/pve_firewall_common/templates/firewall-file.j2
deleted file mode 100644
index 0d348ba..0000000
--- a/roles/pve_firewall_common/templates/firewall-file.j2
+++ /dev/null
@@ -1,28 +0,0 @@
-[OPTIONS]
-
-enable: {{ '1' if pve_firewall_enabled else '0' }}
-
-{% if pve_firewall_aliases | default([]) | length > 0 %}
-[ALIASES]
-
-{% for alias in pve_firewall_aliases %}
-{{ alias.name }} {{ alias.cidr }}
-{% endfor %}
-{%- endif %}
-
-{% for ipset in pve_firewall_ipsets | default([]) %}
-
-{{ lookup('template', 'ipset.j2', template_vars=dict(ipset=ipset, default_scope=pve_firewall_default_scope)) }}
-{%- endfor %}
-
-{% for group in pve_firewall_security_groups | default([]) %}
-{{ lookup('template', 'security-group.j2', template_vars=dict(group=group, default_scope=pve_firewall_default_scope)) }}
-{% endfor %}
-
-{%- if pve_firewall_rules | default([]) | length > 0 %}
-
-[RULES]
-{% for rule in pve_firewall_rules %}
-{{ lookup('template', 'firewall-rule.j2', template_vars=dict(rule=rule, default_scope=pve_firewall_default_scope)) }}
-{% endfor %}
-{%- endif %}
diff --git a/roles/pve_firewall_common/templates/firewall-rule.j2 b/roles/pve_firewall_common/templates/firewall-rule.j2
deleted file mode 100644
index 33e0cf3..0000000
--- a/roles/pve_firewall_common/templates/firewall-rule.j2
+++ /dev/null
@@ -1,22 +0,0 @@ -{%- if rule.enabled | default(true) == false %}|{% endif -%} -{%- if rule.type | default("") | lower == "group" %} -GROUP {{ rule.name }} - {{- lookup('template', 'partials/interface.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} -{%- elif rule.type | default("") | lower == "macro" %} - {{- rule.direction | upper }}{%raw%} {%endraw%} - {{- rule.name }}({{ rule.action | upper }}) - {{- lookup('template', 'partials/source.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} - {{- lookup('template', 'partials/destination.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} - {{- lookup('template', 'partials/interface.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} - {{- lookup('template', 'partials/log.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} -{%- else %} - {{- rule.direction | upper }}{%raw%} {%endraw%} - {{- rule.action | upper }} - {{- lookup('template', 'partials/source.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} - {{- lookup('template', 'partials/destination.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} - {{- lookup('template', 'partials/protocol.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} - {{- lookup('template', 'partials/source-port.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} - {{- lookup('template', 'partials/destination-port.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} - {{- lookup('template', 'partials/interface.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} - {{- lookup('template', 'partials/log.j2', template_vars=dict(rule=rule, default_scope=default_scope)) }} -{%- endif -%} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/ipset.j2 b/roles/pve_firewall_common/templates/ipset.j2 deleted file mode 100644 index 71bd185..0000000 
--- a/roles/pve_firewall_common/templates/ipset.j2 +++ /dev/null @@ -1,9 +0,0 @@ -[IPSET {{ ipset.name }}] - -{% for item in ipset["items"] | default([]) %} -{% if item.type | default("") == "alias" %} -{{ item.scope | default(default_scope) }}/{{ item.name }} -{% else %} -{{ item.cidr }} -{% endif %} -{%- endfor %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/destination-port.j2 b/roles/pve_firewall_common/templates/partials/destination-port.j2 deleted file mode 100644 index 1ce94fc..0000000 --- a/roles/pve_firewall_common/templates/partials/destination-port.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{%- if rule.destination_port | default("") != "" %} - -dport {{ rule.destination_port }} -{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/destination.j2 b/roles/pve_firewall_common/templates/partials/destination.j2 deleted file mode 100644 index 9355658..0000000 --- a/roles/pve_firewall_common/templates/partials/destination.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{%- if rule.destination is defined %} - -dest {{ lookup('template', 'partials/host-expression.j2',template_vars=(dict(expression=rule.destination, default_scope=default_scope))) }} -{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/host-expression.j2 b/roles/pve_firewall_common/templates/partials/host-expression.j2 deleted file mode 100644 index 1b44867..0000000 --- a/roles/pve_firewall_common/templates/partials/host-expression.j2 +++ /dev/null @@ -1,7 +0,0 @@ -{%- if expression.type | default("") == "ipset" %} -+{{ expression.scope | default(default_scope) | mandatory }}/{{ expression.name }} -{%- elif expression.type | default("") == "alias" %} -{{ expression.scope | default(default_scope) | mandatory }}/{{ expression.name }} -{%- else %} -{{ expression }} -{%- endif %} \ No newline at end of file 
diff --git a/roles/pve_firewall_common/templates/partials/interface.j2 b/roles/pve_firewall_common/templates/partials/interface.j2 deleted file mode 100644 index 9e61fc4..0000000 --- a/roles/pve_firewall_common/templates/partials/interface.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{%- if rule.interface | default("") != "" %} - -i {{ rule.interface }} -{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/log.j2 b/roles/pve_firewall_common/templates/partials/log.j2 deleted file mode 100644 index f22406e..0000000 --- a/roles/pve_firewall_common/templates/partials/log.j2 +++ /dev/null @@ -1 +0,0 @@ - -log {{ rule.log_level | default("nolog") }} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/protocol.j2 b/roles/pve_firewall_common/templates/partials/protocol.j2 deleted file mode 100644 index e4671d6..0000000 --- a/roles/pve_firewall_common/templates/partials/protocol.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{%- if rule.protocol | default("") != "" %} - -p {{ rule.protocol | lower }} -{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/source-port.j2 b/roles/pve_firewall_common/templates/partials/source-port.j2 deleted file mode 100644 index d116987..0000000 --- a/roles/pve_firewall_common/templates/partials/source-port.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{%- if rule.source_port | default("") != "" %} - -sport {{ rule.source_port }} -{%- endif %} \ No newline at end of file diff --git a/roles/pve_firewall_common/templates/partials/source.j2 b/roles/pve_firewall_common/templates/partials/source.j2 deleted file mode 100644 index 19a934d..0000000 --- a/roles/pve_firewall_common/templates/partials/source.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{%- if rule.source is defined %} - -source {{ lookup('template', 'partials/host-expression.j2',template_vars=(dict(expression=rule.source, default_scope=default_scope))) }} -{%- endif %} \ No newline at end of file 
diff --git a/roles/pve_firewall_common/templates/security-group.j2 b/roles/pve_firewall_common/templates/security-group.j2 deleted file mode 100644 index 889525a..0000000 --- a/roles/pve_firewall_common/templates/security-group.j2 +++ /dev/null @@ -1,5 +0,0 @@ -[group {{ group.name }}] - -{% for rule in group.rules %} -{{ lookup('template', '../../pve_firewall_common/templates/firewall-rule.j2',template_vars=(dict(rule=rule,default_scope=default_scope))) }} -{% endfor %} \ No newline at end of file diff --git a/tests/client/docker-compose.yaml b/tests/client/docker-compose.yaml deleted file mode 100644 index eba470a..0000000 --- a/tests/client/docker-compose.yaml +++ /dev/null @@ -1,14 +0,0 @@ -services: - chrome: - image: selenium/standalone-chrome - ports: - - 4444:4444 - - 7900:7900 - shm_size: 4g - environment: - VNC_NO_PASSWORD: 1 - SE_OPTS: "--log-level FINE" - DBUS_SESSION_BUS_ADDRESS: /dev/null - dns: - - ${DNS1} - - ${DNS2} \ No newline at end of file diff --git a/tests/environments/lab.local.env b/tests/environments/lab.local.env deleted file mode 100644 index b513ed4..0000000 --- a/tests/environments/lab.local.env +++ /dev/null @@ -1,2 +0,0 @@ -DNS1=10.1.8.64 -DNS2=10.1.8.65 diff --git a/tests/environments/prod.local.env b/tests/environments/prod.local.env deleted file mode 100644 index 1bf0d2f..0000000 --- a/tests/environments/prod.local.env +++ /dev/null @@ -1,2 +0,0 @@ -DNS1=10.1.2.64 -DNS2=10.1.2.65 diff --git a/tests/environments/remote.env b/tests/environments/remote.env deleted file mode 100644 index 7f4b206..0000000 --- a/tests/environments/remote.env +++ /dev/null @@ -1,2 +0,0 @@ -DNS1=1.1.1.1 -DNS2=1.0.0.1 \ No newline at end of file diff --git a/tests/environments/secrets.lab.sops.yaml b/tests/environments/secrets.lab.sops.yaml deleted file mode 100644 index 454dac2..0000000 --- a/tests/environments/secrets.lab.sops.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -admin_user_email: ENC[AES256_GCM,data:nFgSJ1NZ/x+J+GmR11WQalWiAkBzAc8bELDzN0S2+qK5Q4o9Bk8=,iv:cOcmvNvCzg2N58WGPrgG/h82lZmkSaQqylVFF+OtoE0=,tag:lwt+RVFICgizF1GunDAZQw==,type:str] -admin_user_password: ENC[AES256_GCM,data:2MDBS89tGg3KoI+x/xlDIYVR/s2PbC+3BsCtCxznrV+KYMBMZggv6Bp8/5pDhtP9kaP1RrbRJw==,iv:0jkbg2SJ168Bc2vRJpelyJkPmajoP0vB7xSgqPMmPGM=,tag:toLFBDOZQeov8/nhuw/bmA==,type:str] -admin_user_totp_secret: ENC[AES256_GCM,data:RYs4wfs9J6Woc7FNnlO98Q==,iv:6hNiQEp/anTdA9EaApZip913s/aGPMHxTeMrhEkocxk=,tag:dL9fCev2q2XgBh225nS+iw==,type:str] -nonadmin_user_email: ENC[AES256_GCM,data:936vJ4eDLxFH/KF5/AchAe34andA4aZN1au50hLJ/e+tbVh5dkY1uL75,iv:jYpCZ4UH4UsOfeGzECnOrpiW8lDM7E8RKP8nAZhynQk=,tag:EWUKg3SHBfFYzoGWJzlMzQ==,type:str] -nonadmin_user_password: ENC[AES256_GCM,data:ZIpvNOA1bvlxFSpQ6v8YWHWOHcQvitJBRsSxy/WNfh2f0KfwY4pNIbZmecXRwUpidclzu6HlQA==,iv:5ijqvWgeXSgtuKtfVqpY2LlYBkQypWwZBgPHX7N5mAA=,tag:wHQY33HC6Z0aTdX0tEbJ0w==,type:str] -nonadmin_user_totp_secret: ENC[AES256_GCM,data:HC9qMizk0zO4hdTQCUuXZA==,iv:bFlDRAJS9jx6znPajcxFnfRHsl9p+IUoDRxFePCmfSk=,tag:I6YU4e3MzOB1d61/U1FeXA==,type:str] -smtp_relay_username: ENC[AES256_GCM,data:U1Lt,iv:CxxGRI6gvghpSv9RwvjTXsm+76ePMMdCvcORex0cDCQ=,tag:FvWDwmm0j/juum9B4MDQFw==,type:str] -smtp_relay_password: ENC[AES256_GCM,data:C2hNgECf+DlAGF3RmF7FHqeg3l0=,iv:X2xGjQ+G/Y/Brwj6nZBZg0NbBAM1gDzeEePTc9/uXfQ=,tag:35xEfngNMExm0Qn0E/0qWg==,type:str] -smtp_relay_sender: ENC[AES256_GCM,data:OzeYoX08FwmELYuRoELct8g=,iv:Jo9Oq0QqvEEMJkOWB0xFSlY01sS+UVPslCZtk6Bp3m4=,tag:ND5gTv+oZ2oZ63g0ebCw6Q==,type:str] -smtp_relay_recipient: ENC[AES256_GCM,data:SKfBSaKsffNCDFtt0DHafVQ=,iv:bc4IUIr9t0xPU8kZkcrWdzYfk+2zVEMPXoSTpBD5XbY=,tag:D5Vhfl21r8ItOw8Z2jVdzA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5KzFmVVJaT3JMcDAweWhB - 
WmlMdlpSbDdWV3k4YWg1WE93UHpOMStDTUFzCmN4WEhaN3RYMlYvOVFIYldkOGxP - VmI3Q1lhaVpYQXpwcE9ZSzBpblRna00KLS0tIEQvZDlkZ1pnOW95WlMyQzhIMUR5 - WlFYaW9naGM5RURrblp6dXZ3NUtscTgKjSZPu9KB7hK1sO5kq4CbyA1kh9P51FRQ - Hoqk2ZelOzAn/oTNI6hfUQ5hp8n9OAr19kXet4DOXej1LLF2Pb5qpA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-23T15:16:27Z" - mac: ENC[AES256_GCM,data:Nu5Azf+5B5eQfeLvb70uuoLYiIFICLQRJqf508cyS3eOugay55q0OrcdzqF6XYwqBXY3IEN7PK/55LbRo19zxWTSpamtjI5cMtck5yXEc+G9z4/fRGjmQNrSVeW5k7WcjfFk+yW1g62wIKyM+18TVvsLt6+RiNGKMf7dWaUwuG8=,iv:0nAP6EMWo617uok1sbl5OH1g/snWUQPdxQFxFtBDP2A=,tag:ioWp9DPuzkTK75k6DWgm2g==,type:str] - pgp: - - created_at: "2023-05-22T15:44:10Z" - enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CARAAjCHbw0aHusUPjQeR3d7sWTY9cVV3krshzHUeMtbPtkLQ\r\nb/2rEM37/kXF2iB64sa0xVukWOglfPa4+irrEYwv6eqJ2avrhOvWYZq3c/9N9sUP\r\nNoYYWr5jkF9hxLiqjjdAs1bNQY4vMbWnt3v7UWw+kYoEa/RJBsS0UtvOcZZQor1L\r\nGT7gqyD/Izt7ta2WGuWsUqiTadnNLBCDU6P/KcCJpUUKnyoYyq0UcyZm5IspUbFG\r\nxCc3trt62mvydypWJICWPFsEpfM0bg01DKpz4qHjiGNurHKaYw9Ct9aO+bQW7akD\r\n5lGrPeZm06NTOxbtlp10Znch30EUBBojKp/KABtj9jI+uj26Czdmb9H7N9FfapMy\r\nk3ghAYwHgQCYWg6/dRAxHCa0OkMOjsl9y4dUhG0nnKOVIyX8VRXiaVDAtExcvmDx\r\nNl3kAq6C5PXD3ZI2chuDdEvqkShPJuY8hGPrL5oENIOWCBZjc6mAUFnh9Oo9Lx1K\r\ntpn3uzx7m1ctAIQ8Z6P4EV/hs9YnWvRBKJelHnFU/Nvb44bzql+BQMn+kyiwvYND\r\nBWo8jWvpQz0AVVLacM0sCLQrgVUAogP2fXNjT2gU7o3ApYE7+8LRIvsIEUPR6El8\r\nxzOK7fd6szwI0jb7xrUEZZJiXurvPGfnUTYRSmmLewtKGCq0tdJP9lUsYsdtWe3S\r\nXgGJ8V+cJA6fznNTtVPTILEgxoP9MJRsbtJz/GJnVLCKl+2ZzFLcaBazPkjjsqbW\r\navcg39zbA0EImVH1GX1ehMj9ArviUPQIO3TREUSXqvEGglHpngF9ZUHlwIUEip0=\r\n=W3XR\r\n-----END PGP MESSAGE-----\r\n" - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/tests/environments/secrets.prod.sops.yaml b/tests/environments/secrets.prod.sops.yaml deleted file mode 100644 index 60a2756..0000000 --- a/tests/environments/secrets.prod.sops.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -admin_user_email: ENC[AES256_GCM,data:DJ+yYqHT+sNqWIG7VC80ysUYAV8GfsA8wnZsbCz/Og/t45A=,iv:mCEivfSPxoF8v44g/yJsS3FSb4Fz/AsvIbIgbFyyypo=,tag:M4Hlan03EXJm8TlE6Iq6WQ==,type:str] -admin_user_password: ENC[AES256_GCM,data:9UWNFCgxBtUtySf1SgE5/0abCY2zPFMCAjGS5+POn98Lt7ymxoDWogF3ZpgoCnCRxbs5iDwGdQ==,iv:An5jYrjQmZc6edD0cXVCehVVRa4++hL4cdR8jqb8blw=,tag:o8JpRJ1caGZHfNJi5pO2qg==,type:str] -admin_user_totp_secret: ENC[AES256_GCM,data:KUA9MRIHJh7DGDcUnWst7g==,iv:EIX0JD/7dQxP2UmU803FoioI5IhQiFgNUPQiD6TO8bY=,tag:9lJyRMRhz94iMutJddtGEg==,type:str] -nonadmin_user_email: ENC[AES256_GCM,data:CuO0R0QIiBSrQk50QMQdSEwAQgvFUSemhbx+mEbo7s+PQsIyWpWf,iv:RBwaGgWUApORtNM0aiKeJLYv2Af42VGVN+9WGfQjLVo=,tag:Id6jX0XVoUgLgOaoHnblfQ==,type:str] -nonadmin_user_password: ENC[AES256_GCM,data:Hhjjv6E3wZLe5siwyJ0mQmcWv3S7SjyxFN/+T3E9yZW0evScOqa3CV3jpmyZbssxld1cNkNXww==,iv:dp9bpUXduLc3QKYvTpqN0MxZtqoL1dWCLoXVMLW6wQc=,tag:NqTd66IoRCrOrhxf9x61kA==,type:str] -nonadmin_user_totp_secret: ENC[AES256_GCM,data:YUQ39S4VG65PdNAiLFKqiQ==,iv:Hpnbhwd6GVzLj3Pzd/wC/dYPL0xsaOeysEKzCnFxhH0=,tag:5ByyFMsEMydwJksluroX+w==,type:str] -smtp_relay_host: ENC[AES256_GCM,data:G+0RfS0sV909kw==,iv:w+Uml/zgZcwrJILgJQSJSIPG3/jHLTPWNbHHvasRE8E=,tag:jrQucPUtIVJaxK/2Pe/sBQ==,type:str] -smtp_relay_servername: ENC[AES256_GCM,data:YL/N7nwQb2dY1nojinltLLpd,iv:0xTv+70OCzU7YzIn+ZucliKqo4DR343R1HyoWNL/ZlE=,tag:WbWXJkPxVFnTKe3b/oQC4w==,type:str] -smtp_relay_username: ENC[AES256_GCM,data:R2r4,iv:jKhS9MZuUO+VbzbOE0tp3qTaQf5kPiSXxUbB6fr7SqU=,tag:/1BtdD/bQiX9t3CpyXUzbQ==,type:str] -smtp_relay_password: ENC[AES256_GCM,data:2eViWnQg2EurGFYklEpJZQZZ3u0=,iv:55UoizyY8XrhwmX21//nwO1P7eTmOSRJywZvQetonk8=,tag:ESsW7j9819VZZLeJrG3wRw==,type:str] -smtp_relay_sender: ENC[AES256_GCM,data:dVV3vJrxCPInq8QBDe+2wtQ=,iv:7iRCL4Oc2yhFs8wfkFeI2p7AWwzAm1OpWc6zdYOiO8I=,tag:2wVMn5xcUnixEp/l5K37BQ==,type:str] -smtp_relay_recipient: 
ENC[AES256_GCM,data:BV4M2vNuaolyQNiwGKmg4PY=,iv:+5VTH3LDRomFuDPlY3V/iuiYBNUEKuXbA4Kgcb2tvFk=,tag:4Oyo1hPmhaRlJwCBxHG6Qg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RWwzVklFb3BRcXl3QUQ0 - bE9xS0t2SkxrZEVYV2dXMG51WVF1Y2NWZnhvCnpFeCt6MUNJblFCZThLWUNuaDZT - RzBMQnVsa1dhMTIyb1NGeHYyVXNTT1EKLS0tIHlQNjJ5L09DNUdRL0lHd1dGSVFl - YWkvd0FBK0pNMi9GNmdJbXlYT2IzaTQKNsbrKyhgigstwQ+KmnyAV0WZWti6h08J - nEBh6LSBWnXANr8vwKv9URTh7Sf40m9pyrfBT38SVk0KMgMwItDeaQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-08T10:05:32Z" - mac: ENC[AES256_GCM,data:53JGIWp3liZw4U6qPt+oLw4SE5ErEbm0z7E1EEhA9lW7noSTaMFrJwvurJS0rSvmyvXgy9btbBrpz6xDuHVs2UggqyObpkMwwYzhdGJhbvDd+O9qVFqQbJjzNruxS366IIGg+H0uxY7IFx5ivCd0RFoeUoWFUm+GiWp0GbyLvdw=,iv:xohKU4JFhtlf/YRDEBLEckK0mmpEx2wAFmFERBTOrww=,tag:F8ay6GgATyZI4gBX89xVNA==,type:str] - pgp: - - created_at: "2023-06-06T22:06:37Z" - enc: "-----BEGIN PGP 
MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//cdCjtQMCmtmLZTCKt26NMpe37d7xbuCEUVyTQ3MWM8ov\r\n99LBw9qb7JcI03Tz8Tc44jSIciFnhXdWa2c2XZGovMva0D9D0f0DvioL+uRqFDVO\r\nZjLzInCkJM0WGYJW/ae8SPNcy/8FN8yIOzlPxtl9t8oNhLIg28R9zZPvYgVmsoOh\r\nh38P+32lsaDc44LEN8dTEigRcSvqgntLyrnWkTJZby86SD0ijQgWvLJCbLKmta0B\r\noBDR2ZOffyAVPANAHOAGOY2V/4O3O3v6wli8suWrIPTY35JZ6Lk+TxRkub4T4lGg\r\nFAihOUtJ1XF6k7d5Qo0QR1aSKHPfW8/+oxnD0TwjcY7I0V6BnVcB9jI/2PbvrNJj\r\nc2E6qaObJrRy2YHojhxwHNl64XLbMv/3JtkCldeVANwLr+NF2bGa73neSVsGCkfQ\r\nF+cC6gH5JXikWRU+Yf3vmkfF99Q4oleceeAGTNGdKopknHf0wLUrZLb7sm3p8mqm\r\n/ZbgG0BbOn7J4GBXxuQpcgUPekiOi1AUBSUuYD6xqbaVgOLYKKlUGWo+UWD7IdIp\r\nu2XU56CYzPgKX7/HcgvpmAorU3xtdRLEQTmsrOQNpiADtgJukJPwZBmGxt8z94vE\r\ndM1j6mj4tOopZt2TGWl6WuSJUnZngPgqzEIEN3rSyHsPjKsvGu4+SOvzlYaMTk3S\r\nXgHJygIiNSTHrHPdIUQbYlbLXRbS71ZzGfUgmjVm6izsI2KqbA7KfniOJtjAPgNK\r\n9UIz9uOvKsuGTH83ARe0Z5USzWYPmJP8IwodBEsowHRpI/pfbIMJ1tcrGJws9ZM=\r\n=V1Ee\r\n-----END PGP MESSAGE-----\r\n" - fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/tests/haraka-relay.spec.js b/tests/haraka-relay.spec.js deleted file mode 100644 index c24aa42..0000000 --- a/tests/haraka-relay.spec.js +++ /dev/null 
@@ -1,33 +0,0 @@ -const nodemailer = require("nodemailer"); -const dnsPromises = require("dns").promises - -describe('Mailrelay when accessed locally should', async () => { - this.tags = ["localonly"] - - it('Send e-mail', async (browser) => { - const smtpHostname = `smtp${browser.globals.domainSuffix}` - const smtpIp = await dnsPromises.resolve(smtpHostname, "A") - - const transport = nodemailer.createTransport({ - host: smtpIp[0], - port: 25, - auth: { - user: browser.globals.smtp_relay_username, - pass: browser.globals.smtp_relay_password - }, - tls: { - // Server has only domain in certificate and we are using a direct ip to skip dns resolution - servername: smtpHostname - } - }); - - const receipt = await transport.sendMail({ - from: browser.globals.smtp_relay_sender, - to: browser.globals.smtp_relay_recipient, - subject: "E2E test ✔", - text: "Hello, world!" - }); - - expect(receipt.accepted.length).to.be.equal(1) - }); -}); \ No newline at end of file diff --git a/tests/nightwatch/assertions/isAadErrorPage.js b/tests/nightwatch/assertions/isAadErrorPage.js deleted file mode 100644 index d7b2889..0000000 --- a/tests/nightwatch/assertions/isAadErrorPage.js +++ /dev/null 
@@ -1,39 +0,0 @@ -const reusable = function (context, errorCode) { - context.formatMessage = () => { - const message = `Checking if the page ${this.negate ? 'doesn\'t indicate' : 'indicates'} AAD error code %s`; - - return { - message, - args: [`'${errorCode}'`] - } - }; - - context.expected = () => { - return errorCode - } - - context.value = function (result) { - return result.value; - }; - - context.failure = function (result) { - return !result; - }; - - context.evaluate = function (value) { - return value && value.startsWith(this.expected()) - }; - - context.command = async function (callback) { - this.api.getText("#exceptionMessageContainer", callback) - }; -}; - -const assertion = function (errorCode) { - reusable(this, errorCode) -}; - -module.exports = { - reusable, - assertion -} \ No newline at end of file diff --git a/tests/nightwatch/assertions/isAadPermissionRejectedPage.js b/tests/nightwatch/assertions/isAadPermissionRejectedPage.js deleted file mode 100644 index de66ced..0000000 --- a/tests/nightwatch/assertions/isAadPermissionRejectedPage.js +++ /dev/null @@ -1,14 +0,0 @@ -const isAadErrorPage = require("./isAadErrorPage") - -const reusable = function (context) { - isAadErrorPage.reusable(context, "AADSTS50105") -} - -const assertion = function () { - reusable(this) -}; - -module.exports = { - reusable, - assertion -} \ No newline at end of file diff --git a/tests/nightwatch/assertions/isCloudflareOrAadPermissionRejectedPage.js b/tests/nightwatch/assertions/isCloudflareOrAadPermissionRejectedPage.js deleted file mode 100644 index 7e49643..0000000 --- a/tests/nightwatch/assertions/isCloudflareOrAadPermissionRejectedPage.js +++ /dev/null 
@@ -1,14 +0,0 @@ -const isAadPermissionRejectedPage = require("./isAadPermissionRejectedPage") -const isCloudflarePermissionRejectedPage = require("./isCloudflarePermissionRejectedPage") - -const assertion = function () { - if (this.__nightwatchInstance.settings.globals.isRemote) { - isCloudflarePermissionRejectedPage.reusable(this) - } else { - isAadPermissionRejectedPage.reusable(this) - } -} - -module.exports = { - assertion -} \ No newline at end of file diff --git a/tests/nightwatch/assertions/isCloudflareOrPomeriumPermissionRejectedPage.js b/tests/nightwatch/assertions/isCloudflareOrPomeriumPermissionRejectedPage.js deleted file mode 100644 index b5b5b49..0000000 --- a/tests/nightwatch/assertions/isCloudflareOrPomeriumPermissionRejectedPage.js +++ /dev/null @@ -1,14 +0,0 @@ -const isPomeriumPermissionRejectedPage = require("./isPomeriumPermissionRejectedPage") -const isCloudflarePermissionRejectedPage = require("./isCloudflarePermissionRejectedPage") - -const assertion = function () { - if (this.__nightwatchInstance.settings.globals.isRemote) { - isCloudflarePermissionRejectedPage.reusable(this) - } else { - isPomeriumPermissionRejectedPage.reusable(this) - } -} - -module.exports = { - assertion -} \ No newline at end of file diff --git a/tests/nightwatch/assertions/isCloudflarePermissionRejectedPage.js b/tests/nightwatch/assertions/isCloudflarePermissionRejectedPage.js deleted file mode 100644 index 5192bd3..0000000 --- a/tests/nightwatch/assertions/isCloudflarePermissionRejectedPage.js +++ /dev/null 
@@ -1,39 +0,0 @@ -const reusable = function (context) { - context.formatMessage = () => { - const message = `Checking if the page ${this.negate ? 'doesn\'t indicate' : 'indicates'} cloudflare permission rejected`; - - return { - message, - args: [] - } - }; - - context.expected = () => { - return "That account does not have access." - } - - context.value = function (result) { - return result.value; - }; - - context.failure = function (result) { - return !result; - }; - - context.evaluate = function (value) { - return value && value.startsWith(this.expected()) - }; - - context.command = async function (callback) { - this.api.getText("div.AuthBox-messages", callback) - }; -}; - -const assertion = function () { - reusable(this) -}; - -module.exports = { - reusable, - assertion -} \ No newline at end of file diff --git a/tests/nightwatch/assertions/isPomeriumPermissionRejectedPage.js b/tests/nightwatch/assertions/isPomeriumPermissionRejectedPage.js deleted file mode 100644 index ca69570..0000000 --- a/tests/nightwatch/assertions/isPomeriumPermissionRejectedPage.js +++ /dev/null @@ -1,39 +0,0 @@ -const reusable = function (context) { - context.formatMessage = () => { - const message = `Checking if the page ${this.negate ? 'doesn\'t indicate' : 'indicates'} Pomerium permission rejected`; - - return { - message, - args: [] - } - }; - - context.expected = () => { - return "403 Forbidden" - } - - context.value = function (result) { - return result.value; - }; - - context.failure = function (result) { - return !result; - }; - - context.evaluate = function (value) { - return value && value.startsWith(this.expected()) - }; - - context.command = async function (callback) { - this.api.getText("div[role=alert]", callback) - }; -}; - -const assertion = function () { - reusable(this) -}; - -module.exports = { - reusable, - assertion -} \ No newline at end of file 
diff --git a/tests/nightwatch/commands/signIn.js b/tests/nightwatch/commands/signIn.js deleted file mode 100644 index 6449d93..0000000 --- a/tests/nightwatch/commands/signIn.js +++ /dev/null @@ -1,26 +0,0 @@ -module.exports = { - command: function (email, password) { - return this - // E-mail - .setValue("input[type=email]", email) - .click('input[type=submit]') - - // Password - .waitForElementVisible("css selector", "input[type=password].form-control") // Checking the e-mail may take a few seconds - .setValue("input[type=password].form-control", password) - .click("input[value='Sign in']") - // Wait for the Sign in button to disappear - .waitForElementNotPresent("input[value='Sign in']", 2000) - // Check whether the "Stay signed in?" page was shown - .isPresent({ - suppressNotFoundErrors: true, - selector: "input[type=button][value=No]", - timeout: 1000 - }, - result => { - if (result.status > -1) { - this.click("input[type=button][value=No]") - } - }) - } -} \ No newline at end of file diff --git a/tests/nightwatch/commands/signInAsAdmin.js b/tests/nightwatch/commands/signInAsAdmin.js deleted file mode 100644 index 3cb6363..0000000 --- a/tests/nightwatch/commands/signInAsAdmin.js +++ /dev/null @@ -1,7 +0,0 @@ -module.exports = { - command: function () { - return this.signIn( - this.globals.admin_user_email, - this.globals.admin_user_password) - } -} \ No newline at end of file diff --git a/tests/nightwatch/commands/signInAsNonAdmin.js b/tests/nightwatch/commands/signInAsNonAdmin.js deleted file mode 100644 index b7247c6..0000000 --- a/tests/nightwatch/commands/signInAsNonAdmin.js +++ /dev/null @@ -1,7 +0,0 @@ -module.exports = { - command: function () { - return this.signIn( - this.globals.nonadmin_user_email, - this.globals.nonadmin_user_password) - } -} \ No newline at end of file diff --git a/tests/nightwatch/commands/subdomain.js b/tests/nightwatch/commands/subdomain.js deleted file mode 100644 index 784e4ec..0000000 
--- a/tests/nightwatch/commands/subdomain.js +++ /dev/null @@ -1,5 +0,0 @@ -module.exports = { - command: function (subdomain) { - return this.url(`https://${subdomain}${this.globals.domainSuffix}`) - } -} \ No newline at end of file diff --git a/tests/nightwatch/globals.js b/tests/nightwatch/globals.js deleted file mode 100644 index 6be9a01..0000000 --- a/tests/nightwatch/globals.js +++ /dev/null @@ -1,22 +0,0 @@ -const { decryptSops } = require('sops-wrapper'); -const dotenv = require("dotenv"); -const fs = require("fs"); -const dns = require("dns"); - -module.exports = { - beforeEach(done) { - console.log("Loading secrets via SOPS...") - - const secrets = decryptSops(`./tests/environments/${this.secretsFile}`) - - // Expose env file and secrets as globals - Object.assign(this, secrets) - - // Set DNS from env file - const envFile = dotenv.parse(fs.readFileSync(`./tests/environments/${this.envFile}`)) - console.log(envFile) - dns.setServers([ envFile.DNS1, envFile.DNS2 ]) - - done() - } -} \ No newline at end of file diff --git a/tests/proxmox-ve-local.spec.js b/tests/proxmox-ve-local.spec.js deleted file mode 100644 index 53e34e9..0000000 --- a/tests/proxmox-ve-local.spec.js +++ /dev/null 
@@ -1,28 +0,0 @@ -describe('Proxmox VE when accessed locally should', () => { - this.tags = [ "localonly" ] - - afterEach((browser) => { - browser.end() - }) - - it('Load main screen after signing in as admin', (browser) => { - browser - .subdomain('pve') - .setValue('#pveloginrealm-inputEl', 'Azure Active Directory') - .waitForElementVisible("a#button-1070") - .click('a#button-1070') // Redirects to AAD - .signInAsAdmin() - .assert.textContains("#versioninfo-innerCt", "Virtual Environment") - }); - - it('Not allow non-admins to use the app', (browser) => { - browser - .subdomain('pve') - .setValue('#pveloginrealm-inputEl', 'Azure Active Directory') - .waitForElementVisible("a#button-1070") - .click('a#button-1070') // Redirects to AAD - .signInAsNonAdmin() - .pause(6000) - .assert.isAadPermissionRejectedPage() - }); -}); diff --git a/tests/proxmox-ve-remote.spec.js b/tests/proxmox-ve-remote.spec.js deleted file mode 100644 index 482550f..0000000 --- a/tests/proxmox-ve-remote.spec.js +++ /dev/null @@ -1,24 +0,0 @@ -describe('Proxmox VE when accessed remotely should', () => { - this.tags = [ "remoteonly" ] - - afterEach((browser) => { - browser.end() - }) - - it('Load main screen after signing in as admin', (browser) => { - browser - .subdomain('pve') - .signInAsAdmin() // Sign into Cloudflare Access - .setValue('#pveloginrealm-inputEl', 'Azure Active Directory') - .waitForElementVisible("a#button-1070") - .click('a#button-1070') // Redirects to AAD - .assert.textContains("#versioninfo-innerCt", "Virtual Environment") - }); - - it('Not allow non-admins to use the app', (browser) => { - browser - .subdomain('pve') - .signInAsNonAdmin() // Sign into Cloudflare Access - .assert.isCloudflarePermissionRejectedPage() - }); -}); \ No newline at end of file From a58ae36d95810504d461ab04c5af8adc7ea20cfb Mon Sep 17 00:00:00 2001 
From: Lukas Holota Date: Thu, 12 Sep 2024 18:15:51 +0200 Subject: [PATCH 45/51] UPS notifications --- inventory/group_vars/all/promtail.sops.yaml | 43 ++++++++++ .../{all => pve_nodes}/ups.sops.yaml | 5 +- .../group_vars/{all => pve_nodes}/ups.yaml | 0 inventory/hosts.yaml | 34 ++++++-- playbooks/pve-guests.yaml | 13 ++- playbooks/pve-nodes.yaml | 7 +- ups-notify.sh | 85 +++++++++++++++++++ 7 files changed, 176 insertions(+), 11 deletions(-) create mode 100644 inventory/group_vars/all/promtail.sops.yaml rename inventory/group_vars/{all => pve_nodes}/ups.sops.yaml (80%) rename inventory/group_vars/{all => pve_nodes}/ups.yaml (100%) create mode 100644 ups-notify.sh diff --git a/inventory/group_vars/all/promtail.sops.yaml b/inventory/group_vars/all/promtail.sops.yaml new file mode 100644 index 0000000..9be8aa6 --- /dev/null +++ b/inventory/group_vars/all/promtail.sops.yaml 
@@ -0,0 +1,43 @@ +promtail_loki_url: ENC[AES256_GCM,data:RGdAlCp3XT/0k8f0Hvi7QuiCof6gugBWGa8n9mRywP36XkxNqnL936TXSQ==,iv:l8GXoHpoFYY/LvJRBqVSjCa7xHH9I4+1ROPoVIy4x1s=,tag:4+1sT0K9umIuKLnlq9ZgeA==,type:str] +promtail_loki_basicauth_username: ENC[AES256_GCM,data:w+Hln+tA5e8=,iv:A64f8cgpXXz2/+7Ede+Oisn69izX056kcYdTJgJ+WAg=,tag:rVnB8BNdnt9VYOADIXHgCQ==,type:str] +promtail_loki_basicauth_password: ENC[AES256_GCM,data:O8o9/DVWPA7M8B/lwVVizqVhl03Uq31vKLK3PUvkwn3veIsUE2HasEI1FX90bu6y8NI=,iv:E0JOISbjFdilGmRGAv1tVdW+82D1HNpriQUgIeD+jls=,tag:bOWV68r1RC8taYDBzA+vpw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVzlNb3loS0IxbVdaWGww + Tm5oWk9LOE5uZndGN3J2Z05Fc0VkT0JiSmhjCnphZ2lJSXJoME9xcmxyVTlrMWpJ + bSt2cTVMQmJONnpYTGhwTXBQV1FJWVEKLS0tIFlTVEJveDRveEhqOWhXRnhrM0tC + YkFtTjJNSWVHOG8yclhuL2MxdGcxQ0UKv4GTyeWhIISArLRU6N6e5fBoI+srzNqX + DQG3s3ngOVy7WuZQ+aYhWynDPUCGk6jFLlkbYc55rHkqRy7x0tH+qw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-22T12:40:59Z" + mac: ENC[AES256_GCM,data:4pFQhchhLB4ByR0FZ9heCrkJswCRlZNKH1iAL7BozKH8EmcbImB1O3InnRx3X60w8z8i3ixtCz4xZICwZjNDZyqPdC3SSqebyyC0bOo/XzXIfVIQMZ8gjhxqOWEkYxnEYsYaa0u09CvdLVJmRN9f0U1Ah9UR5DkaOK3lbT9cBjA=,iv:pV1wZbvbXXDCfGXxZFGAkO0VJ0tQW+I9ps1zWUhQ8Xc=,tag:440JfAvBbQiC0Iqkv1GBag==,type:str] + pgp: + - created_at: "2024-08-22T12:27:18Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7Pg+ndCcR5CAQ//arHuXW/NQu7hkgSto+f34+xrgj5CIKbb8bRaAiAPgiww + mR1gYrPwAJ6aXyCdcCjvdhSnI18GUL0FZ7NNmQlArdWDfPlUBTyG1r6ICip1nAv0 + x25ZTS0JWQotd+vRlJ0e2M5L9wcI4sPKEn4lKvKq6ngFzIpAe3PvhL1GxA18B6Zj + Of/bvRyMuzBfamIzJ7osXnmWMFb2HEnLTEueH50reeARzX3InQh51kzPbXZfiaNH + FevhT/hxVH6P7PY5+85JxtZOI0jHkcgRHjwHUzn8jVeXWSWB8m9mmv2+9dJu7v3W + COC/r0Z9JhLmWOza9swa9svLC6IkPTw9HvXOoj6DE4JCI6sV/r/QAjtehTk0r15J + 
GWbZ/1KhwBCyPqATtDuUd2szq2So4MYu2OeHY/0ytUxsZDRMj9A1a9ka99B+WCTt + JwHWex6z3blF4/aSgsQ+YIxYcH0SrlEdrSPo+TwIKBrQuraDUyMUgtIe87paniEG + fweRPuvz/A9qOJ+ziR/y8pRw8QYxwJ5DiUCDFme8bIMdgXg/2HAwDH39YwtfE1IO + Gpkv8nHhScUcpDCBEv+j6/WONlyti591UKEpiDDJYASyAALvpWquWnbiHPCb+sA5 + H9Uyf/OkyR6yIkC9aRBhj2YfVl1BkdGMCYuJuNUtX1RR486k6rWBmOe19KNT7IbS + XgFiVYpuOkAsQ9cyCFzVxWkdGfsDurwg2mebaDp7J6JrdD+mJqpwrMLqtQX3eYLr + oaiwHlbHLhGyPiUkH8Fr9rPF0zErkuetRaIeKt2obtKBcgtFZxdvJMm2k2976kA= + =gzkb + -----END PGP MESSAGE----- + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/inventory/group_vars/all/ups.sops.yaml b/inventory/group_vars/pve_nodes/ups.sops.yaml similarity index 80% rename from inventory/group_vars/all/ups.sops.yaml rename to inventory/group_vars/pve_nodes/ups.sops.yaml index da64e65..5457b1a 100644 --- a/inventory/group_vars/all/ups.sops.yaml +++ b/inventory/group_vars/pve_nodes/ups.sops.yaml @@ -1,4 +1,5 @@ ups_observer_password: ENC[AES256_GCM,data:6hOusAECGlOcRfvlfrScBQCT,iv:+WSb3FOVY9XaNzW32aJBXI4d9f6sp+MvuIBP2h7JvGk=,tag:W0ZF3EZd7wFQPN9dWSCSDw==,type:str] +ups_alert_pagerduty_routing_key: ENC[AES256_GCM,data:dWMdNjUOKyFEU5TiYFCl2skrXu824f8Qdm3+PagjQZQ=,iv:qKQky+VElTA7EV2+maopsN6GKDeLBpd48HSHIQ4a/Fs=,tag:Vo6GdxR2ThHWZZu9V6Q5WA==,type:str] sops: kms: [] gcp_kms: [] 
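Review bot: `promtail_loki_url` and the basic-auth username/password are added under `group_vars/all`, so every inventory host — the LXC guests as well as the PVE nodes — receives the same Loki write credential, and a compromise of any single guest exposes a credential that can push (and, depending on how Loki is configured, possibly read) logs for the whole fleet. The same commit narrows `ups.sops.yaml` from `all` to `pve_nodes`, so scoping is clearly a consideration here; if Promtail must run everywhere, a per-group credential or Loki tenant, or at least a comment above `promtail_loki_basicauth_username` recording that the credential is shared fleet-wide and limited to push, would make the blast radius explicit. The encrypted values themselves cannot be reviewed here; the age and PGP recipients match the ones used by the repo's other sops files, so decryption scope is unchanged.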
@@ -14,8 +15,8 @@ sops: czhTc3hjY2diUmZuaFdOMDRKVmVZZncKoQ1GwgWjY773aUPwIno02YMr43VI+gge FV5SPn/6dBuGtycIHc1V6Fh23xbRTTQGZgPaQW19koKVMrJQQ9ravA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-08T14:57:20Z" - mac: ENC[AES256_GCM,data:Zja+1RBG31quXHXNbGdiyRUkmX5nzAaIi7IWWRR20l5b9ziN/ik1goChD1KIKxjMOfmTcSinW/TGLlJJ1ZNEWA/oaqDmY51xbg2m7x85j3u2O30/A0uJLsUZxp1wWQI085UOBDVwg6lA5qb66S4F+/zCjWLyU6885Qlt7it/zzg=,iv:mArkS0nazzivJ0YvLkLGj+N+Sg/7GToJQqIWFLdj/fw=,tag:SaMul47eT87WECVeYURvCQ==,type:str] + lastmodified: "2024-09-12T16:08:22Z" + mac: ENC[AES256_GCM,data:tjLH4LkwBhLVR9vwQsRGLoZyVUX47oJmt1awTpRoB/VoOPjGCUoyuR5v/yDflG/6HTQLC6rhn5fbakX8yHS0dtSAvqpxqZhu9elapjBVH+7KjE3fzAD1gLBoK2KIfLrk70S2gBj7TMBYKBc5kCM6dWBppRyUHZAtaaQ2waFzlJ4=,iv:rvN2He1Pispf/RR2QA9VSuuscTrNasU0STgT7cDwk2A=,tag:FYyQbag1MKBoEwXdK9oCow==,type:str] pgp: - created_at: "2023-06-05T09:01:58Z" enc: | diff --git a/inventory/group_vars/all/ups.yaml b/inventory/group_vars/pve_nodes/ups.yaml similarity index 100% rename from inventory/group_vars/all/ups.yaml rename to inventory/group_vars/pve_nodes/ups.yaml diff --git a/inventory/hosts.yaml b/inventory/hosts.yaml index 5753639..82b5630 100644 --- a/inventory/hosts.yaml +++ b/inventory/hosts.yaml 
@@ -40,38 +40,58 @@ all: ansible_host: 10.1.2.66 cloudflared2: ansible_host: 10.1.2.67 + cloudflared3: + ansible_host: 10.1.2.69 pbs: ansible_host: 10.1.2.68 monitoring: ansible_host: 10.1.2.70 + docker_enabled: true + promtail_docker_logs_enabled: true homepage: ansible_host: 10.1.2.71 mqtt: ansible_host: 10.1.2.72 frigate: ansible_host: 10.1.2.73 + docker_enabled: true + docker_enable_nvidia_runtime: true + promtail_docker_logs_enabled: true snipeit: ansible_host: 10.1.2.74 + docker_enabled: true + promtail_docker_logs_enabled: true haraka: ansible_host: 10.1.2.75 + docker_enabled: true + promtail_docker_logs_enabled: true unifi_controller: ansible_host: 10.1.2.76 docs: ansible_host: 10.1.2.77 + docker_enabled: true + promtail_docker_logs_enabled: true autosnap: ansible_host: 10.1.2.78 myspeed: ansible_host: 10.1.2.80 immich: ansible_host: 10.1.2.82 + docker_enabled: true + docker_enable_nvidia_runtime: true + promtail_docker_logs_enabled: true + traefik1: + ansible_host: 10.1.2.83 + traefik2: + ansible_host: 10.1.2.84 + traefik3: + ansible_host: 10.1.2.85 + home_assistant: + ansible_host: 10.1.2.86 + docker_enabled: true + promtail_docker_logs_enabled: true vm: hosts: - pomerium: - ansible_host: 10.1.2.69 - ansible_hostname: app-pomerium coder: ansible_host: 10.1.2.79 - ansible_hostname: app-coder - nextcloud: - ansible_host: 10.1.2.81 - ansible_hostname: app-nextcloud \ No newline at end of file + ansible_hostname: app-coder \ No newline at end of file diff --git a/playbooks/pve-guests.yaml b/playbooks/pve-guests.yaml index 3f142af..87c9bd5 100644 --- a/playbooks/pve-guests.yaml +++ b/playbooks/pve-guests.yaml 
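Review bot: The pair `docker_enabled: true` / `promtail_docker_logs_enabled: true` is now copied verbatim onto monitoring, frigate, snipeit, haraka, docs, immich and home_assistant, which is exactly the repetition an inventory group exists to remove. A `docker_hosts` child group under `lxc` whose `vars:` carry those two flags would leave each host entry with just `ansible_host` plus genuine exceptions such as `docker_enable_nvidia_runtime`, and a new Docker host could not forget one of the flags. The `\ No newline at end of file` marker also survives the rewrite of the `vm` block; ending the file with a newline keeps future diffs of the last host clean.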
@@ -32,4 +32,15 @@ - name: Set up Node Exporter ansible.builtin.import_role: name: homecentr.system.node_exporter - tags: [ node-exporter ] \ No newline at end of file + tags: [ node-exporter ] + + - name: Set up Docker + when: docker_enabled | default(false) + ansible.builtin.import_role: + name: homecentr.system.docker + tags: [ docker ] + + - name: Set up Promtail + ansible.builtin.import_role: + name: homecentr.system.promtail + tags: [ promtail ] \ No newline at end of file diff --git a/playbooks/pve-nodes.yaml b/playbooks/pve-nodes.yaml index 0d1058e..5d79832 100644 --- a/playbooks/pve-nodes.yaml +++ b/playbooks/pve-nodes.yaml @@ -60,4 +60,9 @@ - name: Set up Node Exporter ansible.builtin.import_role: name: homecentr.system.node_exporter - tags: [ node-exporter ] \ No newline at end of file + tags: [ node-exporter ] + + - name: Set up Promtail + ansible.builtin.import_role: + name: homecentr.system.promtail + tags: [ promtail ] \ No newline at end of file diff --git a/ups-notify.sh b/ups-notify.sh new file mode 100644 index 0000000..91da9f2 --- /dev/null +++ b/ups-notify.sh 
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+
+set -e
+
+# NOTIFYTYPE is supplied by NUT
+PAGERDUTY_ROUTING_KEY="TBA"
+UPS_NAME=$(cat /etc/ups)
+
+case $NOTIFYTYPE in
+ ONBATT | LOWBATT)
+ EVENT_ACTION="trigger"
+ EVENT_SEVERITY="critical"
+ EVENT_DEDUP_KEY="STATE_$UPS_NAME"
+ ;;
+
+ ONLINE)
+ EVENT_ACTION="resolve"
+ EVENT_SEVERITY="critical"
+ EVENT_DEDUP_KEY="STATE_$UPS_NAME"
+ ;;
+
+ SHUTDOWN | FSD)
+ EVENT_ACTION="trigger"
+ EVENT_SEVERITY="error"
+ EVENT_DEDUP_KEY="STATE_$UPS_NAME"
+ ;;
+
+
+ COMMBAD | NOCOMM)
+ EVENT_ACTION="trigger"
+ EVENT_SEVERITY="warn"
+ EVENT_DEDUP_KEY="COMM_$UPS_NAME"
+ ;;
+
+ COMMOK)
+ EVENT_ACTION="resolve"
+ EVENT_SEVERITY="warn"
+ EVENT_DEDUP_KEY="COMM_$UPS_NAME"
+ ;;
+
+ *)
+ EVENT_SEVERITY="critical"
+ EVENT_ACTION="trigger"
+ EVENT_DEDUP_KEY="STATE_$UPS_NAME"
+ ;;
+esac
+
+EVENT_TIME=$(date --utc '+%Y-%m-%dT%H:%M:%S.%3N+0000')
+EVENT_SOURCE=$(hostname)
+
+UPS_STATUS_ALL=$(upsc "$UPS_NAME" 2>/dev/null)
+UPS_STATUS=$(echo "$UPS_STATUS_ALL" | grep ups.status | cut -d':' -f 2 | xargs)
+UPS_BATTERY_CHARGE=$(echo "$UPS_STATUS_ALL" | grep battery.charge | cut -d':' -f 2 | xargs)
+UPS_BATTERY_RUNTIME=$(echo "$UPS_STATUS_ALL" | grep battery.runtime | cut -d':' -f 2 | xargs)
+
+PAYLOAD=$(cat <<-EOF
+ {
+ "payload": {
+ "summary": "UPS $UPS_NAME status changed to $NOTIFYTYPE",
+ "timestamp": "$EVENT_TIME",
+ "severity": "$EVENT_SEVERITY",
+ "source": "$EVENT_SOURCE",
+ "component": "Network UPS tools",
+ "custom_details": {
+ "notifytype": "$NOTIFYTYPE",
+ "ups.status": "$UPS_STATUS",
+ "battery.charge": "$UPS_BATTERY_CHARGE",
+ "battery.runtime": "$UPS_BATTERY_RUNTIME"
+ }
+ },
+ "routing_key": "$PAGERDUTY_ROUTING_KEY",
+ "dedup_key": "$EVENT_DEDUP_KEY",
+ "event_action": "$EVENT_ACTION",
+ "client": "Network UPS tools"
+ }
+EOF
+)
+
+echo "$PAYLOAD"
+
+curl --request POST -v \
+ --url https://events.pagerduty.com/v2/enqueue \
+ --header 'Accept: application/json' \
+ --header 'Content-Type: application/json' \
+ --data "$PAYLOAD"
\ No newline
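Review bot: Under `set -e`, the assignment `UPS_STATUS_ALL=$(upsc "$UPS_NAME" 2>/dev/null)` terminates the script as soon as `upsc` exits non-zero, and the UPS being unreachable is precisely the COMMBAD/NOCOMM case the `case` block prepares an alert for, so the communication-loss event would never reach PagerDuty; `UPS_STATUS_ALL=$(upsc "$UPS_NAME" 2>/dev/null || true)` keeps the notification path alive and the three `grep` fields simply come back empty. Separately, `echo "$PAYLOAD"` and `curl ... -v` print the whole request body, `routing_key` included, to the notifier's stdout/stderr, which for a NUT notify command is presumably collected by upsmon or syslog, so the PagerDuty integration key would end up in the logs; drop the echo and the `-v`, or print the payload with the key masked. The key itself is still the literal `PAGERDUTY_ROUTING_KEY="TBA"` in the script even though this same commit stores `ups_alert_pagerduty_routing_key` in the sops-encrypted vars, so the intended wiring (a templated file or environment variable with restrictive permissions, not a value baked into a script in the repo) should be completed before the script is deployed, and the `upsc` values are interpolated into the JSON heredoc without escaping, so a quote in `ups.status` would produce an invalid body. The file is removed again later in this series, so these points matter only if it returns in another form.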
at end of file From e61851421adeeebbbf18d50efb89f7a1644d21e5 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Thu, 12 Sep 2024 19:10:49 +0200 Subject: [PATCH 46/51] UPS thresholds --- inventory/group_vars/pve_nodes/ups.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/inventory/group_vars/pve_nodes/ups.yaml b/inventory/group_vars/pve_nodes/ups.yaml index 03556f8..4593d53 100644 --- a/inventory/group_vars/pve_nodes/ups.yaml +++ b/inventory/group_vars/pve_nodes/ups.yaml @@ -4,6 +4,8 @@ ups_devices: description: Eaton 1100 port: auto monitored_by: pve1 + low_battery_charge: 20 # Defines shutdown threshold + low_battery_runtime: 180 # Defines shutdown threshold # vendor: 0463 # product: ffff @@ -12,5 +14,7 @@ ups_devices: description: Eaton 1500 port: auto monitored_by: pve2 + low_battery_charge: 20 # Defines shutdown threshold + low_battery_runtime: 180 # Defines shutdown threshold # vendor: 0463 # product: ffff \ No newline at end of file From d7f6b1c29ad1dd164cdc2f613f76102af6aa2f2f Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Tue, 8 Oct 2024 19:09:15 +0200 Subject: [PATCH 47/51] outline --- inventory/hosts.yaml | 29 +++++++++++++ playbooks/pve-guests.yaml | 6 +++ requirements.yaml | 4 +- ups-notify.sh | 85 --------------------------------------- 4 files changed, 37 insertions(+), 87 deletions(-) delete mode 100644 ups-notify.sh diff --git a/inventory/hosts.yaml b/inventory/hosts.yaml index 82b5630..38cccae 100644 --- a/inventory/hosts.yaml +++ b/inventory/hosts.yaml @@ -47,6 +47,7 @@ all: monitoring: ansible_host: 10.1.2.70 docker_enabled: true + docker_enable_tcp: true promtail_docker_logs_enabled: true homepage: ansible_host: 10.1.2.71 
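Review bot: `low_battery_charge: 20  # Defines shutdown threshold` and `low_battery_runtime: 180  # Defines shutdown threshold` say what the values are for but not what they are measured in, and the two comments are identical so a reader cannot tell the keys apart; `# percent of charge below which the host shuts down` and `# seconds of remaining runtime below which the host shuts down` would be self-explanatory, assuming the role passes these through as a charge percentage and a runtime in seconds, which is worth confirming against the role. Both devices also receive the same pair, so a device-wide default would avoid the duplication if the role supports one. The same applies to the second hunk of this file.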
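Review bot: `docker_enable_tcp: true` is switched on for the monitoring host here and, in the two hunks that follow, for every other Docker host in the inventory (frigate, snipeit, haraka, docs, nextcloud, immich, home_assistant, media, management, outline), yet nothing in the inventory records what the TCP endpoint is for, where it binds, or whether client TLS is required. If the role behind it exposes the Docker API on a reachable interface, anyone who can connect to that port has root-equivalent control of the host, so this deserves a one-line justification and a check that the role either enforces TLS client-certificate verification or binds only to loopback or firewalled addresses. I would annotate the first occurrence, e.g. `docker_enable_tcp: true  # Docker API over TCP for <consumer>; role must require TLS client auth or bind loopback only - verify before adding hosts`, and consider a group var so the setting and its rationale live in one place.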
@@ -55,29 +56,39 @@ all: frigate: ansible_host: 10.1.2.73 docker_enabled: true + docker_enable_tcp: true docker_enable_nvidia_runtime: true promtail_docker_logs_enabled: true snipeit: ansible_host: 10.1.2.74 docker_enabled: true + docker_enable_tcp: true promtail_docker_logs_enabled: true haraka: ansible_host: 10.1.2.75 docker_enabled: true + docker_enable_tcp: true promtail_docker_logs_enabled: true unifi_controller: ansible_host: 10.1.2.76 docs: ansible_host: 10.1.2.77 docker_enabled: true + docker_enable_tcp: true promtail_docker_logs_enabled: true autosnap: ansible_host: 10.1.2.78 myspeed: ansible_host: 10.1.2.80 + nextcloud: + ansible_host: 10.1.2.81 + docker_enabled: true + docker_enable_tcp: true + promtail_docker_logs_enabled: true immich: ansible_host: 10.1.2.82 docker_enabled: true + docker_enable_tcp: true docker_enable_nvidia_runtime: true promtail_docker_logs_enabled: true traefik1: @@ -89,6 +100,24 @@ all: home_assistant: ansible_host: 10.1.2.86 docker_enabled: true + docker_enable_tcp: true + promtail_docker_logs_enabled: true + media: + ansible_host: 10.1.2.87 + docker_enabled: true + docker_enable_tcp: true + promtail_docker_logs_enabled: true + docker_enable_nvidia_runtime: true + install_nvidia_driver: true + management: + ansible_host: 10.1.2.88 + docker_enabled: true + docker_enable_tcp: true + promtail_docker_logs_enabled: true + outline: + ansible_host: 10.1.2.89 + docker_enabled: true + docker_enable_tcp: true promtail_docker_logs_enabled: true vm: hosts: diff --git a/playbooks/pve-guests.yaml b/playbooks/pve-guests.yaml index 87c9bd5..ef62843 100644 --- a/playbooks/pve-guests.yaml +++ b/playbooks/pve-guests.yaml 
@@ -34,6 +34,12 @@ name: homecentr.system.node_exporter tags: [ node-exporter ] + - name: Install nvidia driver + when: install_nvidia_driver | default(false) + ansible.builtin.import_role: + name: homecentr.system.nvidia_driver + tags: [ nvidia-driver ] + - name: Set up Docker when: docker_enabled | default(false) ansible.builtin.import_role: diff --git a/requirements.yaml b/requirements.yaml index 5277aab..42071cb 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -13,10 +13,10 @@ collections: - name: prometheus.prometheus - name: https://github.com/homecentr/ansible-collection-system type: git - version: origin/feat/simplify #master + version: master - name: https://github.com/homecentr/ansible-collection-proxmox type: git - version: origin/feat/simplify # master + version: master roles: - name: geerlingguy.pip diff --git a/ups-notify.sh b/ups-notify.sh deleted file mode 100644 index 91da9f2..0000000 --- a/ups-notify.sh +++ /dev/null 
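Review bot: `Install nvidia driver` is gated on `install_nvidia_driver | default(false)`, which this commit sets only on `media`, while `docker_enable_nvidia_runtime: true` stays on frigate and immich without it; if the NVIDIA container runtime needs the host driver (the role's documentation should say), those two hosts would get the runtime configured but no driver, which is easy to miss. Either derive the driver install from the runtime flag, `when: install_nvidia_driver | default(docker_enable_nvidia_runtime | default(false))`, or add a comment next to the task stating that driver installation is opt-in per host and where the other hosts get theirs. The task name also breaks the `Set up …` pattern of its neighbours; `Set up NVIDIA driver` would keep the play consistent.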
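Review bot: Both git-sourced collections are now pinned to `version: master`, a moving branch, so `ansible-galaxy install -r ./requirements.yaml --force` (as tools/install.sh runs it) pulls whatever the branch holds at that moment and a deployment cannot be reproduced or audited later; a compromised or simply broken upstream push would be applied to every host on the next run. Pin to a release tag or a full commit SHA, `version: "<tag-or-commit-sha>"`, and bump deliberately, even though both repositories appear to belong to the same author as this one.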
@@ -1,85 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-# NOTIFYTYPE is supplied by NUT
-PAGERDUTY_ROUTING_KEY="TBA"
-UPS_NAME=$(cat /etc/ups)
-
-case $NOTIFYTYPE in
- ONBATT | LOWBATT)
- EVENT_ACTION="trigger"
- EVENT_SEVERITY="critical"
- EVENT_DEDUP_KEY="STATE_$UPS_NAME"
- ;;
-
- ONLINE)
- EVENT_ACTION="resolve"
- EVENT_SEVERITY="critical"
- EVENT_DEDUP_KEY="STATE_$UPS_NAME"
- ;;
-
- SHUTDOWN | FSD)
- EVENT_ACTION="trigger"
- EVENT_SEVERITY="error"
- EVENT_DEDUP_KEY="STATE_$UPS_NAME"
- ;;
-
-
- COMMBAD | NOCOMM)
- EVENT_ACTION="trigger"
- EVENT_SEVERITY="warn"
- EVENT_DEDUP_KEY="COMM_$UPS_NAME"
- ;;
-
- COMMOK)
- EVENT_ACTION="resolve"
- EVENT_SEVERITY="warn"
- EVENT_DEDUP_KEY="COMM_$UPS_NAME"
- ;;
-
- *)
- EVENT_SEVERITY="critical"
- EVENT_ACTION="trigger"
- EVENT_DEDUP_KEY="STATE_$UPS_NAME"
- ;;
-esac
-
-EVENT_TIME=$(date --utc '+%Y-%m-%dT%H:%M:%S.%3N+0000')
-EVENT_SOURCE=$(hostname)
-
-UPS_STATUS_ALL=$(upsc "$UPS_NAME" 2>/dev/null)
-UPS_STATUS=$(echo "$UPS_STATUS_ALL" | grep ups.status | cut -d':' -f 2 | xargs)
-UPS_BATTERY_CHARGE=$(echo "$UPS_STATUS_ALL" | grep battery.charge | cut -d':' -f 2 | xargs)
-UPS_BATTERY_RUNTIME=$(echo "$UPS_STATUS_ALL" | grep battery.runtime | cut -d':' -f 2 | xargs)
-
-PAYLOAD=$(cat <<-EOF
- {
- "payload": {
- "summary": "UPS $UPS_NAME status changed to $NOTIFYTYPE",
- "timestamp": "$EVENT_TIME",
- "severity": "$EVENT_SEVERITY",
- "source": "$EVENT_SOURCE",
- "component": "Network UPS tools",
- "custom_details": {
- "notifytype": "$NOTIFYTYPE",
- "ups.status": "$UPS_STATUS",
- "battery.charge": "$UPS_BATTERY_CHARGE",
- "battery.runtime": "$UPS_BATTERY_RUNTIME"
- }
- },
- "routing_key": "$PAGERDUTY_ROUTING_KEY",
- "dedup_key": "$EVENT_DEDUP_KEY",
- "event_action": "$EVENT_ACTION",
- "client": "Network UPS tools"
- }
-EOF
-)
-
-echo "$PAYLOAD"
-
-curl --request POST -v \
- --url https://events.pagerduty.com/v2/enqueue \
- --header 'Accept: application/json' \
- --header 'Content-Type: application/json' \
- --data "$PAYLOAD"
\ No newline
at end of file From d77160d7e36febe2e54351e67b4fd27e16fced3e Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Wed, 9 Oct 2024 21:48:13 +0200 Subject: [PATCH 48/51] CI pipeline --- .github/workflows/cd.yml | 43 ---------------------------------------- .github/workflows/ci.yml | 41 +------------------------------------- 2 files changed, 1 insertion(+), 83 deletions(-) delete mode 100644 .github/workflows/cd.yml diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml deleted file mode 100644 index 15a2202..0000000 --- a/.github/workflows/cd.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: Release -on: - push: - branches: - - master - -jobs: - deploy-prod: - runs-on: self-hosted - steps: - - name: Checkout code - uses: actions/checkout@master - - - name: Write ssh key - run: | - echo "${{ secrets.SSH_KEY }}" > ${{ runner.temp }}/ssh.key - chmod 0600 ${{ runner.temp }}/ssh.key - - - name: Run Ansible playbooks - run: yarn prod:apply _all -e ansible_user=github-runner --private-key ${{ runner.temp }}/ssh.key - env: - SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_PRIVATE_KEY }} - ANSIBLE_HOST_KEY_CHECKING: "false" - - e2e-prod-local: - uses: homecentr/e2e/.github/workflows/run-e2e.yml@master - needs: - - deploy-prod - with: - environment: prod - client: local - secrets: - sops_age_key: ${{ secrets.SOPS_AGE_PRIVATE_KEY }} - - e2e-prod-remote: - uses: homecentr/e2e/.github/workflows/run-e2e.yml@master - needs: - - deploy-prod - with: - environment: prod - client: remote - secrets: - sops_age_key: ${{ secrets.SOPS_AGE_PRIVATE_KEY }} \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0b85b19..1083266 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -11,8 +11,8 @@ jobs: - name: Install pre-requisites run: | - yarn sudo wget -q -O /usr/bin/sops https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux.amd64 + yarn sudo chmod a+x /usr/bin/sops sudo pip install --upgrade pip sudo pip uninstall -y ansible-core @@ -26,42 +26,3 @@ jobs: run: yarn validate-values env: SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_PRIVATE_KEY }} - - deploy-lab: - runs-on: self-hosted - needs: - - validate - steps: - - name: Checkout code - uses: actions/checkout@master - - - name: Write ssh key - run: | - echo "${{ secrets.SSH_KEY }}" > ${{ runner.temp }}/ssh.key - chmod 0600 ${{ runner.temp }}/ssh.key - - - name: Run Ansible playbooks - run: yarn lab:apply _all -e ansible_user=github-runner --private-key ${{ runner.temp }}/ssh.key - env: - SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_PRIVATE_KEY }} - ANSIBLE_HOST_KEY_CHECKING: "false" - - e2e-lab-local: - uses: homecentr/e2e/.github/workflows/run-e2e.yml@master - needs: - - deploy-lab - with: - environment: lab - client: local - secrets: - sops_age_key: ${{ secrets.SOPS_AGE_PRIVATE_KEY }} - - e2e-lab-remote: - uses: homecentr/e2e/.github/workflows/run-e2e.yml@master - needs: - - deploy-lab - with: - environment: lab - client: remote - secrets: - sops_age_key: ${{ secrets.SOPS_AGE_PRIVATE_KEY }} \ No newline at end of file From 8aff08ec639e6ba5dda6c4420cf67c06aa9138dc Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Wed, 9 Oct 2024 21:51:54 +0200 Subject: [PATCH 49/51] CI 2 --- .github/workflows/ci.yml | 2 +- tools/install.sh | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1083266..97c28a9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
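Review bot: The sops binary is fetched with `sudo wget -q -O /usr/bin/sops https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux.amd64` and made executable without any integrity check, and that binary is what decrypts the age-protected secrets in the later steps; verify a pinned digest before the `chmod`, e.g. `echo "<expected-sha256>  /usr/bin/sops" | sha256sum -c -` (digest placeholder to be filled in from the release). The version is at least pinned, which is the right half of the job. The same download line appears as context in the next commit's ci.yml hunk.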
@@ -12,12 +12,12 @@ jobs: - name: Install pre-requisites run: | sudo wget -q -O /usr/bin/sops https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux.amd64 - yarn sudo chmod a+x /usr/bin/sops sudo pip install --upgrade pip sudo pip uninstall -y ansible-core pip install --force-reinstall ansible==7.6.0 pip install --force-reinstall ansible-lint==6.17.0 + SKIP_PLAYBOOKS=1 yarn install - name: Lint Ansible files run: yarn lint diff --git a/tools/install.sh b/tools/install.sh index 7b4ad94..9f817bc 100755 --- a/tools/install.sh +++ b/tools/install.sh @@ -3,5 +3,8 @@ # yarn install is executed automatically ansible-galaxy install -r ./requirements.yaml --force -ansible-playbook ./playbooks/local/setup.yaml -ansible-playbook -i ./inventory/ ./playbooks/local/ssh.yaml \ No newline at end of file + +if [ -z "${SKIP_PLAYBOOKS}" ]; then + ansible-playbook ./playbooks/local/setup.yaml + ansible-playbook -i ./inventory/ ./playbooks/local/ssh.yaml +fi \ No newline at end of file From 0a45cc98ce67b096d266de5c4e36c4803a39ec43 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Thu, 10 Oct 2024 14:09:57 +0200 Subject: [PATCH 50/51] fix: Lint fixes --- .ansible-lint | 2 ++ .ansible-lint-ignore | 2 +- inventory/hosts.yaml | 2 +- playbooks/_all.yaml | 1 - playbooks/local/setup.yaml | 3 +++ 5 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index bf70e95..4633687 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -3,7 +3,9 @@ exclude_paths: - .github/ - node_modules/ - "**/*.sops.yml" + - "**/*.sops.yaml" - ".sops.yaml" + - "**/inventory/hosts.yaml" use_default_rules: true diff --git a/.ansible-lint-ignore b/.ansible-lint-ignore index 124f2a6..898a766 100644 --- a/.ansible-lint-ignore +++ b/.ansible-lint-ignore 
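Review bot: `if [ -z "${SKIP_PLAYBOOKS}" ]; then` treats any non-empty value as a request to skip, so `SKIP_PLAYBOOKS=0` or `SKIP_PLAYBOOKS=false` would also silence the local playbooks, while the CI change in the same commit uses the `SKIP_PLAYBOOKS=1` convention; `if [ "${SKIP_PLAYBOOKS:-0}" != "1" ]; then` makes the contract explicit. A comment above the guard naming the use case, `# SKIP_PLAYBOOKS=1 skips the local setup/ssh playbooks (used by CI, which only lints)`, would spare the next reader the archaeology. The script's header (shebang and any `set -e`) is outside this hunk.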
@@ -5,4 +5,4 @@ roles/gluster_server/tasks/create-volume-quota.yml var-naming[no-role-prefix] roles/gluster_client/tasks/main.yml var-naming[no-role-prefix] roles/pve_virtual_machines/tasks/main.yml var-naming[no-role-prefix] roles/pve_virtual_machines/tasks/vm.yml var-naming[no-role-prefix] -playbooks/nvidia.yml name[casing] \ No newline at end of file +playbooks/nvidia.yml name[casing] diff --git a/inventory/hosts.yaml b/inventory/hosts.yaml index 38cccae..e9ccab7 100644 --- a/inventory/hosts.yaml +++ b/inventory/hosts.yaml @@ -24,7 +24,7 @@ all: children: lxc: vars: - node_exporter_args: "--collector.disable-defaults --collector.os --collector.uname --collector.textfile --collector.textfile.directory /var/lib/prometheus/node-exporter" + node_exporter_args: --collector.disable-defaults --collector.os --collector.uname --collector.textfile --collector.textfile.directory /var/lib/prometheus/node-exporter hosts: pihole1: ansible_host: 10.1.2.64 diff --git a/playbooks/_all.yaml b/playbooks/_all.yaml index 1faaf25..7c8d816 100644 --- a/playbooks/_all.yaml +++ b/playbooks/_all.yaml @@ -1,3 +1,2 @@ - ansible.builtin.import_playbook: pve-nodes.yaml - ansible.builtin.import_playbook: pve-guests.yaml - \ No newline at end of file diff --git a/playbooks/local/setup.yaml b/playbooks/local/setup.yaml index f90a249..9a9989f 100644 --- a/playbooks/local/setup.yaml +++ b/playbooks/local/setup.yaml @@ -14,6 +14,9 @@ ansible.builtin.get_url: url: https://pkg.cloudflare.com/cloudflare-main.gpg dest: /usr/share/keyrings/cloudflare-main.gpg + owner: "root" + group: "root" + mode: "0644" - name: Add Cloudflare repository ansible.builtin.apt_repository: From e340e00f6bf5dc63df7d8e7378598953fbac2d7d Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Thu, 10 Oct 2024 14:12:25 +0200 Subject: [PATCH 51/51] fix: CI fix --- .github/workflows/ci.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 97c28a9..942f355 100644 
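Review bot: `ansible.builtin.get_url` for `https://pkg.cloudflare.com/cloudflare-main.gpg` now sets owner, group and mode but still has no `checksum:`, and that keyring becomes the trust anchor for every package from the Cloudflare repository the next task adds; pin it with `checksum: "sha256:<expected-digest>"` (placeholder) so a changed or tampered download fails the play instead of silently replacing the trust root. A pinned digest has to be bumped when Cloudflare rotates the key, which is exactly the deliberate review step you want.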
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,8 +21,3 @@ jobs: - name: Lint Ansible files run: yarn lint - - - name: Compare values across environments - run: yarn validate-values - env: - SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_PRIVATE_KEY }}