Add performance tuning for nextcloud app

Fix nextcloud cron jobs never being run

ansible.cfg

@@ -0,0 +1,8 @@
+[defaults]
+host_key_checking = false
+
+[ssh_connection]
+ssh_args = "-C -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes"
+
+[inventory]
+enable_plugins = yaml

en1.yml

@@ -7,14 +7,9 @@ all:
     update: false
     clean: false
 
-    omni_host_swarm_controller: jupiter
-    omni_host_webproxy: jupiter
-
   children:
+
     servers:
-      children:
-        virtualization: {}
-    virtualization:
       vars:
         omni_local_hosts:
           - hostname: jupiter.svr.local
@@ -27,7 +22,6 @@ all:
         jupiter:
           ansible_host: jupiter.net.enp.one
           omni_description: EN1 System Control Server
-          omni_docker_swarm_iface: eno2
           omni_networking:
             eno1:
               dhcp: true
@@ -35,26 +29,59 @@ all:
             eno2:
               dhcp: false
               addresses: ["192.168.42.10/24"]
+        remus:
+          ansible_host: remus.net.enp.one
+          omni_description: EN1 Hypervisor/Datastore
+          omni_networking:
+            eno1:
+              dhcp: true
+              dhcp_address: 10.42.101.20/24
+            eno2:
+              dhcp: false
+              addresses: ["192.168.42.20/24"]
+        romulus:
+          ansible_host: romulus.net.enp.one
+          omni_description: EN1 Hypervisor/Datastore
+          omni_networking:
+            eno1:
+              dhcp: true
+              dhcp_address: 10.42.101.30/24
+            eno2:
+              dhcp: false
+              addresses: ["192.168.42.30/24"]
       children:
-        worker:
+        virtualization: {}
+        datastore: {}
+
+    virtualization:
+      hosts:
+        jupiter:
+          omni_docker_configs: /etc/omni/compose
+          omni_docker_swarm_iface: eno2
+      children:
+        virtualization_worker:
           hosts:
             remus:
-              ansible_host: remus.net.enp.one
+              omni_docker_swarm_iface: eno2
-              omni_description: EN1 Hypervisor/Datastore
-              omni_networking:
-                eno1:
-                  dhcp: true
-                  dhcp_address: 10.42.101.20/24
-                eno2:
-                  dhcp: false
-                  addresses: ["192.168.42.20/24"]
             romulus:
-              ansible_host: romulus.net.enp.one
+              omni_docker_swarm_iface: eno2
-              omni_description: EN1 Hypervisor/Datastore
+
-              omni_networking:
+    datastore:
-                eno1:
+      children:
-                  dhcp: true
+        datastore_arbiter:
-                  dhcp_address: 10.42.101.30/24
+          hosts:
-                eno2:
+            jupiter:
-                  dhcp: false
+              omni_datastore_mount: /mnt/datastore
-                  addresses: ["192.168.42.30/24"]
+              omni_gluster_brick:
+                mount: /mnt/brick0
+                fs: xfs
+        datastore_block:
+          hosts:
+            remus:
+              omni_gluster_brick:
+                mount: /mnt/brick0
+                fs: xfs
+            romulus:
+              omni_gluster_brick:
+                mount: /mnt/brick0
+                fs: xfs

playbooks/configure-mgmt.yml

@@ -24,9 +24,9 @@
 - name: Configure local accounts
   hosts: all
   vars_files:
-    - vars/accounts.yml
+    - vars/accounts.yaml
-    - vars/secrets/passwords.yml
+    - vars/secrets/passwords.yaml
-    - vars/sshkeys.yml
+    - vars/sshkeys.yaml
   tasks:
     - name: Create omni group
       become: true

playbooks/configure-webproxy.yml

@@ -1,37 +1,54 @@
 ---
-# TBW
+- import_playbook: initialize.yml
 
-# - name: Install Nginx
+
-#   hosts: jupiter
+- name: Install Nginx
-#   handlers:
+  hosts: jupiter
-#     - name: restart_nginx
+  handlers:
-#       become: true
+    - name: restart-nginx
-#       systemd:
+      import_tasks: tasks/nginx/services.yml
-#         name: nginx
+  tasks:
-#         state: restarted
+    - import_tasks: tasks/nginx/install.yml
-#   tasks:
+
-#     - name: Install nginx and certbot
+    - name: Set required SELinux options
-#       become: true
+      become: true
-#       dnf:
+      seboolean:
-#         name:
+        name: httpd_can_network_connect
-#           - nginx
+        persistent: true
-#           - certbot
+        state: true
-#           - python3-certbot-nginx
+      notify:
-#         state: present
+        - restart-nginx
-#
+
-#     - name: Enable and start nginx
+
-#       become: true
+- name: Configure Nginx
-#       systemd:
+  hosts: jupiter
-#         name: nginx
+  vars_files:
-#         state: started
+    - vars/applications.yaml
-#         enabled: true
+  vars:
-#
+    _letsencrypt_cert_dir: /etc/letsencrypt/live
-#     - name: Install configuration
+  handlers:
-#       become: true
+    - name: restart-nginx
-#       copy:
+      import_tasks: tasks/nginx/services.yml
-#         src: nginx.conf
+  tasks:
-#         dest: /etc/nginx/nginx.conf
+    - name: Install server configuration
-#       notify:
+      become: true
-#         - restart_nginx
+      copy:
-#
+        src: nginx/nginx.conf
-# # sudo setsebool -P httpd_can_network_connect on
+        dest: /etc/nginx/nginx.conf
+      notify:
+        - restart-nginx
+
+    - name: Install application configurations
+      when: item.value.published.host is defined
+      become: true
+      template:
+        src: nginx/{{ item.key }}.nginx.conf.j2
+        dest: /etc/nginx/conf.d/{{ item.key }}.conf
+        owner: nginx
+        group: "{{ ansible_user }}"
+        mode: 0755
+      loop: "{{ omni_compose_apps | dict2items }}"
+      loop_control:
+        label: "{{ item.key }} ({{ item.value.published.host | default('none') }})"
+      notify:
+        - restart-nginx

playbooks/deploy-compose.yml

@@ -0,0 +1,98 @@
+---
+- name: Prompt for input
+  hosts: all
+  tags:
+    - always
+  gather_facts: false
+  vars_prompt:
+    - name: application
+      prompt: Enter name of application stack to deploy
+      private: false
+  vars_files:
+    - vars/applications.yaml
+  tasks:
+    - name: Validate user input
+      assert:
+        that: application in omni_compose_apps.keys()
+
+    - name: Set facts for usage later
+      set_fact:
+        _runtime_application: "{{ application }}"
+
+
+- import_playbook: initialize.yml
+
+
+- name: Build image
+  hosts: virtualization
+  vars_files:
+    - vars/applications.yaml
+  tasks:
+    - import_tasks: tasks/docker/build.yml
+
+
+- name: Configure datastore
+  hosts: jupiter
+  vars_files:
+    - vars/applications.yaml
+    - vars/secrets/applications.yaml
+  tasks:
+    - name: Create application datastore directory
+      become: true
+      file:
+        path: "{{ omni_datastore_mount }}{{ omni_compose_apps[_runtime_application].datastore }}"
+        state: directory
+        owner: "{{ omni_compose_apps[_runtime_application].account.name }}"
+        group: "{{ omni_compose_apps[_runtime_application].account.name }}"
+        mode: 0750
+
+    - name: Create datastore assets
+      become: true
+      template:
+        src: "{{ item.src }}"
+        dest: "{{ omni_datastore_mount }}{{ omni_compose_apps[_runtime_application].datastore }}/{{ item.name }}"
+        owner: "{{ omni_compose_apps[_runtime_application].account.name }}"
+        group: "{{ omni_compose_apps[_runtime_application].account.name }}"
+        mode: "{{ item.permissions | default(0644) }}"
+      loop: "{{ omni_compose_apps[_runtime_application].assets | default([]) }}"
+
+
+- name: Configure docker stack
+  hosts: jupiter
+  vars_files:
+    - vars/applications.yaml
+    - vars/secrets/applications.yaml
+  tasks:
+    - name: Create compose configuration directory
+      become: true
+      file:
+        path: "{{ omni_docker_configs }}/{{ _runtime_application }}"
+        state: directory
+        owner: "{{ ansible_user }}"
+        group: docker
+        mode: 0750
+
+    - name: Install docker-compose file
+      become: true
+      template:
+        src: docker-compose/{{ _runtime_application }}.yaml.j2
+        dest: "{{ omni_docker_configs }}/{{ _runtime_application }}/docker-compose.yaml"
+        owner: "{{ ansible_user }}"
+        group: docker
+        mode: 0640
+      register: _stack_file_state
+
+    - name: Remove the existing stack
+      when: _stack_file_state.changed is true or omni_compose_apps[_runtime_application].force_clean | default(false) is true
+      docker_stack:
+        name: "{{ _runtime_application }}"
+        state: absent
+        compose:
+          - "{{ omni_docker_configs }}/{{ _runtime_application }}/docker-compose.yaml"
+
+    - name: Deploy the stack
+      docker_stack:
+        name: "{{ _runtime_application }}"
+        state: present
+        compose:
+          - "{{ omni_docker_configs }}/{{ _runtime_application }}/docker-compose.yaml"

playbooks/initialize.yml

@@ -1,7 +1,6 @@
 ---
 - name: Bootstrap remote ansible environment
   hosts: all
-
   tags:
     - always
   vars:
@@ -39,16 +38,6 @@
         cmd: "{{ ansible_python_interpreter }} -m venv {{ omni_ansible_venv }} --system-site-packages"
         creates: "{{ omni_ansible_venv }}/bin/python"
 
-    # - name: Assign ownership of the virtualenv to ansible
-    #   become: true
-    #   file:
-    #     path: "{{ omni_ansible_venv }}"
-    #     state: directory
-    #     owner: "{{ ansible_user }}"
-    #     group: "{{ ansible_user }}"
-    #     mode: 0755
-    #     follow: false
-
     - name: Generate remote requirements file locally
       delegate_to: 127.0.0.1
       command:

playbooks/provision-common.yml

@@ -5,7 +5,7 @@
 - name: Configure system settings
   hosts: all
   vars_files:
-    - vars/packages.yml
+    - vars/packages.yaml
   pre_tasks:
     - import_tasks: tasks/centos-8-kernelplus.yml
   tasks:

poetry.lock

@@ -84,7 +84,7 @@ cffi = ">=1.1"
 six = ">=1.4.1"
 
 [package.extras]
-tests = ["pytest (>=3.2.1,<3.3.0 || >3.3.0)"]
+tests = ["pytest (>=3.2.1,!=3.3.0)"]
 typecheck = ["mypy"]
 
 [[package]]
@@ -209,7 +209,7 @@ optional = false
 python-versions = "*"
 
 [package.extras]
-test = ["flake8 (3.7.8)", "hypothesis (3.55.3)"]
+test = ["flake8 (==3.7.8)", "hypothesis (==3.55.3)"]
 
 [[package]]
 name = "crashtest"
@@ -232,11 +232,11 @@ cffi = ">=1.8,<1.11.3 || >1.11.3"
 six = ">=1.4.1"
 
 [package.extras]
-docs = ["sphinx (>=1.6.5,<1.8.0 || >1.8.0,<3.1.0 || >3.1.0,<3.1.1 || >3.1.1)", "sphinx-rtd-theme"]
+docs = ["sphinx (>=1.6.5,!=1.8.0,!=3.1.0,!=3.1.1)", "sphinx-rtd-theme"]
 docstest = ["doc8", "pyenchant (>=1.6.11)", "twine (>=1.12.0)", "sphinxcontrib-spelling (>=4.0.1)"]
 pep8test = ["black", "flake8", "flake8-import-order", "pep8-naming"]
 ssh = ["bcrypt (>=3.1.5)"]
-test = ["pytest (>=3.6.0,<3.9.0 || >3.9.0,<3.9.1 || >3.9.1,<3.9.2 || >3.9.2)", "pretend", "iso8601", "pytz", "hypothesis (>=1.11.4,<3.79.2 || >3.79.2)"]
+test = ["pytest (>=3.6.0,!=3.9.0,!=3.9.1,!=3.9.2)", "pretend", "iso8601", "pytz", "hypothesis (>=1.11.4,!=3.79.2)"]
 
 [[package]]
 name = "distlib"
@@ -296,7 +296,7 @@ texttable = ">=0.9.0,<2"
 websocket-client = ">=0.32.0,<1"
 
 [package.extras]
-socks = ["PySocks (>=1.5.6,<1.5.7 || >1.5.7,<2)"]
+socks = ["PySocks (>=1.5.6,!=1.5.7,<2)"]
 tests = ["ddt (>=1.2.2,<2)", "pytest (<6)"]
 
 [[package]]
@@ -419,6 +419,14 @@ MarkupSafe = ">=0.23"
 [package.extras]
 i18n = ["Babel (>=0.8)"]
 
+[[package]]
+name = "jsondiff"
+version = "1.2.0"
+description = "Diff JSON and JSON-like structures in Python"
+category = "main"
+optional = false
+python-versions = "*"
+
 [[package]]
 name = "jsonschema"
 version = "3.2.0"
@@ -453,7 +461,7 @@ SecretStorage = {version = ">=3.2", markers = "sys_platform == \"linux\""}
 
 [package.extras]
 docs = ["sphinx", "jaraco.packaging (>=3.2)", "rst.linker (>=1.9)"]
-testing = ["pytest (>=3.5,<3.7.3 || >3.7.3)", "pytest-checkdocs (>=1.2.3)", "pytest-flake8", "pytest-cov", "jaraco.test (>=3.2.0)", "pytest-black (>=0.3.7)", "pytest-mypy"]
+testing = ["pytest (>=3.5,!=3.7.3)", "pytest-checkdocs (>=1.2.3)", "pytest-flake8", "pytest-cov", "jaraco.test (>=3.2.0)", "pytest-black (>=0.3.7)", "pytest-mypy"]
 
 [[package]]
 name = "lockfile"
@@ -690,7 +698,7 @@ six = "*"
 
 [package.extras]
 docs = ["sphinx (>=1.6.5)", "sphinx-rtd-theme"]
-tests = ["pytest (>=3.2.1,<3.3.0 || >3.3.0)", "hypothesis (>=3.27.0)"]
+tests = ["pytest (>=3.2.1,!=3.3.0)", "hypothesis (>=3.27.0)"]
 
 [[package]]
 name = "pyparsing"
@@ -759,7 +767,7 @@ urllib3 = ">=1.21.1,<1.27"
 
 [package.extras]
 security = ["pyOpenSSL (>=0.14)", "cryptography (>=1.3.4)"]
-socks = ["PySocks (>=1.5.6,<1.5.7 || >1.5.7)", "win-inet-pton"]
+socks = ["PySocks (>=1.5.6,!=1.5.7)", "win-inet-pton"]
 
 [[package]]
 name = "requests-toolbelt"
@@ -933,7 +941,7 @@ python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4"
 [package.extras]
 brotli = ["brotlipy (>=0.6.0)"]
 secure = ["pyOpenSSL (>=0.14)", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "certifi", "ipaddress"]
-socks = ["PySocks (>=1.5.6,<1.5.7 || >1.5.7,<2.0)"]
+socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"]
 
 [[package]]
 name = "virtualenv"
@@ -995,12 +1003,12 @@ python-versions = ">=3.6"
 
 [package.extras]
 docs = ["sphinx", "jaraco.packaging (>=3.2)", "rst.linker (>=1.9)"]
-testing = ["pytest (>=3.5,<3.7.3 || >3.7.3)", "pytest-checkdocs (>=1.2.3)", "pytest-flake8", "pytest-cov", "jaraco.test (>=3.2.0)", "jaraco.itertools", "func-timeout", "pytest-black (>=0.3.7)", "pytest-mypy"]
+testing = ["pytest (>=3.5,!=3.7.3)", "pytest-checkdocs (>=1.2.3)", "pytest-flake8", "pytest-cov", "jaraco.test (>=3.2.0)", "jaraco.itertools", "func-timeout", "pytest-black (>=0.3.7)", "pytest-mypy"]
 
 [metadata]
 lock-version = "1.1"
 python-versions = "^3.7"
-content-hash = "8b7b0693f9b950cdd1b324b3a949fee237711b6db378b291df158baf0c8c83d5"
+content-hash = "fab3171105b575ad1762097ee732aba6b81555636d32cb4d3cf6f48326149396"
 
 [metadata.files]
 ansible = [
@@ -1196,6 +1204,9 @@ jinja2 = [
     {file = "Jinja2-2.11.2-py2.py3-none-any.whl", hash = "sha256:f0a4641d3cf955324a89c04f3d94663aa4d638abe8f733ecd3582848e1c37035"},
     {file = "Jinja2-2.11.2.tar.gz", hash = "sha256:89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0"},
 ]
+jsondiff = [
+    {file = "jsondiff-1.2.0.tar.gz", hash = "sha256:34941bc431d10aa15828afe1cbb644977a114e75eef6cc74fb58951312326303"},
+]
 jsonschema = [
     {file = "jsonschema-3.2.0-py2.py3-none-any.whl", hash = "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163"},
     {file = "jsonschema-3.2.0.tar.gz", hash = "sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a"},

pyproject.toml

@@ -11,6 +11,7 @@ ansible = "^2.9.4"
 docker = "^4.2.0"
 docker-compose = "^1.25.4"
 paramiko = "^2.7.1"
+jsondiff = "^1.2.0"
 
 [tool.poetry.dev-dependencies]
 ansible-lint = "^4.2.0"

resources/atom-config.cson

@@ -0,0 +1,57 @@
+"*":
+  "autocomplete-python":
+    useKite: false
+  core:
+    disabledPackages: [
+      "about"
+      "background-tips"
+      "github"
+      "image-view"
+      "metrics"
+      "open-on-github"
+    ]
+    telemetryConsent: "no"
+    themes: [
+      "one-dark-ui"
+      "base16-tomorrow-dark-theme"
+    ]
+  editor:
+    fontSize: 16
+    invisibles: {}
+    preferredLineLength: 100
+  "exception-reporting":
+    userId: "21f90c70-b680-4a55-a906-c8d67e98bf28"
+  "ide-python":
+    pylsPlugins:
+      flake8:
+        ignore: [
+          "E121"
+          "E123"
+          "E126"
+          "E226"
+          "E24"
+          "E704"
+          "W503"
+          "W504"
+          "E501"
+        ]
+      pycodestyle:
+        ignore: [
+          "E121"
+          "E123"
+          "E126"
+          "E226"
+          "E24"
+          "E704"
+          "W503"
+          "E501"
+        ]
+        maxLineLength: 100
+      pyflakes: {}
+      pylint:
+        enabled: true
+      rope_completion: {}
+    python: "python3.7"
+  "tree-view": {}
+  welcome:
+    showOnStartup: false

resources/bash/setup-atom.sh

@@ -0,0 +1,20 @@
+curl -o atom.rpm https://github.com/atom/atom/releases/download/v1.53.0/atom.x86_64.rpm
+dnf install atom.rpm
+
+python3.7 -m pip install \
+  python-language-server[all]==0.21.5 \
+  parso==0.5.2 \
+  jedi==0.15.2
+
+apm install \
+  atom-ide-ui@0.13.0 \
+  atom-jinja2@0.6.0 \
+  atom-typescript@14.1.2 \
+  autocomplete-python@1.16.0 \
+  ide-python@1.6.2 \
+  ide-typescript@0.9.1 \
+  language-docker \
+  language-ini \
+  language-restructuredtext \
+  language-rpm-spec \
+  minimap

resources/docker-compose/bitwarden.yaml.j2

@@ -0,0 +1,257 @@
+---
+version: "{{ omni_compose_version | string }}"
+
+
+x-global-env: &globalenv
+  LOCAL_UID: "{{ omni_compose_apps.bitwarden.account.uid | string }}"
+  LOCAL_GID: "{{ omni_compose_apps.bitwarden.account.uid | string}}"
+  ASPNETCORE_ENVIRONMENT: Production
+  globalSettings__selfHosted: "true"
+  globalSettings__baseServiceUri__vault: https://{{ omni_compose_apps.bitwarden.published.host }}
+  globalSettings__baseServiceUri__api: https://{{ omni_compose_apps.bitwarden.published.host }}/api
+  globalSettings__baseServiceUri__identity: https://{{ omni_compose_apps.bitwarden.published.host }}/identity
+  globalSettings__baseServiceUri__admin: https://{{ omni_compose_apps.bitwarden.published.host }}/admin
+  globalSettings__baseServiceUri__notifications: https://{{ omni_compose_apps.bitwarden.published.host }}/notifications
+  globalSettings__baseServiceUri__internalNotifications: http://bitwarden_notifications:5000
+  globalSettings__baseServiceUri__internalAdmin: http://bitwarden_admin:5000
+  globalSettings__baseServiceUri__internalIdentity: http://bitwarden_identity:5000
+  globalSettings__baseServiceUri__internalApi: http://bitwarden_api:5000
+  globalSettings__baseServiceUri__internalVault: http://bitwarden_web:5000
+  globalSettings__pushRelayBaseUri: https://push.bitwarden.com
+  globalSettings__installation__identityUri: https://identity.bitwarden.com
+  globalSettings__sqlServer__connectionString: "Data Source=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;Password=e934c0bb-3b5a-4e6b-b525-cd6d83004e1a;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=True;TrustServerCertificate=True"
+  globalSettings__identityServer__certificatePassword: {{ omni_compose_app_secrets.bitwarden.identity_server_certificate_password }}
+  globalSettings__attachment__baseDirectory: /etc/bitwarden/core/attachments
+  globalSettings__attachment__baseUrl: https://{{ omni_compose_apps.bitwarden.published.host }}/attachments
+  globalSettings__dataProtection__directory: /etc/bitwarden/core/aspnet-dataprotection
+  globalSettings__logDirectory: /etc/bitwarden/logs
+  globalSettings__licenseDirectory: /etc/bitwarden/core/licenses
+  globalSettings__internalIdentityKey: {{ omni_compose_app_secrets.bitwarden.internal_identity_key }}
+  globalSettings__duo__aKey: {{ omni_compose_app_secrets.bitwarden.duo_akey }}
+  globalSettings__installation__id: {{ omni_compose_app_secrets.bitwarden.installation_id }}
+  globalSettings__installation__key: {{ omni_compose_app_secrets.bitwarden.installation_key }}
+  globalSettings__yubico__clientId: REPLACE
+  globalSettings__yubico__key: REPLACE
+  globalSettings__mail__replyToEmail: noreply@enp.one
+  globalSettings__mail__smtp__host: REPLACE
+  globalSettings__mail__smtp__port: "587"
+  globalSettings__mail__smtp__ssl: "false"
+  globalSettings__mail__smtp__username: REPLACE
+  globalSettings__mail__smtp__password: REPLACE
+  globalSettings__disableUserRegistration: "false"
+  globalSettings__hibpApiKey: REPLACE
+  adminSettings__admins: ""
+
+
+volumes:
+  bitwarden-db-data:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/mssql/data
+    driver: glusterfs
+  bitwarden-db-backup:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/mssql/backup
+  bitwarden-nginx-data:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/nginx
+    driver: glusterfs
+  bitwarden-web:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/web
+    driver: glusterfs
+  bitwarden-ssl:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/ssl
+    driver: glusterfs
+  bitwarden-ca-certs:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/ca-certificates
+    driver: glusterfs
+  bitwarden-core:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/core
+    driver: glusterfs
+  bitwarden-identity:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/identity
+    driver: glusterfs
+  bitwarden-logs-api:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/logs/api
+    driver: glusterfs
+  bitwarden-logs-db:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/logs/mssql
+    driver: glusterfs
+  bitwarden-logs-identity:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/logs/identity
+    driver: glusterfs
+  bitwarden-logs-nginx:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/logs/nginx
+    driver: glusterfs
+  bitwarden-logs-admin:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/logs/admin
+    driver: glusterfs
+  bitwarden-logs-icons:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/logs/icons
+    driver: glusterfs
+  bitwarden-logs-notifications:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/logs/notifications
+    driver: glusterfs
+  bitwarden-logs-events:
+    name: datastore{{ omni_compose_apps.bitwarden.datastore }}/logs/events
+    driver: glusterfs
+
+
+networks:
+  bitwarden_internal:
+    internal: true
+    name: bitwarden_internal
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ omni_compose_apps.bitwarden.networks.internal }}
+  bitwarden_external:
+    internal: false
+    name: bitwarden_external
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ omni_compose_apps.bitwarden.networks.external }}
+
+
+services:
+  mssql:
+    image: bitwarden/mssql:{{ omni_compose_apps.bitwarden.versions.mssql | default(omni_compose_apps.bitwarden.versions.default) }}
+    stop_grace_period: 60s
+    networks:
+      - bitwarden_internal
+    volumes:
+      - bitwarden-db-data:/var/opt/mssql/data
+      - bitwarden-db-backup:/etc/bitwarden/mssql/backups
+      - bitwarden-logs-db:/var/opt/mssql/log
+    environment:
+      LOCAL_UID: "{{ omni_compose_apps.bitwarden.account.uid | string }}"
+      LOCAL_GID: "{{ omni_compose_apps.bitwarden.account.uid | string }}"
+      ACCEPT_EULA: "Y"
+      MSSQL_PID: Express
+      SA_PASSWORD: {{ omni_compose_app_secrets.bitwarden.mssql_sa_password }}
+    deploy:
+      replicas: 1
+
+  web:
+    image: bitwarden/web:{{ omni_compose_apps.bitwarden.versions.web | default(omni_compose_apps.bitwarden.versions.default) }}
+    networks:
+      - bitwarden_internal
+    volumes:
+      - bitwarden-web:/etc/bitwarden/web
+    environment: *globalenv
+    deploy:
+      replicas: 1
+
+  attachments:
+    image: bitwarden/attachments:{{ omni_compose_apps.bitwarden.versions.attachments | default(omni_compose_apps.bitwarden.versions.default) }}
+    networks:
+      - bitwarden_internal
+    volumes:
+      - bitwarden-core:/etc/bitwarden/core
+    environment: *globalenv
+    deploy:
+      replicas: 1
+
+  api:
+    image: bitwarden/api:{{ omni_compose_apps.bitwarden.versions.api | default(omni_compose_apps.bitwarden.versions.default) }}
+    volumes:
+      - bitwarden-core:/etc/bitwarden/core
+      - bitwarden-ca-certs:/etc/bitwarden/ca-certificates
+      - bitwarden-logs-api:/etc/bitwarden/logs
+    environment: *globalenv
+    networks:
+      - bitwarden_external
+      - bitwarden_internal
+    deploy:
+      replicas: 1
+
+  identity:
+    image: bitwarden/identity:{{ omni_compose_apps.bitwarden.versions.identity | default(omni_compose_apps.bitwarden.versions.default) }}
+    volumes:
+      - bitwarden-identity:/etc/bitwarden/identity
+      - bitwarden-core:/etc/bitwarden/core
+      - bitwarden-ca-certs:/etc/bitwarden/ca-certificates
+      - bitwarden-logs-identity:/etc/bitwarden/logs
+    environment: *globalenv
+    networks:
+      - bitwarden_external
+      - bitwarden_internal
+    deploy:
+      replicas: 1
+
+  admin:
+    image: bitwarden/admin:{{ omni_compose_apps.bitwarden.versions.admin | default(omni_compose_apps.bitwarden.versions.default) }}
+    depends_on:
+      - mssql
+    volumes:
+      - bitwarden-core:/etc/bitwarden/core
+      - bitwarden-ca-certs:/etc/bitwarden/ca-certificates
+      - bitwarden-logs-admin:/etc/bitwarden/logs
+    environment: *globalenv
+    networks:
+      - bitwarden_external
+      - bitwarden_internal
+    deploy:
+      replicas: 1
+
+  icons:
+    image: bitwarden/icons:{{ omni_compose_apps.bitwarden.versions.icons | default(omni_compose_apps.bitwarden.versions.default) }}
+    volumes:
+      - bitwarden-ca-certs:/etc/bitwarden/ca-certificates
+      - bitwarden-logs-icons:/etc/bitwarden/logs
+    environment: *globalenv
+    networks:
+      - bitwarden_external
+      - bitwarden_internal
+    deploy:
+      replicas: 1
+
+  notifications:
+    image: bitwarden/notifications:{{ omni_compose_apps.bitwarden.versions.notifications | default(omni_compose_apps.bitwarden.versions.default) }}
+    volumes:
+      - bitwarden-ca-certs:/etc/bitwarden/ca-certificates
+      - bitwarden-logs-notifications:/etc/bitwarden/logs
+    environment: *globalenv
+    networks:
+      - bitwarden_external
+      - bitwarden_internal
+    deploy:
+      replicas: 1
+
+  events:
+    image: bitwarden/events:{{ omni_compose_apps.bitwarden.versions.events | default(omni_compose_apps.bitwarden.versions.default) }}
+    volumes:
+      - bitwarden-ca-certs:/etc/bitwarden/ca-certificates
+      - bitwarden-logs-events:/etc/bitwarden/logs
+    environment: *globalenv
+    networks:
+      - bitwarden_external
+      - bitwarden_internal
+    deploy:
+      replicas: 1
+
+  nginx:
+    image: bitwarden/nginx:{{ omni_compose_apps.bitwarden.versions.nginx | default(omni_compose_apps.bitwarden.versions.default) }}
+    depends_on:
+      - web
+      - admin
+      - api
+      - identity
+    ports:
+      - published: {{ omni_compose_apps.bitwarden.published.ports.8080 }}
+        target: 8080
+        protocol: tcp
+        mode: ingress
+      - published: {{ omni_compose_apps.bitwarden.published.ports.8443 }}
+        target: 8443
+        protocol: tcp
+        mode: ingress
+    volumes:
+      - bitwarden-nginx-data:/etc/bitwarden/nginx
+      - bitwarden-ssl:/etc/ssl
+      - bitwarden-logs-nginx:/var/log/nginx
+    environment: *globalenv
+    networks:
+      - bitwarden_external
+      - bitwarden_internal
+    deploy:
+      replicas: 1

resources/docker-compose/gitea.yaml.j2

@@ -0,0 +1,51 @@
+---
+version: "{{ omni_compose_version | string }}"
+
+
+networks:
+  gitea:
+    name: gitea
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ omni_compose_apps.gitea.networks.main }}
+
+
+volumes:
+  gitea-data:
+    name: datastore{{ omni_compose_apps.gitea.datastore }}
+    driver: glusterfs
+
+
+services:
+  server:
+    image: gitea/gitea:{{ omni_compose_apps.gitea.versions.gitea | default(omni_compose_apps.gitea.versions.default) }}
+    hostname: gitea
+    networks:
+      - gitea
+    ports:
+      - published: {{ omni_compose_apps.gitea.published.ports.3000 }}
+        target: 3000
+        protocol: tcp
+        mode: ingress
+      - published: {{ omni_compose_apps.gitea.published.ports.22 }}
+        target: 22
+        protocol: tcp
+        mode: ingress
+    volumes:
+      - type: volume
+        source: gitea-data
+        target: /data
+        read_only: false
+    environment:
+      USER_UID: "{{ omni_compose_apps.gitea.account.uid | string }}"
+      USER_GID: "{{ omni_compose_apps.gitea.account.uid | string }}"
+      APP_NAME: ENP VCS
+      RUN_MODE: prod
+      DOMAIN: jupiter.net.enp.one
+      ROOT_URL: https://{{ omni_compose_apps.gitea.published.host }}/
+      DB_TYPE: sqlite3
+      DISABLE_REGISTRATION: "true"
+    deploy:
+      replicas: 1

resources/docker-compose/minecraft.yaml.j2

@@ -0,0 +1,53 @@
+---
+version: "{{ omni_compose_version | string }}"
+
+
+networks:
+  minecraft:
+    name: minecraft
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ omni_compose_apps.minecraft.networks.main }}
+
+
+volumes:
+  minecraft-data:
+    name: datastore{{ omni_compose_apps.minecraft.datastore }}
+    driver: glusterfs
+
+
+services:
+  server:
+    image: itzg/minecraft-server:{{ omni_compose_apps.minecraft.versions.main }}
+    hostname: minecraft
+    networks:
+      - minecraft
+    ports:
+      - published: {{ omni_compose_apps.minecraft.published.ports.25565 }}
+        target: 25565
+        protocol: tcp
+        mode: ingress
+    volumes:
+      - type: volume
+        source: minecraft-data
+        target: /data
+        read_only: false
+    environment:
+      EULA: "TRUE"
+      TZ: Americas/New_York
+      VERSION: {{ omni_compose_apps.minecraft.versions.server }}
+      MAX_MEMORY: "8G"
+      MOTD: "A home for buttery companions"
+      MODE: survival
+      OPS: ScifiGeek42
+      WHITELIST: "ScifiGeek42,fantasycat256,CoffeePug,Snowdude21325,KaiserSJR,glutenfreebean"
+      MAX_BUILD_HEIGHT: "512"
+      SNOOPER_ENABLED: "false"
+      ICON: https://cdn.enp.one/img/logos/e-w-sm.png
+      ENABLE_RCON: "false"
+      UID: "{{ omni_compose_apps.minecraft.account.uid | string }}"
+      GID: "{{ omni_compose_apps.minecraft.account.uid | string }}"
+    deploy:
+      replicas: 1

resources/docker-compose/nextcloud.yaml.j2

@@ -0,0 +1,144 @@
+---
+version: "{{ omni_compose_version | string }}"
+
+
+x-server-env: &server-env
+  NEXTCLOUD_DATA_DIR: /data/
+  NEXTCLOUD_ADMIN_USER: admin
+  NEXTCLOUD_ADMIN_PASSWORD: {{ omni_compose_app_secrets.nextcloud.admin_password }}
+  NEXTCLOUD_TRUSTED_DOMAINS: localhost {{ inventory_hostname }} {{ omni_compose_apps.nextcloud.published.host }}
+  MYSQL_DATABASE: nextcloud
+  MYSQL_USER: root
+  MYSQL_PASSWORD: {{ omni_compose_app_secrets.nextcloud.database_password }}
+  MYSQL_HOST: database
+  REDIS_HOST: cache
+  PHP_MEMORY_LIMIT: "12G"
+  PHP_UPLOAD_LIMIT: "6G"
+  PHP_INI_SCAN_DIR: /usr/local/etc/php/conf.d:/var/www/html/
+
+
+networks:
+  nextcloud:
+    name: nextcloud
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ omni_compose_apps.nextcloud.networks.main }}
+
+
+volumes:
+  database:
+    name: datastore{{ omni_compose_apps.nextcloud.datastore }}/database
+    driver: glusterfs
+  data:
+    name: datastore/{{ omni_compose_apps.nextcloud.datastore }}/userdata
+    driver: glusterfs
+  config:
+    name: datastore{{ omni_compose_apps.nextcloud.datastore }}/config
+    driver: glusterfs
+  proxy:
+    name: datastore{{ omni_compose_apps.nextcloud.datastore }}/proxy
+    driver: glusterfs
+
+
+services:
+  database:
+    image: mariadb:{{ omni_compose_apps.nextcloud.versions.database | default(omni_compose_apps.nextcloud.versions.default) }}
+    hostname: nextcloud-database
+    networks:
+      - nextcloud
+    volumes:
+      - type: volume
+        source: database
+        target: /var/lib/mysql
+        read_only: false
+      - type: volume
+        source: proxy
+        target: /etc/mysql/conf.d
+        read_only: true
+    environment:
+      MYSQL_ROOT_PASSWORD: {{ omni_compose_app_secrets.nextcloud.database_password }}
+      MYSQL_DATABASE: nextcloud
+    deploy:
+      replicas: 1
+
+  cache:
+    image: redis:{{ omni_compose_apps.nextcloud.versions.cache | default(omni_compose_apps.nextcloud.versions.default) }}
+    hostname: nextcloud-cache
+    networks:
+      - nextcloud
+    deploy:
+      replicas: 1
+
+  proxy:
+    image: nginx:{{ omni_compose_apps.nextcloud.versions.proxy | default(omni_compose_apps.nextcloud.versions.default) }}
+    hostname: nextcloud-proxy
+    networks:
+      - nextcloud
+    depends_on:
+      - server
+    ports:
+      - published: {{ omni_compose_apps.nextcloud.published.ports.80 }}
+        target: 80
+        protocol: tcp
+        mode: ingress
+    volumes:
+      - type: volume
+        source: config
+        target: /usr/share/nginx/nextcloud
+        read_only: true
+      - type: volume
+        source: proxy
+        target: /etc/nginx/conf.d
+        read_only: true
+    deploy:
+      replicas: 1
+
+  server:
+    image: nextcloud:{{ omni_compose_apps.nextcloud.versions.server | default(omni_compose_apps.nextcloud.versions.default) }}
+    hostname: nextcloud-server
+    user: "{{ omni_compose_apps.nextcloud.account.uid }}"
+    networks:
+      - nextcloud
+    depends_on:
+      - database
+      - cache
+    volumes:
+      - type: volume
+        source: data
+        target: /data
+        read_only: false
+      - type: volume
+        source: config
+        target: /var/www/html
+        read_only: false
+    environment: *server-env
+    deploy:
+      replicas: 1
+
+  cron:
+    image: nextcloud:{{ omni_compose_apps.nextcloud.versions.server | default(omni_compose_apps.nextcloud.versions.default) }}
+    command: php /var/www/html/cron.php
+    hostname: nextcloud-cron
+    user: "{{ omni_compose_apps.nextcloud.account.uid }}"
+    networks:
+      - nextcloud
+    depends_on:
+      - database
+      - cache
+    volumes:
+      - type: volume
+        source: data
+        target: /data
+        read_only: false
+      - type: volume
+        source: config
+        target: /var/www/html
+        read_only: false
+    environment: *server-env
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: "4m"

resources/docker-compose/plex.yaml.j2

@@ -0,0 +1,90 @@
+---
+version: "{{ omni_compose_version | string }}"
+
+
+networks:
+  plex:
+    name: plex
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ omni_compose_apps.plex.networks.main }}
+
+
+volumes:
+  plex-config:
+    name: datastore{{ omni_compose_apps.plex.datastore }}
+    driver: glusterfs
+  plex-data:
+    name: plex-data
+    driver: local
+    driver_opts:
+      type: nfs
+      o: "addr=plexistore.tre2.local,ro"
+      device: ":/nfs/plex"
+  plex-personal:
+    name: datastore/media
+    driver: glusterfs
+
+
+services:
+  server:
+    image: plexinc/pms-docker:{{ omni_compose_apps.plex.versions.default }}
+    hostname: plex-media-server
+    networks:
+      - plex
+    ports:
+      - published: {{ omni_compose_apps.plex.published.ports.32400 }}
+        target: 32400
+        protocol: tcp
+        mode: ingress
+      - published: {{ omni_compose_apps.plex.published.ports.3005 }}
+        target: 3005
+        protocol: tcp
+        mode: ingress
+      - published: {{ omni_compose_apps.plex.published.ports.8324 }}
+        target: 8324
+        protocol: tcp
+        mode: ingress
+      - published: {{ omni_compose_apps.plex.published.ports.32469 }}
+        target: 32469
+        protocol: tcp
+        mode: ingress
+      - published: {{ omni_compose_apps.plex.published.ports.1900 }}
+        target: 1900
+        protocol: udp
+        mode: ingress
+      - published: {{ omni_compose_apps.plex.published.ports.32410 }}
+        target: 32410
+        protocol: udp
+        mode: ingress
+      - published: {{ omni_compose_apps.plex.published.ports.32413 }}
+        target: 32413
+        protocol: udp
+        mode: ingress
+      - published: {{ omni_compose_apps.plex.published.ports.32414 }}
+        target: 32414
+        protocol: udp
+        mode: ingress
+    volumes:
+      - type: volume
+        source: plex-config
+        target: /config
+        read_only: false
+      - type: volume
+        source: plex-data
+        target: /data
+        read_only: true
+      - type: volume
+        source: plex-personal
+        target: /personal
+        read_only: false
+    environment:
+      TZ: "Americas/New_York"
+      ALLOWED_NETWORKS: 10.42.100.0/24,10.42.101.0/24
+      PLEX_UID: "{{ omni_compose_apps.plex.account.uid }}"
+      PLEX_GID: "{{ omni_compose_apps.plex.account.uid }}"
+      ADVERTISE_IP: "http://10.42.101.10:32400/"
+    deploy:
+      replicas: 1

resources/docker-compose/scipio.yaml.j2

@@ -0,0 +1,138 @@
+---
+version: "{{ omni_compose_version | string }}"
+
+
+x-global-env: &globalenv
+  SCIPIO_SECRET_KEY: {{ omni_compose_app_secrets.scipio.application_key }}
+  SCIPIO_DB_BACKEND: MARIA
+  SCIPIO_DB_HOST: database
+  SCIPIO_DB_PORT: "3306"
+  SCIPIO_DB_USERNAME: root
+  SCIPIO_DB_PASSWORD: {{ omni_compose_app_secrets.scipio.database_password }}
+  SCIPIO_DB_SCHEMA: scipio
+  SCIPIO_LOG_LEVEL: debug
+  SCIPIO_LOG_RETENTION: "864000"
+  SCIPIO_LOG_BACKEND: redis
+  SCIPIO_LOG_REDIS_SCHEMA: "0"
+  SCIPIO_LOG_REDIS_HOSTNAME: cache
+  SCIPIO_PHANTOM_FEED: https://blog.tipranks.com/feed/
+  SCIPIO_PHANTOM_HANDLER: tipranks
+  SCIPIO_EXECUTOR_HANDLER: hologram
+  SCIPIO_THRESHOLD_MIN_PROJECTED_RETURN_TO_BUY: "75"
+
+
+networks:
+  scipio:
+    name: scipio
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ omni_compose_apps.scipio.networks.main }}
+
+
+volumes:
+  scipio:
+    name: datastore{{ omni_compose_apps.scipio.datastore }}
+    driver: glusterfs
+
+
+services:
+  database:
+    image: mariadb:{{ omni_compose_apps.scipio.versions.database | default(omni_compose_apps.scipio.versions.default) }}
+    hostname: scipio-database
+    networks:
+      - scipio
+    ports:
+      - published: {{ omni_compose_apps.scipio.published.ports.3306 }}
+        target: 3306
+        protocol: tcp
+        mode: ingress
+    volumes:
+      - type: volume
+        source: scipio
+        target: /var/lib/mysql
+        read_only: false
+    environment:
+      MYSQL_ROOT_PASSWORD: {{ omni_compose_app_secrets.scipio.database_password }}
+      MYSQL_DATABASE: scipio
+    deploy:
+      replicas: 1
+
+  cache:
+    image: redis:{{ omni_compose_apps.scipio.versions.cache | default(omni_compose_apps.scipio.versions.default) }}
+    hostname: scipio-cache
+    networks:
+      - scipio
+    deploy:
+      replicas: 1
+
+  api:
+    image: scipio:{{ omni_compose_apps.scipio.versions.api | default(omni_compose_apps.scipio.versions.default) }}
+    hostname: scipio-api
+    depends_on:
+      - database
+      - cache
+    networks:
+      - scipio
+    ports:
+      - published: {{ omni_compose_apps.scipio.published.ports.8080 }}
+        target: 8080
+        protocol: tcp
+        mode: ingress
+    environment:
+      <<: *globalenv
+      SCIPIO_LOG_SOURCE: api
+    command: --api
+    deploy:
+      replicas: 1
+
+  phantom:
+    image: scipio:{{ omni_compose_apps.scipio.versions.phantom | default(omni_compose_apps.scipio.versions.default) }}
+    hostname: scipio-phantom
+    depends_on:
+      - database
+      - cache
+    networks:
+      - scipio
+    environment:
+      <<: *globalenv
+      SCIPIO_INTERVAL: "10"
+      SCIPIO_LOG_SOURCE: phantom
+    command: --phantom
+    deploy:
+      replicas: 1
+
+  executor:
+    image: scipio:{{ omni_compose_apps.scipio.versions.executor | default(omni_compose_apps.scipio.versions.default) }}
+    hostname: scipio-executor
+    depends_on:
+      - database
+      - cache
+      - phantom
+    networks:
+      - scipio
+    environment:
+      <<: *globalenv
+      SCIPIO_INTERVAL: "5"
+      SCIPIO_LOG_SOURCE: executor
+    command: --executor
+    deploy:
+      replicas: 1
+
+  falcon:
+    image: scipio:{{ omni_compose_apps.scipio.versions.falcon | default(omni_compose_apps.scipio.versions.default) }}
+    hostname: scipio-falcon
+    depends_on:
+      - database
+      - cache
+      - executor
+    networks:
+      - scipio
+    environment:
+      <<: *globalenv
+      SCIPIO_INTERVAL: "60"
+      SCIPIO_LOG_SOURCE: falcon
+    command: --falcon
+    deploy:
+      replicas: 1

resources/docker-compose/unifi.yaml.j2

@@ -0,0 +1,68 @@
+---
+version: "3.7"
+
+
+networks:
+  unifi:
+    name: unifi
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: {{ omni_compose_apps.unifi.networks.main }}
+
+
+volumes:
+  unifi-data:
+    name: datastore{{ omni_compose_apps.unifi.datastore }}
+    driver: glusterfs
+
+
+services:
+  wlc:
+    image: jacobalberty/unifi:{{ omni_compose_apps.unifi.versions.default }}
+    hostname: en1-unifi-wlc
+    init: true
+    networks:
+      - unifi
+    ports:
+      - published: {{ omni_compose_apps.unifi.published.ports.8080 }}
+        target: 8080
+        protocol: tcp
+        mode: ingress
+      - published: {{ omni_compose_apps.unifi.published.ports.8443 }}
+        target: 8443
+        protocol: tcp
+        mode: ingress
+      - published: {{ omni_compose_apps.unifi.published.ports.8843 }}
+        target: 8843
+        protocol: tcp
+        mode: ingress
+      - published: {{ omni_compose_apps.unifi.published.ports.8880 }}
+        target: 8880
+        protocol: tcp
+        mode: ingress
+      - published: {{ omni_compose_apps.unifi.published.ports.3478 }}
+        target: 3478
+        protocol: udp
+        mode: ingress
+      - published: {{ omni_compose_apps.unifi.published.ports.6789 }}
+        target: 6789
+        protocol: tcp
+        mode: ingress
+      - published: {{ omni_compose_apps.unifi.published.ports.10001 }}
+        target: 10001
+        protocol: udp
+        mode: ingress
+    volumes:
+      - type: volume
+        source: unifi-data
+        target: /unifi
+        read_only: false
+    environment:
+      RUNAS_UID0: "false"
+      UNIFI_UID: "{{ omni_compose_apps.unifi.account.uid }}"
+      UNIFI_GID: "{{ omni_compose_apps.unifi.account.uid }}"
+      TZ: "Americas/New_York"
+    deploy:
+      replicas: 1

resources/nextcloud-mariadb.cnf

@@ -0,0 +1,9 @@
+# https://docs.nextcloud.com/server/21/admin_manual/installation/server_tuning.html#using-mariadb-mysql-instead-of-sqlite
+# https://github.com/owncloud/core/issues/20967#issuecomment-205474772
+[mysqld]
+innodb_buffer_pool_size = 1G
+innodb_buffer_pool_instance = 1
+innodb_flush_log_at_trx_commit = 2
+innodb_log_buffer_size = 32M
+innodb_max_dirty_pages_pct = 90
+innodb_io_capacity=4000

resources/nextcloud-php-fpm.ini

@@ -0,0 +1,15 @@
+; https://docs.nextcloud.com/server/21/admin_manual/installation/server_tuning.html#tune-php-fpm
+pm = dynamic
+pm.max_children = 120
+pm.start_servers = 12
+pm.min_spare_servers = 6
+pm.max_spare_servers = 18
+
+; https://github.com/phpredis/phpredis#php-session-handler
+session.save_handler = redis
+session.save_path = "tcp://cache:6379?weight=1"
+
+; https://docs.nextcloud.com/server/21/admin_manual/configuration_server/caching_configuration.html#id2
+redis.session.locking_enabled=1
+redis.session.lock_retries=-1
+redis.session.lock_wait_time=10000

resources/nginx/bitwarden.nginx.conf.j2

@@ -0,0 +1,31 @@
+# Ansible managed file
+# DO NOT MANUALLY EDIT
+#
+server {
+      server_name  {{ omni_compose_apps.bitwarden.published.host }};
+      listen  443 ssl;
+      root  /usr/share/nginx/html;
+
+      location / {
+          proxy_pass  http://localhost:{{ omni_compose_apps.bitwarden.published.8080 }}/;
+          proxy_set_header  Host $host;
+      }
+
+      ssl_certificate  /etc/letsencrypt/live/{{ omni_compose_apps.bitwarden.published.host }}/fullchain.pem;
+      ssl_certificate_key  /etc/letsencrypt/live/{{ omni_compose_apps.bitwarden.published.host }}/privkey.pem;
+      include  /etc/letsencrypt/options-ssl-nginx.conf;
+      ssl_dhparam  /etc/letsencrypt/ssl-dhparams.pem;
+}
+
+server {
+      server_name  {{ omni_compose_apps.bitwarden.published.host }};
+      listen  80;
+      root  /usr/share/nginx/html;
+
+      if ($host = {{ omni_compose_apps.bitwarden.published.host }}) {
+            return  301 https://$host$request_uri;
+      }
+      return  404;
+}
+#
+# EOF

resources/nginx/nextcloud-proxy.conf

@@ -0,0 +1,88 @@
+server {
+        listen 80;
+        root /usr/share/nginx/nextcloud;
+        index index.php index.html index.htm /index.php$request_uri;
+
+        client_max_body_size 4G;
+        fastcgi_buffers 64 4k;
+
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+        add_header Referrer-Policy                      "no-referrer"   always;
+        add_header X-Content-Type-Options               "nosniff"       always;
+        add_header X-Download-Options                   "noopen"        always;
+        add_header X-Frame-Options                      "SAMEORIGIN"    always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+        add_header X-Robots-Tag                         "none"          always;
+        add_header X-XSS-Protection                     "1; mode=block" always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        location = / {
+            if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+            }
+        }
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        location ^~ /.well-known {
+            location = /.well-known/carddav  { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav   { return 301 /remote.php/dav/; }
+            location ^~ /.well-known         { return 301 /index.php$uri; }
+            try_files $uri $uri/ =404;
+        }
+
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+        location ~ [^/]\.php(/|$) {
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+            set $path_info $fastcgi_path_info;
+
+            try_files $fastcgi_script_name =404;
+
+            include fastcgi_params;
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+
+            fastcgi_param  SCRIPT_FILENAME          /var/www/html/$fastcgi_script_name;
+            fastcgi_param  PATH_INFO                $path_info;
+            fastcgi_param  DOCUMENT_ROOT            /var/www/html/;
+            fastcgi_param  modHeadersAvailable      true;
+            fastcgi_param  front_controller_active  true;
+            fastcgi_param  HTTPS                    $https;
+            fastcgi_param  REDIRECT_STATUS          200;
+            # Mitigate https://httpoxy.org/ vulnerabilities
+            fastcgi_param  HTTP_PROXY               "";
+
+            fastcgi_pass server:9000;
+        }
+
+        location ~ \.(?:css|js|svg|gif)$ {
+            try_files $uri /index.php$request_uri;
+            expires 6M;
+            access_log off;
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;
+            access_log off;
+        }
+
+      location / {
+          try_files $uri $uri/ /index.php$request_uri;
+      }
+
+}

resources/nginx/nginx.conf

@@ -0,0 +1,37 @@
+# Ansible managed file
+# DO NOT MANUALLY EDIT
+#
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$time_local $remote_addr[$status] - $remote_addr($remote_user) - $body_bytes_sent - "$request" "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+}
+#
+# EOF

tasks/docker/build.yml

@@ -0,0 +1,45 @@
+---
+- name: Download source
+  block:
+    - name: Clone repositories
+      when: item.value.build is defined
+      git:
+        repo: "{{ item.value.build.repository }}"
+        dest: /tmp/{{ item.key }}
+        version: "{{ item.value.build.version }}"
+        accept_hostkey: true
+      loop: "{{ omni_compose_apps | dict2items }}"
+      loop_control:
+        label: "{{ item.key }}"
+  rescue:
+    - name: Remove existing repository downloads
+      file:
+        path: /tmp/{{ item.key }}
+        state: absent
+      loop: "{{ omni_compose_apps | dict2items }}"
+      loop_control:
+        label: "{{ item.key }}"
+
+    - name: Clone repositories
+      when: item.value.build is defined
+      git:
+        repo: "{{ item.value.build.repository }}"
+        dest: /tmp/{{ item.key }}
+        version: "{{ item.value.build.version }}"
+        accept_hostkey: true
+      loop: "{{ omni_compose_apps | dict2items }}"
+      loop_control:
+        label: "{{ item.key }}"
+
+- name: Build image
+  when: item.value.build is defined
+  docker_image:
+    source: build
+    name: "{{ item.key }}"
+    tag: "{{ item.value.build.version }}"
+    build:
+      path: /tmp/{{ item.key }}
+      rm: true
+  loop: "{{ omni_compose_apps | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"

tasks/networkd/install.yml

@@ -17,7 +17,7 @@
 
 
 - name: Install systemd-networkd on Fedora
-  when: ansible_distribution == "Fedora" and ansible_distribution_major_version == "8"
+  when: ansible_distribution == "Fedora"
   become: true
   dnf:
     state: "{{ _runtime_update_state }}"

tasks/nginx/install.yml

@@ -0,0 +1,36 @@
+---
+- name: Install Nginx and CertBot on CentOS 8 and Fedora
+  when: >-
+    (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8")
+    or
+    ansible_distribution == "Fedora"
+  become: true
+  dnf:
+    state: "{{ _runtime_update_state }}"
+    name:
+      - nginx
+      - certbot
+      - python3-certbot-nginx
+  notify:
+    - restart-nginx
+
+- name: Install Nginx and CertBot on CentOS 7
+  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
+  become: true
+  yum:
+    state: "{{ _runtime_update_state }}"
+    name:
+      - nginx
+      - certbot
+      - python-certbot-nginx
+  notify:
+    - restart-nginx
+
+#
+#     - name: Install configuration
+#       become: true
+#       copy:
+#         src: nginx.conf
+#         dest: /etc/nginx/nginx.conf
+#       notify:
+#         - restart_nginx

tasks/nginx/services.yml

@@ -0,0 +1,7 @@
+---
+- name: Restart nginx
+  become: true
+  systemd:
+    name: nginx
+    state: restarted
+    enabled: true

vars/accounts.yaml

@@ -72,3 +72,13 @@ omni_users:
     uid: 1292
     targets: [datastore]
     svc: true
+
+  - name: mech_scipio
+    uid: 1291
+    targets: [datastore]
+    svc: true
+
+  - name: mech_nextcloud
+    uid: 1290
+    targets: [datastore]
+    svc: true

vars/applications.yaml

@@ -0,0 +1,135 @@
+---
+omni_compose_version: 3.7
+
+omni_compose_apps:
+
+  bitwarden:
+    datastore: /appdata/bitwarden
+    account:
+      name: mech_bitwarden
+      uid: 1294
+    published:
+      host: ssv.enp.one
+      ports:
+        8080: 8090
+        8443: 8943
+    networks:
+      internal: 192.168.104.0/24
+      external: 192.168.105.0/24
+    versions:
+      default: 1.40.0
+      web: 2.19.0
+
+  gitea:
+    datastore: /appdata/gitea
+    account:
+      name: mech_gitea
+      uid: 1295
+    published:
+      host: vcs.enp.one
+      ports:
+        3000: 3000
+        22: 2222
+    networks:
+      main: 192.168.103.0/24
+    versions:
+      default: 1.14.1
+
+  minecraft:
+    datastore: /appdata/minecraft
+    account:
+      name: mech_minecraft
+      uid: 1297
+    published:
+      ports:
+        25565: 25565
+    networks:
+      main: 192.168.102.0/24
+    versions:
+      main: latest
+      server: 1.16.5
+
+  plex:
+    force_clean: true
+    datastore: /appdata/plex
+    account:
+      name: mech_plex
+      uid: 1298
+    published:
+      host: pms.enp.one
+      ports:
+        32400: 32400
+        3005: 3005
+        8324: 8324
+        32469: 32469
+        1900: 1900
+        32410: 32410
+        32413: 32413
+        32414: 32414
+    networks:
+      main: 192.168.101.0/24
+    versions:
+      default: latest
+
+  unifi:
+    datastore: /appdata/unifi
+    account:
+      name: mech_ubnt
+      uid: 1296
+    published:
+      ports:
+        8080: 8080
+        8443: 8443
+        8843: 8843
+        8880: 8880
+        3478: 3478
+        6789: 6789
+        10001: 10001
+    networks:
+      main: 192.168.100.0/24
+    versions:
+      default: "5.12"
+
+  scipio:
+    build:
+      repository: git@github.com:tjyork/Scipio.git
+      version: 1.1.2
+    datastore: /appdata/scipio
+    account:
+      name: mech_scipio
+      uid: 1291
+    published:
+      host: scipio.net.enp.one
+      ports:
+        8080: 8081
+        3306: 33306
+    networks:
+      main: 192.168.106.0/24
+    versions:
+      default: 1.1.2
+      database: "10"
+      cache: "6.2"
+
+  nextcloud:
+    datastore: /appdata/nextcloud
+    account:
+      name: mech_nextcloud
+      uid: 1290
+    published:
+      host: nxc.enp.one
+      ports:
+        80: 8082
+    networks:
+      main: 192.168.107.0/24
+    versions:
+      proxy: latest
+      server: 21.0.1-fpm
+      database: "10"
+      cache: "6.2"
+    assets:
+      - src: nginx/nextcloud-proxy.conf
+        name: proxy/nextcloud.conf
+      - src: nextcloud-php-fpm.ini
+        name: config/php.ini
+      - src: nextcloud-mariadb.cnf
+        name: proxy/nextcloud.cnf