Feat: add scylladb + a bunch of stuff I forgot to commit earlier

2025-08-21 23:43:52 -06:00 · 2025-08-21 23:43:52 -06:00 · e7ba86f10a
commit e7ba86f10a
parent 3529072bea
68 changed files with 1608 additions and 523 deletions
--- a/.gitea/workflows/mirror-to-github.yaml
+++ b/.gitea/workflows/mirror-to-github.yaml
@ -0,0 +1,73 @@
+name: Simple Mirror to GitHub
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  mirror:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetch full history for complete mirror
+          # token: ${{ secrets.GITEA_TOKEN }}
+
+      - name: Push to GitHub
+        run: |
+          # Configure git
+          git config --global user.name "Gitea Mirror Bot"
+          git config --global user.email "noreply@gitea.local"
+
+          # Create mirror README
+          cat > README.md << 'EOF'
+
+          # 🪞 GitHub Mirror
+          
+          This is an automated mirror of the repository hosted on [GitGud.foo/xbazzi/ansible-on-prem](https://gitgud.foo/xbazzi/ansible-on-prem).
+          
+          **⚠️ This is a read-only mirror - do not create issues or pull requests here.**
+          
+          ## 🏠 Original Repository
+          
+          Please visit the [original](https://gitgud.foo/xbazzi/ansible-on-prem) repository for:
+          - 📝 Issues and bug reports
+          - 🔄 Pull requests and contributions
+          - 📋 Project documentation
+          - 💬 Discussions
+          
+          ---
+          
+          *This mirror is automatically updated when changes are pushed to the master branch.*
+          EOF
+
+          # Stage and commit the new README
+          git add README.md
+          if git diff --staged --quiet; then
+            echo "No changes to README, skipping commit"
+          else
+            git commit -m "Update README for GitHub mirror"
+          fi
+
+          # Add remote
+          git remote add github https://${{ secrets.GH_TOKEN }}@github.com/xbazzi/ansible-on-prem.git
+
+          # Check if GitHub repo is empty
+          if git ls-remote --heads github | grep -q refs/heads/; then
+            echo "GitHub repo has branches, doing full mirror"
+            git push github --all --force
+            git push github --tags --force
+          else
+            echo "GitHub repo is empty, pushing master branch first"
+            git push github master
+            # After master is established, push other branches and tags
+            git push github --all --force || echo "No additional branches to push"
+            git push github --tags --force || echo "No tags to push"
+          fi
+      - name: Debug git state
+        run: |
+          git log --oneline -5
+          git branch -a
+          git remote -v
--- a/inventory/group_vars/pve_nodes.yml
+++ b/inventory/group_vars/pve_nodes.yml
@ -1,30 +1,30 @@
 $ANSIBLE_VAULT;1.1;AES256
-37643564643838303332353264393632633132346563613935393837386230363836646433316237
-6666323032363632323636316334643334343233333833330a336236313566643033333165653564
-63663837626362393930326234663735633231333762653964306636386466346366633432386533
-6233326361633434660a323633363438643231383739633335623932613964316165356633616335
-33323833656461663961303064343565333335353935633935336161303336326535363538303465
-66313338326333333534376562633933626438633134303739653261613464633435393133613439
-31653634616339316164336231303430393665323830616262363639656438353562373766396164
-64663766323635366332333634643864323439393539303063396334653563393139613932626433
-39306661393665333337613031386635623363343235616233613233363134363533346635316533
-62343633636665313539666431356164373538613261396136363761643634343734373237396237
-62376663663565353835363030643230383639363337636331616166323430343033343633643261
-39633736653266666539316337333162643334663037313639633164333961616237333430643163
-66316536353130653363366533663864623264393030393638666361666238353565363135356432
-36353437666231343035313565393137616166303734373432636130363433393561363235383235
-35333835343763343663616161636339663036336462316161396232313937663339336331333062
-31616639356338323637646564373034643963393830653365656337666461643762643439353864
-33356430393636353365313165396562653063666432323462623430663932623938373338386430
-63336165316364323136363432333839643730333365333962353733323666643766643461626630
-63343630653830333765333936366363396436663736333235393734363962336363336436346234
-33613133653232613833376663396536343936326565633731633433373731396439373265323366
-38356539376335396138623633336133656139383133663131643064353064353631356537313065
-33353962313139366538343463616562353965666636643563613636646165636130613330393431
-61303831343561656132383363313461663738316534396132326135373533376362356363326233
-35636337623133363364656630376132613739383135653330613466626164383637336164393634
-64323861363233613964393039383262353732666564366434643837653832616137323431623232
-38643566306537373334356430613639633763303733636633346637373437343937653031643431
-39313861333239353730366265623535333735373762386162363036303432306632373439363634
-65366630366130396339373539663266646637633539393937353038363562313337303462373466
-38326133306161383364646265656265643533623638343938303933656137386239
+30633665376131343032346664366164313233393462636261616136376265383561633764306338
+3931343666383332336537613664616532303763376433620a626230623436323234303963666261
+30373131626536626361353261646436373237643861396666366239343063346665623131653165
+3061646133356432350a666430626637393038653861313136336632336135346363616339643362
+65373566616638383865623535646436343037626563636361656165616130323234393033613861
+66383935373735646535316162343035303139343732623633656362323165383830326636336338
+30376539336633363137633732366432663336303232303834353064316230306564626438303833
+32336365653338393037616336336165623234333838386636306336363034643566323631623239
+34643762303064363661313961643238396431646432643139626130353331616539656532366561
+38363966633833306565323462356538316435376163646661353465626439356539316664376637
+30376131306332636336636134326438613234656266346263643664303733373964316366323237
+31313136636639643235336237633837383063626164316465613565323261393738393830643664
+64333038383662313137633361343664323234646534346364346630383931623135386438633435
+33326130323134396135383862396236623963613633393336306164363130666664343237643539
+65393866623031323162326566353437633266613838613939346335616464623936333662656565
+31373530303033363034353861323539636164363331303530653664343263633262626639353139
+65376330336266643463613531623636643139393661323638343330393532353135316235646365
+38376165363338376136636137623638316465346261353437633032343532626532363934303866
+36646533663164393232303933316337353434663730343139346430653237383035313162643362
+62656534383361656530373735343733383837316132633435636265313062333035353930663934
+34323866306334646532623830373661616233366565366466336464626563396434353134643962
+30626431373932383331643663663064663139363961663233316565333233663666623465616534
+33623665336662313964323336353063386637646664646366363566323062663935306439643762
+30343264386539656232333530653634343266623436336165313934353134306239336134303462
+66383232383062313364383865643339333338303861353636303437373834323466656234663838
+33386233663236653937376630623130336263656265656666336564313437623731306232313834
+30656537346636303761383936653438623838343363396431613864356232383464373265323937
+61383232313535393131343134356565343365313935356161663531376666346538613632336635
+62363333656663396435626334383862313963396266646465366366616234343636
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@ -1,140 +1,148 @@
 $ANSIBLE_VAULT;1.1;AES256
-64316466653738626630326463346363323439386264373961656466343230653332333061656435
-6630343738383162376666616637366430333630353437360a613638353235326536313236383266
-61303939333732646535623063313638363632393334386466303834303838653935373532353162
-3464663661363063320a356636366132633464346133613731663361663337613538666631303833
-38353038316533373637376463646630336335326532666664353632303864333135333562373633
-33633466643162636662623239323239666166353762383861636238343364393438613839356237
-64303566306432666238313330363330353862343730356666636637383333303639346663373966
-31633836353234366135636266623639306539623263643461323338326564646537636538616637
-63306330663265373932306533666137616634633661373066343730633432306230306264643137
-36643965343331333435393064613537363536663236636434373438633336373536333865383239
-66323538396239303030633934613230343938633962396632326166656634623439383737363637
-37646464323834646562656231653833666562616461356530646565333932633964313865313565
-38363636383136333732393537383162343765623563373863393137333031653136333735653831
-61336437613535633265363435653338323033303035343432653033343630666438663434326533
-37303439633364666462333438366131626265616661643064663462656239633938363965366364
-63366534626439653839343730323432313765396361316530363161396334363863356438636431
-64363534353135323732323739333331623237393463386238356164633462396532393564316331
-33333335306161303962313565646134653263666266313638663463653237663837616365613639
-61383232646130396631336262373437343830626238623430316531306239323231336331356339
-64373065303262653038663863353565616665643766323138646230373435623761656265393863
-35623530323663393332393830346366633332383637383330383735653630356537633530333765
-35313361306531633366343032636166323963303231623939386134333832323038303963333433
-30343332656335346465323233633433613334323033646663663866363238373831386534663564
-63313639303762646261626566623863313732363633336562393338336334346466346637666266
-36386234386331386434633832616661626462313034643839363131656462643665613765366337
-66366337633839633761633535336263623034336131613464653936666238356464376434383336
-39363638643133636161646662613639663237303933633231303336646366356138333832393531
-36323437393966303662663664666566643764333061343363383734346536336237313837383832
-65363637663034306439633265613336386564373932393062656263353633306664303738373562
-66373066363766643431333266613065306430383061326561636366313662633936636239363934
-37346133353262323638326237623534653464306439643830613432363130646635353162643735
-32303033643865646130316666643333303866326132383662323964333564326439643833356632
-31346634336666323266613535333339363733663035663434363231626433376439643739313162
-31353664316436376436336331613638626535663033343138346537326338613863373932333531
-31373161646137386264643264323863396139623464653062373866616433633132386435323037
-64383330376432666434303264336636333163346138386239346565636436633866333464363064
-33343034663239303738373431323432333839663539313330373537346530396232356435653830
-61613464376531393632633539653936633139323131306564343761636136383066633534353365
-62326134396236636439303839303066346135323963313530346461383665343432663838393632
-39313039643634626361343134663634313734376561653866653838633363383038663366663963
-61613334646362336338313631353263636134393238336466646566616561613665636463623738
-64656566346562633535326639353063363931313730386135373431653165343332386535303837
-32663336393435373830336535646531303130306431363034663034633630633365656565663161
-64386264383863343130656433613561316334306461656662633265326234666536333935343164
-34323533636534313966613331633966306534376532383561373763303566313535326266636535
-38386165653232623238353165363636393138396637633439616264393561306363363838626438
-32363431383864326661343533356632333033626230626432643332363437306236633232663063
-64623332643739383439363565343038643531326166353835323561323034343937303265636432
-34656639616462616664646132306436643062346662663135663337666430643536396161623530
-34366666653034336364336134636564356561366539633664663738313432623333663035313833
-38306337636536636562393237393030356334633930376662363936323764633636353566303732
-33666636353762626664636534356665363661303732326562373335303538393662353434326234
-64663262343937373430656535623362663163626465666565343461303339363534613431396230
-66353232633866663139653064636334303765353131313230636665313234623433636136353837
-64323335353864313434323366343662373561653863663563333464383465333766393835303534
-62633864373731396132306562353130666263393530316331663039323230323130616431636539
-31613933323764313838646631636365316164646231323562616239313936636635323034356466
-37333139656231623136333139303335393533373230343962306438373964373863633464363134
-36633839666335636562306238656165633231363031343566386538393365666533636332666232
-62323563343634303661383865653730316132376562613636373338643236393565303938323563
-62306363343535316336383238386166393339633737383037626136336539386234303562656336
-39333137383864643630666337623962653539646335663766313536326466653961366138323838
-37343665386634626430653939613866333836663961393464353062343533353933306338623561
-61653235353636633034363864366137653334616333643734363934366264613334316538616139
-61623030323131303436636131326532303563313861663835353936626661653461646435393734
-35636331663633363066373631666437366365316261336331396163333337353233353734373938
-66653439323062303362383165646136386561636131613334356565653539346339633265383863
-64643735373539313038663939616536393263356533353734333165373765356335623230323762
-38666264393561663039363763613264393235616139346438613830626163613763346438663539
-35363631643466303737356130623063383930623665666363356332633934366466613464643539
-61386362666530616364393836363336356436353833643734613164313239663134386237356164
-38613261383339636534343264633363346237326562333033623137626363316531376562636633
-66383933623964363636393034653865373732666336306266613633373035353461386134613132
-62376164613334626633383034346664373739393938373762333065646564393937306665643539
-30646462323166353630633763393338333336336237343435326166343465626161353464366361
-62656664346135386333383866623662663839356431616636343364303430636632636438353733
-32353334316163636263633935653434393539666131306530643464323065306136366432386466
-61373035396233303635323233303532313465346262383932653638643834326135373962333335
-36396532656362356533313337373738653230373364393133346561633464396661306230373238
-62336462393439333066386637343965343733633362626339363136366431346662383836316233
-30353262636134343764343363613634313866623538643761323335663464633666306433353161
-38393834376564636265366435646331393835626635366631343862656433616133363934336430
-62376238346634356263303937623566353436326161313038336334326562613638393330303934
-61656662633336333137663438326663633062663162326432653662646461356237346533666530
-36613439326562666561396632396135343731663862333466663138303062666462616136336462
-36366662636436333534363935653464613036663963643536663333333634303037653334663865
-63346435396335333464383261363935376536616262346365633963666535623131646262653063
-39363361366235663736626532646631313230363138343936363438613863663734326331633736
-31386639303331353534333632393563313663396164356232366135373361666435363936346339
-36653138313434636161353636303231613536633332346264653534313934633737313061373039
-62663130396130306266633462646663356435373730616564366635313861616638306163323361
-30353030376331336430313639373939323832396438366262383434616466646366376330623436
-34646166396238623632633065343531636162616139373938396532386331636265313864303365
-63306365353031613534633463616663363964643032316439313733323463373261623233396564
-61323631383839613366353530373366653066653034383137613836353964616630303733666563
-64363431326362626662393832626636663932643231356332316436663965626235346539353632
-37656438623734343234323439363133636563343235373334643165653431366231353065323631
-64613564633437353330633364626239303530663734333862356435643332336162303432323438
-62386339646564653532323965316434623535363234303261653862373264663036623663336265
-61613262353035376463653237636434306434353330386639633230623430373762343936353539
-61373161323438613662623030336339633964356231326133303333663931373132346364343238
-38626163623331666530663833316266656437303663323239353232363337326465363237666431
-37316361306430616466383139386331356530643361383739376638313734373536623738343532
-37306533653632316639613639666531313965363432386536613031363736323933656639303231
-33376464366166336437393230383431343635656636646535343030643763653564323936336332
-66303238656163623936656533303535643733613338313339396232353237643432323261626535
-30303632633161333831623734366565306636396262393161333263616232356638386263323331
-33356361333436613739373862653961323239326133636338646438313931393235653730616336
-35656134366330633434396432386237613133323234356165313665383433613338353337316337
-33623533346630663831343733303132366265656539366639646265306335623064303730613362
-64326336363637646436333961373333666635376564396164633537356561343433313762396435
-34366237303130653437343831373937326336346633366663323534386361613030316236323861
-34373762663464626431356165386665613962616435306439393963383631383034323863626335
-38626430356463353636373764646561376332316132623135376334616464363033656333353963
-65656436363361356361613461316232303835386663303630333030636433623630656131623466
-65313236313063616335613038336337373631646230353930303961623835623261613735646535
-35383365346538663734333066613965646564656234613936336138323335666239656562633335
-33343066333231303037613334376137363932366462373132376666623861613863643933646531
-33656330316333383337623462663838326537343666663633353239303933316164373863393533
-30346466346466623134336262356531306332303664323438623530393863663437316561346330
-64336562326331623865616430353165306438626365356336623162616632356563643439326463
-64303136326434666564613338653435653030646430646363396666313066383637366136396536
-31386139333738366136643330386335393262366635616630356364636330666533346335333063
-38346635623235396236373536633934316163353061353835373966613233636564313466636435
-62343935613437396431653933383364363264643665343766303262373337613138326532366363
-37326335373565666637323361393631633561653963393431656561376235333936653738306234
-34373364383466363339333933623333623430666661373766376164613964663035656332376161
-64303234616365316563613237376364393934376339346137376435343062336663306366366330
-65336333356334626137373162666366376430316635653435366332316332356262306363656466
-34396634313333356239633932323133343533356636376264323165323138623265366635653533
-65313339313562326661353737306130613136363232643933656432643966383439363163366534
-37303665373336653165353238616166393266626364323034313435636663623939613039646632
-31313261636533383131396263376236306535383231323963613264343338613362316364343266
-32656636393163313230343665333366396230623062306233613663636539633630663163623064
-38663234636433346135653434313332643338653639346163336133613866643934323237633430
-38326531343463396464636664313732653233643335383736383136343161623263393030656561
-39616437353236613235623433303161383263363137653665343861313637633737343032656234
-31376262666663366336376338326434393631323933646339656166633536336431616639313332
-626565393465323937383264373436336134
+63333337313138626662626265326131633239636462393563306537323533336237326637636130
+6264333438643239343163316563633062633433653435630a613736626163623039313461376439
+37356134663037326433613561376433346434643766313033333237333436386435636530613134
+3032666461313033340a393935333463303539633265633463356335653266313732313031653639
+32363333303736613230646461663133623736333764326536326336633864316136643663646165
+65663037313539303731363833306237363637343837346461346161376536343562343338353133
+31353066666235326538396336623838636565303662303065386338633831386366343364336534
+33623337366666623365653638653638626230646462316336353831383838316433643633653637
+35316439346134613439343664366632316664643839363265613165646236303032636339303939
+32396566656630666166323062306436333863343566636463363235356235383766303438396165
+38373131346664393431343566323561313265343739663666666638383431393861626236313830
+62616439346563663263666563363837373936613939663037336165613239633533353530663166
+37626537323034386530376238623830383231333665313037623537356531633162646634363932
+33333666343263333965623939343838323730313835623433383130333731333333653263376132
+31383031663436656635613066356634643662633466656433666538303835396664313066663635
+30306333643664383638376539356163633435383436366436356161326266333332613664323738
+66333537363632383536626664343939376635376632363139373337366262363665623265346235
+34363735666565393565313039663764363136333163393433373434613437363066626231363130
+64663433633636626666396334373563356633386238613835346561356433623064653762363862
+66666165333233356361326665353833316163643635343934333438306564333135383735363330
+31333462616464613162323236323233373839656162646339336339366433343236376339303039
+32623966363863653638363937326162643533656437323730386137353062633832643830616635
+36316561326662386364613736316231623534333765396431356237643536613136313862623665
+30613061316130643735626432356235326630643861653338303864376364643833363964613535
+66323061353365636563346662613132396235336464353537613463376363393162313764336635
+39383235366238656634336262323139663030656565666433323034343366303438323634366235
+33353037373630373331366430623937643131656134383936633565356666383133303836303430
+31326234646530366133623135306430343766343362343236303130653565663533383966306439
+38656563336566633233336664623734353538623766326564306661383964623162633430613733
+66303461323536346534343139613030396130323333353638383462356233636261376130373966
+62396263626362656463306464393465653163323839663835653665316665643064623763383137
+31383539383464346630396138646530323163613761393039353430643866363138303435353833
+31316133363430323632383332306537353664313533653132653164656139313235313164313266
+66646164616535393765333338316634626330393866326664373531363034363734343165383339
+64663232373236346136333437663635316162623664616236393963386564623336343466663838
+35326263356266306232633434633162386561623435653763663733343738303231376663306662
+65353361313338356336646164656238303562623462653163636630353731333566323437663432
+66326436623835663135396162373764373432616337356135616236303561383765353462633430
+30363438373166303764653933356634376330666232613463663039323933326530353266313332
+62666661356666363635626330346338613238363633623138633235646466303031373733643234
+32336438376564656136623639383137313738323562363638376262363537303232343430653265
+37306430323264366535323664643065363464336363663866343137636430646332633164613866
+37313335633634346666643863623238353537636366633730626162663863323532613130353766
+32366362393835623666313530356631636365653230653762313439636336616230373363656263
+38656237623239383962356436323034313834336333383438363632616336653230346361653534
+33336464343733303233653266326536396435373866393437363339646263393835653837623730
+66303362666138306463646363643162316532653963643534333638633835383961646136396465
+63396565306336353835333336313833613138303163666261373263376564343539646430653661
+39616265323734643735353930626563353337326532643432363465346265643835316364663538
+37336332623834326233393637643361643565313636333963623339656163383936326364333831
+65666334643864326265326433343635666664313132363031373036623166373838353538343864
+33383433376431613137383162666237313334386630633461646466376264313132346230383662
+32303039663232363464373765306462343762346338303262336463336633393738646439326330
+66336263386661336139613966643538316561383834303532353533396631323832613039313966
+65373237306636353065323033383234656630353732656639313731326631626332636531356666
+30353135323334616462306639336534333534323161356437633637376538613061303164323834
+30353466336563396166623537386665663763613463393465366633303931393066363261316166
+37613766656232633762353964323732633337363761346364396664666163356134343633313634
+32303264346535376430616332636363653034386638663765633566663436393630623966393532
+61663339343632343230346439326231383363663035613336323965636233316165623264366435
+32646332316530663538646530323561383730333831613762363739643739663430326365373032
+66643165643261313464373734333039363532316464643133623734303634363661303765346565
+37306631316233383138666236613465623462306162393663393362343162336130623762326532
+62363366363235353939303762666262616234393536343363656638626633626163323936343261
+65633937316361333134636462323063323765663834306438303032366239373630303039613763
+66313839613963653965656364643334336333393335373266386237613763356535373136316165
+63653435643733333439623633316364666433663063636136653164396533326165306163373562
+35656162346562363235633362623135333135616633353863363562666565626230626239303834
+33356235656532666466333730363938366466633932356539353838393033376235383964653864
+32653861313563343063313131313632666230313036636135623461653266653362346439626565
+66633034326339303832366433376264623332336465373262323832303439653131316334316537
+64383232316363643433343666653030633330356538303464343937653662363031386632643138
+32656163626266386166336331616464336331613761643363373732653035663633333637623961
+39333039363565363235393033373163386162616136366331646336646661623161643131633163
+65303437616662366434636232333335633461336265626364373262373164353232353264383032
+64336661623236326263363736613139653739393830376266306364633363363835366632653539
+34633539346265623631656237353565306338316432373833616266623837356337616466313035
+30656238333030613066363261323463613437353633383661313732373461343064376231343839
+35356336653262316362323137323337363535656332393766356235313839626638346134666135
+30343739613666323563613933323037396535616462376261303536336331393537383966313538
+38303738613664376432346438343166383031643964336435363264316636333938343536366536
+38343434313838623034396163646335333139643562366333303265366438666561623861616432
+62326235613364383361346536353134656261663537663231323164366635346337616266653230
+33633263376539393337386263326566636366633033383561336163343163346565346130636635
+36363137663838303931353636323865363861623461643436313830623034663630663334613561
+66393231643063636161316332376334633031623135383237653132623061333839323461643734
+30343766313937623766303062633730613131346538313635616565656662643561336431653030
+64636232343138666136373064353631333535663836636464313938656138353463326261616234
+62643936393663393030353166623233323564343430303637326534363166363361656366653738
+66313161313231306438613033643533656230303136613239396465663162353531303639343038
+65643963616133363563636363346432663236626335363662376564316563386633316661323134
+32376630306661656533643930316430333236653337373233656266306432323662613731366434
+66646133613335646662346466646138326230386534363230666263643461623838623035323663
+65383962366564376335393931633762303331393064303333303665613434346633663634393631
+30613862363239373333366261663536636636326439343839306461346631326164616532346362
+33613932376439356633303062343030656233666433663161396434653731393264643462623533
+36386438363366346435616339643765326132666562366431323836363665333463303761656130
+34383736316664383230636566623434326562313164616163386465643035636638376463623464
+63303333326364656536653636353339353732303065653533623466333238323934323864343361
+37316361643433373332646533326539303862326332306363323036313461656364343830316361
+35626232363462643939643037383637356338316362323761323466376566353964636461366366
+32343038363035646363623664353865326536646365323939633161346664353165646366636636
+66623533663631623931326166353861623830326161623162653732313639386336643438646263
+64643736323133646432323962666564626461356362303232326662393636616166626336376637
+38623663666263393838653137393261383034666130663736303463646661353362643932666132
+33383064396366656534303763363539303737663433656665303835626561663831353665393739
+63383832386261336366333736613130393134363334353737613438333731303035653635646138
+30313361333734366264356337303130393734653635336132313535346365356137313634313933
+36393662366531613231663934353737323463616634656364643637646130636439633235656365
+62643862326664663133633466333064613133363334383832653766396131356362663638383232
+30366633623837343833633535353031383431373765353663616338633734376430346266306434
+35393665346463623735656335626161363136373639633065623633306632356431373435356662
+62373031613537613734316332326137353031613264376562656136306434633531386165666437
+33636433343862363131613363633235393933396133313062383434373636366236323666316538
+66646466396639316137666638373339303562616439393966663363633336383637393530336165
+35393937636334393261393530353162343765316331353664656238356434343336653665616634
+32366533316237356666333237646133316332376435643864343832653339396536353335386437
+31393931616164383331343836633930393164353539376337353835636661323165346263363035
+65313163663337393735346663656634316135383966643838303063316136323038633964316131
+38393763643430303662653863363366636666623132396239653631653232376564333665353563
+61356262373637386632333230356365666239656637653039356538626461373433356562386364
+36633362353135373239363632653562643430316261316166306334623536663037383236313738
+38633730646531363361623165313262343437633538396434316262323434353863353635323164
+32343462323231393362336638373237653438336632323538363837363130313064316335626463
+35336164363764383363633335333630336233383561306666623238343133356537623639373136
+30346663656238363161383239316137336134643638323530653535336163636566393837643232
+66663330383366656630616665623030626637313164326231666635663239393634316434383366
+31643832393761323738306566373637666634663531376233643436376239663134376431616435
+33323134333030386631323565643539316237623033366561613030626339613963353034633337
+65646366646263623336616663656261653862343163393338623031366261313161356130343330
+62393330666164646333653238376663396537393931393730663537306661333231363237643465
+36656430616634316561653935313863653732346337396365646262653133626339656165653735
+61366233336366626539343133396639666134346237316365666433336235306134343135386436
+37393163643765616636633962393331653430663736383166313338623662363930353834386535
+65336532313930623063383935393861343338303761326533616637313735306239323635396139
+61363034333538386537656136626431353966616163316661376666343039623534633365616135
+34326231303863383762343135396566306339636130666631306538323761656262623561653037
+34326264653565343637313563616265323165363737326437316562336662643066386439616464
+61363461363063656638323535613337303831366639613964363761666437326363333862663465
+31376434646539666636356630353065376435323433366539613263626361633932623931363464
+63393135326466386639613337383739383933356662623465633638306234393233353437623465
+65383737366338663837636334333766346332393165346637333138626236643331343262353633
+38363131666436306433646433663861613363616330313135393030356134353930373161373038
+31343737373863366235386230353963646530643137313466613631343065623736643130363839
+62396138373332353737373763336662336634383566333437616332646136666335613662636638
+37656431386661396533656365643934343833306162376664366338636533346431623131363262
+383862316531646564646366333938333464
--- a/playbooks/configure-pve.yml
+++ b/playbooks/configure-pve.yml
@ -3,5 +3,4 @@
  hosts: pve_nodes
  become: true
  roles:
-    # - role: pve/setup_networking
-    - role: pve/lvm
+    # - role: pve/setup_networking
--- a/playbooks/deploy-stack.yml
+++ b/playbooks/deploy-stack.yml
@ -0,0 +1,40 @@
+- name: Deploy Docker Swarm mgmt & stacks
+  hosts: prod_vms
+  vars:
+    ansible_python_interpreter: /opt/docker-venv/bin/python
+  become: true
+
+  roles:
+    - role: docker/swarm/prereqs
+
+    - role: docker/swarm/node
+      when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"
+
+    - role: docker/swarm/stacks
+      when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"
+      vars:
+        stacks:
+          - name: postgresql
+            compose_path: postgresql-compose.yml
+
+          - name: portainer
+            compose_path: portainer-compose.yml
+
+          - name: nginx
+            compose_path: nginx-compose.yml
+
+          - name: dumbwhois
+            compose_path: dumbwhois-compose.yml
+          
+          - name: flowtodo
+            compose_path: flowtodo-compose.yml
+
+          - name: traefik
+            compose_path: traefik-compose.yml
+            mount_dirs:
+              - /docker-shared/stacks/data/traefik/certs
+              - /docker-shared/stacks/data/traefik/dynamic
+              - /docker-shared/stacks/data/traefik/logs
+
+          - name: scylladb
+            compose_path: scylladb-compose.yml
--- a/playbooks/deploy-swarm.yml
+++ b/playbooks/deploy-swarm.yml
@ -1,74 +0,0 @@
- name: Deploy Docker Swarm mgmt & stacks
-  hosts: prod_vms
-  become: true
-
-  roles:
-    - role: docker/swarm/mgmt
-      when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"
-
-    - role: docker/swarm/node
-      when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"
-
-    - role: docker/swarm/stacks
-      when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"
-      vars:
-        stacks:
-          - name: portainer
-            compose_path: portainer-compose.j2
-            restart_condition: on-failure
-            replicas: 1
-            labels:
-              com.xbazzi.stack: portainer
-              com.xbazzi.critical: "true"
-            constraints:
-              - node.role == manager
-              - node.hostname == prod2
-              - node.labels.zone == core
-
-          - name: caddy
-            compose_path: caddy-compose.j2
-            deploy_mode: replicated
-            replicas: 1
-            restart_condition: on-failure
-            labels:
-              com.xbazzi.stack: caddy
-              com.xbazzi.critical: "true"
-            constraints:
-              - node.role == manager
-              - node.labels.zone == core
-              - node.labels.type != db
-            volumes:
-              - /docker-shared/stacks/data/caddy/conf:/etc/caddy
-              - /docker-shared/stacks/data/caddy/site:/srv
-              - /docker-shared/stacks/data/caddy/caddy_data:/data
-              - /docker-shared/stacks/data/caddy/caddy_config:/config
-              - /var/run/docker.sock:/var/run/docker.sock
-            mount_dirs:
-              - /docker-shared/stacks/data/caddy/conf
-              - /docker-shared/stacks/data/caddy/site
-              - /docker-shared/stacks/data/caddy/caddy_data
-              - /docker-shared/stacks/data/caddy/caddy_config
-
-          - name: nginx
-            compose_path: nginx-compose.j2
-            deploy_mode: replicated
-            replicas: 1
-            restart_condition: on-failure
-            labels:
-              com.xbazzi.stack: nginx
-              com.xbazzi.critical: "false"
-            constraints:
-              - node.labels.zone == core
-              - node.labels.type != db
-
-          # - name: sleep
-          #   compose_path: sleep-forever-compose.j2
-          #   deploy_mode: replicated
-          #   replicas: 5
-          #   restart_condition: on-failure
-          #   labels:
-          #     com.xbazzi.stack: sleep
-          #     com.xbazzi.critical: "false"
-          #   constraints:
-          #     - node.labels.zone == core
-          #     - node.labels.type != db
--- a/playbooks/docker-prep.yml
+++ b/playbooks/docker-prep.yml
@ -0,0 +1,7 @@
+
+- name: Install Docker and prep for Swag
+  hosts: prod_vms
+  become: true
+  roles:
+    - role: docker/install
+    - role: server/reboot
--- a/playbooks/enable-x11.yml
+++ b/playbooks/enable-x11.yml
@ -0,0 +1,11 @@
+- name: Enable X11 Forwarding
+  hosts: prod_vms
+  become: true
+  roles:
+    - role: server/ssh/x11
+    - role: server/packages
+  tasks:
+    - name: Restart sshd
+      ansible.builtin.systemd_service:
+        name: sshd
+        state: restarted
--- a/playbooks/install-packages.yml
+++ b/playbooks/install-packages.yml
@ -0,0 +1,6 @@
+
+- name: Install dnf packages
+  hosts: prod_vms
+  become: true
+  roles:
+    - role: server/packages
--- a/playbooks/nuke-docker.yml
+++ b/playbooks/nuke-docker.yml
@ -0,0 +1,6 @@
+- name: Nuke Docker on all nodes
+  hosts: prod_vms
+  become: true
+  roles:
+    - role: docker/uninstall
+    - role: server/reboot
--- a/playbooks/provision-alma.yml
+++ b/playbooks/provision-alma.yml
@ -1,20 +0,0 @@
---
- name: Provision AlmaLinux 9 VM
-  hosts: prod_vms
-  become: yes
-  roles:
-    # - role: server/hostname
-    # - role: server/users
-    # - role: server/sshkey
-    - role: server/packages
-    # - role: server/network
-    - role: server/firewall
-    # - role: provision/alma/common
-    # - role: provision/alma/nfs
-    # - role: docker/install
-    # - role: docker/migrate-data
-    # - role: docker/setup-lvm
-    # - role: server/fstrim
-    # - role: server/kitty
-    # - role: server/reboot
-    # - role: server/nfs
--- a/playbooks/provision-vm.yml
+++ b/playbooks/provision-vm.yml
@ -0,0 +1,23 @@
+---
+- name: Provision VMs (deb/alma)
+  hosts: prod_vms
+  become: yes
+  roles:
+    # - role: server/hostname
+    # - role: server/users
+    # - role: server/sshkey
+    # - role: server/network
+    # - role: server/packages
+    # - role: server/fastfetch
+    # - role: server/nfs
+    # - role: docker/install/deb
+
+    # BE REALLY CAREFUL FOR THESE TWO
+    # Only enable the FIRST time you attach a blank docker disk (vm-disk-1)
+    # - role: docker/migrate-data
+    - role: docker/setup-lvm
+    # - role: server/disable/firewalld
+    # - role: server/fstrim
+    # - role: server/kitty
+    # - role: server/service/networkd
+    # - role: server/reboot
--- a/playbooks/sysprep-alma.yml
+++ b/playbooks/sysprep-alma.yml
@ -1,9 +1,9 @@
 - name: Sysprep Alma Linux machine
-  hosts: staging-vm
+  hosts: sysprep_vm
  become: yes
  roles:
+    - role: server/qemu-agent
    - role: server/users
    - role: server/sysprep
    - role: server/sshkey
-    - role: server/network
    - role: server/reboot
--- a/playbooks/uninstall-packages.yml
+++ b/playbooks/uninstall-packages.yml
@ -0,0 +1,5 @@
+- name: Uninstall packages 
+  hosts: prod_vms
+  become: yes
+  roles:
+    - role: server/uninstall
--- a/roles/docker/build/caddy/templates/caddy-dockerfile.j2
+++ b/roles/docker/build/caddy/templates/caddy-dockerfile.j2
@ -10,6 +10,7 @@ FROM caddy:{{ item.version }}-{{ item.os }}

 COPY --from=builder /usr/bin/caddy /usr/bin/caddy

+# Only for standalone Caddy. This one's pimped.
 #CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]

 CMD ["caddy", "docker-proxy"]
--- a/roles/docker/install/alma/defaults/main.yml
+++ b/roles/docker/install/alma/defaults/main.yml
--- a/roles/docker/install/alma/tasks/main.yml
+++ b/roles/docker/install/alma/tasks/main.yml
--- a/roles/docker/install/deb/defaults/main.yml
+++ b/roles/docker/install/deb/defaults/main.yml
--- a/roles/docker/install/deb/handlers/main.yml
+++ b/roles/docker/install/deb/handlers/main.yml
@ -0,0 +1,3 @@
+- name: Update apt cache
+  ansible.builtin.apt:
+    update_cache: yes
--- a/roles/docker/install/deb/tasks/main.yml
+++ b/roles/docker/install/deb/tasks/main.yml
@ -0,0 +1,156 @@
+---
+# - name: Ensure GPG and curl are installed
+#   ansible.builtin.apt:
+#     name:
+#       - curl
+#       - gnupg
+#     state: present
+#     update_cache: true
+
+# - name: Create keyrings directory
+#   ansible.builtin.file:
+#     path: /etc/apt/keyrings
+#     state: directory
+#     mode: '0755'
+
+# - name: Download and dearmor Docker GPG key
+#   ansible.builtin.shell: |
+#     curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+#   args:
+#     creates: /etc/apt/keyrings/docker.gpg
+
+# - name: Set proper permissions on the GPG key
+#   ansible.builtin.file:
+#     path: /etc/apt/keyrings/docker.gpg
+#     mode: '0644'
+
+# - name: Add Docker APT repository (correct for Debian)
+#   ansible.builtin.copy:
+#     dest: /etc/apt/sources.list.d/docker.list
+#     content: |
+#       deb [arch={{ ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable
+#     mode: '0644'
+#   notify: Update apt cache
+
+- name: Ensure dependencies for Docker key
+  apt:
+    name:
+      - curl
+      - gnupg
+    state: present
+    update_cache: true
+
+- name: Remove any broken docker keyrings or source files
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/apt/keyrings/docker.gpg
+    - /etc/apt/keyrings/docker.asc
+    - /etc/apt/sources.list.d/docker.list
+
+- name: Create keyring directory
+  file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: '0755'
+
+- name: Download and dearmor Docker GPG key
+  shell: |
+    curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+  args:
+    creates: /etc/apt/keyrings/docker.gpg
+
+- name: Set correct permissions on Docker GPG key
+  file:
+    path: /etc/apt/keyrings/docker.gpg
+    mode: '0644'
+
+# - name: Add Docker APT repository
+#   copy:
+#     dest: /etc/apt/sources.list.d/docker.list
+#     content: |
+#       deb [arch={{ ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable
+#     mode: '0644'
+
+- name: Add Docker APT repository (correct for Debian)
+  ansible.builtin.copy:
+    dest: /etc/apt/sources.list.d/docker.list
+    content: |
+      deb [arch={{ ansible_architecture | regex_replace('x86_64', 'amd64') }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable
+    mode: '0644'
+
+
+- name: Update apt cache
+  apt:
+    update_cache: yes
+
+# - name: Update apt cache manually if needed
+#   ansible.builtin.apt:
+#     update_cache: true
+#   when: ansible_run_tags is not defined or 'skip_cache' not in ansible_run_tags
+# - name: Update apt cache
+#   ansible.builtin.apt:
+#     update_cache: yes
+
+# - name: Install prerequisite packages
+#   ansible.builtin.apt:
+#     name:
+#     - ca-certificates
+#     - curl
+#     state: present
+
+# - name: Create apt keyrings directory
+#   ansible.builtin.file:
+#     path: /etc/apt/keyrings
+#     state: directory
+#     mode: '0755'
+
+# - name: Download Docker GPG key (dearmor format)
+#   ansible.builtin.get_url:
+#     url: https://download.docker.com/linux/debian/gpg
+#     dest: /etc/apt/keyrings/docker.gpg
+#     mode: '0644'
+
+# - name: Add Docker apt repository
+#   ansible.builtin.apt_repository:
+#     repo: "deb [arch={{ docker_arch }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+#     filename: docker
+#     state: present
+#   vars:
+#     docker_arch: "{{ ansible_architecture | regex_replace('x86_64', 'amd64') }}"
+
+# - name: Add Docker apt repository for Debian
+#   ansible.builtin.apt_repository:
+#     repo: "deb [arch={{ ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable"
+#     filename: docker
+#     state: present
+#     update_cache: true
+
+# - name: Update apt cache after adding Docker repository
+#   ansible.builtin.apt:
+#     update_cache: true
+
+- name: Install Docker packages
+  ansible.builtin.apt:
+    name:
+    - docker-ce
+    - docker-ce-cli
+    - containerd.io
+    - docker-buildx-plugin
+    - docker-compose-plugin
+    state: present
+
+- name: Enable and start Docker Engine
+  ansible.builtin.systemd_service:
+    name: docker
+    state: started
+    enabled: true
+
+- name: Verify with Hello World
+  ansible.builtin.command: docker run hello-world
+  register: docker_hello
+
+- name: Test
+  ansible.builtin.debug:
+    var: docker_hello.stdout_lines
--- a/roles/docker/install/tasks/main2.yml
+++ b/roles/docker/install/tasks/main2.yml
@ -1,45 +0,0 @@
---
- name: Update apt cache
-  ansible.builtin.apt:
-    update_cache: yes
-
- name: Install prerequisite packages
-  ansible.builtin.apt:
-    name:
-    - ca-certificates
-    - curl
-    state: present
-
- name: Create apt keyrings directory
-  ansible.builtin.file:
-    path: /etc/apt/keyrings
-    state: directory
-    mode: '0755'
-
- name: Download Docker GPG key
-  ansible.builtin.get_url:
-    url: "https://download.docker.com/linux/ubuntu/gpg"
-    dest: /etc/apt/keyrings/docker.asc
-    mode: '0644'
-
- name: Add Docker apt repository
-  ansible.builtin.apt_repository:
-    repo: "deb [arch={{ docker_arch }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
-    filename: docker
-    state: present
-  vars:
-    docker_arch: "{{ ansible_architecture | regex_replace('x86_64', 'amd64') }}"
-
- name: Update apt cache after adding Docker repository
-  ansible.builtin.apt:
-    update_cache: true
-
- name: Install Docker packages
-  ansible.builtin.apt:
-    name:
-    - docker-ce
-    - docker-ce-cli
-    - containerd.io
-    - docker-buildx-plugin
-    - docker-compose-plugin
-    state: present
--- a/roles/docker/setup-lvm/tasks/main.yml
+++ b/roles/docker/setup-lvm/tasks/main.yml
@ -13,18 +13,24 @@
  ansible.builtin.command: "lvs --noheadings -o lv_name {{ docker_vg }}"
  register: lvs_output

- name: Create logical volume for Docker
+- name: Create logical volume for Docker (in VM)
  community.general.lvol:
    vg: "{{ docker_vg }}"
    lv: "{{ docker_lv }}"
    size: "{{ docker_lv_size }}"
    state: present

- name: Format logical volume with XFS
+# - name: Format logical volume with XFS
+#   community.general.filesystem:
+#     fstype: xfs
+#     dev: "/dev/{{ docker_vg }}/{{ docker_lv }}"
+#     opts: "-n ftype=1"
+
+- name: Format logical volume with ext4
  community.general.filesystem:
-    fstype: xfs
+    fstype: ext4
    dev: "/dev/{{ docker_vg }}/{{ docker_lv }}"
-    opts: "-n ftype=1"
+    opts: "-F"

 - name: Create mount point for Docker volume
  ansible.builtin.file:
@ -32,14 +38,23 @@
    state: directory
    mode: '0755'

+# - name: Mount Docker LV to VM filesystem
+#   ansible.posix.mount:
+#     path: "{{ docker_mountpoint }}"
+#     src: "/dev/{{ docker_vg }}/{{ docker_lv }}"
+#     fstype: xfs
+#     opts: defaults
+#     state: mounted
+
 - name: Mount Docker LV to VM filesystem
  ansible.posix.mount:
    path: "{{ docker_mountpoint }}"
    src: "/dev/{{ docker_vg }}/{{ docker_lv }}"
-    fstype: xfs
+    fstype: ext4
    opts: defaults
    state: mounted

+
 - name: Stop Docker service
  ansible.builtin.systemd:
    name: docker
--- a/roles/docker/stack/defaults/main.yml
+++ b/roles/docker/stack/defaults/main.yml
@ -1,2 +0,0 @@
-apps: []
-stack_name: "willneverexist"
--- a/roles/docker/stack/tasks/main.yml
+++ b/roles/docker/stack/tasks/main.yml
@ -1,27 +0,0 @@
---
- name: Create app mount directories
-  ansible.builtin.file:
-    path: "{{ remote_app_mounts }}/{{ item }}"
-    state: directory
-    mode: '0777'
-  loop: "{{ apps }}"
-
- name: Create stack directory
-  ansible.builtin.file:
-    path: "{{ remote_stacks }}/{{ stack_name }}"
-    state: directory
-    mode: '0777'
-
- name: Copy docker-compose.yml to server
-  ansible.builtin.copy:
-    src: '{{ docker_stacks }}/{{ stack_name }}/docker-compose.yml'
-    dest: '{{ remote_stacks }}/{{ stack_name }}/docker-compose.yml'
-    owner: javi
-    group: javi
-    mode: '0777'
-
- name: Start up the containers
-  ansible.builtin.command: docker compose up -d
-  become: true
-  args:
-    chdir: "{{ remote_stacks }}/{{ stack_name }}" 
--- a/roles/docker/swarm/node/tasks/main.yml
+++ b/roles/docker/swarm/node/tasks/main.yml
@ -4,4 +4,5 @@
    hostname: "{{ item.name }}"
    labels: "{{ item.labels }}"
    labels_state: replace
-  loop: "{{ swarm_nodes }}"
+  loop: "{{ swarm_nodes }}"
+  when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"
--- a/roles/docker/swarm/prereqs/tasks/main.yml
+++ b/roles/docker/swarm/prereqs/tasks/main.yml
@ -1,18 +1,36 @@
 ---
- name: Ensure pip is installed
-  ansible.builtin.package:
-    name: 
-      - python3
-      - python3-pip
+- name: Ensure python3-venv is installed
+  ansible.builtin.apt:
+    name: python3-venv
    state: present
  become: true

- name: Install Docker SDK and requests for Python
+- name: Create a virtualenv for Docker SDK
+  ansible.builtin.command:
+    cmd: python3 -m venv /opt/docker-venv
+    creates: /opt/docker-venv
+
+- name: Install packages in the virtualenv
  ansible.builtin.pip:
+    virtualenv: /opt/docker-venv
    name:
      - docker
      - requests
      - jsondiff
      - packaging
-    state: present
-  become: true
+
+# - name: Install pipx
+#   ansible.builtin.apt:
+#     name: pipx
+    # state: absent
+
+# - name: Ensure pipx binary path is available
+#   ansible.builtin.shell: pipx ensurepath
+
+# - name: Ensure pip is installed
+#   ansible.builtin.package:
+#     name: 
+#       - python3
+#       - python3-pip
+#     state: present
+#   become: true
--- a/roles/docker/swarm/stacks/files/dumbwhois-compose.yml
+++ b/roles/docker/swarm/stacks/files/dumbwhois-compose.yml
@ -0,0 +1,36 @@
+
+services:
+  dumbwhois:
+    image: dumbwareio/dumbwhois:latest
+    networks:
+      - traefik_traefik_proxy
+    deploy:
+      mode: replicated
+      replicas: 15
+      restart_policy:
+        condition: on-failure
+      labels:
+        # Enable Service discovery for Traefik
+        - "traefik.enable=true"
+        # Define the dumbwhois router rule
+        - "traefik.http.routers.dumbwhois.rule=Host(`dumbwhois.lan.xbazzi.com`)"
+        # Expose dumbwhois on the HTTPS entrypoint
+        - "traefik.http.routers.dumbwhois.entrypoints=websecure"
+        # - "traefik.http.routers.dumbwhois.entrypoints=web"
+        # Enable TLS
+        - "traefik.http.routers.dumbwhois.tls=true"
+        # - "traefik.http.routers.dumbwhois.tls=false"
+        # Expose the dumbwhois port number to Traefik
+        - "traefik.http.services.dumbwhois.loadbalancer.server.port=3000"
+
+        # Custom labels
+        - "com.xbazzi.stack=dumbwhois"
+        - "com.xbazzi.critical=false"
+      placement:
+        constraints:
+          - node.labels.zone == core
+          - node.labels.type != db
+
+networks:
+  traefik_traefik_proxy:
+    external: true
--- a/roles/docker/swarm/stacks/files/flowtodo-compose.yml
+++ b/roles/docker/swarm/stacks/files/flowtodo-compose.yml
@ -0,0 +1,38 @@
+services:
+  flowtodo:
+    image: gitgud.foo/thegrind/flowtodo
+    #environment:
+      # If you're serving through a reverse proxy
+      #- OCTANE_HTTPS=false 
+    networks:
+      - traefik_traefik_proxy
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: on-failure
+      labels:
+        # Enable Service discovery for Traefik
+        - "traefik.enable=true"
+        # Define the flowtodo router rule
+        - "traefik.http.routers.flowtodo.rule=Host(`flowtodo.lan.xbazzi.com`)"
+        # Expose flowtodo on the HTTPS entrypoint
+        - "traefik.http.routers.flowtodo.entrypoints=websecure"
+        # - "traefik.http.routers.flowtodo.entrypoints=web"
+        # Enable TLS
+        - "traefik.http.routers.flowtodo.tls=true"
+        # - "traefik.http.routers.flowtodo.tls=false"
+        # Expose the flowtodo port number to Traefik
+        - "traefik.http.services.flowtodo.loadbalancer.server.port=8000"
+
+        # Custom labels
+        - "com.xbazzi.stack=flowtodo"
+        - "com.xbazzi.critical=true"
+      placement:
+        constraints:
+          - node.labels.zone == core
+          - node.labels.type != db
+
+networks:
+  traefik_traefik_proxy:
+    external: true
--- a/roles/docker/swarm/stacks/files/nginx-compose.yml
+++ b/roles/docker/swarm/stacks/files/nginx-compose.yml
@ -0,0 +1,37 @@
+
+services:
+  nginx:
+    image: nginx:latest
+    networks:
+      - traefik_traefik_proxy
+    deploy:
+      mode: replicated
+      replicas: 8
+      restart_policy:
+        condition: on-failure
+      labels:
+        # Enable Service discovery for Traefik
+        - "traefik.enable=true"
+        # Define the nginx router rule
+        - "traefik.http.routers.nginx.rule=Host(`nginx.lan.xbazzi.com`)"
+        # Expose nginx on the HTTPS entrypoint
+        - "traefik.http.routers.nginx.entrypoints=websecure"
+        # - "traefik.http.routers.nginx.entrypoints=web"
+        # Enable TLS
+        - "traefik.http.routers.nginx.tls=true"
+        # - "traefik.http.routers.nginx.tls=false"
+        # Expose the nginx port number to Traefik
+        - "traefik.http.services.nginx.loadbalancer.server.port=80"
+
+        # Custom labels
+        - "com.xbazzi.stack=nginx"
+        - "com.xbazzi.critical=false"
+      placement:
+        constraints:
+          - node.labels.zone == core
+          # - node.role != manager
+          # - node.labels.type != db
+
+networks:
+  traefik_traefik_proxy:
+    external: true
--- a/roles/docker/swarm/stacks/files/portainer-compose.yml
+++ b/roles/docker/swarm/stacks/files/portainer-compose.yml
@ -0,0 +1,60 @@
+version: '3.2'
+
+services:
+  agent:
+    image: portainer/agent:lts
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/lib/docker/volumes:/var/lib/docker/volumes
+    networks:
+      - agent_network
+    deploy:
+      mode: global
+      placement:
+        constraints: [node.platform.os == linux]
+
+  portainer:
+    image: portainer/portainer-ce:lts
+    command: -H tcp://tasks.agent:9001 --tlsskipverify
+    ports:
+      - "9443:9443"
+      - "9000:9000"
+      - "8000:8000"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /docker-shared/stacks/data/portainer:/data
+    networks:
+      - traefik_traefik_proxy
+      - agent_network
+    deploy:
+      mode: replicated
+      replicas: 1
+      labels:
+        # Enable Service discovery for Traefik
+        - "traefik.enable=true"
+        # Define the nginx router rule
+        - "traefik.http.routers.portainer.rule=Host(`portainer.lan.xbazzi.com`)"
+        # Expose nginx on the HTTPS entrypoint
+        - "traefik.http.routers.portainer.entrypoints=websecure"
+        # - "traefik.http.routers.nginx.entrypoints=web"
+        # Enable TLS
+        - "traefik.http.routers.portainer.tls=true"
+        # - "traefik.http.routers.nginx.tls=false"
+        # Expose the nginx port number to Traefik
+        - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+
+
+        # Custom labels
+        - "com.xbazzi.stack=nginx"
+        - "com.xbazzi.critical=false"
+      restart_policy:
+        condition: on-failure
+      placement:
+        constraints: [node.role == manager]
+
+networks:
+  agent_network:
+    driver: overlay
+    attachable: true
+  traefik_traefik_proxy:
+    external: true
--- a/roles/docker/swarm/stacks/files/postgresql-compose.yml
+++ b/roles/docker/swarm/stacks/files/postgresql-compose.yml
@ -0,0 +1,67 @@
+services:
+
+  postgres:
+    image: postgres:17.5-alpine3.21
+    hostname: postgres
+    networks:
+      - postgres_net
+      - traefik_traefik_proxy
+    # or set shared memory limit when deploy via swarm stack
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: on-failure
+      labels:
+        # Custom labels
+        - "com.xbazzi.stack=postgresql"
+        - "com.xbazzi.critical=true"
+
+      placement:
+        constraints:
+          - node.hostname == db1
+    volumes:
+      - /var/lib/postgresql/data:/var/lib/postgresql/data
+    #  - type: tmpfs
+    #    target: /dev/shm
+    #    tmpfs:
+    #      size: 134217728 # 128*2^20 bytes = 128Mb
+    environment:
+      POSTGRES_PASSWORD: password
+
+  adminer:
+    image: adminer
+    networks:
+      - postgres_net
+      - traefik_traefik_proxy
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: on-failure
+      labels:
+        # Enable Service discovery for Traefik
+        - "traefik.enable=true"
+        # Define the nginx router rule
+        - "traefik.http.routers.adminer.rule=Host(`adminer.lan.xbazzi.com`)"
+        # Expose nginx on the HTTPS entrypoint
+        - "traefik.http.routers.adminer.entrypoints=websecure"
+        # Enable TLS
+        - "traefik.http.routers.adminer.tls=true"
+        # Expose the nginx port number to Traefik
+        - "traefik.http.services.adminer.loadbalancer.server.port=8080"
+
+        # Custom labels
+        - "com.xbazzi.stack=adminer"
+        - "com.xbazzi.critical=true"
+      placement:
+        constraints:
+          - node.hostname == db1
+
+networks:
+  postgres_net:
+    driver: overlay
+    attachable: true
+    
+  traefik_traefik_proxy:
+    external: true
--- a/roles/docker/swarm/stacks/files/scylladb-compose.yml
+++ b/roles/docker/swarm/stacks/files/scylladb-compose.yml
@ -0,0 +1,37 @@
+services:
+  some-scylla:
+    image: scylladb/scylla
+    networks:
+      - traefik_traefik_proxy
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: on-failure
+      labels:
+        # Enable Service discovery for Traefik
+        - "traefik.enable=true"
+        # Define the scylladb router rule
+        - "traefik.http.routers.scylladb.rule=Host(`scylladb.lan.xbazzi.com`)"
+        # Expose scylladb on the HTTPS entrypoint
+        - "traefik.http.routers.scylladb.entrypoints=websecure"
+        # - "traefik.http.routers.scylladb.entrypoints=web"
+        # Enable TLS
+        - "traefik.http.routers.scylladb.tls=true"
+        # - "traefik.http.routers.scylladb.tls=false"
+        # Expose the scylladb port number to Traefik
+        - "traefik.http.services.scylladb.loadbalancer.server.port=9494"
+
+        # Custom labels
+        - "com.xbazzi.stack=scylladb"
+        - "com.xbazzi.critical=true"
+      placement:
+        constraints:
+          - node.labels.zone == core
+          - node.labels.type == db
+    volumes:
+      - /var/lib/scylla:/var/lib/scylla
+
+networks:
+  traefik_traefik_proxy:
+    external: true
--- a/roles/docker/swarm/stacks/files/traefik-compose.yml
+++ b/roles/docker/swarm/stacks/files/traefik-compose.yml
@ -0,0 +1,142 @@
+services:
+  traefik:
+    image: traefik:v3.4
+
+    networks:
+    # Connect to the 'traefik_proxy' overlay network for inter-container communication across nodes
+      - traefik_proxy
+
+    ports:
+        # Expose Traefik's entry points to the Swarm
+        # Swarm requires the long syntax for ports.
+      - target: 80 # Container port (Traefik web entry point)
+        published: 80 # Host port exposed on the nodes
+        protocol: tcp
+        # 'host' mode binds directly to the node's IP where the task runs.
+        # 'ingress' mode uses Swarm's Routing Mesh (load balances across nodes).
+        # Choose based on your load balancing strategy. 'host' is often simpler if using an external LB.
+        mode: host
+      - target: 443 # Container port ( Traefik websecure entry point)
+        published: 443 # Host port
+        protocol: tcp
+        mode: host
+
+      # External EntryPoint host port
+      - target: 8443  
+        published: 8443 
+        protocol: tcp
+        mode: host
+
+    volumes:
+      # Mount the Docker socket for the Swarm provider
+      # This MUST be run from a manager node to access the Swarm API via the socket.
+      - /docker-shared/stacks/data/traefik/certs:/certs:ro
+      - /docker-shared/stacks/data/traefik/dynamic:/dynamic:ro
+      - /docker-shared/stacks/data/traefik/logs:/logs/
+      - /var/run/docker.sock:/var/run/docker.sock:ro   # Swarm API socket
+
+    # Traefik Static configuration via command-line arguments
+    command:
+      # HTTP EntryPoint
+      - "--entrypoints.web.address=:80"
+
+      # External EntryPoint
+      - "--entrypoints.external.address=:8443"
+      - "--entrypoints.external.http.tls=true"
+
+      # Configure HTTP to HTTPS Redirection
+      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
+      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
+
+      # HTTPS EntryPoint
+      - "--entrypoints.websecure.address=:443"
+      - "--entrypoints.websecure.http.tls=true"
+
+      # Attach dynamic TLS file
+      - "--providers.file.filename=/dynamic/tls.yaml"
+
+      # Providers
+
+      # Enable the Docker Swarm provider (instead of Docker provider)
+      - "--providers.swarm.endpoint=unix:///var/run/docker.sock"
+
+      # Watch for Swarm service changes (requires socket access)
+      - "--providers.swarm.watch=true"
+
+      # Recommended: Don't expose services by default; require explicit labels
+      - "--providers.swarm.exposedbydefault=false"
+
+      # Specify the default network for Traefik to connect to services
+      - "--providers.swarm.network=traefik_traefik_proxy"
+
+      # API & Dashboard
+      # - "--api=true" # Enable API
+      # - "--api"
+      # - "--api.insecure=true" # Enale API
+      - "--api.dashboard=true" # Enable the dashboard
+      - "--api.insecure=false" # Explicitly disable insecure API mod
+
+      # Observability
+      - "--log.level=DEBUG" # Set the Log Level e.g INFO, DEBUG
+      - "--accesslog=true" # Enable Access Logs
+      - "--metrics.prometheus=true"  # Enable Prometheus
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      placement:
+
+      # Placement constraints restrict where Traefik tasks can run.
+      # Running on manager nodes is common for accessing the Swarm API via the socket.
+        constraints:
+          - node.role == manager
+
+      # Traefik Dynamic configuration via labels
+      # In Swarm, labels on the service definition configure Traefik routing for that service.
+      labels:
+        - "traefik.enable=true"
+
+        # Dashboard router
+        - "traefik.http.routers.dashboard.rule=Host(`traefik.lan.xbazzi.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+        - "traefik.http.routers.dashboard.entrypoints=websecure"
+        # - "traefik.http.routers.dashboard.entrypoints=web"
+        - "traefik.http.routers.dashboard.service=api@internal"
+        - "traefik.http.routers.dashboard.tls=true"
+        # - "traefik.http.routers.dashboard.tls=false"
+
+        # Basic‑auth middleware
+        - "traefik.http.middlewares.dashboard-auth.basicauth.users=admin:$$apr1$$E5TT9jjy$$FWtnebebWTH/fiL.oz3jg1"
+        - "traefik.http.routers.dashboard.middlewares=dashboard-auth@swarm"
+
+        # Service hint
+        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
+
+  # Deploy the Whoami application
+  whoami:
+    image: traefik/whoami
+    networks:
+      - traefik_proxy
+    deploy:
+      labels:
+        # Enable Service discovery for Traefik
+        - "traefik.enable=true"
+        # Define the WHoami router rule
+        - "traefik.http.routers.whoami.rule=Host(`whoami.lan.xbazzi.com`)"
+        # Expose Whoami on the HTTPS entrypoint
+        - "traefik.http.routers.whoami.entrypoints=websecure"
+        # - "traefik.http.routers.whoami.entrypoints=web"
+        # Enable TLS
+        - "traefik.http.routers.whoami.tls=true"
+        # - "traefik.http.routers.whoami.tls=false"
+        # Expose the whoami port number to Traefik
+        - "traefik.http.services.whoami.loadbalancer.server.port=80"
+      placement:
+        constraints:
+          - node.role != manager
+
+# Define the overlay network for Swarm
+networks:
+  traefik_proxy:
+    driver: overlay
+    attachable: true
--- a/roles/docker/swarm/stacks/files/whoami-compose.yml
+++ b/roles/docker/swarm/stacks/files/whoami-compose.yml
@ -0,0 +1,26 @@
+services:
+  whoami:
+    image: traefik/whoami
+    networks:
+      - traefik_proxy
+    deploy:
+      labels:
+        # Enable Service discovery for Traefik
+        - "traefik.enable=true"
+        # Define the WHoami router rule
+        - "traefik.http.routers.whoami.rule=Host(`whoami.lan.xbazzi.com`)"
+        # Expose Whoami on the HTTPS entrypoint
+        - "traefik.http.routers.whoami.entrypoints=websecure"
+        # - "traefik.http.routers.whoami.entrypoints=web"
+        # Enable TLS
+        - "traefik.http.routers.whoami.tls=true"
+        # - "traefik.http.routers.whoami.tls=false"
+        # Expose the whoami port number to Traefik
+        - "traefik.http.services.whoami.loadbalancer.server.port=80"
+      placement:
+        constraints:
+          - node.role != manager
+
+networks:
+  traefik_traefik_proxy:
+    external: true
--- a/roles/docker/swarm/stacks/tasks/main.yml
+++ b/roles/docker/swarm/stacks/tasks/main.yml
@ -9,15 +9,24 @@
  loop: "{{ stacks }}"
  # when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"

- name: Render docker-compose.yml for each stack
-  ansible.builtin.template:
+# - name: Render docker-compose.yml for each stack
+#   ansible.builtin.template:
+#     src: "{{ item.compose_path }}"
+#     dest: "/docker-shared/stacks/compose/{{ item.name }}/docker-compose.yml"
+#     owner: root
+#     group: root
+#     mode: '0644'
+#   loop: "{{ stacks }}"
+#   # when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"
+
+- name: Copy raw docker-compose.yml for each stack
+  ansible.builtin.copy:
    src: "{{ item.compose_path }}"
    dest: "/docker-shared/stacks/compose/{{ item.name }}/docker-compose.yml"
    owner: root
    group: root
    mode: '0644'
  loop: "{{ stacks }}"
-  # when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"

 - name: Ensure Docker bind mount directories exist
  ansible.builtin.file:
--- a/roles/docker/swarm/stacks/templates/caddy-compose.j2
+++ b/roles/docker/swarm/stacks/templates/caddy-compose.j2
@ -1,12 +1,15 @@
 services:
-  caddy:
+  server:
    image: gitgud.foo/xbazzi/caddy-pimped:latest
-    restart: unless-stopped
    ports:
-      - "80:80"
-      - "443:443"
-      - "2019:2019"
-      - "443:443/udp"
+      - 80:80
+      - 5443:443
+    networks:
+      - caddy_net
+      - caddy_controller
+    environment:
+      - CADDY_DOCKER_MODE=server
+      - CADDY_CONTROLLER_NETWORK=10.200.254.0/24
    volumes:
 {% for volume in item.volumes %}
          - {{ volume }}
@ -17,6 +20,7 @@ services:
      restart_policy:
        condition: {{ item.restart_condition }}
      labels:
+        caddy.email: admin@xbazzi.com
 {% for key, val in item.labels.items() %}
        {{ key }}: "{{ val }}"
 {% endfor %}
@ -24,4 +28,31 @@ services:
        constraints:
 {% for constraint in item.constraints %}
          - {{ constraint }}
-{% endfor %}
+{% endfor %}
+
+  controller:
+    image: gitgud.foo/xbazzi/caddy-pimped:latest
+    networks:
+      - caddy_controller
+      - caddy_net
+    environment:
+      - CADDY_DOCKER_MODE=controller
+      - CADDY_CONTROLLER_NETWORK=10.200.254.0/24
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    deploy:
+      placement:
+        constraints:
+{% for constraint in item.constraints %}
+          - {{ constraint }}
+{% endfor %}
+
+networks:
+  caddy_net:
+    external: true
+  caddy_controller:
+    driver: overlay
+    ipam:
+      driver: default
+      config:
+        - subnet: "10.200.254.0/24"
--- a/roles/docker/swarm/stacks/templates/dumbwhois-compose.j2
+++ b/roles/docker/swarm/stacks/templates/dumbwhois-compose.j2
@ -0,0 +1,30 @@
+
+services:
+  dumbwhois:
+    image: dumbwareio/dumbwhois:latest
+    ports:
+      - target: 3000
+        published: 3000
+        protocol: tcp
+        mode: ingress
+    networks:
+      - default
+      - caddy_net
+    deploy:
+      mode: replicated
+      replicas: {{ item.replicas }}
+      restart_policy:
+        condition: {{ item.restart_condition }}
+      labels:
+{% for key, val in item.labels.items() %}
+        {{ key }}: "{{ val }}"
+{% endfor %}
+      placement:
+        constraints:
+{% for constraint in item.constraints %}
+          - {{ constraint }}
+{% endfor %}
+
+networks:
+  caddy_net:
+    external: true
--- a/roles/docker/swarm/stacks/templates/flowtodo-compose.j2
+++ b/roles/docker/swarm/stacks/templates/flowtodo-compose.j2
@ -0,0 +1,33 @@
+
+services:
+  flowtodo:
+    image: gitgud.foo/thegrind/flowtodo
+    #environment:
+      # If you're serving through a reverse proxy
+      #- OCTANE_HTTPS=false 
+    ports:
+      - target: 8000
+        published: 4000
+        protocol: tcp
+        mode: ingress
+    networks:
+      - default
+      - caddy_net
+    deploy:
+      mode: replicated
+      replicas: {{ item.replicas }}
+      restart_policy:
+        condition: {{ item.restart_condition }}
+      labels:
+{% for key, val in item.labels.items() %}
+        {{ key }}: "{{ val }}"
+{% endfor %}
+      placement:
+        constraints:
+{% for constraint in item.constraints %}
+          - {{ constraint }}
+{% endfor %}
+
+networks:
+  caddy_net:
+    external: true
--- a/roles/docker/swarm/stacks/templates/nginx-compose.j2
+++ b/roles/docker/swarm/stacks/templates/nginx-compose.j2
@ -7,6 +7,8 @@ services:
        published: 8080
        protocol: tcp
        mode: ingress
+    networks:
+      - caddy_net
    deploy:
      mode: replicated
      replicas: {{ item.replicas }}
@ -21,3 +23,7 @@ services:
 {% for constraint in item.constraints %}
          - {{ constraint }}
 {% endfor %}
+
+networks:
+  caddy_net:
+    external: true
--- a/roles/docker/swarm/stacks/templates/portainer-compose.j2
+++ b/roles/docker/swarm/stacks/templates/portainer-compose.j2
@ -25,9 +25,14 @@ services:
      - /docker-shared/stacks/data/portainer:/data
    networks:
      - agent_network
+      - caddy_net
    deploy:
      mode: replicated
      replicas: {{ item.replicas }}
+      labels:
+{% for key, val in item.labels.items() %}
+        {{ key }}: "{{ val }}"
+{% endfor %}
      restart_policy:
        condition: {{ item.restart_condition }}
      placement:
@ -37,4 +42,6 @@ services:
 networks:
  agent_network:
    driver: overlay
-    attachable: true
+    attachable: true
+  caddy_net:
+    external: true
--- a/roles/docker/swarm/stacks/templates/scylladb-compose.j2
+++ b/roles/docker/swarm/stacks/templates/scylladb-compose.j2
@ -0,0 +1,4 @@
+services:
+  scylla:
+    image: scylladb/scylla
+    container_name: scylladb
--- a/roles/docker/uninstall/defaults/main.yml
+++ b/roles/docker/uninstall/defaults/main.yml
--- a/roles/docker/uninstall/tasks/main.yml
+++ b/roles/docker/uninstall/tasks/main.yml
@ -0,0 +1,38 @@
+---
+- name: Leave Docker Swarm (if member)
+  ansible.builtin.shell: docker swarm leave --force || true
+  ignore_errors: true
+
+- name: Stop Docker service
+  ansible.builtin.systemd_service:
+    name: docker
+    state: stopped
+    enabled: true
+
+- name: Remove Docker data directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /var/lib/docker
+    - /var/lib/docker/volumes
+    - /var/lib/docker/swarm
+    - /var/lib/docker/network
+    - /etc/docker/key.json
+    - /run/docker
+  ignore_errors: true
+
+- name: Remove dnf packages
+  ansible.builtin.dnf:
+    name:
+      - docker
+      - docker-client
+      - docker-client-latest
+      - docker-common
+      - docker-latest
+      - docker-latest-logrotate
+      - docker-logrotate
+      - docker-engine
+      - podman
+      - runc
+    state: absent
--- a/roles/pve/lvm/tasks/main.yml
+++ b/roles/pve/lvm/tasks/main.yml
@ -25,10 +25,11 @@
    shrink: false
    size: "{{ pve_docker_lv_size }}"
    state: present
-  when: "'docker' in item.roles"
+  when: "'docker' in item.vm_roles"
  loop: "{{ vms }}"
  loop_control:
    label: "{{ item.vmid }}"
+  ignore_errors: true

 - name: Attach Docker disk to VM
  ansible.builtin.shell: >
@ -38,7 +39,7 @@
  delegate_to: "{{ item.node }}"
  run_once: true
  loop: "{{ vms }}"
-  when: "'docker' in item.roles"
+  when: "'docker' in item.vm_roles"
  loop_control:
    label: "VM {{ item.vmid }} on {{ item.node }}"
    
@ -49,7 +50,83 @@
    shrink: false
    size: "{{ pve_db_lv_size }}"
    state: present
-  when: "'db' in item.roles"
+  when: "'db' in item.vm_roles"
  loop: "{{ vms }}"
  loop_control:
    label: "{{ item.vmid }}"
+
+# - name: Install LVM tools (if not present)
+#   ansible.builtin.package:
+#     name: lvm2
+#     state: present
+
+# - name: Check current LVs for VMs
+#   ansible.builtin.shell: >
+#     lvs -o lv_name --noheadings | grep vm || true
+#   register: lvs_output
+#   changed_when: false
+
+# - name: Debug current LV list
+#   debug:
+#     var: lvs_output.stdout_lines
+
+# - name: Create logical volume for Docker (only on owning node)
+#   community.general.lvol:
+#     lv: "vm-{{ item.vmid }}-disk-{{ pve_docker_disk_id }}"
+#     vg: "{{ pve_vg }}"
+#     shrink: false
+#     size: "{{ pve_docker_lv_size }}"
+#     state: present
+#   when: 
+#     - "'docker' in item.vm_roles"
+#     - inventory_hostname == item.node
+#   loop: "{{ vms }}"
+#   loop_control:
+#     label: "lv_docker_{{ item.vmid }}"
+#   ignore_errors: false
+
+# - name: Ensure VM exists before attaching disk
+#   ansible.builtin.command: >
+#     qm config {{ item.vmid }}
+#   register: vm_check
+#   failed_when: vm_check.rc != 0 and 'no such VM' not in vm_check.stderr
+#   changed_when: false
+#   when:
+#     - "'docker' in item.vm_roles"
+#     - inventory_hostname == item.node
+#   loop: "{{ vms }}"
+#   loop_control:
+#     label: "check_vm_{{ item.vmid }}"
+
+# - name: Attach Docker disk to VM
+#   ansible.builtin.shell: >
+#     qm set {{ item.vmid }} --scsi{{ pve_docker_disk_id }}
+#     ha-lvm:vm-{{ item.vmid }}-disk-{{ pve_docker_disk_id }},
+#     cache=writeback,discard=on,iothread=1,ssd=1
+#   args:
+#     executable: /bin/bash
+#   delegate_to: "{{ item.node }}"
+#   run_once: false
+#   loop: "{{ vms }}"
+#   when:
+#     - "'docker' in item.vm_roles"
+#   retries: 5
+#   delay: 3
+#   register: disk_attach_result
+#   until: disk_attach_result.rc == 0
+#   loop_control:
+#     label: "attach_vm_{{ item.vmid }}"
+
+# - name: Create logical volume for DB (only on owning node)
+#   community.general.lvol:
+#     lv: "vm-{{ item.vmid }}-disk-{{ pve_db_disk_id }}"
+#     vg: "{{ pve_vg }}"
+#     shrink: false
+#     size: "{{ pve_db_lv_size }}"
+#     state: present
+#   when: 
+#     - "'db' in item.vm_roles"
+#     - inventory_hostname == item.node
+#   loop: "{{ vms }}"
+#   loop_control:
+#     label: "lv_db_{{ item.vmid }}"
--- a/roles/server/disable/firewalld/defaults/main.yml
+++ b/roles/server/disable/firewalld/defaults/main.yml
--- a/roles/server/disable/firewalld/tasks/main.yml
+++ b/roles/server/disable/firewalld/tasks/main.yml
@ -0,0 +1,7 @@
+---
+- name: Disable and stop firewalld
+  ansible.builtin.systemd_service:
+    name: firewalld
+    state: stopped
+    enabled: false
+    masked: true
--- a/roles/server/fastfetch/defaults/main.yml
+++ b/roles/server/fastfetch/defaults/main.yml
--- a/roles/server/fastfetch/tasks/main.yml
+++ b/roles/server/fastfetch/tasks/main.yml
@ -0,0 +1,31 @@
+---
+- name: Clone fastfetch repository
+  ansible.builtin.git:
+    repo: https://github.com/fastfetch-cli/fastfetch.git
+    dest: /usr/local/src/fastfetch
+    version: master
+    update: yes
+
+- name: Create build directory
+  ansible.builtin.file:
+    path: /usr/local/src/fastfetch/build
+    state: directory
+
+- name: Run cmake to configure build
+  ansible.builtin.command:
+    cmd: cmake -G Ninja ..
+    chdir: /usr/local/src/fastfetch/build
+  args:
+    creates: /usr/local/src/fastfetch/build/build.ninja
+
+- name: Build fastfetch with ninja
+  ansible.builtin.command:
+    cmd: ninja
+    chdir: /usr/local/src/fastfetch/build
+  args:
+    creates: /usr/local/src/fastfetch/build/fastfetch
+
+- name: Install fastfetch binary
+  ansible.builtin.command:
+    cmd: ninja install
+    chdir: /usr/local/src/fastfetch/build
--- a/roles/server/firewall/tasks/main.yml
+++ b/roles/server/firewall/tasks/main.yml
@ -8,6 +8,7 @@
 - name: Assign interface ens18 to core zone
  ansible.posix.firewalld:
    interface: ens18
+    # masquerade: true
    zone: core
    state: enabled
    permanent: true
@ -15,6 +16,7 @@
 - name: Assign interface ens19 to mgmt zone
  ansible.posix.firewalld:
    interface: ens19
+    # masquerade: true
    zone: mgmt
    state: enabled
    permanent: true
@ -22,6 +24,7 @@
 - name: Assign interface ens20 to dmz zone
  ansible.posix.firewalld:
    interface: ens20
+    # masquerade: true
    zone: dmz
    state: enabled
    permanent: true
@ -32,12 +35,12 @@
 - name: Reload firewalld to apply changes
  ansible.builtin.command: firewall-cmd --reload

- name: DROP all traffic on dmz by default
-  ansible.builtin.firewalld:
-    zone: dmz
-    target: "DROP"
-    permanent: true
-    state: enabled
+# - name: DROP all traffic on dmz by default
+#   ansible.builtin.firewalld:
+#     zone: dmz
+#     target: "DROP"
+#     permanent: true
+#     state: enabled

 ################ SWARM SETUP ################
 - name: Open Docker Swarm manager inbound port 2377/tcp
@ -46,7 +49,7 @@
    port: 2377/tcp
    permanent: true
    state: enabled
-  when: "'swarm' in hostvars[inventory_hostname]['vm_roles']"
+  when: "'swarm_manager' in hostvars[inventory_hostname]['vm_roles']"

 - name: Open Docker Swarm data overlay node discovery port 7946/tcp
  ansible.builtin.firewalld:
@ -88,10 +91,18 @@
    state: enabled
  when: "'swarm' in hostvars[inventory_hostname]['vm_roles']"

+- name: Open Docker Swarm overlay network traffic 4789/udp on mgmt
+  ansible.builtin.firewalld:
+    zone: mgmt
+    port: 4789/udp
+    permanent: true
+    state: enabled
+
+
 ############# Docker Services ###########
 - name: Open Docker Stack portainer 9443/tcp
  ansible.builtin.firewalld:
-    zone: core
+    # zone: core
    port: 9443/tcp
    permanent: true
    state: enabled
@ -99,51 +110,59 @@

 - name: Open Docker Stack nginx 8080/tcp
  ansible.builtin.firewalld:
-    zone: core
+    # zone: core
    port: 8080/tcp
    permanent: true
    state: enabled
  when: "'swarm' in hostvars[inventory_hostname]['vm_roles']"

- name: Open Caddy 443/tcp
+- name: Open Caddy 4443/tcp
  ansible.builtin.firewalld:
-    zone: core
-    port: 443/tcp
+    # zone: core
+    port: 4443/tcp
    permanent: true
    state: enabled
  when: "'swarm' in hostvars[inventory_hostname]['vm_roles']"

- name: Open Caddy 80/tcp
+- name: Open Caddy 4443/udp
  ansible.builtin.firewalld:
-    zone: core
-    port: 80/tcp
+    # zone: core
+    port: 4443/udp
    permanent: true
    state: enabled
  when: "'swarm' in hostvars[inventory_hostname]['vm_roles']"

- name: Open Caddy 80/tcp
+- name: Open Caddy 4080/tcp
  ansible.builtin.firewalld:
-    zone: core
-    port: 80/tcp
+    # zone: core
+    port: 4080/tcp
    permanent: true
    state: enabled
  when: "'swarm' in hostvars[inventory_hostname]['vm_roles']"

 - name: Open Caddy 2019/tcp
  ansible.builtin.firewalld:
-    zone: core
+    # zone: core
    port: 2019/tcp
    permanent: true
    state: enabled
  when: "'swarm' in hostvars[inventory_hostname]['vm_roles']"

-# - name: Open Portainer env port 9001/tcp
-#   ansible.builtin.firewalld:
-#     zone: core
-#     port: 9001/tcp
-#     permanent: true
-#     state: enabled
-#   when: "'swarm' in hostvars[inventory_hostname]['vm_roles']"
+- name: Open FlowTodo 4000/tcp
+  ansible.builtin.firewalld:
+    # zone: core
+    port: 4000/tcp
+    permanent: true
+    state: enabled
+  when: "'swarm' in hostvars[inventory_hostname]['vm_roles']"
+
+- name: Open DumbWhois 3000/tcp
+  ansible.builtin.firewalld:
+    # zone: core
+    port: 3000/tcp
+    permanent: true
+    state: enabled
+  when: "'swarm' in hostvars[inventory_hostname]['vm_roles']"

 - name: Restart firewalld service
  ansible.builtin.systemd_service:
--- a/roles/server/kitty/tasks/main.yml
+++ b/roles/server/kitty/tasks/main.yml
@ -5,21 +5,35 @@
 - name: Upload xterm-kitty.terminfo to each user’s home
  ansible.builtin.copy:
    src: "/home/xbazzi/.xterm-kitty.terminfo"
-    dest: "/home/{{ item }}/.xterm-kitty.terminfo"
+    dest: "{{ '/root' if item == 'root' else '/home/' + item }}/.xterm-kitty.terminfo"
+    # dest: "/home/{{ item }}/.xterm-kitty.terminfo"
    owner: "{{ item }}"
    group: "{{ item }}"
    mode: '0644'
-  loop: "{{ users }}"
+  loop: "{{ users + ['root']}}"

+# - name: Compile terminfo for each user
+#   ansible.builtin.command: >
+#     tic -x -o "{{ '/root' if item == 'root' else '/home/' + item }}/.terminfo  {{ '/root' if item == 'root' else '/home/' + item }}/.xterm-kitty.terminfo"
+#   become: true
+#   become_user: root #"{{ item }}"
+#   loop: "{{ users + ['root']}}"
+  
 - name: Compile terminfo for each user
-  ansible.builtin.command: >
-    tic -x -o /home/{{ item }}/.terminfo /home/{{ item }}/.xterm-kitty.terminfo
-  become: true
-  become_user: root #"{{ item }}"
-  loop: "{{ users }}"
+  ansible.builtin.command:
+    argv:
+      - tic
+      - -x
+      - -o
+      - "{{ item_home }}/.terminfo"
+      - "{{ item_home }}/.xterm-kitty.terminfo"
+  vars:
+    item_home: "{{ '/root' if item == 'root' else '/home/' + item }}"
+  loop: "{{ users + ['root'] }}"
+

 - name: Clean up xterm-kitty.terminfo from home directory
  ansible.builtin.file:
    path: "/home/{{ item }}/.xterm-kitty.terminfo"
    state: absent
-  loop: "{{ users }}"
+  loop: "{{ users + ['root']}}"
--- a/roles/server/network/handlers/main.yml
+++ b/roles/server/network/handlers/main.yml
@ -1,4 +1,13 @@
 - name: Restart systemd-networkd
  ansible.builtin.systemd_service:
    name: systemd-networkd
-    state: restarted
+    state: restarted
+
+- name: Trigger udev for new interface names
+  ansible.builtin.command: udevadm trigger
+  become: true
+
+- name: Restart systemd-networkd
+  ansible.builtin.systemd:
+    name: systemd-networkd
+    state: restarted
--- a/roles/server/network/tasks/main.yml
+++ b/roles/server/network/tasks/main.yml
@ -1,68 +1,69 @@
 ---
 ##### Firewall pre-requisites #####
+
+# - name: Enable and start firewalld
+#   ansible.builtin.systemd:
+#     name: firewalld
+#     enabled: yes
+#     state: started
+
+# - name: firewall-cmd --get-zones
+#   ansible.builtin.command: firewall-cmd --get-zones
+#   register: firewalld_zones
+
+# - name: firewall-cmd --get-active-zones
+#   ansible.builtin.command: firewall-cmd --get-active-zones
+#   register: firewalld_zones
+
+# - name: Check existing zones
+#   ansible.builtin.debug:
+#     var: firewalld_zones.stdout
+
+# - name: Create firewalld core zone
+#   ansible.posix.firewalld:
+#     zone: core
+#     state: present
+#     permanent: true
+
+# - name: Create firewalld mgmt zone
+#   ansible.posix.firewalld:
+#     zone: mgmt
+#     state: present
+#     permanent: true
+
+# - name: Create firewalld dmz zone
+#   ansible.posix.firewalld:
+#     zone: dmz
+#     state: present
+#     permanent: true
+
+# - name: Reload firewalld to apply changes
+#   ansible.builtin.command: firewall-cmd --reload
+
+# - name: Enable ssh rule in core 
+#   ansible.posix.firewalld:
+#     zone: core
+#     service: ssh
+#     state: enabled
+#     permanent: true
+
+# - name: Enable ssh rule in mgmt 
+#   ansible.posix.firewalld:
+#     zone: mgmt
+#     service: ssh
+#     state: enabled
+#     permanent: true
+
+# - name: Reload firewalld to apply changes
+#   ansible.builtin.command: firewall-cmd --reload
+
+#### Network config ####
 - name: Enable and start systemd-networkd
  ansible.builtin.systemd:
    name: systemd-networkd
    enabled: true
    state: started

- name: Enable and start firewalld
-  ansible.builtin.systemd:
-    name: firewalld
-    enabled: yes
-    state: started
-
- name: firewall-cmd --get-zones
-  ansible.builtin.command: firewall-cmd --get-zones
-  register: firewalld_zones
-
- name: firewall-cmd --get-active-zones
-  ansible.builtin.command: firewall-cmd --get-active-zones
-  register: firewalld_zones
-
- name: Check existing zones
-  ansible.builtin.debug:
-    var: firewalld_zones.stdout
-
- name: Create firewalld core zone
-  ansible.posix.firewalld:
-    zone: core
-    state: present
-    permanent: true
-
- name: Create firewalld mgmt zone
-  ansible.posix.firewalld:
-    zone: mgmt
-    state: present
-    permanent: true
-
- name: Create firewalld dmz zone
-  ansible.posix.firewalld:
-    zone: dmz
-    state: present
-    permanent: true
-
- name: Reload firewalld to apply changes
-  ansible.builtin.command: firewall-cmd --reload
-
- name: Enable ssh rule in core 
-  ansible.posix.firewalld:
-    zone: core
-    service: ssh
-    state: enabled
-    permanent: true
-
- name: Enable ssh rule in mgmt 
-  ansible.posix.firewalld:
-    zone: mgmt
-    service: ssh
-    state: enabled
-    permanent: true
-
- name: Reload firewalld to apply changes
-  ansible.builtin.command: firewall-cmd --reload
-
-#### Network config ####
 - name: Ensure systemd-networkd directories exist
  ansible.builtin.file:
    path: "{{ item }}"
@ -74,6 +75,25 @@
    - /etc/systemd/network
    - /etc/systemd/networkd.conf.d

+- name: Rename default network interface via .link files
+  ansible.builtin.template:
+    src: rename-default-dev.link.j2
+    dest: "/etc/systemd/network/1-rename-{{ default_interface.ifname }}-to-{{ default_interface.name }}.link"
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Trigger udev for new interface names
+
+- name: Rename network interfaces via .link files
+  ansible.builtin.template:
+    src: rename-auxiliary-dev.link.j2
+    dest: "/etc/systemd/network/1-rename-{{ item.ifname }}-to-{{ item.name }}.link"
+    owner: root
+    group: root
+    mode: '0644'
+  loop: "{{ network_interfaces }}"
+  notify: Trigger udev for new interface names
+
 - name: Generate default interface .network file
  ansible.builtin.template:
    src: default-interface.network.j2
@ -117,12 +137,21 @@
    - 10-routes.conf
  notify: Restart systemd-networkd

+- name: Ensure networking is disabled
+  ansible.builtin.systemd_service:
+    name: networking
+    masked: true
+    enabled: false
+    state: stopped 
+  ignore_errors: true
+
 - name: Ensure NetworkManager is disabled
  ansible.builtin.systemd_service:
    name: NetworkManager
    masked: true
    enabled: false
    state: stopped 
+  ignore_errors: true

 - name: Ensure NetworkManager-wait-online is disabled
  ansible.builtin.systemd_service:
@ -130,3 +159,4 @@
    masked: true
    enabled: false
    state: stopped 
+  ignore_errors: true
--- a/roles/server/network/templates/auxiliary-interface.network.j2
+++ b/roles/server/network/templates/auxiliary-interface.network.j2
@ -1,5 +1,5 @@
 [Match]
-Name={{ item.ifname }}
+Name={{ item.name }}

 [Network]
 Address={{ hostvars[inventory_hostname]['addresses'][item.name] }}/22
--- a/roles/server/network/templates/default-interface.network.j2
+++ b/roles/server/network/templates/default-interface.network.j2
@ -1,5 +1,5 @@
 [Match]
-Name={{ default_interface.ifname }}
+Name={{ default_interface.name }}

 [Network]
 Address={{ hostvars[inventory_hostname]['addresses'][default_interface.name] }}/22
--- a/roles/server/network/templates/rename-auxiliary-dev.link.j2
+++ b/roles/server/network/templates/rename-auxiliary-dev.link.j2
@ -0,0 +1,5 @@
+[Match]
+OriginalName={{ item.ifname }}
+
+[Link]
+Name={{ item.name }}
--- a/roles/server/network/templates/rename-default-dev.link.j2
+++ b/roles/server/network/templates/rename-default-dev.link.j2
@ -0,0 +1,5 @@
+[Match]
+OriginalName={{ default_interface.ifname }}
+
+[Link]
+Name={{ default_interface.name }}
--- a/roles/server/nfs/tasks/main.yml
+++ b/roles/server/nfs/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 - name: Install NFS client
-  ansible.builtin.dnf:
-    name: nfs-utils
+  ansible.builtin.package:
+    name: nfs-common
    state: present

 - name: Create mount points
--- a/roles/server/packages/tasks/main.yml
+++ b/roles/server/packages/tasks/main.yml
@ -1,21 +1,59 @@
+# ---
+# - name: Install packages
+#   ansible.builtin.package:
+#     name:
+#       # - systemd-networkd
+#       - systemd-resolved
+#       - vim
+#       - curl
+#       - git
+#       - bash-completion
+#       - firewalld
+#       - fastfetch
+#       - btop
+#       - kitty-terminfo
+#       - bind-utils
+#       - nmap
+#       - tcpdump
+#       - rsync
+#       - tree
+#       - ipvsadm
+#       - conntrack
+#       - wireshark
+#       - xorg-x11-xauth
+#       - xorg-x11-fonts-misc
+#       - xorg-x11-utils
+#       - dbus-x11    
+#     state: latest
+#     update_cache: true
+
 ---
- name: Install packages
-  ansible.builtin.package:
+- name: Install packages on Debian
+  ansible.builtin.apt:
    name:
-      - systemd-networkd
+      - jq
+      - apache2-utils
      - systemd-resolved
      - vim
      - curl
      - git
      - bash-completion
      - firewalld
-      - fastfetch
+      # - fastfetch
      - btop
-      - kitty-terminfo
-      - bind-utils
+      - ncurses-term        # Replaces kitty-terminfo for terminfo
+      - dnsutils            # Replaces bind-utils (for dig, etc.)
      - nmap
      - tcpdump
      - rsync
      - tree
+      - ipvsadm
+      - conntrack
+      - wireshark
+      - xauth               # Replaces xorg-x11-xauth
+      # - fonts-misc-fixed    # Replaces xorg-x11-fonts-misc
+      - x11-utils           # Replaces xorg-x11-utils
+      - dbus-x11
+      - gpg
    state: latest
    update_cache: true
--- a/roles/server/qemu-agent/defaults/main.yml
+++ b/roles/server/qemu-agent/defaults/main.yml
--- a/roles/server/qemu-agent/tasks/main.yml
+++ b/roles/server/qemu-agent/tasks/main.yml
@ -0,0 +1,5 @@
+---
+- name: Install QEMU Guest Agent 
+  ansible.builtin.package:
+    name:
+      - 'qemu-guest-agent'
--- a/roles/server/service/networkd/defaults/main.yml
+++ b/roles/server/service/networkd/defaults/main.yml
--- a/roles/server/service/networkd/tasks/main.yml
+++ b/roles/server/service/networkd/tasks/main.yml
@ -0,0 +1,7 @@
+---
+- name: Stop legacy networking.service
+  ansible.builtin.systemd_service:
+    name: networking
+    enabled: false
+    state: stopped
+  ignore_errors: true
--- a/roles/server/ssh/x11/defaults/main.yml
+++ b/roles/server/ssh/x11/defaults/main.yml
--- a/roles/server/ssh/x11/tasks/main.yml
+++ b/roles/server/ssh/x11/tasks/main.yml
@ -0,0 +1,13 @@
+---
+- name: Ensure SSH X11 forwarding is enabled
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?X11Forwarding'
+    line: 'X11Forwarding yes'
+    state: present
+    backup: yes
+
+- name: Restart sshd
+  ansible.builtin.systemd_service:
+    name: sshd
+    state: restarted
--- a/roles/server/sysprep/tasks/main.yml
+++ b/roles/server/sysprep/tasks/main.yml
@ -18,14 +18,20 @@
    regexp: '^::1\s+localhost'
    state: absent

+- name: Clean APT cache
+  ansible.builtin.apt:
+    autoclean: yes
+    autoremove: yes
+    update_cache: no
+
 # - name: Remove xbazzi user
 #   ansible.builtin.user:
 #     name: xbazzi
 #     state: absent
 #     remove: true

-# - name: Truncate machine-id
-#   ansible.builtin.command: truncate -s 0 /etc/machine-id
+- name: Truncate machine-id
+  ansible.builtin.command: truncate -s 0 /etc/machine-id

 - name: Remove DBus machine-id if exists
  ansible.builtin.file:
@ -42,27 +48,36 @@
    path: /root/anaconda-ks.cfg
    state: absent

- name: Clear logs
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: absent
-  loop:
-    - /var/log/boot.log
-    - /var/log/cron
-    - /var/log/dmesg
-    - /var/log/grubby
-    - /var/log/lastlog
-    - /var/log/maillog
-    - /var/log/messages
-    - /var/log/secure
-    - /var/log/spooler
-    - /var/log/tallylog
-    - /var/log/wtmp
-    - /var/log/yum.log
-    - /var/log/audit/audit.log
-    - /var/log/tuned/tuned.log
-    - /var/log/wpa_supplicant.log
-    - /var/log/ovirt-guest-agent/ovirt-guest-agent.log
+- name: Truncate logs
+  ansible.builtin.shell: |
+    find /var/log -type f -exec truncate -s 0 {} \;
+
+# - name: Clear logs
+#   ansible.builtin.file:
+#     path: "{{ item }}"
+#     state: absent
+#   loop:
+#     - /var/log/boot.log
+#     - /var/log/cron
+#     - /var/log/dmesg
+#     - /var/log/grubby
+#     - /var/log/lastlog
+#     - /var/log/maillog
+#     - /var/log/messages
+#     - /var/log/secure
+#     - /var/log/spooler
+#     - /var/log/tallylog
+#     - /var/log/wtmp
+#     - /var/log/yum.log
+#     - /var/log/audit/audit.log
+#     - /var/log/tuned/tuned.log
+#     - /var/log/wpa_supplicant.log
+#     - /var/log/ovirt-guest-agent/ovirt-guest-agent.log
+
+- name: Truncate logs
+  ansible.builtin.shell: |
+    find /var/log -type f -exec truncate -s 0 {} \;
+

 - name: Rotate and vacuum journal logs
  ansible.builtin.shell: |
@ -70,11 +85,12 @@
    journalctl --vacuum-time=1s
  when: ansible_facts['distribution_major_version'] is version('8', '>=')

- name: Clear shell history
-  ansible.builtin.copy:
-    content: ""
-    dest: /root/.bash_history
-    force: true
+- name: Clear bash history
+  ansible.builtin.shell: |
+    unset HISTFILE
+    rm -f /root/.bash_history
+    find /home -name .bash_history -exec rm -f {} \;
+  become: true

 - name: Find all SSH keys
  ansible.builtin.find:
@ -86,7 +102,6 @@
      - "id_*"
      - "authorized_keys"
      - "known_hosts"
-      - "config"
    use_regex: false
    recurse: true
    file_type: file
@ -112,4 +127,4 @@
  local_action: 
    module: command
    args:
-      cmd: ssh-keygen -R "{{ hostvars['staging-vm'].ansible_host }}"
+      cmd: ssh-keygen -R "{{ hostvars['sysprep_vm'].ansible_host }}"
--- a/roles/server/uninstall/defaults/main.yml
+++ b/roles/server/uninstall/defaults/main.yml
--- a/roles/server/uninstall/tasks/main.yml
+++ b/roles/server/uninstall/tasks/main.yml
@ -0,0 +1,5 @@
+---
+- name: Remove dnf packages
+  ansible.builtin.package:
+    name:
+      - docker
--- a/roles/server/users/tasks/main.yml
+++ b/roles/server/users/tasks/main.yml
@ -1,33 +1,33 @@
 ---
- name: Add xbazzi group
-  ansible.builtin.group:
-    name: xbazzi
-    gid: 1337
-    state: present
-
- name: Add xbazzi user
-  ansible.builtin.user:
-    name: xbazzi
-    create_home: true
-    shell: /bin/bash
-    groups: "{{ admin_group }},xbazzi"
-    uid: 1337
-    state: present
-
-# - name: Add ansible group
+# - name: Add xbazzi group
 #   ansible.builtin.group:
-#     name: ansible
+#     name: xbazzi
+#     gid: 1337
 #     state: present
-#     gid: 1001

-# - name: Add ansible user
+# - name: Add xbazzi user
 #   ansible.builtin.user:
-#     name: ansible
+#     name: xbazzi
 #     create_home: true
 #     shell: /bin/bash
-#     groups:  "{{ admin_group }},ansible"
+#     groups: "{{ admin_group }},xbazzi"
+#     uid: 1337
 #     state: present
-#     uid: 1001
+
+- name: Add ansible group
+  ansible.builtin.group:
+    name: ansible
+    state: present
+    gid: 1001
+
+- name: Add ansible user
+  ansible.builtin.user:
+    name: ansible
+    create_home: true
+    shell: /bin/bash
+    groups:  "sudo,ansible"
+    state: present
+    uid: 1001

 - name: Add ansible to sudoers w/ no password
  community.general.sudoers:
@ -48,6 +48,6 @@
    name: nfsuser
    create_home: true
    shell: /bin/bash
-    groups: "{{ admin_group }}"
+    groups: "sudo"
    state: present
    uid: 3005