From 66d89510544d205818f9ab13b20765a49de04d30 Mon Sep 17 00:00:00 2001 
From: Tobias Petrich
Date: Sat, 27 Dec 2025 19:31:11 +0100
Subject: [PATCH] move to secrets, add pasta configuration
---
 .../actual/actual.container} | 0
 .../bitwarden/bitwarden.container} | 0
 .../files/bookstack/bookstack-db.container | 16 ++++++++++
 .../bookstack/bookstack-srv.container} | 8 ++---
 .../bookstack/bookstack.pod} | 0
 .../gitea/gitea-db.container} | 4 +--
 .../gitea/gitea-srv.container} | 6 ++--
 .../gitea.pod.j2 => files/gitea/gitea.pod} | 0
 .../languagetool/languagetool.container} | 0
 .../mumble/mumble.container} | 0
 .../nextcloud/nextcloud-db.container} | 4 +--
 .../nextcloud/nextcloud-srv.container} | 6 ++--
 .../nextcloud/nextcloud.pod} | 0
 .../paperless/paperless-broker.container} | 0
 .../paperless/paperless-db.container} | 6 ++--
 .../paperless/paperless-srv.container} | 12 ++++----
 .../paperless/paperless.pod} | 0
 .../rustdesk/hbbr.container} | 0
 .../rustdesk/hbbs.container} | 0
 .../rustdesk/rustdesk.pod} | 0
 .../files/sgnarva/sgnarva-db.container | 13 +++++++++
 .../sgnarva/sgnarva-srv.container} | 0
 .../sgnarva/sgnarva.pod} | 0
 .../traefik/traefik.container} | 0
 .../wekan/wekan-db.container} | 0
 .../wekan/wekan-srv.container} | 0
 .../wekan.pod.j2 => files/wekan/wekan.pod} | 0
 .../wekantesting/wekantesting-db.container} | 0
 .../wekantesting/wekantesting-srv.container} | 0
 .../wekantesting/wekantesting.pod} | 0
 .../services/tasks/copy_quadlet_files.yml | 12 ++++----
 .../services/tasks/create_containers_conf.yml | 22 ++++++++++++++
 .../tasks/create_service_directories.yml | 1 +
 .../roles/services/tasks/enable_service.yml | 29 +++++++++++++++++++
 ansible/roles/services/tasks/main.yml | 28 ++++++++++++++++++
 ansible/roles/services/tasks/secrets.yml | 11 +++++++
 .../bookstack/bookstack-db.container.j2 | 16 ----------
 .../templates/sgnarva/sgnarva-db.container.j2 | 13 ---------
 38 files changed, 149 insertions(+), 58 deletions(-)
 rename ansible/roles/services/{templates/actual/actual.container.j2 => files/actual/actual.container} (100%)
 rename ansible/roles/services/{templates/bitwarden/bitwarden.container.j2 => files/bitwarden/bitwarden.container} (100%)
 create mode 100644 ansible/roles/services/files/bookstack/bookstack-db.container
 rename ansible/roles/services/{templates/bookstack/bookstack-srv.container.j2 => files/bookstack/bookstack-srv.container} (69%)
 rename ansible/roles/services/{templates/bookstack/bookstack.pod.j2 => files/bookstack/bookstack.pod} (100%)
 rename ansible/roles/services/{templates/gitea/gitea-db.container.j2 => files/gitea/gitea-db.container} (67%)
 rename ansible/roles/services/{templates/gitea/gitea-srv.container.j2 => files/gitea/gitea-srv.container} (59%)
 rename ansible/roles/services/{templates/gitea/gitea.pod.j2 => files/gitea/gitea.pod} (100%)
 rename ansible/roles/services/{templates/languagetool/languagetool.container.j2 => files/languagetool/languagetool.container} (100%)
 rename ansible/roles/services/{templates/mumble/mumble.container.j2 => files/mumble/mumble.container} (100%)
 rename ansible/roles/services/{templates/nextcloud/nextcloud-db.container.j2 => files/nextcloud/nextcloud-db.container} (67%)
 rename ansible/roles/services/{templates/nextcloud/nextcloud-srv.container.j2 => files/nextcloud/nextcloud-srv.container} (61%)
 rename ansible/roles/services/{templates/nextcloud/nextcloud.pod.j2 => files/nextcloud/nextcloud.pod} (100%)
 rename ansible/roles/services/{templates/paperless/paperless-broker.container.j2 => files/paperless/paperless-broker.container} (100%)
 rename ansible/roles/services/{templates/paperless/paperless-db.container.j2 => files/paperless/paperless-db.container} (53%)
 rename ansible/roles/services/{templates/paperless/paperless-srv.container.j2 => files/paperless/paperless-srv.container} (61%)
 rename ansible/roles/services/{templates/paperless/paperless.pod.j2 => files/paperless/paperless.pod} (100%)
 rename ansible/roles/services/{templates/rustdesk/hbbr.container.j2 => files/rustdesk/hbbr.container} (100%)
 rename ansible/roles/services/{templates/rustdesk/hbbs.container.j2 => files/rustdesk/hbbs.container} (100%)
 rename ansible/roles/services/{templates/rustdesk/rustdesk.pod.j2 => files/rustdesk/rustdesk.pod} (100%)
 create mode 100644 ansible/roles/services/files/sgnarva/sgnarva-db.container
 rename ansible/roles/services/{templates/sgnarva/sgnarva-srv.container.j2 => files/sgnarva/sgnarva-srv.container} (100%)
 rename ansible/roles/services/{templates/sgnarva/sgnarva.pod.j2 => files/sgnarva/sgnarva.pod} (100%)
 rename ansible/roles/services/{templates/traefik/traefik.container.j2 => files/traefik/traefik.container} (100%)
 rename ansible/roles/services/{templates/wekan/wekan-db.container.j2 => files/wekan/wekan-db.container} (100%)
 rename ansible/roles/services/{templates/wekan/wekan-srv.container.j2 => files/wekan/wekan-srv.container} (100%)
 rename ansible/roles/services/{templates/wekan/wekan.pod.j2 => files/wekan/wekan.pod} (100%)
 rename ansible/roles/services/{templates/wekantesting/wekantesting-db.container.j2 => files/wekantesting/wekantesting-db.container} (100%)
 rename ansible/roles/services/{templates/wekantesting/wekantesting-srv.container.j2 => files/wekantesting/wekantesting-srv.container} (100%)
 rename ansible/roles/services/{templates/wekantesting/wekantesting.pod.j2 => files/wekantesting/wekantesting.pod} (100%)
 create mode 100644 ansible/roles/services/tasks/create_containers_conf.yml
 create mode 100644 ansible/roles/services/tasks/secrets.yml
 delete mode 100644 ansible/roles/services/templates/bookstack/bookstack-db.container.j2
 delete mode 100644 ansible/roles/services/templates/sgnarva/sgnarva-db.container.j2
diff --git a/ansible/roles/services/templates/actual/actual.container.j2 b/ansible/roles/services/files/actual/actual.container
similarity index 100%
rename from ansible/roles/services/templates/actual/actual.container.j2
rename to ansible/roles/services/files/actual/actual.container
diff --git a/ansible/roles/services/templates/bitwarden/bitwarden.container.j2 b/ansible/roles/services/files/bitwarden/bitwarden.container
similarity index 100%
rename from ansible/roles/services/templates/bitwarden/bitwarden.container.j2
rename to ansible/roles/services/files/bitwarden/bitwarden.container
diff --git a/ansible/roles/services/files/bookstack/bookstack-db.container b/ansible/roles/services/files/bookstack/bookstack-db.container
new file mode 100644
index 0000000..ce4c14f
--- /dev/null
+++ b/ansible/roles/services/files/bookstack/bookstack-db.container
@@ -0,0 +1,16 @@
+[Unit]
+Description=Bookstack database
+
+[Container]
+ContainerName=bookstack-db
+Image=lscr.io/linuxserver/mariadb:11.4.5
+Volume=/var/vol/bookstack/db:/config:Z
+Environment=PUID=1000
+Environment=PGID=1000
+Environment=TZ=Europe/Berlin
+Secret=mysql_root_pw,type=env,target=MYSQL_ROOT_PASSWORD
+Secret=mysql_database,type=env,target=MYSQL_DATABASE
+Secret=mysql_user,type=env,target=MYSQL_USER
+Secret=mysql_pw,type=env,target=MYSQL_PASSWORD
+AutoUpdate=registry
+Pod=bookstack.pod
diff --git a/ansible/roles/services/templates/bookstack/bookstack-srv.container.j2 b/ansible/roles/services/files/bookstack/bookstack-srv.container
similarity index 69%
rename from ansible/roles/services/templates/bookstack/bookstack-srv.container.j2
rename to ansible/roles/services/files/bookstack/bookstack-srv.container
index 8cd7697..35dc557 100644
--- a/ansible/roles/services/templates/bookstack/bookstack-srv.container.j2
+++ b/ansible/roles/services/files/bookstack/bookstack-srv.container
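Review bot: Every `Secret=…,type=env` line in this new unit still exposes the credential as an environment variable inside the container, where any process in it can read it and `podman inspect` shows it; the quadlet default (`type=mount`, i.e. `Secret=pg_pw` with no options) places the value under `/run/secrets/<name>` instead, and the official postgres and mysql images read `POSTGRES_PASSWORD_FILE` / `MYSQL_ROOT_PASSWORD_FILE` / `MYSQL_PASSWORD_FILE`, so for gitea-db, nextcloud-db, paperless-db and sgnarva-db on the following hunks `type=env` could be dropped in favour of e.g. `Secret=pg_pw` plus `Environment=POSTGRES_PASSWORD_FILE=/run/secrets/pg_pw` (the linuxserver mariadb image used here has a comparable file-based option that is worth verifying before switching). Whether the -srv images accept file-based values needs checking per image; `type=env` stays where they do not. A one-line comment in each unit would also help the next reader: the unqualified names `pg_user`/`pg_pw`/`mysql_pw` are shared between services and only stay apart because secrets.yml installs them as each service user, into that user's own rootless podman secret store.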
@@ -12,11 +12,11 @@ Environment=APP_URL=https://bookstack.rohrschacht.de
 # APP_KEY must be a unique key. Generate your own by running
 # docker run -it --rm --entrypoint /bin/bash lscr.io/linuxserver/bookstack:latest appkey
 # You should keep the "base64:" part for the option value.
-Environment=APP_KEY={{ service_secrets.bookstack.app_key }}
+Secret=app_key,type=env,target=APP_KEY
 Environment=DB_HOST=127.0.0.1
 Environment=DB_PORT=3306
-Environment=DB_DATABASE={{ service_secrets.bookstack.mysql_database }}
-Environment=DB_USERNAME={{ service_secrets.bookstack.mysql_user }}
-Environment=DB_PASSWORD={{ service_secrets.bookstack.mysql_pw }}
+Secret=mysql_database,type=env,target=DB_DATABASE
+Secret=mysql_user,type=env,target=DB_USERNAME
+Secret=mysql_pw,type=env,target=DB_PASSWORD
 AutoUpdate=registry
 Pod=bookstack.pod
diff --git a/ansible/roles/services/templates/bookstack/bookstack.pod.j2 b/ansible/roles/services/files/bookstack/bookstack.pod
similarity index 100%
rename from ansible/roles/services/templates/bookstack/bookstack.pod.j2
rename to ansible/roles/services/files/bookstack/bookstack.pod
diff --git a/ansible/roles/services/templates/gitea/gitea-db.container.j2 b/ansible/roles/services/files/gitea/gitea-db.container
similarity index 67%
rename from ansible/roles/services/templates/gitea/gitea-db.container.j2
rename to ansible/roles/services/files/gitea/gitea-db.container
index 40d3fa8..92e5c75 100644
--- a/ansible/roles/services/templates/gitea/gitea-db.container.j2
+++ b/ansible/roles/services/files/gitea/gitea-db.container
@@ -7,7 +7,7 @@ Image=docker.io/postgres:14
 Volume=/var/vol/gitea/db:/var/lib/postgresql/data:Z
 Environment=LANG=en_US.utf8
 Environment=PGDATA=/var/lib/postgresql/data/pgdata
-Environment=POSTGRES_USER={{ service_secrets.gitea.pg_user }}
-Environment=POSTGRES_PASSWORD={{ service_secrets.gitea.pg_pw }}
+Secret=pg_user,type=env,target=POSTGRES_USER
+Secret=pg_pw,type=env,target=POSTGRES_PASSWORD
 AutoUpdate=registry
 Pod=gitea.pod
diff --git a/ansible/roles/services/templates/gitea/gitea-srv.container.j2 b/ansible/roles/services/files/gitea/gitea-srv.container
similarity index 59%
rename from ansible/roles/services/templates/gitea/gitea-srv.container.j2
rename to ansible/roles/services/files/gitea/gitea-srv.container
index 198fa97..7866376 100644
--- a/ansible/roles/services/templates/gitea/gitea-srv.container.j2
+++ b/ansible/roles/services/files/gitea/gitea-srv.container
@@ -9,8 +9,8 @@ Environment=USER_UID=1000
 Environment=USER_GID=1000
 Environment=GITEA__database__DB_TYPE=postgres
 Environment=GITEA__database__DB_HOST=127.0.0.1:5432
-Environment=GITEA__database__DB_NAME={{ service_secrets.gitea.pg_db }}
-Environment=GITEA__database__DB_USER={{ service_secrets.gitea.pg_user }}
-Environment=GITEA__database__DB_PASSWD={{ service_secrets.gitea.pg_pw }}
+Secret=pg_db,type=env,target=GITEA__database__DB_NAME
+Secret=pg_user,type=env,target=GITEA__database__DB_USER
+Secret=pg_pw,type=env,target=GITEA__database__DB_PASSWD
 AutoUpdate=registry
 Pod=gitea.pod
diff --git a/ansible/roles/services/templates/gitea/gitea.pod.j2 b/ansible/roles/services/files/gitea/gitea.pod
similarity index 100%
rename from ansible/roles/services/templates/gitea/gitea.pod.j2
rename to ansible/roles/services/files/gitea/gitea.pod
diff --git a/ansible/roles/services/templates/languagetool/languagetool.container.j2 b/ansible/roles/services/files/languagetool/languagetool.container
similarity index 100%
rename from ansible/roles/services/templates/languagetool/languagetool.container.j2
rename to ansible/roles/services/files/languagetool/languagetool.container
diff --git a/ansible/roles/services/templates/mumble/mumble.container.j2 b/ansible/roles/services/files/mumble/mumble.container
similarity index 100%
rename from ansible/roles/services/templates/mumble/mumble.container.j2
rename to ansible/roles/services/files/mumble/mumble.container
diff --git a/ansible/roles/services/templates/nextcloud/nextcloud-db.container.j2 b/ansible/roles/services/files/nextcloud/nextcloud-db.container
similarity index 67%
rename from ansible/roles/services/templates/nextcloud/nextcloud-db.container.j2
rename to ansible/roles/services/files/nextcloud/nextcloud-db.container
index 065f437..3e9c769 100644
--- a/ansible/roles/services/templates/nextcloud/nextcloud-db.container.j2
+++ b/ansible/roles/services/files/nextcloud/nextcloud-db.container
@@ -7,7 +7,7 @@ Image=docker.io/postgres:12
 Volume=/var/vol/nextcloud/db:/var/lib/postgresql/data:Z
 Environment=LANG=en_US.utf8
 Environment=PGDATA=/var/lib/postgresql/data/pgdata
-Environment=POSTGRES_USER={{ service_secrets.nextcloud.pg_user }}
-Environment=POSTGRES_PASSWORD={{ service_secrets.nextcloud.pg_pw }}
+Secret=pg_user,type=env,target=POSTGRES_USER
+Secret=pg_pw,type=env,target=POSTGRES_PASSWORD
 AutoUpdate=registry
 Pod=nextcloud.pod
diff --git a/ansible/roles/services/templates/nextcloud/nextcloud-srv.container.j2 b/ansible/roles/services/files/nextcloud/nextcloud-srv.container
similarity index 61%
rename from ansible/roles/services/templates/nextcloud/nextcloud-srv.container.j2
rename to ansible/roles/services/files/nextcloud/nextcloud-srv.container
index 36947f7..2fc7629 100644
--- a/ansible/roles/services/templates/nextcloud/nextcloud-srv.container.j2
+++ b/ansible/roles/services/files/nextcloud/nextcloud-srv.container
@@ -9,8 +9,8 @@ Environment=USER_UID=1000
 Environment=USER_GID=1000
 Environment=PHP_MEMORY_LIMIT=4G
 Environment=POSTGRES_HOST=127.0.0.1:5432
-Environment=POSTGRES_DB={{ service_secrets.nextcloud.pg_db }}
-Environment=POSTGRES_USER={{ service_secrets.nextcloud.pg_user }}
-Environment=POSTGRES_PASSWORD={{ service_secrets.nextcloud.pg_pw }}
+Secret=pg_db,type=env,target=POSTGRES_DB
+Secret=pg_user,type=env,target=POSTGRES_USER
+Secret=pg_pw,type=env,target=POSTGRES_PASSWORD
 AutoUpdate=registry
 Pod=nextcloud.pod
diff --git a/ansible/roles/services/templates/nextcloud/nextcloud.pod.j2 b/ansible/roles/services/files/nextcloud/nextcloud.pod
similarity index 100%
rename from ansible/roles/services/templates/nextcloud/nextcloud.pod.j2
rename to ansible/roles/services/files/nextcloud/nextcloud.pod
diff --git a/ansible/roles/services/templates/paperless/paperless-broker.container.j2 b/ansible/roles/services/files/paperless/paperless-broker.container
similarity index 100%
rename from ansible/roles/services/templates/paperless/paperless-broker.container.j2
rename to ansible/roles/services/files/paperless/paperless-broker.container
diff --git a/ansible/roles/services/templates/paperless/paperless-db.container.j2 b/ansible/roles/services/files/paperless/paperless-db.container
similarity index 53%
rename from ansible/roles/services/templates/paperless/paperless-db.container.j2
rename to ansible/roles/services/files/paperless/paperless-db.container
index 7bb89fa..7e63eec 100644
--- a/ansible/roles/services/templates/paperless/paperless-db.container.j2
+++ b/ansible/roles/services/files/paperless/paperless-db.container
@@ -6,8 +6,8 @@ ContainerName=paperless-db
 Image=docker.io/postgres:17
 Volume=/var/vol/paperless/db:/var/lib/postgresql/data:Z
 Environment=LANG=en_US.utf8
-Environment=POSTGRES_DB={{ service_secrets.paperless.pg_db }}
-Environment=POSTGRES_USER={{ service_secrets.paperless.pg_user }}
-Environment=POSTGRES_PASSWORD={{ service_secrets.paperless.pg_pw }}
+Secret=pg_db,type=env,target=POSTGRES_DB
+Secret=pg_user,type=env,target=POSTGRES_USER
+Secret=pg_pw,type=env,target=POSTGRES_PASSWORD
 AutoUpdate=registry
 Pod=paperless.pod
diff --git a/ansible/roles/services/templates/paperless/paperless-srv.container.j2 b/ansible/roles/services/files/paperless/paperless-srv.container
similarity index 61%
rename from ansible/roles/services/templates/paperless/paperless-srv.container.j2
rename to ansible/roles/services/files/paperless/paperless-srv.container
index 2f04acd..a2c8255 100644
--- a/ansible/roles/services/templates/paperless/paperless-srv.container.j2
+++ b/ansible/roles/services/files/paperless/paperless-srv.container
@@ -9,16 +9,16 @@ Volume=/var/vol/paperless/media:/usr/src/paperless/media:Z
 Volume=/var/vol/paperless/export:/usr/src/paperless/export:Z
 Volume=/var/vol/paperless/consume:/usr/src/paperless/consume:Z
 Environment=PAPERLESS_URL=https://paperless.rohrschacht.de
-Environment=PAPERLESS_SECRET_KEY={{ service_secrets.paperless.secret_key }}
+Secret=secret_key,type=env,target=PAPERLESS_SECRET_KEY
 Environment=PAPERLESS_TIME_ZONE=Europe/Berlin
 Environment=PAPERLESS_OCR_LANGUAGE=deu
 Environment=PAPERLESS_OCR_LANGUAGES=eng
-Environment=PAPERLESS_ADMIN_USER={{ service_secrets.paperless.admin_user }}
-Environment=PAPERLESS_ADMIN_PASSWORD={{ service_secrets.paperless.admin_pw }}
+Secret=admin_user,type=env,target=PAPERLESS_ADMIN_USER
+Secret=admin_pw,type=env,target=PAPERLESS_ADMIN_PASSWORD
 Environment=PAPERLESS_REDIS=redis://127.0.0.1:6379
 Environment=PAPERLESS_DBHOST=127.0.0.1
-Environment=PAPERLESS_DBNAME={{ service_secrets.paperless.pg_db }}
-Environment=PAPERLESS_DBUSER={{ service_secrets.paperless.pg_user }}
-Environment=PAPERLESS_DBPASS={{ service_secrets.paperless.pg_pw }}
+Secret=pg_db,type=env,target=PAPERLESS_DBNAME
+Secret=pg_user,type=env,target=PAPERLESS_DBUSER
+Secret=pg_pw,type=env,target=PAPERLESS_DBPASS
 AutoUpdate=registry
 Pod=paperless.pod
diff --git a/ansible/roles/services/templates/paperless/paperless.pod.j2 b/ansible/roles/services/files/paperless/paperless.pod
similarity index 100%
rename from ansible/roles/services/templates/paperless/paperless.pod.j2
rename to ansible/roles/services/files/paperless/paperless.pod
diff --git a/ansible/roles/services/templates/rustdesk/hbbr.container.j2 b/ansible/roles/services/files/rustdesk/hbbr.container
similarity index 100%
rename from ansible/roles/services/templates/rustdesk/hbbr.container.j2
rename to ansible/roles/services/files/rustdesk/hbbr.container
diff --git a/ansible/roles/services/templates/rustdesk/hbbs.container.j2 b/ansible/roles/services/files/rustdesk/hbbs.container
similarity index 100%
rename from ansible/roles/services/templates/rustdesk/hbbs.container.j2
rename to ansible/roles/services/files/rustdesk/hbbs.container
diff --git a/ansible/roles/services/templates/rustdesk/rustdesk.pod.j2 b/ansible/roles/services/files/rustdesk/rustdesk.pod
similarity index 100%
rename from ansible/roles/services/templates/rustdesk/rustdesk.pod.j2
rename to ansible/roles/services/files/rustdesk/rustdesk.pod
diff --git a/ansible/roles/services/files/sgnarva/sgnarva-db.container b/ansible/roles/services/files/sgnarva/sgnarva-db.container
new file mode 100644
index 0000000..f0787bc
--- /dev/null
+++ b/ansible/roles/services/files/sgnarva/sgnarva-db.container
@@ -0,0 +1,13 @@
+[Unit]
+Description=SGNarva Wordpress database
+
+[Container]
+ContainerName=sgnarva-db
+Image=docker.io/mysql:8
+Volume=/var/vol/sgnarva/sgnarvadb:/var/lib/mysql:Z
+Secret=mysql_root_pw,type=env,target=MYSQL_ROOT_PASSWORD
+Secret=mysql_db,type=env,target=MYSQL_DATABASE
+Secret=mysql_user,type=env,target=MYSQL_USER
+Secret=mysql_pw,type=env,target=MYSQL_PASSWORD
+AutoUpdate=registry
+Pod=sgnarva.pod
diff --git a/ansible/roles/services/templates/sgnarva/sgnarva-srv.container.j2 b/ansible/roles/services/files/sgnarva/sgnarva-srv.container
similarity index 100%
rename from ansible/roles/services/templates/sgnarva/sgnarva-srv.container.j2
rename to ansible/roles/services/files/sgnarva/sgnarva-srv.container
diff --git a/ansible/roles/services/templates/sgnarva/sgnarva.pod.j2 b/ansible/roles/services/files/sgnarva/sgnarva.pod
similarity index 100%
rename from ansible/roles/services/templates/sgnarva/sgnarva.pod.j2
rename to ansible/roles/services/files/sgnarva/sgnarva.pod
diff --git a/ansible/roles/services/templates/traefik/traefik.container.j2 b/ansible/roles/services/files/traefik/traefik.container
similarity index 100%
rename from ansible/roles/services/templates/traefik/traefik.container.j2
rename to ansible/roles/services/files/traefik/traefik.container
diff --git a/ansible/roles/services/templates/wekan/wekan-db.container.j2 b/ansible/roles/services/files/wekan/wekan-db.container
similarity index 100%
rename from ansible/roles/services/templates/wekan/wekan-db.container.j2
rename to ansible/roles/services/files/wekan/wekan-db.container
diff --git a/ansible/roles/services/templates/wekan/wekan-srv.container.j2 b/ansible/roles/services/files/wekan/wekan-srv.container
similarity index 100%
rename from ansible/roles/services/templates/wekan/wekan-srv.container.j2
rename to ansible/roles/services/files/wekan/wekan-srv.container
diff --git a/ansible/roles/services/templates/wekan/wekan.pod.j2 b/ansible/roles/services/files/wekan/wekan.pod
similarity index 100%
rename from ansible/roles/services/templates/wekan/wekan.pod.j2
rename to ansible/roles/services/files/wekan/wekan.pod
diff --git a/ansible/roles/services/templates/wekantesting/wekantesting-db.container.j2 b/ansible/roles/services/files/wekantesting/wekantesting-db.container
similarity index 100%
rename from ansible/roles/services/templates/wekantesting/wekantesting-db.container.j2
rename to ansible/roles/services/files/wekantesting/wekantesting-db.container
diff --git a/ansible/roles/services/templates/wekantesting/wekantesting-srv.container.j2 b/ansible/roles/services/files/wekantesting/wekantesting-srv.container
similarity index 100%
rename from ansible/roles/services/templates/wekantesting/wekantesting-srv.container.j2
rename to ansible/roles/services/files/wekantesting/wekantesting-srv.container
diff --git a/ansible/roles/services/templates/wekantesting/wekantesting.pod.j2 b/ansible/roles/services/files/wekantesting/wekantesting.pod
similarity index 100%
rename from ansible/roles/services/templates/wekantesting/wekantesting.pod.j2
rename to ansible/roles/services/files/wekantesting/wekantesting.pod
diff --git a/ansible/roles/services/tasks/copy_quadlet_files.yml b/ansible/roles/services/tasks/copy_quadlet_files.yml
index d512bdc..f04fb63 100644
--- a/ansible/roles/services/tasks/copy_quadlet_files.yml
+++ b/ansible/roles/services/tasks/copy_quadlet_files.yml
@@ -8,14 +8,14 @@
 mode: '0755'
 
 - name: Copy Quadlet files to the user's systemd directory
- with_fileglob: "../templates/{{ service_name }}/*.j2"
+ with_fileglob: "{{ service_name }}/*"
 loop_control:
- loop_var: template_path
- ansible.builtin.template:
- src: "{{ template_path }}"
- dest: "/home/{{ service_name }}/.config/containers/systemd/{{ template_path | basename | regex_replace('.j2', '') }}"
+ label: "{{ file_path | basename }}"
+ loop_var: file_path
+ ansible.builtin.copy:
+ src: "{{ file_path }}"
+ dest: "/home/{{ service_name }}/.config/containers/systemd/{{ file_path | basename }}"
 owner: "{{ service_name }}"
 group: "{{ service_name }}"
 mode: '0644'
- remote_src: no
 register: quadlet_files_copied
diff --git a/ansible/roles/services/tasks/create_containers_conf.yml b/ansible/roles/services/tasks/create_containers_conf.yml
new file mode 100644
index 0000000..e08c264
--- /dev/null
+++ b/ansible/roles/services/tasks/create_containers_conf.yml
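Review bot: `with_fileglob: "{{ service_name }}/*"` drops the filter the old `*.j2` pattern provided, so anything that lands in `files/<service>/` — an editor backup, a README, a stray copy of a unit — is copied into the user's `~/.config/containers/systemd/` as well and, if it carries a unit suffix, would presumably be picked up by the quadlet generator on the next daemon-reload. Since with_fileglob accepts a list, the glob can name the unit types this role actually ships: `with_fileglob:` / `- "{{ service_name }}/*.container"` / `- "{{ service_name }}/*.pod"`. The dropped `remote_src: no` is the module default, so that part of the change is behaviour-neutral.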
@@ -0,0 +1,22 @@
+---
+- name: Remove pasta configuration if setting is off
+ ansible.builtin.file:
+ path: "/home/{{ service_name }}/.config/containers/containers.conf"
+ state: absent
+ when: enable_pasta_config is not defined or not enable_pasta_config
+
+- name: Ensure configuration path
+ ansible.builtin.file:
+ path: "/home/{{ service_name }}/.config/containers"
+ state: directory
+ owner: "{{ service_name }}"
+ group: "{{ service_name }}"
+ mode: '0755'
+ when: enable_pasta_config is defined and enable_pasta_config
+- name: Create pasta configuration
+ ansible.builtin.copy:
+ dest: "/home/{{ service_name }}/.config/containers/containers.conf"
+ content: |
+ [network]
+ pasta_options = ["-a", "10.0.2.0", "-n", "24", "-g", "10.0.2.2", "--dns-forward", "10.0.2.3"]
+ when: enable_pasta_config is defined and enable_pasta_config
diff --git a/ansible/roles/services/tasks/create_service_directories.yml b/ansible/roles/services/tasks/create_service_directories.yml
index ff21a97..3c09300 100644
--- a/ansible/roles/services/tasks/create_service_directories.yml
+++ b/ansible/roles/services/tasks/create_service_directories.yml
@@ -4,6 +4,7 @@
 path: "{{ btrfs_base_path }}/{{ service_name }}/{{ service_dir }}"
 loop: "{{ service_directories }}"
 loop_control:
+ label: "{{ service_name }}/{{ service_dir }}"
 loop_var: service_dir
 register: directory_stats
 
diff --git a/ansible/roles/services/tasks/enable_service.yml b/ansible/roles/services/tasks/enable_service.yml
index 7d9ef8b..335055b 100644
--- a/ansible/roles/services/tasks/enable_service.yml
+++ b/ansible/roles/services/tasks/enable_service.yml
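Review bot: The `Create pasta configuration` copy task sets no `owner`, `group` or `mode`, while the `Ensure configuration path` task directly above it does; the resulting containers.conf is therefore owned by whatever account the play connects as (presumably root, given the `become: yes` used elsewhere in this role) with a umask-derived mode, so whether the rootless podman of `{{ service_name }}` can read it depends on that umask rather than on the role. Add `owner: "{{ service_name }}"`, `group: "{{ service_name }}"` and `mode: '0644'` to the copy task to match the directory task. The two `when:` expressions would also read more simply as `when: not (enable_pasta_config | default(false))` and `when: enable_pasta_config | default(false)`, and a blank line before `- name: Create pasta configuration` would match the spacing of the first two tasks.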
@@ -1,6 +1,21 @@
+- name: Check if podman socket is active
+ ansible.builtin.command:
+ cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user is-active podman.socket' | grep -qv inactive"
+ become: yes
+ register: podman_socket_status
+ ignore_errors: yes
+ changed_when: false
+
+- name: Enable and start the podman socket if not active
+ ansible.builtin.command:
+ cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user enable --now podman.socket'"
+ become: yes
+ when: podman_socket_status.rc != 0
+
 - name: Check if service is already running
 ansible.builtin.command:
 cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user is-active {{ systemd_service_name }}' | grep -qv inactive"
+ become: yes
 register: service_status
 ignore_errors: yes
 changed_when: false
@@ -16,3 +31,17 @@
 cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user daemon-reload && systemctl --user restart {{ systemd_service_name }}'"
 become: yes
 when: service_status.rc == 0 and (quadlet_files_copied.changed or force_systemd_restart)
+
+- name: Check if podman auto updater timer is active
+ ansible.builtin.command:
+ cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user is-active podman-auto-update.timer' | grep -qv inactive"
+ become: yes
+ register: podman_auto_update_timer_status
+ ignore_errors: yes
+ changed_when: false
+
+- name: Enable and start the podman auto updater timer if not active
+ ansible.builtin.command:
+ cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user enable --now podman-auto-update.timer'"
+ become: yes
+ when: podman_auto_update_timer_status.rc != 0
\ No newline at end of file
diff --git a/ansible/roles/services/tasks/main.yml b/ansible/roles/services/tasks/main.yml
index b22c537..de8cc15 100644
--- a/ansible/roles/services/tasks/main.yml
+++ b/ansible/roles/services/tasks/main.yml
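Review bot: In the two new `is-active` checks (`podman.socket` in the first hunk, `podman-auto-update.timer` in the second) the trailing `| grep -qv inactive` never runs as a pipe: `ansible.builtin.command` does not go through a shell, so `|`, `grep`, `-qv` and `inactive` are handed to `machinectl shell` as extra arguments after the `-c` script, and the registered `rc` is whatever machinectl returns for the inner `systemctl --user is-active`, not grep's verdict. The pre-existing `Check if service is already running` task has the same shape, so this copies an existing pattern rather than introducing one, but the intent would be clearer as `cmd: "machinectl shell {{ service_name }}@ /bin/bash -c 'systemctl --user is-active podman.socket'"` with the pipe removed (`is-active` already exits non-zero when the unit is not active), or as `ansible.builtin.shell` if the grep is really wanted. Since the result is only consumed through `.rc`, `failed_when: false` would also replace `ignore_errors: yes` without the red task output on every run where the unit is not yet enabled.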
@@ -4,6 +4,8 @@
 
 - name: Create users
 loop: "{{ services | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 include_tasks: create_user.yml
 vars:
 service_name: "{{ item.key }}"
@@ -16,32 +18,58 @@
 
 - name: Create Btrfs subvolume
 loop: "{{ services | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 include_tasks: create_btrfs_subvolume.yml
 vars:
 service_name: "{{ item.key }}"
 
 - name: Create service directories
 loop: "{{ services | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 include_tasks: create_service_directories.yml
 when: " item.value.service_directories is defined and item.value.service_directories | length > 0"
 vars:
 service_name: "{{ item.key }}"
 service_directories: "{{ item.value.service_directories }}"
 
+- name: Pasta configuration
+ loop: "{{ services | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ include_tasks: create_containers_conf.yml
+ vars:
+ service_name: "{{ item.key }}"
+
 - name: Enable linger for the user
 loop: "{{ services | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 include_tasks: enable_linger.yml
 vars:
 service_name: "{{ item.key }}"
 
+- name: Install Secrets
+ loop: "{{ services | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ include_tasks: secrets.yml
+ vars:
+ service_name: "{{ item.key }}"
+
 - name: Copy Quadlet files
 loop: "{{ services | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 include_tasks: copy_quadlet_files.yml
 vars:
 service_name: "{{ item.key }}"
 
 - name: Enable and start main service
 loop: "{{ services | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 include_tasks: enable_service.yml
 vars:
 service_name: "{{ item.key }}"
diff --git a/ansible/roles/services/tasks/secrets.yml b/ansible/roles/services/tasks/secrets.yml
new file mode 100644
index 0000000..1a7f27f
--- /dev/null
+++ b/ansible/roles/services/tasks/secrets.yml
@@ -0,0 +1,11 @@
+- name: Install Secrets
+ become: true
+ become_user: "{{ service_name }}"
+ containers.podman.podman_secret:
+ name: "{{ secret.key }}"
+ state: present
+ data: "{{ secret.value }}"
+ loop: "{{ service_secrets.get(service_name) | default({}, true) | dict2items }}"
+ loop_control:
+ label: "{{ secret.key }}"
+ loop_var: secret
\ No newline at end of file
diff --git a/ansible/roles/services/templates/bookstack/bookstack-db.container.j2 b/ansible/roles/services/templates/bookstack/bookstack-db.container.j2
deleted file mode 100644
index 452bef5..0000000
--- a/ansible/roles/services/templates/bookstack/bookstack-db.container.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Bookstack database
-
-[Container]
-ContainerName=bookstack-db
-Image=lscr.io/linuxserver/mariadb:11.4.5
-Volume=/var/vol/bookstack/db:/config:Z
-Environment=PUID=1000
-Environment=PGID=1000
-Environment=TZ=Europe/Berlin
-Environment=MYSQL_ROOT_PASSWORD={{ service_secrets.bookstack.mysql_root_pw }}
-Environment=MYSQL_DATABASE={{ service_secrets.bookstack.mysql_database }}
-Environment=MYSQL_USER={{ service_secrets.bookstack.mysql_user }}
-Environment=MYSQL_PASSWORD={{ service_secrets.bookstack.mysql_pw }}
-AutoUpdate=registry
-Pod=bookstack.pod
diff --git a/ansible/roles/services/templates/sgnarva/sgnarva-db.container.j2 b/ansible/roles/services/templates/sgnarva/sgnarva-db.container.j2
deleted file mode 100644
index d6a87c5..0000000
--- a/ansible/roles/services/templates/sgnarva/sgnarva-db.container.j2
+++ /dev/null
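Review bot: The `Install Secrets` task receives each plaintext value through `data:` but has no `no_log: true`; the loop `label` only keeps the value out of the per-item summary line, while a failing item or a `-v` run prints the full module arguments, so every value in `service_secrets` would appear in the controller output and in any log shipped from it. Add `no_log: true` next to `become_user`. It is also worth documenting how rotation is meant to work: with `state: present` an already existing secret is, depending on the collection version, left untouched unless `force: true` is given, so changing a value in `service_secrets` may not reach the container until the secret is recreated — a short comment above the task, or an explicit `force` once its behaviour on the installed version has been checked, would save the next maintainer from a silently stale password.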
@@ -1,13 +0,0 @@
-[Unit]
-Description=SGNarva Wordpress database
-
-[Container]
-ContainerName=sgnarva-db
-Image=docker.io/mysql:8
-Volume=/var/vol/sgnarva/sgnarvadb:/var/lib/mysql:Z
-Environment=MYSQL_ROOT_PASSWORD={{ service_secrets.sgnarva.mysql_root_pw }}
-Environment=MYSQL_DATABASE={{ service_secrets.sgnarva.mysql_db }}
-Environment=MYSQL_USER={{ service_secrets.sgnarva.mysql_user }}
-Environment=MYSQL_PASSWORD={{ service_secrets.sgnarva.mysql_pw }}
-AutoUpdate=registry
-Pod=sgnarva.pod