DEV-1042: added new stage for demo mpmx

3 years ago · 91303a458d
parent 0a40471a7a
commit 91303a458d
178 changed files with 2699 additions and 2996 deletions
--- a/create-database-backup.yml
+++ b/create-database-backup.yml
@ -2,7 +2,7 @@

 # creates database backup
 #   - postgres
-#     - executed on stage specific server: {{ stage }}-postgres-01
+#     - executed on stage specific server: {{ shared_service_postgres_primary }}
 #     - creates database backup for specific database

 # Parameters:
@ -44,17 +44,17 @@
  tasks:
    - name: "Add postgres servers to hosts if necessary"
      add_host:
-        name: "{{ stage }}-postgres-01"
+        name: "{{ shared_service_postgres_primary }}"
        groups:
        - "stage_{{ stage }}"
        - "{{ item }}"
      changed_when: False
      with_items: "{{ cluster_features }}"
-      when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'pdns']
+      when: item in ['connect', 'management_connect', 'keycloak', 'gitea', 'pdns']

    - name: "Add maria servers to hosts if necessary"
      add_host:
-        name: "{{ stage }}-maria-01"
+        name: "{{ shared_service_maria_primary }}"
        groups:
        - "stage_{{ stage }}"
        - "{{ item }}"
@ -89,9 +89,6 @@
 #    - role: pdns_postgres
 #      when: "'pdns' in group_names"

-    - role: webdav_postgres
-      when: "'webdav' in group_names"
-
    - role: connect_wordpress_maria
      when: "'connect_wordpress' in group_names"

--- a/create-database.yml
+++ b/create-database.yml
@ -2,14 +2,13 @@

 # creates databases on shared service servers
 #   - postgres
-#     - executed on stage specific server: {{ stage }}-postgres-01
+#     - executed on stage specific server: {{ shared_service_postgres_primary }}
 #     - creates databases to work with connect: {{ connect_postgres_database }}
 #     - creates databases to work with pdns: {{ pdns_postgres_database }}
 #     - creates databases to work with management connect: {{ management_connect_postgres_database }}
-#     - creates databases to work with shared webdav: {{ webdav_postgres_database }}
 #     - creates databases to work with shared keycloak: {{ keycloak_postgres_database }}
 #   - maria
-#     - executed on stage specific server: {{ stage }}-maria-01
+#     - executed on stage specific server: {{ shared_service_maria_primary }}
 #     - creates databases to work with connect wordpress: {{ connect_wordpress_maria_database }}

 # Parameters:
@ -50,17 +49,17 @@
  tasks:
    - name: "Add postgres servers to hosts if necessary"
      add_host:
-        name: "{{ stage }}-postgres-01"
+        name: "{{ shared_service_postgres_primary }}"
        groups:
        - "stage_{{ stage }}"
        - "{{ item }}"
      changed_when: False
      with_items: "{{ cluster_features }}"
-      when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'pdns']
+      when: item in ['connect', 'management_connect', 'keycloak', 'gitea', 'pdns']

    - name: "Add maria servers to hosts if necessary"
      add_host:
-        name: "{{ stage }}-maria-01"
+        name: "{{ shared_service_maria_primary }}"
        groups:
        - "stage_{{ stage }}"
        - "{{ item }}"
@ -105,9 +104,6 @@
        initialize: True
      when: "'pdns' in group_names"

-    - role: webdav_postgres
-      when: "'webdav' in group_names"
-
    - role: connect_wordpress_maria
      when: "'connect_wordpress' in group_names"

--- a/create-remote-database-backup.yml
+++ b/create-remote-database-backup.yml
@ -2,10 +2,10 @@

 # creates remote database backup
 #   - postgres
-#     - executed on stage specific server: {{ stage }}-postgres-02 (currently: slave)
+#     - executed on stage specific server: {{ shared_service_postgres_secondary }} (currently: slave)
 #     - creates database backup for ALL databases in postgres-server
 #   - mariadb
-#     - executed on stage specific server: {{ stage }}-maria-01
+#     - executed on stage specific server: {{ shared_service_maria_primary }}
 #     - creates database backup for ALL databases in mariadb-server

 # Parameters:
@ -42,11 +42,21 @@
  tasks:
    - name: "Add {{ database_engine }} servers to hosts if necessary"
      add_host:
-        name: "{{ stage }}-{{ database_engine }}-{{'02' if database_engine == 'postgres' else '01'}}"
+        name: "{{shared_service_postgres_secondary }}"
        groups:
        - "stage_{{ stage }}"
        - '{{ database_engine }}'
-      changed_when: False
+      when:
+        - database_engine is 'postgres'
+
+    - name: "Add {{ database_engine }} servers to hosts if necessary"
+      add_host:
+        name: "{{ shared_service_maria_primary }}"
+        groups:
+        - "stage_{{ stage }}"
+        - '{{ database_engine }}'
+      when:
+        - database_engine is 'maria'

    - name: "Add 'storage' servers to hosts if necessary"
      add_host:
@ -54,7 +64,6 @@
        groups:
        - "stage_{{ stage }}"
        - storage
-      changed_when: False

 ##############################################################
 ##   Creating remote database backups for created inventory
--- a/create-server.yml
+++ b/create-server.yml
@ -134,7 +134,7 @@
        - docker_enabled

    - role: hetzner-ansible-common
-    
+
    - role: devsec.hardening.ssh_hardening
      tags:
        - ssh_hardening 
--- a/docker/dregsy/config.yaml
+++ b/docker/dregsy/config.yaml
@ -1,120 +0,0 @@
-# relay config sections
-skopeo:
-  # path to the skopeo binary; defaults to 'skopeo', in which case it needs to
-  # be in PATH
-  binary: skopeo
-  # directory under which to look for client certs & keys, as well as CA certs
-  # (see note below)
-  certs-dir: /etc/skopeo/certs.d
-
-docker:
-  # Docker host to use as the relay
-  dockerhost: unix:///var/run/docker.sock
-  # Docker API version to use, defaults to 1.24
-  api-version: 1.24
-
-# settings for image matching (see below)
-lister:
-  # maximum number of repositories to list, set to -1 for no limit, defaults to 100
-  maxItems: 100
-  # for how long a repository list will be re-used before retrieving again;
-  # specify as a Go duration value ('s', 'm', or 'h'), set to -1 for not caching,
-  # defaults to 1h
-  cacheDuration: 1h
-
-# list of sync tasks
-tasks:
-
-  - name: smardigo # required
-
-    # interval in seconds at which the task should be run; when omitted,
-    # the task is only run once at start-up
-    interval: 600
-
-    # determines whether for this task, more verbose output should be
-    # produced; defaults to false when omitted
-    verbose: true
-
-    # 'source' and 'target' are both required and describe the source and
-    # target registries for this task:
-    #  - 'registry' points to the server; required
-    #  - 'auth' contains the base64 encoded credentials for the registry
-    #    in JSON form {"username": "...", "password": "..."}
-    #  - 'auth-refresh' specifies an interval for automatic retrieval of
-    #    credentials; only for AWS ECR (see below)
-    #  - 'skip-tls-verify' determines whether to skip TLS verification for the
-    #    registry server (only for 'skopeo', see note below); defaults to false
-    source:
-      registry: docker.dev-at.de
-      auth: eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJRNHB6aWhWRFl3eUthZEM3NmxiNCJ9Cg==
-    target:
-      registry: dev-harbor-01.smardigo.digital
-      auth: eyJ1c2VybmFtZSI6InJvYm90JGFuc2libGUiLCJwYXNzd29yZCI6IlAwRmJkb2tSc3V0V2lvVWl2cmI5TzVET05HY2FHNk1KIn0K
-
-    # 'mappings' is a list of 'from':'to' pairs that define mappings of image
-    # paths in the source registry to paths in the destination; 'from' is
-    # required, while 'to' can be dropped if the path should remain the same as
-    # 'from'. Regular expressions are supported in both fields (read on below
-    # for more details). Additionally, the tags being synced for a mapping can
-    # be limited by providing a 'tags' list. This list may contain semver and
-    # regular expressions filters (see below). When omitted, all image tags are
-    # synced.
-    mappings:
-      - from: smardigo/connect-whitelabel-app
-        to: smardigo/connect-whitelabel-app
-        tags:
-          - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-      - from: smardigo/iam-app
-        to: smardigo/iam-app
-        tags:
-          - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-      - from: smardigo/smardigo-webdav-app
-        to: smardigo/smardigo-webdav-app
-        tags:
-          - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-      - from: smardigo/smardigo-workflow-proxy-app
-        to: smardigo/smardigo-workflow-proxy-app
-        tags:
-          - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-
-  - name: sensw
-    interval: 600
-    verbose: true
-    source:
-      registry: docker.dev-at.de
-      auth: eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJRNHB6aWhWRFl3eUthZEM3NmxiNCJ9Cg==
-    target:
-      registry: dev-harbor-01.smardigo.digital
-      auth: eyJ1c2VybmFtZSI6InJvYm90JGFuc2libGUiLCJwYXNzd29yZCI6IlAwRmJkb2tSc3V0V2lvVWl2cmI5TzVET05HY2FHNk1KIn0K
-    mappings:
-      - from: smardigo/sensw-app
-        to: sensw/sensw-app
-        tags:
-          - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-      - from: smardigo/sensw-bda-adapter-app
-        to: sensw/sensw-bda-adapter-app
-        tags:
-          - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-      - from: smardigo/sensw-profiskal-export-app
-        to: sensw/sensw-profiskal-export-app
-        tags:
-          - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-
-  - name: ssp
-    interval: 600
-    verbose: true
-    source:
-      registry: docker.dev-at.de
-      auth: eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJRNHB6aWhWRFl3eUthZEM3NmxiNCJ9Cg==
-    target:
-      registry: dev-harbor-01.smardigo.digital
-      auth: eyJ1c2VybmFtZSI6InJvYm90JGFuc2libGUiLCJwYXNzd29yZCI6IlAwRmJkb2tSc3V0V2lvVWl2cmI5TzVET05HY2FHNk1KIn0K
-    mappings:
-      - from: smardigo/ssp-connect-app
-        to: ssp/ssp-connect-app
-        tags:
-          - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
-      - from: smardigo/smardigo-action-si-dyns-app
-        to: ssp/smardigo-action-si-dyns-app
-        tags:
-          - 'regex: ^(latest)|(([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+)\.([0-9]|[1-9][0-9]+))$'
--- a/docker/dregsy/docker-compose.yml
+++ b/docker/dregsy/docker-compose.yml
@ -1,11 +0,0 @@
-version: '3.7'
-
-services:
-  local-dregsy:
-    image: "xelalex/dregsy:0.4.1"
-    volumes:
-      - "./config.yaml:/config.yaml:ro"
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-    environment:
-      LOG_LEVEL: "debug"
-      LOG_FORMAT: "json"
--- a/export-database.yml
+++ b/export-database.yml
@ -40,7 +40,7 @@
  tasks:
    - name: Add maria servers to hosts if necessary
      add_host:
-        name: "{{ stage }}-maria-01"
+        name: "{{ shared_service_maria_primary }}"
        groups:
        - "stage_{{ stage }}"
        - "{{ item }}"
--- a/external_monitoring.yml
+++ b/external_monitoring.yml
@ -10,7 +10,6 @@
        - "{{ lookup('community.general.dig', 'dev-prometheus-01.' + domain ) }}"
        - "{{ lookup('community.general.dig', 'qa-prometheus-01.' + domain ) }}"
        - "{{ lookup('community.general.dig', 'prodnso-prometheus-01.' + domain ) }}"
-        - "{{ lookup('community.general.dig', 'demompmx-prometheus-01.' + domain ) }}"
      k8s_nodes_devnso:
        - "{{ lookup('community.general.dig', 'devnso-kube-node-01.' + domain ) }}"
        - "{{ lookup('community.general.dig', 'devnso-kube-node-02.' + domain ) }}"
@ -35,10 +34,8 @@
        - "{{ lookup('community.general.dig', 'prodwork01-kube-node-03.' + domain ) }}"
        - "{{ lookup('community.general.dig', 'prodwork01-kube-node-04.' + domain ) }}"
        - "{{ lookup('community.general.dig', 'prodwork01-kube-node-05.' + domain ) }}"
-      k8s_nodes_demompmx:
-        - "{{ lookup('community.general.dig', 'demompmx-kube-node-01.' + domain ) }}"
-        - "{{ lookup('community.general.dig', 'demompmx-kube-node-02.' + domain ) }}"
-        - "{{ lookup('community.general.dig', 'demompmx-kube-node-03.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'prodwork01-kube-node-06.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'prodwork01-kube-node-07.' + domain ) }}"

  - name: "Allow SSH in UFW"
    ufw:
--- a/gitlab.clone.k8s-clusters.sh
+++ b/gitlab.clone.k8s-clusters.sh
@ -2,5 +2,6 @@

 git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/devnso-argocd.git ../devnso-argocd
 git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/devscr-argocd.git ../devscr-argocd
-git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/prodnso-argocd.git ../prodnso-argocd
 git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/qanso-argocd.git ../qanso-argocd
+git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/prodnso-argocd.git ../prodnso-argocd
+git clone git@git.dev-at.de:smardigo-hetzner/k8s-clusters/demompmx-argocd.git ../demompmx-argocd
--- a/group_vars/all/argocd.yml
+++ b/group_vars/all/argocd.yml
@ -1,12 +1,15 @@
 ---
-
-k8s_argocd_with_keycloak: false
+argocd_oidc_realm: "stage-argocd"
+argocd_oidc_client_id: "stage-argocd"
+argocd_oidc_client_secret: "{{ argocd_oidc_client_secret_vault | default(argo_keycloak_client_secret_vault) }}" # backwards compatibility
+argocd_oidc_admin_username: "argocd-admin"
+argocd_oidc_admin_password: "{{ argocd_oidc_admin_password_vault | default(argocd_admin_password_vault) }}" # backwards compatibility
+argocd_oidc_admin_email: "{{ devops_email_address }}"
+argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"

 k8s_argocd_helm__name: "argo-cd"
 k8s_argocd_helm__release_namespace: "argo-cd"

-argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
-
 k8s_argocd_helm__chart_version: 5.19.0

 # https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
@ -163,11 +166,11 @@ k8s_argocd_helm__release_values:
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      hosts:
-        - "{{ shared_service_kube_argocd_hostname }}"
+        - "{{ shared_service_kube_hostname_argocd }}"
      tls:
        - secretName: "{{ stage }}-kube-argocd-cert"
          hosts:
-            - "{{ shared_service_kube_argocd_hostname }}"
+            - "{{ shared_service_kube_hostname_argocd }}"
  dex:
    enabled: false
  applicationSet:
--- a/group_vars/all/awx.yml
+++ b/group_vars/all/awx.yml
@ -0,0 +1,16 @@
+---
+awx_oidc_realm: "stage-awx"
+awx_oidc_client_id: "stage-awx"
+awx_oidc_client_secret: "{{ awx_oidc_client_secret_vault }}"
+awx_oidc_admin_username: "{{ awx_admin_username }}"
+awx_oidc_admin_password: "{{ awx_admin_password }}"
+awx_oidc_admin_email: "{{ devops_email_address }}"
+
+awx_custom_ee_image: "{{ shared_service_hostname_harbor }}/awx/awx-custom-ee"
+
+awx_ansible_user_name: "awx"
+awx_ansible_user_ssh_key_private: "{{ ansible_ssh_key_private_vault }}"
+awx_credential_machine_hetzner_name: hetzner-ansible-ssh
+
+awx_ansible_username: ansible
+awx_ansible_password: ansible
--- a/group_vars/all/connect.yml
+++ b/group_vars/all/connect.yml
@ -0,0 +1,11 @@
+---
+shared_service_connect_data_hostname: "{{ shared_service_elastic_stack_01_hostname }}"
+shared_service_connect_data_username: "{{ elastic_connect_data_username_vault | default(elastic_admin_username) }}"
+shared_service_connect_data_password: "{{ elastic_connect_data_password_vault | default(elastic_admin_password) }}"
+
+connect_id: "{{ inventory_hostname }}-connect"
+connect_base_url: "{{ connect_id }}.{{ domain }}"
+wordpress_id: "{{ inventory_hostname }}-wordpress"
+wordpress_base_url: "{{ wordpress_id }}.{{ domain }}"
+
+smardigo_auth_token_name: "Smardigo-User-Token"
--- a/group_vars/all/database.yml
+++ b/group_vars/all/database.yml
@ -0,0 +1,18 @@
+---
+shared_service_maria_primary: "{{ stage }}-maria-01"
+
+shared_service_postgres_primary: "{{ stage }}-postgres-01"
+shared_service_postgres_secondary: "{{ stage }}-postgres-02"
+
+shared_service_pg_master_ip: "{{ stage_server_infos
+  | selectattr('name', 'match', shared_service_postgres_primary )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_pg_slave_ip: "{{ stage_server_infos
+  | selectattr('name', 'match', shared_service_postgres_secondary )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
--- a/group_vars/all/dns.yml
+++ b/group_vars/all/dns.yml
@ -1,5 +1,4 @@
 ---
-
 dns: digitalocean
 domain: "smardigo.digital"
 domain_env: "{{ domain }}"
--- a/group_vars/all/gitea.yml
+++ b/group_vars/all/gitea.yml
@ -0,0 +1,7 @@
+---
+gitea_oidc_realm: "stage-gitea"
+gitea_oidc_client_id: "stage-gitea"
+gitea_oidc_client_secret: "{{ gitea_oidc_client_secret_vault | default(gitea_client_secret) }}" # backwards compatibility
+gitea_oidc_admin_username: "{{ gitea_admin_username }}"
+gitea_oidc_admin_password: "{{ gitea_admin_password }}"
+gitea_oidc_admin_email: "{{ devops_email_address }}"
--- a/group_vars/all/grafana.yml
+++ b/group_vars/all/grafana.yml
@ -7,6 +7,8 @@ grafana_users:
    email: "{{ grafana_smardigo_email }}"
    password: "{{ grafana_smardigo_password }}"

+grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"
+
 # Define Grafana Dashboards which should be visible users without admin role
 # See uids from in hetzner-ansible/templates/prometheus/config/grafana/provisioning/dashboards/*.json
 grafana_dashboard_whitelist:
--- a/group_vars/all/harbor.yml
+++ b/group_vars/all/harbor.yml
@ -0,0 +1,10 @@
+---
+harbor_oidc_realm: "stage-harbor"
+harbor_oidc_client_id: "stage-harbor"
+harbor_oidc_client_secret: "{{ harbor_oidc_client_secret_vault | default(docker_registry_oidc_client_secret_vault) }}"  # backwards compatibility
+harbor_oidc_admin_username: "harbor-admin"
+harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
+harbor_oidc_admin_email: "{{ devops_email_address }}"
+
+harbor_username: "{{ docker_registry_username_vault }}"
+harbor_token: "{{ docker_registry_token_vault }}"
--- a/group_vars/all/keycloak.yml
+++ b/group_vars/all/keycloak.yml
@ -0,0 +1,5 @@
+---
+keycloak_admin_username: "keycloak-admin"
+keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
+
+keycloak_default_theme: "smardigo-theme"
--- a/group_vars/all/management.yml
+++ b/group_vars/all/management.yml
@ -0,0 +1,8 @@
+---
+management_oidc_realm: "infrastructure"
+management_oidc_client_id: "connect"
+
+management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
+
+management_admin_username: "management-admin"
+management_admin_password: "{{ management_admin_password_vault }}"
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@ -1,7 +1,7 @@
 ---
+
 ansible_ssh_host: "{{ stage_server_domain }}"

-debug: false
 ssh_macs:
  - umac-128-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
@ -26,6 +26,7 @@ ssh_ciphers:
  - aes256-gcm@openssh.com
 ssh_permit_root_login: "yes"

+debug: false
 docker_enabled: true
 docker_config_enabled: true
 traefik_enabled: true
@ -65,15 +66,6 @@ hetzner_server_image: ubuntu-20.04
 hetzner_location: nbg1
 hetzner_load_balancer_type: lb11

-awx_ansible_user_name: "awx"
-awx_ansible_user_ssh_key_private: "{{ ansible_ssh_key_private_vault }}"
-awx_credential_machine_hetzner_name: hetzner-ansible-ssh
-
-awx_ansible_username: ansible
-awx_ansible_password: ansible
-
-argocd_bootstrap_infrastructure: false
-
 gitlab_ansible_user_name: "gitlabci"

 backupuser_user_name: backupuser
@ -156,15 +148,12 @@ docker_compose_path: "/usr/bin/docker-compose"
 service_base_path: "/etc/smardigo"

 devops_email_address: "nso.devops@netgo.de"
-gitea_admin_email: "{{ devops_email_address }}"
 lets_encrypt_email: "{{ devops_email_address }}"
 connect_admin_email: "{{ devops_email_address }}"
 keycloak_admin_email: "{{ devops_email_address }}"
 pgadmin4_admin_email: "{{ devops_email_address }}"
-harbor_oidc_admin_email: "{{ devops_email_address }}"
 grafana_admin_email: "{{ devops_email_address }}"
 grafana_smardigo_email: "{{ devops_email_address }}"
-argocd_admin_email: "{{ devops_email_address }}"

 http_port: "80"
 https_port: "443"
@ -179,7 +168,6 @@ service_port_logstash: "5044"
 service_port_postgres: "5432"
 service_port_kibana: "5601"
 service_port_cadvisor: "8080"
-service_port_webdav: "8080"
 service_port_keycloak: "8080"
 service_port_iam: "8082"
 service_port_sonarqube: "9000"
@ -198,13 +186,6 @@ monitor_port_postgres: "9087"
 admin_port_service: "9081"
 admin_port_traefik: "9080"

-connect_id: "{{ inventory_hostname }}-connect"
-connect_base_url: "{{ connect_id }}.{{ domain }}"
-wordpress_id: "{{ inventory_hostname }}-wordpress"
-wordpress_base_url: "{{ wordpress_id }}.{{ domain }}"
-
-smardigo_auth_token_name: "Smardigo-User-Token"
-
 filebeat_certificate: "{{ stage }}-elastic-stack-filebeat"
 logstash_certificate: "{{ stage }}-elastic-stack-logstash-01"

@ -228,12 +209,6 @@ upstream_dns_servers:
  - 185.12.64.1
  - 185.12.64.2

-harbor_username: "{{ docker_registry_username_vault }}"
-harbor_token: "{{ docker_registry_token_vault }}"
-
-keycloak_admin_username: "keycloak-admin"
-keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
-
 # Note: all dollar signs in the hash need to be doubled for escaping.
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
--- a/group_vars/all/prometheus.yml
+++ b/group_vars/all/prometheus.yml
@ -1,5 +1,4 @@
 ---
-
 # node exporter exposes data only into the private network
 node_exporter_listen_address: "{{ stage_private_server_ip }}"

--- a/group_vars/all/services.yml
+++ b/group_vars/all/services.yml
@ -1,5 +1,4 @@
 ---
-
 # TODO variable shouldn't used in a global way
 elastic_id: "{{ inventory_hostname }}-elastic"
 # TODO variable shouldn't used in a global way
@ -7,25 +6,29 @@ elastic_exporter_id: "{{ inventory_hostname }}-elastic-exporter"

 shared_service_url_harbor: "https://{{ shared_service_hostname_harbor }}"
 shared_service_hostname_harbor: "{{ stage }}-harbor-01.{{ domain_env }}"
-
-shared_service_url_kibana: "https://{{ shared_service_hostname_kibana }}"
-shared_service_hostname_kibana: "{{ stage }}-elastic-stack-kibana-01-kibana.{{ domain_env }}"
-
 shared_service_url_keycloak: "https://{{ shared_service_hostname_keycloak }}"
 shared_service_hostname_keycloak: "{{ stage }}-keycloak-01.{{ domain_env }}"
-
+shared_service_url_kibana: "https://{{ shared_service_hostname_kibana }}"
+shared_service_hostname_kibana: "{{ stage }}-elastic-stack-kibana-01-kibana.{{ domain_env }}"
 shared_service_host_management: "{{ stage }}-management-01"
 shared_service_url_management: "https://{{ shared_service_hostname_management }}"
 shared_service_hostname_management: "{{ shared_service_host_management }}-connect.{{ domain_env }}"

 # use private loadbalancer ip for all kubernetes services
 stage_kube: "{{ stage }}"
-shared_service_kube_argocd_hostname: "{{ stage_kube }}-argocd.{{ domain_env }}"
-shared_service_kube_url_awx: "https://{{ shared_service_kube_awx_hostname }}"
-shared_service_kube_awx_hostname: "{{ stage_kube }}-awx.{{ domain_env }}"
-shared_service_kube_harbor_hostname: "{{ stage }}-harbor.{{ domain_env }}"
+shared_service_kube_url_argocd: "https://{{ shared_service_kube_hostname_argocd }}"
+shared_service_kube_hostname_argocd: "{{ stage_kube }}-argocd.{{ domain_env }}"
+shared_service_kube_url_gitea: "https://{{ shared_service_kube_hostname_gitea }}"
+shared_service_kube_hostname_gitea: "{{ stage_kube }}-gitea.{{ domain_env }}"
+shared_service_kube_url_kibana: "https://{{ shared_service_kube_hostname_kibana }}"
+shared_service_kube_hostname_kibana: "{{ stage_kube }}-kibana.{{ domain_env }}"
+shared_service_kube_url_awx: "https://{{ shared_service_kube_hostname_awx }}"
+shared_service_kube_hostname_awx: "{{ stage_kube }}-awx.{{ domain_env }}"
+shared_service_kube_url_harbor: "https://{{ shared_service_kube_hostname_harbor }}"
+shared_service_kube_hostname_harbor: "{{ stage }}-harbor.{{ domain_env }}"
+shared_service_kube_url_prometheus: "https://{{ shared_service_kube_hostname_prometheus }}"
+shared_service_kube_hostname_prometheus: "{{ stage_kube }}-prometheus.{{ domain_env }}"
 shared_service_kube_jaeger_collector_hostname: "{{ stage_kube }}-jaeger-collector.{{ domain_env }}"
-shared_service_kube_prometheus_hostname: "{{ stage_kube }}-prometheus.{{ domain_env }}"

 # TODO make value available for plays with static inventory - by autodiscover_pre_tasks.yml
 shared_service_kube_loadbalancer_public_ip_not_available: "public loadbalancer ip not available"
@ -33,15 +36,22 @@ shared_service_kube_loadbalancer_public_ip: "{{ stage_public_ingress_loadbalance
 # TODO make value available for plays with static inventory - by autodiscover_pre_tasks.yml
 shared_service_kube_loadbalancer_private_ip_not_available: "private loadbalancer ip not available"
 shared_service_kube_loadbalancer_private_ip: "{{ stage_private_ingress_loadbalancer_ip | default(shared_service_kube_loadbalancer_private_ip_not_available) }}"
+# TODO make value available for plays with static inventory - by autodiscover_pre_tasks.yml
+shared_service_loadbalancer_logstash_private_ip_not_available: "private logstash loadbalancer ip not available"
+shared_service_loadbalancer_logstash_private_ip: "shared_service_loadbalancer_logstash_private_ip_not_available"

-shared_service_additional_hosts:
-  - name: "{{ shared_service_kube_argocd_hostname }}"
+shared_service_default_additional_hosts:
+  - name: "{{ shared_service_kube_hostname_argocd }}"
    ip: "{{ shared_service_kube_loadbalancer_private_ip }}"
-  - name: "{{ shared_service_kube_awx_hostname }}"
+  - name: "{{ shared_service_kube_hostname_awx }}"
    ip: "{{ shared_service_kube_loadbalancer_private_ip }}"
-  - name: "{{ shared_service_kube_prometheus_hostname }}"
+  - name: "{{ shared_service_kube_hostname_prometheus }}"
    ip: "{{ shared_service_kube_loadbalancer_private_ip }}"
  - name: "{{ shared_service_kube_jaeger_collector_hostname }}"
    ip: "{{ shared_service_kube_loadbalancer_private_ip }}"
-  - name: "{{ shared_service_kube_harbor_hostname }}"
+  - name: "{{ shared_service_kube_hostname_harbor }}"
    ip: "{{ shared_service_kube_loadbalancer_private_ip }}"
+  - name: "{{ shared_service_logstash_hostname }}"
+    ip: "{{ shared_service_loadbalancer_logstash_private_ip }}"
+
+shared_service_additional_hosts: "{{ shared_service_default_additional_hosts + (shared_service_custom_additional_hosts | default([])) }}"
--- a/group_vars/all/versions.yml
+++ b/group_vars/all/versions.yml
@ -26,6 +26,5 @@ traefik_version: "v2.8.5"

 connect_version: "10.5"
 iam_version: "10.0"
-webdav_version: "8.4.1"

 ansible_minimal_version: "2.12.0" 
--- a/group_vars/connect/plain.yml
+++ b/group_vars/connect/plain.yml
@ -6,14 +6,14 @@ hetzner_server_labels: "stage={{ stage }} service=connect{% if tenant_id is defi
 # unique id for a service, will be used for service access management as well (e.g. keycloak realm)
 connect_client_id: "{{ cluster_name }}"

-connect_postgres_host: "{{ shared_service_postgres_01_hostname }}"
+connect_postgres_host: "{{ shared_service_postgres_primary }}"
 connect_postgres_database: "{{ stage }}_{{ tenant_id }}_{{ cluster_name }}_connect"
 connect_postgres_username: "{{ connect_postgres_database }}"
 connect_postgres_password: "connect-postgres-admin"

-connect_elastic_host: "{{ shared_service_elastic_stack_01_hostname }}"
-connect_elastic_username: "{{ elastic_admin_username }}"
-connect_elastic_password: "{{ elastic_admin_password }}"
+connect_elastic_host: "{{ shared_service_connect_data_hostname }}"
+connect_elastic_username: "{{ shared_service_connect_data_username }}"
+connect_elastic_password: "{{ shared_service_connect_data_password }}"
 connect_elastic_ca: "file:/usr/share/smardigo/ca.crt"
 connect_elastic_prefix: "{{ stage }}_{{ tenant_id }}_{{ cluster_name }}"

--- a/group_vars/connect_webdav/main.yml
+++ b/group_vars/connect_webdav/main.yml
@ -1,3 +0,0 @@
---
-
-connect_webdav_enabled: "true"
--- a/group_vars/connect_wordpress/main.yml
+++ b/group_vars/connect_wordpress/main.yml
@ -1,6 +1,5 @@
 ---

-connect_wordpress_maria_host: "{{ shared_service_maria_hostname }}"
 connect_wordpress_maria_database: "{{ stage }}_{{ tenant_id }}_{{ cluster_name }}_connect_wordpress"
 connect_wordpress_maria_username: "{{ connect_wordpress_maria_database }}"
 connect_wordpress_maria_password: "connect-wordpress-maria-admin"
--- a/group_vars/gitea/plain.yml
+++ b/group_vars/gitea/plain.yml
@ -8,11 +8,7 @@ gitea_postgres_id: "{{ inventory_hostname }}-postgres-gitea"

 gitea_base_url: "{{ inventory_hostname }}.{{ domain }}"

-# unique id for a service, will be used for service access management as well (e.g. keycloak realm)
-gitea_client_id: "{{ cluster_name }}"
-gitea_client_secret: "{{ cluster_name }}"
-
-gitea_postgres_host: "{{ shared_service_postgres_01_hostname }}"
+gitea_postgres_host: "{{ shared_service_postgres_primary }}"
 gitea_postgres_database: "{{ stage }}_gitea"
 gitea_postgres_username: "{{ gitea_postgres_database }}"
 gitea_postgres_password: "gitea-postgres-admin"
--- a/group_vars/keycloak/plain.yml
+++ b/group_vars/keycloak/plain.yml
@ -3,7 +3,7 @@
 hetzner_server_type: cx11
 hetzner_server_labels: "stage={{ stage }} service=keycloak"

-keycloak_postgres_host: "{{ shared_service_postgres_01_hostname }}"
+keycloak_postgres_host: "{{ shared_service_postgres_primary }}"
 keycloak_postgres_database: "{{ stage }}_keycloak"
 keycloak_postgres_username: "{{ keycloak_postgres_database }}"
 keycloak_postgres_password: "keycloak-postgres-admin"
--- a/group_vars/logstash/plain.yml
+++ b/group_vars/logstash/plain.yml
@ -1,5 +1,6 @@
 ---
-
 hetzner_server_labels: "stage={{ stage }} service=logstash"

 traefik_enabled: false
+
+logstash_ssl_enabled: true
--- a/group_vars/management/plain.yml
+++ b/group_vars/management/plain.yml
@ -1,55 +1,3 @@
 ---

 hetzner_server_type: cx21
-
-connect_client_admin_username: "{{ management_admin_username }}"
-connect_client_admin_password: "{{ management_admin_password }}"
-connect_workflow_env: "baseUrl:{{ connect_base_url }};stage:{{ stage }};smardigoUserToken:{{ smardigo_auth_token_value }}"
-connect_oidc_client_secret: "{{ management_oidc_client_secret }}"
-
-connect_config_delete_scope_enabled: true
-connect_datasource_action_enabled: true
-connect_element_template_enabled: true
-connect_external_task_script_worker_enabled: true
-connect_search_elastic_enabled: false
-connect_swagger_enabled: true
-connect_workflow_heatmap_enabled: true
-
-tenant_id: "{{ management_oidc_realm }}"
-cluster_size: "1"
-cluster_name: "{{ management_oidc_client_id }}"
-current_realm_name: "management"
-current_realm_display_name: "Stage Management"
-
-postgres_acls:
-  - name: "{{ connect_postgres_database }}"
-    password: "{{ connect_postgres_password }}"
-    trusted_cidr_entry: "{{ shared_service_network }}"
-
-current_realm_clients: [
-  {
-    name: '{{ management_oidc_client_id }}',
-    clientId: "{{ management_oidc_client_id }}",
-    admin_url: '',
-    root_url: '',
-    redirect_uris: [
-        "{{ http_s }}://{{ connect_base_url }}/*"
-    ],
-    secret: '{{ management_oidc_client_secret }}',
-    web_origins: [
-      "{{ http_s }}://{{ connect_base_url }}"
-    ],
-  }
-]
-
-current_realm_users:
-  - username: "{{ management_admin_username }}"
-    password: "{{ management_admin_password }}"
-    email: "{{ connect_admin_email }}"
-    requiredActions: []
-
-current_realm_admin_users:
-  - username: "{{ management_realm_admin_username }}"
-    password: "{{ management_realm_admin_password }}"
-    email: "{{ connect_admin_email }}"
-    requiredActions: []
--- a/group_vars/pdns/plain.yml
+++ b/group_vars/pdns/plain.yml
@ -10,7 +10,7 @@ pdns_admin_id: "{{ inventory_hostname }}-admin-pdns"
 pdns_admin_postgres_id: "{{ inventory_hostname }}-admin-postgres-pdns"
 #pdns_api_key: "< see vault >"

-pdns_postgres_host: "{{ shared_service_postgres_01_hostname }}"
+pdns_postgres_host: "{{ shared_service_postgres_primary }}"
 pdns_postgres_database: "{{ stage }}_pdns"
 pdns_postgres_username: "{{ pdns_postgres_database }}"
 pdns_postgres_password: "pdns-postgres-admin"
--- a/group_vars/postgres/plain.yml
+++ b/group_vars/postgres/plain.yml
@ -1,7 +1,7 @@
 ---

 hetzner_server_type: cpx11
-hetzner_server_labels: "stage={{ stage }} service=postgres"
+hetzner_server_labels: "stage={{ stage }} service=postgres role={{ server_type }}"

 postgres_acls: []

--- a/group_vars/redis/plain.yml
+++ b/group_vars/redis/plain.yml
@ -1,11 +0,0 @@
---
-hetzner_server_type: cx11
-hetzner_server_labels: "stage={{ stage }} service=redis"
-
-docker_enabled: false
-traefik_enabled: false
-
-redis_bind_interface: 0.0.0.0
-redis_maxmemory: '{{ ansible_memtotal_mb * 0.8 | int }}'
-
-redis_exporter_ip: "{{ ansible_ens10.ipv4.address | default('127.0.0.1') }}"
--- a/group_vars/stage_demompmx/awx.yml
+++ b/group_vars/stage_demompmx/awx.yml
@ -0,0 +1,6 @@
+---
+awx_admin_username: "awx-admin"
+awx_admin_password: "{{ awx_admin_password_vault }}"
+
+awx_hetzner_ansible_revision: "main"
+awx_custom_ee_image: "{{ shared_service_hostname_harbor }}/prodnso/awx/awx-custom-ee"
--- a/group_vars/stage_demompmx/bootstrap.yml
+++ b/group_vars/stage_demompmx/bootstrap.yml
@ -0,0 +1,14 @@
+---
+harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
+harbor_bootstrap_helm_name: "infrastructure"
+harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
+harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault}}"
+
+gitea_bootstrap_url: "https://demompmx-gitea.smardigo.digital/demompmx/demompmx-argocd"
+gitea_bootstrap_username: "{{ gitea_admin_username }}"
+gitea_bootstrap_password: "{{ gitea_admin_password }}"
+
+custom_ip_whitelist:
+  - "5.75.131.94"
+  - "116.203.156.144"
+  - "91.107.225.163"
--- a/group_vars/stage_demompmx/database.yml
+++ b/group_vars/stage_demompmx/database.yml
@ -0,0 +1,21 @@
+---
+shared_service_postgres_primary: "{{ stage }}-postgres01-01"
+shared_service_postgres_secondary: "{{ stage }}-postgres01-02"
+
+stage_database_management_connect_name: "{{ stage }}_infrastructure_management_connect"
+stage_database_management_connect_password: "connect-postgres-admin"
+stage_database_management_keycloak_name: "{{ stage }}_infrastructure_management_keycloak"
+stage_database_management_keycloak_password: "keycloak-postgres-admin"
+stage_database_management_gitea_name: "{{ stage }}_infrastructure_management_gitea"
+stage_database_management_gitea_password: "gitea-postgres-admin"
+
+stage_postgres_acls:
+  - name: "{{ stage_database_management_connect_name }}"
+    password: "{{ stage_database_management_connect_password }}"
+    trusted_cidr_entry: "{{ shared_service_network }}"
+  - name: "{{ stage_database_management_keycloak_name }}"
+    password: "{{ stage_database_management_keycloak_password }}"
+    trusted_cidr_entry: "{{ shared_service_network }}"
+  - name: "{{ stage_database_management_gitea_name }}"
+    password: "{{ stage_database_management_gitea_password }}"
+    trusted_cidr_entry: "{{ shared_service_network }}"
--- a/group_vars/stage_demompmx/firewall.yml
+++ b/group_vars/stage_demompmx/firewall.yml
@ -0,0 +1,143 @@
+---
+hcloud_firewall_objects:
+   -
+     name: "{{ stage }}-default"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: icmp
+        port: ''
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: ICMP allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '22'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: SSH allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '80'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: HTTP allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: HTTPS allowed
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'
+   -
+     name: "{{ stage }}-monitoring"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '9080-9085'
+        source_ips: '{{ ip_whitelist + [ lookup("community.general.dig", stage + "-prometheus-01." + domain ) + "/32"]  }}'
+        destination_ips: []
+        description: 'Server/Service Monitoring'
+     -
+        direction: in
+        protocol: tcp
+        port: '9001'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: 'PgAdmin'
+     -
+        direction: in
+        protocol: tcp
+        port: '9187'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: 'Postgres-Exporter'
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'
+   -
+     name: "{{ stage }}-monitoring-extern-https"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips:
+         - "{{ lookup('community.general.dig', 'dev-blackbox-01.smardigo.digital' ) }}/32"
+        destination_ips: []
+        description: null
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }},service=connect'
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }},service=keycloak'
+   -
+     name: "{{ stage }}-access-to-kubernetes-api"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '6443'
+        source_ips: "{{ ip_whitelist }}"
+        destination_ips: []
+        description: "Allow access for whitelisted ips"
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }},service=kube_control_plane'
+   -
+     name: "{{ stage }}-access-to-connect"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: 
+          - '0.0.0.0/0'
+        destination_ips: []
+        description: "Whitelisting ALL(also from UNTRUST) incoming HTTPS traffic for connect-instance(s)"
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }},service=connect'
+
+
+hcloud_firewall_objects_keycloak:
+   -
+     name: "{{ stage }}-access-to-keycloak"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: 
+          - '0.0.0.0/0'
+        destination_ips: []
+        description: "Whitelisting ALL(also from UNTRUST) incoming HTTPS traffic for keycloak-instance(s))"
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }},service=keycloak'
--- a/group_vars/stage_demompmx/gitea.yml
+++ b/group_vars/stage_demompmx/gitea.yml
@ -0,0 +1,5 @@
+---
+gitea_admin_username: "gitea-admin"
+gitea_admin_password: "{{ gitea_admin_password_vault }}"
+gitea_postgres_username: "gitea-postgres"
+gitea_postgres_password: "{{ gitea_postgres_password_vault }}"
--- a/group_vars/stage_demompmx/grafana.yml
+++ b/group_vars/stage_demompmx/grafana.yml
@ -0,0 +1,4 @@
+---
+grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
+grafana_admin_username: "grafana-admin"
+grafana_admin_password: "{{ grafana_admin_password_vault }}"
--- a/group_vars/stage_demompmx/kubernetes.yml
+++ b/group_vars/stage_demompmx/kubernetes.yml
@ -0,0 +1,7 @@
+---
+
+kubernetes_with_externaldns: true
+kubernetes_with_certmanager: true
+kubernetes_with_ingress: true
+kubernetes_with_gitea: true
+kubernetes_with_awx: true
--- a/group_vars/stage_demompmx/logging.yml
+++ b/group_vars/stage_demompmx/logging.yml
@ -0,0 +1,2 @@
+---
+logstash_ssl_enabled: false
--- a/group_vars/stage_demompmx/plain.yml
+++ b/group_vars/stage_demompmx/plain.yml
@ -0,0 +1,52 @@
+---
+stage: "demompmx"
+
+hetzner_server_type_kube_cpl: cpx21
+hetzner_server_type_kube_node: cpx31
+
+custom_stage_plattform_users:
+  - "hp.wissenbach"
+
+# TODO read configuration with hetzner rest api
+shared_service_network: "10.0.0.0/16"
+
+netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
+netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"
+
+# smardigo automation DEV gpg key
+# https://git.dev-at.de/smardigo-hetzner/communication-keys/
+# push mirror: https://{{ stage }}-gitea-01.smardigo.digital/communication-keys.git
+gpg_key_smardigo_automation__private: "{{ gpg_key_smardigo_automation__private__vault }}"
+
+pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
+pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"
+
+shared_service_gitea_hostname: "{{ shared_service_kube_hostname_gitea }}"
+shared_service_hostname_harbor: "{{ shared_service_kube_hostname_harbor }}"
+
+shared_service_iam_hostname: "{{ stage }}-iam-01.{{ domain_env }}"
+shared_service_mail_hostname: "{{ stage }}-mail-01.{{ domain_env }}"
+shared_service_logstash_hostname: "{{ stage }}-logstash.{{ domain_env }}"
+
+filebeat_image_name: "{{ shared_service_hostname_harbor }}/docker.elastic.co/beats/filebeat"
+metricbeat_image_name: "{{ shared_service_hostname_harbor }}/docker.elastic.co/beats/metricbeat"
+
+connect_jwt_enabled: true
+connect_jwt_secret: "06aa5b66a2e241b7af934035df79e8a8"
+iam_jwt_enabled: true
+iam_jwt_secret: "b9bb2282a3284bf291173ef202928004"
+
+keycloak_default_theme: "mpmx-theme"
+
+harbor_admin_username: "{{ harbor_admin_username_vault }}"
+harbor_admin_password: "{{ harbor_admin_password_vault }}"
+
+shared_service_url_kibana: "{{ shared_service_kube_url_kibana }}"
+shared_service_hostname_kibana: "{{ shared_service_kube_hostname_kibana }}"
+
+elastic_admin_username: "{{ elastic_admin_username_vault }}"
+elastic_admin_password: "{{ elastic_admin_password_vault }}"
+
+shared_service_elastic_stack_01_hostname: "demompmx-connect-data.smardigo.digital:443"
+
+shared_service_loadbalancer_logstash_private_ip: "10.0.0.21"
--- a/group_vars/stage_demompmx/prometheus.yml
+++ b/group_vars/stage_demompmx/prometheus.yml
@ -0,0 +1,12 @@
+---
+prometheus_admin_username: "prometheus-admin"
+prometheus_admin_password: "{{ prometheus_admin_password_vault }}"
+prometheus_admin_password_htpasswd: "{{ prometheus_admin_password_htpasswd_vault }}"
+
+alertmanager_admin_username: "alertmanager-admin"
+alertmanager_admin_password: "{{ alertmanager_admin_password_vault }}"
+alertmanager_admin_password_htpasswd: "{{ alertmanager_admin_password_htpasswd_vault }}"
+
+prometheus_tsdb_rentention_time: '2w'
+# federation for k8s prometheus -> stage prometheus
+prometheus_federation_enabled: false
--- a/group_vars/stage_demompmx/services.yml
+++ b/group_vars/stage_demompmx/services.yml
@ -0,0 +1,9 @@
+---
+shared_service_url_harbor: "{{ shared_service_kube_harbor_url }}"
+
+shared_service_custom_additional_hosts:
+  - name: "{{ shared_service_connect_data_hostname }}"
+    ip: "{{ shared_service_kube_loadbalancer_private_ip }}"
+
+iam_image_name: '{{ shared_service_hostname_harbor }}/prodnso/smardigo/iam-app'
+connect_image_name: "{{ shared_service_hostname_harbor }}/prodnso/smardigo/connect-whitelabel-app"
--- a/group_vars/stage_demompmx/vault.yml
+++ b/group_vars/stage_demompmx/vault.yml
@ -0,0 +1,130 @@
+$ANSIBLE_VAULT;1.1;AES256
+39316466656139663139383533663864323562303264393333393336316339373436636137373332
+3335663062626562656537313266346339643561383265320a646136366137666338396666386565
+63616237396265613136323361396166623763323761653666656161333039343730316362633938
+6631323836653532380a303038663633386634323235383330373831363536633133333931343430
+35373332376666616137346164303431636635306435336164353332363632356630383334396436
+33633631356663643932626664393932333164626132633536323336393531653133373734303933
+31653335323635313032303739366461393433636231306239306332363533306365363264386138
+63363465363831333762363237353636313262396666333335663966636537353563643561393536
+31313662303065353135643734356439623535633036663337653865373330333934633565386262
+61353166346130636663356365646166303431373131373237323262666237353930353864383433
+64633666613939623832636330353964353865373230393564663937646663306332666462326431
+35366334663836326531396535353164396666666333393666333138313732653438633637396664
+61393865636436613666316166663966306331666538653266313830666136333461356261626461
+39306139326438366632333866356362636162376664316430643530623439383034666532326234
+33383762663036356530663165333562313938356161623063393531316539326439383330633366
+39386563623730666639363363343736663532316334343032396662643338613033333737346564
+34633738613530373332313063343364376264343731613334333463663937323565623265343432
+36326431663631306633393135626462383733633730303966383739316338646635643862376439
+30666636666433393863656537356135616235633865353265323239313539393164383333383535
+35323462373262643730343530633366366135646566396466396335626535333433313161396336
+38356364616339343565336361356263313766336162306263663762323461323739393063323036
+64373763306234663738343436353738653061343737643164396434356532666539633437386639
+63306264363239366437653062643365323330353534393861393932653461353138626234343263
+37333438386362386437333836646563633565653930303630343362386531666635343366346435
+34366666353636363536336135663262393863383764646632663066663436636539633530313361
+30613662333035393233616532353830383363633061353036626331623830333831303262316564
+62383063353334326263623232616133336136393166386236353464306666326563303333366437
+62313130376636626538396439373630316237323534643238353739636664333039653466336666
+37376164373134313430653731333132633636336434303830396336323536313965353736623331
+33656236356137373433633165386430653364663636346463643663333830383430666566393735
+65613232326463666436346531356334396461613961366539623130333563663739393438396464
+66306636643865363737313732303830663437646464336139346433653233366132656532353335
+65303164343033303333316536643131393332643034343061386263313332356333343539383937
+38353863366632633139626261346339626263623565313336333366666439643165396164636663
+36633764616361663536373437346435636564346436663237643930383932396134616331306266
+34653134346166633034353438663430306162613638323561616662383137646231666235316561
+65386563383435653135356237393263373632376564303639383562306564633933396462623730
+35643863626138656331666432663938653765643866666434323336323061333036373561366461
+33663164346538656139626266386633373531333932343830313035343038666435316265306536
+34623534373465613930376637623863643264316633306436316530366165336539333161383734
+36373234613965666535373634313966313466363966373133393336646436323637353536613032
+38343533306663343961396633373564336237663864316334613031626534653733626133666464
+63396331323765656231303966373661323365656432663333613563666266356465623866663735
+37656631313464663838323833646635623362353032663062366335373230333166393034376536
+66306565316533363564656531383963646132333937326438656339393563623631306263313337
+39323235613261393132303139623762306535346362363463383365383639303431323432633938
+35643637303133383662363462646435326439306262646266303738633935383838343930336436
+64613838363530643162363261636432633236313534373262626538303330316432336564366163
+37386539333930616234623437333563316631633636373334356465376338323766643663343238
+34356330303062666230663939626639643937653130326530383935616433343165316332333434
+33383462313961316566643366323139616439393830353638663466643938643632663137646438
+32643466616366636233333832316364313633623561353639386162643963393533613436393637
+66643633643137353564383531303964626331623538323937336538626661383135363639363033
+31623233386334656361656662353666366635373431373837643031333133353732363763376466
+31383132303864366233623837313735353934303137376331313238656262623862626430616566
+61396631376133346334393464626437366432356233303762366363383630373464623162316562
+34393531323263306532396535343035323163363230616164333861623538326266366664393166
+32323932306162323033353237656565353130613463653163303530346665343836366336353333
+36663831396433326664656264326530623038613165306435336436656239333839376339633738
+35663665316261623336333830363863316365393562653633313530366561623636326232643539
+62663238376232346364666661373936316164313334323561303236386134633663623561616265
+63396231313266633861353966383235613734343239396630343764633731643031386634356437
+33346633313632333532353036333761366561363435376366383231353033373032653434353233
+66656331366635626565373661666335666664383362393863313233323636316239643939316436
+36313361376361313539626533313066643036363432393037336162623336383537346138313361
+35663761386634636235373738653635353864383936356364646635653665336661326563303634
+63326563323638376432336530663538656263613362333265656436333534666136393536613437
+30353961363462373362643139353235396330323663626538633866326239633665373736636539
+63393531633833396464393032343333623739343164366362663065323865616338653662656236
+63653763623262333235303334313836353064633863346365373265326239323964633866383764
+34633062326334343835626337363663646633313438636237373362363563376662623333646138
+64623230323035616333303064316233333561393733363236653237376535336162366261653332
+62633031303362333962326665633264333435363739363563316338343966386637646461353934
+37626237633465373139393338643435613430383564386461356266373635306662613339643439
+66323966323239383963323837656465323963303965653737323439613065363632343935623766
+33636437646230656166353031393934346364626565613164353834613464313433663235336666
+30316363343966353039303535323735366663373439393336336365353639623732663362376431
+35623633653931323839376431626661393863316534316333353331646636366533376434656431
+33326237666264386535343037386635383833333463313866633133343863326161653661623937
+36623134613166366261626231303365623737316134633564323635633032326563643233633436
+65623838336161643761333436356566663565376531613331386164393362393064336531633130
+62303534353939623937663365303963356538326334336234666237323664353332633732343333
+31353462613836383936643162373038653637623461363930626466393331623162366265643462
+38613031666334336466653239343633666666313163366663306133316665666638323336653832
+34616261336132656635643731396238636339633133643138616465643638323166653762346132
+36376131316237616339363964363130633065363065303631373732313463633936653731623864
+35353362323365343135643163386361613333383232616534363539356165333938616365663931
+62633230616434613663313130666336306261326135386564373738623365376365636563393732
+35386634643638626630383534383232303836323339316635353562613232636163343630646335
+38653662303466643463646632633965383131323561356638313532613831626537626335666463
+30303735303230313331383033386133343266643536356532636531336234616137643564636562
+38386538663666653034633262303261346136383661393933313738623739656532623634663831
+38623335373637353434323063313336613436633465643135663633383733316362396361313036
+66363363376431343361663137633162373862346161386236383731333732313930663461623563
+61336362346563613065366438393561666261663733646335663031613861366135386231656431
+30666261326437316431616136313861666636666433653536663833316365656139653639363137
+38343839613437373233386232323138363762616665636362663833343439323730313466663633
+37636364363633653365343638326664316631363363663730353139653934333061346635666265
+37323965386337613634653634373139653531353539636132393365366232643033386561356638
+31663764386266656363313131646665303639323364343535626332386639363430303534616236
+32343833653462383831323432373861383662346137393361613263613865326131623163383962
+63636435366566376639313233386230303136646136383064663934373564306234366435636265
+35393938393033366231396433373337613965316264353964396533323136363162386363376566
+30323835303561346166373931313663303266386335663830383630653363373361616664393539
+65303666616535643164316534616134653862353162326336353530656534323966666639373464
+64313132303236666462366265633332366330323463613432326231313631653037366137306237
+65363734656436383930313136383136663734623132613438313630633437303832663666323233
+30376138653231623861396137313132316532616139306265336365643138636331643131373733
+39643333643939613561346233373136366162363166326234313730353965363830303433353736
+30323264376431336233336438366639376232333335663462393834306234336366356633346234
+65333137626564323161386238653634303239623566663736313363336364373662666465303038
+39373765616165353662363432383338643565366364303064326662633035303434346231383266
+34666466336265653031396339303930626232393335303937336164336639393934383265646639
+32643936353561613961613938386331383339663361376135663933613965346430306361303735
+63303365376230343236373633633464626437353565383730636633613737643834386162636530
+39303738666663646133376566613130343132353462316362336239356237626464343634326361
+37663931613066303563666663626433653634323032363533393136353931666339393464653762
+30613437646635653963366664333430643437646264353338383666393835613335396138653434
+66313630393736653164323737306235353336303533666561366635613361303435636230313161
+64333464306661333663626564363131303361343061376138323231353938613033636632656238
+61363964653630666130313664323031316334366537346265303262363835373366353730313163
+62373863373233623838636363643533303132336232363137353337396464626534353863333462
+38316634316335313634313732656264353934393065656465353339313239383837333831353939
+65373864666237306634613463663734373964623130653865396165356564366263313664326562
+63393763353532353962646366363138666636323761613232336631656637323432633935666638
+35653532353964306332376464613061333461666533336234306138373836656433386564396562
+36623637633462386162383835613038633532373230643932363937363732373863336533326334
+33366561656262393965643265623465383935363434356466383038656266303339613130383831
+62613535623563353935626162346332653334613465333862623162643036653861
--- a/group_vars/stage_demompmx/vault_backup.yml
+++ b/group_vars/stage_demompmx/vault_backup.yml
@ -0,0 +1,28 @@
+$ANSIBLE_VAULT;1.1;AES256
+39306464316231633561666232626464316634306164653164663731373232636433343564306266
+3864333037326533646163383034313733356561336564630a346339376435616538303662636461
+32396538333437633363653533333234666231613936373336356164386563653061663234613233
+3238643332353530380a396162653561373032333333633438313930663539303039623336333766
+61346666613639333038336336633233646338356461663738653866303562656638626264363330
+36666532353434316262336436333136626333366464613534636235633762343362626430616431
+39396264353962366463393530323734383638666262393030336463303863633235633234333365
+39636434303535346266653733633864613436613066306130386639323762346331366336613537
+34313261373962353065326434306639656337643562323538373666366438376239613432333832
+30313262663637386630363830386231353733636131366635643064313539353739336438353431
+39303866363532646136626530353733363131343738383164383830663333643431613834633966
+32333065363833373562633037333030633765323762656438383263633666653466636231323739
+65353937353033613462343666303835386534633662623132656630663864326564613062656135
+30653030333230623531353466333933633634393966386565363366336235666436613938383061
+63666639373936323537373835643938386531626535373931383136386630613063353061656237
+33353865313535306437663834666361306538616533313834336632343934376231643665303030
+36643037633438323964386662326263396361343535383166633137303166353433316335333539
+61383837303664663864396661386434316630626137386662356230636639303037343436313030
+34313562343534383233373939613332323630303131373564333365306439353637316237663433
+37306539653334373636656561626637376362336137633333383434366364383538636263663533
+31303766646135323666343133353938313865343531656662643263333263303435666134373437
+35383032386338373462316133376335313931626263393166633562623265636530636631323435
+65343833613030633262623636346266623962323537363635396238663965653661653138666562
+63386164323130313763313136623636653266306439393333663833363537313236383839326261
+65306636393031643039653830333539383566353063323562663062353137353632393130633066
+65613833383863356138303834346435396365613762643336373065303766636633343832653166
+356366613430343266616461363534383531
--- a/group_vars/stage_demompmx/vault_env.yml
+++ b/group_vars/stage_demompmx/vault_env.yml
@ -0,0 +1,79 @@
+$ANSIBLE_VAULT;1.1;AES256
+32323066616635353064366133343063363764623034623934383161666536623033306330303638
+3461656635666631623363666663343339333837663935630a313462306639656565653733346533
+64663964313163393037343263643165343662646630623930396466336231616631386535623963
+6361636664393462650a616665323364383866303762353261303437646434323733346237336639
+62343733663934366233616335613133646638613132623632643032386437396663363131363535
+36663662366264353631343136356139623335303263656437373964646464613035363639646135
+38373430633337376533323663376465616538393536396630393966646534346230653363393066
+62663961346431363035383036316161396363633639373538653736613135633665393537343530
+38313261653261613164636235386237656365336666383237623063643439333533636264376230
+66323236303232303361613461653763663034356166313132343638303831633337373865646162
+34353161323262663136653165323636323737616436336138623030616331363866303332383233
+31346337373664323963626230656466653566653964386161303238656661633233623533613739
+62386638363531613530343631306162333261653965396663386432303638643734353832346464
+62626138356337393532373033626364633166383935316639656335313862336538656336313662
+34616134346639633566353839646639396137333830366432623763343066396537313137363633
+61373239363030313031376338666265353432363566353230336535623465353939346666303164
+31356234643463396639313130303835636232363562643038366236633931366563313931353566
+33613362383533623265616563336432653938653630376231383062366630363437666563313264
+63316437623563356334386232366536623964633231656231373866643032366163326266646237
+64636431383630353765636165396133383035313366623066613533343361306435383735623932
+38643431346334653664396364303934376364383766623931386263616465393534333537633834
+38343461393739386261316264653865386463633330366237323530306135353765343563343432
+64393539636437613064616262303137626364346561646461373366363436333739633363303235
+63363135666430393666663238306338323863343665636166663338636632363438633132303766
+31653032363734613265343437613539323631613334376539613930383362383437366436303834
+64656266623437326161323561373834343462353637666435616265383834323266633464386462
+38653762643532386533656431323939616337666430373766373536633162366532656132623064
+36613461316235663262373630643763303132363738643366316364383962653939643239666361
+65633034626531393338633165386533376564313937366334633731386566643137333136613263
+30646436666165323131353736626134626338313362303732396635393835643938653236346437
+64313435616231323534663936363034613132653233313831636133303061396633313435393866
+36643131323161646532353533613564616232356165376132323963303130393664383065303936
+39363831303531393334376163636531616334333035656236353339633532626137393633623836
+65646535663365646462383866623338303131613338656239376430373339323734653261633130
+64343964393161613139636335366134383362353137646162383432356565643332346365656139
+63303166383962323434663931613532666464636464333035383233323264353461663966646230
+33353663363137363132396433336538333166356162626139336137353962626563613763383765
+66653035373261373333646638626433373834306164313831333964656430373330376365316633
+30313934383163373466643633393863333661633538656664363131303336366634326337346533
+62373036636364656262643737336562336338353432313237613764626633373130373534353533
+66323132666130653062643232653530363564386561643932396237633766353961323838373065
+34363633653463363433326265633630663035396635663639613737343030333630643366376666
+33313664386566653732616666356663393539303638363134346361303164643236313962306231
+37346332373331396566386532363035623461383235633666356662393839646633376565333136
+31303637333833616339633334343965393034313234363361373033343631346331343063383939
+37323733313337346539636135316361336639613233323134363637343434653761633036376265
+36343634376233666262646534613832313235323936316562353235373430363966366432353730
+35663434386631323564323538623365333734653065373664396562383430306531373561613839
+65623063363464663337336533303239346338366665653762653266653333363064383737613033
+30623930383564343065653966373331316563346133623765363838306235306135373165623837
+33376438326332613938393630353263353134333535333337353834303031646663633463633039
+35646466613565336632613532303135396132393063613432626337313533393532346334616465
+34343633626465353263663037363735353735376537663234326163343635353134663766373439
+65656432613164653230393939653133373130643937373835363662336235623065643061386666
+34373237653564336131643635356139386663303639623064306536383062653937333166376230
+37373761623832353262316436386532306338653866313761306237393034383130313932373065
+36386630373333353235323263663736353334306535333565616136366335353839326134323532
+63653334626465303261383230653136636631386138353866383865366663623065383534613265
+61313131323064616562643932306535313135363431646438366134623561313332326664323137
+32323866663931303865326162373633653034363966386164376639616534616139303931306461
+35366132346533383565323134343432396563393130626463323366383139343061343535613636
+32333936376238643439383433356536333863313235356132623638376339636662633131633534
+63386633333735393662646365636439313834393738666630633432633362653639323466613539
+38323031343461373464383036623134633466623334306536303231663863663063313165333365
+32323433396261643864623562306464386339633965613934333964353961393737316330343434
+38646266653632323932653063373239396639366666313336333363623631376634366566663530
+30363966313762386465633438303938323336383336316131366131386633303266623431636537
+32396131316264366530353666646232646263646331363664616563643230633863376538356562
+31646464336363653261626638303738623464373762623165613732313062326530366536656665
+34653231306537646666346561306231303238376532313537656561383861313064653334386332
+61643833363933383534303962623666646363313733653637306664336531653766636331626234
+61353263376465323765373166633664626163323664663230353965313364363066393737386232
+64393662653832376237663035303262303332326138366563393739393165343030383564653236
+34303330666435623066383262626230336366383535653265356236376262643261313666383733
+35633337633339616533633166346336303937646636643865336635373764343661653438303032
+66383466306139353837396531346230633931383666353636303234316435633337363438663861
+65626665336564393134353135613033333536363165633837616332656561383534373764623663
+6261633561663633646466356462363964613364633365623038
--- a/group_vars/stage_demompmx/vault_pgp.yml
+++ b/group_vars/stage_demompmx/vault_pgp.yml
@ -0,0 +1,353 @@
+$ANSIBLE_VAULT;1.1;AES256
+33383336366364656233386239393166336131396632323532346531313239306634306139333538
+6638393163643036333664376230366133353961616332660a393335346263383034333464363863
+66613339613633373833643561366462656430343961303865623931363461346239396164313332
+3362633238373938340a396230336635303039356431333532393234383766346261306337313065
+38303839633463393232346462356133636434336235643638386661383633306266343734376137
+34656634653362333163656564616632303861353638393262353666613565626664333463383865
+33326235393931626132636635346534326432356133353263653165393565343430363963343538
+64303161633936316161356662336430396535633833613864356238376439613262383161353635
+39633130326635653039613035343561626532313437653866333431303335326136333737666137
+30656566653630363333633863343735323761336365383162616263666133366330323238343932
+32626664653464333431633961353564626261336263326363386638323838656330316137633662
+37633965323531643961656231346238616630376562386635333432313730323133396136633830
+64333463333739353862383132633835656234633265623332323161656234356433633030666231
+64646262316464386634633731386530333265366537626436623433373062373065343162396434
+37663331656535613661323566383831326130666630613235396265393630363333363536393032
+33303635613435313830393430623036353035306666393665333161313735356632393136373032
+31626533303635383462356461366532383537353064393566623233386231363366346662376366
+62643732653635343738353230373932323663396164653032393335333766643363333162643836
+36643430366364363263333364343163326135643932383064343834636238383363303166303665
+39383635323565306534633536643935653233663733396636383361393065623438656432346366
+39313134623930356465383964323463313864666330396530646463316661376537333664626335
+37396562636435343934633861653065343635353634393737656235363837646637306332383635
+38663934306331316663353335373931656332646636343336643663396135323838663632633766
+32333630333833306538326538613531383739623634643136653031653236393461333331363130
+34646164353134393030353463626539646630393137323161313331376135353339313236386231
+63323135383533623161373530616431336234326263336563306236363162353334663165333831
+31353266343436663737663163613230656265386434616432313361326434646237616337363331
+36663633326665623265363436326665366135653930373434353130313133373737366433343336
+62313530303236393061346636353932623634343530353130623130666334313535623933353530
+37613165323432386539613365303339633965313531663039383436346165633466613732613439
+65613835306230373232646534343530646535393836636161303661356634653331646536666136
+31666335336430396135323466636333626563613430343161326664316630336361356132393534
+35383339633134313639623035383462353461623165373132613535383462326665313831666536
+62333336623963376564366233316561366633313662323837336232626431653234353230366232
+32366637666362343838383030623331343635653231303437383961363933326131626664623137
+34383330346335326437333232633830343532393532393630396132393637333032343831353565
+66383937376436366136353833373339626261386338623362346164633935376431333230386631
+36393263616438353862663434623563383834613039616338333637356636376462656133363731
+64623565326133303461396439383638323030333431663762656136636230383936343566633432
+38386565363332326463653863353234313434376534613533643830353631643761636261363063
+66356632323962383631393833323866346431666630383533633438346436626339373337333963
+33313838323437623062393834393730396432313263373738653934616561666361346239636433
+30396664363061316334316132626563326561646163356534336339343237653730303766623062
+32363632316536663234616464353239356433613036336165353039373534626361323162656438
+30656237363134663664363862383736636537663663613636336534643165343065386239333037
+63373065306439353138313639373665663565386231346631376134373237376339376536343365
+62636233366565363434373233346462616362303031383632323362313762393239323663636633
+61663430326363656462386463353563653035383161613831376631373039363939326637663837
+36656536666331656539336337396466636431633430393932653766663935366664316563353863
+35656138366261643234393733636330323436346432316239653738376232343363663139376632
+30303266396331326665326639306564393637373234636336623130643539623961323635633164
+33366436393933646265323665336431393162323636623039623066646363656238653538363766
+61653462363061363833623561373233643738633331643336656630663035626337333034316436
+31386161656364653330613739323065656233366234643664326262653438306338663731376631
+32326230313935643863623139613635353131383332633132653136343764303034623033653436
+63323039616165363764653061376139636536313635613266336135376339623737303839646564
+36366465323266313332323035326637623735633463646364366132653131393461313339373265
+37356365336139313562663135636535643764313235376265663732386230376466366236643438
+36343338646334363935623466616238623761656638626164313962346161663562396563633539
+30326661323161343832396638303631353536646330643162623136376237386336396333353064
+37303966313137663761616137353161623133313639613562643437333136303735373936336464
+36326261336139313863396131636463346661336639633263613933353564363933663663663265
+31636364376236326261623763616132646161363534646335303332626438626164363634626632
+34386231376233326132633235653037353061323730376335346437336639363134373133343762
+35383134393663666663656465356630383434633462303431633039323561623064353038616664
+31373231386335393561303966383535623636376335336534353134626566663738646466623033
+65363930623930646332326565363964363861616533643062353064303332373835653365303962
+62656661663538626166323764366464343430663064613364346465313934383263393233323530
+30613636366261633931313436373930643036376532633632346634323232616638346266646235
+62613839623336303430313461363631616532323365316166616535663438393530336534666561
+37373335653536326632363931613836653836373336363961383431383337363362663165633463
+34656361393666613766313134633564323839393731326564346361666664326131636635396630
+30616163633636353736643062323561643533663030333966616432313331306433343465373062
+63656163306331316530623066666162333464643262313964323563623966333061316235316433
+64396531663037666330643166613338373966616464336237336638653465383634346461396363
+32323365383331366531653461316631363264636562313831633337353033633364373731323634
+30663731663139343537663962623061663065643137643836326438646635376234616236633566
+64353866656434326663613833323237663530353139633765393466303037373061343861653639
+30396339363734376665373635343762643434623630623933643365663162646465303665313739
+39663533643434333765303533656662383562633037646561323763616137336164393231373134
+37333665313365303536633533636332663134336564323365653262623935366261633062303336
+61623963666638363437316335626639306263363264373366306163643930353735656332396263
+39346635323739663562653135663637323361393561623631646333633031316231653539333736
+65343330346561316561376163356439633939346433626266643366303739326239623136373935
+39336262643962383538646665633732336265363963343435353734393465323562393162613065
+38383532353833336263326265383665663261303137666537346162643738326230333732616365
+65376634376530663537653734646661626535626233653230306238376265356365333032353436
+32656664356130353838616430373362353765323430333036313064656464303263356637666439
+34396563333237626665633236346135613439363437323163623339626635616235363961373061
+37623832323738643238343034373537613736346236323130663838626232353031313137313536
+34643961323961646538643566613266383334646237633435623564663466616238333638363731
+62396466393034343864346133643632333837646164383235303031353435613565313166636632
+32623836313237376231656131323431393732636231653233613338393337626562313331363364
+31303038336533303933303439633730336662333064633334326666306164393131346232326566
+61313662373164313065623838313138396136623166623363363836303830616232376132653138
+66333133393833306264663238313064323462333164353138383563633136346432396663393436
+39636431393338656132663032366232326164313666386361303364633464323633633864316138
+39383435373863333035396538636437646633623466623164616130636464613336656565353137
+37623266336565383865373638376335313530623437656539613362313139303661363639313533
+62366662623737623239326437663265363034353464383238653037613436313130313764326337
+63316662333434333664333636366138623030326666613135313831643935633362303764623663
+64646339383563313661333130343131306237663533333366633365366466663365623766663634
+33306631616566363133616261633862373262333833316139383266316539656236333632613834
+65613964343162636264636231373139646164376336303932613933313335643661383039343965
+38316330343632316366636437376535663733303832306333303632393232623736386166376365
+31316562303634623138393831373961383566303334356133623631376334613165363831633130
+30633564626362393166333433333333623065656130666430636333373330613139346537386464
+61613463663663653465616333316461616237306636356663313963656135376333333631643536
+62386561336538643536373937653633313731653130376534303362326539373365356231626264
+35643633356361633962623466393334346432393134626331343761623438663632393465373436
+34393934316138663064663964306333623561636466616439363363376433356531353039373530
+34636338303537363962393435623066633863313934323634376233636230363736633432613164
+35623864323330343337643862333664356563366262623532633736386132323333656634653734
+31626162313161396566353636303765663265386637626433666162383636636535323664666436
+35393362353036616539303932616362623038636262653464336164303034626630643439653634
+61353061623137623261343733613061316336663430663231366265313066383732376135383666
+31646634663139656162366462326136393438653063323033323336303134326361363462393838
+30316435346364613563383237633964303764333265616561366638396334353764363832373638
+35356231663961623430323335323936656535666534323463383331363438393130363630636162
+32636231633761336264616235386437313035663461393131366236373137383630343039623733
+65353039306531303832396236623062306264383231656564316536373065633465336231303530
+66363839646464626332303931343331646563396634363064373231613531323336306339623131
+31333535323331306439353532343134363232343261393365333338633261653337356238326637
+30663036313464633137313761636666323838336537353633623665366230663838343665613235
+62656235343332383531313633383165656333633338336663656234316535633838303233623331
+63636665393764333938376432626564313832613334303264313532316665316631616238313966
+35336266316662343733636339333361303437386332386663346265373064656365346566323932
+33353864656361663139336434653464306364663635383466343165326432653066363435643232
+36636364343939663536393266303066626337386531623631373331656231323535323238353030
+65326139393766626539656130336265356561323630633638653861393934643766623338356635
+34366266386362646538636164616438613362373335393736373133643230373462633231306564
+32623865636162323265643864636134373664326361653162343537373432386161383930656137
+36303030623130363534333637653539303637303437613264333662336336306638626266646339
+63316234633261316564633562636238333035663165366136353432326634636136326233306536
+37353266333939316661636565636239613564343830653061323965623039346262373931633239
+39306330323730326134306634616566376532643762623832616363336134666539313335353036
+62306565616162376634316163663631653036643039663663376662323439653564393835343335
+38323063633062633563633165663163383337633035313964626533363434336535366566653565
+36633666663931613533616637383462346538623531386137303866313830333030616433393463
+37303431336530616431636434376539383133663465613632633661323738363938326265353838
+62653938653264613836303637303131326166333834316331343166353431366232663665306665
+64663934636631376337376539393238373630383230633235333530353335396433653461653864
+63313535333862343232613038346464363631353030353762386230303131623565343763643337
+63316633623733386533666430366637386462346437613533313666383833373764373165366264
+34366364353536363533366534373832666539336439326435393964333434636637656361633063
+65656332343132323262356534396266333433373039373037383531353132313664643031623333
+66356239643164356132373037333962613834346334626562343361323834633864346339353831
+38646335366633386135313034343534656563383565633039633962656364363632366230363833
+65323330336661363364353066306137613566303662386134323861393736616465643338303733
+62353364366537616338646437303762656138333630303838306136353031633261306238396433
+66336338343339643739386437653865643237363363613166393465633535333037356233626333
+36643836343335303662386566306565373830323031623336393666616636383535306630346136
+63656164356132346564326332363164353565653061363636653761346535353234666335383138
+34336163353065386263333034323336643035336237323236616339363637663634636236313764
+35303564313566393734343734663338323138653035343131653963353830363430303837386136
+63653763386638313739646264643465646134626661623837616432333437316162363533623234
+65306463373731313830376666396439303464313536353266623863373033636432666531393835
+30613266323733346633346139373137316134633534626238386132616438386234336564353263
+36633734646436373862636531386234326635656533653966613431653665623936313431343263
+37313566343135336264663965623365313666636434656161373563303738643862363831353837
+33383863306633376337386464656331376438663434313234633837633535333831373237636562
+31643332326562346461643636373539616661663464343333353630663965633565383266303937
+64336361366335366265653764386364366133386134626662313434633934613636653536663738
+64316532366563646633386430636264386333313530343466326634396636313965376330336465
+33316436333936626439303339393831666338396433313437333131356463363830323131396361
+66636566353831343163303665373235386338316338623561633933666336623963623666353635
+32373738643136656664386438363638303439663164646233666461663765633162393930626633
+31656330333031343231373835396162343561326632363366343039663830303631623734616265
+64343737396163653131333630663036643833393962356239323238343933323765366135323837
+63373865643435633934346535643833663739366439663535343632616339623766303938646237
+65386562366530646566316433636166326631623532353136643561353233383834346237633335
+37333564373732333165313961316161623134623363303734363764616237373639393333623864
+35666436643565353930636230396439313265316431653735323034303431356538353330393933
+64366535396464343133326661663836623631303261386163343136326566636530313765303964
+36643835666535393831376565326332323938663730333635666233373863663266643035303066
+66306639653530313539636631386234336432316361313633316134373136623433336165303437
+32643061653732613639653663306164366333353065663137356338653137343965346166353831
+39363361643633396338636562376335353339323662313832306436623564613961633035633761
+62313765383562663063653932616463653138646662656661333861313561313436613266656330
+34366264363731346332303866353232333464383834633238626138396237313533303933653437
+63376230303238656362306236326263336238303531616633313566363865353138663638353064
+65643831666664383931363561663830383062623733333838356232373036323561613831633338
+32383833316431633336336339363738396533653264313762336361316631303631343835346234
+66353164623637313264336363303834303037656232666631366337646430636438356631623865
+33653234393961376631396633393365303230656565363635386162643164623364383832343963
+38323865353436663364653965636137303362653934643836623266313830336331343136326466
+61666231633266316663333432353838636665306437643337383666303966313431623661633839
+32626332616434643636353662626338663264623365373932646462353635343962356463366532
+61386436356664663335386534656638393034646161313436366338616338353533373836363163
+33623132343361623934383139303633313436306130613637633761613764643338343064386266
+37636366643862323764376261646235653563353333333835356134646637336366303335386563
+65623862326633393661646438643761626435383835663166613239616363326632396337353966
+62626432326561656537643865313536333562623237633439613466356461393932356334386538
+64323430373230396433653062643335353565656262356636303632646136313262346562623464
+65666132653532616330306566623762613038306665356436343262366666303036323535316635
+36663238386538323362363632346436386137303034616335343438343739613233366433323066
+34376530396666643764623864383961313136383433393938323139643735366261366239376135
+64376330303866393562613233323231346439363566613163323236636565653431326438363562
+38633838313234656166326363353165356433383239646133363635633937623838636539376339
+33303365396636663364363366353130383861366537663437653839316433626137343131383166
+36376638306539376238313438396434646634616435373161383230303066356666656631383730
+32366439386132346666326566633265363838336530616539356263343262336465326235666230
+39343235366433396634323063666464333434616539303830363332396136303733336264343439
+65646232623163663235313638373365643463386435336634656463323338646562373132393433
+61313664643133323835323833613633373064393432303039613365663138633330633665636537
+61376232353838623839636133666664613536663163666339366661383463303937303561393633
+64383161356264646136383134666534636331663364353931343135343834376365326563303063
+30663464343736626266663561616262613532373865323132626262633763353535303839353138
+66306535633933386134303434396231353832323539396638626139613564633335613639346434
+31326162663832663239386661633238323333383133613264633232333133346163626232663736
+65353663613766613731323132393839373863393636643264623061313764313364633364383364
+34333263346261356638386130366464326262343834666532393666613131616337336530646137
+36613438613565303163666238643038636263313464363835313630306432616365303034633631
+62323433333865393531363164653464363335383565333333666164623637326365633130373930
+31393036356439376633623531616265323138626435323230333766323434383138313930643036
+34386236353030643236386135366430666263643562666430663138353930363333303736326333
+66306433373933373837343439366539323862393136313462373434396337363265346636343232
+37343636346133393134383330363338363765613431656265383139346165316436336533313131
+63383939316163323265396135636266383330306632666164633561656237376362383132663766
+30323038623631363730646639383737663037346561616531636131626566363465333938663937
+64336132623266336238353162356631646134376164333534353762353132646534333063323735
+66386434636430396532396264366433376532656365623561336535373236633430333537376562
+64633936346461626464356432396132396632653665326432366265323163303434656433633733
+37663634383935396362336561616362393534373636306461643431303563396335333037373362
+34353731313465383837313465366563353534393866396330343061393730376262656139663365
+61396639323066303662633634333030346335343234353736343335383832346165333430366263
+37626333343366623461333438383636353536393733643131396438613237313138343164636166
+61323332306437643764663466336661313833353539663366613934353333346134306633623331
+31653530336233666232343863666535373963646637323637666337333664373662653563353032
+34643434653466323937623561343530626665653836303633393739616434306130653664373164
+31373135356563373136396662666238616663303934393730383834373934333934633064376661
+63353665666433653965323935303634633338346564333530663862396333643564336363393733
+30613064356562313134613435613436373735383961373330386662366334613361653030643861
+35313562356266343361303438626438373335316430333032663834343138376535383235373561
+30353931633361306361346464313431393466356532613938643333316166376265313739646135
+63303235356630623933303763616432313662616431316535613564346666333132623037343930
+35333366356165636538353135663332373865623236666532376166323530373261353138646232
+31363164313036316462386535356564336231313563346230616139363631653934396430316563
+36316633336261333238383264396139363334366331613964666366653332366134383865366638
+63326239373261373964313337353531366535653931316533313430643362666336373338393535
+39373332646162333732333661663930636261623037343430386361313566656662666663313762
+66303734333663383335356230353463663534303865343464613330346163623565366134303535
+64373362393739613636323361333464343866626130396139623838366163303061626266346366
+30643261373031626433333665326431616435633834363837646330333061316633303862346339
+36356464336564666637323838643563363237343337333034343861616435316463356334373764
+62616361313038633439363838373662373138386265306338653634326138643263393735323862
+35303733316632636365646463613835613134303432383433313836303764623464393830316563
+32643964316434393838376139336465626536663139306634383533623064333831623331383539
+33366533393936636631316264623862313434613863373734636537363466373065613033316133
+36393661663333363239666132393036306266323230633763323430663239663834366535356436
+39623634323237633563656531313062623030353230363932623539386637333266363936656463
+66333538613861373163656331643062323265383036333532666361336566373930333435646261
+30653237346636346362353635623166303239643136643130396161303834623130323632643634
+65303837643564356134353233353635333562623461653030613138393064656130666433663361
+36326337333531636138386366613037326338646132343033376334616265663661383561383734
+35656634323634353866326564366261643131316430663730346436373036333330363632353334
+36353766633939366236393865666338653432326532393732626161353634643731336162363862
+39623339316333353739313235366432623663353935373234363933343362653437316564303366
+65623662623463663764386566653461626531396139373363656337623665313964363439356466
+31656666653662343232623833323132653565306637323638663537613466313632373266616631
+37393264346431323134653334396630316566663335333338663932306538316432343133663030
+65316663366131386636383366663830646162356134623730376332373135633561383234653130
+38666236633137343763303435613162643932626238663738383939616530356463373962363563
+32323263366664386535316164343833306362303665626232613064356433303835623036626331
+31363933626636383965356132366536373835646331623634666434303765636131636462343036
+30343564333463386430653432366665333761616465633232393034643534666238363738633539
+36323435386539323663363031646230343834366233346634376361653438353464666237393663
+35366666646236633366326236653338356531303466356436363466636566333935386665376137
+34646332316430386565666232376535343436386466383031383031636531326430323234353734
+30343766313361366465303332333962343836643963616235333361653730613466313165643761
+66386537366238323562393330303537343038336230303564613962363365393739663137393937
+64663461633564363137613963383433663061616330343031663061316133323234656361386531
+61323965393061633837646332646533386639613430363633306530343761653137383337613737
+31306530386638383039663731626239666666643034616636366232616636393935613830306631
+34366564366264323134316266333835666637616264323566326530643061323635346365383236
+37643231326631323863306333373935643336313132613437316330303239353561336139616631
+61656234633038323336356530653436336661313639363331323435633661333764316330363730
+31383038326261306163666366366431646339363864316263353965373464393233636132386432
+33653463636631623065333564393038376132303162616533326634636563366264366264353233
+34626163653633306433656233366633383366333033303862373766666134626662303138356265
+38383735353237663066363237663361343063633136636566633930666361366666366331643737
+61363663303736393030373236653238633238636330383939633231396630303465626630393061
+65383139626562366338386631396661616636646566663936633738393365326137633536326364
+65623330346633663034363433373038633632386465386132373066353365326536353130363833
+35346332363637363561643537376338313236356333623238393265616331643635646364313466
+39663363666538336434666463306433376164396434333738323234336565343162633266383038
+30323264626438636438383861626338313237363034613434313237363338613639616239303562
+61666134643131323964633562353035383836393237616264303866636135313338343266643733
+63646636646461343664643639353635306666613033373835326465373263643661353136663964
+62623833386338303762323563306231616539643637336433353638356535313333636535623639
+66393531633330363331626366363034383436303239306238366432333934626239303431666233
+30326138623635636530393838336638383064666563646666336632306538363030636431373430
+34303335666562313734373739353862343462623864643037386163656635633630346663646166
+32356533363636383636333361646663643462363632653130366437373030616237633735336664
+31663964383137663535653239613863363764336438653766393135316461666161363730616461
+62616330386366333738323434353963633365646238376430646564316334326262316137613965
+62363863316565663935653233643864663237623661666161363966363365396562666536653434
+63383635363139613834346235323563363039313330303162323766393936373634633464326430
+64633636623237633161653262393166393733656330633533323963663733303932353539313333
+34306163666266636566353639343066643764386132643562343032316230666630306364346136
+39613561313033343666343832643262306535616135346632353032633838613534376662363563
+65356364333038376434626264383837343739316130636635303636333135393764346466393039
+30386631626536646365636331313338386237386130333666643632663234323135353036666333
+66353136326161313630386637633864386638333636623461376534383565623065323233396135
+33376234363030643364643033633232663562643836666338643638613562353636363837303832
+36396631386565623530613463333432376561663937313661373362373839663532383334343861
+39616537356266316532633631383039313130386466366638373735643666306238323763366663
+32303237303335336161346332373732656334623833633934643037353638623566653436616637
+63656263333765653130663561643566396165306337346363346263306263616361306263616139
+30313031323764623032653239336165646365373262306438653563366533303566333536616530
+37336631623330663330383235376432393236313762323830333566626436373461646533383032
+34366639623536643735393831663061376662653531323562366331336532313735633365316562
+65363534306536343733326366656461656464356435393566333536333938353939653137623166
+32656336373265323136396263633439636136633038373930666133626535336563386462323864
+66393335633735303462363137663538373562383266343235396330656263626232363466643566
+30613430313235613935616464366131663161653133343562343666626263383236623461333232
+62663738653362393531373938356635336437386636616439653362666137303665316534393266
+35376539343633383661306430626636373566626363333432386464326165646134636161366331
+64336333323739613133303533373733613666383133623365303237653436363532343339393866
+34303561663164646563623065393632646535663336636361643566376437366632663338373434
+64656631386336643136323763363835663266313536393438623833323461356461613737623035
+37303534326233663237326531346164616139323132666436356536363339333439616433316462
+34383238366639343831666366613966383364643965316239306464333837356263626230633535
+62633562363464343531313737663838303031346438323535353132303561396438663931666330
+31343038313262346431316363623338613030336265386530303937363631643838613737363164
+31393635623333643931373533303533373438386636626265343934336139343335313037363239
+65356531343435363538383563366137643135306565393631316364336234633335313232656537
+34333539663732663763303761376436356436666266633738613632663466326334623262376533
+30656430323935303838386364306631303139376336306533616663346433613736383634626138
+32666330616236623033303539353739353236303366306561366433633731623466336632616262
+35353434323264303861353461333139663039663939323932616336336632366431643437653435
+30316537663230333964393933303062396665396461363330653062313366303738613632636266
+62393632313835633036333439373236653063613163303861316137623666623034346466663162
+62303535616664363536646162376239343132393565383535343462333062363335643665653937
+31666162303839343231623865666336376131623164356638363435356163643831666236663466
+35626638313865393864643166616233356462363365303138653762666561626338323066626530
+65333363306336316132303566616435633463373165316434346232323066323833356465353061
+39363565373439343534306438373935313237323465616435343838656263656233356665326533
+61316437393064313836623130303333356232353564626435626634666438366134306236313561
+64366362343537326665303830646535343433313266653661633365666263643634386538356263
+38616239303065373635383932333938393461333734393436383363303239646133383235323431
+38643236363366313431393462313635623038323733393930333530653865366639323630326234
+31653861393135353739306363336265376232663461613465633662346433343265333438366532
+30356132643531373034653661666235343631623431643533393265633936303930316563363066
+30616366653962396134623237656165626334653636383434356466666566393766333063366665
+34303836646331386531306261363030366330343935333533343933646566666665353334656230
+32323236343736646436356265663933626237356265366163663264313032306231303535383333
+64656437346336303237656661653135336665353264383236336362643064346461646531346635
+36306436383431653334656433383666386635333761333932333966393631373363616163653365
+30333837616562663462316265326264393239613861613363633032396337346639343238633931
+32333936303733376239316466643534656630313961393730336664393337386465343639393331
+33363661303037376461
--- a/group_vars/stage_demompmx/vault_postgres.yml
+++ b/group_vars/stage_demompmx/vault_postgres.yml
@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+65656638316434663066316265653231653037616465653633313665333537633062326265353237
+3730363261386331356431653336383531336565373331630a336431303535366239623061333663
+63333832653730643634373639393930363036353435666434343663393365633130323235643430
+3434653836386561340a643932376436626533323762663764646663323532376462343862653231
+65393532303639616663306364636530316136366632623862663430313732353033663236323563
+62306239626135643935373232363266386639326532306138386631386361313834353632643438
+33316439613235313465646265356239623230623431373064386130353539353231666535393462
+36383739613231373533663435636266383335343565666561646537313530306363303735376164
+3838
--- a/group_vars/stage_demompmx/versions.yml
+++ b/group_vars/stage_demompmx/versions.yml
@ -0,0 +1,15 @@
+---
+
+keycloak_version: "21.0.2.7"
+
+pgadmin4_version: "7.1"
+
+prom_alertmanager_version: "v0.25.0"
+prom_blackbox_exporter_version: "v0.23.0"
+prom_prometheus_version: "v2.44.0"
+prom_prom2teams_version: "3.2.3" # TODO 4.2.1
+
+traefik_version: "v2.10.1"
+
+connect_version: "10.5"
+iam_version: "10.5"
--- a/group_vars/stage_dev/bootstrap.yml
+++ b/group_vars/stage_dev/bootstrap.yml
@ -1,7 +1,4 @@
 ---
-
-argocd_bootstrap_infrastructure: true
-
 harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
 harbor_bootstrap_helm_name: "infrastructure"
 harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
--- a/group_vars/stage_dev/grafana.yml
+++ b/group_vars/stage_dev/grafana.yml
@ -1,2 +0,0 @@
---
-grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"
--- a/group_vars/stage_dev/plain.yml
+++ b/group_vars/stage_dev/plain.yml
@ -4,47 +4,19 @@ stage_kube: "{{ stage }}nso"

 # TODO read configuration with hetzner rest api
 shared_service_network: "10.0.0.0/16"
-shared_service_pg_master_ip: "{{ stage_server_infos
-  | selectattr('name', 'match', stage + '-postgres-01' )
-  | map(attribute='private_ip')
-  | list
-  | first
-  | default('-') }}"
-shared_service_pg_slave_ip: "{{ stage_server_infos
-  | selectattr('name', 'match', stage + '-postgres-02' )
-  | map(attribute='private_ip')
-  | list
-  | first
-  | default('-') }}"
-
-shared_service_maria_hostname: "{{ stage }}-maria-01"
-shared_service_postgres_01_hostname: "{{ stage }}-postgres-01"
-shared_service_postgres_02_hostname: "{{ stage }}-postgres-02"
+
 shared_service_elastic_stack_01_hostname: "{{ stage }}-elastic-stack-elastic-01"
 shared_service_elastic_stack_02_hostname: "{{ stage }}-elastic-stack-elastic-02"
 shared_service_elastic_stack_03_hostname: "{{ stage }}-elastic-stack-elastic-03"
-shared_service_elastic_stack_logstash_01_hostname: "{{ stage }}-elastic-stack-logstash-01"
+shared_service_logstash_hostname: "{{ stage }}-elastic-stack-logstash-01"

 shared_service_iam_hostname: "{{ stage }}-iam-01.{{ domain_env }}"
 shared_service_mail_hostname: "{{ stage }}-mail-01.{{ domain_env }}"
 shared_service_gitea_hostname: "{{ stage }}-gitea-01.{{ domain_env }}"
-shared_service_redis_hostname: "{{ stage }}-redis-01.{{ domain_env }}"
 shared_service_pdns_hostname: "{{ stage }}-pdns-01.{{ domain_env }}"
-shared_service_webdav_hostname: "{{ stage }}-webdav-01.{{ domain_env }}"
-
-harbor_oidc_realm: "harbor"
-harbor_oidc_client_id: "harbor"
-harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
-harbor_oidc_admin_username: "harbor-admin"
-harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
-
-management_oidc_realm: "management"
-management_oidc_client_id: "smardigo"

 connect_jwt_enabled: true
 connect_jwt_secret: "908ae14462d049d3be84964ef379c7c6"
-webdav_jwt_enabled: true
-webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"

@ -56,11 +28,6 @@ grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
 pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"

-management_admin_username: "management-admin"
-management_admin_password: "{{ management_admin_password_vault }}"
-management_realm_admin_username: "management-realm-admin"
-management_realm_admin_password: "{{ management_realm_admin_password_vault }}"
-
 harbor_admin_username: "{{ harbor_admin_username_vault }}"
 harbor_admin_password: "{{ harbor_admin_password_vault }}"
 harbor_postgresql_password: "{{ harbor_postgresql_password_vault }}"
@ -78,11 +45,6 @@ gitea_admin_password: "{{ gitea_admin_password_vault }}"
 gitea_realm_admin_username: "gitea-realm-admin"
 gitea_realm_admin_password: "gitea-realm-admin"

-argocd_admin_username: "argocd-admin"
-argocd_admin_password: "{{ argocd_admin_password_vault }}"
-argo_keycloak_client_secret: "{{ argo_keycloak_client_secret_vault }}"
-argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
-
 awx_admin_username: "awx-admin"
 awx_admin_password: "{{ awx_admin_password_vault }}"

@ -97,8 +59,6 @@ alertmanager_admin_password_htpasswd: "{{ alertmanager_admin_password_htpasswd_v
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"

-management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
-
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
--- a/group_vars/stage_devscr/bootstrap.yml
+++ b/group_vars/stage_devscr/bootstrap.yml
@ -1,15 +1,12 @@
 ---
-
-argocd_bootstrap_infrastructure: true
-
 harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
 harbor_bootstrap_helm_name: "infrastructure"
 harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
 harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault }}"

+gitea_bootstrap_url: "https://{{ stage_kube }}-gitea.smardigo.digital/{{ stage }}/{{ stage }}-argocd"
 gitea_bootstrap_username: "{{ gitea_admin_username }}"
 gitea_bootstrap_password: "{{ gitea_admin_password }}"
-gitea_bootstrap_url: "https://{{ stage_kube }}-gitea.smardigo.digital/{{ stage }}/{{ stage }}-argocd"

 custom_ip_whitelist:
  - '94.130.225.244'
--- a/group_vars/stage_prodnso/bootstrap.yml
+++ b/group_vars/stage_prodnso/bootstrap.yml
@ -1,7 +1,4 @@
 ---
-
-argocd_bootstrap_infrastructure: true
-
 harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
 harbor_bootstrap_helm_name: "infrastructure"
 harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
@ -9,4 +6,4 @@ harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault}}"

 gitea_bootstrap_url: "https://prodnso-gitea-01.smardigo.digital/prodnso/prodnso-argocd"
 gitea_bootstrap_username: "{{ gitea_admin_username }}"
-gitea_bootstrap_password: "{{ gitea_admin_password }}"
+gitea_bootstrap_password: "{{ gitea_admin_password }}"
--- a/group_vars/stage_prodnso/grafana.yml
+++ b/group_vars/stage_prodnso/grafana.yml
@ -1,2 +0,0 @@
---
-grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"
--- a/group_vars/stage_prodnso/plain.yml
+++ b/group_vars/stage_prodnso/plain.yml
@ -4,47 +4,18 @@ stage_kube: "{{ stage }}"

 # TODO read configuration with hetzner rest api
 shared_service_network: "10.0.0.0/16"
-shared_service_pg_master_ip: "{{ stage_server_infos
-  | selectattr('name', 'match', stage + '-postgres-01' )
-  | map(attribute='private_ip')
-  | list
-  | first
-  | default('-') }}"
-shared_service_pg_slave_ip: "{{ stage_server_infos
-  | selectattr('name', 'match', stage + '-postgres-02' )
-  | map(attribute='private_ip')
-  | list
-  | first
-  | default('-') }}"
-
-shared_service_maria_hostname: "{{ stage }}-maria-01"
-shared_service_postgres_01_hostname: "{{ stage }}-postgres-01"
-shared_service_postgres_02_hostname: "{{ stage }}-postgres-02"
+
 shared_service_elastic_stack_01_hostname: "{{ stage }}-elastic-stack-elastic-01"
 shared_service_elastic_stack_02_hostname: "{{ stage }}-elastic-stack-elastic-02"
 shared_service_elastic_stack_03_hostname: "{{ stage }}-elastic-stack-elastic-03"
-shared_service_elastic_stack_logstash_01_hostname: "{{ stage }}-elastic-stack-logstash-01"
-
+shared_service_logstash_hostname: "{{ stage }}-elastic-stack-logstash-01"
 shared_service_iam_hostname: "{{ stage }}-iam-01.{{ domain_env }}"
 shared_service_mail_hostname: "{{ stage }}-mail-01.{{ domain_env }}"
 shared_service_gitea_hostname: "{{ stage }}-gitea-01.{{ domain_env }}"
-shared_service_redis_hostname: "{{ stage }}-redis-01.{{ domain_env }}"
 shared_service_pdns_hostname: "{{ stage }}-pdns-01.{{ domain_env }}"
-shared_service_webdav_hostname: "{{ stage }}-webdav-01.{{ domain_env }}"
-
-harbor_oidc_realm: "harbor"
-harbor_oidc_client_id: "harbor"
-harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
-harbor_oidc_admin_username: "harbor-admin"
-harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
-
-management_oidc_realm: "management"
-management_oidc_client_id: "smardigo"

 connect_jwt_enabled: true
 connect_jwt_secret: "908ae14462d049d3be84964ef379c7c6"
-webdav_jwt_enabled: true
-webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"

@ -56,11 +27,6 @@ grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
 pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"

-management_admin_username: "management-admin"
-management_admin_password: "{{ management_admin_password_vault }}"
-management_realm_admin_username: "management-realm-admin"
-management_realm_admin_password: "{{ management_realm_admin_password_vault }}"
-
 harbor_admin_username: "{{ harbor_admin_username_vault }}"
 harbor_admin_password: "{{ harbor_admin_password_vault }}"
 harbor_postgresql_password: "{{ harbor_postgresql_password_vault }}"
@ -78,11 +44,6 @@ gitea_admin_password: "{{ gitea_admin_password_vault }}"
 gitea_realm_admin_username: "gitea-realm-admin"
 gitea_realm_admin_password: "gitea-realm-admin"

-argocd_admin_username: "argocd-admin"
-argocd_admin_password: "{{ argocd_admin_password_vault }}"
-argo_keycloak_client_secret: "{{ argo_keycloak_client_secret_vault }}"
-argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
-
 awx_admin_username: "awx-admin"
 awx_admin_password: "{{ awx_admin_password_vault }}"

@ -97,8 +58,6 @@ alertmanager_admin_password_htpasswd: "{{ alertmanager_admin_password_htpasswd_v
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"

-management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
-
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
--- a/group_vars/stage_prodwork01/bootstrap.yml
+++ b/group_vars/stage_prodwork01/bootstrap.yml
@ -1,12 +1,9 @@
 ---
-
-argocd_bootstrap_infrastructure: True
-
 harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
 harbor_bootstrap_helm_name: "infrastructure"
 harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
 harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault}}"

+gitea_bootstrap_url: "https://prodnso-gitea-01.smardigo.digital/argocd/prodwork01-argocd"
 gitea_bootstrap_username: "{{ gitea_bootstrap_username_vault }}"
 gitea_bootstrap_password: "{{ gitea_bootstrap_password_vault }}"
-gitea_bootstrap_url: "https://prodnso-gitea-01.smardigo.digital/argocd/prodwork01-argocd"
--- a/group_vars/stage_qa/bootstrap.yml
+++ b/group_vars/stage_qa/bootstrap.yml
@ -1,7 +1,4 @@
 ---
-
-argocd_bootstrap_infrastructure: true
-
 harbor_bootstrap_helm_url: "prodnso-harbor-01.smardigo.digital/infrastructure"
 harbor_bootstrap_helm_name: "infrastructure"
 harbor_bootstrap_username: "{{ harbor_bootstrap_username_vault }}"
@ -9,4 +6,4 @@ harbor_bootstrap_password: "{{ harbor_bootstrap_password_vault}}"

 gitea_bootstrap_url: "https://qa-gitea-01.smardigo.digital/qanso/qanso-argocd"
 gitea_bootstrap_username: "{{ gitea_admin_username }}"
-gitea_bootstrap_password: "{{ gitea_admin_password }}"
+gitea_bootstrap_password: "{{ gitea_admin_password }}"
--- a/group_vars/stage_qa/grafana.yml
+++ b/group_vars/stage_qa/grafana.yml
@ -1,2 +0,0 @@
---
-grafana_smardigo_password: "{{ grafana_smardigo_password_vault }}"
--- a/group_vars/stage_qa/plain.yml
+++ b/group_vars/stage_qa/plain.yml
@ -4,47 +4,19 @@ stage_kube: "{{ stage }}nso"

 # TODO read configuration with hetzner rest api
 shared_service_network: "10.1.0.0/16"
-shared_service_pg_master_ip: "{{ stage_server_infos
-  | selectattr('name', 'match', stage + '-postgres-01' )
-  | map(attribute='private_ip')
-  | list
-  | first
-  | default('-') }}"
-shared_service_pg_slave_ip: "{{ stage_server_infos
-  | selectattr('name', 'match', stage + '-postgres-02' )
-  | map(attribute='private_ip')
-  | list
-  | first
-  | default('-') }}"
-
-shared_service_maria_hostname: "{{ stage }}-maria-01"
-shared_service_postgres_01_hostname: "{{ stage }}-postgres-01"
-shared_service_postgres_02_hostname: "{{ stage }}-postgres-02"
+
 shared_service_elastic_stack_01_hostname: "{{ stage }}-elastic-stack-elastic-01"
 shared_service_elastic_stack_02_hostname: "{{ stage }}-elastic-stack-elastic-02"
 shared_service_elastic_stack_03_hostname: "{{ stage }}-elastic-stack-elastic-03"
-shared_service_elastic_stack_logstash_01_hostname: "{{ stage }}-elastic-stack-logstash-01"
+shared_service_logstash_hostname: "{{ stage }}-elastic-stack-logstash-01"

 shared_service_iam_hostname: "{{ stage }}-iam-01.{{ domain_env }}"
 shared_service_mail_hostname: "{{ stage }}-mail-01.{{ domain_env }}"
 shared_service_gitea_hostname: "{{ stage }}-gitea-01.{{ domain_env }}"
-shared_service_redis_hostname: "{{ stage }}-redis-01.{{ domain_env }}"
 shared_service_pdns_hostname: "{{ stage }}-pdns-01.{{ domain_env }}"
-shared_service_webdav_hostname: "{{ stage }}-webdav-01.{{ domain_env }}"
-
-harbor_oidc_realm: "harbor"
-harbor_oidc_client_id: "harbor"
-harbor_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
-harbor_oidc_admin_username: "harbor-admin"
-harbor_oidc_admin_password: "{{ harbor_oidc_admin_password_vault }}"
-
-management_oidc_realm: "management"
-management_oidc_client_id: "smardigo"

 connect_jwt_enabled: true
 connect_jwt_secret: "908ae14462d049d3be84964ef379c7c6"
-webdav_jwt_enabled: true
-webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"

@ -56,11 +28,6 @@ grafana_signing_secret: "{{ grafana_signing_secret_vault }}"
 pgadmin4_admin_username: "{{ pgadmin4_admin_email }}"
 pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"

-management_admin_username: "management-admin"
-management_admin_password: "{{ management_admin_password_vault }}"
-management_realm_admin_username: "management-realm-admin"
-management_realm_admin_password: "{{ management_realm_admin_password_vault }}"
-
 harbor_admin_username: "{{ harbor_admin_username_vault }}"
 harbor_admin_password: "{{ harbor_admin_password_vault }}"
 harbor_postgresql_password: "{{ harbor_postgresql_password_vault }}"
@ -78,11 +45,6 @@ gitea_admin_password: "{{ gitea_admin_password_vault }}"
 gitea_realm_admin_username: "gitea-realm-admin"
 gitea_realm_admin_password: "gitea-realm-admin"

-argocd_admin_username: "argocd-admin"
-argocd_admin_password: "{{ argocd_admin_password_vault }}"
-argo_keycloak_client_secret: "{{ argo_keycloak_client_secret_vault }}"
-argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
-
 awx_admin_username: "awx-admin"
 awx_admin_password: "{{ awx_admin_password_vault }}"

@ -97,8 +59,6 @@ alertmanager_admin_password_htpasswd: "{{ alertmanager_admin_password_htpasswd_v
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"

-management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
-
 # smardigo automation {{ stage }} gpg key
 # https://git.dev-at.de/smardigo-hetzner/communication-keys/
 # push mirror: https://{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys/
--- a/group_vars/webdav/plain.yml
+++ b/group_vars/webdav/plain.yml
@ -1,9 +0,0 @@
---
-
-hetzner_server_type: cpx11
-hetzner_server_labels: "stage={{ stage }} service=webdav"
-
-webdav_postgres_host: "{{ shared_service_postgres_01_hostname }}"
-webdav_postgres_database: "{{ stage }}_webdav"
-webdav_postgres_username: "{{ webdav_postgres_database }}"
-webdav_postgres_password: "webdav-postgres-admin"
--- a/host_vars/demompmx-postgres01-01.yml
+++ b/host_vars/demompmx-postgres01-01.yml
@ -0,0 +1,4 @@
+---
+
+hetzner_server_type: cpx21
+server_type: "master"
--- a/host_vars/demompmx-postgres01-02.yml
+++ b/host_vars/demompmx-postgres01-02.yml
@ -0,0 +1,4 @@
+---
+
+hetzner_server_type: cpx21
+server_type: "slave"
--- a/host_vars/prodwork01-keycloak-01.yml
+++ b/host_vars/prodwork01-keycloak-01.yml
@ -1,4 +0,0 @@
---
-keycloak_external_subdomain: "{{ inventory_hostname }}"
-
-keycloak_compact_tls_cert_resolver: letsencrypt
--- a/import-database.yml
+++ b/import-database.yml
@ -37,10 +37,20 @@
        - "stage_{{ stage }}"
      changed_when: False

+#############################################################
+#   Importing database backups for created inventory
+#############################################################
+
+- hosts: "{{ stage }}-virtual-host-to-read-groups-vars"
+  serial: "{{ serial_number | default(1) }}"
+  gather_facts: false
+  connection: local
+  run_once: true
+
  tasks:
-    - name: Add maria servers to hosts if necessary
+    - name: "Add maria server to hosts if necessary"
      add_host:
-        name: "{{ stage }}-maria-01"
+        name: "{{ shared_service_maria_primary }}"
        groups:
        - "stage_{{ stage }}"
        - "{{ item }}"
--- a/initialize-stage.yml
+++ b/initialize-stage.yml
@ -0,0 +1,240 @@
+---
+
+### tags:
+###   update_database
+###   update_deployment (keycloak, iam, connect)
+###   update_realms
+###   update_harbor_realm
+###   update_argocd_realm
+###   update_gitea_realm
+###   update_awx_realm
+###   update_connect_realm
+###   update_harbor
+###   update_connections (connect)
+###   update_configurations (connect)
+
+#############################################################
+#   Setup stage default databases (postgres)
+#############################################################
+
+- name: 'apply setup to {{ host | default("postgres") }}'
+  hosts: '{{ host | default("postgres") }}'
+  serial: "{{ serial_number | default(5) }}"
+  become: true
+  vars:
+    ansible_ssh_host: "{{ stage_server_domain }}"
+
+  pre_tasks:
+    - name: "Import constraints check"
+      import_tasks: tasks/constraints_check.yml
+      tags:
+        - always
+
+  tasks:
+    - name: "Updating databases on {{ inventory_hostname }}"
+      include_role:
+        name: postgres
+        tasks_from: _update_database_state
+        apply:
+          tags:
+            - update_database
+      tags:
+        - update_database
+      vars:
+        postgres_acls: "{{ stage_postgres_acls }}"
+
+#############################################################
+#   Setup stage keycloak with stage default realms
+#############################################################
+
+- name: 'apply setup to {{ host | default("keycloak") }}'
+  hosts: '{{ host | default("keycloak") }}'
+  serial: "{{ serial_number | default(5) }}"
+  vars:
+    ansible_ssh_host: "{{ stage_server_domain }}"
+
+  pre_tasks:
+    - name: "Import autodiscover pre-tasks"
+      import_tasks: tasks/autodiscover_pre_tasks.yml
+      become: false
+      tags:
+        - always
+
+  tasks:
+    - name: "Install server based keycloak"
+      include_role:
+        name: keycloak
+      vars:
+        keycloak_postgres_database: "{{ stage_database_management_keycloak_name }}"
+        keycloak_postgres_username: "{{ stage_database_management_keycloak_name }}"
+        keycloak_postgres_password: "{{ stage_database_management_keycloak_password }}"
+        shared_service_hostname_harbor: "{{ shared_service_kube_hostname_harbor }}/prodnso"
+      tags:
+        - update_deployment
+
+    - name: "Setup stage harbor realm"
+      include_role:
+        name: harbor_realm
+        apply:
+          tags:
+            - update_realms
+            - update_harbor_realm
+      tags:
+        - update_realms
+        - update_harbor_realm
+      vars:
+        current_realm_password_policy: ""
+
+    - name: "Setup stage argocd realm"
+      include_role:
+        name: argocd_realm
+        apply:
+          tags:
+            - update_realms
+            - update_argocd_realm
+      tags:
+        - update_realms
+        - update_argocd_realm
+      vars:
+        current_realm_password_policy: ""
+
+    - name: "Setup stage gitea realm"
+      include_role:
+        name: gitea_realm
+        apply:
+          tags:
+            - update_realms
+            - update_gitea_realm
+      tags:
+        - update_realms
+        - update_gitea_realm
+      vars:
+        current_realm_password_policy: ""
+
+    - name: "Setup stage awx realm"
+      include_role:
+        name: awx_realm
+        apply:
+          tags:
+            - update_realms
+            - update_awx_realm
+      tags:
+        - update_realms
+        - update_awx_realm
+      vars:
+        current_realm_password_policy: ""
+
+    - name: "Setup stage connect realm"
+      include_role:
+        name: connect_realm
+        apply:
+          tags:
+            - update_realms
+            - update_connect_realm
+      tags:
+        - update_realms
+        - update_connect_realm
+      vars:
+        current_realm_password_policy: ""
+        current_realm_name: "stage-connect" # TODO migrate from realm infrastructure
+        current_realm_users_base:
+          - username: "{{ management_admin_username }}"
+            password: "{{ management_admin_password }}"
+            email: "{{ connect_admin_email }}"
+            firstName: "Netgo"
+            lastName: "Administrator"
+            requiredActions: []
+        connect_client_id: "connect"
+        client_web_origin_connect: "{{ shared_service_url_management }}"
+        connect_oidc_client_secret: "{{ management_oidc_client_secret }}"
+
+#############################################################
+#   Setup stage harbor configuration
+#############################################################
+
+- name: 'apply setup to {{ host | default("virtual") }}'
+  hosts: '{{ host | default("virtual") }}'
+  serial: "{{ serial_number | default(5) }}"
+  connection: local
+  gather_facts: no
+  become: no
+
+  pre_tasks:
+    - name: "Import autodiscover pre-tasks"
+      import_tasks: tasks/autodiscover_pre_tasks.yml
+      become: false
+      tags:
+        - always
+
+  tasks:
+    - name: "Setup stage harbor configuration"
+      include_role:
+        name: harbor_config
+        apply:
+          tags:
+            - update_harbor
+      tags:
+        - update_harbor
+
+#############################################################
+#   Setup stage iam
+#############################################################
+
+- name: 'apply setup to {{ host | default("iam") }}'
+  hosts: '{{ host | default("iam") }}'
+  serial: "{{ serial_number | default(5) }}"
+  become: true
+  vars:
+    ansible_ssh_host: "{{ stage_server_domain }}"
+
+  pre_tasks:
+    - name: "Import autodiscover pre-tasks"
+      import_tasks: tasks/autodiscover_pre_tasks.yml
+      become: false
+      tags:
+        - always
+
+  tasks:
+    - name: "Install server based iam"
+      include_role:
+        name: iam
+      tags:
+        - update_deployment
+
+#############################################################
+#   
+#############################################################
+
+- name: 'apply setup to {{ host | default("management") }}'
+  hosts: '{{ host | default("management") }}'
+  serial: "{{ serial_number | default(5) }}"
+  become: true
+  vars:
+    ansible_ssh_host: "{{ stage_server_domain }}"
+
+  pre_tasks:
+    - name: "Import autodiscover pre-tasks"
+      import_tasks: tasks/autodiscover_pre_tasks.yml
+      become: false
+      tags:
+        - always
+
+  tasks:
+    - name: "Install server based connect"
+      include_role:
+        name: management
+      vars:
+        current_realm_name: "{{ management_oidc_realm }}"
+        connect_postgres_database: "{{ stage_database_management_connect_name }}"
+      tags:
+        - update_deployment
+
+    - name: "Setup stage connect configuration"
+      include_role:
+        name: management
+      vars:
+        current_realm_name: "{{ management_oidc_realm }}"
+        connect_postgres_database: "{{ stage_database_management_connect_name }}"
+      tags:
+        - update_connections
+        - update_configurations
--- a/pmci-database-backup-create.yml
+++ b/pmci-database-backup-create.yml
@ -1,62 +1,10 @@
 ---

-# Parameters:
-#   playbook inventory
-#     stage := the name of the stage (e.g. dev, int, qa, prod)
-#     tenant := object with tenant related data
-#       key := 
-#       name := 
-#     cluster := object with cluster specific data (optional)
-#       ...
-#     data := object with action specific data (optional)
-#       custom_backup_name := 
-#   smardigo message callback
-#     scope_id := (scope id of the management process)
-#     process_instance_id := (process instance id of the management process)
-#     smardigo_management_action := (smardigo management action anme of the management process)
-
 #############################################################
 #   Creating inventory dynamically for given parameters
 #############################################################

- hosts: localhost
-  connection: local
-  gather_facts: false
-
-  pre_tasks:
-    - name: "Import constraints check"
-      import_tasks: tasks/constraints_check.yml
-      tags:
-        - always
-
-#     add virtual server to load stage specific variables as context
-    - name: "Add <{{ stage }}-virtual-host-to-read-groups-vars> to hosts"
-      add_host:
-        name: "{{ stage }}-virtual-host-to-read-groups-vars"
-        groups:
-        - "stage_{{ stage }}"
-      changed_when: False
-
-  tasks:
-    - name: "Add postgres servers to hosts if necessary"
-      add_host:
-        name: "{{ stage }}-postgres-01"
-        groups:
-        - "stage_{{ stage }}"
-        - "{{ item }}"
-      changed_when: False
-      with_items: "{{ cluster_features }}"
-      when: item in ['connect']
-
-    - name: "Add maria servers to hosts if necessary"
-      add_host:
-        name: "{{ stage }}-maria-01"
-        groups:
-        - "stage_{{ stage }}"
-        - "{{ item }}"
-      changed_when: False
-      with_items: "{{ cluster_features }}"
-      when: item in ['connect_wordpress']
+- import_playbook: pmci-inventory-database.yml

 #############################################################
 #   Creating database backups for created inventory
@ -68,6 +16,9 @@
  vars:
    database_backup_state: dump
    ansible_ssh_host: "{{ stage_server_domain }}"
+    tenant_id: "{{ tenant.key }}" # legacy paramater, backwards compatibility
+    cluster_name: "{{ cluster.key }}" # legacy paramater, backwards compatibility
+    custom_backup_name: "backup" # legacy paramater, backwards compatibility

  roles:
    - role: connect_postgres
--- a/pmci-database-backup-import.yml
+++ b/pmci-database-backup-import.yml
@ -40,7 +40,7 @@
  tasks:
    - name: Add maria servers to hosts if necessary
      add_host:
-        name: "{{ stage }}-maria-01"
+        name: "{{ shared_service_maria_primary }}"
        groups:
        - "stage_{{ stage }}"
        - "{{ item }}"
--- a/pmci-database-backup-restore.yml
+++ b/pmci-database-backup-restore.yml
@ -1,55 +1,10 @@
 ---

-# restores a database backup
-#   - postgres
-#     - executed on stage specific server: {{ stage }}-postgres-01
-#     - restores a database backup 
-
-# Parameters:
-#   playbook inventory
-#     stage := the name of the stage (e.g. dev, int, qa, prod)
-#     tenant_id := (unique key for the tenant, e.g. customer)
-#     cluster_name := (business name for the cluster, e.g. product, department )
-#     cluster_service := (service to setup, e.g. 'connect', ...)
-#     cluster_features := (optional features to use, e.g. ['wordpress', 'resubmission', ...])
-#     custom_backup_name := defines a substring for backup file => {{ stage }}_{{ tenant_id }}_{{ cluster_name }}_{{ cluster_service }}__gehtdichnixan.sql
-#   smardigo message callback
-#     scope_id := (scope id of the management process)
-#     process_instance_id := (process instance id of the management process)
-#     smardigo_management_action := (smardigo management action anme of the management process)
-
 #############################################################
 #   Creating inventory dynamically for given parameters
 #############################################################

- hosts: localhost
-  connection: local
-  gather_facts: false
-
-  pre_tasks:
-    - name: "Import constraints check"
-      import_tasks: tasks/constraints_check.yml
-      tags:
-        - always
-
-#     add virtual server to load stage specific variables as context
-    - name: "Add <{{ stage }}-virtual-host-to-read-groups-vars> to hosts"
-      add_host:
-        name: "{{ stage }}-virtual-host-to-read-groups-vars"
-        groups:
-        - "stage_{{ stage }}"
-      changed_when: False
-
-  tasks:
-    - name: "Add postgres servers to hosts if necessary"
-      add_host:
-        name: "{{ stage }}-postgres-01"
-        groups:
-        - "stage_{{ stage }}"
-        - "{{ item }}"
-      changed_when: False
-      with_items: "{{ cluster_features }}"
-      when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'pdns']
+- import_playbook: pmci-inventory-database.yml

 #############################################################
 #   Restoring databases for created inventory
@ -61,6 +16,9 @@
  vars:
    database_backup_state: restore
    ansible_ssh_host: "{{ stage_server_domain }}"
+    tenant_id: "{{ tenant.key }}" # legacy paramater, backwards compatibility
+    cluster_name: "{{ cluster.key }}" # legacy paramater, backwards compatibility
+    custom_backup_name: "backup" # legacy paramater, backwards compatibility

  roles:
    - role: connect_postgres
--- a/pmci-database-create.yml
+++ b/pmci-database-create.yml
@ -50,9 +50,6 @@
    - role: keycloak_postgres
      when: "'keycloak' in group_names"

-    - role: webdav_postgres
-      when: "'webdav' in group_names"
-
    - role: connect_wordpress_maria
      when: "'connect_wordpress' in group_names"

--- a/pmci-database-delete.yml
+++ b/pmci-database-delete.yml
@ -51,9 +51,6 @@
    - role: keycloak_postgres
      when: "'keycloak' in group_names"

-    - role: webdav_postgres
-      when: "'webdav' in group_names"
-
    - role: connect_wordpress_maria
      when: "'connect_wordpress' in group_names"

--- a/pmci-inventory-database.yml
+++ b/pmci-inventory-database.yml
@ -27,7 +27,8 @@
      tags:
        - always

-#     add virtual server to load stage specific variables as context
+  tasks:
+#   add virtual server to load stage specific variables as context
    - name: "Add <{{ stage }}-virtual-host-to-read-groups-vars> to hosts"
      add_host:
        name: "{{ stage }}-virtual-host-to-read-groups-vars"
@ -35,20 +36,30 @@
        - "stage_{{ stage }}"
      changed_when: False

+#############################################################
+#   
+#############################################################
+
+- hosts: "{{ stage }}-virtual-host-to-read-groups-vars"
+  serial: "{{ serial_number | default(1) }}"
+  gather_facts: false
+  connection: local
+  run_once: true
+
  tasks:
    - name: "Add postgres servers to hosts if necessary"
      add_host:
-        name: "{{ stage }}-postgres-01"
+        name: "{{ shared_service_postgres_primary }}"
        groups:
        - "{{ item }}"
        - "stage_{{ stage }}"
      changed_when: False
      with_items: "{{ ['hcloud'] + ['stage_' + stage ] + [cluster.service] + (cluster.features | default([])) }}"
-      when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'pdns']
+      when: item in ['connect', 'management_connect', 'keycloak', 'gitea', 'pdns']

    - name: "Add maria servers to hosts if necessary"
      add_host:
-        name: "{{ stage }}-maria-01"
+        name: "{{ shared_service_maria_primary }}"
        groups:
        - "{{ item }}"
        - "stage_{{ stage }}"
--- a/pmci-service-state-update.yml
+++ b/pmci-service-state-update.yml
@ -1,47 +1,10 @@
 ---

-# Parameters:
-#   playbook inventory
-#     stage := the name of the stage (e.g. dev, int, qa, prod)
-#     tenant_id := (unique key for the tenant, e.g. customer)
-#     cluster_name := (business name for the cluster, e.g. product, department )
-#     cluster_features := (services to setup, e.g. ['connect', 'wordpress', ...])
-#     service_state := the state of the service (e.g. up, down, upgrade)
-#   smardigo message callback
-#     scope_id := (scope id of the management process)
-#     process_instance_id := (process instance id of the management process)
-#     smardigo_management_action := (smardigo management action anme of the management process)
-
 #############################################################
 #   Creating inventory dynamically for given parameters
 #############################################################

- hosts: localhost
-  gather_facts: false
-  connection: local
-
-  pre_tasks:
-    - name: "Check if ansible version is at least {{ ansible_minimal_version }}"
-      assert:
-        that:
-          - ansible_version.string is version(ansible_minimal_version, ">=")
-        msg: "The ansible version has to be at least {{ ansible_minimal_version }}"
-
-#     add virtual server to load stage specific variables as context
-    - name: "Add <{{ stage }}-virtual-host-to-read-groups-vars> to hosts"
-      add_host:
-        name: "{{ stage }}-virtual-host-to-read-groups-vars"
-        groups:
-        - "stage_{{ stage }}"
-      changed_when: False
-
-  tasks:
-    - name: Add hosts
-      add_host:
-        name: "{{ stage }}-{{ tenant_id }}-{{ cluster_name }}-{{ '%02d' | format(item|int) }}"
-        groups: "{{ ['stage_' + stage ] + [cluster_service] + cluster_features }}"
-      with_sequence: start=1 end={{ cluster_size | default(1) }}
-      changed_when: False
+- import_playbook: pmci-inventory-cluster.yml

 #############################################################
 #   Stopping services for created inventory
@ -51,8 +14,10 @@
  serial: "{{ serial_number | default(1) }}"
  remote_user: root
  vars:
-    service_state: up
    ansible_ssh_host: "{{ stage_server_domain }}"
+    tenant_id: "{{ tenant.key }}" # legacy paramater, backwards compatibility
+    cluster_name: "{{ cluster.key }}" # legacy paramater, backwards compatibility
+    service_state: "{{ data.service_state | default('up') }}" # legacy paramater, backwards compatibility

  pre_tasks:
    - name: "Import autodiscover pre-tasks"
--- a/pmci-tenant-change.yml
+++ b/pmci-tenant-change.yml
@ -44,7 +44,6 @@
  gather_facts: false
  connection: local
  vars:
-    management_realm_name: "management"
    management_base_url: "{{ stage }}-management-01-connect.{{ domain }}"

  pre_tasks:
--- a/pmci-tenant-create.yml
+++ b/pmci-tenant-create.yml
@ -44,7 +44,6 @@
  gather_facts: false
  connection: local
  vars:
-    management_realm_name: "management"
    management_base_url: "{{ stage }}-management-01-connect.{{ domain }}"

  pre_tasks:
--- a/pmci-tenant-delete.yml
+++ b/pmci-tenant-delete.yml
@ -44,7 +44,6 @@
  gather_facts: false
  connection: local
  vars:
-    management_realm_name: "management"
    management_base_url: "{{ stage }}-management-01-connect.{{ domain }}"

  pre_tasks:
--- a/pmci-tenant-sync.yml
+++ b/pmci-tenant-sync.yml
@ -44,7 +44,6 @@
  gather_facts: false
  connection: local
  vars:
-    management_realm_name: "management"
    management_base_url: "{{ stage }}-management-01-connect.{{ domain }}"
    sma_management_scope_id: "pmci"
    sma_management_role_id: "user"
--- a/remove-database.yml
+++ b/remove-database.yml
@ -2,7 +2,7 @@

 # deletes databases and roles on shared service servers
 #   - postgres
-#     - executed on stage specific server: {{ stage }}-postgres-01
+#     - executed on stage specific server: {{ shared_service_postgres_primary }}

 # Parameters:
 #   playbook inventory
@ -42,17 +42,17 @@
  tasks:
    - name: Add postgres servers to hosts if necessary
      add_host:
-        name: "{{ stage }}-postgres-01"
+        name: "{{ shared_service_postgres_primary }}"
        groups:
        - "stage_{{ stage }}"
        - "{{ item }}"
      changed_when: False
      with_items: "{{ cluster_features }}"
-      when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea', 'pdns']
+      when: item in ['connect', 'management_connect', 'keycloak', 'gitea', 'pdns']

    - name: Add maria servers to hosts if necessary
      add_host:
-        name: "{{ stage }}-maria-01"
+        name: "{{ shared_service_maria_primary }}"
        groups:
        - "stage_{{ stage }}"
        - "{{ item }}"
@ -94,9 +94,6 @@
 #    - role: pdns_postgres
 #      when: "'pdns' in group_names"

-    - role: webdav_postgres
-      when: "'webdav' in group_names"
-
    - role: connect_wordpress_maria
      when: "'connect_wordpress' in group_names"

--- a/restore-database-backup.yml
+++ b/restore-database-backup.yml
@ -2,7 +2,7 @@

 # restores a database backup
 #   - postgres
-#     - executed on stage specific server: {{ stage }}-postgres-01
+#     - executed on stage specific server: {{ shared_service_postgres_primary }}
 #     - restores a database backup 

 # Parameters:
@ -43,13 +43,13 @@
  tasks:
    - name: "Add postgres servers to hosts if necessary"
      add_host:
-        name: "{{ stage }}-postgres-01"
+        name: "{{ shared_service_postgres_primary }}"
        groups:
        - "stage_{{ stage }}"
        - "{{ item }}"
      changed_when: False
      with_items: "{{ cluster_features }}"
-      when: item in ['connect', 'management_connect', 'keycloak', 'webdav', 'gitea']
+      when: item in ['connect', 'management_connect', 'keycloak', 'gitea']

 #############################################################
 #   Restoring databases for created inventory
@ -72,9 +72,6 @@
    - role: keycloak_postgres
      when: "'keycloak' in group_names"

-    - role: webdav_postgres
-      when: "'webdav' in group_names"
-
 #############################################################
 #   Sending smardigo management message to process
 #############################################################
--- a/restore-remote-database-backup.yml
+++ b/restore-remote-database-backup.yml
@ -2,10 +2,10 @@

 # restores remote database backup
 #   - postgres
-#     - executed on stage specific server: {{ stage }}-restore-postgres-01
+#     - executed on stage specific server: {{ shared_service_postgres_primary }}-restore
 #     - restores a server from full-backup
 #   - mariadb
-#     - executed on stage specific server: {{ stage }}-restore-maria-01
+#     - executed on stage specific server: {{ shared_service_maria_primary }}-restore
 #     - restores a server from full-backup

 # Parameters:
@ -40,13 +40,24 @@
      changed_when: False

  tasks:
-    - name: "Add {{ database_engine }} servers to hosts if necessary"
+    - name: "Add {{ database_engine }}-restore servers to hosts if necessary"
      add_host:
-        name: "{{ stage }}-restore-{{ database_engine }}-01"
+        name: "{{ shared_service_postgres_secondary }}-restore"
        groups:
        - "stage_{{ stage }}"
        - 'restore'
-      changed_when: False
+      when:
+        - database_engine is 'postgres'
+
+    - name: "Add {{ database_engine }}-restore servers to hosts if necessary"
+      add_host:
+        name: "{{ shared_service_maria_primary }}-restore"
+        groups:
+        - "stage_{{ stage }}"
+        - 'restore'
+      when:
+        - database_engine is 'maria'
+      
    - name: "Add 'backup' servers to hosts if necessary"
      add_host:
        name: "{{ stage }}-backup-01"
--- a/roles/argocd_realm/defaults/main.yml
+++ b/roles/argocd_realm/defaults/main.yml
@ -0,0 +1,43 @@
+---
+current_realm_name: "{{ argocd_oidc_realm }}"
+
+current_realm_clients:
+  - name: "{{ argocd_oidc_client_id }}"
+    base_url: "/applications"
+    clientId: "{{ argocd_oidc_client_id }}"
+    admin_url: "{{ shared_service_kube_url_argocd }}/"
+    root_url: "{{ shared_service_kube_url_argocd }}/"
+    redirect_uris:
+      - "{{ shared_service_kube_url_argocd }}/auth/callback"
+    secret: "{{ argocd_oidc_client_secret }}"
+    web_origins:
+      - "{{ shared_service_kube_url_argocd }}/"
+    default_client_scopes: "{{ keycloak_default_client_scopes + ['groups'] }}"
+
+current_realm_users:
+  - username: "{{ argocd_oidc_admin_username }}"
+    password: "{{ argocd_oidc_admin_password }}"
+    email: "{{ argocd_oidc_admin_email }}"
+    firstName: "Netgo"
+    lastName: "Administrator"
+    requiredActions: []
+
+current_realm_admin_users:
+  - username: "argocd-realm-admin"
+    password: "{{ infrastructure_realm_admin_password_vault }}"
+    email: "{{ argocd_oidc_admin_email }}"
+    firstName: "Netgo"
+    lastName: "Administrator"
+    requiredActions: []
+
+current_realm_groups:
+  - name: "admin"
+  - name: "argocd-admin" # not working yet
+
+current_user_groupmembership:
+  - username: "argocd-admin"
+    destination_group: "admin"
+  - username: "argocd-admin"
+    destination_group: "argocd-admin"
+
+keycloak_force_prune: true
--- a/roles/argocd_realm/tasks/main.yml
+++ b/roles/argocd_realm/tasks/main.yml
@ -0,0 +1,5 @@
+---
+
+- name: "Setup realm for <{{ current_realm_name }}>"
+  include_role:
+    name: keycloak_realm
--- a/roles/awx_realm/defaults/main.yml
+++ b/roles/awx_realm/defaults/main.yml
@ -0,0 +1,39 @@
+---
+current_realm_name: "{{ awx_oidc_realm }}"
+
+current_realm_clients:
+  - name: "{{ awx_oidc_client_id }}"
+    clientId: "{{ awx_oidc_client_id }}"
+    admin_url: "{{ shared_service_kube_url_awx }}/"
+    root_url: "{{ shared_service_kube_url_awx }}/"
+    redirect_uris:
+      - "{{ shared_service_kube_url_awx }}/sso/complete/oidc/"
+    secret: "{{ awx_oidc_client_secret }}"
+    web_origins:
+      - "{{ shared_service_kube_url_argocd }}/"
+    default_client_scopes: "{{ keycloak_default_client_scopes + ['groups'] }}"
+
+current_realm_users:
+  - username: "{{ awx_oidc_admin_username }}"
+    password: "{{ awx_oidc_admin_password }}"
+    email: "{{ awx_oidc_admin_email }}"
+    firstName: "Netgo"
+    lastName: "Administrator"
+    requiredActions: []
+
+current_realm_admin_users:
+  - username: "awx-realm-admin"
+    password: "{{ infrastructure_realm_admin_password_vault }}"
+    email: "{{ awx_oidc_admin_email }}"
+    firstName: "Netgo"
+    lastName: "Administrator"
+    requiredActions: []
+
+current_realm_groups:
+  - name: "awx-admin"
+
+current_user_groupmembership:
+  - username: "awx-admin"
+    destination_group: "awx-admin"
+
+keycloak_force_prune: true
--- a/roles/awx_realm/tasks/main.yml
+++ b/roles/awx_realm/tasks/main.yml
@ -0,0 +1,5 @@
+---
+
+- name: "Setup realm for <{{ current_realm_name }}>"
+  include_role:
+    name: keycloak_realm
--- a/roles/connect/tasks/main.yml
+++ b/roles/connect/tasks/main.yml
@ -4,7 +4,6 @@
 ###   update_certs
 ###   update_deployment

-
 - name: "Setup hcloud firewalls for <{{ inventory_hostname }}>"
  include_role:
    name: hetzner-ansible-hcloud
@ -89,6 +88,7 @@
    restarted: yes
    build: no
  tags:
+    - never
    - update_certs

 - name: "Update {{ connect_id }}"
--- a/roles/connect/vars/main.yml
+++ b/roles/connect/vars/main.yml
@ -96,12 +96,6 @@ connect_environment: [
  "RESUBMISSION_ENABLED: \"{{ connect_resubmission_enabled }}\"",
  "SMA_WORKFLOW_HEATMAP_ENABLED: \"{{ connect_workflow_heatmap_enabled }}\"",

-  "SMA_ENABLE_WEBDAV_DOC_EDITING: \"{{ connect_webdav_enabled | default('false') }}\"",
-  "SMA_WEBDAV_BASE_PATH: \"{{ http_s }}://{{ connect_base_url }}\"",
-  "SMA_WEBDAV_HOST_URL: \"{{ http_s }}://{{ shared_service_webdav_hostname }}/\"",
-  "SMA_WEBDAV_FRONTEND_URL: \"{{ http_s }}://{{ shared_service_webdav_hostname }}/\"",
-  "SMA_WEBDAV_JWT_SECRET: \"{{ webdav_jwt_secret }}\"",
-
  "SPRINGDOC_SERVER_URL: \"{{ http_s }}://{{ connect_base_url }}\"",

  "SMA_CORS_ORIGINS: \"{{ http_s }}://{{ connect_base_url }}:{{ admin_port_service }}\"",
--- a/roles/connect_realm/defaults/main.yml
+++ b/roles/connect_realm/defaults/main.yml
@ -1,28 +1,26 @@
 ---
+connect_client_secret: "{{ connect_client_id }}"

 client_web_origin_connect: "{{ http_s }}://{{ connect_base_url }}"
 client_web_origin_wordpress: "{{ http_s }}://{{ wordpress_base_url }}"
 client_web_origin_connect_external: "{{ http_s }}://{{ connect_external_subdomain | default('unset') }}.{{ domain }}"

-current_realm_clients: [
-  {
-    name: "{{ connect_client_id }}",
-    clientId: "{{ connect_client_id }}",
-    admin_url: "",
-    root_url: "",
+current_realm_clients:
+  - name: "{{ connect_client_id }}"
+    clientId: "{{ connect_client_id }}"
+    admin_url: "{{ client_web_origin_connect }}"
+    root_url: "{{ client_web_origin_connect }}"
    redirect_uris: "{{
      [client_web_origin_connect + '/*'] +
      ([client_web_origin_wordpress + '/*'] if 'connect_wordpress' in groups else []) +
      ([client_web_origin_connect_external + '/*'] if connect_external_subdomain is defined else [])
-    }}",
-    secret: '{{ connect_client_id }}',
+    }}"
+    secret: "{{ connect_oidc_client_secret }}"
    web_origins: "{{
      [client_web_origin_connect] +
      ([client_web_origin_wordpress] if 'connect_wordpress' in groups else []) +
      ([client_web_origin_connect_external] if connect_external_subdomain is defined else [])
-    }}",
-  }
-]
+    }}"

 current_realm_users_base:
  - username: "{{ connect_client_admin_username }}"
--- a/roles/connect_realm/tasks/main.yml
+++ b/roles/connect_realm/tasks/main.yml
@ -2,7 +2,7 @@

 ### tags:

- name: "Setup realm for {{ inventory_hostname }}"
+- name: "Authenticate on keycloak for {{ inventory_hostname }}"
  include_role:
    name: keycloak
    tasks_from: _authenticate
--- a/roles/connect_realm/vars/main.yml
+++ b/roles/connect_realm/vars/main.yml
@ -1 +0,0 @@
---
--- a/roles/connect_wordpress/vars/main.yml
+++ b/roles/connect_wordpress/vars/main.yml
@ -33,7 +33,7 @@ wordpress_docker: {
      image_version: "{{ wordpress_image_version }}",
      labels: "{{ wordpress_labels + ( wordpress_labels_additional | default([])) }}",
      environment: [
-        "WORDPRESS_DB_HOST: \"{{ connect_wordpress_maria_host }}:{{ wordpress_mysql_port | default('3306') }}\"",
+        "WORDPRESS_DB_HOST: \"{{ shared_service_maria_primary }}:{{ wordpress_mysql_port | default('3306') }}\"",
        "WORDPRESS_DB_USER: \"{{ connect_wordpress_maria_username }}\"",
        "WORDPRESS_DB_PASSWORD: \"{{ connect_wordpress_maria_password }}\"",
        "WORDPRESS_DB_NAME: \"{{ connect_wordpress_maria_database }}\"",
--- a/roles/gitea/vars/main.yml
+++ b/roles/gitea/vars/main.yml
@ -27,7 +27,7 @@ gitea_environment: [
  "USER_UID: \"1000\"",
  "USER_GID: \"1000\"",
  "GITEA__database__DB_TYPE: \"postgres\"",
-  "GITEA__database__HOST: \"{{ shared_service_postgres_01_hostname }}\"",
+  "GITEA__database__HOST: \"{{ gitea_postgres_host }}\"",
  "GITEA__database__NAME: \"{{ gitea_postgres_database }}\"",
  "GITEA__database__USER: \"{{ gitea_postgres_database }}\"",
  "GITEA__database__PASSWD: \"{{ gitea_postgres_password }}\"",
--- a/roles/gitea_realm/defaults/main.yml
+++ b/roles/gitea_realm/defaults/main.yml
@ -1,31 +1,32 @@
 ---
+current_realm_name: "{{ gitea_oidc_realm }}"

-current_realm_clients: [
-  {
-    name: '{{ gitea_client_id }}',
-    clientId: "{{ gitea_client_id }}",
-    admin_url: '',
-    root_url: '',
-    redirect_uris: '
-      [
-        "{{ http_s }}://{{ gitea_base_url }}/*",
-      ]',
-    secret: '{{ gitea_client_secret }}',
-    web_origins: '
-      [
-        "{{ http_s }}://{{ gitea_base_url }}",
-      ]',
-  }
-]
+current_realm_clients:
+  - name: "{{ gitea_oidc_client_id }}"
+    base_url: ""
+    clientId: "{{ gitea_oidc_client_id }}"
+    admin_url: "{{ shared_service_kube_url_gitea }}"
+    root_url: "{{ shared_service_kube_url_gitea }}"
+    redirect_uris:
+      - "{{ shared_service_kube_url_gitea }}/*"
+    secret: "{{ gitea_oidc_client_secret }}"
+    web_origins:
+      - "{{ shared_service_kube_url_gitea }}/"

 current_realm_users:
-  - username: "{{ gitea_admin_username }}"
-    password: "{{ gitea_admin_password }}"
-    email: "{{ gitea_admin_email }}"
+  - username: "{{ gitea_oidc_admin_username }}"
+    password: "{{ gitea_oidc_admin_password }}"
+    email: "{{ gitea_oidc_admin_email }}"
+    firstName: "Netgo"
+    lastName: "Administrator"
    requiredActions: []

 current_realm_admin_users:
-  - username: "{{ gitea_realm_admin_username }}"
-    password: "{{ gitea_realm_admin_password }}"
-    email: "{{ gitea_admin_email }}"
+  - username: "gitea-realm-admin"
+    password: "{{ infrastructure_realm_admin_password_vault }}"
+    email: "{{ gitea_oidc_admin_email }}"
+    firstName: "Netgo"
+    lastName: "Administrator"
    requiredActions: []
+
+keycloak_force_prune: true
--- a/roles/gitea_realm/tasks/main.yml
+++ b/roles/gitea_realm/tasks/main.yml
@ -1,25 +1,5 @@
 ---

-### tags:
-
- name: "Setup realm for {{ inventory_hostname }}"
-  include_role:
-    name: keycloak
-    tasks_from: _authenticate
-
- name: "Setup realm for {{ inventory_hostname }}"
-  include_role:
-    name: keycloak
-    tasks_from: _configure_realm
-  vars:
-    current_realm_password_policy: ''
-
- name: "Create realm users"
-  include_role:
-    name: keycloak
-    tasks_from: _create_realm_users
-
- name: "Create realm admin"
+- name: "Setup realm for <{{ current_realm_name }}>"
  include_role:
-    name: keycloak
-    tasks_from: _create_realm_admin
+    name: keycloak_realm
--- a/roles/gitea_realm/vars/main.yml
+++ b/roles/gitea_realm/vars/main.yml
@ -1 +0,0 @@
---
--- a/roles/harbor/tasks/main.yml
+++ b/roles/harbor/tasks/main.yml
@ -1,14 +1,5 @@
 ---

- name: "Create realm for <{{ inventory_hostname }}> if necessary"
-  include_role:
-    name: harbor_realm
-  vars:
-    current_realm_name: "harbor"
-    current_realm_display_name: "harbor"
-  tags:
-    - always
-
 - name: "Install harbor"
  include_tasks: install.yml

--- a/roles/harbor_config/defaults/main.yml
+++ b/roles/harbor_config/defaults/main.yml
@ -0,0 +1,82 @@
+---
+harbor_system_configuration:
+  email_host: '{{ shared_service_mail_hostname }}'
+  email_port: 25
+  email_from: 'harbor@{{ domain_env }}'
+  email_password: ''
+  email_username: ''
+  email_insecure: true
+  auth_mode: oidc_auth
+  oidc_name: "{{ harbor_oidc_realm }}"
+  oidc_endpoint: 'https://{{ shared_service_hostname_keycloak }}/auth/realms/{{ harbor_oidc_realm }}'
+  oidc_client_id: "{{ harbor_oidc_client_id }}"
+  oidc_client_secret: "{{ harbor_oidc_client_secret }}"
+  oidc_groups_claim: groups
+  oidc_scope: openid
+  oidc_verify_cert: true
+  oidc_auto_onboard: true
+  oidc_admin_group: 'admin'
+  oidc_user_claim: 'sub'
+  scan_all_policy:
+    parameter:
+      daily_time: 0
+
+harbor_project_names:
+  - awx
+  - sken
+  - infrastructure
+
+# default configuration for all harbor projects
+harbor_project_template:
+  project_attributes:
+    project_name: '{{ project_name }}'
+  meta_data:
+    auto_scan: true
+  project_state: present
+  members:
+    -
+      group_name: '{{ project_name }}'
+      group_type: oidc
+      role: projectadmin
+
+harbor_robot_tokens:
+  -
+    secret_refresh: true
+    name: ansible
+    level: system
+    description: 'smardigo docker pull credentials'
+    secret: '{{ harbor_token }}'
+    disable: false
+    duration: -1
+    editable: true
+    expires_at: -1
+    permissions:
+    - access:
+      - action: push
+        resource: repository
+      - action: pull
+        resource: repository
+      - action: delete
+        resource: artifact
+      - action: read
+        resource: helm-chart
+      - action: create
+        resource: helm-chart-version
+      - action: delete
+        resource: helm-chart-version
+      - action: create
+        resource: tag
+      - action: delete
+        resource: tag
+      - action: create
+        resource: artifact-label
+      - action: create
+        resource: scan
+      kind: project
+      namespace: "*"
+
+harbor_scanall:
+  -
+    schedule:
+      cron: 0 0 1 * * *
+      type: Custom
--- a/roles/harbor_config/tasks/configure-system.yml
+++ b/roles/harbor_config/tasks/configure-system.yml
@ -0,0 +1,15 @@
+---
+- name: "Add harbor base configuration via API"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ shared_service_url_harbor }}/api/v2.0/configurations"
+    user: '{{ harbor_admin_username }}'
+    password: '{{ harbor_admin_password }}'
+    method: PUT
+    body_format: json
+    force_basic_auth: yes
+    body: "{{ harbor_system_configuration }}"
+    headers:
+      Content-Type: application/json
+    status_code: [200]
--- a/roles/harbor_config/tasks/configure_project.yml
+++ b/roles/harbor_config/tasks/configure_project.yml
@ -0,0 +1,26 @@
+---
+- name: "Apply project state <{{ project.project_state }}>"
+  include_tasks: configure_project_crud.yml
+  vars:
+    project_name: '{{ project.project_attributes.project_name }}'
+
+- name: "Configure project metadata"
+  include_tasks: configure_project_metadata_crud.yml 
+  vars:
+    project_name: '{{ project.project_attributes.project_name }}'
+  loop: '{{ project.meta_data | dict2items }}'
+  loop_control:
+    loop_var: meta_data_elem
+  when:
+    - project.meta_data is defined
+    - project.project_state == 'present'
+
+- name: "Configure project members"
+  include_tasks: configure_project_members_crud.yml
+  vars:
+    project_name: '{{ project.project_attributes.project_name }}'
+  loop: '{{ project.members }}'
+  loop_control:
+    loop_var: member
+  when:
+    - project.project_state == 'present'
--- a/roles/harbor_config/tasks/configure_project_crud.yml
+++ b/roles/harbor_config/tasks/configure_project_crud.yml
@ -0,0 +1,100 @@
+---
+- name: "Check if project <{{ project_name }}> exists"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}"
+    user: '{{ harbor_admin_username }}'
+    password: '{{ harbor_admin_password }}'
+    method: GET
+    body_format: json
+    force_basic_auth: yes
+    headers:
+      Content-Type: application/json
+    status_code: [200,404]
+  register: project_exists
+
+- name: "Check if project <{{ project_name }}> exists"
+  debug:
+    msg: '{{ project_exists.json }}'
+  when: debug
+
+- name: "Create project <{{ project_name }}>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ shared_service_url_harbor }}/api/v2.0/projects"
+    user: '{{ harbor_admin_username }}'
+    password: '{{ harbor_admin_password }}'
+    method: POST
+    body_format: json
+    body: '{{ project.project_attributes | to_json }}'
+    force_basic_auth: yes
+    headers:
+      Content-Type: application/json
+    status_code: [200,201]
+  register: project_create
+  when:
+    - project_exists.status in [404]
+    - project.project_state == 'present'
+
+- name: "Create project <{{ project_name }}>"
+  debug:
+    msg: '{{ project_create.json }}'
+  when:
+    - debug
+    - project_exists.status in [404]
+    - project.project_state == 'present'
+
+- name: "Update project <{{ project_name }}>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}"
+    user: '{{ harbor_admin_username }}'
+    password: '{{ harbor_admin_password }}'
+    method: PUT
+    body_format: json
+    body: '{{ project.project_attributes | to_json }}'
+    force_basic_auth: yes
+    headers:
+      Content-Type: application/json
+    status_code: [200,201]
+  register: project_update
+  when:
+    - project_exists.status in [200]
+    - project.project_state == 'present'
+
+- name: "Update project <{{ project_name }}>"
+  debug:
+    msg: '{{ project_update.json }}'
+  when:
+    - debug
+    - project_exists.status in [200]
+    - project.project_state == 'present'
+
+- name: "Delete project <{{ project_name }}>"
+  delegate_to: 127.0.0.1
+  become: false
+  uri:
+    url: "{{ shared_service_url_harbor }}/api/v2.0/projects/{{ project_name }}"
+    user: '{{ harbor_admin_username }}'
+    password: '{{ harbor_admin_password }}'
+    method: DELETE
+    body_format: json
+    force_basic_auth: yes
+    headers:
+      Content-Type: application/json
+    status_code: [200]
+  register: project_delete
+  when:
+    - project_exists.status in [200]
+    - project.project_state == 'absent'
+
+- name: "Delete project <{{ project_name }}>"
+  debug:
+    msg: '{{ project_update.json }}'
+  when:
+    - debug
+    - project_exists.status in [200]
+    - project.project_state == 'absent'
--- a/Show More
+++ b/Show More