From: Hamatoma Date: Thu, 24 Apr 2025 20:35:51 +0000 (+0200) Subject: V0.2.0: first working version as nest1 X-Git-Url: https://gitweb.hamatoma.de/?a=commitdiff_plain;h=09a499e2be272bab2a8c4dec2e00349def8850e3;p=nest_ansible.git V0.2.0: first working version as nest1 --- diff --git a/build_dkim_text.py b/build_dkim_text.py new file mode 120000 index 0000000..39943e7 --- /dev/null +++ b/build_dkim_text.py @@ -0,0 +1 @@ +scripts/build_dkim_text.py \ No newline at end of file diff --git a/docu/dkim_dns_configuration.md b/docu/dkim_dns_configuration.md new file mode 100644 index 0000000..9d80736 --- /dev/null +++ b/docu/dkim_dns_configuration.md @@ -0,0 +1,17 @@ +# DNS Configuration for SPF, DKIM, DMARC + +## SPF: + +| Domain | DNS Type | Contents | Comment | +| ------ | -------- | -------- | ------- | +| example.com | TXT | v=spf1 mx -all | deny other server +| relayhost.example.com | TXT | v=spf1 a -all | | +| example.com | TXT | v=spf1 ip4:2.234.54.2 mx ~all | allow other server | + +### Test +``` +host -t txt example.com +host -t txt relayhost.example.com + +## DKIM +``` \ No newline at end of file diff --git a/playbooks/i_10_basic.yaml b/playbooks/i_10_basic.yaml index 4250d9d..6145a9d 120000 --- a/playbooks/i_10_basic.yaml +++ b/playbooks/i_10_basic.yaml @@ -1 +1 @@ -../../ansknife/playbooks/i_10_basic.yaml \ No newline at end of file +../../ansknife/playbooks.templates/i_10_basic.yaml \ No newline at end of file diff --git a/playbooks/i_15_server_packages.yaml b/playbooks/i_15_server_packages.yaml index 5d15839..1fc2481 120000 --- a/playbooks/i_15_server_packages.yaml +++ b/playbooks/i_15_server_packages.yaml @@ -1 +1 @@ -../../ansknife/playbooks/i_15_server_packages.yaml \ No newline at end of file +../../ansknife/playbooks.templates/i_15_server_packages.yaml \ No newline at end of file diff --git a/playbooks/i_17_configuration.yaml b/playbooks/i_17_configuration.yaml new file mode 120000 index 0000000..6b099d5 --- /dev/null 
+++ b/playbooks/i_17_configuration.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/i_17_configuration.yaml \ No newline at end of file diff --git a/playbooks/i_20_nginx.yaml b/playbooks/i_20_nginx.yaml index fef4661..b0dc6fc 120000 --- a/playbooks/i_20_nginx.yaml +++ b/playbooks/i_20_nginx.yaml @@ -1 +1 @@ -../../ansknife/playbooks/i_20_nginx.yaml \ No newline at end of file +../../ansknife/playbooks.templates/i_20_nginx.yaml \ No newline at end of file diff --git a/playbooks/i_21_nginx_sites.yaml b/playbooks/i_21_nginx_sites.yaml new file mode 120000 index 0000000..6534df3 --- /dev/null +++ b/playbooks/i_21_nginx_sites.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/i_21_nginx_sites.yaml \ No newline at end of file diff --git a/playbooks/i_30_mariadb.yaml b/playbooks/i_30_mariadb.yaml index d1c8dd2..eea6a1a 120000 --- a/playbooks/i_30_mariadb.yaml +++ b/playbooks/i_30_mariadb.yaml @@ -1 +1 @@ -../../ansknife/playbooks/i_30_mariadb.yaml \ No newline at end of file +../../ansknife/playbooks.templates/i_30_mariadb.yaml \ No newline at end of file diff --git a/playbooks/i_40_php8.2.yaml b/playbooks/i_40_php8.2.yaml index 37b9910..10f9ef9 120000 --- a/playbooks/i_40_php8.2.yaml +++ b/playbooks/i_40_php8.2.yaml @@ -1 +1 @@ -../../ansknife/playbooks/i_40_php8.2.yaml \ No newline at end of file +../../ansknife/playbooks.templates/i_40_php8.2.yaml \ No newline at end of file diff --git a/playbooks/i_50_git_server.yaml b/playbooks/i_50_git_server.yaml index 31bad60..5028aef 120000 --- a/playbooks/i_50_git_server.yaml +++ b/playbooks/i_50_git_server.yaml @@ -1 +1 @@ -../../ansknife/playbooks/i_50_git_server.yaml \ No newline at end of file +../../ansknife/playbooks.templates/i_50_git_server.yaml \ No newline at end of file diff --git a/playbooks/i_60_postfix.yaml b/playbooks/i_60_postfix.yaml new file mode 120000 index 0000000..de7b450 --- /dev/null +++ b/playbooks/i_60_postfix.yaml 
@@ -0,0 +1 @@ +../../ansknife/playbooks.templates/i_60_postfix.yaml \ No newline at end of file diff --git a/playbooks/i_62_postfix_dkim.yaml b/playbooks/i_62_postfix_dkim.yaml new file mode 120000 index 0000000..b4802c6 --- /dev/null +++ b/playbooks/i_62_postfix_dkim.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/i_62_postfix_dkim.yaml \ No newline at end of file diff --git a/playbooks/i_70_webapps.yaml b/playbooks/i_70_webapps.yaml new file mode 120000 index 0000000..a0d2f94 --- /dev/null +++ b/playbooks/i_70_webapps.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/i_70_webapps.yaml \ No newline at end of file diff --git a/playbooks/i_99_test.yaml b/playbooks/i_99_test.yaml index e7ae028..ad5ced5 120000 --- a/playbooks/i_99_test.yaml +++ b/playbooks/i_99_test.yaml @@ -1 +1 @@ -../../ansknife/playbooks/i_99_test.yaml \ No newline at end of file +../../ansknife/playbooks.templates/i_99_test.yaml \ No newline at end of file diff --git a/playbooks/lets_create.yaml b/playbooks/lets_create.yaml new file mode 120000 index 0000000..3d2d883 --- /dev/null +++ b/playbooks/lets_create.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/lets_create.yaml \ No newline at end of file diff --git a/playbooks/mysql_create_admin.yaml b/playbooks/mysql_create_admin.yaml index 9ebc574..d9ad300 120000 --- a/playbooks/mysql_create_admin.yaml +++ b/playbooks/mysql_create_admin.yaml @@ -1 +1 @@ -../../ansknife/playbooks/mysql_create_admin.yaml \ No newline at end of file +../../ansknife/playbooks.templates/mysql_create_admin.yaml \ No newline at end of file diff --git a/playbooks/mysql_create_db_and_user copy.yaml b/playbooks/mysql_create_db_and_user copy.yaml deleted file mode 120000 index 33e8e09..0000000 --- a/playbooks/mysql_create_db_and_user copy.yaml +++ /dev/null @@ -1 +0,0 @@ -../../ansknife/playbooks/mysql_create_db_and_user.yaml \ No newline at end of file 
diff --git a/playbooks/mysql_create_db_and_user.yaml b/playbooks/mysql_create_db_and_user.yaml index 33e8e09..f8fdcb6 120000 --- a/playbooks/mysql_create_db_and_user.yaml +++ b/playbooks/mysql_create_db_and_user.yaml @@ -1 +1 @@ -../../ansknife/playbooks/mysql_create_db_and_user.yaml \ No newline at end of file +../../ansknife/playbooks.templates/mysql_create_db_and_user.yaml \ No newline at end of file diff --git a/playbooks/nginx_create_site.yaml b/playbooks/nginx_create_site.yaml new file mode 120000 index 0000000..948f2a1 --- /dev/null +++ b/playbooks/nginx_create_site.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/nginx_create_site.yaml \ No newline at end of file diff --git a/playbooks/ssl_create_certificate.yaml b/playbooks/ssl_create_certificate.yaml new file mode 120000 index 0000000..4dbc7b3 --- /dev/null +++ b/playbooks/ssl_create_certificate.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/ssl_create_certificate.yaml \ No newline at end of file diff --git a/playbooks/webapp_backup.yaml b/playbooks/webapp_backup.yaml new file mode 120000 index 0000000..b4b1322 --- /dev/null +++ b/playbooks/webapp_backup.yaml @@ -0,0 +1 @@ +../../ansknife/playbooks.templates/webapp_backup.yaml \ No newline at end of file diff --git a/playbooks/webapp_create.yaml b/playbooks/webapp_create.yaml index b9d23a9..2e4d5bf 120000 --- a/playbooks/webapp_create.yaml +++ b/playbooks/webapp_create.yaml @@ -1 +1 @@ -../../ansknife/playbooks/webapp_create.yaml \ No newline at end of file +../../ansknife/playbooks.templates/webapp_create.yaml \ No newline at end of file diff --git a/playbooks/webapp_export.yaml b/playbooks/webapp_export.yaml index 0d1daad..180b162 120000 --- a/playbooks/webapp_export.yaml +++ b/playbooks/webapp_export.yaml @@ -1 +1 @@ -../../ansknife/playbooks/webapp_export.yaml \ No newline at end of file +../../ansknife/playbooks.templates/webapp_export.yaml \ No newline at end of file 
diff --git a/playbooks/webapp_import.yaml b/playbooks/webapp_import.yaml index a06bb76..90070a3 120000 --- a/playbooks/webapp_import.yaml +++ b/playbooks/webapp_import.yaml @@ -1 +1 @@ -../../ansknife/playbooks/webapp_import.yaml \ No newline at end of file +../../ansknife/playbooks.templates/webapp_import.yaml \ No newline at end of file diff --git a/scripts/CreatePlaybook b/scripts/CreatePlaybook index 71ad78a..12ca5f9 120000 --- a/scripts/CreatePlaybook +++ b/scripts/CreatePlaybook @@ -1 +1 @@ -../../ansknife/scripts/CreatePlaybook \ No newline at end of file +../../ansknife/scripts.templates/CreatePlaybook \ No newline at end of file diff --git a/scripts/CreateTask b/scripts/CreateTask index af89d80..63de13c 120000 --- a/scripts/CreateTask +++ b/scripts/CreateTask @@ -1 +1 @@ -../../ansknife/scripts/CreateTask \ No newline at end of file +../../ansknife/scripts.templates/CreateTask \ No newline at end of file diff --git a/scripts/build_dkim_text.py b/scripts/build_dkim_text.py new file mode 120000 index 0000000..23a1370 --- /dev/null +++ b/scripts/build_dkim_text.py @@ -0,0 +1 @@ +../../ansknife/scripts/build_dkim_text.py \ No newline at end of file diff --git a/tasks/t_copy_wildcard.yaml b/tasks/t_copy_wildcard.yaml new file mode 120000 index 0000000..1339fc9 --- /dev/null +++ b/tasks/t_copy_wildcard.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_copy_wildcard.yaml \ No newline at end of file diff --git a/tasks/t_dkim.yaml b/tasks/t_dkim.yaml new file mode 120000 index 0000000..772b66e --- /dev/null +++ b/tasks/t_dkim.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_dkim.yaml \ No newline at end of file diff --git a/tasks/t_dkim_dns.yaml b/tasks/t_dkim_dns.yaml new file mode 120000 index 0000000..d191d7c --- /dev/null +++ b/tasks/t_dkim_dns.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_dkim_dns.yaml \ No newline at end of file diff --git a/tasks/t_dkim_keys.yaml b/tasks/t_dkim_keys.yaml new file mode 120000 index 0000000..7972dea --- /dev/null 
+++ b/tasks/t_dkim_keys.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_dkim_keys.yaml \ No newline at end of file diff --git a/tasks/t_dmarc.yaml b/tasks/t_dmarc.yaml new file mode 120000 index 0000000..4f8c758 --- /dev/null +++ b/tasks/t_dmarc.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_dmarc.yaml \ No newline at end of file diff --git a/tasks/t_dmarc_dns.yaml b/tasks/t_dmarc_dns.yaml new file mode 120000 index 0000000..665a4a9 --- /dev/null +++ b/tasks/t_dmarc_dns.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_dmarc_dns.yaml \ No newline at end of file diff --git a/tasks/t_lets_create.yaml b/tasks/t_lets_create.yaml new file mode 120000 index 0000000..ac927a7 --- /dev/null +++ b/tasks/t_lets_create.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_lets_create.yaml \ No newline at end of file diff --git a/tasks/t_link_wildcard.yaml b/tasks/t_link_wildcard.yaml new file mode 120000 index 0000000..6d483f6 --- /dev/null +++ b/tasks/t_link_wildcard.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_link_wildcard.yaml \ No newline at end of file diff --git a/tasks/t_mysql_create_admin.yaml b/tasks/t_mysql_create_admin.yaml index 0df504c..bb2a061 120000 --- a/tasks/t_mysql_create_admin.yaml +++ b/tasks/t_mysql_create_admin.yaml @@ -1 +1 @@ -../../ansknife/tasks/t_mysql_create_admin.yaml \ No newline at end of file +../../ansknife/tasks.templates/t_mysql_create_admin.yaml \ No newline at end of file diff --git a/tasks/t_mysql_create_db_and_user.yaml b/tasks/t_mysql_create_db_and_user.yaml index f91e0db..893f120 120000 --- a/tasks/t_mysql_create_db_and_user.yaml +++ b/tasks/t_mysql_create_db_and_user.yaml @@ -1 +1 @@ -../../ansknife/tasks/t_mysql_create_db_and_user.yaml \ No newline at end of file +../../ansknife/tasks.templates/t_mysql_create_db_and_user.yaml \ No newline at end of file diff --git a/tasks/t_nginx_create_site.yaml b/tasks/t_nginx_create_site.yaml new file mode 120000 index 0000000..c09d257 --- /dev/null 
+++ b/tasks/t_nginx_create_site.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_nginx_create_site.yaml \ No newline at end of file diff --git a/tasks/t_spf_configuration.yaml b/tasks/t_spf_configuration.yaml new file mode 120000 index 0000000..0462a41 --- /dev/null +++ b/tasks/t_spf_configuration.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_spf.yaml \ No newline at end of file diff --git a/tasks/t_ssl_create_certificate.yaml b/tasks/t_ssl_create_certificate.yaml new file mode 120000 index 0000000..d188b12 --- /dev/null +++ b/tasks/t_ssl_create_certificate.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_ssl_create_certificate.yaml \ No newline at end of file diff --git a/tasks/t_webapp_backup.yaml b/tasks/t_webapp_backup.yaml new file mode 120000 index 0000000..748ec55 --- /dev/null +++ b/tasks/t_webapp_backup.yaml @@ -0,0 +1 @@ +../../ansknife/tasks.templates/t_webapp_backup.yaml \ No newline at end of file diff --git a/tasks/t_webapp_create.yaml b/tasks/t_webapp_create.yaml index 194111e..6021601 120000 --- a/tasks/t_webapp_create.yaml +++ b/tasks/t_webapp_create.yaml @@ -1 +1 @@ -../../ansknife/tasks/t_webapp_create.yaml \ No newline at end of file +../../ansknife/tasks.templates/t_webapp_create.yaml \ No newline at end of file diff --git a/tasks/t_webapp_export.yaml b/tasks/t_webapp_export.yaml index 7df312c..fdf8da3 120000 --- a/tasks/t_webapp_export.yaml +++ b/tasks/t_webapp_export.yaml @@ -1 +1 @@ -../../ansknife/tasks/t_webapp_export.yaml \ No newline at end of file +../../ansknife/tasks.templates/t_webapp_export.yaml \ No newline at end of file diff --git a/tasks/t_webapp_import.yaml b/tasks/t_webapp_import.yaml index fe09c5c..80f0a64 120000 --- a/tasks/t_webapp_import.yaml +++ b/tasks/t_webapp_import.yaml @@ -1 +1 @@ -../../ansknife/tasks/t_webapp_import.yaml \ No newline at end of file +../../ansknife/tasks.templates/t_webapp_import.yaml \ No newline at end of file 
diff --git a/templates.fix b/templates.fix
new file mode 120000
index 0000000..bce566d
--- /dev/null
+++ b/templates.fix
@@ -0,0 +1 @@
+../ansknife/templates.fix/
\ No newline at end of file
diff --git a/templates.local/antispam/ignore.hosts b/templates.local/antispam/ignore.hosts
new file mode 100644
index 0000000..d15cd1d
--- /dev/null
+++ b/templates.local/antispam/ignore.hosts
@@ -0,0 +1,4 @@
+# Ansible controlled: do not change on server manually
+127.0.0.1
+::1
+localhost
\ No newline at end of file
diff --git a/templates.local/antispam/opendkim.conf b/templates.local/antispam/opendkim.conf
new file mode 100644
index 0000000..3018e24
--- /dev/null
+++ b/templates.local/antispam/opendkim.conf
@@ -0,0 +1,20 @@
+# Ansible controlled: do not change on server manually
+UserID opendkim:opendkim
+UMask 002
+PidFile /var/run/opendkim/opendkim.pid
+SOCKET local:/var/spool/postfix/opendkim/opendkim.sock
+Mode sv
+Domain *
+#Selector mail
+Canonicalization relaxed/relaxed
+SignatureAlgorithm rsa-sha256
+OversignHeaders From
+AutoRestart yes
+AutoRestartRate 10/1h
+SigningTable refile:/etc/opendkim/signing.table
+KeyTable /etc/opendkim/key.table
+ExternalIgnoreList refile:/etc/opendkim/trusted.hosts
+InternalHosts refile:/etc/opendkim/trusted.hosts
+Syslog yes
+SyslogSuccess yes
+LogWhy yes
diff --git a/templates.local/antispam/opendmarc.conf b/templates.local/antispam/opendmarc.conf
new file mode 100644
index 0000000..8415ed1
--- /dev/null
+++ b/templates.local/antispam/opendmarc.conf
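Review bot: `Domain *` in opendkim.conf is redundant once `SigningTable`/`KeyTable` are set (the tables decide which messages get signed) and reads as "sign everything"; dropping it, or annotating it with `# superseded by SigningTable`, makes the intent explicit. The signing table, key table and the private keys they point at are not part of this commit (presumably produced by the t_dkim_keys task), so the key-file ownership and permissions cannot be reviewed here and are worth a check in that task. `UMask 002` is needed so postfix can reach the socket under `/var/spool/postfix/opendkim`; a comment saying so would spare the next reader a guess.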
@@ -0,0 +1,20 @@
+# Ansible controlled: do not change on server manually
+AuthservID nest1.gemeinwohl-gesellschaft.de
+TrustedAuthservIDs nest1.gemeinwohl-gesellschaft.de
+UMask 0002
+UserID opendmarc
+AutoRestart true
+Socket local:/var/spool/postfix/opendmarc/opendmarc.sock
+RejectFailures true
+IgnoreMailFrom f-r-e-i.de
+IgnoreHosts /etc/opendmarc/ignore.hosts
+PublicSuffixList /etc/opendmarc/public_suffix_list.dat
+SoftwareHeader false
+FailureReports true
+FailureReportsSentBy no-reply.dmarc.reports@f-r-e-i.de
+#FailureReportsBcc
+BaseDirectory /var/run/opendmarc
+PidFile /var/run/opendmarc/opendmarc.pid
+HistoryFile /var/run/opendmarc/opendmarc.dat
+Syslog true
+SyslogFacility mail
\ No newline at end of file
diff --git a/templates.local/antispam/trusted.hosts b/templates.local/antispam/trusted.hosts
new file mode 100644
index 0000000..d15cd1d
--- /dev/null
+++ b/templates.local/antispam/trusted.hosts
@@ -0,0 +1,4 @@
+# Ansible controlled: do not change on server manually
+127.0.0.1
+::1
+localhost
\ No newline at end of file
diff --git a/templates.local/nginx/http.conf b/templates.local/nginx/http.conf
new file mode 100644
index 0000000..0eed601
--- /dev/null
+++ b/templates.local/nginx/http.conf
@@ -0,0 +1,9 @@
+client_max_body_size 512M;
+## Detect when HTTPS is used
+map $scheme $fastcgi_https {
+ default off;
+ https on;
+}
+fastcgi_read_timeout 3600s;
+fastcgi_request_buffering off;
+error_log /var/log/nginx/error.log;
diff --git a/templates.local/nginx/sites/nest1.gemeinwohl-gesellschaft.de b/templates.local/nginx/sites/nest1.gemeinwohl-gesellschaft.de
new file mode 100644
index 0000000..76ba089
--- /dev/null
+++ b/templates.local/nginx/sites/nest1.gemeinwohl-gesellschaft.de
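Review bot: `FailureReports true` together with `FailureReportsSentBy` in opendmarc.conf turns on per-message forensic reports, which send a copy of each failing message to the address the sender's domain publishes for that purpose; since that copy can carry message content, this should be a deliberate choice and documented with a comment such as `# forensic (ruf) reports include message content`. `IgnoreMailFrom f-r-e-i.de` exempts that domain from the DMARC check while `RejectFailures true` applies to everyone else, and main.cf in this commit lists `f-r-e-i.de` as a virtual alias domain, so inbound messages claiming that domain are never verified here — presumably intended, but a comment stating why would help. `AuthservID` and `TrustedAuthservIDs` match `myhostname` in main.cf, which is the consistency OpenDMARC needs.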
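Review bot: `fastcgi_read_timeout 3600s;` in http.conf (presumably included at http level) applies to every fastcgi upstream in every site, so a single slow PHP request can hold an nginx worker connection for an hour; if the one-hour value is only needed for the large-upload site, it belongs in that server or location block, and a comment naming the use case (e.g. `# long-running uploads on the wissen site`) would justify it either way. The same applies to `client_max_body_size 512M;`, which the nest1 site then lowers to `1m` and the wissen site raises to `1G`, so the global default is effectively unused and could be dropped.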
@@ -0,0 +1,57 @@
+# Ansible controlled. Do not change this file on the remote server manually.
+server {
+ listen 80;
+ listen [::]:80;
+ server_name nest1.gemeinwohl-gesellschaft.de hamatoma.de;
+ include snippets/letsencrypt.conf;
+ server_name nest1.gemeinwohl-gesellschaft.de;
+ root /srv/www/nest1.gemeinwohl-gesellschaft.de;
+ location / {
+ return 301 https://nest1.gemeinwohl-gesellschaft.de$request_uri;
+ }
+ }
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name nest1.gemeinwohl-gesellschaft.de;
+ access_log /var/log/nginx/a_nest1.log;
+ error_log /var/log/nginx/e_nest1.log;
+
+ ssl_certificate /etc/letsencrypt/live/nest1.gemeinwohl-gesellschaft.de/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/nest1.gemeinwohl-gesellschaft.de/privkey.pem;
+ #ssl_certificate /etc/ssl/certs/nest1.gemeinwohl-gesellschaft.de.pem;
+ #ssl_certificate_key /etc/ssl/private/nest1.gemeinwohl-gesellschaft.de.key;
+
+ # Path to the root of your installation
+ root /srv/www/nest1.gemeinwohl-gesellschaft.de;
+ autoindex off;
+ client_max_body_size 1m; # set max upload size
+ fastcgi_buffers 64 4K;
+
+ index index.html index.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+ location / {
+ allow all;
+ }
+ # Optional: set long EXPIRES header on static assets
+ location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
+ expires 30d;
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+ location ~ ^(.+?\.php)(/.*)?$ {
+ try_files $1 = 404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+ fastcgi_param PATH_INFO $2;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:/run/php/php8.3-fpm.sock;
+ }
+}
diff --git a/templates.local/nginx/sites/wissen.gemeinwohl-gesellschaft.org b/templates.local/nginx/sites/wissen.gemeinwohl-gesellschaft.org
new file mode 100644
index 0000000..d1f9c93
--- /dev/null
+++ b/templates.local/nginx/sites/wissen.gemeinwohl-gesellschaft.org
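Review bot: `try_files $1 = 404;` in the PHP location of the nest1 site is, as rendered here, not the `=404` form: with the space nginx treats `=` as a second file to test and `404` as the fallback URI, so a missing script does not produce the intended 404; the line should read `try_files $1 =404;`. The same line appears in the wissen site in this commit. Unlike the zentrum site, this server has no `location ~ /\.(?!well-known).* { deny all; }`, so any dotfile under `/srv/www/nest1.gemeinwohl-gesellschaft.de` (a `.git` directory or `.env`, if one is ever present) would be served by `location / { allow all; }` — adding the same deny block keeps the three sites consistent. The port-80 block also sets `server_name` twice, once including `hamatoma.de`; merging them into one directive removes the ambiguity about whether `hamatoma.de` is meant to be served.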
@@ -0,0 +1,79 @@
+server {
+ listen 80;
+ server_name wissen.gemeinwohl-gesellschaft.org;
+ include snippets/letsencrypt.conf;
+ root /srv/www/wissen.gemeinwohl-gesellschaft.org;
+ location / {
+ return 301 https://$server_name$request_uri; # enforce https
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ server_name wissen.gemeinwohl-gesellschaft.org;
+ access_log /var/log/nginx/a_gwg.log;
+ error_log /var/log/nginx/e_gwg.log;
+
+ ssl_certificate /etc/letsencrypt/live/wissen.gemeinwohl-gesellschaft.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/wissen.gemeinwohl-gesellschaft.org/privkey.pem;
+ #ssl_certificate /etc/ssl/certs/wissen.gemeinwohl-gesellschaft.org.pem;
+ #ssl_certificate_key /etc/ssl/private/wissen.gemeinwohl-gesellschaft.org.key;
+
+
+ # Path to the root of your installation
+ root /srv/www/wissen.gemeinwohl-gesellschaft.org;
+ autoindex on;
+ client_max_body_size 1G; # set max upload size
+ fastcgi_buffers 64 4K;
+
+ rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
+ rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
+ rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+
+ index index.php;
+ error_page 403 /core/templates/403.php;
+ error_page 404 /core/templates/404.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
+ deny all;
+ }
+
+ location / {
+ # The following 2 rules are only needed with webfinger
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+ rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
+ rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
+
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+
+ try_files $uri $uri/ index.php;
+ }
+
+ location ~ ^(.+?\.php)(/.*)?$ {
+ try_files $1 = 404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+ fastcgi_param PATH_INFO $2;
+ fastcgi_param HTTPS on;
+ fastcgi_pass unix:/run/php/php8.3-fpm.sock;
+ }
+
+ # Optional: set long EXPIRES header on static assets
+ location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
+ expires 30d;
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+ location ~ /.well-known {
+ allow all;
+ }
+}
diff --git a/templates.local/nginx/sites/zentrum.gemeinwohl-gesellschaft.org b/templates.local/nginx/sites/zentrum.gemeinwohl-gesellschaft.org
new file mode 100644
index 0000000..379b0d1
--- /dev/null
+++ b/templates.local/nginx/sites/zentrum.gemeinwohl-gesellschaft.org
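Review bot: `autoindex on;` in the 443 server of the wissen site enables directory listings for the whole document root, which for an application root (the `remote.php` and `core/` paths suggest Nextcloud or ownCloud) reveals the file layout of any directory without an index file; it should be `autoindex off;` unless listings are actually wanted. The `location ~ ^/(data|config|\.ht|db_structure\.xml|README)` deny list is narrower than the vendor-recommended one for current Nextcloud, which also blocks `lib`, `3rdparty`, `templates`, `occ` and all dotfiles, so if this is a current install the upstream nginx snippet is worth comparing against. `try_files $1 = 404;` has the same spacing problem as in the nest1 site and should be `try_files $1 =404;`.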
@@ -0,0 +1,51 @@
+server{
+ listen 80;
+ #listen [::]:80;
+ server_name zentrum.gemeinwohl-gesellschaft.org;
+ include snippets/letsencrypt.conf;
+ root /srv/www/zentrum.gemeinwohl-gesellschaft.org;
+ location / {
+ return 301 https://$server_name$request_uri; # enforce https
+ }
+}
+server {
+ listen 443 ssl http2;
+ #listen [::]:443 ssl http2;
+ server_name zentrum.gemeinwohl-gesellschaft.org;
+ root /srv/www/zentrum.gemeinwohl-gesellschaft.org/public;
+
+ ssl_certificate /etc/letsencrypt/live/zentrum.gemeinwohl-gesellschaft.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/zentrum.gemeinwohl-gesellschaft.org/privkey.pem;
+ #ssl_certificate /etc/ssl/certs/zentrum.gemeinwohl-gesellschaft.org.pem;
+ #ssl_certificate_key /etc/ssl/private/zentrum.gemeinwohl-gesellschaft.org.key;
+ client_max_body_size 1G;
+ access_log /var/log/nginx/a_zentrum.log;
+ error_log /var/log/nginx/e_zentrum.log;
+
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options "nosniff";
+
+ index index.php;
+
+ charset utf-8;
+
+ location / {
+ try_files $uri $uri/ /index.php?$query_string;
+ }
+
+ location = /favicon.ico { access_log off; log_not_found off; }
+ location = /robots.txt { access_log off; log_not_found off; }
+
+ error_page 404 /index.php;
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ client_max_body_size 512M;
+ include fastcgi_params;
+ }
+
+ location ~ /\.(?!well-known).* {
+ deny all;
+ }
+}
diff --git a/templates.local/postfix/aliases b/templates.local/postfix/aliases
new file mode 100644
index 0000000..703b964
--- /dev/null
+++ b/templates.local/postfix/aliases
@@ -0,0 +1,9 @@
+# Ansible controlled: do not change on remote server manually
+#
+postmaster: root
+devnull: /dev/null
+mailer-daemon: root
+webmaster: root
+www: root
+security: root
+root: root.nest1@hamatoma.de
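Review bot: `location ~ \.php$` in the zentrum site hands any URI ending in `.php` to PHP-FPM without first confirming the script exists; adding `try_files $uri =404;` as the first line of that block (the form the nest1 and wissen sites use) avoids depending on the FPM pool's `security.limit_extensions` / `cgi.fix_pathinfo` settings, which this commit does not show. `client_max_body_size 512M;` inside that block silently overrides the `1G` set at server level for PHP requests — if that is intended, a comment saying which value governs uploads would help. The `X-Frame-Options` / `X-Content-Type-Options` headers added here are absent from the nest1 and wissen sites in this commit; moving them into a shared snippet would keep the sites consistent.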
diff --git a/templates.local/postfix/email_forwarding/main.cf b/templates.local/postfix/email_forwarding/main.cf
new file mode 100644
index 0000000..aea1821
--- /dev/null
+++ b/templates.local/postfix/email_forwarding/main.cf
@@ -0,0 +1,38 @@
+myorigin = /etc/mailname
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+#delay_warning_time = 4h
+readme_directory = no
+compatibility_level = 3.6
+
+
+#smtpd_tls_cert_file=/etc/letsencrypt/live/{{ postfix_host }}/fullchain.pem
+#smtpd_tls_key_file=/etc/letsencrypt/live/{{ postfix_host }}/privkey.pem
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+smtpd_use_tls=yes
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+myhostname = nest1.gemeinwohl-gesellschaft.de
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+
+virtual_alias_maps = hash:/etc/postfix/virtual
+virtual_alias_domains = f-r-e-i.de
+
+myorigin = /etc/mailname
+mydestination = $myhostname, localhost.{{ postfix_domain }}, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
diff --git a/templates.local/postfix/email_forwarding/master.cf b/templates.local/postfix/email_forwarding/master.cf
new file mode 100644
index 0000000..5b07173
--- /dev/null
+++ b/templates.local/postfix/email_forwarding/master.cf
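Review bot: `smtpd_tls_cert_file`/`smtpd_tls_key_file` in the email_forwarding main.cf point at the Debian snakeoil self-signed pair while the Let's Encrypt lines just above are commented out, so inbound STARTTLS on this host presents an untrusted certificate; with `smtpd_tls_security_level=may` peers still connect, but nothing lets them verify they reached nest1, and the send_only profile in the same commit already uses the `{{ postfix_host }}` Let's Encrypt paths — the two profiles should agree, or a comment should say why this one does not. `smtpd_use_tls=yes` is the legacy spelling of what `smtpd_tls_security_level=may` already sets and can be dropped, and `myorigin = /etc/mailname` is set twice. No `smtpd_milters`/`non_smtpd_milters` appear here although opendkim.conf and opendmarc.conf are added in this commit; presumably the t_dkim/t_dmarc tasks set them with postconf, in which case the socket paths must be given relative to the smtpd chroot (e.g. `unix:/opendkim/opendkim.sock`), since master.cf runs `smtpd` with chroot `y`.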
@@ -0,0 +1,138 @@ +# Ansible controlled: do not change on remote server manually +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +# Choose one: enable submission for loopback clients only, or for any client. +#127.0.0.1:submission inet n - y - - smtpd +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +# Choose one: enable submissions for loopback clients only, or for any client. 
+#127.0.0.1:submissions inet n - y - - smtpd +#submissions inet n - y - - smtpd +# -o syslog_name=postfix/submissions +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +postlog unix-dgram n - n - 1 postlogd +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. 
+# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} 
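Review bot: The only active listener in this master.cf is `smtp inet n - y - - smtpd` with chroot `y` (submission/submissions stay commented), which is what makes the `/var/spool/postfix/opendkim` and `/var/spool/postfix/opendmarc` socket locations in the milter configs of this commit reachable; a comment on that line such as `# chrooted: milter socket paths in main.cf are relative to /var/spool/postfix` would record the dependency. The pipe(8) transports `maildrop`, `uucp`, `ifmail`, `bsmtp`, `scalemail-backend` and `mailman` near the end of the hunk are carried over from the Debian default and reference users (`vmail`, `uucp`, `ftn`, `list`) that a forwarding-only host probably lacks; since an Ansible-controlled template is meant to describe the minimal known state, removing them is clearer than keeping them.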
diff --git a/templates.local/postfix/send_only/main.cf b/templates.local/postfix/send_only/main.cf
new file mode 100644
index 0000000..c6f17d2
--- /dev/null
+++ b/templates.local/postfix/send_only/main.cf
@@ -0,0 +1,31 @@
+myorigin = /etc/mailname
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+#delay_warning_time = 4h
+readme_directory = no
+compatibility_level = 3.6
+
+
+smtpd_tls_cert_file=/etc/letsencrypt/live/{{ postfix_host }}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/{{ postfix_host }}/privkey.pem
+#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = nest1.gemeinwohl-gesellschaft.de
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = $myhostname, localhost.{{ postfix_domain }}, , localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
diff --git a/templates.local/postfix/send_only/master.cf b/templates.local/postfix/send_only/master.cf
new file mode 100644
index 0000000..fd0d581
--- /dev/null
+++ b/templates.local/postfix/send_only/master.cf
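Review bot: `inet_interfaces = all` in the send_only main.cf makes smtpd listen on every interface although this profile exists for outbound mail only; the Postfix null-client pattern uses `inet_interfaces = loopback-only`, which takes port 25 off the public surface without affecting local submission through `pickup`/`sendmail`. `mynetworks` and `smtpd_relay_restrictions` already prevent relaying, so this is surface reduction rather than a relay hole, but it is the one setting that distinguishes a send-only host from a receiving one. `mydestination = $myhostname, localhost.{{ postfix_domain }}, , localhost` contains an empty element (`, ,`) that Postfix tolerates but that reads like an edit slip; the email_forwarding profile's version of the line is the clean form.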
@@ -0,0 +1,137 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+# Choose one: enable submission for loopback clients only, or for any client.
+#127.0.0.1:submission inet n - y - - smtpd
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# Instead of specifying complex smtpd__restrictions here,
+# specify "smtpd__restrictions=$mua__restrictions"
+# here, and specify mua__restrictions in main.cf (where
+# "" is "client", "helo", "sender", "relay", or "recipient").
+# -o smtpd_client_restrictions=
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+# -o smtpd_relay_restrictions=
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+# Choose one: enable submissions for loopback clients only, or for any client.
+#127.0.0.1:submissions inet n - y - - smtpd
+#submissions inet n - y - - smtpd
+# -o syslog_name=postfix/submissions
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# Instead of specifying complex smtpd__restrictions here,
+# specify "smtpd__restrictions=$mua__restrictions"
+# here, and specify mua__restrictions in main.cf (where
+# "" is "client", "helo", "sender", "relay", or "recipient").
+# -o smtpd_client_restrictions=
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+# -o smtpd_relay_restrictions=
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
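Review bot: The pipe(8) transports at the end of the hunk — `maildrop`, `uucp`, `ifmail`, `bsmtp`, `scalemail-backend`, `mailman` — are left enabled although nothing in this change references them, and the file carries no template variables at all, so it appears to be the unmodified Debian default rather than a send-only configuration. Each of those entries executes an external binary under its own account (`vmail`, `uucp`, `ftn`, `bsmtp`, `scalemail`, `list`); they are reachable only through a transport mapping, but on a relay-only host they are dead surface and belong commented out, as the `cyrus` examples already are. If this file is meant to define the listener for the role, narrowing the first service line to `127.0.0.1:smtp inet n - y - - smtpd` would make the send-only intent hold regardless of what main.cf sets for `inet_interfaces`.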
diff --git a/templates.local/postfix/virtual b/templates.local/postfix/virtual
new file mode 100644
index 0000000..3ac55ab
--- /dev/null
+++ b/templates.local/postfix/virtual
@@ -0,0 +1,10 @@
+# Ansible controlled: do not change on remote server manually
+root mail.nest1@hamatoma.de
+webmaster mail.nest1@hamatoma.de
+postmaster mail.nest1@hamatoma.de
+
+t-online@f-r-e-i.de dragon.lx@t-online.de
+gmx@f-r-e-i.de hamatoma@gmx.de
+mail@f-r-e-i.de hamatoma@mail.de
+@f-r-e-i.de hamatoma@mail.de
+
diff --git a/templates.local/readme.txt b/templates.local/readme.txt
new file mode 100644
index 0000000..bb20bd9
--- /dev/null
+++ b/templates.local/readme.txt
@@ -0,0 +1,2 @@
+Objective: This directory contains templates that are specific to the project and must be adapted for each project.
+Therefore, the files may only be copied into the project, not linked.
diff --git a/templates/nginx/hi1.txt b/templates/nginx/hi1.txt
deleted file mode 100644
index 877acc4..0000000
--- a/templates/nginx/hi1.txt
+++ /dev/null
@@ -1 +0,0 @@
-Hi 1!
diff --git a/templates/nginx/hi2.txt b/templates/nginx/hi2.txt
deleted file mode 100644
index e42aa2a..0000000
--- a/templates/nginx/hi2.txt
+++ /dev/null
@@ -1 +0,0 @@
-Hi 2!
diff --git a/templates/nginx/http.conf b/templates/nginx/http.conf
deleted file mode 100644
index 0eed601..0000000
--- a/templates/nginx/http.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-client_max_body_size 512M;
-## Detect when HTTPS is used
-map $scheme $fastcgi_https {
- default off;
- https on;
-}
-fastcgi_read_timeout 3600s;
-fastcgi_request_buffering off;
-error_log /var/log/nginx/error.log;
diff --git a/templates/nginx/index.html b/templates/nginx/index.html
deleted file mode 100644
index 0e0cbca..0000000
--- a/templates/nginx/index.html
+++ /dev/null
@@ -1,5 +0,0 @@ - -
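Review bot: The catch-all entry `@f-r-e-i.de hamatoma@mail.de` on the last non-blank line forwards every local part of the domain to an external mailbox, and the three entries above it forward to t-online.de, gmx.de and mail.de as well. Plain virtual-alias forwarding keeps the original envelope sender, so the receiving providers will evaluate SPF against this host and fail it (and DMARC where the originating domain publishes a strict policy); nothing in this change adds sender rewriting (SRS), so either add it or expect forwarded mail to be rejected or quarantined. A catch-all additionally accepts any dictionary-attack local part and turns the host into a backscatter source whenever the downstream provider rejects, so restrict the map to the named aliases unless the catch-all is really required. The file also commits personal third-party addresses to the repository in clear; since `templates.local` is documented as project-specific, these would be better kept in an Ansible vault or group vars than in the tracked template.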

Welcome to {{hostname}}!

- \ No newline at end of file diff --git a/templates/nginx/index.php b/templates/nginx/index.php deleted file mode 100644 index bfd863b..0000000 --- a/templates/nginx/index.php +++ /dev/null @@ -1,2 +0,0 @@ -