commited current state (new functions, may not work by now)

playbooks/deploy-clamav-server.yml

@@ -0,0 +1,4 @@
+---
+- hosts: clamav-servers
+  roles:
+    - deploy-clamd

playbooks/hardening/manage-ssh-keys.yaml

@@ -1,6 +1,6 @@
 - hosts: all
-  vars:
-    good_keys: "{{ lookup('env', 'good_keys') | from_json }}"
-    bad_keys: "{{ lookup('env', 'bad_keys') | from_json }}"
+  # vars:
+  #   good_keys: "{{ lookup('env', 'good_keys') | from_json }}"
+  #   bad_keys: "{{ lookup('env', 'bad_keys') | from_json }}"
   roles:
     - role: manage-ssh-keys

playbooks/managed-mailcow/count-mailboxes.yml

@@ -0,0 +1,43 @@
+---
+- name: Mailcow Mailbox Counter
+  hosts: all
+  gather_facts: no
+  tasks:
+    - import_role:
+        name: managed-mailcow
+        tasks_from: find-mailcow-composedir.yml
+
+    - name: Read mailcow.conf and extract DBROOT
+      ansible.builtin.shell: |
+        bash -c 'source {{ mailcow_dir_result.files[0].path }}/mailcow.conf && echo $DBROOT'
+      register: dbroot_output
+
+    - name: Count active mailboxes from mailcow database
+      ansible.builtin.shell: |
+        docker compose exec mysql-mailcow \
+        mysql -u root -p{{ dbroot_output.stdout }} -D mailcow -N -e \
+        "SELECT COUNT(*) FROM mailbox WHERE active=1;"
+      args:
+        chdir: "{{ mailcow_dir_result.files[0].path }}"
+      register: mailbox_count
+      changed_when: false
+
+    - name: Set fact with mailbox count as integer
+      ansible.builtin.set_fact:
+        mailbox_count_int: "{{ mailbox_count.stdout | int }}"
+
+- name: Summiere alle Mailboxen über alle Hosts
+  hosts: all
+  gather_facts: false
+  run_once: true
+  tasks:
+
+    - name: Summiere aktive Mailboxen
+      ansible.builtin.set_fact:
+        total_mailboxes: "{{ (total_mailboxes | default(0) | int) + (item.value.mailbox_count_int | default(0) | int) }}"
+      loop: "{{ hostvars | dict2items }}"
+      when: "'mailbox_count_int' in item.value"
+
+    - name: Zeige Gesamtsumme
+      ansible.builtin.debug:
+        msg: "Gesamtanzahl aktiver Mailboxen: {{ total_mailboxes }}"

playbooks/managed-mailcow/find-roundcube-versions.yaml

@@ -0,0 +1,69 @@
+---
+- name: Prüfe mailcow-Installation und extrahiere Roundcube-Version aus CHANGELOG.md
+  hosts: all
+  become: true
+  vars:
+    mailcow_search_paths:
+      - /opt
+      - /data
+      - /root
+      - /storage
+    rc_dirs:
+      - rc
+      - roundcube
+      - roundcubemail
+
+  tasks:
+    - name: Finde mailcow-dockerized Verzeichnis
+      ansible.builtin.find:
+        file_type: directory
+        paths: "{{ mailcow_search_paths }}"
+        patterns: mailcow-dockerized
+        recurse: yes
+      register: mailcow_dir_result
+      ignore_errors: true
+
+    - name: Setze mailcow_root wenn gefunden
+      ansible.builtin.set_fact:
+        mailcow_root: "{{ mailcow_dir_result.files[0].path }}"
+      when: mailcow_dir_result.matched > 0
+
+    - name: Prüfe auf Roundcube-Ordner unter data/web
+      ansible.builtin.stat:
+        path: "{{ mailcow_root }}/data/web/{{ item }}"
+      loop: "{{ rc_dirs }}"
+      register: rc_stat
+      when: mailcow_root is defined
+
+    - name: Bestimme den tatsächlichen Roundcube-Pfad
+      ansible.builtin.set_fact:
+        rc_path: "{{ mailcow_root }}/data/web/{{ item.item }}"
+      loop: "{{ rc_stat.results }}"
+      when: item.stat.exists and item.stat.isdir
+
+    - name: Prüfe ob CHANGELOG.md existiert
+      ansible.builtin.stat:
+        path: "{{ rc_path }}/CHANGELOG.md"
+      register: changelog_stat
+      when: rc_path is defined
+
+    - name: Extrahiere Version aus CHANGELOG.md
+      ansible.builtin.shell: |
+        grep -m1 -Po '(?<=## Release )\S+' {{ rc_path }}/CHANGELOG.md
+      register: rc_version
+      changed_when: false
+      when:
+        - changelog_stat.stat.exists
+        - changelog_stat.stat.isfile
+
+    - name: Gib gefundene Roundcube-Version aus
+      ansible.builtin.debug:
+        msg: "Roundcube-Version (laut CHANGELOG.md): {{ rc_version.stdout }}"
+      when: rc_version.stdout != ""
+
+    - name: Warnung wenn keine CHANGELOG.md gefunden wurde
+      ansible.builtin.debug:
+        msg: "Keine CHANGELOG.md unter {{ rc_path }} gefunden."
+      when:
+        - rc_path is defined
+        - not changelog_stat.stat.exists

playbooks/managed-mailcow/install-register-cmk-agent.yaml

@@ -0,0 +1,44 @@
+- name: "Register hosts against a remote site. Both for updates and TLS."
+  hosts: all
+  strategy: linear
+  vars:
+    # Basic server and authentication information.
+    # You have to provide the distributed setup yourself.
+    checkmk_agent_version: "2.3.0p14"
+    checkmk_agent_edition: "cee"
+    checkmk_agent_user: "automation"
+    checkmk_agent_pass: "@JQVEOANOYTUKWGALS@E"
+    # Here comes the part, where we get into remote registration
+    checkmk_agent_server_protocol: https
+    # The following should be set to the central site.
+    # This where you configure the host objects.
+    # Currently the agent package is also pulled from here.
+    checkmk_agent_server: servercow.observer
+    checkmk_agent_site: "scowmon"
+    # The following should be pointed to the respective remote site.
+    # This is where the registration will happen.
+    checkmk_agent_registration_server: "{{ checkmk_agent_server }}"
+    checkmk_agent_registration_site: "{{ checkmk_agent_site }}"
+    # The folder might differ from your remote site name,
+    # as it is the technical path. Check your configuration for this information.
+    checkmk_agent_folder: "/managed_mailcows"
+    # These options need to be enabled for all registrations to work.
+    # You can however disable the one you do not want to perform.
+    # But the host needs to be added and changes activated in any case.
+    checkmk_agent_auto_activate: 'true'
+    checkmk_agent_update: 'true'
+    checkmk_agent_tls: 'true'
+    checkmk_agent_add_host: 'true'
+    # These are some generic agent options you might want to configure.
+    checkmk_agent_discover: 'true'
+    checkmk_agent_discover_max_parallel_tasks: 2
+    checkmk_agent_force_install: 'true'
+    checkmk_agent_delegate_api_calls: localhost
+    checkmk_agent_delegate_download: "{{ inventory_hostname }}"
+    checkmk_agent_host_name: "{{ inventory_hostname }}"
+    checkmk_agent_host_folder: "{{ checkmk_agent_folder }}"
+    checkmk_agent_host_ip: "{{ ansible_host }}"
+    checkmk_agent_host_attributes:
+      ipaddress: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+  roles:
+    - checkmk.general.agent

playbooks/managed-mailcow/update-mailcow.yaml

@@ -1,14 +1,27 @@
 - name: Update mailcow (update.sh)
   hosts: all
+  vars:
+    github_mailcow_ver: "2025-09b" # GitHub Version Tag | Value to compare the current running mailcow version to.
+    disk_space_percent_max: "97" # Number in percent | Defines the max allowed disk utilization until ansible is not updating mailcow automatically
+    debug: true # Or False if you dont' wanna see verbose outputs of role outputs
   tasks:
     - import_role:
         name: roles/managed-mailcow
         tasks_from: find-mailcow-composedir.yml
-    
+
+    - import_role:
+        name: roles/managed-mailcow
+        tasks_from: install-mailcow-components.yml
+
     - import_role:
         name: roles/managed-mailcow
         tasks_from: update-mailcow.yml
-      vars:
-        github_mailcow_ver: "2024-11b" # GitHub Version Tag | Value to compare the current running mailcow version to.
-        disk_space_percent_max: "97" # Number in percent | Defines the max allowed disk utilization until ansible is not updating mailcow automatically
-        debug: true # Or False if you dont' wanna see verbose outputs of role outputs
+
+    - import_role:
+        name: roles/docker
+        tasks_from: restart-daemon.yml
+      when: github_mailcow_ver == "2025-09b" # Only restart docker if mailcow was updated
+    
+    - import_role:
+        name: roles/docker
+        tasks_from: cleanup-all.yml

playbooks/os-change-mirror.yml

@@ -0,0 +1,17 @@
+- name: "Change Mirror"
+  hosts: all
+  tasks:
+    - name: Verify if system is Debian
+      ansible.builtin.debug:
+        msg: "This playbook is running on a Debian system."
+      when: ansible_os_family == "Debian"
+
+    - name: Stop playbook if system is not Debian
+      ansible.builtin.fail:
+        msg: "This playbook only supports Debian."
+      when: ansible_os_family != "Debian"
+
+    - name: Include OS change mirror role
+      ansible.builtin.include_role:
+        name: os-updates
+        tasks_from: update_mirrors

playbooks/os-major-upgrade.yml

@@ -0,0 +1,20 @@
+- hosts: all
+  vars:
+    os_update_major_version: true # Can either be true or false | To toggle if systems need to be upgraded to newer codename
+    os_update_version_codename: "trixie" # Change to switch major release (e.g. bookworm or trixie) | Used for jinja2 Template fill in as it determines the current codename of system where ansible is run on
+  tasks:
+    - name: Verify if system is Debian
+      debug:
+        msg: "This playbook is running on a Debian system."
+      when: ansible_os_family == "Debian"
+
+    - name: Stop playbook if system is not Debian
+      fail:
+        msg: "This playbook only supports Debian."
+      when: ansible_os_family != "Debian"
+
+    - name: Include OS update role
+      ansible.builtin.include_role:
+        name: os-updates
+        tasks_from: update_major_version
+      when: ansible_os_family == "Debian"

playbooks/os-update.yml

@@ -1,4 +1,7 @@
 - hosts: all
+  vars:
+    os_update_major_version: true # Can either be true or false | To toggle if systems need to be upgraded to newer codename
+    os_update_version_codename: "trixie" # Change to switch major release (e.g. bookworm or trixie) | Used for jinja2 Template fill in as it determines the current codename of system where ansible is run on
   tasks:
     - name: Verify if system is Debian
       debug:

playbooks/setup-checkmk-monitoring.yml

@@ -0,0 +1,35 @@
+- name: "Setup CheckMK Monitoring"
+  hosts: all
+  vars_files:
+    - ../vault.yml
+  tasks:
+    - name: "Import create Host Task"
+      become: true
+      ansible.builtin.import_role:
+        name: checkmk-monitoring
+        tasks_from: create-host.yaml
+
+    - name: "Import sign-bake-agents Task"
+      become: true
+      ansible.builtin.import_role:
+        name: checkmk-monitoring
+        tasks_from: sign-bake-agents.yaml
+      ignore_errors: true
+
+    - name: "Register hosts against a remote site. Both for updates and TLS."
+      import_role:
+        name: checkmk.general.agent
+      tags:
+        - checkmk-deploy
+
+    - name: "Wait 2 Minutes for CheckMK Agent to be ready"
+      ansible.builtin.pause:
+        minutes: 2
+      tags:
+        - checkmk-deploy
+
+    - name: "Import discover-host Task"
+      become: true
+      ansible.builtin.import_role:
+        name: checkmk-monitoring
+        tasks_from: discover-host.yaml

playbooks/setup-chronyd.yml

@@ -0,0 +1,12 @@
+- name: "Setup chronyd"
+  hosts: all
+  tasks:
+    - name: Verify if system is Debian or Ubuntu
+      ansible.builtin.debug:
+        msg: "This playbook is running on a Debian or Ubuntu system."
+      when: ansible_os_family in ["Debian", "Ubuntu"]
+
+    - name: Import chronyd role
+      ansible.builtin.include_role:
+        name: system
+        tasks_from: setup-timeserver