Plugin (scaffold): configuration/mailcow with native Keycloak OIDC SSO defaults and Traefik integration examples (v2 labels, v3 file-provider and labels).
Plugin (scaffold): configuration/nextcloud-hpb for Nextcloud with Talk High Performance Backend, optional external DB/Redis, and TURN support.
Plugin: configuration/turn shared coturn service (UDP 3478/5349 by default) with hardened container settings for multi-consumer use (Nextcloud, NetBird, VoIP).
Keycloak role: plugins/configuration/keycloak/roles/manage_clients to programmatically create/update OIDC clients; includes example playbook for Mailcow client.
Docs: Security sections for Keycloak and NetBird Controller READMEs.
Docs: Conventions section in plugins/README.md and stack-style skeleton in _TEMPLATE_/playbook.yml.
Changed
Initializer moved to scripts/init_ansible_project.sh; root file now delegates to the scripts path.
Installer hardened: umask 077, rsync --safe-links, backup dir 700 perms, denylist for user-owned areas.
CI now regenerates plugin artifacts (requirements, lockfile, index) and fails on diffs to enforce committed artifacts.
Consistency sweep across playbooks: added deploy gating (<ns>.deploy | default(true)), preflight summaries, standardized tags (preflight, render, deploy, health), and container health asserts where applicable.
Keycloak and Traefik playbooks aligned with standardized structure; NetBird client and NetBox sync tagged and validated.
Nextcloud HPB: embedded TURN defaults moved to UDP 3479/5350 to avoid conflicts with shared TURN (3478/5349).
Mailcow README: added Traefik v2/v3 integration examples and native OIDC field mapping cheatsheet.
Fixed
Minor ShellCheck issues and safer defaults in setup.sh.
Documentation updates for README requirements, schema validation, lockfile, and collections install path strategy.
YAML lint fixes (duplicate pre_tasks in inventory/netbox_sync/playbook.yml).
Added
setup.shfront-door for fresh installs and updates (channel/tag resolution, dry-run, backups, change summary).--insecure-verify)..envusage, option precedence, and a compact option reference.plugins/tools/validate_readme.py --strict) and local warn-only pre-commit hook.meta.yml(plugins/schema/meta.schema.json) and validator with strict CI enforcement.plugins/collections/requirements.lock.yml) with pre-commit and CI enforcement.listUX with--sort,--columns,--format, and colorized output (--no-color).configuration/traefikhardened Traefik v2 proxy (ACME HTTP-01/TLS-ALPN-01, HTTPS redirect, security headers, reusable rate-limit middleware, external network).configuration/mailcowwith native Keycloak OIDC SSO defaults and Traefik integration examples (v2 labels, v3 file-provider and labels).configuration/nextcloud-hpbfor Nextcloud with Talk High Performance Backend, optional external DB/Redis, and TURN support.configuration/turnshared coturn service (UDP 3478/5349 by default) with hardened container settings for multi-consumer use (Nextcloud, NetBird, VoIP).plugins/configuration/keycloak/roles/manage_clientsto programmatically create/update OIDC clients; includes example playbook for Mailcow client.plugins/README.mdand stack-style skeleton in_TEMPLATE_/playbook.yml.Changed
scripts/init_ansible_project.sh; root file now delegates to the scripts path.umask 077, rsync--safe-links, backup dir700perms, denylist for user-owned areas.<ns>.deploy | default(true)), preflight summaries, standardized tags (preflight,render,deploy,health), and container health asserts where applicable.Fixed
setup.sh.pre_tasksininventory/netbox_sync/playbook.yml).