feat(net_config): support IPForward and IPMasquerade in network config

Drop separate dataset-ownership.yml task file. Use
extra_zfs_properties.mountpoint directly instead of zfs get.
Add rmdir cleanup for absent dataset mountpoints.

README.md

@@ -77,7 +77,8 @@ If you have a password on your ssh key `--ask-pass` is recommended, `--ask-becom
 ```sh
 ansible-playbook -i inventory/hosts.yml playbook.yml \
 --ask-pass \
---ask-become-pass
+--ask-become-pass \
+--ask-vault-pass
 ```
 
 You can also call you ssh agent to unlock your key prior to simplify your calls:

roles/fdroid/README.md

@@ -0,0 +1,71 @@
+# fdroid - F-Droid Custom APK Repository
+
+Deploys an [F-Droid](https://f-droid.org/) repository server using [austozi/fdroidserver](https://github.com/austozi/docker-fdroidserver) to host custom APKs for family devices.
+
+## Configuration
+
+### Required Variables
+
+Set in inventory or vault:
+
+```yaml
+fdroid_keystore_password: "your-secure-password-here"  # Min 12 chars
+```
+
+### Optional Variables
+
+See [defaults/main.yml](defaults/main.yml) for all configuration options.
+
+Key settings:
+
+```yaml
+fdroid_version: "26.2.1"
+fdroid_port: 8070
+fdroid_repo_url: "https://apk.jokester.fr/repo"
+fdroid_repo_name: "F-Droid Repository"
+fdroid_repo_description: "Custom APK repository"
+fdroid_update_interval: "12h"
+
+# Nginx reverse proxy
+fdroid_nginx_enabled: false
+fdroid_nginx_hostname: apk.nas.local
+```
+
+## Usage
+
+### Adding APKs
+
+```bash
+scp my-app.apk jokester@andromeda:/opt/podman/fdroid/data/repo/
+```
+
+The container automatically re-runs `fdroid update` every `fdroid_update_interval` (default: 12h) to regenerate the signed index.
+
+To trigger an immediate update:
+
+```bash
+ssh jokester@andromeda "podman exec fdroid-server fdroid update -c"
+```
+
+### F-Droid Client Setup
+
+On family phones, open F-Droid and add a new repository:
+
+- **Repository URL:** `https://apk.jokester.fr/repo`
+- Accept the fingerprint on first connection
+
+### Keystore Backup
+
+The signing keystore at `{{ podman_projects_dir }}/fdroid/data/keystore.p12` is critical. If lost, all clients must re-add the repository. Back it up.
+
+## Architecture
+
+- **Container**: `austozi/fdroidserver` (Apache + fdroidserver + Android build-tools)
+- **Storage**: Persistent data directory for keystore, config, metadata, and APKs
+- **Networking**: Localhost binding, nginx reverse proxy for HTTPS
+- **Index updates**: Automatic on configurable interval
+
+## Dependencies
+
+- podman
+- nginx (if `fdroid_nginx_enabled: true`)

roles/fdroid/defaults/main.yml

@@ -0,0 +1,29 @@
+---
+# F-Droid repository version (austozi/fdroidserver image tag)
+fdroid_version: "26.2.1"
+
+# Container image
+fdroid_image: austozi/fdroidserver
+
+# Host port mapping
+fdroid_port: 8070
+
+# Data directory (keystore, config, metadata, repo APKs)
+fdroid_data_dir: "{{ podman_projects_dir }}/fdroid/data"
+
+# Repository metadata
+fdroid_repo_url: "https://apk.mysite.fr/repo"
+fdroid_repo_name: "F-Droid Repository"
+fdroid_repo_description: "Custom APK repository"
+fdroid_repo_icon: "fdroid.svg"
+fdroid_repo_icon_url: "https://f-droid.org/assets/fdroid-logo-text_S0MUfk_FsnAYL7n2MQye-34IoSNm6QM6xYjDnMqkufo=.svg"
+
+# How often the container re-runs 'fdroid update' to re-sign the index
+fdroid_update_interval: "24h"
+
+# Keystore password for signing the repository index
+# fdroid_keystore_password: ""  # Intentionally undefined - role will fail if not set
+
+# Nginx reverse proxy configuration
+fdroid_nginx_enabled: false
+fdroid_nginx_hostname: apk.nas.local

roles/fdroid/handlers/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Reload systemd user
+  ansible.builtin.systemd:
+    daemon_reload: true
+    scope: user
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Restart fdroid
+  ansible.builtin.systemd:
+    name: fdroid.service
+    state: restarted
+    scope: user
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Reload nginx
+  ansible.builtin.systemd:
+    name: nginx
+    state: reloaded

roles/fdroid/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: podman

roles/fdroid/tasks/main.yml

@@ -0,0 +1,179 @@
+---
+- name: Validate required passwords are set
+  ansible.builtin.assert:
+    that:
+      - fdroid_keystore_password is defined
+      - fdroid_keystore_password | length >= 12
+    fail_msg: |
+      fdroid_keystore_password is required (min 12 chars).
+      See roles/fdroid/defaults/main.yml for configuration instructions.
+    success_msg: "Password validation passed"
+
+- name: Create fdroid project directory
+  ansible.builtin.file:
+    path: "{{ podman_projects_dir | default('/opt/podman') }}/fdroid"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+
+- name: Create fdroid data directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+  loop:
+    - "{{ fdroid_data_dir }}"
+    - "{{ fdroid_data_dir }}/repo"
+    - "{{ fdroid_data_dir }}/metadata"
+
+- name: Create fdroid repo icons directory
+  ansible.builtin.file:
+    path: "{{ fdroid_data_dir }}/repo/icons"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+
+- name: Download fdroid repository icon
+  ansible.builtin.get_url:
+    url: "{{ fdroid_repo_icon_url }}"
+    dest: "{{ fdroid_data_dir }}/repo/icons/{{ fdroid_repo_icon }}"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0644"
+
+- name: Deploy fdroid repository configuration
+  ansible.builtin.template:
+    src: config.yml.j2
+    dest: "{{ fdroid_data_dir }}/config.yml"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0600"
+  notify: Restart fdroid
+
+- name: Pull fdroid container image
+  ansible.builtin.command: "podman pull {{ fdroid_image }}:{{ fdroid_version }}"
+  changed_when: pull_result.stdout is search('Writing manifest')
+  register: pull_result
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Deploy Kubernetes YAML for fdroid
+  ansible.builtin.template:
+    src: fdroid.yaml.j2
+    dest: "{{ podman_projects_dir | default('/opt/podman') }}/fdroid/fdroid.yaml"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0644"
+  notify: Restart fdroid
+
+- name: Get home directory for {{ ansible_user }}
+  ansible.builtin.getent:
+    database: passwd
+    key: "{{ ansible_user }}"
+
+- name: Set user home directory fact
+  ansible.builtin.set_fact:
+    user_home_dir: "{{ ansible_facts['getent_passwd'][ansible_user][4] }}"
+
+- name: Create systemd user directory for fdroid
+  ansible.builtin.file:
+    path: "{{ user_home_dir }}/.config/systemd/user"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0755"
+
+- name: Create systemd service for fdroid (user scope)
+  ansible.builtin.template:
+    src: fdroid.service.j2
+    dest: "{{ user_home_dir }}/.config/systemd/user/fdroid.service"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: "0644"
+  notify: Reload systemd user
+
+- name: Check if lingering is enabled for {{ ansible_user }}
+  ansible.builtin.stat:
+    path: "/var/lib/systemd/linger/{{ ansible_user }}"
+  register: linger_file
+
+- name: Enable lingering for user {{ ansible_user }}
+  ansible.builtin.command: "loginctl enable-linger {{ ansible_user }}"
+  changed_when: true
+  when:
+    - ansible_user != 'root'
+    - not linger_file.stat.exists
+
+- name: Check if keystore already exists
+  ansible.builtin.stat:
+    path: "{{ fdroid_data_dir }}/keystore.p12"
+  register: fdroid_keystore
+
+- name: Initialize fdroid repository (generate keystore and first index)
+  ansible.builtin.command:
+    argv:
+      - podman
+      - run
+      - --rm
+      - -v
+      - "{{ fdroid_data_dir }}:/fdroid"
+      - -e
+      - "FDROID_REPO_URL={{ fdroid_repo_url }}"
+      - -e
+      - "FDROID_REPO_NAME={{ fdroid_repo_name }}"
+      - -e
+      - "FDROID_REPO_DESCRIPTION={{ fdroid_repo_description }}"
+      - -e
+      - "FDROID_REPO_ICON={{ fdroid_repo_icon }}"
+      - "{{ fdroid_image }}:{{ fdroid_version }}"
+      - "fdroid update -c --create-key"
+  when: not fdroid_keystore.stat.exists
+  register: fdroid_init
+  changed_when: fdroid_init.rc == 0
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Flush handlers before starting fdroid
+  ansible.builtin.meta: flush_handlers
+
+- name: Enable and start fdroid service (user scope)
+  ansible.builtin.systemd:
+    name: fdroid.service
+    enabled: true
+    state: started
+    scope: user
+  become: false
+  become_user: "{{ ansible_user }}"
+
+- name: Wait for fdroid to be ready
+  ansible.builtin.wait_for:
+    port: "{{ fdroid_port }}"
+    host: 127.0.0.1
+    timeout: 60
+
+- name: Provision TLS certificate for fdroid
+  ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"
+  vars:
+    certbot_hostname: "{{ fdroid_nginx_hostname }}"
+  when: fdroid_nginx_enabled
+
+- name: Deploy nginx vhost configuration for fdroid
+  ansible.builtin.template:
+    src: nginx-vhost.conf.j2
+    dest: "{{ nginx_conf_dir | default('/etc/nginx/conf.d') }}/fdroid.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  when: fdroid_nginx_enabled
+  notify: Reload nginx
+
+- name: Remove nginx vhost configuration for fdroid
+  ansible.builtin.file:
+    path: "{{ nginx_conf_dir | default('/etc/nginx/conf.d') }}/fdroid.conf"
+    state: absent
+  when: not fdroid_nginx_enabled
+  notify: Reload nginx

roles/fdroid/templates/config.yml.j2

@@ -0,0 +1,14 @@
+# F-Droid repository configuration
+# Managed by Ansible - DO NOT EDIT MANUALLY
+
+repo_url: "{{ fdroid_repo_url }}"
+repo_name: "{{ fdroid_repo_name }}"
+repo_description: "{{ fdroid_repo_description }}"
+repo_icon: "{{ fdroid_repo_icon }}"
+
+# Keystore configuration (auto-generated on first 'fdroid update -c --create-key')
+repo_keyalias: fdroid-repo-key
+keystore: keystore.p12
+keystorepass: "{{ fdroid_keystore_password }}"
+keypass: "{{ fdroid_keystore_password }}"
+keydname: "CN={{ fdroid_nginx_hostname }}"

roles/fdroid/templates/nginx-vhost.conf.j2

@@ -0,0 +1,56 @@
+# F-Droid repository vhost with Let's Encrypt (Certbot)
+# Managed by Ansible - DO NOT EDIT MANUALLY
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ fdroid_nginx_hostname }};
+
+    # Certbot webroot for ACME challenges
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Redirect to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name {{ fdroid_nginx_hostname }};
+
+    # Let's Encrypt certificates (managed by Certbot)
+    ssl_certificate /etc/letsencrypt/live/{{ fdroid_nginx_hostname }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ fdroid_nginx_hostname }}/privkey.pem;
+
+    # SSL configuration
+    ssl_protocols {{ nginx_ssl_protocols | default('TLSv1.3') }};
+    ssl_prefer_server_ciphers on;
+
+{% if nginx_log_backend | default('journald') == 'journald' %}
+    access_log syslog:server=unix:/dev/log,nohostname,tag=nginx_fdroid;
+    error_log syslog:server=unix:/dev/log,nohostname,tag=nginx_fdroid;
+{% else %}
+    access_log /var/log/nginx/{{ fdroid_nginx_hostname }}_access.log main;
+    error_log /var/log/nginx/{{ fdroid_nginx_hostname }}_error.log;
+{% endif %}
+
+    # Allow large APK uploads if ever needed
+    client_max_body_size 200M;
+
+    # Redirect root to /repo for F-Droid client compatibility
+    location = / {
+        return 302 /repo;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:{{ fdroid_port }};
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

roles/net_config/templates/systemd.network.j2

@@ -14,6 +14,12 @@ RouteMetric={{ interface.ipv4.metric }}
 {% if interface.type is defined and interface.type == 'bridge' %}
 ConfigureWithoutCarrier=yes
 {% endif %}
+{% if interface.ipv4.forward | default(false) %}
+IPForward=ipv4
+{% endif %}
+{% if interface.ipv4.masquerade | default(false) %}
+IPMasquerade=ipv4
+{% endif %}
 {% if interface.ipv4.nameservers is defined %}
 {% for dns in interface.ipv4.nameservers %}
 DNS={{ dns }}

roles/nut/README.md

@@ -0,0 +1,88 @@
+# nut — Network UPS Tools
+
+Monitors a UPS over USB (or serial/network), notifies via ntfy on power events
+and gracefully shuts the host down on low battery.
+
+## Supported distributions
+
+- Arch Linux
+- Debian/Ubuntu
+
+## What it does
+
+- Installs `nut` and configures it in **standalone** mode (single host, no
+  network slaves).
+- Configures the `usbhid-ups` driver against the UPS defined in `nut_ups_name`
+  (default: EATON Ellipse 1600, vendorid `0463`).
+- Binds `upsd` to `127.0.0.1:3493` only — no LAN exposure.
+- Runs `upsmon` as master, which:
+  - calls `SHUTDOWNCMD` (`systemctl poweroff`) on `LOWBATT`,
+  - dispatches every event to a `NOTIFYCMD` wrapper that POSTs to ntfy with
+    severity, tags and a host-aware title.
+
+## Configuration
+
+Variables — see [defaults/main.yml](defaults/main.yml).
+
+Required (role asserts at start):
+
+```yaml
+nut_monitor_password: "<min 12 chars>"  # local upsd user used by upsmon + exporter
+nut_ntfy_topic: "ups-<host>"
+```
+
+Optional but commonly tweaked:
+
+```yaml
+nut_ups_name: eaton
+nut_ups_description: "EATON Ellipse 1600"
+nut_ups_vendorid: "0463"
+nut_ntfy_server: https://ntfy.jokester.fr
+nut_ntfy_token: "tk_..."  # publish token for nut_ntfy_topic
+```
+
+## Operations
+
+### Check UPS status
+
+```bash
+upsc {{ nut_ups_name }}@localhost
+```
+
+### List configured UPSes
+
+```bash
+upsc -l
+```
+
+### Test the NOTIFYCMD pipeline without unplugging
+
+```bash
+sudo -u nut NOTIFYTYPE=ONBATT /usr/local/bin/ups-notify "Simulated ONBATT for ntfy plumbing test"
+```
+
+### Simulate a full power loss (DANGEROUS — actually powers off)
+
+```bash
+sudo upsmon -c fsd
+```
+
+### Logs
+
+```bash
+journalctl -u nut-monitor -u nut-server -u 'nut-driver@*' -f
+```
+
+## Security
+
+- `upsd` binds to `127.0.0.1` only.
+- `upsd.users` mode `0640` owned by `root:nut`.
+- No anonymous read access — exporter and upsmon both authenticate as
+  `nut_monitor_user`.
+- udev rules shipped by the `nut` package grant USB device access to the `nut`
+  group only.
+
+## Companion role
+
+See [`nut_exporter`](../nut_exporter/README.md) to expose Prometheus metrics
+based on the same upsd instance.

roles/nut/defaults/main.yml

@@ -0,0 +1,63 @@
+---
+# NUT (Network UPS Tools) configuration
+# See: https://networkupstools.org/docs/man/upsmon.conf.html
+
+# UPS definition
+# --------------
+# Logical name of the UPS as referenced everywhere (ups.conf section, upsmon
+# MONITOR line, nut_exporter ?ups= query parameter).
+nut_ups_name: eaton
+
+# Human-readable description (shown in upsc output).
+nut_ups_description: "EATON Ellipse 1600"
+
+# Driver to use. usbhid-ups covers all USB HID-compliant UPSes (EATON, APC,
+# CyberPower, etc.). See: https://networkupstools.org/stable-hcl.html
+nut_ups_driver: usbhid-ups
+
+# USB vendorid filter (EATON = 0463). Helps disambiguate if multiple USB HID
+# devices are present. Leave empty to auto-detect.
+nut_ups_vendorid: "0463"
+
+# Driver polling interval in seconds. Some Eaton/MGE units lock up if polled too
+# aggressively (the default is 2). 10-15s gives the microcontroller breathing room.
+nut_ups_pollinterval: 15
+# Number of connection attempts before the driver gives up. If the USB chip
+# freezes, the driver will try to reopen the port up to this many times.
+nut_ups_maxretry: 3
+
+# upsd server
+# -----------
+# Bind addresses for upsd. Keep localhost-only unless you want to monitor from
+# other hosts (in which case add the wireguard IP and adjust firewall).
+nut_upsd_listen:
+  - { addr: "127.0.0.1", port: 3493 }
+
+# Local monitor user used by upsmon and nut_exporter. Password must be set.
+nut_monitor_user: monitor
+# nut_monitor_password: ""  # Intentionally undefined - role will fail if not set
+
+# upsmon (shutdown manager + NOTIFYCMD dispatcher)
+# ------------------------------------------------
+# Battery charge percentage below which an early shutdown is triggered, even if
+# the UPS has not yet asserted LOWBATT. Set to 0 to rely solely on LOWBATT.
+nut_upsmon_minsupplies: 1
+nut_upsmon_pollfreq: 5         # seconds between polls when on line power
+nut_upsmon_pollfreqalert: 5    # seconds between polls when on battery
+nut_upsmon_deadtime: 15        # seconds before declaring a UPS dead
+nut_upsmon_hostsync: 15        # seconds to wait for slaves before shutting down
+nut_upsmon_finaldelay: 5       # seconds between SHUTDOWN notification and poweroff
+
+# Command run on the host once the master decides it is time to power off.
+# systemctl poweroff is sufficient for a single-host standalone setup.
+nut_upsmon_shutdown_cmd: "/usr/bin/systemctl poweroff"
+
+# ntfy notifications
+# ------------------
+# Topic to publish UPS events to. Should be a dedicated topic for power events.
+# nut_ntfy_topic: ""  # Intentionally undefined - role will fail if not set
+nut_ntfy_server: https://ntfy.jokester.fr
+# nut_ntfy_token: ""  # Intentionally undefined - unauthenticated if not set
+
+# Path of the deployed NOTIFYCMD wrapper.
+nut_notify_script_path: /usr/local/bin/ups-notify

roles/nut/handlers/main.yml

@@ -0,0 +1,15 @@
+---
+- name: Restart NUT driver enumerator
+  ansible.builtin.systemd:
+    name: nut-driver-enumerator.service
+    state: restarted
+
+- name: Restart NUT server
+  ansible.builtin.systemd:
+    name: nut-server.service
+    state: restarted
+
+- name: Restart NUT monitor
+  ansible.builtin.systemd:
+    name: nut-monitor.service
+    state: restarted

roles/nut/meta/main.yml

@@ -0,0 +1,2 @@
+---
+dependencies: []

roles/nut/tasks/main.yml

@@ -0,0 +1,97 @@
+---
+- name: Validate required configuration
+  ansible.builtin.assert:
+    that:
+      - nut_monitor_password is defined
+      - nut_monitor_password | length >= 12
+      - nut_ntfy_topic is defined
+      - nut_ntfy_topic | length > 0
+    fail_msg: |
+      nut_monitor_password (>=12 chars) and nut_ntfy_topic are required.
+      See roles/nut/defaults/main.yml for configuration.
+
+- name: Load OS-specific variables
+  ansible.builtin.include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_facts['os_family'] }}.yml"
+    - debian.yml
+
+- name: Install NUT
+  ansible.builtin.package:
+    name: "{{ nut_package }}"
+    state: present
+
+- name: Ensure NUT config directory exists
+  ansible.builtin.file:
+    path: "{{ nut_config_dir }}"
+    state: directory
+    owner: root
+    group: "{{ nut_group }}"
+    mode: "0750"
+
+- name: Set NUT to standalone mode
+  ansible.builtin.copy:
+    dest: "{{ nut_config_dir }}/nut.conf"
+    content: |
+      # Managed by Ansible - DO NOT EDIT MANUALLY
+      MODE=standalone
+    owner: root
+    group: "{{ nut_group }}"
+    mode: "0640"
+  notify:
+    - Restart NUT driver enumerator
+    - Restart NUT server
+    - Restart NUT monitor
+
+- name: Deploy ups.conf
+  ansible.builtin.template:
+    src: ups.conf.j2
+    dest: "{{ nut_config_dir }}/ups.conf"
+    owner: root
+    group: "{{ nut_group }}"
+    mode: "0640"
+  notify:
+    - Restart NUT driver enumerator
+    - Restart NUT server
+
+- name: Deploy upsd.conf
+  ansible.builtin.template:
+    src: upsd.conf.j2
+    dest: "{{ nut_config_dir }}/upsd.conf"
+    owner: root
+    group: "{{ nut_group }}"
+    mode: "0640"
+  notify: Restart NUT server
+
+- name: Deploy upsd.users
+  ansible.builtin.template:
+    src: upsd.users.j2
+    dest: "{{ nut_config_dir }}/upsd.users"
+    owner: root
+    group: "{{ nut_group }}"
+    mode: "0640"
+  notify: Restart NUT server
+
+- name: Deploy ntfy NOTIFYCMD script
+  ansible.builtin.template:
+    src: ups-notify.sh.j2
+    dest: "{{ nut_notify_script_path }}"
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: Deploy upsmon.conf
+  ansible.builtin.template:
+    src: upsmon.conf.j2
+    dest: "{{ nut_config_dir }}/upsmon.conf"
+    owner: root
+    group: "{{ nut_group }}"
+    mode: "0640"
+  notify: Restart NUT monitor
+
+- name: Enable and start NUT services
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    enabled: true
+    state: started
+  loop: "{{ nut_services }}"

roles/nut/templates/ups-notify.sh.j2

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# Managed by Ansible - DO NOT EDIT MANUALLY
+#
+# Wrapper invoked by upsmon as NOTIFYCMD.
+# upsmon passes the rendered NOTIFYMSG as $1 and sets NOTIFYTYPE in the env.
+# See: https://networkupstools.org/docs/man/upsmon.conf.html
+set -euo pipefail
+
+NTFY_SERVER="{{ nut_ntfy_server }}"
+NTFY_TOPIC="{{ nut_ntfy_topic }}"
+{% if nut_ntfy_token is defined %}
+NTFY_TOKEN="{{ nut_ntfy_token }}"
+{% else %}
+NTFY_TOKEN=""
+{% endif %}
+
+MESSAGE="${1:-UPS event}"
+EVENT="${NOTIFYTYPE:-UNKNOWN}"
+HOST="$(uname -n)"
+
+case "$EVENT" in
+  ONBATT)
+    TITLE="UPS on battery — $HOST"
+    PRIORITY="urgent"
+    TAGS="warning,electric_plug"
+    ;;
+  LOWBATT)
+    TITLE="UPS low battery — $HOST"
+    PRIORITY="urgent"
+    TAGS="rotating_light,battery"
+    ;;
+  FSD|SHUTDOWN)
+    TITLE="UPS forced shutdown — $HOST"
+    PRIORITY="max"
+    TAGS="skull"
+    ;;
+  ONLINE)
+    TITLE="UPS back on line power — $HOST"
+    PRIORITY="default"
+    TAGS="white_check_mark,zap"
+    ;;
+  COMMBAD|NOCOMM)
+    TITLE="UPS communication lost — $HOST"
+    PRIORITY="high"
+    TAGS="warning,satellite"
+    ;;
+  COMMOK)
+    TITLE="UPS communication restored — $HOST"
+    PRIORITY="default"
+    TAGS="white_check_mark"
+    ;;
+  REPLBATT)
+    TITLE="UPS battery needs replacement — $HOST"
+    PRIORITY="high"
+    TAGS="battery,wrench"
+    ;;
+  *)
+    TITLE="UPS event ($EVENT) — $HOST"
+    PRIORITY="default"
+    TAGS="information_source"
+    ;;
+esac
+
+auth_args=()
+if [[ -n "$NTFY_TOKEN" ]]; then
+  auth_args=(-H "Authorization: Bearer $NTFY_TOKEN")
+fi
+
+# --max-time is important: upsmon will hang on poweroff if curl blocks.
+curl -fsS --max-time 10 \
+  "${auth_args[@]}" \
+  -H "Title: $TITLE" \
+  -H "Priority: $PRIORITY" \
+  -H "Tags: $TAGS" \
+  -d "$MESSAGE" \
+  "${NTFY_SERVER%/}/${NTFY_TOPIC}" >/dev/null || \
+  logger -t ups-notify "Failed to publish ntfy notification for $EVENT"

roles/nut/templates/ups.conf.j2

@@ -0,0 +1,12 @@
+# Managed by Ansible - DO NOT EDIT MANUALLY
+# See: https://networkupstools.org/docs/man/ups.conf.html
+
+[{{ nut_ups_name }}]
+  driver = {{ nut_ups_driver }}
+  port = auto
+  desc = "{{ nut_ups_description }}"
+  pollinterval = {{ nut_ups_pollinterval }}
+  maxretry = {{ nut_ups_maxretry }}
+{% if nut_ups_vendorid %}
+  vendorid = {{ nut_ups_vendorid }}
+{% endif %}

roles/nut/templates/upsd.conf.j2

@@ -0,0 +1,6 @@
+# Managed by Ansible - DO NOT EDIT MANUALLY
+# See: https://networkupstools.org/docs/man/upsd.conf.html
+
+{% for listen in nut_upsd_listen %}
+LISTEN {{ listen.addr }} {{ listen.port }}
+{% endfor %}

roles/nut/templates/upsd.users.j2

@@ -0,0 +1,6 @@
+# Managed by Ansible - DO NOT EDIT MANUALLY
+# See: https://networkupstools.org/docs/man/upsd.users.html
+
+[{{ nut_monitor_user }}]
+  password = {{ nut_monitor_password }}
+  upsmon master

roles/nut/templates/upsmon.conf.j2

@@ -0,0 +1,37 @@
+# Managed by Ansible - DO NOT EDIT MANUALLY
+# See: https://networkupstools.org/docs/man/upsmon.conf.html
+
+MONITOR {{ nut_ups_name }}@localhost {{ nut_upsmon_minsupplies }} {{ nut_monitor_user }} {{ nut_monitor_password }} master
+
+MINSUPPLIES {{ nut_upsmon_minsupplies }}
+SHUTDOWNCMD "{{ nut_upsmon_shutdown_cmd }}"
+NOTIFYCMD "{{ nut_notify_script_path }}"
+
+POLLFREQ {{ nut_upsmon_pollfreq }}
+POLLFREQALERT {{ nut_upsmon_pollfreqalert }}
+DEADTIME {{ nut_upsmon_deadtime }}
+HOSTSYNC {{ nut_upsmon_hostsync }}
+FINALDELAY {{ nut_upsmon_finaldelay }}
+
+# Default notification messages (overridable per event).
+NOTIFYMSG ONLINE   "UPS %s is back on line power"
+NOTIFYMSG ONBATT   "UPS %s is on battery (mains lost)"
+NOTIFYMSG LOWBATT  "UPS %s battery is low — shutdown imminent"
+NOTIFYMSG FSD      "UPS %s forced shutdown in progress"
+NOTIFYMSG COMMOK   "Communications with UPS %s restored"
+NOTIFYMSG COMMBAD  "Communications with UPS %s lost"
+NOTIFYMSG SHUTDOWN "System is shutting down due to UPS %s"
+NOTIFYMSG REPLBATT "UPS %s battery needs replacement"
+NOTIFYMSG NOCOMM   "UPS %s is unavailable"
+
+# Route events through SYSLOG and the NOTIFYCMD wrapper. NUT also supports
+# WALL (broadcast to logged-in users) but it's noisy and not useful here.
+NOTIFYFLAG ONLINE   SYSLOG+EXEC
+NOTIFYFLAG ONBATT   SYSLOG+EXEC
+NOTIFYFLAG LOWBATT  SYSLOG+EXEC
+NOTIFYFLAG FSD      SYSLOG+EXEC
+NOTIFYFLAG COMMOK   SYSLOG+EXEC
+NOTIFYFLAG COMMBAD  SYSLOG+EXEC
+NOTIFYFLAG SHUTDOWN SYSLOG+EXEC
+NOTIFYFLAG REPLBATT SYSLOG+EXEC
+NOTIFYFLAG NOCOMM   SYSLOG+EXEC

roles/nut/vars/archlinux.yml

@@ -0,0 +1,9 @@
+---
+nut_package: nut
+nut_config_dir: /etc/nut
+nut_user: nut
+nut_group: nut
+nut_services:
+  - nut-driver-enumerator.service
+  - nut-server.service
+  - nut-monitor.service

roles/nut/vars/debian.yml

@@ -0,0 +1,9 @@
+---
+nut_package: nut
+nut_config_dir: /etc/nut
+nut_user: nut
+nut_group: nut
+nut_services:
+  - nut-driver-enumerator.service
+  - nut-server.service
+  - nut-monitor.service

roles/nut_exporter/README.md

@@ -0,0 +1,60 @@
+# nut_exporter — Prometheus exporter for NUT
+
+Scrapes a local `upsd` and exposes UPS metrics for Prometheus.
+
+## Supported distributions
+
+- Arch Linux (AUR package `prometheus-nut-exporter`, installed via `paru`)
+
+Debian/Ubuntu is not packaged upstream — add it on demand.
+
+## Configuration
+
+See [defaults/main.yml](defaults/main.yml).
+
+Required:
+
+```yaml
+nut_exporter_nut_password: "<same as nut_monitor_password>"
+```
+
+Optional:
+
+```yaml
+nut_exporter_listen_address: "127.0.0.1:9199"
+nut_exporter_nut_server: "127.0.0.1:3493"
+nut_exporter_nut_user: monitor
+```
+
+## Pairing with Prometheus
+
+Typical scrape config (target uses the multi-target pattern: the exporter
+queries a remote upsd specified in the URL parameters):
+
+```yaml
+prometheus_scrape_configs:
+  - job_name: 'nut'
+    metrics_path: /nut
+    static_configs:
+      - targets: ['eaton@localhost']  # ups@host syntax
+    relabel_configs:
+      - source_labels: [__address__]
+        target_label: __param_target
+      - source_labels: [__param_target]
+        target_label: instance
+      - target_label: __address__
+        replacement: 127.0.0.1:9199
+```
+
+## Operations
+
+```bash
+systemctl status prometheus-nut-exporter
+curl -s 'http://127.0.0.1:9199/nut?target=localhost&ups=eaton' | head
+journalctl -u prometheus-nut-exporter -f
+```
+
+## Dependencies
+
+Requires the [`nut`](../nut/README.md) role (or any other running upsd) on the
+same host.

roles/nut_exporter/defaults/main.yml

@@ -0,0 +1,13 @@
+---
+# Prometheus NUT exporter configuration
+
+# Address the exporter listens on.
+nut_exporter_listen_address: "127.0.0.1:9199"
+
+# upsd server to connect to (kept local — exporter sits next to upsd).
+nut_exporter_nut_server: "127.0.0.1:3493"
+
+# Credentials used to log into upsd. These should match the upsd user defined
+# by the nut role (nut_monitor_user / nut_monitor_password).
+nut_exporter_nut_user: "{{ nut_monitor_user | default('monitor') }}"
+# nut_exporter_nut_password: ""  # Inherits nut_monitor_password by default

roles/nut_exporter/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Restart nut_exporter
+  ansible.builtin.systemd:
+    name: "{{ nut_exporter_service }}"
+    state: restarted

roles/nut_exporter/meta/main.yml

@@ -0,0 +1,2 @@
+---
+dependencies: []

roles/nut_exporter/tasks/main.yml

@@ -0,0 +1,46 @@
+---
+- name: Validate required configuration
+  ansible.builtin.assert:
+    that:
+      - nut_exporter_nut_password is defined
+      - nut_exporter_nut_password | length >= 12
+    fail_msg: |
+      nut_exporter_nut_password (>=12 chars) is required.
+      Usually set to the same value as nut_monitor_password.
+
+- name: Load OS-specific variables
+  ansible.builtin.include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_facts['os_family'] }}.yml"
+
+- name: Install prometheus-nut-exporter (AUR via paru)
+  ansible.builtin.command: "paru -S --noconfirm --needed {{ nut_exporter_package }}"
+  register: nut_exporter_install
+  changed_when: "'there is nothing to do' not in nut_exporter_install.stdout | lower"
+  when: ansible_facts['os_family'] == 'Archlinux'
+
+- name: Ensure systemd override directory exists
+  ansible.builtin.file:
+    path: "{{ nut_exporter_override_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: Deploy systemd override (listen address + upsd credentials)
+  ansible.builtin.template:
+    src: override.conf.j2
+    dest: "{{ nut_exporter_override_dir }}/override.conf"
+    owner: root
+    group: root
+    mode: "0640"
+  notify:
+    - Reload systemd
+    - Restart nut_exporter
+
+- name: Enable and start nut_exporter
+  ansible.builtin.systemd:
+    name: "{{ nut_exporter_service }}"
+    enabled: true
+    state: started
+    daemon_reload: true

roles/nut_exporter/templates/override.conf.j2

@@ -0,0 +1,10 @@
+# Managed by Ansible - DO NOT EDIT MANUALLY
+# Override for prometheus-nut-exporter to inject listen address and upsd
+# credentials. The exporter reads NUT_EXPORTER_* env vars at startup.
+
+[Service]
+Environment="HTTP_LISTEN_ADDRESS={{ nut_exporter_listen_address }}"
+Environment="NUT_EXPORTER_SERVER={{ nut_exporter_nut_server.split(':')[0] }}"
+Environment="NUT_EXPORTER_PORT={{ nut_exporter_nut_server.split(':')[1] }}"
+Environment="NUT_EXPORTER_USERNAME={{ nut_exporter_nut_user }}"
+Environment="NUT_EXPORTER_PASSWORD={{ nut_exporter_nut_password }}"

roles/nut_exporter/vars/archlinux.yml

@@ -0,0 +1,6 @@
+---
+nut_exporter_package: prometheus-nut-exporter
+nut_exporter_service: prometheus-nut-exporter.service
+nut_exporter_user: nut-exporter
+nut_exporter_group: nut-exporter
+nut_exporter_override_dir: /etc/systemd/system/prometheus-nut-exporter.service.d

roles/syncthing/README.md

@@ -0,0 +1,48 @@
+# syncthing
+
+Installs and configures [Syncthing](https://syncthing.net/) as a system service.
+Runs as a dedicated `syncthing` system user via `syncthing@syncthing.service`.
+
+Supports Arch Linux and Debian-based distributions.
+
+## Required variables
+
+Set these in `inventory/host_vars/<host>.yml`:
+
+```yaml
+syncthing_gui_user: admin
+syncthing_gui_password: "{{ vault_syncthing_gui_password }}"
+```
+
+`syncthing_gui_password` must be at least 12 characters. Set the actual value
+in your vault file and reference it via `vault_syncthing_gui_password`.
+Syncthing will bcrypt-hash the password on first start.
+
+## Optional variables
+
+See `defaults/main.yml` for the full list. Key options:
+
+| Variable                    | Default                        | Description                        |
+|-----------------------------|--------------------------------|------------------------------------|
+| `syncthing_user`            | `syncthing`                    | OS user to run syncthing as        |
+| `syncthing_home`            | `/var/lib/syncthing`           | Home directory for the system user |
+| `syncthing_config_dir`      | `{{ syncthing_home }}/.config/syncthing` | Config directory      |
+| `syncthing_gui_bind`        | `0.0.0.0`                      | GUI listen address                 |
+| `syncthing_gui_port`        | `8384`                         | GUI listen port                    |
+| `syncthing_port`            | `22000`                        | Sync protocol port (TCP)           |
+| `syncthing_allowed_networks` | `[]`                          | UFW rules for GUI and sync ports   |
+
+## Notes
+
+- `config.xml` is written only on first run — the task is skipped on subsequent
+  runs if the file already exists. Syncthing manages the file after that (device
+  ID, folder config, hashed password). Re-running the playbook is safe.
+- Folder and device pairing must be done via the Syncthing web UI or REST API
+  after the service is running.
+- The GUI binds to `0.0.0.0` by default — use `syncthing_allowed_networks` to
+  restrict access via UFW to specific LAN/VPN ranges.
+
+## Debian notes
+
+The `syncthing` package in some Debian versions may be outdated. Consider adding
+the [official APT repository](https://apt.syncthing.net/) before applying this role.

roles/syncthing/defaults/main.yml

@@ -0,0 +1,27 @@
+---
+# System user to run syncthing as
+syncthing_user: syncthing
+syncthing_group: syncthing
+syncthing_home: /var/lib/syncthing
+
+# Config directory (syncthing reads and writes this at runtime)
+syncthing_config_dir: "{{ syncthing_home }}/.config/syncthing"
+
+# GUI credentials (REQUIRED - must be set explicitly)
+# syncthing_gui_user: ""      # Intentionally undefined - role will fail if not set
+# syncthing_gui_password: ""  # Intentionally undefined - role will fail if not set
+
+# GUI listen address and port
+syncthing_gui_bind: "0.0.0.0"
+syncthing_gui_port: 8384
+
+# Sync protocol port (TCP)
+syncthing_port: 22000
+
+# Package and service names
+syncthing_package: syncthing
+syncthing_service: "syncthing@{{ syncthing_user }}"
+
+# Firewall rules - list of allowed source ranges for GUI and sync ports
+syncthing_allowed_networks:
+  - { src: "127.0.0.1/8", comment: "Localhost" }

roles/syncthing/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart syncthing
+  ansible.builtin.systemd:
+    name: "{{ syncthing_service }}"
+    state: restarted

roles/syncthing/tasks/main.yml

@@ -0,0 +1,81 @@
+---
+- name: Validate required variables are set
+  ansible.builtin.assert:
+    that:
+      - syncthing_gui_user is defined
+      - syncthing_gui_user | length >= 1
+      - syncthing_gui_password is defined
+      - syncthing_gui_password | length >= 12
+    fail_msg: |
+      syncthing_gui_user and syncthing_gui_password are required.
+      syncthing_gui_password must be at least 12 characters.
+      See roles/syncthing/defaults/main.yml for configuration instructions.
+
+- name: Install syncthing
+  ansible.builtin.package:
+    name: "{{ syncthing_package }}"
+    state: present
+
+- name: Create syncthing system group
+  ansible.builtin.group:
+    name: "{{ syncthing_group }}"
+    system: true
+    state: present
+
+- name: Create syncthing system user
+  ansible.builtin.user:
+    name: "{{ syncthing_user }}"
+    group: "{{ syncthing_group }}"
+    home: "{{ syncthing_home }}"
+    shell: /sbin/nologin
+    system: true
+    create_home: true
+    state: present
+
+- name: Create syncthing config directory
+  ansible.builtin.file:
+    path: "{{ syncthing_config_dir }}"
+    state: directory
+    owner: "{{ syncthing_user }}"
+    group: "{{ syncthing_group }}"
+    mode: "0700"
+
+- name: Check if syncthing config already exists
+  ansible.builtin.stat:
+    path: "{{ syncthing_config_dir }}/config.xml"
+  register: syncthing_config_stat
+
+- name: Deploy initial syncthing config (skipped if already exists)
+  ansible.builtin.template:
+    src: config.xml.j2
+    dest: "{{ syncthing_config_dir }}/config.xml"
+    owner: "{{ syncthing_user }}"
+    group: "{{ syncthing_group }}"
+    mode: "0600"
+  when: not syncthing_config_stat.stat.exists
+  notify: Restart syncthing
+
+- name: Allow syncthing GUI and sync traffic through firewall
+  community.general.ufw:
+    rule: allow
+    port: "{{ item.1.port }}"
+    proto: tcp
+    from: "{{ item.0.src }}"
+    direction: in
+    comment: "{{ item.0.comment }}"
+  loop: "{{ syncthing_allowed_networks | product(syncthing_ufw_ports) | list }}"
+  vars:
+    syncthing_ufw_ports:
+      - { port: "{{ syncthing_gui_port }}" }
+      - { port: "{{ syncthing_port }}" }
+  when: syncthing_allowed_networks | length > 0
+  retries: 5
+  delay: 2
+  register: ufw_result
+  until: ufw_result is succeeded
+
+- name: Enable and start syncthing service
+  ansible.builtin.systemd:
+    name: "{{ syncthing_service }}"
+    enabled: true
+    state: started

roles/syncthing/templates/config.xml.j2

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Managed by Ansible - initial bootstrap only, DO NOT EDIT MANUALLY -->
+<!-- Syncthing will manage this file after first start -->
+<configuration version="37">
+    <gui enabled="true" tls="false" debugging="false">
+        <address>{{ syncthing_gui_bind }}:{{ syncthing_gui_port }}</address>
+        <user>{{ syncthing_gui_user }}</user>
+        <!-- Plaintext password; syncthing will bcrypt-hash it on first start -->
+        <password>{{ syncthing_gui_password }}</password>
+        <theme>default</theme>
+        <insecureSkipHostcheck>false</insecureSkipHostcheck>
+    </gui>
+    <options>
+        <startBrowser>false</startBrowser>
+        <crashReportingEnabled>false</crashReportingEnabled>
+        <!-- Opt out of anonymous usage reporting -->
+        <urAccepted>-1</urAccepted>
+        <!-- Disable automatic upgrades (managed by package manager) -->
+        <autoUpgradeIntervalH>0</autoUpgradeIntervalH>
+    </options>
+</configuration>

roles/zfs/tasks/dataset-ownership.yml

@@ -1,24 +0,0 @@
----
-# due to Ansible limitations, we cannot loop over a block, so we loop over distinct task files
-# @see https://stackoverflow.com/a/58911694
-- name: Set ownership on dataset mountpoint
-  block:
-    - name: Get the mountpoint
-      ansible.builtin.command: "zfs get -H -o value mountpoint {{ dataset.name }}"
-      register: mountpoint
-      changed_when: false
-
-    - name: Fail if mountpoint is system directory
-      ansible.builtin.fail:
-        msg: "Mountpoint resolved to a system directory ({{ mountpoint.stdout }}), aborting to avoid changing ownership."
-      when:
-        - mountpoint.stdout | trim == ''
-        - mountpoint.stdout | trim is not match('^/$|^(/usr|/bin|/sbin|/etc|/var|/lib|/lib64)$')
-
-    - name: Set mountpoint ownership
-      ansible.builtin.file:
-        path: "{{ mountpoint.stdout }}"
-        owner: "{{ dataset.user | default(ansible_user) }}"
-        group: "{{ dataset.group | default(ansible_user) }}"
-        state: directory
-        recurse: false

roles/zfs/tasks/datasets.yml

@@ -3,13 +3,33 @@
 - name: Managing filesystems, volumes, snapshots
   community.general.zfs:
     name: "{{ item.name }}"
-    state: "{{  item.state }}"
+    state: "{{ item.state }}"
     extra_zfs_properties: "{{ item.extra_zfs_properties | default(omit) }}"
     origin: "{{ item.origin | default(omit) }}"
   with_items: "{{ zfs_datasets }}"
 
-- name: Set dataset ownership
+- name: Set dataset mountpoint ownership
-  ansible.builtin.include_tasks: "./dataset-ownership.yml"
+  ansible.builtin.file:
+    path: "{{ item.extra_zfs_properties.mountpoint }}"
+    owner: "{{ item.user | default(ansible_user) }}"
+    group: "{{ item.group | default(ansible_user) }}"
+    state: directory
+    recurse: false
   loop: "{{ zfs_datasets }}"
-  loop_control:
+  when:
-    loop_var: dataset
+    - item.state | default('present') == 'present'
+    - item.extra_zfs_properties.mountpoint is defined
+    - item.extra_zfs_properties.mountpoint not in ['none', 'legacy']
+
+- name: Remove leftover empty mountpoint for absent datasets
+  ansible.builtin.command: "rmdir {{ item.extra_zfs_properties.mountpoint }}"
+  register: rmdir_result
+  failed_when:
+    - rmdir_result.rc != 0
+    - "'No such file or directory' not in rmdir_result.stderr"
+    - "'Directory not empty' not in rmdir_result.stderr"
+  changed_when: rmdir_result.rc == 0
+  loop: "{{ zfs_datasets }}"
+  when:
+    - item.state | default('present') == 'absent'
+    - item.extra_zfs_properties.mountpoint is defined