From e1f3a22a231316002c8373624ed2eb8b3b7dae04 Mon Sep 17 00:00:00 2001 
From: Iurii Tatishchev Date: Fri, 28 Jun 2024 22:39:24 -0700 Subject: [PATCH] refactor: simplify stack templates, move vars into group_vars/alpina this vault setup for injective sensitive variables uses the approach described in https://docs.ansible.com/ansible/10/tips_tricks/ansible_tips_tricks.html#keep-vaulted-variables-safely-visible --- .idea/alpina.iml | 1 + group_vars/alpina/vars.yml | 48 ++++++++++ group_vars/alpina/vault.yml | 88 +++++++++++++++++++ group_vars/docker_hosts.yml | 6 -- inventories/prod/group_vars/all.yml | 46 ---------- inventories/prod/group_vars/alpina/vars.yml | 14 +++ inventories/prod/group_vars/alpina/vault.yml | 21 +++++ inventories/prod/group_vars/docker_hosts.yml | 1 - inventories/prod/hosts | 2 +- inventories/staging/group_vars/all.yml | 46 ---------- .../staging/group_vars/alpina/vars.yml | 14 +++ .../staging/group_vars/alpina/vault.yml | 21 +++++ .../staging/group_vars/docker_hosts.yml | 1 - inventories/staging/hosts | 2 +- .../collections/apps/arrstack/app_config.yml | 8 -- .../collections/apps/gitea/app_config.yml | 27 ------ .../apps/gitea/templates/.env.db.j2 | 3 - .../collections/apps/jellyfin/app_config.yml | 6 -- .../collections/apps/nextcloud/app_config.yml | 14 --- .../services/authentik/app_config.yml | 27 ------ .../collections/services/minio/app_config.yml | 9 -- .../services/monitoring/app_config.yml | 19 ---- .../services/traefik/app_config.yml | 10 --- roles/alpina/tasks/deploy_collection.yml | 9 +- roles/alpina/tasks/deploy_compose_stack.yml | 10 +-- roles/alpina/tasks/main.yml | 2 +- .../apps/arrstack}/.env.gluetun.j2 | 3 +- .../apps/arrstack}/docker-compose.yml.j2 | 0 roles/alpina/templates/apps/gitea/.env.db.j2 | 3 + .../apps/gitea}/.env.gitea.j2 | 8 +- .../apps/gitea}/docker-compose.yml.j2 | 0 .../apps/jellyfin}/.env.jellyfin.j2 | 0 .../apps/jellyfin}/docker-compose.yml.j2 | 0 .../apps/nextcloud}/.env.db.j2 | 2 +- .../apps/nextcloud}/.env.j2 | 0 .../apps/nextcloud}/.env.nextcloud.j2 | 4 +- 
.../apps/nextcloud}/.env.redis.j2 | 0 .../apps/nextcloud}/docker-compose.yml.j2 | 0 .../apps/nextcloud}/nginx.conf.j2 | 0 .../services/authentik}/.env.authentik.j2 | 4 +- .../services/authentik}/.env.db.j2 | 2 +- .../authentik}/blueprints/apps-oauth2.yaml.j2 | 0 .../authentik}/blueprints/apps-proxy.yaml.j2 | 0 .../blueprints/default-authentication.yaml.j2 | 0 .../blueprints/github-oauth.yaml.j2 | 0 .../blueprints/services-oauth2.yaml.j2 | 0 .../services/authentik}/docker-compose.yml.j2 | 0 .../services/minio}/.env.minio.j2 | 0 .../services/minio}/docker-compose.yml.j2 | 0 .../services/monitoring}/.env.influxdb.j2 | 0 .../monitoring}/docker-compose.yml.j2 | 0 .../monitoring}/grafana_config/grafana.ini.j2 | 0 .../provisioning/datasources/alpina.yaml.j2 | 0 .../loki_config/loki-config.yaml.j2 | 0 .../prometheus_config/extra/.gitkeep | 0 .../prometheus_config/prometheus.yml.j2 | 0 .../promtail_config/promtail-config.yaml | 0 .../services/traefik}/.env.traefik.j2 | 0 .../services/traefik}/docker-compose.yml.j2 | 0 .../traefik}/rules/traefik-dash.yml.j2 | 0 .../services/traefik}/traefik.yml.j2 | 0 roles/docker_host/tasks/main.yml | 2 +- services.yml | 2 +- 63 files changed, 231 insertions(+), 254 deletions(-) create mode 100644 group_vars/alpina/vars.yml create mode 100644 group_vars/alpina/vault.yml delete mode 100644 group_vars/docker_hosts.yml create mode 100644 inventories/prod/group_vars/alpina/vars.yml create mode 100644 inventories/prod/group_vars/alpina/vault.yml delete mode 100644 inventories/prod/group_vars/docker_hosts.yml create mode 100644 inventories/staging/group_vars/alpina/vars.yml create mode 100644 inventories/staging/group_vars/alpina/vault.yml delete mode 100644 inventories/staging/group_vars/docker_hosts.yml delete mode 100644 roles/alpina/collections/apps/arrstack/app_config.yml delete mode 100644 roles/alpina/collections/apps/gitea/app_config.yml delete mode 100644 roles/alpina/collections/apps/gitea/templates/.env.db.j2 delete mode 100644 
roles/alpina/collections/apps/jellyfin/app_config.yml delete mode 100644 roles/alpina/collections/apps/nextcloud/app_config.yml delete mode 100644 roles/alpina/collections/services/authentik/app_config.yml delete mode 100644 roles/alpina/collections/services/minio/app_config.yml delete mode 100644 roles/alpina/collections/services/monitoring/app_config.yml delete mode 100644 roles/alpina/collections/services/traefik/app_config.yml rename roles/alpina/{collections/apps/arrstack/templates => templates/apps/arrstack}/.env.gluetun.j2 (93%) rename roles/alpina/{collections/apps/arrstack/templates => templates/apps/arrstack}/docker-compose.yml.j2 (100%) create mode 100644 roles/alpina/templates/apps/gitea/.env.db.j2 rename roles/alpina/{collections/apps/gitea/templates => templates/apps/gitea}/.env.gitea.j2 (78%) rename roles/alpina/{collections/apps/gitea/templates => templates/apps/gitea}/docker-compose.yml.j2 (100%) rename roles/alpina/{collections/apps/jellyfin/templates => templates/apps/jellyfin}/.env.jellyfin.j2 (100%) rename roles/alpina/{collections/apps/jellyfin/templates => templates/apps/jellyfin}/docker-compose.yml.j2 (100%) rename roles/alpina/{collections/apps/nextcloud/templates => templates/apps/nextcloud}/.env.db.j2 (50%) rename roles/alpina/{collections/apps/nextcloud/templates => templates/apps/nextcloud}/.env.j2 (100%) rename roles/alpina/{collections/apps/nextcloud/templates => templates/apps/nextcloud}/.env.nextcloud.j2 (82%) rename roles/alpina/{collections/apps/nextcloud/templates => templates/apps/nextcloud}/.env.redis.j2 (100%) rename roles/alpina/{collections/apps/nextcloud/templates => templates/apps/nextcloud}/docker-compose.yml.j2 (100%) rename roles/alpina/{collections/apps/nextcloud/templates => templates/apps/nextcloud}/nginx.conf.j2 (100%) rename roles/alpina/{collections/services/authentik/templates => templates/services/authentik}/.env.authentik.j2 (81%) rename roles/alpina/{collections/services/authentik/templates => 
templates/services/authentik}/.env.db.j2 (50%) rename roles/alpina/{collections/services/authentik/templates => templates/services/authentik}/blueprints/apps-oauth2.yaml.j2 (100%) rename roles/alpina/{collections/services/authentik/templates => templates/services/authentik}/blueprints/apps-proxy.yaml.j2 (100%) rename roles/alpina/{collections/services/authentik/templates => templates/services/authentik}/blueprints/default-authentication.yaml.j2 (100%) rename roles/alpina/{collections/services/authentik/templates => templates/services/authentik}/blueprints/github-oauth.yaml.j2 (100%) rename roles/alpina/{collections/services/authentik/templates => templates/services/authentik}/blueprints/services-oauth2.yaml.j2 (100%) rename roles/alpina/{collections/services/authentik/templates => templates/services/authentik}/docker-compose.yml.j2 (100%) rename roles/alpina/{collections/services/minio/templates => templates/services/minio}/.env.minio.j2 (100%) rename roles/alpina/{collections/services/minio/templates => templates/services/minio}/docker-compose.yml.j2 (100%) rename roles/alpina/{collections/services/monitoring/templates => templates/services/monitoring}/.env.influxdb.j2 (100%) rename roles/alpina/{collections/services/monitoring/templates => templates/services/monitoring}/docker-compose.yml.j2 (100%) rename roles/alpina/{collections/services/monitoring/templates => templates/services/monitoring}/grafana_config/grafana.ini.j2 (100%) rename roles/alpina/{collections/services/monitoring/templates => templates/services/monitoring}/grafana_config/provisioning/datasources/alpina.yaml.j2 (100%) rename roles/alpina/{collections/services/monitoring/templates => templates/services/monitoring}/loki_config/loki-config.yaml.j2 (100%) rename roles/alpina/{collections/services/monitoring/templates => templates/services/monitoring}/prometheus_config/extra/.gitkeep (100%) rename roles/alpina/{collections/services/monitoring/templates => 
templates/services/monitoring}/prometheus_config/prometheus.yml.j2 (100%) rename roles/alpina/{collections/services/monitoring/templates => templates/services/monitoring}/promtail_config/promtail-config.yaml (100%) rename roles/alpina/{collections/services/traefik/templates => templates/services/traefik}/.env.traefik.j2 (100%) rename roles/alpina/{collections/services/traefik/templates => templates/services/traefik}/docker-compose.yml.j2 (100%) rename roles/alpina/{collections/services/traefik/templates => templates/services/traefik}/rules/traefik-dash.yml.j2 (100%) rename roles/alpina/{collections/services/traefik/templates => templates/services/traefik}/traefik.yml.j2 (100%) diff --git a/.idea/alpina.iml b/.idea/alpina.iml index 56807d5..c9c1f59 100644 --- a/.idea/alpina.iml +++ b/.idea/alpina.iml @@ -24,6 +24,7 @@ diff --git a/group_vars/alpina/vars.yml b/group_vars/alpina/vars.yml new file mode 100644 index 0000000..feab25c --- /dev/null +++ b/group_vars/alpina/vars.yml 
@@ -0,0 +1,48 @@
+# Shared variables between environments
+
+---
+alpina_svc_path: ~/alpina
+base_volume_path: /mnt/dock
+media_volume_path: /mnt/media
+
+traefik_subnet: 172.16.122.0
+
+# Authentik
+authentik_db_password: "{{ vault_authentik_db_password }}"
+authentik_secret_key: "{{ vault_authentik_secret_key }}"
+
+authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}"
+
+auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}"
+arrstack_password: "{{ vault_arrstack_password }}"
+
+# Minio
+minio_password: "{{ vault_minio_password }}"
+
+# Monitoring
+## auth_grafana_client_secret:
+influxdb_admin_password: "{{ vault_influxdb_admin_password }}"
+influxdb_admin_token: "{{ vault_influxdb_admin_token }}"
+
+# Traefik
+acme_email: "{{ vault_acme_email }}"
+cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
+
+# Arrstack
+wg_peer_pubkey: "{{ vault_wg_peer_pubkey }}"
+vpn_server_names: "{{ vault_vpn_server_names }}"
+
+# Gitea
+gitea_db_password: "{{ vault_gitea_db_password }}"
+gitea_sendgrid_api_key: "{{ vault_gitea_sendgrid_api_key }}"
+## Security
+secret_key: "{{ vault_secret_key }}"
+internal_token: "{{ vault_internal_token }}"
+jwt_secret: "{{ vault_jwt_secret }}"
+
+# Jellyfin
+
+# Nextcloud
+nextcloud_db_password: "{{ vault_nextcloud_db_password }}"
+redis_password: "{{ vault_redis_password }}"
+nextcloud_sendgrid_api_key: "{{ vault_nextcloud_sendgrid_api_key }}"
diff --git a/group_vars/alpina/vault.yml b/group_vars/alpina/vault.yml
new file mode 100644
index 0000000..59af3e3
--- /dev/null
+++ b/group_vars/alpina/vault.yml
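Review bot: In `group_vars/alpina/vars.yml`, `secret_key`, `internal_token` and `jwt_secret` under `## Security` are the only secrets defined without an application prefix, and as group variables they are visible to every stack's templates rather than to one app. They sit under the `# Gitea` heading, so presumably they are Gitea's; naming them like `gitea_secret_key: "{{ vault_gitea_secret_key }}"` (and the same for the other two) would match `gitea_db_password` and keep another stack from picking up the wrong key by accident, with the vault entries and the Gitea template renamed to match. Separately, this file is described as shared between environments, so staging and prod appear to use the same values for secrets such as `cloudflare_api_token` and `authentik_secret_key`; if that is not deliberate, those entries belong in the per-inventory `vault.yml` files so that a staging compromise does not expose prod credentials.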
@@ -0,0 +1,88 @@ +$ANSIBLE_VAULT;1.1;AES256 +36636236366435333738633465323539336231393239656538643863643233346563333836623335 +3136393936656261396434316232356338313838373666660a653464613833306133343232623864 +61666561336462376664363463313533353238623031613664353063396236343663643936303730 +6235646336306636360a653238633038306532613436633132363231613862383636313838623461 +32633366326136346435613232396632396365656138643361643139353430663637353565383664 +36623961663030653639316131376535363138343965636437653139646233613765323439393030 +31666137346339663162393836636638636431326232323461353661613062623032306130393965 +38313931313935666633343835303232333961633232623538383138366262663335323764323939 +32373333663834626633363265373632356439633862316562323565646530383534653338353165 +38396434353332623164346137383238343536303130616666643065306431656137303263323135 +34316662353031653932396239623733313037383935383762623136346636323434363231623161 +30393864353466643637316566663366363231373335663331323932663837626239663633663965 +66333531323861663130353531323339386566303630366236636135393439356634393732623033 +31336231363935633436363962316666666336303338313636386163313666636336343464336133 +33313730303961663632323435323963663530623265663664343735643061323332343265343431 +61363039333730623562363233373537633138663239313132336666313237373137353663326538 +32366130326635366433393434653735616132366264386461363063393265623765666461626366 +38636239376534653230663932393930343162333262643130633835343363613061623932363761 +64643164323335376565646137643763316562343565366462376162333633313737303465373362 +63343734633536353661353165346632666230616138396461336332623365366432313734343837 +30613736313961663334326335333834336634373338326631313739363765303036303132346166 +37313030373264383564383936396339623061616134356663333733653838393537306336313135 +32336261356437653863653839373130323035346538343938646265653239376236373932646433 
+35373932326535643763396563373138626239393661373231393066323335336264373835336635 +38393732643630336364363834303534663334396363623261383339313939663461303236646237 +36393330373534383836373065373239353836653137306338336638396662363434303839363466 +37303332343464663733653632363239366337656364333532313237633935616637333361383763 +62363063323362323565363837333264346161353032643039323839336666656333336433376231 +36363335626137366135373230613436653232663138343862623562306331336330356630316166 +30613264353165343634663461373630653632366333313837373237613339336638396338376465 +64633638373263376330343561303664666139663237326637663964386133623164626339346635 +66636365366562343636653362656133306164353761346661343430356633613063656466316262 +31633932313532663930303837353863333664393563646566396164666236633832633235653362 +63663931353436623034653733313766393465363466363831643130643939356335643166356436 +38386530333264313263636438376134666235646636316233653330613735323234313036356639 +61316164376434616239646235326661323363333835393430646462323234356138653163616530 +65623233636435396462343437626130353735643530376538633762346332653162353563386366 +32656633633935626238323431643631633434633032303435383037353834653964326336616530 +30363765663133313239373664383830393238303439653531316664636532363135636563356666 +34376636373033353665373261363536393562653638306661663832326139383565613862333831 +38616238616332326532656430393331383161376237393365666639363732363164306332343336 +37366638326464373261386431623731306663616262633837313965633530616265326536323136 +62366365666461383535663637633332626464643062653139623333663038316536353930653266 +37343830613062346533613762663738343138383537396435643765323237623130363564396462 +61663063643135303539313062396338353061346336303938626361343238366366393533363638 +31313437623631626437393761366537636664393863306164373431653133316639623630353336 +65313037636533393362363266366231393334613264343331623531393666336336626265366163 
+34663161396633666162326564313735373137303337386538633866653331646635633532336465 +34386166373436386566656135313438363733353139663630613430363332656239356139393532 +35626337666639376664346631323938316538333066353363646562323266353165366632656137 +66366162376165626564363230353062666364646363366637666433636333316536623435623836 +62346566363362363939353038396566653238666138666531396338323262323965383031336362 +34613332363334653531383231363539343133333531666564386133346562323338366139663438 +31613466366438643566333632326239653662636464373337326537313234393038306132343730 +36633136366162643966396362643165313336383862653435343630646431306366656636353230 +64326633346561613662383863356531306563623439363566643733336535303335303164633535 +36356463616162313039386434323637383937613133623131373033373462363365643730666166 +65383166346638313533326366346433656461346439343838306564393336383536633732343965 +39306231386130303433616361366363366163646534316138623362393063663438313165643762 +39393332653564333762663762366633386135353865366338396138666265653662373535666366 +35613937613366323064316561643435353830316239396464393737613835373964626437316464 +39643664656565633966393832643033323130636562383233323636363361353430353062323439 +39396464633336623963633963326461316562333162333766613064336462613235336531623437 +30383063653666633839646533386239366637346230363033306161386537303039376465303535 +34643162323065326264343662303138313063303834353832393663616239383739313133393532 +62393766343037666564326132386139346661383564366366646530346434373366326531356138 +31323531653338653130303733363764636430336563336439666132626434363463306631363334 +39623332376334383338633132653262653735346563626365613336623435396539383630366332 +31316638393562376131363166633163333332633332393062393962613132366538653865663264 +38313237393436353333323431336361653938343034346164353335366535396265633961333138 +65386137356161643732636531613166633464326163303336303439383435376331373935333563 
+64633961623761393131333234656530653737346563643963643833383262383434653266343362 +35623832643032346133346363646136646438663761363330666231316434306232623339656535 +34393337666237656262313439386336336466373466663663616139353463316265396135626366 +62313562306334343831616364633933343463386233323637313832316635346235623830333461 +33663530343966383739643261653736363865323438363430653661653964643339633833386438 +36333331366334366461346636636462343335313234663864613864366134356161396662383632 +36663538373761353937313666363262626435623537646665646364353934373638366261333234 +36353439303663656531666637376364313838386130343966316138356338643135316139363630 +30386635376565363931333331336431303562346431323534643238333337386264616161356163 +35663766306635626235373663643064393233346364666663393236353561653362373361666164 +65653566666234626464356338613834323332383939643935323337376162316163333034643062 +63646237646234636561313038383636373936656164333735323461626233633337623764383830 +66383161346336633962643032376662656566396666343662656337306333313836613335643961 +64323961663032373239636430306430383639306333363938303837386139643230353061623937 +36373733636337616264313432643230303935626666633533666135666538626266626266643864 +376430653461346366626432636336653437 \ No newline at end of file diff --git a/group_vars/docker_hosts.yml b/group_vars/docker_hosts.yml deleted file mode 100644 index bcf8e9c..0000000 --- a/group_vars/docker_hosts.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -my_svc_path: ~/alpina -base_volume_path: /mnt/dock -media_volume_path: /mnt/media - -traefik_subnet: 172.16.122.0 diff --git a/inventories/prod/group_vars/all.yml b/inventories/prod/group_vars/all.yml index 5f8c39d..ceeb024 100644 --- a/inventories/prod/group_vars/all.yml +++ b/inventories/prod/group_vars/all.yml 
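Review bot: The new `group_vars/alpina/vault.yml` is encrypted without a vault ID label: its header is `$ANSIBLE_VAULT;1.1;AES256`, while the inline values this commit removes from `inventories/*/group_vars/all.yml` carry `$ANSIBLE_VAULT;1.2;AES256;alpina`. The same unlabelled header appears on the prod and staging `vault.yml` files added later in the patch. If the `alpina` vault ID is still how the password is supplied, re-encrypting with `ansible-vault encrypt --encrypt-vault-id alpina` keeps the label, and distinct IDs per inventory would let staging and prod use different vault passwords. The file also ends without a trailing newline (`\ No newline at end of file`).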
@@ -1,47 +1 @@ domain: cazzzer.com - -wg_privkey: !vault | - $ANSIBLE_VAULT;1.2;AES256;alpina - 31663639306133623739366363353430303338656137386434303862346434633665333434613931 - 3430313162333937636234313761366337393431616630330a393962643962353234343431653439 - 35323966643531386538643636623439636633326638316233386266343964333563306330383437 - 6132333063626365330a353232366464636663633236383563343834316164636434613639363765 - 37653738663463303236333232663338623034363737643138303238663033323361373064343334 - 3762303565343765393332626565333637643462353631343833 - -wg_psk: !vault | - $ANSIBLE_VAULT;1.2;AES256;alpina - 31353436343638306237623864633533626662376362656531616665356333326238353533306438 - 3164646631633464313966353533633137643234333264650a666134613666613262323461306131 - 32383438363566653766613337363236616139616661343930656362636366346133353137366639 - 3762623635386330320a643465396563666562383261623964396431366466663766303939336434 - 61626434363763303637316165343566383064613663626339366635343537646130323731376461 - 6231346162313465323739623939306436656438336565336436 - -wg_addresses: !vault | - $ANSIBLE_VAULT;1.2;AES256;alpina - 66306130383462373166306561663431366262626537393330373061616636306433323734643632 - 6332363262346630353338626632353039636666636264340a616537363638386635383934303533 - 34376136636334616332626161386435333031363931616331363232313338346234316361383033 - 3236626331333032390a353466323863326565386531643335653565386433613431623337313666 - 32643065653763643563623232313262316534326266386135633463623966636532356463653765 - 32656333623032633263643539336537313536326263303465373066633738353832363064306465 - 353636666162393734333338653834366333 - -fw_vpn_input_ports: !vault | - $ANSIBLE_VAULT;1.2;AES256;alpina - 36353933613361353132366636386138616336323437616366613164633036343234313338303830 - 3662663462346134343338363264303030663935393865650a666161633163383437373139663362 - 
35666633363762633135616630336239623065366266633335623832323762613565376166383131 - 6163646561353335360a386664386166626134366339393566613461626230323836646139316463 - 3938 - -github_consumer_key: 32d5cae58d744c56fcc9 -github_consumer_secret: !vault | - $ANSIBLE_VAULT;1.2;AES256;alpina - 36353230356266303131333732363736383633313038326161346434303061633464393738383433 - 3933343436316530306439326237353265363333656264620a373036383835313733303561333233 - 33343834313163613037643734653535306365326536383532366166313261323265616133333865 - 3362663865666466320a363338303436626532393665663564313937366362326263396431316538 - 33396237333766666635333039643338333133346636363966326437646334636138353934333834 - 3139363661653364306231303966346333643166326536383164 diff --git a/inventories/prod/group_vars/alpina/vars.yml b/inventories/prod/group_vars/alpina/vars.yml new file mode 100644 index 0000000..b918c45 --- /dev/null +++ b/inventories/prod/group_vars/alpina/vars.yml @@ -0,0 +1,14 @@ +# Environment specific variables (prod) + +--- +docker_ipv6_index: 255 + +# Arrstack VPN +wg_privkey: "{{ vault_wg_privkey }}" +wg_psk: "{{ vault_wg_psk }}" +wg_addresses: "{{ vault_wg_addresses }}" +fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}" + +# Authentik GitHub OAuth +github_consumer_key: 32d5cae58d744c56fcc9 +github_consumer_secret: "{{ vault_github_consumer_secret }}" diff --git a/inventories/prod/group_vars/alpina/vault.yml b/inventories/prod/group_vars/alpina/vault.yml new file mode 100644 index 0000000..e834846 --- /dev/null +++ b/inventories/prod/group_vars/alpina/vault.yml 
@@ -0,0 +1,21 @@ +$ANSIBLE_VAULT;1.1;AES256 +61656162363565633436373135333536623561663136303736393865623830633539376362363363 +3938333137343336626634346262363964316563643261310a366538363037343965363766646535 +61636239326464373039333462653562373933396665393039633266326234663335363337666439 +6137323332303533640a383062383135633762323561313666636566306531306636633466316536 +66623731626266333731303336323733343336626366343833633365616330343565363035323039 +35313961383131616133386663376331336639633137383137346164353632653939363266613562 +36316631366661353632386230306532633862393963663465383862653964646462666334396666 +66626636353539316266343937623662613336616331626439306538363764636366656635356639 +30663535393366383261333832356237373230663037373638303161303534636230616464636265 +37623938303638646233346338616239393838396433313063343065386666323264646461373032 +63376661646139316430303533643063336634333364643231336130613638626431623732646434 +63643833353164313465633333646232653761356333323933396666323837656334343866363762 +39646263653137356632323534356631366531636530613736343438393136363835373435636230 +30313163386335353935663432323033326235653963653930396235373863373232666334326661 +34336632666365666563326366376461386130343965363832343430396537323734363533353065 +64313837623366356261383437306465633730353332636561333462356363326132313933653234 +66363634333664333433613466396639306436353035346134373430663532373934343861323262 +30666664336336393835346234316238613839326436363162626439376530306133343530303365 +65393030633237333166336637363435646435323736353461333932366638333264333239373733 +30623062643336643431 diff --git a/inventories/prod/group_vars/docker_hosts.yml b/inventories/prod/group_vars/docker_hosts.yml deleted file mode 100644 index 805c9dc..0000000 --- a/inventories/prod/group_vars/docker_hosts.yml +++ /dev/null @@ -1 +0,0 @@ -docker_ipv6_index: 255 diff --git a/inventories/prod/hosts b/inventories/prod/hosts index 50fea0c..9ad886e 100644 --- a/inventories/prod/hosts 
+++ b/inventories/prod/hosts
@@ -1,2 +1,2 @@
-[docker_hosts]
+[alpina]
 debbi.lab.home
diff --git a/inventories/staging/group_vars/all.yml b/inventories/staging/group_vars/all.yml
index ee55778..b64c48e 100644
--- a/inventories/staging/group_vars/all.yml
+++ b/inventories/staging/group_vars/all.yml
@@ -1,47 +1 @@ domain: lab.cazzzer.com - -wg_privkey: !vault | - $ANSIBLE_VAULT;1.2;AES256;alpina - 31333936633664396332303835396261626463383139326538356363303832323533643636383364 - 3364613639616462313462313361363836396338623636660a376230646137346536393330393837 - 64363065396332316262386330313534636135303264636532373432356265383337306365363531 - 6533343563393062640a366364346136353361653033383731613764363762663865643031303663 - 62623562636563633038366465636430656231323431643236323461333134623633613464393439 - 3331663962646534353931336630333961616134343931343534 - -wg_psk: !vault | - $ANSIBLE_VAULT;1.2;AES256;alpina - 31393235386262363733633063393031396532336161613138353931616364616165613131336138 - 3861323766326233383836613233333332306166633138300a373164306664393061643135646662 - 30626536646562363263303238663430393361653566306134373633626534643038326566616237 - 3233363838343466640a306364663738346235323535643465663330616235373266383233646263 - 31373332613461376235343431396431633733653865636636363733303466366430316431663730 - 6537663563613233353838303738653532633136663430383961 - -wg_addresses: !vault | - $ANSIBLE_VAULT;1.2;AES256;alpina - 36613639386139353965346134663431343032626637326238303830653335633062633936373938 - 3633636637613033303362343038653262626165636537350a356136363730643738383264306662 - 34363731313730613164646138653235653363303033663637386230373161623965326265663439 - 6365643730373235320a323065336535356636646131666262636133643435633237396331653833 - 63393836393162623164633130393034643364373838313939346438623761326364316337343066 - 30643131636636643038366634663137643436323833326362373666393563316235306533373039 - 636233633762303639373239353661343162 - -fw_vpn_input_ports: !vault | - $ANSIBLE_VAULT;1.2;AES256;alpina - 39326564343633633465376363396633396332636664383539373230633033383161626434643435 - 3539336531356336663638626630613934323162313639610a626637393637363837636631666534 - 
38663031306536323866336365373565633634666561663636653938643538336630393061326564 - 3863363030346530630a343138623664323336353036343430323261393036373563393762663530 - 3730 - -github_consumer_key: dbacb8621c37320eb745 -github_consumer_secret: !vault | - $ANSIBLE_VAULT;1.2;AES256;alpina - 65393439653532323865356337353164666331653438396564613663363865643233323666316537 - 6365303062326139366139623232366338663831333333610a343035313364383738396635633737 - 32616366393365643565636337633334363637356435386235373638653139326665353537363939 - 3936336336663264310a343137653436323831366237376539353231656463663164316133376333 - 37373937356438373335663234616165663739626663663635316335333534333566326632346437 - 3539656334346163663635376533376362626235343466303430 diff --git a/inventories/staging/group_vars/alpina/vars.yml b/inventories/staging/group_vars/alpina/vars.yml new file mode 100644 index 0000000..cb6bc48 --- /dev/null +++ b/inventories/staging/group_vars/alpina/vars.yml @@ -0,0 +1,14 @@ +# Environment specific variables (staging) + +--- +docker_ipv6_index: 254 + +# Arrstack VPN +wg_privkey: "{{ vault_wg_privkey }}" +wg_psk: "{{ vault_wg_psk }}" +wg_addresses: "{{ vault_wg_addresses }}" +fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}" + +# Authentik GitHub OAuth +github_consumer_key: dbacb8621c37320eb745 +github_consumer_secret: "{{ vault_github_consumer_secret }}" diff --git a/inventories/staging/group_vars/alpina/vault.yml b/inventories/staging/group_vars/alpina/vault.yml new file mode 100644 index 0000000..0005ca7 --- /dev/null +++ b/inventories/staging/group_vars/alpina/vault.yml 
@@ -0,0 +1,21 @@ +$ANSIBLE_VAULT;1.1;AES256 +63633535633462326534626562373461373363643166383961303861623531663263323534366537 +3263633238646439306430356365623233313838326639350a386633363434623737313565316535 +33393734633937333637373432366132323366343836393538366339626235613937323066613666 +3737393262646333390a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diff --git a/inventories/staging/group_vars/docker_hosts.yml b/inventories/staging/group_vars/docker_hosts.yml deleted file mode 100644 index 560d458..0000000 --- a/inventories/staging/group_vars/docker_hosts.yml +++ /dev/null @@ -1 +0,0 @@ -docker_ipv6_index: 254 diff --git a/inventories/staging/hosts b/inventories/staging/hosts index 05ded5f..56532fb 100644 --- a/inventories/staging/hosts +++ b/inventories/staging/hosts @@ -1,2 +1,2 @@ -[docker_hosts] +[alpina] etappi.lab.home diff --git a/roles/alpina/collections/apps/arrstack/app_config.yml b/roles/alpina/collections/apps/arrstack/app_config.yml deleted file mode 100644 index 2540438..0000000 --- a/roles/alpina/collections/apps/arrstack/app_config.yml +++ /dev/null @@ -1,8 +0,0 @@ -$ANSIBLE_VAULT;1.2;AES256;alpina -66613933613334643836373939636238303035626535666161323634323837623565383337666232 -6166363839626433636231323434633164643033633466650a393032356231306436663563613734 -37316438306536316438383236373431333931373933323361623162323363623332333130653366 -6363616430353835620a366666303230313239393430326538346436626239663431316639633139 -33663261303864326162313235663536363332633731383636663165313061343863373333396536 -31336234306337393730343861636232643561356165393664633537623662353830613338363833 -306537353361653834656134383632306239 \ No newline at end of file diff --git a/roles/alpina/collections/apps/gitea/app_config.yml b/roles/alpina/collections/apps/gitea/app_config.yml deleted file mode 100644 index 02af00c..0000000 --- a/roles/alpina/collections/apps/gitea/app_config.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -$ANSIBLE_VAULT;1.2;AES256;alpina -35303032386566343430633238343936366234333434343763666231666232633539303232383534 -3035346233346162373939333531613535353232626531640a646537616163353736653161326265 -31336530316335623335353661373834613264326436303933326135396166346562343136353931 -6439383039346465300a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diff --git a/roles/alpina/collections/apps/gitea/templates/.env.db.j2 b/roles/alpina/collections/apps/gitea/templates/.env.db.j2 deleted file mode 100644 index f164ebb..0000000 --- a/roles/alpina/collections/apps/gitea/templates/.env.db.j2 +++ /dev/null @@ -1,3 +0,0 @@ -POSTGRES_USER=gitea -POSTGRES_DB=gitea -POSTGRES_PASSWORD={{ db_password }} diff --git a/roles/alpina/collections/apps/jellyfin/app_config.yml b/roles/alpina/collections/apps/jellyfin/app_config.yml deleted file mode 100644 index f253886..0000000 --- a/roles/alpina/collections/apps/jellyfin/app_config.yml +++ /dev/null @@ -1,6 +0,0 @@ -$ANSIBLE_VAULT;1.2;AES256;alpina -61626665353536663033663661393434616339396434383530306265363837313839303939623465 -3634333839333530383464613966326238363738663637360a343837623832343232316565346131 -66663831356162653363383131396665326531363430656539333866313031306537343864343262 -3730643765633232620a643734623336646565663266656262343162613239306166386665333139 -6366 \ No newline at end of file diff --git a/roles/alpina/collections/apps/nextcloud/app_config.yml b/roles/alpina/collections/apps/nextcloud/app_config.yml deleted file mode 100644 index 2fed906..0000000 --- a/roles/alpina/collections/apps/nextcloud/app_config.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -$ANSIBLE_VAULT;1.2;AES256;alpina -65313636646233613364363933616361346639653939346337303832646339316632383966666237 -3766396134383434613534373937663162393134306536300a626139373732393037346630333838 -63663439353238643532316231623866396434303034313130386635623363353263626362376334 -3933346434633662320a386432373465646432343338666561366161646335636232353133393933 -65313364666564353039626238383033343765323730316633356139326666623135326131353864 -32386237643538636538356261393164633137636235346564393930346539623731386633336339 -31303466653936343166366164383134306232613236663735623834393963306331376435616365 -31313866383730393063353335626164303632636331303830636530656131636139376633623439 -63663639323964623231343066373538633336353561646230363363643762393634643435306164 -31366364326237636365336363343264343562353337303235633034383635373934376334353336 -61373065386639643064303431623162373665363937353832313561386134613834613935653964 -64656339316165313936333736643030356366663162316462636662326134396539356262666536 -64336133393937396330353234316563356337623733326264363333373536633833 diff --git a/roles/alpina/collections/services/authentik/app_config.yml b/roles/alpina/collections/services/authentik/app_config.yml deleted file mode 100644 index d5dcaa4..0000000 --- a/roles/alpina/collections/services/authentik/app_config.yml +++ /dev/null @@ -1,27 +0,0 @@ -$ANSIBLE_VAULT;1.2;AES256;alpina -34666662336362656236356334333333396363393966626563643264306538333865623964373561 -3038373931313365383531333762616439396136633230610a626435336166633261323266656366 -36323335633865663538326331393635313766333639643861383738633835316533666463666363 -6139323764386533390a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o newline at end of file diff --git a/roles/alpina/collections/services/minio/app_config.yml b/roles/alpina/collections/services/minio/app_config.yml deleted file mode 100644 index 24f3359..0000000 
--- a/roles/alpina/collections/services/minio/app_config.yml +++ /dev/null @@ -1,9 +0,0 @@ -$ANSIBLE_VAULT;1.2;AES256;alpina -34333936316336663466376163333433336136386632356366363139343239393333623138623265 -3234373031623162623161383832613737393938653533630a353937373463626532306562316461 -62646637353039396536623735613931373230643135373964313232376561303530386566343266 -3261366363393335620a373162303030626461666164313432383263616237383230313937653435 -65346564653230643837613436633565363865616636303031636530623063646630623730383163 -66333864393362326462356531343039613061613466356237336365633339356464626162646538 -66633235613638653036326439333833306237626539653564653536376434666238383638376333 -32383637333766636337 \ No newline at end of file diff --git a/roles/alpina/collections/services/monitoring/app_config.yml b/roles/alpina/collections/services/monitoring/app_config.yml deleted file mode 100644 index 7e3414b..0000000 --- a/roles/alpina/collections/services/monitoring/app_config.yml +++ /dev/null @@ -1,19 +0,0 @@ -$ANSIBLE_VAULT;1.2;AES256;alpina -61306635623363343430383032666564666533343661386663346334626137646137653533636461 -6466643635383162343463303536323563646439323333390a366134333630373464666334333037 -33303361383334353833633364313430636435326361343461616664623261616566306165663966 -6262323130623766380a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o newline at end of file diff --git a/roles/alpina/collections/services/traefik/app_config.yml b/roles/alpina/collections/services/traefik/app_config.yml deleted file mode 100644 index a44106b..0000000 --- a/roles/alpina/collections/services/traefik/app_config.yml +++ /dev/null 
@@ -1,10 +0,0 @@ -$ANSIBLE_VAULT;1.2;AES256;alpina -36343837633635363835346435333839633930656434343636623861663930333231303563313339 -6139343262316564306533396465393664356637666530310a616535376436323031386435643538 -31643935373036373839363863653434643263613731346666626163376266383635343866613536 -3835313930383238630a363138656533616337643839383330356432303236346335613464393565 -62363864323031343361643862356136316339643332393830373133656638333234656263613631 -63633837633965633033316338336338643937363131393338396661636331363538346131303564 -63313134636635663636363933373733633439663335356633313963326538663733373064303936 -37663461333664333631633838316661383733356366613531626134303236643739366361306262 -64363137666265366262373562386138313934313436363631636337373038613737 \ No newline at end of file diff --git a/roles/alpina/tasks/deploy_collection.yml b/roles/alpina/tasks/deploy_collection.yml index 0751a23..a2c8633 100644 --- a/roles/alpina/tasks/deploy_collection.yml +++ b/roles/alpina/tasks/deploy_collection.yml @@ -1,18 +1,15 @@ - name: Ensure {{ collection }} collection directory exists file: - path: "{{ my_svc_path }}/{{ collection }}" + path: "{{ alpina_svc_path }}/{{ collection }}" state: directory mode: "700" - name: Deploy docker compose stacks for {{ collection }} vars: current_stack_name: "{{ stack }}" - current_stack_dest: "{{ my_svc_path }}/{{ collection }}/{{ stack }}" - current_stack_source: "{{ role_path }}/collections/{{ collection }}/{{ stack }}" + current_stack_dest: "{{ alpina_svc_path }}/{{ collection }}/{{ stack }}" + current_stack_source: "{{ role_path }}/templates/{{ collection }}/{{ stack }}" include_tasks: deploy_compose_stack.yml loop: "{{ stacks }}" loop_control: loop_var: stack - -- debug: - var: acme_email diff --git a/roles/alpina/tasks/deploy_compose_stack.yml b/roles/alpina/tasks/deploy_compose_stack.yml index d828789..158d80c 100644 --- a/roles/alpina/tasks/deploy_compose_stack.yml +++ b/roles/alpina/tasks/deploy_compose_stack.yml 
@@ -11,21 +11,15 @@ path: "{{ current_stack_dest }}/{{ item.path }}" state: directory mode: "700" - loop: "{{ lookup('community.general.filetree', current_stack_source + '/templates') }}" + loop: "{{ lookup('community.general.filetree', current_stack_source) }}" when: item.state == "directory" -# TODO: This is not ideal as it leaks the variables between stacks -# But that's also not really a problem, as they won't conflict if everything is done right -- name: Include variables for stack {{ stack }} - include_vars: - file: "{{ current_stack_source }}/app_config.yml" - - name: Generate {{ current_stack_name }} deployment from templates template: src: "{{ item.src }}" dest: "{{ current_stack_dest }}/{{ item.path | regex_replace('\\.j2$', '') }}" mode: "600" - loop: "{{ lookup('community.general.filetree', current_stack_source + '/templates') }}" + loop: "{{ lookup('community.general.filetree', current_stack_source) }}" when: item.state == "file" - name: Deploy docker-compose for {{ current_stack_name }} diff --git a/roles/alpina/tasks/main.yml b/roles/alpina/tasks/main.yml index ed4c3e8..9a96600 100644 --- a/roles/alpina/tasks/main.yml +++ b/roles/alpina/tasks/main.yml @@ -10,7 +10,7 @@ - name: Ensure alpina directory exists file: state: directory - path: "{{ my_svc_path }}" + path: "{{ alpina_svc_path }}" mode: "700" - name: Deploy collection services diff --git a/roles/alpina/collections/apps/arrstack/templates/.env.gluetun.j2 b/roles/alpina/templates/apps/arrstack/.env.gluetun.j2 similarity index 93% rename from roles/alpina/collections/apps/arrstack/templates/.env.gluetun.j2 rename to roles/alpina/templates/apps/arrstack/.env.gluetun.j2 index ffec399..209dacc 100644 --- a/roles/alpina/collections/apps/arrstack/templates/.env.gluetun.j2 +++ b/roles/alpina/templates/apps/arrstack/.env.gluetun.j2 
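Review bot: The `Generate {{ current_stack_name }} deployment from templates` task has no `diff: false`, so a run with `--diff` would print the rendered `.env` contents, including the database passwords and API keys the templates now read from the group vars, to the console and to any log that captures it. Adding `diff: false` to that task keeps those values out of run output, and the existing `mode: "600"` on the written files can stay as it is. With the `include_vars` step removed, every stack's templates see every variable, so the per-stack name prefixes are the only separation. A comment above the task such as `# Stack variables come from group_vars/alpina; keep names prefixed per stack` would record that. The first and last tasks in this hunk are cut off by its edges.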
@@ -21,8 +21,7 @@ ## AirVPN VPN_SERVICE_PROVIDER=airvpn VPN_TYPE=wireguard -SERVER_NAMES=Bunda,Imai,Saclateni -#SERVER_NAMES=Bunda +SERVER_NAMES={{ vpn_server_names }} WIREGUARD_PUBLIC_KEY={{ wg_peer_pubkey }} WIREGUARD_PRIVATE_KEY={{ wg_privkey }} WIREGUARD_PRESHARED_KEY={{ wg_psk }} diff --git a/roles/alpina/collections/apps/arrstack/templates/docker-compose.yml.j2 b/roles/alpina/templates/apps/arrstack/docker-compose.yml.j2 similarity index 100% rename from roles/alpina/collections/apps/arrstack/templates/docker-compose.yml.j2 rename to roles/alpina/templates/apps/arrstack/docker-compose.yml.j2 diff --git a/roles/alpina/templates/apps/gitea/.env.db.j2 b/roles/alpina/templates/apps/gitea/.env.db.j2 new file mode 100644 index 0000000..6000e0d --- /dev/null +++ b/roles/alpina/templates/apps/gitea/.env.db.j2 @@ -0,0 +1,3 @@ +POSTGRES_USER=gitea +POSTGRES_DB=gitea +POSTGRES_PASSWORD={{ gitea_db_password }} diff --git a/roles/alpina/collections/apps/gitea/templates/.env.gitea.j2 b/roles/alpina/templates/apps/gitea/.env.gitea.j2 similarity index 78% rename from roles/alpina/collections/apps/gitea/templates/.env.gitea.j2 rename to roles/alpina/templates/apps/gitea/.env.gitea.j2 index bc74e67..09d6d1f 100644 --- a/roles/alpina/collections/apps/gitea/templates/.env.gitea.j2 +++ b/roles/alpina/templates/apps/gitea/.env.gitea.j2 @@ -3,9 +3,9 @@ GITEA____APP_NAME=CazGitea # Database GITEA__database__DB_TYPE=postgres GITEA__database__HOST=db:5432 -GITEA__database__NAME={{ db_user }} -GITEA__database__USER={{ db_name }} -GITEA__database__PASSWD={{ db_password }} +GITEA__database__NAME=gitea +GITEA__database__USER=gitea +GITEA__database__PASSWD={{ gitea_db_password }} # Server GITEA__server__ROOT_URL=https://gitea.{{ domain }}/ 
@@ -17,7 +17,7 @@ GITEA__mailer__SMTP_ADDR=smtp.sendgrid.net GITEA__mailer__SMTP_PORT=587 GITEA__mailer__FROM=gitea@cazzzer.com GITEA__mailer__USER=apikey -GITEA__mailer__PASSWD={{ sendgrid_api_key }} +GITEA__mailer__PASSWD={{ gitea_sendgrid_api_key }} # Security GITEA__security__SECRET_KEY={{ secret_key }} diff --git a/roles/alpina/collections/apps/gitea/templates/docker-compose.yml.j2 b/roles/alpina/templates/apps/gitea/docker-compose.yml.j2 similarity index 100% rename from roles/alpina/collections/apps/gitea/templates/docker-compose.yml.j2 rename to roles/alpina/templates/apps/gitea/docker-compose.yml.j2 diff --git a/roles/alpina/collections/apps/jellyfin/templates/.env.jellyfin.j2 b/roles/alpina/templates/apps/jellyfin/.env.jellyfin.j2 similarity index 100% rename from roles/alpina/collections/apps/jellyfin/templates/.env.jellyfin.j2 rename to roles/alpina/templates/apps/jellyfin/.env.jellyfin.j2 diff --git a/roles/alpina/collections/apps/jellyfin/templates/docker-compose.yml.j2 b/roles/alpina/templates/apps/jellyfin/docker-compose.yml.j2 similarity index 100% rename from roles/alpina/collections/apps/jellyfin/templates/docker-compose.yml.j2 rename to roles/alpina/templates/apps/jellyfin/docker-compose.yml.j2 diff --git a/roles/alpina/collections/apps/nextcloud/templates/.env.db.j2 b/roles/alpina/templates/apps/nextcloud/.env.db.j2 similarity index 50% rename from roles/alpina/collections/apps/nextcloud/templates/.env.db.j2 rename to roles/alpina/templates/apps/nextcloud/.env.db.j2 index 65d25bf..76787b2 100644 --- a/roles/alpina/collections/apps/nextcloud/templates/.env.db.j2 +++ b/roles/alpina/templates/apps/nextcloud/.env.db.j2 @@ -1,3 +1,3 @@ POSTGRES_USER=nextcloud POSTGRES_DB=nextcloud -POSTGRES_PASSWORD={{ db_password }} +POSTGRES_PASSWORD={{ nextcloud_db_password }} 
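Review bot: The last context line of this hunk, `GITEA__security__SECRET_KEY={{ secret_key }}`, still reads the unprefixed `secret_key`, although the commit renames the other Gitea secrets to `gitea_*` and deletes the per-stack `app_config.yml` that presumably defined it. Depending on what the new group vars define (not visible here), the render either stops on an undefined variable or picks up a group-wide `secret_key` that other stacks could be reading too, which would tie unrelated services to one key. Renaming it in line with the rest, `GITEA__security__SECRET_KEY={{ gitea_secret_key }}`, and defining that name in the vault keeps the Gitea key separate.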
diff --git a/roles/alpina/collections/apps/nextcloud/templates/.env.j2 b/roles/alpina/templates/apps/nextcloud/.env.j2 similarity index 100% rename from roles/alpina/collections/apps/nextcloud/templates/.env.j2 rename to roles/alpina/templates/apps/nextcloud/.env.j2 diff --git a/roles/alpina/collections/apps/nextcloud/templates/.env.nextcloud.j2 b/roles/alpina/templates/apps/nextcloud/.env.nextcloud.j2 similarity index 82% rename from roles/alpina/collections/apps/nextcloud/templates/.env.nextcloud.j2 rename to roles/alpina/templates/apps/nextcloud/.env.nextcloud.j2 index ee8e30f..1400b0a 100644 --- a/roles/alpina/collections/apps/nextcloud/templates/.env.nextcloud.j2 +++ b/roles/alpina/templates/apps/nextcloud/.env.nextcloud.j2 @@ -1,6 +1,6 @@ POSTGRES_DB=nextcloud POSTGRES_USER=nextcloud -POSTGRES_PASSWORD={{ db_password }} +POSTGRES_PASSWORD={{ nextcloud_db_password }} POSTGRES_HOST=db NEXTCLOUD_TRUSTED_DOMAINS=nc.{{ domain }} @@ -13,7 +13,7 @@ SMTP_SECURE=tls SMTP_PORT=587 SMTP_AUTHTYPE=LOGIN SMTP_NAME=apikey -SMTP_PASSWORD={{ sendgrid_api_key }} +SMTP_PASSWORD={{ nextcloud_sendgrid_api_key }} MAIL_FROM_ADDRESS=nc MAIL_DOMAIN=cazzzer.com diff --git a/roles/alpina/collections/apps/nextcloud/templates/.env.redis.j2 b/roles/alpina/templates/apps/nextcloud/.env.redis.j2 similarity index 100% rename from roles/alpina/collections/apps/nextcloud/templates/.env.redis.j2 rename to roles/alpina/templates/apps/nextcloud/.env.redis.j2 diff --git a/roles/alpina/collections/apps/nextcloud/templates/docker-compose.yml.j2 b/roles/alpina/templates/apps/nextcloud/docker-compose.yml.j2 similarity index 100% rename from roles/alpina/collections/apps/nextcloud/templates/docker-compose.yml.j2 rename to roles/alpina/templates/apps/nextcloud/docker-compose.yml.j2 
diff --git a/roles/alpina/collections/apps/nextcloud/templates/nginx.conf.j2 b/roles/alpina/templates/apps/nextcloud/nginx.conf.j2 similarity index 100% rename from roles/alpina/collections/apps/nextcloud/templates/nginx.conf.j2 rename to roles/alpina/templates/apps/nextcloud/nginx.conf.j2 diff --git a/roles/alpina/collections/services/authentik/templates/.env.authentik.j2 b/roles/alpina/templates/services/authentik/.env.authentik.j2 similarity index 81% rename from roles/alpina/collections/services/authentik/templates/.env.authentik.j2 rename to roles/alpina/templates/services/authentik/.env.authentik.j2 index a0446de..c4046fa 100644 --- a/roles/alpina/collections/services/authentik/templates/.env.authentik.j2 +++ b/roles/alpina/templates/services/authentik/.env.authentik.j2 @@ -4,14 +4,14 @@ AUTHENTIK_REDIS__HOST=redis AUTHENTIK_POSTGRESQL__HOST=postgres AUTHENTIK_POSTGRESQL__USER=authentik AUTHENTIK_POSTGRESQL__NAME=authentik -AUTHENTIK_POSTGRESQL__PASSWORD={{ db_password }} +AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }} AUTHENTIK_SECRET_KEY={{ authentik_secret_key }} AUTHENTIK_EMAIL__HOST=smtp.sendgrid.net AUTHENTIK_EMAIL__PORT=587 AUTHENTIK_EMAIL__USERNAME=apikey -AUTHENTIK_EMAIL__PASSWORD={{ sengrid_api_key }} +AUTHENTIK_EMAIL__PASSWORD={{ authentik_sendgrid_api_key }} AUTHENTIK_EMAIL__USE_TLS=true AUTHENTIK_EMAIL__TIMEOUT=10 diff --git a/roles/alpina/collections/services/authentik/templates/.env.db.j2 b/roles/alpina/templates/services/authentik/.env.db.j2 similarity index 50% rename from roles/alpina/collections/services/authentik/templates/.env.db.j2 rename to roles/alpina/templates/services/authentik/.env.db.j2 index ab2eb10..776a635 100644 --- a/roles/alpina/collections/services/authentik/templates/.env.db.j2 +++ b/roles/alpina/templates/services/authentik/.env.db.j2 @@ -1,3 +1,3 @@ POSTGRES_USER=authentik POSTGRES_DB=authentik -POSTGRES_PASSWORD={{ db_password }} +POSTGRES_PASSWORD={{ authentik_db_password }} 
diff --git a/roles/alpina/collections/services/authentik/templates/blueprints/apps-oauth2.yaml.j2 b/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
similarity index 100%
rename from roles/alpina/collections/services/authentik/templates/blueprints/apps-oauth2.yaml.j2
rename to roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
diff --git a/roles/alpina/collections/services/authentik/templates/blueprints/apps-proxy.yaml.j2 b/roles/alpina/templates/services/authentik/blueprints/apps-proxy.yaml.j2
similarity index 100%
rename from roles/alpina/collections/services/authentik/templates/blueprints/apps-proxy.yaml.j2
rename to roles/alpina/templates/services/authentik/blueprints/apps-proxy.yaml.j2
diff --git a/roles/alpina/collections/services/authentik/templates/blueprints/default-authentication.yaml.j2 b/roles/alpina/templates/services/authentik/blueprints/default-authentication.yaml.j2
similarity index 100%
rename from roles/alpina/collections/services/authentik/templates/blueprints/default-authentication.yaml.j2
rename to roles/alpina/templates/services/authentik/blueprints/default-authentication.yaml.j2
diff --git a/roles/alpina/collections/services/authentik/templates/blueprints/github-oauth.yaml.j2 b/roles/alpina/templates/services/authentik/blueprints/github-oauth.yaml.j2
similarity index 100%
rename from roles/alpina/collections/services/authentik/templates/blueprints/github-oauth.yaml.j2
rename to roles/alpina/templates/services/authentik/blueprints/github-oauth.yaml.j2
diff --git a/roles/alpina/collections/services/authentik/templates/blueprints/services-oauth2.yaml.j2 b/roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2
similarity index 100%
rename from roles/alpina/collections/services/authentik/templates/blueprints/services-oauth2.yaml.j2
rename to roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2
diff --git a/roles/alpina/collections/services/authentik/templates/docker-compose.yml.j2 b/roles/alpina/templates/services/authentik/docker-compose.yml.j2
similarity index 100%
rename from roles/alpina/collections/services/authentik/templates/docker-compose.yml.j2
rename to roles/alpina/templates/services/authentik/docker-compose.yml.j2
diff --git a/roles/alpina/collections/services/minio/templates/.env.minio.j2 b/roles/alpina/templates/services/minio/.env.minio.j2
similarity index 100%
rename from roles/alpina/collections/services/minio/templates/.env.minio.j2
rename to roles/alpina/templates/services/minio/.env.minio.j2
diff --git a/roles/alpina/collections/services/minio/templates/docker-compose.yml.j2 b/roles/alpina/templates/services/minio/docker-compose.yml.j2
similarity index 100%
rename from roles/alpina/collections/services/minio/templates/docker-compose.yml.j2
rename to roles/alpina/templates/services/minio/docker-compose.yml.j2
diff --git a/roles/alpina/collections/services/monitoring/templates/.env.influxdb.j2 b/roles/alpina/templates/services/monitoring/.env.influxdb.j2
similarity index 100%
rename from roles/alpina/collections/services/monitoring/templates/.env.influxdb.j2
rename to roles/alpina/templates/services/monitoring/.env.influxdb.j2
diff --git a/roles/alpina/collections/services/monitoring/templates/docker-compose.yml.j2 b/roles/alpina/templates/services/monitoring/docker-compose.yml.j2
similarity index 100%
rename from roles/alpina/collections/services/monitoring/templates/docker-compose.yml.j2
rename to roles/alpina/templates/services/monitoring/docker-compose.yml.j2
diff --git a/roles/alpina/collections/services/monitoring/templates/grafana_config/grafana.ini.j2 b/roles/alpina/templates/services/monitoring/grafana_config/grafana.ini.j2
similarity index 100%
rename from roles/alpina/collections/services/monitoring/templates/grafana_config/grafana.ini.j2
rename to roles/alpina/templates/services/monitoring/grafana_config/grafana.ini.j2
diff --git a/roles/alpina/collections/services/monitoring/templates/grafana_config/provisioning/datasources/alpina.yaml.j2 b/roles/alpina/templates/services/monitoring/grafana_config/provisioning/datasources/alpina.yaml.j2
similarity index 100%
rename from roles/alpina/collections/services/monitoring/templates/grafana_config/provisioning/datasources/alpina.yaml.j2
rename to roles/alpina/templates/services/monitoring/grafana_config/provisioning/datasources/alpina.yaml.j2
diff --git a/roles/alpina/collections/services/monitoring/templates/loki_config/loki-config.yaml.j2 b/roles/alpina/templates/services/monitoring/loki_config/loki-config.yaml.j2
similarity index 100%
rename from roles/alpina/collections/services/monitoring/templates/loki_config/loki-config.yaml.j2
rename to roles/alpina/templates/services/monitoring/loki_config/loki-config.yaml.j2
diff --git a/roles/alpina/collections/services/monitoring/templates/prometheus_config/extra/.gitkeep b/roles/alpina/templates/services/monitoring/prometheus_config/extra/.gitkeep
similarity index 100%
rename from roles/alpina/collections/services/monitoring/templates/prometheus_config/extra/.gitkeep
rename to roles/alpina/templates/services/monitoring/prometheus_config/extra/.gitkeep
diff --git a/roles/alpina/collections/services/monitoring/templates/prometheus_config/prometheus.yml.j2 b/roles/alpina/templates/services/monitoring/prometheus_config/prometheus.yml.j2
similarity index 100%
rename from roles/alpina/collections/services/monitoring/templates/prometheus_config/prometheus.yml.j2
rename to roles/alpina/templates/services/monitoring/prometheus_config/prometheus.yml.j2
diff --git a/roles/alpina/collections/services/monitoring/templates/promtail_config/promtail-config.yaml b/roles/alpina/templates/services/monitoring/promtail_config/promtail-config.yaml
similarity index 100%
rename from roles/alpina/collections/services/monitoring/templates/promtail_config/promtail-config.yaml
rename to roles/alpina/templates/services/monitoring/promtail_config/promtail-config.yaml
diff --git a/roles/alpina/collections/services/traefik/templates/.env.traefik.j2 b/roles/alpina/templates/services/traefik/.env.traefik.j2
similarity index 100%
rename from roles/alpina/collections/services/traefik/templates/.env.traefik.j2
rename to roles/alpina/templates/services/traefik/.env.traefik.j2
diff --git a/roles/alpina/collections/services/traefik/templates/docker-compose.yml.j2 b/roles/alpina/templates/services/traefik/docker-compose.yml.j2
similarity index 100%
rename from roles/alpina/collections/services/traefik/templates/docker-compose.yml.j2
rename to roles/alpina/templates/services/traefik/docker-compose.yml.j2
diff --git a/roles/alpina/collections/services/traefik/templates/rules/traefik-dash.yml.j2 b/roles/alpina/templates/services/traefik/rules/traefik-dash.yml.j2
similarity index 100%
rename from roles/alpina/collections/services/traefik/templates/rules/traefik-dash.yml.j2
rename to roles/alpina/templates/services/traefik/rules/traefik-dash.yml.j2
diff --git a/roles/alpina/collections/services/traefik/templates/traefik.yml.j2 b/roles/alpina/templates/services/traefik/traefik.yml.j2
similarity index 100%
rename from roles/alpina/collections/services/traefik/templates/traefik.yml.j2
rename to roles/alpina/templates/services/traefik/traefik.yml.j2
diff --git a/roles/docker_host/tasks/main.yml b/roles/docker_host/tasks/main.yml
index 5d2f535..f0cfcf8 100644
--- a/roles/docker_host/tasks/main.yml
+++ b/roles/docker_host/tasks/main.yml
@@ -58,7 +58,7 @@ - name: Clean alpina directory file: - path: "{{ my_svc_path }}" + path: "{{ alpina_svc_path }}" state: absent when: clean_desired is true diff --git a/services.yml b/services.yml index b3fb564..5c09e4d 100644 --- a/services.yml +++ b/services.yml @@ -1,4 +1,4 @@ -- hosts: docker_hosts +- hosts: alpina roles: - docker_host - alpina