[upd]

roles/backend-and-lighttpd/templates/conf.j2

@@ -0,0 +1,47 @@
+$HTTP["host"] == "{{domain}}" {
+	server.name = "{{domain}}"
+	
+	# Anfragen auf Port 80 über IPv4
+	$SERVER["socket"] == ":80" {
+		# auf HTTPS umleiten
+		url.redirect = ("^/(.*)" => "https://{{domain}}/$1")
+	}
+	
+	# Anfragen auf Port 80 über IPv6
+	$SERVER["socket"] == "[::]:80" {
+		# auf HTTPS umleiten
+		url.redirect = ("^/(.*)" => "https://{{domain}}/$1")
+	}
+	
+	# Anfragen auf Port 443 über IPv4
+	$SERVER["socket"] == ":443" {
+		# mit dem SSL-Kram beglücken
+		ssl.engine  = "enable"
+		ssl.pemfile = "/etc/ssl/certs/{{domain}}.pem"
+		ssl.privkey = "/etc/ssl/keys/{{domain}}.pem"
+		ssl.ca-file = "/etc/ssl/fullchains/{{domain}}.pem"
+	}
+	
+	# Anfragen auf Port 443 über IPv6
+	$SERVER["socket"] == "[::]:443" {
+		# mit dem SSL-Kram beglücken
+		ssl.engine  = "enable"
+		ssl.pemfile = "/etc/ssl/certs/{{domain}}.pem"
+		ssl.privkey = "/etc/ssl/keys/{{domain}}.pem"
+		ssl.ca-file = "/etc/ssl/fullchains/{{domain}}.pem"
+	}
+	
+	$HTTP["url"] =~ "^/" {
+		proxy.server = (
+			"" => (
+				"" => (
+					"host" => "localhost",
+					"port" => {{port}}
+				)
+			)
+		)
+		proxy.header = (
+			"upgrade" => "enable"
+		)
+	}
+}   

roles/backend-and-nginx/templates/conf.j2

@@ -0,0 +1,25 @@
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	'' close;
+}
+
+server {
+	server_name {{domain}};
+	
+	listen 80;
+	listen [::]:80;
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	
+	ssl_certificate /etc/ssl/certs/{{domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
+	
+	location / {
+		proxy_pass http://localhost:{{port}};
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+}

roles/backend/defaults/main.json

@@ -1,38 +1,37 @@
 {
-	"var_linke_espe_backend_directory": "/opt/espe/backend",
-	"var_linke_espe_backend_git_reference": "master",
-	"var_linke_espe_backend_conf_general_verbosity": "notice",
-	"var_linke_espe_backend_conf_general_verification_secret": "REPLACE_ME",
-	"var_linke_espe_backend_conf_server_port": 7979,
-	"var_linke_espe_backend_conf_database_kind": "sqlite",
-	"var_linke_espe_backend_conf_database_data_sqlite_path": "data.sqlite",
-	"var_linke_espe_backend_conf_database_data_postgresql_host": "postgresql.example.org",
-	"var_linke_espe_backend_conf_database_data_postgresql_port": 5432,
-	"var_linke_espe_backend_conf_database_data_postgresql_username": "espe_user",
-	"var_linke_espe_backend_conf_database_data_postgresql_password": "REPLACE_ME",
-	"var_linke_espe_backend_conf_database_data_postgresql_schema": "espe",
-	"var_linke_espe_backend_conf_email_sending_kind": "regular",
-	"var_linke_espe_backend_conf_email_sending_data_regular_smtp_credentials_host": "smtp.example.org",
-	"var_linke_espe_backend_conf_email_sending_data_regular_smtp_credentials_port": 587,
-	"var_linke_espe_backend_conf_email_sending_data_regular_smtp_credentials_username": "REPLACE_ME",
-	"var_linke_espe_backend_conf_email_sending_data_regular_smtp_credentials_password": "REPLACE_ME",
-	"var_linke_espe_backend_conf_email_sending_data_regular_smtp_sender": "espe@example.org",
-	"var_linke_espe_backend_conf_email_sending_data_redirect_smtp_credentials_host": "smtp.example.org",
-	"var_linke_espe_backend_conf_email_sending_data_redirect_smtp_credentials_port": 587,
-	"var_linke_espe_backend_conf_email_sending_data_redirect_smtp_credentials_username": "REPLACE_ME",
-	"var_linke_espe_backend_conf_email_sending_data_redirect_smtp_credentials_password": "REPLACE_ME",
-	"var_linke_espe_backend_conf_email_sending_data_redirect_smtp_sender": "espe@example.org",
-	"var_linke_espe_backend_conf_email_sending_data_redirect_smtp_target": "espe-admin@example.org",
-	"var_linke_espe_backend_conf_settings_target_domain": "example.org",
-	"var_linke_espe_backend_conf_settings_frontend_url_base": null,
-	"var_linke_espe_backend_conf_settings_login_url": null,
-	"var_linke_espe_backend_conf_settings_password_policy_minimum_length": 8,
-	"var_linke_espe_backend_conf_settings_password_policy_maximum_length": 240,
-	"var_linke_espe_backend_conf_settings_password_policy_must_contain_letter": true,
-	"var_linke_espe_backend_conf_settings_password_policy_must_contain_number": true,
-	"var_linke_espe_backend_conf_settings_password_policy_must_contain_special_character": true,
-	"var_linke_espe_backend_conf_settings_name_index_veil": true,
-	"var_linke_espe_backend_conf_settings_name_index_salt": "REPLACE_ME",
-	"var_linke_espe_backend_conf_admins": [],
-	"var_linke_espe_backend_conf_output_authelia": null
+	"var_espe_backend_directory": "/opt/espe/backend",
+	"var_espe_backend_git_reference": "master",
+	"var_espe_backend_verbosity": "notice",
+	"var_espe_backend_verification_secret": "REPLACE_ME",
+	"var_espe_backend_port": 7979,
+	"var_espe_backend_database_kind": "sqlite",
+	"var_espe_backend_database_data_sqlite_path": "data.sqlite",
+	"var_espe_backend_database_data_postgresql_host": "postgresql.example.org",
+	"var_espe_backend_database_data_postgresql_port": 5432,
+	"var_espe_backend_database_data_postgresql_username": "espe_user",
+	"var_espe_backend_database_data_postgresql_password": "REPLACE_ME",
+	"var_espe_backend_database_data_postgresql_schema": "espe",
+	"var_espe_backend_smtp_host": "smtp.example.org",
+	"var_espe_backend_smtp_port": 587,
+	"var_espe_backend_smtp_username": "REPLACE_ME",
+	"var_espe_backend_smtp_password": "REPLACE_ME",
+	"var_espe_backend_email_sending_kind": "regular",
+	"var_espe_backend_email_sending_data_regular_smtp_sender": "espe@example.org",
+	"var_espe_backend_email_sending_data_redirect_smtp_sender": "espe@example.org",
+	"var_espe_backend_email_sending_data_redirect_smtp_target": "espe-admin@example.org",
+	"var_espe_backend_organisation_name": "Example",
+	"var_espe_backend_organisation_domain": "example.org",
+	"var_espe_backend_prefix_for_veiled_email_addresses": "member-",
+	"var_espe_backend_facultative_membership_number": false,
+	"var_espe_backend_frontend_url_base": null,
+	"var_espe_backend_login_url": null,
+	"var_espe_backend_password_policy_minimum_length": 8,
+	"var_espe_backend_password_policy_maximum_length": 240,
+	"var_espe_backend_password_policy_must_contain_letter": true,
+	"var_espe_backend_password_policy_must_contain_number": true,
+	"var_espe_backend_password_policy_must_contain_special_character": true,
+	"var_espe_backend_name_index_veil": true,
+	"var_espe_backend_name_index_salt": "REPLACE_ME",
+	"var_espe_backend_admins": [],
+	"var_espe_backend_output_authelia": null
 }

roles/backend/tasks/main.json

@@ -4,7 +4,7 @@
 		"delegate_to": "localhost",
 		"ansible.builtin.git": {
 			"repo": "dl-cloud-gitlab:espe/backend",
-			"version": "{{var_linke_espe_backend_git_reference}}",
+			"version": "{{var_espe_backend_git_reference}}",
 			"dest": "/tmp/espe-backend-repo"
 		}
 	},
@@ -21,18 +21,14 @@
 		"delegate_to": "localhost",
 		"ansible.builtin.command": {
 			"chdir": "/tmp/espe-backend-repo",
-			"cmd": "tools/deploy {{ansible_host}} {{var_linke_espe_backend_directory}}"
+			"cmd": "tools/deploy {{ansible_host}} {{var_espe_backend_directory}}"
 		}
 	},
 	{
 		"name": "conf",
 		"ansible.builtin.template": {
 			"src": "conf.json.j2",
-			"dest": "{{var_linke_espe_backend_directory}}/conf.json"
+			"dest": "{{var_espe_backend_directory}}/conf.json"
 		}
-	},
-	{
-		"name": "initialize database",
-		"when": "var_linke_espe_backend_backup_path == None",
 	}
 ]

roles/backend/templates/conf.json.j2

@@ -1,56 +1,56 @@
 {
 	"general": {
-		"verbosity": "{{var_linke_espe_backend_conf_general_verbosity}}",
-		"verification_secret": "{{var_linke_espe_backend_conf_general_verification_secret}}"
+		"verbosity": "{{var_espe_backend_verbosity}}",
+		"verification_secret": "{{var_espe_backend_verification_secret}}"
 	},
 	"server": {
-		"port": {{var_linke_espe_backend_conf_server_port | string}}
+		"port": {{var_espe_backend_port | string}}
 	},
 	"database": {
-{% if var_linke_espe_backend_conf_database_kind == 'sqlite' %}
+{% if var_espe_backend_database_kind == 'sqlite' %}
 		"kind": "sqlite",
 		"data": {
-			"path": "{{var_linke_espe_backend_conf_database_data_sqlite_path}}"
+			"path": "{{var_espe_backend_database_data_sqlite_path}}"
 		}
 {% endif %}
-{% if var_linke_espe_backend_conf_database_kind == 'postgresql' %}
+{% if var_espe_backend_database_kind == 'postgresql' %}
 		"kind": "postgresql",
 		"data": {
-			"host": "{{var_linke_espe_backend_conf_database_data_postgresql_host}}"
-			"port": {{var_linke_espe_backend_conf_database_data_postgresql_port | string}},
-			"username": "{{var_linke_espe_backend_conf_database_data_postgresql_username}}",
-			"password": "{{var_linke_espe_backend_conf_database_data_postgresql_password}}",
-			"schema": "{{var_linke_espe_backend_conf_database_data_postgresql_schema}}"
+			"host": "{{var_espe_backend_database_data_postgresql_host}}"
+			"port": {{var_espe_backend_database_data_postgresql_port | string}},
+			"username": "{{var_espe_backend_database_data_postgresql_username}}",
+			"password": "{{var_espe_backend_database_data_postgresql_password}}",
+			"schema": "{{var_espe_backend_database_data_postgresql_schema}}"
 		}
 {% endif %}
 	},
 	"email_sending": {
-{% if var_linke_espe_backend_conf_database_kind == 'regular' %}
+{% if var_espe_backend_database_kind == 'regular' %}
 		"kind": "regular",
 		"data": {
 			"smtp_credentials": {
-				"host": "{{var_linke_espe_backend_conf_email_sending_data_regular_smtp_credentials_host}}",
-				"port": {{var_linke_espe_backend_conf_email_sending_data_regular_smtp_credentials_port | string}},
-				"username": "{{var_linke_espe_backend_conf_email_sending_data_regular_smtp_credentials_username}}",
-				"password": "{{var_linke_espe_backend_conf_email_sending_data_regular_smtp_credentials_password}}"
+				"host": "{{var_espe_backend_smtp_host}}",
+				"port": {{var_espe_backend_smtp_port | string}},
+				"username": "{{var_espe_backend_smtp_username}}",
+				"password": "{{var_espe_backend_smtp_password}}"
 			},
-			"sender": "{{var_linke_espe_backend_conf_email_sending_data_regular_smtp_sender}}"
+			"sender": "{{var_espe_backend_email_sending_data_regular_smtp_sender}}"
 		}
 {% endif %}
-{% if var_linke_espe_backend_conf_database_kind == 'redirect' %}
+{% if var_espe_backend_database_kind == 'redirect' %}
 		"kind": "redirect",
 		"data": {
 			"smtp_credentials": {
-				"host": "{{var_linke_espe_backend_conf_email_sending_data_redirect_smtp_credentials_host}}",
-				"port": {{var_linke_espe_backend_conf_email_sending_data_redirect_smtp_credentials_port | string}},
-				"username": "{{var_linke_espe_backend_conf_email_sending_data_redirect_smtp_credentials_username}}",
-				"password": "{{var_linke_espe_backend_conf_email_sending_data_redirect_smtp_credentials_password}}"
+				"host": "{{var_espe_backend_smtp_host}}",
+				"port": {{var_espe_backend_smtp_port | string}},
+				"username": "{{var_espe_backend_smtp_username}}",
+				"password": "{{var_espe_backend_smtp_password}}"
 			},
-			"sender": "{{var_linke_espe_backend_conf_email_sending_data_redirect_smtp_sender}}",
-			"target": "{{var_linke_espe_backend_conf_email_sending_data_redirect_smtp_target}}"
+			"sender": "{{var_espe_backend_email_sending_data_redirect_smtp_sender}}",
+			"target": "{{var_espe_backend_email_sending_data_redirect_smtp_target}}"
 		}
 {% endif %}
-{% if var_linke_espe_backend_conf_database_kind == 'drop' %}
+{% if var_espe_backend_database_kind == 'drop' %}
 		"kind": "drop",
 		"data": {
 		}
@@ -62,25 +62,32 @@
 		"lifetime": 86400
 	},
 	"settings": {
-		"target_domain": "{{var_linke_espe_backend_conf_settings_target_domain}}",
-		"frontend_url_base": {{var_linke_espe_backend_conf_settings_frontend_url_base | json}},
-		"login_url": {{var_linke_espe_backend_conf_settings_login_url | json}},
-		"prefix_for_nominal_email_addresses": "mitglied-",
-		"facultative_membership_number": false,
+		"organisation": {
+			"name": "{{var_espe_backend_settings_organisation_name}}",
+			"domain": "{{var_espe_backend_settings_organisation_domain}}"
+		},
+		"misc": {
+			"prefix_for_veiled_email_addresses": "{{var_espe_backend_settings_prefix_for_veiled_email_addresses}}",
+			"facultative_membership_number": {{var_espe_backend_settings_facultative_membership_number | json}}
+		},
 		"password_policy": {
-			"minimum_length": {{var_linke_espe_backend_conf_settings_password_policy_minimum_length | string}},
-			"maximum_length": {{var_linke_espe_backend_conf_settings_password_policy_maximum_length | string}},
-			"must_contain_letter": {{var_linke_espe_backend_conf_settings_password_policy_must_contain_letter | json}},
-			"must_contain_number": {{var_linke_espe_backend_conf_settings_password_policy_must_contain_number | json}},
-			"must_contain_special_character": {{var_linke_espe_backend_conf_settings_password_policy_must_contain_special_character | json}}
+			"minimum_length": {{var_espe_backend_settings_password_policy_minimum_length | string}},
+			"maximum_length": {{var_espe_backend_settings_password_policy_maximum_length | string}},
+			"must_contain_letter": {{var_espe_backend_settings_password_policy_must_contain_letter | json}},
+			"must_contain_number": {{var_espe_backend_settings_password_policy_must_contain_number | json}},
+			"must_contain_special_character": {{var_espe_backend_settings_password_policy_must_contain_special_character | json}}
 		},
 		"name_index": {
-			"veil": {{var_linke_espe_backend_conf_settings_name_index_veil | json}},
-			"salt": "{{var_linke_espe_backend_conf_settings_name_index_salt}}"
+			"veil": {{var_espe_backend_settings_name_index_veil | json}},
+			"salt": "{{var_espe_backend_settings_name_index_salt}}"
+		},
+		"connections": {
+			"frontend_url_base": {{var_espe_backend_settings_frontend_url_base | json}},
+			"login_url": {{var_espe_backend_settings_login_url | json}}
 		}
 	},
-	"admins": {{var_linke_espe_backend_conf_admins | json}},
+	"admins": {{var_espe_backend_admins | json}},
 	"output": {
-		"authelia": {{var_linke_espe_backend_conf_output_authelia | json}}
+		"authelia": {{var_espe_backend_output_authelia | json}}
 	}
 }

roles/backend/vardef.json

@@ -7,7 +7,7 @@
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_general_verbosity": {
+	"verbosity": {
 		"type": "string",
 		"options": [
 			"debug",
@@ -18,46 +18,62 @@
 		],
 		"mandatory": false
 	},
-	"conf_general_verification_secret": {
+	"verification_secret": {
 		"type": "string",
 		"mandatory": true
 	},
-	"conf_server_port": {
+	"port": {
 		"type": "integer",
 		"mandatory": false
 	},
-	"conf_database_kind": {
+	"database_kind": {
 		"type": "string",
 		"options": [
 			"sqlite"
 		],
 		"mandatory": false
 	},
-	"conf_database_data_sqlite_path": {
+	"database_data_sqlite_path": {
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_database_data_postgresql_host": {
+	"database_data_postgresql_host": {
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_database_data_postgresql_port": {
+	"database_data_postgresql_port": {
 		"type": "integer",
 		"mandatory": false
 	},
-	"conf_database_data_postgresql_username": {
+	"database_data_postgresql_username": {
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_database_data_postgresql_password": {
+	"database_data_postgresql_password": {
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_database_data_postgresql_schema": {
+	"database_data_postgresql_schema": {
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_email_sending_kind": {
+	"smtp_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"smtp_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"smtp_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"smtp_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"email_sending_kind": {
 		"type": "string",
 		"options": [
 			"regular",
@@ -66,93 +82,73 @@
 		],
 		"mandatory": false
 	},
-	"conf_email_sending_data_regular_smtp_credentials_host": {
+	"email_sending_data_regular_smtp_sender": {
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_email_sending_data_regular_smtp_credentials_port": {
-		"type": "integer",
-		"mandatory": false
-	},
-	"conf_email_sending_data_regular_smtp_credentials_username": {
+	"email_sending_data_redirect_smtp_sender": {
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_email_sending_data_regular_smtp_credentials_password": {
+	"email_sending_data_redirect_smtp_target": {
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_email_sending_data_regular_smtp_sender": {
+	"settings_organisation_name": {
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_email_sending_data_redirect_smtp_credentials_host": {
+	"settings_organisation_domain": {
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_email_sending_data_redirect_smtp_credentials_port": {
-		"type": "integer",
-		"mandatory": false
-	},
-	"conf_email_sending_data_redirect_smtp_credentials_username": {
+	"settings_prefix_for_veiled_email_addresses": {
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_email_sending_data_redirect_smtp_credentials_password": {
-		"type": "string",
+	"settings_facultative_membership_number": {
+		"type": "boolean",
 		"mandatory": false
 	},
-	"conf_email_sending_data_redirect_smtp_sender": {
-		"type": "string",
-		"mandatory": false
-	},
-	"conf_email_sending_data_redirect_smtp_target": {
-		"type": "string",
-		"mandatory": false
-	},
-	"conf_settings_target_domain": {
-		"type": "string",
-		"mandatory": false
-	},
-	"conf_settings_frontend_url_base": {
+	"settings_frontend_url_base": {
 		"nullable": true,
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_settings_login_url": {
+	"settings_login_url": {
 		"nullable": true,
 		"type": "string",
 		"mandatory": false
 	},
-	"conf_settings_password_policy_minimum_length": {
+	"settings_password_policy_minimum_length": {
 		"type": "integer",
 		"mandatory": false
 	},
-	"conf_settings_password_policy_maximum_length": {
+	"settings_password_policy_maximum_length": {
 		"type": "integer",
 		"mandatory": false
 	},
-	"conf_settings_password_policy_must_contain_letter": {
+	"settings_password_policy_must_contain_letter": {
 		"type": "boolean",
 		"mandatory": false
 	},
-	"conf_settings_password_policy_must_contain_number": {
+	"settings_password_policy_must_contain_number": {
 		"type": "boolean",
 		"mandatory": false
 	},
-	"conf_settings_password_policy_must_contain_special_character": {
+	"settings_password_policy_must_contain_special_character": {
 		"type": "boolean",
 		"mandatory": false
 	},
-	"conf_settings_name_index_veil": {
+	"settings_name_index_veil": {
 		"type": "boolean",
 		"mandatory": false
 	},
-	"conf_settings_name_index_salt": {
+	"settings_name_index_salt": {
 		"type": "string",
 		"mandatory": true
 	},
-	"conf_admins": {
+	"admins": {
 		"type": "array",
 		"items": {
 			"type": "object",
@@ -175,7 +171,7 @@
 		},
 		"mandatory": false
 	},
-	"conf_output_authelia": {
+	"output_authelia": {
 		"nullable": true,
 		"type": "string"
 	}

roles/frontend-and-lighttpd/templates/conf.j2

@@ -0,0 +1,34 @@
+$HTTP["host"] == "{{domain}}" {
+	server.name = "{{domain}}"
+	server.document-root = "{{directory}}"
+		
+	# Anfragen auf Port 80 über IPv4
+	$SERVER["socket"] == ":80" {
+		# auf HTTPS umleiten
+		url.redirect = ("^/(.*)" => "https://{{domain}}/$1")
+	}
+	
+	# Anfragen auf Port 80 über IPv6
+	$SERVER["socket"] == "[::]:80" {
+		# auf HTTPS umleiten
+		url.redirect = ("^/(.*)" => "https://{{domain}}/$1")
+	}
+	
+	# Anfragen auf Port 443 über IPv4
+	$SERVER["socket"] == ":443" {
+		# mit dem SSL-Kram beglücken
+		ssl.engine  = "enable"
+		ssl.pemfile = "/etc/ssl/certs/{{domain}}.pem"
+		ssl.privkey = "/etc/ssl/keys/{{domain}}.pem"
+		ssl.ca-file = "/etc/ssl/fullchains/{{domain}}.pem"
+	}
+	
+	# Anfragen auf Port 443 über IPv6
+	$SERVER["socket"] == "[::]:443" {
+		# mit dem SSL-Kram beglücken
+		ssl.engine  = "enable"
+		ssl.pemfile = "/etc/ssl/certs/{{domain}}.pem"
+		ssl.privkey = "/etc/ssl/keys/{{domain}}.pem"
+		ssl.ca-file = "/etc/ssl/fullchains/{{domain}}.pem"
+	}
+}   

roles/frontend-and-nginx/templates/conf.j2

@@ -0,0 +1,14 @@
+server {
+	server_name {{domain}};
+	
+	listen 80;
+	listen [::]:80;
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	
+	ssl_certificate /etc/ssl/certs/{{domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
+	
+	root {{directory}};
+}

roles/postgresql-for-espe/defaults/main.json

@@ -1,5 +1,7 @@
 {
 	"var_postgresql_for_espe_username": "espe_user",
 	"var_postgresql_for_espe_password": "REPLACE_ME",
-	"var_postgresql_for_espe_schema": "espe"
+	"var_postgresql_for_espe_schema": "espe",
+	"var_postgresql_for_espe_git_reference": "master",
+	"var_postgresql_for_espe_revision": "r4"
 }

roles/postgresql-for-espe/tasks/main.json

@@ -46,4 +46,39 @@
 			"grant_option": true
 		}
 	}
+	{
+		"name": "structure | fetch",
+		"delegate_to": "localhost",
+		"ansible.builtin.git": {
+			"repo": "dl-cloud-gitlab:espe/datamodel",
+			"version": "{{var_postgresql_for_espe_git_reference}}",
+			"dest": "/tmp/espe-datamodel-repo"
+		}
+	},
+	{
+		"name": "structure | build",
+		"delegate_to": "localhost",
+		"ansible.builtin.command": {
+			"chdir": "/tmp/espe-datamodel-repo",
+			"cmd": "tools/build {{var_postgresql_for_espe_revision}} database:postgresql > /tmp/espe.sql"
+		}
+	},
+	{
+		"name": "structure | transfer",
+		"ansible.builtin.copy": {
+			"src": "/tmp/espe.sql",
+			"dest": "/tmp/espe.sql"
+		}
+	},
+	{
+		"name": "structure | apply",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_query": {
+			"db": "{{var_postgresql_for_espe_schema}}",
+			"login_user": "{{var_postgresql_for_espe_username}}",
+			"login_password": "{{var_postgresql_for_espe_password}}",
+			"query": "{{lookup('ansible.builtin.file','/tmp/espe.sql')}}"
+		}
+	}
 ]

roles/postgresql-for-espe/vardef.json

@@ -0,0 +1,18 @@
+{
+	"username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"password": {
+		"type": "string",
+		"mandatory": true
+	},
+	"schema": {
+		"type": "string",
+		"mandatory": false
+	},
+	"git_reference": {
+		"type": "string",
+		"mandatory": false
+	}
+}