From f36556a85091e1f74c31a4ba1b9bfbc75e7b89a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicol=C3=B2=20P=2E?=
Date: Mon, 16 Mar 2026 16:43:38 +0100
Subject: [PATCH 1/4] Tentative role for fail2ban
---
 inventory/lab/inventory.yml | 9 +++++++++
 playbooks/fail2ban.yml | 10 ++++++++++
 roles/fail2ban/tasks/main.yml | 20 ++++++++++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 playbooks/fail2ban.yml
 create mode 100644 roles/fail2ban/tasks/main.yml
diff --git a/inventory/lab/inventory.yml b/inventory/lab/inventory.yml
index adfc2ba..85ffc19 100644
--- a/inventory/lab/inventory.yml
+++ b/inventory/lab/inventory.yml
@@ -10,3 +10,12 @@ all:
 debi13:
 ansible_host: 127.0.0.1
 ansible_port: 2224
+
+ fail2ban:
+ hosts:
+ debi13:
+ ansible_host: 127.0.0.1
+ ansible_port: 2224
+ alma9:
+ ansible_host: 127.0.0.1
+ ansible_port: 2222
diff --git a/playbooks/fail2ban.yml b/playbooks/fail2ban.yml
new file mode 100644
index 0000000..aad5564
--- /dev/null
+++ b/playbooks/fail2ban.yml
@@ -0,0 +1,10 @@
+---
+- name: Install fail2ban on Linux hosts
+ hosts:
+ - fail2ban
+ become: true
+
+ roles:
+ - fail2ban
+
+
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
new file mode 100644
index 0000000..9c48d27
--- /dev/null
+++ b/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Ensure epel-release is installed (RedHat)
+ ansible.builtin.package:
+ name: epel-release
+ state: present
+ update_cache: yes
+ when: ansible_os_family == 'RedHat'
+
+- name: Ensure fail2ban is installed
+ ansible.builtin.package:
+ name: fail2ban
+ state: present
+ update_cache: yes
+
+- name: Start fail2ban for RedHat
+ ansible.builtin.systemd_service:
+ name: fail2ban
+ state: started
+ enabled: true
+ when: ansible_os_family == 'RedHat'
From 37d4e70d406fbcfb6150e1943b54f3dd64f16011 Mon Sep 17 00:00:00 2001
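Review bot: The new `fail2ban` group re-declares `ansible_host` and `ansible_port` for debi13, which the `all` block above already sets, so the two copies can drift apart without any error. Ansible merges host vars across every group a host belongs to, so listing the host with an empty value under the new group (`debi13:`) should be enough and keeps the connection details defined once. The same applies to alma9 if it is already declared earlier in the file, which is outside this hunk.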
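Review bot: The `Start fail2ban for RedHat` task leaves the service unmanaged on every non-RedHat host, and the role deploys no jail configuration at all, so on RedHat the daemon comes up with nothing to watch (as far as I recall EPEL's stock `jail.conf` enables no jails, whereas Debian's package enables `sshd` through a `jail.d` drop-in). Drop the `when: ansible_os_family == 'RedHat'` guard on the last task so the idempotent `systemd_service` call applies everywhere, e.g. `- name: Ensure fail2ban is started and enabled`, and template a `jail.local` (or `jail.d/` drop-in) that enables at least the `sshd` jail, with a `Restart fail2ban` handler notified from it. The two `update_cache: yes` lines should use the canonical boolean, `update_cache: true`.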
From: =?UTF-8?q?Nicol=C3=B2=20P=2E?=
Date: Tue, 24 Mar 2026 19:14:36 +0100
Subject: [PATCH 2/4] Add role to deploy GKS IIIF manifests
---
 roles/iiif-manif/defaults/main.yml | 1 +
 roles/iiif-manif/handlers/main.yml | 5 ++++
 roles/iiif-manif/tasks/main.yml | 38 ++++++++++++++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 roles/iiif-manif/defaults/main.yml
 create mode 100644 roles/iiif-manif/handlers/main.yml
 create mode 100644 roles/iiif-manif/tasks/main.yml
diff --git a/roles/iiif-manif/defaults/main.yml b/roles/iiif-manif/defaults/main.yml
new file mode 100644
index 0000000..a322d3f
--- /dev/null
+++ b/roles/iiif-manif/defaults/main.yml
@@ -0,0 +1 @@
+iiif_repo_url: "https://git.electricmandarine.cloud/nicolo/greek-manifests"
diff --git a/roles/iiif-manif/handlers/main.yml b/roles/iiif-manif/handlers/main.yml
new file mode 100644
index 0000000..11f648b
--- /dev/null
+++ b/roles/iiif-manif/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart PM2
+ ansible.builtin.command: '/home/nicolo/node_modules/bin/pm2 restart all --update-env'
+ become: true
+ become_user: nicolo
diff --git a/roles/iiif-manif/tasks/main.yml b/roles/iiif-manif/tasks/main.yml
new file mode 100644
index 0000000..801e02f
--- /dev/null
+++ b/roles/iiif-manif/tasks/main.yml
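Review bot: `pm2 restart all --update-env` restarts every pm2-managed process of user nicolo, not only the manifests application, so any unrelated service running in that pm2 instance bounces each time this handler fires. Restrict it to the process the role deploys, e.g. `ansible.builtin.command: '/home/nicolo/node_modules/bin/pm2 restart <PM2_APP_NAME> --update-env'` where `<PM2_APP_NAME>` is the pm2 process name (a placeholder; the patch does not give it). The `/home/nicolo/...` path and `become_user: nicolo` are hard-coded here and repeated in tasks/main.yml; moving both into defaults/main.yml (say `iiif_user` and `iiif_node_bin`) keeps the handler and the tasks in sync.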
@@ -0,0 +1,38 @@
+---
+- name: Ensure ACL is installed
+ ansible.builtin.package:
+ name:
+ - acl
+ state: present
+ update_cache: yes
+ when: ansible_os_family == 'RedHat'
+
+- name: Ensure git is installed
+ ansible.builtin.package:
+ name:
+ - git
+ state: present
+ update_cache: yes
+
+- name: Pull from manifest repo
+ ansible.builtin.git:
+ repo: "{{ iiif_repo_url }}"
+ # To be changed!!
+ dest: /home/nicolo/greek-manifests
+ update: true
+ clone: false
+ version: master
+ become: true
+ become_user: nicolo
+
+- name: Install Yarn dependencies based on package.json
+ community.general.yarn:
+ # To be changed!!
+ path: /home/nicolo/greek-manifests
+ executable: /home/nicolo/node_modules/bin/yarn
+ production: true
+ become: true
+ become_user: nicolo
+ # this should alwasy notify 'Restart PM2'
+ changed_when: true
+ notify: Restart PM2
From 73275530daebdd3158190dd828f15756edf2af97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicol=C3=B2=20P=2E?=
Date: Sun, 29 Mar 2026 18:58:17 +0200
Subject: [PATCH 3/4] Draft role for Heriverse/Stratigraph
---
 playbooks/heriverse.yml | 11 +++++
 roles/heriverse/defaults/main.yml | 3 ++
 roles/heriverse/handlers/main.yml | 5 ++
 roles/heriverse/tasks/main.yml | 68 ++++++++++++++++++++++++++
 roles/heriverse/templates/Caddyfile.j2 | 25 ++++++++++
 5 files changed, 112 insertions(+)
 create mode 100644 playbooks/heriverse.yml
 create mode 100644 roles/heriverse/defaults/main.yml
 create mode 100644 roles/heriverse/handlers/main.yml
 create mode 100644 roles/heriverse/tasks/main.yml
 create mode 100644 roles/heriverse/templates/Caddyfile.j2
diff --git a/playbooks/heriverse.yml b/playbooks/heriverse.yml
new file mode 100644
index 0000000..15fbe3f
--- /dev/null
+++ b/playbooks/heriverse.yml
@@ -0,0 +1,11 @@
+---
+- name: Configure webserver with Docker, Heriverse and Caddy
+ hosts:
+ - localhost
+ become: true
+ vars:
+ server_name: "heriverse.stratigraph"
+
+ roles:
+ - docker
+ - heriverse
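Review bot: `changed_when: true` on the yarn task (the `# this should alwasy notify` comment, typo for "always", documents the intent) makes the task report a change on every run, so the play is never idempotent and the `Restart PM2` handler fires on each run even when nothing new was pulled. Register the git task (`register: iiif_repo`) and make the yarn task report `changed_when: iiif_repo is changed` instead, so the restart happens only after commits actually landed. The `acl` package is what lets `become_user` switch to an unprivileged user on any distribution, so the `when: ansible_os_family == 'RedHat'` on the first task looks too narrow unless the Debian hosts are known to ship it already. With `clone: false`, the git task does nothing on a host where `/home/nicolo/greek-manifests` does not exist yet (as far as I read the module it exits unchanged), and the yarn task then fails on the missing `package.json`; either document the manual initial clone as a precondition in a comment or drop `clone: false`. `version: master` deploys whatever the branch head holds at run time; pinning a tag or commit through a default such as `iiif_repo_version` would make a deployment reproducible.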
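Review bot: `server_name` is defined only as a play var here, while the role's defaults/main.yml ships it commented out, so the role cannot be reused from another play without reproducing this var or the Caddyfile template fails on an undefined variable. Either uncomment the default in the role (a play var still overrides it) or state in the role's defaults that the variable is required. `heriverse.stratigraph` also does not look like a resolvable public name, so Caddy's automatic HTTPS will presumably keep retrying ACME issuance for it; for a lab host, `tls internal` in the Caddyfile or a real hostname avoids that. The `docker` role listed under `roles:` is not part of this series and is assumed to exist already.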
diff --git a/roles/heriverse/defaults/main.yml b/roles/heriverse/defaults/main.yml
new file mode 100644
index 0000000..67cc8eb
--- /dev/null
+++ b/roles/heriverse/defaults/main.yml
@@ -0,0 +1,3 @@
+heriverse_repo_url: "https://git.3dresearch.it/stratigraph/docker-heriverse"
+# Note: replace with the domain name for Caddy config
+#server_name: "heriverse.stratigraph"
diff --git a/roles/heriverse/handlers/main.yml b/roles/heriverse/handlers/main.yml
new file mode 100644
index 0000000..7e7ab42
--- /dev/null
+++ b/roles/heriverse/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart Caddy
+ ansible.builtin.service:
+ name: caddy
+ state: restarted
diff --git a/roles/heriverse/tasks/main.yml b/roles/heriverse/tasks/main.yml
new file mode 100644
index 0000000..9fcd1e8
--- /dev/null
+++ b/roles/heriverse/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+- name: Ensure ACL is installed
+ ansible.builtin.package:
+ name:
+ - acl
+ state: present
+ update_cache: yes
+
+- name: Ensure git is installed
+ ansible.builtin.package:
+ name:
+ - git
+ state: present
+ update_cache: yes
+
+- name: Ensure Caddy is installed
+ ansible.builtin.package:
+ name:
+ - caddy
+ state: present
+ update_cache: yes
+
+- name: Create Heriverse user
+ ansible.builtin.user:
+ name: heriverse
+ shell: /usr/sbin/nologin
+ home: /opt/heriverse
+ create_home: true
+ password: '*'
+
+- name: Ensure Heriverse directory exists
+ ansible.builtin.file:
+ path: /opt/heriverse/docker-herivese
+ state: directory
+ owner: heriverse
+ group: heriverse
+ mode: "0755"
+
+- name: Clone Heriverse repo
+ ansible.builtin.git:
+ repo: "{{ heriverse_repo_url }}"
+ dest: /opt/heriverse/docker-heriverse
+ clone: true
+ become: true
+ become_user: heriverse
+
+- name: Create and start all Heriverse services
+ community.docker.docker_compose_v2:
+ project_src: /opt/heriverse/docker-heriverse
+ pull: missing
+ register: output
+
+- name: Execute entrypoint script
+ ansible.builtin.command:
+ chdir: /opt/heriverse/docker-heriverse
+ cmd: './entrypoint.sh'
+ become: true
+ become_user: heriverse
+
+- name: Copy Caddy config file
+ ansible.builtin.template:
+ src: Caddyfile.j2
+ dest: "/etc/caddy/Caddyfile"
+ owner: root
+ group: root
+ mode: '0644'
+ notify: Restart Caddy
+
diff --git a/roles/heriverse/templates/Caddyfile.j2 b/roles/heriverse/templates/Caddyfile.j2
new file mode 100644
index 0000000..b78a80c
--- /dev/null
+++ b/roles/heriverse/templates/Caddyfile.j2
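Review bot: The `Ensure Heriverse directory exists` task creates `/opt/heriverse/docker-herivese` (typo), while the clone, compose and entrypoint tasks all use `/opt/heriverse/docker-heriverse`, so the owner/group/mode set there never applies to the real checkout; the line should read `path: /opt/heriverse/docker-heriverse`, and a single default such as `heriverse_dir` used by all five tasks would prevent this recurring. The `Clone Heriverse repo` task pins no `version:`, and `Execute entrypoint script` then runs `./entrypoint.sh` out of that checkout as the heriverse user on every play run: it is not idempotent (no `creates:` or `changed_when:`) and it executes whatever the remote branch head contains at run time, so a pinned `version: "{{ heriverse_repo_version }}"` (default to be added alongside `heriverse_repo_url`) plus a `creates:` marker on the command would make the role reproducible and re-runnable. `register: output` on the compose task is never read and can be dropped. The locked service account (`password: '*'`, `nologin` shell) is the right shape for this.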
@@ -0,0 +1,25 @@
+{{ server_name }} {
+ # Don't show ATON's frontend home page
+ redir / /a/heriverse 302
+
+ request_body {
+ max_size 2GB # This can be made configurable
+ }
+
+ # `handle_path` is required where URIs must be rewritten
+ handle_path /server/* {
+ reverse_proxy localhost:3000
+ }
+
+ handle /auth* {
+ reverse_proxy localhost:8080
+ }
+
+ handle_path /couchdb/* {
+ reverse_proxy localhost:5984
+ }
+
+ handle /* {
+ reverse_proxy localhost:8081
+ }
+}
From 6c56da620bb171fc616ace64895a0def66c10c0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicol=C3=B2=20P=2E?=
Date: Sun, 29 Mar 2026 19:09:56 +0200
Subject: [PATCH 4/4] heriverse: Add docker-compose.yml template
---
 roles/heriverse/tasks/main.yml | 10 ++
 .../heriverse/templates/docker-compose.yml.j2 | 94 +++++++++++++++++++
 2 files changed, 104 insertions(+)
 create mode 100644 roles/heriverse/templates/docker-compose.yml.j2
diff --git a/roles/heriverse/tasks/main.yml b/roles/heriverse/tasks/main.yml
index 9fcd1e8..037d6cb 100644
--- a/roles/heriverse/tasks/main.yml
+++ b/roles/heriverse/tasks/main.yml
@@ -44,6 +44,16 @@
 become: true
 become_user: heriverse
 
+# Temporary
+- name: Replace docker-compose.yml for prod
+ ansible.builtin.template:
+ src: docker-compose.yml.j2
+ dest: "/opt/heriverse/docker-heriverse"
+ owner: root
+ group: root
+ force: true
+ mode: '0644'
+
 - name: Create and start all Heriverse services
 community.docker.docker_compose_v2:
 project_src: /opt/heriverse/docker-heriverse
diff --git a/roles/heriverse/templates/docker-compose.yml.j2 b/roles/heriverse/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..be7f65f
--- /dev/null
+++ b/roles/heriverse/templates/docker-compose.yml.j2
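Review bot: `handle_path /couchdb/*` publishes the entire CouchDB HTTP API, including its web admin UI and server-level endpoints, on the public hostname with only CouchDB's own authentication in front of it, and the credentials for that instance are fixed in the compose template of the following commit. If the front end needs only specific databases, narrow the matcher to those (e.g. `handle_path /couchdb/<DB_NAME>/*`, placeholder) and put a `basic_auth` or forward-auth block, or an IP allow-list, on anything broader. `max_size 2GB` in `request_body` applies to every route, `/auth*` and `/couchdb/*` included; making it a role variable as the inline comment suggests, `max_size {{ heriverse_max_body_size | default('2GB') }}`, and scoping it to the upload route keeps the limit where it is needed.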
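Review bot: `dest: "/opt/heriverse/docker-heriverse"` is the project directory, not the compose file, so the rendered template never becomes `docker-compose.yml` there (depending on the Ansible version it lands under the template's own basename, `docker-compose.yml.j2`, or the task errors) and `docker_compose_v2` keeps using the file from the checkout; it should read `dest: /opt/heriverse/docker-heriverse/docker-compose.yml`. Overwriting a file that is presumably tracked in the cloned repository, as root, also leaves the heriverse-owned checkout dirty, and the `Clone Heriverse repo` task that runs before this one refuses to update a tree with local modifications unless `force` is set, so the second run of the play fails; rendering to a separate file and pointing the compose task's `files:` at it avoids that. `force: true` is the module default and can go, and the `# Temporary` comment should say what this is pending, otherwise it stays forever.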
@@ -0,0 +1,94 @@
+services:
+
+ # =======================
+ # FRONTEND
+ # =======================
+ heriverse:
+ image: git.3dresearch.it:5050/cnr-h2iosc/heriverse/heriverse-wapp:latest
+ container_name: heriverse
+ ports:
+ - "8081:8080"
+ depends_on:
+ - heriverse-server
+ - keycloak
+ volumes:
+ - ./mount/heriverse/config/Utils.js:/aton/wapps/heriverse/config/Utils.js
+ networks:
+ - backend
+ restart: always
+
+ # =======================
+ # BACKEND / API SERVER
+ # =======================
+ heriverse-server:
+ image: git.3dresearch.it:5050/stratigraph/heriverse-server:latest
+ container_name: heriverse-server
+ ports:
+ - "3000:3000"
+ depends_on:
+ - couchdb
+ - keycloak
+ volumes:
+ - ./mount/server/uploads:/app/uploads
+ - ./mount/server/config:/app/conf
+ networks:
+ - backend
+ restart: always
+ # =======================
+ # DATABASE
+ # =======================
+ couchdb:
+ image: apache/couchdb:3
+ container_name: couchdb
+ environment:
+ - COUCHDB_USER=admin
+ - COUCHDB_PASSWORD=admin
+ - COUCHDB_SECRET=heriversesecret
+ - COUCHDB_SINGLE_NODE=true
+ ports:
+ - "5984:5984"
+ volumes:
+ - couchdb_data:/opt/couchdb/data
+ - couchdb_config:/opt/couchdb/etc/local.d
+ networks:
+ - backend
+ restart: always
+ keycloak:
+ image: quay.io/keycloak/keycloak:24.0.4
+ container_name: keycloak
+ environment:
+ KEYCLOAK_ADMIN: admin
+ KEYCLOAK_ADMIN_PASSWORD: admin
+ KC_DB: dev-file
+ KC_PROXY: edge
+ KC_HTTP_ENABLED: "true"
+ KC_HOSTNAME_STRICT: "false"
+ KC_HOSTNAME_STRICT_HTTPS: "false"
+ ports:
+ - "8080:8080"
+ command:
+ - start-dev
+ - --import-realm
+ - --http-relative-path=/auth
+ - --proxy-headers=xforwarded
+ - --hostname={{ server_name }}
+ - --hostname-strict=false
+ - --hostname-strict-https=false
+ - --http-enabled=true
+ volumes:
+ - keycloak_data:/opt/keycloak/data
+ - ./mount/keycloak/realms/realm-heriverse.json:/opt/keycloak/data/import/realm-heriverse.json
+ networks:
+ - backend
+ restart: always
+# =======================
+# NETWORK AND VOLUMES
+# =======================
+networks:
+ backend:
+ driver: bridge
+
+volumes:
+ couchdb_data:
+ couchdb_config:
+ keycloak_data:
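Review bot: The template hard-codes the production credentials (`COUCHDB_USER=admin`, `COUCHDB_PASSWORD=admin`, `COUCHDB_SECRET=heriversesecret`, `KEYCLOAK_ADMIN_PASSWORD: admin`) and at the same time binds `3000`, `5984` and `8080` on all host interfaces, so CouchDB and the Keycloak admin console are reachable directly on their ports, bypassing Caddy, with well-known logins, on top of the `/couchdb/*` and `/auth*` routes the Caddyfile already proxies. Since the file is already a Jinja template, the secrets should come from role variables kept in a vault (names below are a suggestion, to be declared in defaults without real values) and the host port bindings should be restricted to loopback so that only Caddy can reach the services; the rewritten lines follow. Keycloak is also run with `start-dev`, `KC_DB: dev-file` and `--hostname-strict=false`/`--hostname-strict-https=false`, which Keycloak documents as development-only; for the "prod" compose this commit describes, `start` with a real database and strict hostname checking is the supported mode, though that is a larger change than this note. Both `heriverse*` images are pulled as `:latest`, so a deploy is not reproducible and any regressed or tampered push to the registry is what the next fresh pull brings in; pinning a tag or digest as is done for keycloak (`24.0.4`) fixes that.

```yaml
  heriverse:
    # … unchanged: image, container_name …
    ports:
      - "127.0.0.1:8081:8080"
    # … unchanged: depends_on, volumes, networks, restart …
  heriverse-server:
    # … unchanged: image, container_name …
    ports:
      - "127.0.0.1:3000:3000"
    # … unchanged: depends_on, volumes, networks, restart …
  couchdb:
    # … unchanged: image, container_name …
    environment:
      - COUCHDB_USER={{ heriverse_couchdb_user }}
      - COUCHDB_PASSWORD={{ heriverse_couchdb_password }}
      - COUCHDB_SECRET={{ heriverse_couchdb_secret }}
      - COUCHDB_SINGLE_NODE=true
    ports:
      - "127.0.0.1:5984:5984"
    # … unchanged: volumes, networks, restart …
  keycloak:
    # … unchanged: image, container_name …
    environment:
      KEYCLOAK_ADMIN: "{{ heriverse_keycloak_admin_user }}"
      KEYCLOAK_ADMIN_PASSWORD: "{{ heriverse_keycloak_admin_password }}"
      # … unchanged: KC_* settings …
    ports:
      - "127.0.0.1:8080:8080"
    # … unchanged: command, volumes, networks, restart …
```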