Merge pull request #14985 from rocky-linux/develop

Merge Downward Changes

.ansible-lint

@@ -0,0 +1,3 @@
+warn_list:
+  - internal-error
+  - syntax-check

ansible/inventories/production/hosts.ini

@@ -104,3 +104,6 @@ matterbridge.rockylinux.org ansible_host=10.100.xx.xx
 
 [matomo]
 matomo.rockylinux.org ansible_host=10.100.xx.xx
+
+[bugtracker]
+bugs.rockylinux.org ansible_host=10.100.xx.xx

ansible/playbooks/files/etc/systemd/system/noggin.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=noggin
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Environment=FLASK_APP=/opt/noggin/noggin/noggin/app.py
+Environment=NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
+Environment=FLASK_DEBUG=1
+User=noggin
+WorkingDirectory=/opt/noggin/noggin
+ExecStart=/bin/bash /opt/noggin/start_noggin.sh
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

ansible/playbooks/init-rocky-bugzilla.yml

@@ -1,8 +1,13 @@
 ---
 # Installs the mantis bug tracker
 - name: Configure MantisBT
-  hosts: "{{ host }}"
+  hosts: "bugtracker"
   become: true
+  vars_files:
+  - vars/common.yml
+  - vars/vaults/encpass.yml
+  - vars/vaults/mantis.yml
+  - vars/mantis.yml
 
   handlers:
     - import_tasks: handlers/main.yml
@@ -20,11 +25,31 @@
         success_msg: "We are not able to run on this node"
         fail_msg: "/etc/no-ansible exists - skipping run on this node"
 
+  roles:
+    - role: rockylinux.ipagetcert
+      state: present
+
   tasks:
     - name: Deploy Mantis
       import_tasks: tasks/mantis.yml
 
   post_tasks:
+    - name: Open firewalld ports
+      ansible.posix.firewalld:
+        service: "{{ item }}"
+        permanent: true
+        immediate: true
+        state: enabled
+      with_items:
+        - http
+        - https
+
+    - name: Ensure httpd is enabled and running
+      service:
+        name: httpd
+        enabled: true
+        state: started
+
     - name: Touching run file that ansible has ran here
       file:
         path: /var/log/ansible.run

ansible/playbooks/init-rocky-noggin.yml

@@ -0,0 +1,34 @@
+---
+# (Re)deploys the noggin theme
+- name: Deploy Noggin
+  hosts: "idp"
+  become: true
+
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are not able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+  tasks:
+    - name: Deploy Noggin
+      import_tasks: "tasks/noggin.yml"
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root

ansible/playbooks/init-rocky-repo-servers.yml

@@ -0,0 +1,34 @@
+---
+# Preps a system to be a repository
+- name: Configure repository system
+  hosts: "{{ host }}"
+  become: true
+
+  handlers:
+    - import_tasks: handers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are not able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+  tasks:
+    - name: Configure repository system
+      import_tasks: tasks/repository.yml
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root

ansible/playbooks/role-rocky-wikijs.yml

@@ -0,0 +1,69 @@
+---
+# WikiJS
+- name: Install and manage Wikijs
+  hosts: wiki
+  become: false
+  vars_files:
+    - vars/vaults/hostman.yml
+    - vars/vaults/wikijs.yml
+    - vars/wikijs.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+    - name: Install SELinux packages
+      become: true
+      package:
+        name: python3-policycoreutils.noarch
+        state: present
+
+  roles:
+    - role: rockylinux.ipagetcert
+      become: true
+      state: present
+      tags: ['certs']
+
+    - role: rockylinux.wikijs
+      tags: ['wikijs']
+      become: true
+
+    # Define variables in vars/wikijs.yml
+    - role: nginxinc.nginx_core.nginx
+      tags: ['nginx']
+      become: true
+    - role: nginxinc.nginx_core.nginx_config
+      tags: ['nginx']
+      become: true
+
+  post_tasks:
+    - name: Open firewalld ports
+      become: true
+      ansible.posix.firewalld:
+        port: "{{ item.port }}"
+        permanent: "{{ item.permanent }}"
+        state: "{{ item.state }}"
+        immediate: yes
+      loop: "{{ firewall_rules }}"
+
+    - name: Touching run file that ansible has ran here
+      become: true
+      file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root

ansible/playbooks/tasks/grub.yml

@@ -1,54 +1,4 @@
 ---
-- name: Reset grub link if we are EFI
-  set_fact:
-    grub_config_path_link: "{{ grub_config_path_efi }}"
-  when:
-    - efi_installed.stat.isdir is defined
-    - efi_installed.stat.isdir
-    - grub_config_path_efi is defined
-  tags:
-    - efi
-
-- name: Create grub.d directory
-  file:
-    name: /etc/default/grub.d
-    owner: root
-    group: root
-    mode: '0755'
-    state: directory
-    recurse: true
-  tags:
-    - grub
-    - kernel
-    - harden
-
-- name: Append /etc/default/grub file
-  lineinfile:
-    path: /etc/default/grub
-    line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
-    state: present
-  tags:
-    - grub
-    - kernel
-    - harden
-
-- name: Command line defaults
-  copy:
-    dest: "/etc/default/grub.d/99-rocky.cfg"
-    owner: root
-    group: root
-    mode: '0644'
-    content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ grub_boot_options }}"'
-  tags:
-    - grub
-    - kernel
-    - harden
-
-- name: Rebuild grub
-  command: "/usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}"
-  register: grub_command_result
-  changed_when: "grub_command_result.rc == 0"
-  tags:
-    - grub
-    - kernel
-    - harden
+- name: Add kernel boot options to all kernels and default config
+  command: /usr/sbin/grubby --update-kernel=ALL --args "{{ grub_boot_options }}"
+  changed_when: "1 != 1"

ansible/playbooks/tasks/mantis.yml

@@ -32,6 +32,11 @@
     mode: '0644'
     remote_src: true
 
+- name: Generate crypto salt
+  shell: "set -o pipefail && cat /dev/urandom | head -c 64 | base64 --wrap=0"
+  changed_when: "1 != 1"
+  register: cryptosalt_string
+
 - name: Configure mantis
   template:
     src: "var/www/mantis/config/config_inc.php.j2"
@@ -40,6 +45,22 @@
     group: apache
     mode: '0640'
 
+- name: Deploy plugins from Mantis GitHub
+  git:
+    repo: "https://github.com/mantisbt-plugins/{{ item }}.git"
+    dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/{{ item }}"
+    update: true
+    version: master
+  with_items:
+    - Snippets
+
+- name: Deploy custom libravatar plugin
+  git:
+    repo: "https://github.com/nazunalika/mantisbt-libravatar.git"
+    dest: "/var/www/mantisbt-{{ mantis_version }}/plugins/Libravatar"
+    update: true
+    version: main
+
 - name: Configure httpd
   template:
     src: "etc/httpd/conf.d/mantis.conf.j2"
@@ -47,3 +68,25 @@
     owner: root
     group: root
     mode: '0644'
+
+- name: Database import template
+  template:
+    src: "tmp/mantis_import.sql.j2"
+    dest: "/tmp/mantis_import.sql.j2"
+    owner: root
+    group: root
+    mode: '0600'
+
+# We will need to generate this
+# name: Import database if required
+# community.general.postgresql_db:
+#   name: "{{ mantis_db_name }}"
+#   target: /tmp/mantis_import.sql
+#   owner: "{{ mantis_db_user }}"
+#   state: restore
+#   login_host: "{{ mantis_db_host }}"
+#   login_user: "{{ mantis_db_user }}"
+#   login_password: "{{ mantis_db_pass }}"
+
+- name: Patch up some pages
+  import_tasks: mantispatch.yml

ansible/playbooks/tasks/mantispatch.yml

@@ -0,0 +1,25 @@
+---
+# Patch up various pieces of mantis to customize it. We do not rely on local
+# bug tracker accounts. We are doing regex instead of just replacing the
+# file as a whole. Should make it easier to deal with upgrades in theory.
+- name: Change signup_page.php to Account Services
+  replace:
+    path: "/var/www/mantisbt-{{ mantis_version }}/{{ item }}"
+    regexp: 'signup_page.php'
+    replace: 'https://accounts.rockylinux.org'
+  with_items:
+    - core/print_api.php
+    - lost_pwd_page.php
+    - login_page.php
+
+- name: Change special signup_page.php reference
+  replace:
+    path: "/var/www/mantisbt-{{ mantis_version }}/core/layout_api.php"
+    regexp: "' . helper_mantis_url( 'signup_page.php' ) . '"
+    replace: 'https://accounts.rockylinux.org'
+
+- name: Remove LDAP from checks for signup button
+  lineinfile:
+    path: "/var/www/mantisbt-{{ mantis_version }}/login_page.php"
+    state: absent
+    regex: 'LDAP != config_get_global'

ansible/playbooks/tasks/noggin.yml

@@ -0,0 +1,88 @@
+---
+- name: Ensure python is installed
+  yum:
+    name:
+      - python3
+      - python3-pip
+    state: present
+
+- name: Ensure noggin user exists
+  user:
+    name: noggin
+    comment: "Noggin FAS"
+
+- name: Create noggin directory
+  file:
+    path: /opt/noggin
+    state: directory
+    mode: '0700'
+    owner: noggin
+    group: noggin
+
+- name: Deploy noggin
+  git:
+    repo: https://github.com/fedora-infra/noggin.git
+    dest: /opt/noggin/noggin
+    update: true
+    version: main
+  become: true
+  become_user: noggin
+
+- name: Noggin user must install poetry
+  pip:
+    name: poetry
+    executable: pip3
+  become: true
+  become_user: noggin
+
+- name: Remove any pycache
+  file:
+    path: "/home/noggin/.cache/pypoetry"
+    state: absent
+
+- name: Noggin installation
+  command: "/home/noggin/.local/bin/poetry install --no-dev --extras deploy"
+  become: true
+  become_user: noggin
+  changed_when: "1 != 1"
+  args:
+    chdir: "/opt/noggin/noggin"
+
+- name: Get the noggin poetry virtualenv
+  shell:
+    cmd: "poetry env list | awk '{print $1}'"
+    chdir: "/opt/noggin/noggin"
+  become: true
+  become_user: noggin
+  changed_when: "1 != 1"
+  register: virtualenv_location
+
+- name: Deploy start up script
+  template:
+    src: "opt/noggin/start_noggin.sh.j2"
+    dest: "/opt/noggin/start_noggin.sh"
+    mode: '0750'
+    user: noggin
+    group: noggin
+
+- name: Deploy systemd unit
+  copy:
+    src: "etc/systemd/system/noggin.service"
+    dest: "/etc/systemd/system/noggin.service"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Deploy noggin configuration
+  template:
+    src: "opt/noggin/noggin.cfg.j2"
+    dest: "/opt/noggin/noggin.cfg"
+    owner: noggin
+    group: noggin
+    mode: '0600'
+
+# The only way to run it properly, at least on EL8, is we need this line
+- name: Add missing create_app call
+  lineinfile:
+    path: "/opt/noggin/noggin/noggin/app.py"
+    line: "app = create_app()"

ansible/playbooks/tasks/repository.yml

@@ -0,0 +1,2 @@
+---
+# no tasks yet

ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb

@@ -136,3 +136,6 @@ gitlab_rails['db_password'] = '{{ gitlab_external_db_password }}'
 {% if gitlab_trusted_proxies %}
 gitlab_rails['trusted_proxies'] = '{{ gitlab_trusted_proxies | map("to_json") | join(", ") }}'
 {% endif %}
+
+gitlab_rails['gravatar_enabled'] = true
+gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=retro"

ansible/playbooks/templates/opt/noggin/noggin.cfg

@@ -0,0 +1,23 @@
+TEMPLATES_AUTO_RELOAD = False
+FREEIPA_SERVERS = []
+FREEIPA_CACERT = '/etc/ipa/ca.crt'
+FREEIPA_ADMIN_USER = 'userman'
+FREEIPA_ADMIN_PASSWORD = '{{ rocky_ldap_userman_pw }}'
+THEME = "rocky"
+FERNET_SECRET = b'NOTASECRET='
+SECRET_KEY = b'NOTASECRET='
+SESSION_COOKIE_HTTPONLY = True
+SESSION_COOKIE_SECURE = True
+USER_DEFAULTS = {
+    "locale": "en-US",
+    "timezone": "UTC",
+    "status_note": "active",
+}
+REGISTRATION_OPEN = True
+ACTIVATION_TOKEN_EXPIRATION = 30
+PASSWORD_RESET_EXPIRATION = 10
+MAIL_DEFAULT_SENDER = "Account Services <identitymanagement@rockylinux.org>"
+MAIL_SUPPRESS_SEND = False
+AVATAR_SERVICE_URL = "https://seccdn.libravatar.org/"
+AVATAR_DEFAULT_TYPE = "retro"
+FEDORA_MESSAGING_ENABLED = False

ansible/playbooks/templates/opt/noggin/start_noggin.sh.j2

@@ -0,0 +1,14 @@
+#!/bin/bash
+export PATH=/home/noggin/.local/bin:/home/noggin/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
+export NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg
+export FLASK_DEBUG=1
+export FLASK_APP=/opt/noggin/noggin/noggin/app.py
+source /home/noggin/.cache/pypoetry/virtualenvs/{{ virtualenv_location.stdout }}/bin/activate
+cd /opt/noggin/noggin
+#/home/noggin/.local/bin/poetry run flask run -h 0.0.0.0
+# --certfile=/etc/pki/tls/certs/noggin.crt \
+# --keyfile=/etc/pki/tls/private/noggin.key \
+gunicorn -w 3 \
+ --env NOGGIN_CONFIG_PATH=/opt/noggin/noggin.cfg \
+ --bind tcp://0.0.0.0:5000 \
+ noggin.app:app

ansible/playbooks/templates/tmp/mantis_import.sql.j2

@@ -0,0 +1 @@
+# Empty

ansible/playbooks/templates/var/www/mantis/config/config_inc.php.j2

@@ -1,5 +1,5 @@
 <?php
-$g_hostname               = 'build-a-box.labs.angelsofclockwork.net';
+$g_hostname               = '{{ mantis_db_host }}';
 $g_db_type                = 'pgsql';
 $g_database_name          = '{{ mantis_db_name }}';
 $g_db_username            = '{{ mantis_db_user }}';
@@ -7,13 +7,14 @@ $g_db_password            = '{{ mantis_db_pass }}';
 
 $g_default_timezone       = 'UTC';
 
-$g_crypto_master_salt     = 'DDQF2sdgdPycpzfWNSOt4KelQlz7h0kb9HHxaUFpYXk=';
+$g_crypto_master_salt     = '{{ cryptosalt_string.stdout }}';
 
 # Added
 $g_login_method          = 'LDAP';
 $g_ldap_server           = '{{ rocky_ipaserver_lb }}';
+$g_ldap_port             = '389';
 $g_ldap_root_dn          = '{{ rocky_ldap_user_basedn }}';
-$g_ldap_organization     = '(objectClass=posixAccount)';
+#$g_ldap_organization     = '(objectClass=posixAccount)';
 $g_ldap_protocol_version = 3;
 $g_ldap_network_timeout  = 30;
 $g_ldap_follow_referrals = ON;
@@ -32,9 +33,14 @@ $g_allow_file_upload     = ON;
 $g_file_upload_method    = DATABASE; # or DISK
 $g_dropzone_enabled      = ON;
 $g_show_realname         = ON;
+$g_show_avatar           = ON;
 $g_allowed_files         = 'log,patch,txt';
-$g_disallowed_files      = 'exe,tar,tgz,tar.gz,pl,sh';
+$g_disallowed_files      = 'exe,pl,sh,py,c,cpp,rar,zip,rpm';
 $g_window_title          = 'Rocky Bugzilla';
-$g_allow_signup          = OFF;
+$g_allow_signup          = ON;
 $g_allow_anonymous_login = ON;
 $g_anonymous_account     = 'anonymous';
+$g_enable_email_notification = ON;
+
+# Cookie problems
+$g_allow_permanent_cookie = OFF;

ansible/playbooks/vars/common.yml

@@ -9,3 +9,5 @@ rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}"
 rocky_ipaserver_lb: "ipa-lb.rockylinux.org"
 # This will need to be vaulted
 rocky_ldap_bind_pw: "{{ ipa_binder_password }}"
+rocky_ldap_userman_dn: "uid=userman,cn=users,cn=accounts,dc=rockylinux,dc=org"
+rocky_ldap_userman_pw: "{{ ipa_userman_password }}"

ansible/playbooks/vars/mantis.yml

@@ -1,7 +1,7 @@
 ---
 # mantis vars
-mantis_version: 2.24.2
-mantis_checksum: "sha256:c1b483c8395a0fb1249bcc50ada203db584d819f4f6f606b1d1eec42c5205cb8"
+mantis_version: 2.25.0
+mantis_checksum: "sha256:d8973d3677ecb2ccbfee95e2267b3128049fbdcc59aa1f007686a342d93a4c0a"
 mantis_pkg:
   - php
   - php-ldap
@@ -11,8 +11,21 @@ mantis_pkg:
   - php-mbstring
   - php-curl
   - openldap
-mantis_db_name: mantis
+  - php-json
+mantis_db_host: db.rockylinux.org
+mantis_db_name: mantisdb
 mantis_db_user: mantis
-#mantis_db_pass: ThisIsNotThePassword!
-mantis_binder_user: "uid=mantis_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
-#mantis_binder_pass: ThisIsNotThePassword!
+mantis_binder_user: "{{ rocky_ldap_bind_dn }}"
+mantis_binder_pass: "{{ rocky_ldap_bind_pw }}"
+
+# Vault
+# mantis_db_pass: ThisIsNotThePassword!
+
+ipa_getcert_requested_hostnames:
+  - name: "{{ ansible_fqdn }}"
+    owner: apache
+    key_location: "/etc/pki/tls/private/bugs.rockylinux.org.key"
+    cert_location: "/etc/pki/tls/certs/bugs.rockylinux.org.crt"
+    postcmd: "/bin/systemctl reload httpd"
+    cnames:
+      - "bugs.rockylinux.org"

ansible/playbooks/vars/wikijs.yml

@@ -0,0 +1,109 @@
+---
+# wikijs vars
+firewall_rules:
+  - port: 443/tcp
+    permanent: true
+    state: enabled
+  - port: 9100/tcp
+    permanent: true
+    state: enabled
+
+tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
+tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+ipa_getcert_requested_hostnames:
+  - name: "{{ ansible_fqdn }}"
+    owner: nginx
+    key_location: "{{ tls_key }}"
+    cert_location: "{{ tls_cert }}"
+    postcmd: "/bin/systemctl reload nginx"
+
+wikijs_dbtype: postgres
+wikijs_db:
+  host: "db.rockylinux.org"
+  port: 5432
+  user: wikijs
+  password: " {{ _wikijs_db_rw_pass }} "
+  dbname: wikijs_db
+  ssl: true
+
+
+####################
+### NGINX CONFIG ###
+####################
+
+
+# no demo config/template
+nginx_config_html_demo_template_enable: false
+
+nginx_config_selinux: true
+nginx_config_selinux_enforcing: true
+
+nginx_config_start: true
+
+nginx_config_debug_output: true
+nginx_config_debug_tasks: true
+
+# nginx_config_cleanup: true
+
+nginx_config_http_template_enable: true
+nginx_config_main_template_enable: true
+
+nginx_config_http_template:
+  default:
+    template_file: http/default.conf.j2
+    conf_file_name: default.conf
+    conf_file_location: /etc/nginx/conf.d/
+    servers:
+      redirect_https:
+        listen:
+          v6:
+            ip: '[::]'  # Wrap in square brackets for IPv6 addresses
+            port: 80
+            opts: ['default_server']
+          v4:
+            ip: ''  # Wrap in square brackets for IPv6 addresses
+            port: 80
+            opts: ['default_server']
+        server_name: "{{ ansible_fqdn }}"
+        error_page: /usr/share/nginx/html
+        access_log:
+          - name: main
+            location: /var/log/nginx/access.log
+        error_log:
+          location: /var/log/nginx/error.log
+          level: warn
+        root: "{{ wikijs_dir }}"
+        https_redirect: $host
+      wikijs_server:
+        listen:
+          v6:
+            ip: '[::]'  # Wrap in square brackets for IPv6 addresses
+            port: 443
+            ssl: true
+            opts: ['http2', 'default_server']
+          v4:
+            ip: ''  # Wrap in square brackets for IPv6 addresses
+            port: 443
+            ssl: true
+            opts: ['http2', 'default_server']
+        ssl:
+          cert: "{{ tls_cert }}"
+          key: "{{ tls_key }}"
+        server_name: "{{ ansible_fqdn }}"
+        error_page: /usr/share/nginx/html
+        access_log:
+          - name: main
+            location: /var/log/nginx/access.log
+        error_log:
+          location: /var/log/nginx/error.log
+          level: warn
+        root: "{{ wikijs_dir }}"
+        web_server:
+          locations:
+            default:
+              location: /
+              custom_options:
+                - "proxy_pass http://localhost:3000/;"
+          http_demo_conf: false

ansible/roles/requirements.yml

@@ -3,7 +3,7 @@
 roles:
   - name: geerlingguy.mysql
   # monitoring
-  - name: cloudalchemy.node-exporter
+  - name: cloudalchemy.node_exporter
   - name: cloudalchemy.prometheus
   - name: cloudalchemy.alertmanager
   - name: cloudalchemy.grafana
@@ -30,6 +30,11 @@ roles:
   - name: rockylinux.matterbridge
     src: https://github.com/NeilHanlon/ansible-role-matterbridge
     version: master
+  - name: rockylinux.wikijs
+    src: https://git.rockylinux.org/infrastructure/public/ansible/ansible-role-wikijs.git
+    scm: git
+    version: develop
+  - name: riemers.gitlab-runner
 
 collections:
   # freeipa
@@ -43,6 +48,8 @@ collections:
   - name: netbox.netbox
   - name: community.aws
   - name: containers.podman
+  - name: nginxinc.nginx_core
+    version: 0.3.0
 # - name: rockylinux.taiga
 #   source: https://github.com/rocky-linux/taiga-ansible.git
 #   type: git