chore: remove old inventory for now and add vagrant

old inventory was never in use. Vagrant for local development

Vagrantfile

@@ -0,0 +1,73 @@
+Vagrant.configure("2") do |config|
+  # Disable default synced folder
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+
+  # DMZ - Traefik Reverse Proxy
+  config.vm.define "dmz" do |dmz|
+    dmz.vm.box = "debian/bookworm64"
+    dmz.vm.hostname = "dmz"
+    dmz.vm.network "private_network", ip: "192.168.56.10"
+    dmz.vm.network "forwarded_port", guest: 80, host: 8080
+    dmz.vm.network "forwarded_port", guest: 443, host: 8443
+
+    # Libvirt provider - much better performance than virtualbox
+    dmz.vm.provider "libvirt" do |lv|
+      lv.memory = 2048
+      lv.cpus = 2
+    end
+
+    # Provision dependencies
+    dmz.vm.provision "shell", inline: <<-SHELL
+      # Update system
+      apt-get update
+      apt-get install -y sudo python3 ca-certificates curl gnupg
+    SHELL
+  end
+
+  # Backend - Container Host
+  config.vm.define "backend" do |backend|
+    backend.vm.box = "debian/bookworm64"
+    backend.vm.hostname = "backend"
+    backend.vm.network "private_network", ip: "192.168.56.11"
+
+    # Libvirt provider - much better performance than virtualbox
+    backend.vm.provider "libvirt" do |lv|
+      lv.memory = 2048
+      lv.cpus = 2
+    end
+
+    # Provision dependencies
+    backend.vm.provision "shell", inline: <<-SHELL
+      # Update system
+      apt-get update
+      apt-get install -y sudo python3 ca-certificates curl gnupg
+    SHELL
+  end
+
+  # Backend2 - Second smaller Container Host for testing
+  config.vm.define "backend2" do |backend2|
+    backend2.vm.box = "debian/bookworm64"
+    backend2.vm.hostname = "backend2"
+    backend2.vm.network "private_network", ip: "192.168.56.12"
+
+    backend2.vm.provider "libvirt" do |lv|
+      lv.memory = 1024
+      lv.cpus = 1
+    end
+
+    # Provision dependencies
+    backend2.vm.provision "shell", inline: <<-SHELL
+      # Update system
+      apt-get update
+      apt-get install -y sudo python3 ca-certificates curl gnupg
+    SHELL
+
+    # Provision all VMs with Ansible after the last VM is up
+    backend2.vm.provision "ansible" do |ansible|
+      ansible.limit = "all"
+      ansible.playbook = "playbooks/site.yml"
+      ansible.inventory_path = "inventories/vagrant"
+      ansible.verbose = "v"
+    end
+  end
+end

ansible.cfg

@@ -1,3 +1,3 @@
 [defaults]
-collections_paths = ./collections
+collections_path = ./collections:~/.ansible/collections:/usr/share/ansible/collections
 remote_user = root

inventories/prod/group_vars/all_servers.yml

@@ -1,2 +0,0 @@
-docker_compose_base_dir: /srv/test-compose/
-docker_volume_base_dir: /srv/test-volume/

inventories/prod/group_vars/reverseproxy_servers_dmz.yml

@@ -1,6 +0,0 @@
----
-# DMZ reverse proxy - no local services, only proxies to backend services
-services: []
-
-use_static_services: true
-use_docker_provider: false

inventories/prod/hosts.ini

@@ -1,23 +0,0 @@
-[all_servers]
-172.16.9.88
-172.16.17.72
-172.16.17.73
-
-[reverseproxy_servers_dmz]
-172.16.9.88 ansible_port=2222
-
-[forgejo_servers]
-172.16.17.72
-
-[nextcloud_servers]
-172.16.17.73
-
-[reverseproxy_servers]
-172.16.17.72
-172.16.17.73
-
-[forgejo_runners]
-172.16.17.198
-
-[minio_storage]
-172.16.17.149

inventories/vagrant/group_vars/all.yml

@@ -0,0 +1,3 @@
+---
+# Variables for all hosts
+ansible_python_interpreter: /usr/bin/python3

inventories/vagrant/group_vars/traefik_servers_backend.yml

@@ -0,0 +1,10 @@
+---
+# Configuration for backend reverse proxy servers
+# These use Docker provider for local service discovery
+
+traefik_mode: backend
+use_ssl: true
+cert_mode: "selfsigned"
+enable_dashboard: true
+log_level: DEBUG
+traefik_network: proxy

inventories/vagrant/group_vars/traefik_servers_dmz.yml

@@ -0,0 +1,24 @@
+---
+# Configuration for DMZ reverse proxy servers
+# These are public-facing proxies that route traffic to backend servers
+
+traefik_mode: dmz
+use_ssl: true
+cert_mode: "selfsigned"  # Use 'acme' for production
+enable_dashboard: true
+log_level: DEBUG
+traefik_network: proxy
+
+# Backend servers to proxy (if empty, proxies to all backend_servers)
+# This allows multiple DMZ proxies to handle different backend servers
+# backend_servers_to_proxy:
+#   - backend1
+#   - backend2
+
+# ACME configuration (uncomment for production with cert_mode: acme)
+# ssl_email: "admin@example.com"
+# ssl_cert_resolver: "dns"
+# acme_dns_zone: "digitalboard._acme.digitalboard.ch."
+# acme_dns_nameserver: "192.168.1.1:53"
+# acme_tsig_key: "your-tsig-key-name"
+# acme_tsig_secret: "your-tsig-secret"

inventories/vagrant/host_vars/backend/keycloak.yml

@@ -0,0 +1 @@
+keycloak_admin_password: admin

inventories/vagrant/host_vars/backend/main.yml

@@ -0,0 +1,3 @@
+---
+# Backend server configuration
+# This server hosts application services that are exposed via the DMZ reverse proxy

inventories/vagrant/host_vars/backend/traefik.yml

@@ -0,0 +1,21 @@
+# Services to be exposed through the DMZ reverse proxy
+traefik_services:
+  - name: httpbin
+    domain: httpbin.local.test
+    port: 443
+    protocol: https
+  - name: keycloak
+    domain: keycloak.local.test
+    port: 443
+    protocol: https
+
+  # Example: Add more services as you deploy them
+  # - name: forgejo
+  #   domain: git.example.com
+  #   port: 3000
+  #   protocol: http
+
+  # - name: nextcloud
+  #   domain: cloud.example.com
+  #   port: 80
+  #   protocol: http

inventories/vagrant/host_vars/backend2/httbin.yml

@@ -0,0 +1,2 @@
+# Httpbin service configuration (overrides for this host)
+httpbin_domain: "httpbin-srv2.local.test"

inventories/vagrant/host_vars/backend2/main.yml

@@ -0,0 +1,3 @@
+---
+# Backend2 server configuration
+# This is a minimal test server for testing multi-backend routing

inventories/vagrant/host_vars/backend2/traefik.yml

@@ -0,0 +1,6 @@
+# Services to be exposed through the DMZ reverse proxy
+traefik_services:
+  - name: httpbin-srv2
+    domain: "{{ httpbin_domain }}"
+    port: 443
+    protocol: https

inventories/vagrant/host_vars/dmz/main.yml

@@ -0,0 +1,4 @@
+---
+# Host-specific variables for dmz
+# Example:
+# custom_var: value

inventories/vagrant/hosts.ini

@@ -0,0 +1,36 @@
+# This file defines the group structure for vagrant VMs
+# Fixed IPs are defined in the Vagrantfile
+# Additional host-specific variables should go in host_vars/
+# Group-specific variables should go in group_vars/
+
+[all_servers]
+dmz ansible_host=192.168.56.10 ansible_ssh_private_key_file=.vagrant/machines/dmz/libvirt/private_key ansible_user=vagrant
+backend ansible_host=192.168.56.11 ansible_ssh_private_key_file=.vagrant/machines/backend/libvirt/private_key ansible_user=vagrant
+backend2 ansible_host=192.168.56.12 ansible_ssh_private_key_file=.vagrant/machines/backend2/libvirt/private_key ansible_user=vagrant
+
+# Backend servers that host application services
+[backend_servers]
+backend
+backend2
+
+# Reverse proxy servers in DMZ (public-facing, file provider mode)
+[traefik_servers_dmz]
+dmz
+
+# Reverse proxy servers on backend (docker provider mode)
+[traefik_servers_backend]
+backend
+backend2
+
+# All reverse proxy servers
+[traefik_servers:children]
+traefik_servers_dmz
+traefik_servers_backend
+
+# Application servers
+[httpbin_servers]
+backend
+backend2
+
+[keycloak_servers]
+backend

playbooks/site.yml

@@ -5,26 +5,26 @@
   roles:
     - digitalboard.core.base
 
-- name: Configure reverse proxy on servers
+- name: Configure reverse proxy on application servers
-  hosts: reverseproxy_servers
+  hosts: traefik_servers_backend
   become: yes
   roles:
-    - digitalboard.core.reverseproxy
+    - digitalboard.core.traefik
 
-- name: Configure Forgejo servers
+- name: Deploy httpbin service
-  hosts: forgejo_servers
+  hosts: httpbin_servers
   become: yes
   roles:
-    - digitalboard.core.reverseproxy
+    - digitalboard.core.httpbin
 
-- name: Configure Nextcloud servers
+- name: Deploy keycloak service
-  hosts: nextcloud_servers
+  hosts: keycloak_servers
   become: yes
   roles:
-    - digitalboard.core.reverseproxy
+    - digitalboard.core.keycloak
 
 - name: Configure reverse proxy on DMZ servers
-  hosts: reverseproxy_servers_dmz
+  hosts: traefik_servers_dmz
   become: yes
   roles:
-    - digitalboard.core.reverseproxy
+    - digitalboard.core.traefik