From 3dfacd0822a313276dc5efd8433d19522056e341 Mon Sep 17 00:00:00 2001
From: dimti <demidov@dimti.ru>
Date: Mon, 10 Feb 2025 23:35:41 +0300
Subject: [PATCH] + refactored and solve some problems with mariadb and nginx
 playbook + apps playbooks - docker, caprover * simple refactore starter
 scripts + apt update debops playboook prepend launch by default * sury repo
 changed * database users locked to localhost only * phpmyadmin blowfish
 generate secret fix

---
 playbooks/apache-site.yml                          |  2 +-
 playbooks/apps/caprover.yml                        | 17 +++++++++++
 playbooks/apps/docker-debian.yml                   | 33 ++++++++++++++++++++
 playbooks/apps/docker-ubuntu.yml                   | 29 ++++++++++++++++++
 playbooks/debops/apt.yml                           | 22 ++++++++++++++
 playbooks/debops/mariadb-custom-db.yml             |  2 ++
 playbooks/debops/mariadb.yml                       |  2 ++
 playbooks/debops/mariadb_server.yml                | 17 ++++++++++-
 playbooks/debops/nginx.yml                         | 23 +++++++-------
 playbooks/debops/php-prod.yml                      |  8 ++---
 playbooks/debops/php-wp.yml                        | 10 +++----
 playbooks/debops/root_account.yml                  | 10 ++-----
 playbooks/nginx-only.yml                           |  1 +
 ...-db-site.yml => nginx-site-without-db-site.yml} |  1 +
 playbooks/nginx-site.yml                           |  3 ++
 playbooks/own/libgd3-fix-for-php8.yml              |  8 +++--
 playbooks/own/phpmyadmin-nginx-auth.yml            |  2 +-
 playbooks/own/phpmyadmin.yml                       | 15 +++++++++-
 playbooks/own/yadm-update.yml                      |  9 ++++++
 playbooks/own/yadm.yml                             | 34 +++++++++++++--------
 playbooks/root-account.yml                         |  1 +
 run-lxc-playbook.sh                                |  2 +-
 run-playbook.sh                                    | 35 ++++++++++++++--------
 run-site-playbook.sh                               |  2 +-
 vars/databases-example.yml                         |  4 ++-
 25 files changed, 228 insertions(+), 64 deletions(-)
 create mode 100644 playbooks/apps/caprover.yml
 create mode 100644 playbooks/apps/docker-debian.yml
 create mode 100644 playbooks/apps/docker-ubuntu.yml
 create mode 100644 playbooks/debops/apt.yml
 rename playbooks/{nginx-without-db-site.yml => nginx-site-without-db-site.yml} (93%)
 create mode 100644 playbooks/own/yadm-update.yml

diff --git a/playbooks/apache-site.yml b/playbooks/apache-site.yml
index 4ec6168..78f9c1d 100644
--- a/playbooks/apache-site.yml
+++ b/playbooks/apache-site.yml
@@ -1,5 +1,5 @@
 ---
-- import_playbook: own/apt-update.yml
+- import_playbook: debops/apt.yml
 - import_playbook: root-account.yml
 - import_playbook: debops/pki.yml
 - import_playbook: debops/system_users.yml
diff --git a/playbooks/apps/caprover.yml b/playbooks/apps/caprover.yml
new file mode 100644
index 0000000..7f358f0
--- /dev/null
+++ b/playbooks/apps/caprover.yml
@@ -0,0 +1,17 @@
+---
+-   hosts: [ 'debian10' ]
+    tasks:
+        -   name: Configure Firewall
+            shell: |
+                ufw allow 80,443,3000,996,7946,4789,2377/tcp; ufw allow 7946,4789,2377/udp;
+
+        -   name: Install caprover
+            shell: |
+                docker run -p 80:80 -p 443:443 -p 3000:3000 -e ACCEPTED_TERMS=true -v /var/run/docker.sock:/var/run/docker.sock -v /captain:/captain caprover/caprover
+
+        -   name: "Install npm caprover package (after that use: caprover serversetup)"
+            shell: |
+                export NVM_DIR="$HOME/.nvm"
+                . "$NVM_DIR/nvm.sh"
+                . "$NVM_DIR/bash_completion"
+                npm install -g caprover
diff --git a/playbooks/apps/docker-debian.yml b/playbooks/apps/docker-debian.yml
new file mode 100644
index 0000000..de65fc9
--- /dev/null
+++ b/playbooks/apps/docker-debian.yml
@@ -0,0 +1,33 @@
+---
+-   hosts: [ 'debian10' ]
+    tasks:
+        -   name: Remove old packages
+            shell: |
+                for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do apt-get remove $pkg; done
+                apt-get autoremove
+
+        -   name: Add APT repository
+            shell: |
+                # Add Docker's official GPG key:
+                apt-get update
+                apt-get install ca-certificates curl
+                install -m 0755 -d /etc/apt/keyrings
+                curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+                chmod a+r /etc/apt/keyrings/docker.asc
+                
+                # Add the repository to Apt sources:
+                echo \
+                    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+                    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+                    tee /etc/apt/sources.list.d/docker.list > /dev/null
+                
+                apt-get update
+
+        -   name: Install Docker
+            shell: |
+                apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+        -   name: Test hello-world
+            shell: |
+                docker run hello-world
+
diff --git a/playbooks/apps/docker-ubuntu.yml b/playbooks/apps/docker-ubuntu.yml
new file mode 100644
index 0000000..c54a04b
--- /dev/null
+++ b/playbooks/apps/docker-ubuntu.yml
@@ -0,0 +1,29 @@
+---
+-   hosts: [ 'debian10' ]
+    tasks:
+        -   name: Remove old packages
+            shell: |
+                for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do apt-get remove $pkg; done
+                apt-get autoremove
+
+        -   name: Add APT repository
+            shell: |
+                apt-get update
+                apt-get install ca-certificates curl
+                install -m 0755 -d /etc/apt/keyrings
+                curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+                chmod a+r /etc/apt/keyrings/docker.asc
+                echo \
+                    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+                    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+                    tee /etc/apt/sources.list.d/docker.list > /dev/null
+                apt-get update
+
+        -   name: Install Docker
+            shell: |
+                apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+        -   name: Test hello-world
+            shell: |
+                docker run hello-world
+
diff --git a/playbooks/debops/apt.yml b/playbooks/debops/apt.yml
new file mode 100644
index 0000000..f8586a1
--- /dev/null
+++ b/playbooks/debops/apt.yml
@@ -0,0 +1,22 @@
+---
+
+- name: Manage Advanced Package Manager
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  post_tasks:
+
+    - name: Upgrade
+      ansible.builtin.apt:
+        upgrade: True
+
+  roles:
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]
diff --git a/playbooks/debops/mariadb-custom-db.yml b/playbooks/debops/mariadb-custom-db.yml
index 465e6b9..de3f8ca 100644
--- a/playbooks/debops/mariadb-custom-db.yml
+++ b/playbooks/debops/mariadb-custom-db.yml
@@ -1,5 +1,7 @@
 ---
 
+# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults/main.html
+
 - name: Manage MariaDB client
   collections: [ 'debops.debops', 'debops.roles01',
                  'debops.roles02', 'debops.roles03' ]
diff --git a/playbooks/debops/mariadb.yml b/playbooks/debops/mariadb.yml
index 192ed3c..76c1545 100644
--- a/playbooks/debops/mariadb.yml
+++ b/playbooks/debops/mariadb.yml
@@ -1,5 +1,7 @@
 ---
 
+# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults/main.html
+
 - name: Manage MariaDB client
   collections: [ 'debops.debops', 'debops.roles01',
                  'debops.roles02', 'debops.roles03' ]
diff --git a/playbooks/debops/mariadb_server.yml b/playbooks/debops/mariadb_server.yml
index 6f72209..57d756d 100644
--- a/playbooks/debops/mariadb_server.yml
+++ b/playbooks/debops/mariadb_server.yml
@@ -1,5 +1,7 @@
 ---
 
+# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb_server/defaults/main.html
+
 - name: Manage MariaDB server
   collections: [ 'debops.debops', 'debops.roles01',
                  'debops.roles02', 'debops.roles03' ]
@@ -14,7 +16,20 @@
     mariadb_server__flavor: '{{ ansible_local.mariadb.flavor
                                 |d(mariadb_server__flavor_map[ansible_distribution_release] | d("mariadb_upstream")) }}'
     mariadb_server__upstream_version: '11.2'
-    mariadb_server__bind_address: '0.0.0.0'
+    mariadb_server__bind_address: '127.0.0.1'
+    mariadb_server__mysqld_performance_options:
+      'innodb_buffer_pool_instances': '{{ ansible_processor_vcpus | d(1) }}'
+      'innodb_buffer_pool_size': '{{ (ansible_memtotal_mb / 2) | int }}M'
+      'innodb_log_file_size': '{{ (ansible_memtotal_mb / 2) / 4 | int }}M'
+      'query_cache_type': '1'
+      'query_cache_size': '1M'
+      'query_cache_limit': '10M'
+      'join_buffer_size': '1M'
+      'performance_schema': 'ON'
+      'skip-name-resolve': 'ON'
+#    mariadb_server__options:
+#      'query_cache_size': '1M'
+
 
   roles:
     - role: keyring
diff --git a/playbooks/debops/nginx.yml b/playbooks/debops/nginx.yml
index da8568c..05af210 100644
--- a/playbooks/debops/nginx.yml
+++ b/playbooks/debops/nginx.yml
@@ -1,5 +1,7 @@
 ---
 
+# https://docs.debops.org/en/stable-3.2/ansible/roles/nginx/defaults/main.html
+
 - name: Manage nginx webserver
   collections: [ 'debops.debops', 'debops.roles01',
                  'debops.roles02', 'debops.roles03' ]
@@ -25,41 +27,38 @@
     nginx_ocsp: False
     nginx_worker_processes: auto
     nginx_manage_ipv6only: False
+    nginx_default_name: 'welcome'
+    nginx_default_ssl_name: 'welcome'
     # TODO: Replace [::]:443 to 443 and [::]:80 to 80 in site nginx config
+    nginx_server_localhost:
+      enabled: False
+    nginx_listen_port: [ '80' ]
+    nginx_listen_ssl_port: [ '443' ]
     nginx__servers:
       - name: '{{ domain_name }}'
-
         type: php
-
         root: '/var/www/{{ site_name }}'
-
         public_dir_name: ''
-
         include_files_begin: '{{ nginx_includes_begin }}'
-
         options: 'set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-www-data.sock;'
-
         location_list:
           - pattern: '/'
             locations:
               - pattern: '~ ^/.*-backend/'
                 options: |
-                  try_files /index.html @october
-                  set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-backend.sock
-                  client_max_body_size 1000M
+                  try_files /index.html @october;
+                  set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-backend.sock;
+                  client_max_body_size 1000M;
             options: try_files /index.html @october;
           - pattern: '@october'
             options: rewrite ^/.*$ /index.php last;
           - pattern: '~* ^(?!/index).*\.php$'
             options: return 403;
-
         php_options: |
           fastcgi_read_timeout 3000;
         php_upstream: $upstream
-
         #location ~ ^(?!.+\.php/)(?<script_name>.+\.php)$ {
         php_location_script_name: ~ ^(?<script_name>/index\.php)
-
         #location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
         php_location_path_info: ~ ^(?<script_name>/index\.php)(?<path_info>/.*)?
 
diff --git a/playbooks/debops/php-prod.yml b/playbooks/debops/php-prod.yml
index 83c2f1c..7fbaf45 100644
--- a/playbooks/debops/php-prod.yml
+++ b/playbooks/debops/php-prod.yml
@@ -12,12 +12,10 @@
 
 
   vars:
-    php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
-    php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
     php__sury_apt_key_id_map:
       'Debian':
         - id: '1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743'
-          repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+          repo: 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
           state: '{{ "present" if php__sury|bool else "absent" }}'
 
         # Key replaced due to security concerns
@@ -25,8 +23,10 @@
         - id: 'DF3D 585D B8F0 EB65 8690  A554 AC0E 4758 4A7A 714D'
           state: 'absent'
     php__sury_apt_repo_map:
-      'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+      'Debian': 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
       'Ubuntu': 'ppa:ondrej/php'
+    php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
+    php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
     php__base_packages:
       - unzip
       - git
diff --git a/playbooks/debops/php-wp.yml b/playbooks/debops/php-wp.yml
index 7f9dd40..80a6213 100644
--- a/playbooks/debops/php-wp.yml
+++ b/playbooks/debops/php-wp.yml
@@ -14,14 +14,10 @@
     - ./../../vars/php.yml
 
   vars:
-    php__sury: '{{ ansible_local.php.sury
-                   |d(ansible_distribution_release in [ "buster" ]) | bool }}'
-    php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
-    php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
     php__sury_apt_key_id_map:
       'Debian':
         - id: '1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743'
-          repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+          repo: 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
           state: '{{ "present" if php__sury|bool else "absent" }}'
 
         # Key replaced due to security concerns
@@ -29,8 +25,10 @@
         - id: 'DF3D 585D B8F0 EB65 8690  A554 AC0E 4758 4A7A 714D'
           state: 'absent'
     php__sury_apt_repo_map:
-      'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+      'Debian': 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
       'Ubuntu': 'ppa:ondrej/php'
+    php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
+    php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
     php__base_packages:
       - unzip
       - git
diff --git a/playbooks/debops/root_account.yml b/playbooks/debops/root_account.yml
index 6640e4d..760392c 100644
--- a/playbooks/debops/root_account.yml
+++ b/playbooks/debops/root_account.yml
@@ -13,14 +13,8 @@
   vars:
     root_account__enabled: True
     root_account__password: False
-#    root_account__dotfiles_enabled: True
-#    root_account__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
-
-  post_tasks:
-    - name: Tmux Plugins Manager
-      # Вообще это конструкция не нужна, так как tmux и сам все прекрасно умеет устанавливать, только если бы у него в этот момент была программа git
-      # Хотя нет, блин, нихрена он не умеет. Последнюю команду он почему не запускает: ~/.tmux/plugins/tpm/bin/install_plugins
-      shell: test -d ~/.tmux/plugins/tpm || git clone https://github.com/tmux-plugins/tpm ~/.tmux/plugins/tpm && ~/.tmux/plugins/tpm/bin/install_plugins
+    root_account__dotfiles_enabled: True
+    root_account__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
 
   roles:
     - role: root_account
diff --git a/playbooks/nginx-only.yml b/playbooks/nginx-only.yml
index 7da7b91..372c6be 100644
--- a/playbooks/nginx-only.yml
+++ b/playbooks/nginx-only.yml
@@ -1,5 +1,6 @@
 ---
 - import_playbook: own/allow-releaseinfo-change.yml
+- import_playbook: debops/apt.yml
 - import_playbook: root-account.yml
 - import_playbook: debops/pki.yml
 - import_playbook: debops/system_users.yml
diff --git a/playbooks/nginx-without-db-site.yml b/playbooks/nginx-site-without-db-site.yml
similarity index 93%
rename from playbooks/nginx-without-db-site.yml
rename to playbooks/nginx-site-without-db-site.yml
index 2b231dc..4095956 100644
--- a/playbooks/nginx-without-db-site.yml
+++ b/playbooks/nginx-site-without-db-site.yml
@@ -1,4 +1,5 @@
 ---
+- import_playbook: debops/apt.yml
 - import_playbook: root-account.yml
 - import_playbook: debops/pki.yml
 - import_playbook: debops/system_users.yml
diff --git a/playbooks/nginx-site.yml b/playbooks/nginx-site.yml
index 2f11391..82a5452 100644
--- a/playbooks/nginx-site.yml
+++ b/playbooks/nginx-site.yml
@@ -1,4 +1,6 @@
 ---
+# https://docs.debops.org/en/stable-3.2/ansible/roles/apt/getting-started.html#example-playbook
+- import_playbook: debops/apt.yml
 - import_playbook: root-account.yml
 - import_playbook: debops/pki.yml
 - import_playbook: debops/system_users.yml
@@ -6,6 +8,7 @@
 - import_playbook: debops/mariadb-custom-db.yml
 - import_playbook: debops/php-prod.yml
 - import_playbook: own/libgd3-fix-for-php8.yml
+  when: php_version is defined and php_version != '7.4'
 - import_playbook: debops/nginx.yml
 - import_playbook: debops/redis.yml
 - import_playbook: own/var-www-set-ownerships.yml
diff --git a/playbooks/own/libgd3-fix-for-php8.yml b/playbooks/own/libgd3-fix-for-php8.yml
index 3619a9f..25f6649 100644
--- a/playbooks/own/libgd3-fix-for-php8.yml
+++ b/playbooks/own/libgd3-fix-for-php8.yml
@@ -1,16 +1,18 @@
 ---
 - name: Solve problem with libgd3 for php-gd
   hosts: [ 'debian10' ]
-  when: (php_version != '7.4')
   vars_files:
     - ./../../vars/php.yml
   tasks:
-    - copy:
+    - name: Set pin for libgd3 package
+      copy:
         dest: '/etc/apt/preferences.d/libgd-pin100'
         content: |-
           Package: libgd3
           Pin-Priority: 100
-    - shell: |-
+
+    - name: Update apt cache policy and install libgd
+      shell: |-
         apt update
         apt install -t bullseye libgd3 -yy
         apt-cache policy libgd3
diff --git a/playbooks/own/phpmyadmin-nginx-auth.yml b/playbooks/own/phpmyadmin-nginx-auth.yml
index 6e48f56..095715d 100644
--- a/playbooks/own/phpmyadmin-nginx-auth.yml
+++ b/playbooks/own/phpmyadmin-nginx-auth.yml
@@ -22,7 +22,7 @@
         content: |-
           server {
               listen 80;
-              listen 443;
+              listen 443 ssl;
               ssl_certificate           /etc/pki/realms/domain/default.crt;
               ssl_certificate_key       /etc/pki/realms/domain/default.key;
               server_name pma.{{ domain_name }};
diff --git a/playbooks/own/phpmyadmin.yml b/playbooks/own/phpmyadmin.yml
index cadc8a2..ffddf48 100644
--- a/playbooks/own/phpmyadmin.yml
+++ b/playbooks/own/phpmyadmin.yml
@@ -9,6 +9,7 @@
 
   vars:
     - phpmyadmin_version: 5.2.1
+      # https://docs.ansible.com/ansible/latest/collections/community/general/random_string_lookup.html#keyword-parameters
     - blowfish_secret: "{{ lookup('community.general.random_string', length=32) }}"
 
   tasks:
@@ -24,5 +25,17 @@
         mv phpMyAdmin-{{ phpmyadmin_version }}-all-languages phpmyadmin
         cd phpmyadmin
         cp config.sample.inc.php config.inc.php
-        sed -i "s|'blowfish_secret'] = ''|'blowfish_secret'] = '{{ blowfish_secret }}'|g" config.inc.php
         mkdir tmp && sudo chown :33 tmp && chmod g+w tmp
+
+    - name: 'Set cookie blowfish secret'
+      # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/replace_module.html
+      replace:
+        path: /var/www/phpmyadmin/config.inc.php
+        regexp: "'blowfish_secret'] = ''"
+        replace: "'blowfish_secret'] = '{{ blowfish_secret | replace('\'', '\\\'') }}'\n\n$cfg['CookieSameSite'] = 'Lax';\n"
+
+    - name: 'Set MaxTableList'
+      replace:
+        path: /var/www/phpmyadmin/config.inc.php
+        regexp: "^//$cfg['MaxRows'](.*)"
+        replace: "//$cfg['MaxRows']\1\n\n$cfg['MaxTableList'] = 500;\n"
diff --git a/playbooks/own/yadm-update.yml b/playbooks/own/yadm-update.yml
new file mode 100644
index 0000000..b74bb85
--- /dev/null
+++ b/playbooks/own/yadm-update.yml
@@ -0,0 +1,9 @@
+---
+- hosts: ['debian10']
+  tasks:
+      - name: Update existing YADM install with remote ip-address plugin and replace own
+        shell: |
+            yadm remote set-url origin https://vcs.wpstudio.ru/gitea/dotfiles.git
+            rm -rf .tmux/plugins/tmux-ip-address
+            yadm pull
+            yadm checkout .
diff --git a/playbooks/own/yadm.yml b/playbooks/own/yadm.yml
index 6861d6b..d3564e1 100644
--- a/playbooks/own/yadm.yml
+++ b/playbooks/own/yadm.yml
@@ -1,30 +1,40 @@
 ---
 - hosts: [ 'debian10' ]
   tasks:
-    - name: Install yadm
-      become_user: root
-      shell: |
-        command -v yadm || curl -sfLo /usr/local/bin/yadm https://github.com/TheLocehiliosan/yadm/raw/master/yadm && chmod a+x /usr/local/bin/yadm
-
     - name: Install direnv
       become_user: root
       shell: |
-        command -v direnv || curl -sfLo /usr/local/bin/direnv https://github.com/direnv/direnv/releases/download/v2.35.0/direnv.linux-amd64 && chmod a+x /usr/local/bin/direnv
+        command -v direnv > /dev/null || {
+          curl -sfLo /usr/local/bin/direnv https://github.com/direnv/direnv/releases/download/v2.35.0/direnv.linux-amd64 && \
+          chmod a+x /usr/local/bin/direnv
+        }
 
     - name: Install Starship
       become_user: root
       shell: |
-        command -v starship || curl -sS https://starship.rs/install.sh | sh -s -- -f
+        command -v starship> /dev/null || {
+          curl -sS https://starship.rs/install.sh | sh -s -- -f
+        }
 
-    - name: Clone dotfiles repo
+    - name: Install with init or update yadm
+      become_user: root
       shell: |
-        yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout ./
+        command -v yadm && {
+          yadm remote set-url origin https://vcs.wpstudio.ru/gitea/dotfiles.git
+          rm -rf .tmux/plugins/tmux-ip-address
+          yadm pull && yadm checkout .
+        } || {
+          curl -sfLo /usr/local/bin/yadm https://github.com/TheLocehiliosan/yadm/raw/master/yadm && chmod a+x /usr/local/bin/yadm
+          yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout .
+        }
 
       # For manual change: sed -i 's/#/\\$/g' ${HOME}/.config/starship.toml
     - name: 'Change character for non-root user'
-      become: false
       become_user: root
       shell: |
-          sed -i 's/#/\\$/g' ${HOME}/.config/starship.toml
+        HOME_USER=$(ls /home)
+        test ! -z "${HOME_USER}" && su --login ${HOME_USER} -c 'yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout .'
+        test ! -z "${HOME_USER}" && su --login ${HOME_USER} -c 'sed -i "s/#/\\$/g" ${HOME}/.config/starship.toml'
+        exit 0
       args:
-          executable: /bin/bash
+        executable: /bin/bash
diff --git a/playbooks/root-account.yml b/playbooks/root-account.yml
index e7ebf91..7c07432 100644
--- a/playbooks/root-account.yml
+++ b/playbooks/root-account.yml
@@ -1,5 +1,6 @@
 ---
 - import_playbook: own/locales.yml
+- import_playbook: debops/apt.yml
 - import_playbook: debops/tzdata.yml
 #- import_playbook: own/allow-releaseinfo-change.yml# Need only for debian10
 - import_playbook: debops/yadm.yml
diff --git a/run-lxc-playbook.sh b/run-lxc-playbook.sh
index b43cfb9..ee41679 100755
--- a/run-lxc-playbook.sh
+++ b/run-lxc-playbook.sh
@@ -50,7 +50,7 @@ if [[ -z "$force" ]]; then
   printf 'Launch ansible playbook:\n%s\n' "$COMMAND"
   read -p "Are you sure?  " -n 1 -r
   echo    # (optional) move to a new line
-  if [[ $REPLY =~ ^[Yy]$ ]]
+  if [[ $REPLY =~ ^[Yyн]$ ]]
   then
       /bin/bash -c "$COMMAND"
   fi
diff --git a/run-playbook.sh b/run-playbook.sh
index cb82564..9f0c91a 100755
--- a/run-playbook.sh
+++ b/run-playbook.sh
@@ -1,15 +1,26 @@
 #!/bin/bash
-SERVER=$1
-PLAYBOOK=$2
-USER=$3
-
-while [[ "$#" -gt 0 ]]; do
-    case $1 in
-        -f|--force) force=1; shift ;;
-    esac
-    shift
+SSH_PORT=22
+args=("$@")
+
+# Обработка опций
+for ((i=0; i<$#; i++)); do
+  if [ "${args[$i]}" == "-p" ]; then
+    SSH_PORT=${args[$i+1]}
+    unset 'args[i]'
+    unset 'args[i+1]'
+  fi
+  if [ "${args[$i]}" == "-f" ]; then
+    FORCE=1
+    unset 'args[i]'
+  fi
 done
 
+args=("${args[@]}")
+
+SERVER=${args[0]}
+PLAYBOOK=${args[1]}
+USER=${args[2]}
+
 usage() {
     echo "Usage: run-vps-playbook.sh server playbook [user]"
     echo "server - domain or ip address of the vps server"
@@ -34,17 +45,17 @@ if [[ -z "$USER" ]]; then
 fi
 
 COMMAND=$(cat <<EOF
-ansible-playbook -e "lxc_host=${SERVER}" -e "runner=normal" -e "ansible_user=${USER}"
+ansible-playbook -e "lxc_host=${SERVER}" -e "runner=normal" -e "ansible_user=${USER}" --ssh-common-args="-p $SSH_PORT"
 EOF
 )
 
 COMMAND="${COMMAND} ${PLAYBOOK}"
 
-if [[ -z "$force" ]]; then
+if [[ -z "$FORCE" ]]; then
   printf 'Launch ansible playbook:\n%s\n' "${COMMAND}"
   read -p "Are you sure?  " -n 1 -r
   echo    # (optional) move to a new line
-  if [[ $REPLY =~ ^[Yy]$ ]]
+  if [[ $REPLY =~ ^[Yyн]$ ]]
   then
       /bin/bash -c "${COMMAND}"
   fi
diff --git a/run-site-playbook.sh b/run-site-playbook.sh
index 05202e4..84bfac1 100755
--- a/run-site-playbook.sh
+++ b/run-site-playbook.sh
@@ -60,7 +60,7 @@ if [[ -z "$force" ]]; then
   printf 'Launch ansible playbook:\n%s\n' "${COMMAND}"
   read -p "Are you sure?  " -n 1 -r
   echo    # (optional) move to a new line
-  if [[ $REPLY =~ ^[Yy]$ ]]
+  if [[ $REPLY =~ ^[Yyн]$ ]]
   then
       /bin/bash -c "${COMMAND}"
   fi
diff --git a/vars/databases-example.yml b/vars/databases-example.yml
index 9380965..16df525 100644
--- a/vars/databases-example.yml
+++ b/vars/databases-example.yml
@@ -1,3 +1,5 @@
+# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults-detailed.html#mariadb-users
+
 mariadb__databases:
   - name: '{{ site_name }}'
     source: '{{ inventory_dir }}//data/db-dumps/{{ site_name }}.sql.bz2'
@@ -5,5 +7,5 @@ mariadb__databases:
 
 mariadb__users:
   - name: '{{ site_name }}'
-    host: '%'
+    host: 'localhost'
     database: '{{ site_name }}%'