From de2895c6d944e21eb104e0a0c6c9711c5d893cf8 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Tue, 11 Nov 2025 09:55:18 +0000
Subject: [PATCH 01/15] feat(saas): Add custom strategy the fork a catalog item
 and add customization

---
 ansible/playbooks/saas/image-forkable.yml     | 110 ++++++++++++++++++
 .../saas/roles/caddy/tasks/build.yml          |  12 +-
 .../saas/roles/caddy/templates/Dockerfile.j2  |   4 +
 ui/controllers/api.js                         |   3 +
 ui/index.js.map                               |  37 +++++-
 ui/public/forms/catalog.html                  |   7 +-
 ui/public/forms/catalogfork.html              |  99 ++++++++++++++++
 ui/public/forms/catalogs.html                 |  28 +++--
 ui/public/forms/variables.html                |   5 +-
 ui/schemas/catalogs.js                        |  66 ++++++++++-
 ui/views/index.html                           |   1 +
 11 files changed, 345 insertions(+), 27 deletions(-)
 create mode 100644 ansible/playbooks/saas/image-forkable.yml
 create mode 100644 ui/public/forms/catalogfork.html

diff --git a/ansible/playbooks/saas/image-forkable.yml b/ansible/playbooks/saas/image-forkable.yml
new file mode 100644
index 00000000..2d3d5b64
--- /dev/null
+++ b/ansible/playbooks/saas/image-forkable.yml
@@ -0,0 +1,110 @@
+---
+- name: Build a Docker image from a catalog item
+  hosts: "{{ hosts_limit | default('infrastructure') }}"
+  become: true
+  gather_facts: true
+  vars_prompt:
+    - name: catalog_id
+      prompt: "Catalog item ID"
+      private: false
+  vars:
+    build_work_dir: "/tmp/{{ catalog }}"
+    architecture_map:
+      amd64: amd64
+      x86_64: amd64
+      armv7l: arm
+      aarch64: arm64
+      arm64: arm64
+    upstream_default_arch: "{{ architecture_map[ansible_facts.architecture] }}"
+    download_dir: "{{ build_work_dir }}/download"
+    arch_dir: "{{ build_work_dir }}/{{ upstream_default_arch }}"
+    image_name2: "{{ docker_private_registry.url }}/{% if docker_private_registry.project is defined %}{{ docker_private_registry.project }}/{% endif %}{{ image_name_manual }}:{{ image_version }}"
+    ui_url: "{{ lookup('ansible.builtin.env', 'SIMPLE_STACK_UI_URL') }}"
+    ui_user: "{{ lookup('ansible.builtin.env', 'SIMPLE_STACK_UI_USER') }}"
+    ui_password: "{{ lookup('ansible.builtin.env', 'SIMPLE_STACK_UI_PASSWORD') }}"
+
+  pre_tasks:
+    - name: Retrieve catalog item from UI
+      ansible.builtin.uri:
+        url: "{{ ui_url }}/api"
+        user: "{{ ui_user }}"
+        password: "{{ ui_password }}"
+        method: POST
+        body_format: json
+        body:
+          schema: "catalogs_read/{{ catalog_id }}"
+        force_basic_auth: true
+        status_code: 200
+      delegate_to: localhost
+      register: catalog_response
+      become: false
+
+    - name: Set catalog facts
+      ansible.builtin.set_fact:
+        catalog: "{{ catalog_response.json.origin | default(catalog_response.json.name) }}"
+        name: "{{ catalog_response.json.name }}"
+        dockerfile_root: "{{ catalog_response.json.dockerfile_root | default('') }}"
+        dockerfile_nonroot: "{{ catalog_response.json.dockerfile_nonroot | default('') }}"
+        image_name_manual: "{{ catalog_response.json.name | lower }}"
+
+    - name: Ensure temporary build directories exist
+      ansible.builtin.file:
+        path: "{{ arch_dir }}"
+        state: directory
+        mode: "0755"
+      loop:
+        - "{{ download_dir }}"
+        - "{{ arch_dir }}"
+
+  tasks:
+    - name: Build service-specific assets (e.g., compile, fetch deps)
+      ansible.builtin.include_role:
+        name: "{{ catalog }}"
+        tasks_from: build
+
+    - name: Build and push Docker image (single source of truth)
+      community.docker.docker_image_build:
+        name: "{{ image_name2 }}"
+        tag: latest
+        path: "{{ build_work_dir }}"
+        dockerfile: Dockerfile
+        labels: "{{ image_labels | default({}) }}"
+        rebuild: always
+        outputs:
+          - type: image
+            push: true
+      register: docker_build
+      when: image_build
+      notify: Cleanup build directory
+
+    - name: Update catalog item version on UI
+      ansible.builtin.uri:
+        url: "{{ ui_url }}/api"
+        user: "{{ ui_user }}"
+        password: "{{ ui_password }}"
+        method: POST
+        body_format: json
+        body:
+          schema: catalogs_create
+          data:
+            name: "{{ image_name_manual }}"
+            version: "{{ image_version }}"
+        force_basic_auth: true
+        status_code: 200
+      delegate_to: localhost
+      register: ui_update
+      failed_when: ui_update.status != 200
+      become: false
+
+  handlers:
+    - name: Cleanup build directory
+      ansible.builtin.file:
+        path: "{{ build_work_dir }}"
+        state: absent
+      listen: cleanup_build
+
+  post_tasks:
+    - name: Trigger cleanup on failure
+      ansible.builtin.meta: clear_host_errors
+      when: ansible_failed_result is defined
+      notify: Cleanup build directory
diff --git a/ansible/playbooks/saas/roles/caddy/tasks/build.yml b/ansible/playbooks/saas/roles/caddy/tasks/build.yml
index 10ddbe37..6a5094e3 100644
--- a/ansible/playbooks/saas/roles/caddy/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/caddy/tasks/build.yml
@@ -9,15 +9,9 @@
     image_labels: "{{ image.labels }}"
     image_build: "{{ image.build }}"
 
-- debug:
-    msg: 
-      - "{{ softwares }}"
-      - "{{ softwares[image.name] }}"
-      - "{{ image_version }}"
-
-- name: End playbook if no new version
-  ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+# - name: End playbook if no new version
+#   ansible.builtin.meta: end_host
+#   when: softwares[image.name] is defined and softwares[image.name].version == image_version
 
 - name: Download Github release
   ansible.builtin.get_url:
diff --git a/ansible/playbooks/saas/roles/caddy/templates/Dockerfile.j2 b/ansible/playbooks/saas/roles/caddy/templates/Dockerfile.j2
index a423587b..f21f7848 100644
--- a/ansible/playbooks/saas/roles/caddy/templates/Dockerfile.j2
+++ b/ansible/playbooks/saas/roles/caddy/templates/Dockerfile.j2
@@ -4,6 +4,8 @@ FROM {{ image.origin }}
 
 ARG TARGETARCH
 
+{{ dockerfile_root | default('') }}
+
 COPY ./${TARGETARCH}/caddy /usr/local/bin/caddy
 
 RUN addgroup caddy \
@@ -15,4 +17,6 @@ RUN mkdir -p /var/log/caddy /var/lib/caddy /etc/caddy \
 
 USER caddy
 
+{{ dockerfile_nonroot | default('') }}
+
 CMD ["caddy", "run"]
diff --git a/ui/controllers/api.js b/ui/controllers/api.js
index d75d2620..73247c4b 100644
--- a/ui/controllers/api.js
+++ b/ui/controllers/api.js
@@ -24,6 +24,9 @@ exports.install = function() {
 	ROUTE('+API    /api/       +catalogs_read/{id}         --> Catalogs/read');
 	ROUTE('+API    /api/       +catalogs_create            --> Catalogs/create');
 	ROUTE('+API    /api/       +catalogs_update/{id}       --> Catalogs/update');
+	ROUTE('+API    /api/       +catalogs_fork_create       --> Catalogs/fork_create');
+	ROUTE('+API    /api/       +catalogs_fork_update/{id}  --> Catalogs/fork_update');
+	ROUTE('+API    /api/       +catalogs_fork_remove       --> Catalogs/fork_remove');
 	ROUTE('+API    /api/       +catalogs_remove/{id}       --> Catalogs/remove');
 	ROUTE('+API    /api/       +catalogs_execute/{id}      --> Catalogs/execute');
 
diff --git a/ui/index.js.map b/ui/index.js.map
index aa87a415..76360003 100644
--- a/ui/index.js.map
+++ b/ui/index.js.map
@@ -106,7 +106,7 @@
 			"url": "/api/",
 			"auth": 1,
 			"id": "catalogs",
-			"name": " of catalog items"
+			"name": "List of catalog items"
 		},
 		{
 			"method": "API",
@@ -133,6 +133,30 @@
 			"input": "*alias:String, *description:String, documentation:String, *cron:Boolean, *crontab:String",
 			"name": "Update catalog item"
 		},
+		{
+			"method": "API",
+			"url": "/api/",
+			"auth": 1,
+			"id": "catalogs_fork_create",
+			"input": "*origin:String, *version:String, *suffix:String, *alias:String, *description:String, *cron:Boolean, *crontab:String, *dockerfile_root:String, *dockerfile_nonroot:String",
+			"name": "Fork catalog item"
+		},
+		{
+			"method": "API",
+			"url": "/api/",
+			"auth": 1,
+			"params": "id:string",
+			"id": "catalogs_fork_update",
+			"input": "*origin:String, *suffix:String, *alias:String, *description:String, *cron:Boolean, *crontab:String, *dockerfile_root:String, *dockerfile_nonroot:String",
+			"name": "Fork catalog item"
+		},
+		{
+			"method": "API",
+			"url": "/api/",
+			"auth": 1,
+			"id": "catalogs_fork_remove",
+			"error": "Action not found"
+		},
 		{
 			"method": "API",
 			"url": "/api/",
@@ -359,6 +383,17 @@
 			"input": "*name:String, *version:String",
 			"permissions": "catalogs"
 		},
+		{
+			"name": "Catalogs/fork_create",
+			"input": "*origin:String, *version:String, *suffix:String, *alias:String, *description:String, *cron:Boolean, *crontab:String, *dockerfile_root:String, *dockerfile_nonroot:String",
+			"permissions": "catalogs"
+		},
+		{
+			"name": "Catalogs/fork_update",
+			"params": "*id:UID",
+			"input": "*origin:String, *suffix:String, *alias:String, *description:String, *cron:Boolean, *crontab:String, *dockerfile_root:String, *dockerfile_nonroot:String",
+			"permissions": "catalogs"
+		},
 		{
 			"name": "Catalogs/read",
 			"params": "*id:UID",
diff --git a/ui/public/forms/catalog.html b/ui/public/forms/catalog.html
index 4cc89db6..9cb50129 100644
--- a/ui/public/forms/catalog.html
+++ b/ui/public/forms/catalog.html
@@ -1,4 +1,4 @@
-<ui-component name="miniform" path="common.form2" config="if:~PATH~;width:400;submit:?/submit;reload:?/reload;autofocus:1;icon:ti ti-folder;zindex:30" plugin="~PATH~" class="hidden">
+<ui-component name="miniform" path="common.form2" config="if:~PATH~;width:600;submit:?/submit;reload:?/reload;autofocus:1;icon:ti ti-folder;zindex:30" plugin="~PATH~" class="hidden">
 	<div class="padding">
 		<ui-bind path="?" config="template;show" class="block fs12 m">
 			<script type="text/html">
@@ -19,12 +19,9 @@
 					<ui-component name="input" path="?.description" config="required:1">@(Description)</ui-component>
 				</div>
 				<div class="m">
-					<ui-component name="input" path="?.version" config="disabled:true">@(Version)</ui-component>
+					<ui-component name="input" path="?.documentation" config="required:0">@(Documentation)</ui-component>
 				</div>
 			</div>
-			<div class="m">
-				<ui-component name="input" path="?.documentation" config="required:0">@(Documentation)</ui-component>
-			</div>
 		</div>
 	</div>
 	<hr class="nmt nmb" />
diff --git a/ui/public/forms/catalogfork.html b/ui/public/forms/catalogfork.html
new file mode 100644
index 00000000..3be40829
--- /dev/null
+++ b/ui/public/forms/catalogfork.html
@@ -0,0 +1,99 @@
+<ui-component name="miniform" path="common.form2" config="if:~PATH~;width:600;submit:?/submit;reload:?/reload;autofocus:1;icon:ti ti-code-branch;zindex:30" plugin="~PATH~" class="hidden">
+	<div class="padding">
+		<ui-bind path="?" config="template;show" class="block fs12 m">
+			<script type="text/html">
+				<div class="monospace">ID: <b>{{ value.id }}</b></div>
+			</script>
+		</ui-bind>
+		<ui-component name="tabs" path="?.tab" class="invisible">
+			<section data-id="default" title="Default" data-icon="ti ti-code-branch">
+			<div class="padding">
+				<div>
+					<div class="grid-2">
+						<div class="m">
+							<ui-component name="input" path="?.origin" config="required:1;dirsource:?.catalog_list">Origin</ui-component>
+						</div>
+						<div class="m">
+							<ui-component name="input" path="?.suffix" config="required:1">@(Suffix)</ui-component>
+						</div>
+					</div>
+					<div class="grid-2">
+						<div class="m">
+							<ui-component name="input" path="?.alias" config="required:1">@(Alias)</ui-component>
+						</div>
+						<div class="m">
+							<ui-component name="input" path="?.description" config="required:1">@(Description)</ui-component>
+						</div>
+					</div>
+				</div>
+			</div>
+			<hr class="nmt nmb" />
+			<div class="padding">
+				<div class="grid-2">
+					<div class="m">
+						<ui-component name="input" path="?.cron" config="type:checkbox" class="b">@(Periodic build)</ui-component>
+					</div>
+					<div class="m">
+						<ui-component name="input" path="?.crontab" config="required:1">@(Crontab)</ui-component>
+					</div>
+				</div>
+			</div>			
+			</section>
+			<section data-id="dockerfile" title="Dockerfile" data-icon="ti ti-docker">
+				<div class="padding">
+					<div>
+						<ui-component name="codemirror" path="?.dockerfile_root" config="type:htmlmixed;required:true;height:200">Add extra commands in your dockerfile as a root user</ui-component>
+					</div>
+					<div>
+						<ui-component name="codemirror" path="?.dockerfile_nonroot" config="type:htmlmixed;required:true;height:200">Add extra commands in your dockerfile as a non root user</ui-component>
+					</div>
+				</div>
+			</section>
+		</ui-component>
+	</div>
+	<nav>
+		<ui-component name="validate" path="?">
+			<button name="submit" disabled><i class="ti ti-check-circle"></i>@(SUBMIT)</button>
+			<button name="cancel">@(Close)</button>
+		</ui-component>
+	</nav>
+</ui-component>
+
+<script>
+	PLUGIN(function(exports) {
+
+		var caller;
+
+		exports.reload = function(header) {
+			var model = exports.model;
+			header.reconfigure({ title: model.id ? '@(Update catalog fork)' : '@(Add catalog fork)' });
+			caller = exports.caller;
+		};
+
+		exports.submit = function(hide) {
+			var form = exports.form;
+
+			console.log(form.origin);
+			const catalog_item = exports.model.catalog_list.find(item => item.id === form.origin);
+			console.log(catalog_item);
+			const payload = {
+				origin: catalog_item.name,
+				version: catalog_item.version,
+				suffix: form.suffix,
+				alias: form.alias,
+				description: form.description,
+				cron: form.cron,
+				crontab: form.crontab,
+				dockerfile_root: form.dockerfile_root,
+				dockerfile_nonroot: form.dockerfile_nonroot
+			};
+
+			exports.tapi('catalogs_fork_{0} ERROR'.format(form.id ? ('update/' + form.id) : 'create'), payload, function() {
+				hide();
+				CLRELOAD('cl');
+				SETTER('notify/success', '@(Done)');
+				caller.exec('refresh');
+			});
+		};
+	});
+</script>
\ No newline at end of file
diff --git a/ui/public/forms/catalogs.html b/ui/public/forms/catalogs.html
index 9a5fad84..e4088cc5 100644
--- a/ui/public/forms/catalogs.html
+++ b/ui/public/forms/catalogs.html
@@ -17,7 +17,7 @@
 <ui-component name="box" path="common.form" config="if:~PATH~;width:620;icon:ti ti-folders;title:@(Catalog);reload:?/reload;" class="hidden ~PATH~" plugin="~PATH~">
 	<nav>
 		<button class="exec" data-exec="?/settings"><i class="ti ti-config"></i>@(Settings)</button>
-		<button class="exec" data-exec="?/add"><i class="ti ti-plus-circle green"></i>@(Add)</button>
+		<button class="exec" data-exec="?/fork"><i class="ti ti-code-branch green"></i>@(Fork)</button>
 	</nav>
 	<ui-component name="textbox" path="?.search" config="type:search"></ui-component>
 	<ui-component name="searchdata" path="?.search" config="datasource:?.items;key:name;output:?.searchoutput">
@@ -25,17 +25,18 @@
 			<ui-bind path="?.searchoutput" config="track:id;template" class="meta listing">
 				<script type="text/html">
 				{{ foreach m in value }}
-					<figure data-alias="{{ m.alias }}" data-id="{{ m.id }}" class="exec items" data-exec="?/update">
+					<figure data-alias="{{ m.alias }}" data-id="{{ m.id }}" data-fork="{{ m.fork }}" class="exec items" data-exec="?/update">
 						<section>
 							<div class="buttons">
 								<span class="gray fs11 ml5">{{ m.version | empty }}</span>
+								<span class="exec"><span class="badge badge-small badge-green">{{ if m.fork }}<i class="ti ti-code-branch green">{{ else }}<i class="ti ti-code-branch grey"></i>{{ fi }}</i></span></span>
 								<span class="exec"><span class="badge badge-small badge-green">{{ if m.cron }}<i class="ti ti-clock orange">{{ else }}<i class="ti ti-clock grey"></i>{{ fi }}</i></span></span>
 								<span class="exec" data-exec="?/execute" data-prevent="true"><i class="ti ti-play green"></i></span>
 								<span class="exec version" data-exec="?/remove" data-prevent="true"><i class="ti ti-trash red"></i></span>
 							</div>
 							<div class="name">
 								<div class="picto">
-									<span><img src="/img/{{ m.name }}.png" width="15" heigth="15" /></span>
+									<span><img src="/img/{{ m.picto | def(m.name) }}.png" width="15" heigth="15" /></span>
 								</div>
 								{{ m.alias | empty(m.name) }}
 							</div>
@@ -68,12 +69,13 @@
 					settingsId: result.settingsId
 				};
 				exports.set(output);
+				SET('catalog_list', result.items);
 			});
 		};
 
-		exports.add = function() {
-			SET('formcatalog @default', {});
-			SET('common.form2', 'formcatalog');
+		exports.fork = function() {
+			SET('formcatalogfork @default', { tab: 'default', catalog_list: GET('catalog_list'), crontab: '* * * * *'});
+			SET('common.form2', 'formcatalogfork');
 		};
 
 		exports.settings = function(el) {
@@ -107,9 +109,19 @@
 
 		exports.update = function(el) {
 			var id = ATTRD(el);
+			var fork = ATTRD(el, 'fork');
 			exports.tapi('catalogs_read/{0} ERROR'.format(id), function(response) {
-				SET('formcatalog @reset @hideloading', response);
-				SET('common.form2', 'formcatalog');
+				if(fork){
+					response.tab = 'default';
+					response.catalog_list = GET('catalog_list');
+					
+					SET('formcatalogfork @reset @hideloading', response);
+					SET('common.form2', 'formcatalogfork');
+				}
+				else {
+					SET('formcatalog @reset @hideloading', response);
+					SET('common.form2', 'formcatalog');
+				}
 			});
 		};
 
diff --git a/ui/public/forms/variables.html b/ui/public/forms/variables.html
index 8b344864..5d6375c2 100644
--- a/ui/public/forms/variables.html
+++ b/ui/public/forms/variables.html
@@ -3,7 +3,7 @@
 	.CLASS figure:first-child { border-top: 0; }
 	.CLASS figure:first-child { margin-top: 0; }
 	.CLASS .buttons { float: right; padding-left: 10px; }
-	.CLASS .name { margin-right: 100px; }
+	.CLASS .name { margin-right: 100px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; max-width: 75ch; }
 	.CLASS .name > i { width: 12px; margin-right: 5px; text-align: center; }
 	.CLASS figure .name .description { margin-left: 9px; }
 	.CLASS .buttons span { line-height: 21px; margin:0px 2px 2px 2px ; border-radius: var(--radius); border: 0; margin: 0 5px; }
@@ -72,6 +72,9 @@
 				case 'variable':
 					return 'variables';
 					break;
+				case 'settings':
+					return 'cog orange';
+					break;
 			}
 		};
 
diff --git a/ui/schemas/catalogs.js b/ui/schemas/catalogs.js
index 1b2b4e35..078bf2ce 100644
--- a/ui/schemas/catalogs.js
+++ b/ui/schemas/catalogs.js
@@ -27,12 +27,12 @@ NEWSCHEMA('Catalogs', function(schema) {
 	});
 
 	schema.action('list', {
-		name: ' of catalog items',
+		name: 'List of catalog items',
 		permissions: 'catalogs',
 		action: async function($) {
 			const [catalogs, settings] = await Promise.all([
 				DATA.list('nosql/catalogs')
-					.fields('id,name,alias,description,version,cron,crontab')
+					.fields('id,name,origin,picto,suffix,alias,description,version,cron,crontab,fork')
 					.error('@(Error loading catalogs)')
 					.promise($),
 				DATA.read('nosql/variables')
@@ -55,6 +55,7 @@ NEWSCHEMA('Catalogs', function(schema) {
 		action: async function($, model) {
 			model.id = UID();
 			model.dtcreated = NOW;
+			model.fork = false;
 
 			const existing = await DATA.read('nosql/catalogs')
 				.where('name', model.name)
@@ -77,6 +78,64 @@ NEWSCHEMA('Catalogs', function(schema) {
 		}
 	});
 
+	schema.action('fork_create', {
+		name: 'Fork catalog item',
+		permissions: 'catalogs',
+		input: '*origin:String, *version:String, *suffix:String, *alias:String, *description:String, *cron:Boolean, *crontab:String, *dockerfile_root:String, *dockerfile_nonroot:String',
+		action: async function($, model) {
+
+			const name = '{0}-{1}'.format(model.origin, model.suffix);
+			const existing = await DATA.read('nosql/catalogs')
+				.where('name', model.name)
+				.where('suffix', model.suffix)
+				.promise($);
+
+			if (existing) {
+				$.invalid('Catalog item already exists');
+				return;
+			}
+
+			model.id = UID();
+			model.dtcreated = NOW;
+			model.fork = true;
+			model.name = name;
+			model.picto = model.origin;
+
+			await DATA.insert('nosql/catalogs', model)
+				.error('@(Error creating catalog)')
+				.promise($);
+			$.success();
+		}
+	});
+
+	schema.action('fork_update', {
+		name: 'Fork catalog item',
+		params: '*id:UID',
+		permissions: 'catalogs',
+		input: '*origin:String, *suffix:String, *alias:String, *description:String, *cron:Boolean, *crontab:String, *dockerfile_root:String, *dockerfile_nonroot:String',
+		action: async function($, model) {
+
+			await DATA.update('nosql/catalogs', {
+					name: '{0}-{1}'.format(model.origin, model.suffix),
+					origin: model.origin,
+					picto: model.origin,
+					suffix: model.suffix,
+					alias: model.alias,
+					description: model.description,
+					cron: model.cron,
+					crontab: model.crontab,
+					dockerfile_root: model.dockerfile_root,
+					dockerfile_nonroot: model.dockerfile_nonroot,
+					dtupdated: NOW
+				})
+				.id($.params.id)
+				.error('@(Error updating catalog)')
+				.promise($);
+			$.success();
+		}
+	});
+
+
 	schema.action('read', {
 		name: 'Read a catalog item',
 		params: '*id:UID',
@@ -161,7 +220,8 @@ NEWSCHEMA('Catalogs', function(schema) {
 			const payload = {
 				meta: { hosts: decrypted.instance },
 				type: 'saas-image',
-				catalog: item.name
+				catalog: item.name,
+				fork: item.fork
 			};
 
 			RESTBuilder.make(builder => {
diff --git a/ui/views/index.html b/ui/views/index.html
index 69549b56..3e5e4c07 100644
--- a/ui/views/index.html
+++ b/ui/views/index.html
@@ -40,6 +40,7 @@
 	<ui-component name="importer" path="common.form2" config="if:formvariable;url:/forms/variable.html"></ui-component>
 	<ui-component name="importer" path="common.form" config="if:formcatalogs;url:/forms/catalogs.html"></ui-component>
 	<ui-component name="importer" path="common.form2" config="if:formcatalog;url:/forms/catalog.html"></ui-component>
+	<ui-component name="importer" path="common.form2" config="if:formcatalogfork;url:/forms/catalogfork.html"></ui-component>
 	<ui-component name="importer" path="common.form" config="if:formsoftwares;url:/forms/softwares.html"></ui-component>
 	<ui-component name="importer" path="common.form2" config="if:formsoftware;url:/forms/software.html"></ui-component>
 	<ui-component name="importer" path="common.form" config="if:formusers;url:/forms/users.html"></ui-component>

From 623dc3c228369192b3397ba83cdfa26510754648 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Tue, 11 Nov 2025 17:52:54 +0100
Subject: [PATCH 02/15] refactor(ansible): replace path with build_work_dir for
 builds

---
 ansible/playbooks/saas/image.yml                       | 3 +--
 ansible/playbooks/saas/roles/adguard/tasks/build.yml   | 6 +++---
 ansible/playbooks/saas/roles/caddy/tasks/build.yml     | 2 +-
 ansible/playbooks/saas/roles/forgejo/tasks/build.yml   | 2 +-
 ansible/playbooks/saas/roles/kresus/tasks/build.yml    | 4 ++--
 ansible/playbooks/saas/roles/minio/tasks/build.yml     | 2 +-
 ansible/playbooks/saas/roles/nginx/tasks/build.yml     | 6 +++---
 ansible/playbooks/saas/roles/nodejs/tasks/build.yml    | 2 +-
 ansible/playbooks/saas/roles/phpfpm/tasks/build.yml    | 2 +-
 ansible/playbooks/saas/roles/wordpress/tasks/build.yml | 6 +++---
 10 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/ansible/playbooks/saas/image.yml b/ansible/playbooks/saas/image.yml
index 7b8fc85a..ea611359 100644
--- a/ansible/playbooks/saas/image.yml
+++ b/ansible/playbooks/saas/image.yml
@@ -16,7 +16,6 @@
       aarch64: arm64
       arm64: arm64
     upstream_default_arch: "{{ architecture_map[ansible_facts.architecture] }}"
-    path: "/tmp/{{ catalog }}"
 
   pre_tasks:
     - name: Create temporary build directory
@@ -46,7 +45,7 @@
           community.docker.docker_image_build:
             name: "{{ docker_private_registry.url }}/{% if docker_private_registry.project is defined %}{{ docker_private_registry.project }}/{% endif %}{{ image_name }}:{{ image_version }}"
             tag: latest
-            path: "/tmp/{{ catalog }}"
+            path: "{{ build_work_dir }}"
             dockerfile: Dockerfile
             labels: "{{ image_labels }}"
             rebuild: always
diff --git a/ansible/playbooks/saas/roles/adguard/tasks/build.yml b/ansible/playbooks/saas/roles/adguard/tasks/build.yml
index 59dbe217..d0aa2857 100644
--- a/ansible/playbooks/saas/roles/adguard/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/adguard/tasks/build.yml
@@ -30,8 +30,8 @@
 
 - name: Copy binary in build directory
   ansible.builtin.copy:
-    src: "{{ path }}/download/AdGuardHome/{{ image.upstream.binary }}"
-    dest: "{{ path }}/{{ image.upstream.binary }}"
+    src: "{{ build_work_dir }}/download/AdGuardHome/{{ image.upstream.binary }}"
+    dest: "{{ build_work_dir }}/{{ image.upstream.binary }}"
     mode: '0755'
     remote_src: true
   when: download_result.changed
@@ -39,5 +39,5 @@
 - name: Copy dockerfile
   ansible.builtin.template:
     src: Dockerfile.j2
-    dest: "{{ path }}/Dockerfile"
+    dest: "{{ build_work_dir }}/Dockerfile"
     mode: '0644'
diff --git a/ansible/playbooks/saas/roles/caddy/tasks/build.yml b/ansible/playbooks/saas/roles/caddy/tasks/build.yml
index 6a5094e3..2047e74d 100644
--- a/ansible/playbooks/saas/roles/caddy/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/caddy/tasks/build.yml
@@ -38,5 +38,5 @@
 - name: Copy dockerfile
   ansible.builtin.template:
     src: Dockerfile.j2
-    dest: "{{ path }}/Dockerfile"
+    dest: "{{ build_work_dir }}/Dockerfile"
     mode: '0644'
diff --git a/ansible/playbooks/saas/roles/forgejo/tasks/build.yml b/ansible/playbooks/saas/roles/forgejo/tasks/build.yml
index 9ea08ee8..6a0303db 100644
--- a/ansible/playbooks/saas/roles/forgejo/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/forgejo/tasks/build.yml
@@ -31,5 +31,5 @@
 - name: Copy dockerfile
   ansible.builtin.template:
     src: Dockerfile.j2
-    dest: "{{ path }}/Dockerfile"
+    dest: "{{ build_work_dir }}/Dockerfile"
     mode: '0644'
diff --git a/ansible/playbooks/saas/roles/kresus/tasks/build.yml b/ansible/playbooks/saas/roles/kresus/tasks/build.yml
index 8fd0f814..00c1d0d2 100644
--- a/ansible/playbooks/saas/roles/kresus/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/kresus/tasks/build.yml
@@ -16,11 +16,11 @@
 - name: Copy config file
   ansible.builtin.copy:
     src: config.ini
-    dest: "{{ path }}/config.ini"
+    dest: "{{ build_work_dir }}/config.ini"
     mode: '0644'
 
 - name: Copy dockerfile
   ansible.builtin.template:
     src: Dockerfile.j2
-    dest: "{{ path }}/Dockerfile"
+    dest: "{{ build_work_dir }}/Dockerfile"
     mode: '0644'
diff --git a/ansible/playbooks/saas/roles/minio/tasks/build.yml b/ansible/playbooks/saas/roles/minio/tasks/build.yml
index 23cc4525..11b4cc29 100644
--- a/ansible/playbooks/saas/roles/minio/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/minio/tasks/build.yml
@@ -31,5 +31,5 @@
 - name: Copy dockerfile
   ansible.builtin.template:
     src: Dockerfile.j2
-    dest: "{{ path }}/Dockerfile"
+    dest: "{{ build_work_dir }}/Dockerfile"
     mode: '0644'
diff --git a/ansible/playbooks/saas/roles/nginx/tasks/build.yml b/ansible/playbooks/saas/roles/nginx/tasks/build.yml
index 7eb8a83f..c24e904d 100644
--- a/ansible/playbooks/saas/roles/nginx/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/nginx/tasks/build.yml
@@ -18,7 +18,7 @@
 - name: Copy boilerplate configuration snippets files
   ansible.builtin.copy:
     src: nginx
-    dest: "{{ path }}/"
+    dest: "{{ build_work_dir }}/"
     owner: 'root'
     group: 'root'
     mode: 0644
@@ -26,7 +26,7 @@
 - name: Copy default index file
   ansible.builtin.copy:
     src: index.html
-    dest: "{{ path }}/index.html"
+    dest: "{{ build_work_dir }}/index.html"
     owner: 'root'
     group: 'root'
     mode: 0644
@@ -34,5 +34,5 @@
 - name: Copy dockerfile
   ansible.builtin.template:
     src: Dockerfile.j2
-    dest: "{{ path }}/Dockerfile"
+    dest: "{{ build_work_dir }}/Dockerfile"
     mode: '0644'
diff --git a/ansible/playbooks/saas/roles/nodejs/tasks/build.yml b/ansible/playbooks/saas/roles/nodejs/tasks/build.yml
index cb9e8347..24809656 100644
--- a/ansible/playbooks/saas/roles/nodejs/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/nodejs/tasks/build.yml
@@ -18,5 +18,5 @@
 - name: Copy dockerfile
   ansible.builtin.template:
     src: Dockerfile.j2
-    dest: "{{ path }}/Dockerfile"
+    dest: "{{ build_work_dir }}/Dockerfile"
     mode: '0644'
diff --git a/ansible/playbooks/saas/roles/phpfpm/tasks/build.yml b/ansible/playbooks/saas/roles/phpfpm/tasks/build.yml
index cb9e8347..24809656 100644
--- a/ansible/playbooks/saas/roles/phpfpm/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/phpfpm/tasks/build.yml
@@ -18,5 +18,5 @@
 - name: Copy dockerfile
   ansible.builtin.template:
     src: Dockerfile.j2
-    dest: "{{ path }}/Dockerfile"
+    dest: "{{ build_work_dir }}/Dockerfile"
     mode: '0644'
diff --git a/ansible/playbooks/saas/roles/wordpress/tasks/build.yml b/ansible/playbooks/saas/roles/wordpress/tasks/build.yml
index f02d47f4..88adfc97 100644
--- a/ansible/playbooks/saas/roles/wordpress/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/wordpress/tasks/build.yml
@@ -18,17 +18,17 @@
 - name: Download wp-cli
   ansible.builtin.get_url:
     url: https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
-    dest: "{{ path }}/wp-cli"
+    dest: "{{ build_work_dir }}/wp-cli"
     mode: '0755'
 
 - name: Copy dockerfile
   ansible.builtin.template:
     src: Dockerfile.j2
-    dest: "{{ path }}/Dockerfile"
+    dest: "{{ build_work_dir }}/Dockerfile"
     mode: '0644'
 
 - name: Copy php.ini
   ansible.builtin.template:
     src: php.ini
-    dest: "{{ path }}/php.ini"
+    dest: "{{ build_work_dir }}/php.ini"
     mode: '0644'

From 96708083aff226ba3ce69fbb002c02af0a14670d Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Fri, 14 Nov 2025 08:17:44 +0100
Subject: [PATCH 03/15] feat(catalog): add forkable support for SaaS images

Introduce a `forkable` flag in the catalog schema and UI, change the `saas-image` event payload to use `catalog_id` instead of the catalog name, and update all Ansible playbooks and roles to work with `image_definition` and the new flag. UI catalog selectors now filter only forkable items.
---
 ansible/playbooks/saas/image-forkable.yml     | 35 +++++++++----------
 ansible/playbooks/saas/image.yml              | 17 +++++----
 .../saas/roles/adguard/tasks/build.yml        | 34 ++++--------------
 .../roles/adguard/templates/Dockerfile.j2     |  8 ++++-
 .../saas/roles/adguard/vars/main.yml          |  1 +
 .../saas/roles/arangodb/tasks/build.yml       |  6 ++--
 .../saas/roles/caddy/tasks/build.yml          | 23 ++++--------
 .../playbooks/saas/roles/caddy/vars/main.yml  |  1 +
 .../saas/roles/code_server/tasks/build.yml    |  7 ++--
 .../saas/roles/code_server/tasks/main.yml     |  3 --
 .../saas/roles/code_server/vars/main.yml      |  1 +
 .../saas/roles/dolibarr/tasks/build.yml       |  6 ++--
 .../saas/roles/forgejo/tasks/build.yml        |  6 ++--
 .../saas/roles/forgejo/vars/main.yml          |  1 +
 .../saas/roles/freshrss/tasks/build.yml       |  6 ++--
 .../saas/roles/grafana/tasks/build.yml        |  6 ++--
 .../saas/roles/homeassistant/tasks/build.yml  |  6 ++--
 .../saas/roles/kresus/tasks/build.yml         |  6 ++--
 .../playbooks/saas/roles/kresus/vars/main.yml |  1 +
 .../saas/roles/litellm/tasks/build.yml        |  6 ++--
 .../playbooks/saas/roles/loki/tasks/build.yml |  6 ++--
 .../saas/roles/mariadb/tasks/build.yml        |  6 ++--
 .../saas/roles/milvus/tasks/build.yml         |  6 ++--
 .../saas/roles/mimir/tasks/build.yml          |  6 ++--
 .../saas/roles/minio/tasks/build.yml          |  6 ++--
 .../playbooks/saas/roles/minio/vars/main.yml  |  1 +
 .../saas/roles/mosquitto/tasks/build.yml      |  6 ++--
 .../saas/roles/nextcloud/tasks/build.yml      |  6 ++--
 .../saas/roles/nginx/tasks/build.yml          |  6 ++--
 .../saas/roles/nodejs/tasks/build.yml         |  6 ++--
 .../playbooks/saas/roles/nodejs/vars/main.yml |  1 +
 .../saas/roles/open-webui/tasks/build.yml     |  6 ++--
 .../saas/roles/phpfpm/tasks/build.yml         |  6 ++--
 .../playbooks/saas/roles/phpfpm/vars/main.yml |  1 +
 .../saas/roles/postgresql/tasks/build.yml     |  6 ++--
 .../saas/roles/registry/tasks/build.yml       |  6 ++--
 .../saas/roles/rocketchat/tasks/build.yml     |  6 ++--
 .../roles/simplestack_ansible/tasks/build.yml |  6 ++--
 .../saas/roles/simplestack_ui/tasks/build.yml |  6 ++--
 .../saas/roles/traefik/tasks/build.yml        |  6 ++--
 .../saas/roles/valkey/tasks/build.yml         |  6 ++--
 .../saas/roles/vector/tasks/build.yml         |  6 ++--
 .../playbooks/saas/roles/vllm/tasks/build.yml |  6 ++--
 .../saas/roles/wordpress/tasks/build.yml      |  2 +-
 .../saas/roles/wordpress/vars/main.yml        |  1 +
 .../saas/roles/zigbee2mqtt/tasks/build.yml    |  2 +-
 ansible/rulebook.yml                          |  4 +--
 ui/index.js.map                               |  4 +--
 ui/public/forms/catalogs.html                 |  5 +--
 ui/schemas/catalogs.js                        |  8 ++---
 ui/schemas/inventory.js                       |  4 +--
 51 files changed, 127 insertions(+), 206 deletions(-)

diff --git a/ansible/playbooks/saas/image-forkable.yml b/ansible/playbooks/saas/image-forkable.yml
index 2d3d5b64..9cbdd56b 100644
--- a/ansible/playbooks/saas/image-forkable.yml
+++ b/ansible/playbooks/saas/image-forkable.yml
@@ -1,5 +1,5 @@
 ---
-- name: Build a Docker image from a catalog item
+- name: Build a Docker image from a catalog id
   hosts: "{{ hosts_limit | default('infrastructure') }}"
   become: true
   gather_facts: true
@@ -8,17 +8,17 @@
       prompt: "Catalog item ID"
       private: false
   vars:
-    build_work_dir: "/tmp/{{ catalog }}"
     architecture_map:
       amd64: amd64
       x86_64: amd64
       armv7l: arm
       aarch64: arm64
       arm64: arm64
-    upstream_default_arch: "{{ architecture_map[ansible_facts.architecture] }}"
+    catalog: "{{ catalog_response.json.origin | default(catalog_response.json.name) }}"
+    build_work_dir: "/tmp/{{ catalog }}"
     download_dir: "{{ build_work_dir }}/download"
     arch_dir: "{{ build_work_dir }}/{{ upstream_default_arch }}"
-    image_name2: "{{ docker_private_registry.url }}/{% if docker_private_registry.project is defined %}{{ docker_private_registry.project }}/{% endif %}{{ image_name_manual }}:{{ image_version }}"
+    upstream_default_arch: "{{ architecture_map[ansible_facts.architecture] }}"    
     ui_url: "{{ lookup('ansible.builtin.env', 'SIMPLE_STACK_UI_URL') }}"
     ui_user: "{{ lookup('ansible.builtin.env', 'SIMPLE_STACK_UI_USER') }}"
     ui_password: "{{ lookup('ansible.builtin.env', 'SIMPLE_STACK_UI_PASSWORD') }}"
@@ -39,17 +39,9 @@
       register: catalog_response
       become: false
 
-    - name: Set catalog facts
-      ansible.builtin.set_fact:
-        catalog: "{{ catalog_response.json.origin | default(catalog_response.json.name) }}"
-        name: "{{ catalog_response.json.name }}"
-        dockerfile_root: "{{ catalog_response.json.dockerfile_root | default('') }}"
-        dockerfile_nonroot: "{{ catalog_response.json.dockerfile_nonroot | default('') }}"
-        image_name_manual: "{{ catalog_response.json.name | lower }}"
-
     - name: Ensure temporary build directories exist
       ansible.builtin.file:
-        path: "{{ arch_dir }}"
+        path: "{{ item }}"
         state: directory
         mode: "0755"
       loop:
@@ -57,24 +49,28 @@
         - "{{ arch_dir }}"
 
   tasks:
-    - name: Build service-specific assets (e.g., compile, fetch deps)
+    - name: Build assets
       ansible.builtin.include_role:
         name: "{{ catalog }}"
         tasks_from: build
+      vars:
+        catalog_image_name: "{{ catalog_response.json.name }}"
+        dockerfile_root: "{{ catalog_response.json.dockerfile_root | default('') }}"
+        dockerfile_nonroot: "{{ catalog_response.json.dockerfile_nonroot | default('') }}"
 
-    - name: Build and push Docker image (single source of truth)
+    - name: Build and push Docker image
       community.docker.docker_image_build:
-        name: "{{ image_name2 }}"
+        name: "{{ docker_private_registry.url }}/{% if docker_private_registry.project is defined %}{{ docker_private_registry.project }}/{% endif %}{{ catalog_response.json.name }}:{{ image_version }}"
         tag: latest
         path: "{{ build_work_dir }}"
         dockerfile: Dockerfile
-        labels: "{{ image_labels | default({}) }}"
+        labels: "{{ image_definition.labels | default({}) }}"
         rebuild: always
         outputs:
           - type: image
             push: true
       register: docker_build
-      when: image_build
+      when: image_definition.build
       notify: Cleanup build directory
 
     - name: Update catalog item version on UI
@@ -87,8 +83,9 @@
         body:
           schema: catalogs_create
           data:
-            name: "{{ image_name_manual }}"
+            name: "{{ catalog_response.json.name }}"
             version: "{{ image_version }}"
+            forkable: "{{ image_forkable | default(false) }}"
         force_basic_auth: true
         status_code: 200
       delegate_to: localhost
diff --git a/ansible/playbooks/saas/image.yml b/ansible/playbooks/saas/image.yml
index ea611359..8cbd717a 100644
--- a/ansible/playbooks/saas/image.yml
+++ b/ansible/playbooks/saas/image.yml
@@ -33,32 +33,31 @@
       ansible.builtin.include_role:
         name: "{{ catalog }}"
         tasks_from: build
+      vars:
+        catalog_image_name: "{{ catalog }}"
+        dockerfile_root: ""
+        dockerfile_nonroot: ""
 
     - name: Debug latest version
       ansible.builtin.debug:
         msg: "{{ image_version }}"
 
     - name: Build
-      when: image_build
+      when: image_definition.build
       block:
         - name: Build and publish image
           community.docker.docker_image_build:
-            name: "{{ docker_private_registry.url }}/{% if docker_private_registry.project is defined %}{{ docker_private_registry.project }}/{% endif %}{{ image_name }}:{{ image_version }}"
+            name: "{{ docker_private_registry.url }}/{% if docker_private_registry.project is defined %}{{ docker_private_registry.project }}/{% endif %}{{ image_definition.name }}:{{ image_version }}"
             tag: latest
             path: "{{ build_work_dir }}"
             dockerfile: Dockerfile
-            labels: "{{ image_labels }}"
+            labels: "{{ image_definition.labels }}"
             rebuild: always
             outputs:
               - type: image
                 push: true
           register: docker_image_build
 
-        - name: Debug
-          ansible.builtin.debug:
-            msg: "{{ docker_image_build }}"
-            verbosity: 1
-
     - name: Update catalog item version on UI
       ansible.builtin.uri:
         url: "{{ lookup('ansible.builtin.env', 'SIMPLE_STACK_UI_URL') }}/api"
@@ -69,7 +68,7 @@
         body:
           schema: catalogs_create
           data:
-            name: "{{ image_name }}"
+            name: "{{ image_definition.name }}"
             version: "{{ image_version }}"
         force_basic_auth: true
         status_code: 200
diff --git a/ansible/playbooks/saas/roles/adguard/tasks/build.yml b/ansible/playbooks/saas/roles/adguard/tasks/build.yml
index d0aa2857..f48c8f22 100644
--- a/ansible/playbooks/saas/roles/adguard/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/adguard/tasks/build.yml
@@ -5,36 +5,14 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
-
+    image_definition: "{{ image }}"
+    image_forkable: "{{ image.forkable }}"
+    upstream_file_url: "{{ upstream_file_url }}"
+    upstream_file_name: "{{ upstream_file_name }}"
+    
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
-
-- name: Download Github release
-  ansible.builtin.get_url:
-    url: "{{ upstream_file_url }}"
-    dest: "{{ build_work_dir }}/download/"
-    mode: '0644'
-    force: no
-  register: download_result
-
-- name: Unarchive GitHub release
-  ansible.builtin.unarchive:
-    src: "{{ build_work_dir }}/download/{{ upstream_file_name }}"
-    dest: "{{ build_work_dir }}/download"
-    remote_src: true
-  when: download_result.changed
-
-- name: Copy binary in build directory
-  ansible.builtin.copy:
-    src: "{{ build_work_dir }}/download/AdGuardHome/{{ image.upstream.binary }}"
-    dest: "{{ build_work_dir }}/{{ image.upstream.binary }}"
-    mode: '0755'
-    remote_src: true
-  when: download_result.changed
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
 
 - name: Copy dockerfile
   ansible.builtin.template:
diff --git a/ansible/playbooks/saas/roles/adguard/templates/Dockerfile.j2 b/ansible/playbooks/saas/roles/adguard/templates/Dockerfile.j2
index 0db222df..38a548f7 100644
--- a/ansible/playbooks/saas/roles/adguard/templates/Dockerfile.j2
+++ b/ansible/playbooks/saas/roles/adguard/templates/Dockerfile.j2
@@ -4,7 +4,13 @@ FROM {{ image.origin }}
 
 ARG TARGETARCH
 
-COPY {{ image.upstream.binary }} /usr/local/bin/{{ image.upstream.binary }}
+RUN apk add wget
+
+RUN wget -O {{ upstream_file_name }} {{ upstream_file_url }} && \
+    tar xzf {{ upstream_file_name }} && \
+    mv AdGuardHome/AdGuardHome /usr/local/bin/AdGuardHome
+
+{{ dockerfile_root | default('') }}
 
 USER root
 
diff --git a/ansible/playbooks/saas/roles/adguard/vars/main.yml b/ansible/playbooks/saas/roles/adguard/vars/main.yml
index a3e74749..d339c322 100644
--- a/ansible/playbooks/saas/roles/adguard/vars/main.yml
+++ b/ansible/playbooks/saas/roles/adguard/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 image:
   build: true
+  forkable: false
   upstream:
     source: github
     user: AdguardTeam
diff --git a/ansible/playbooks/saas/roles/arangodb/tasks/build.yml b/ansible/playbooks/saas/roles/arangodb/tasks/build.yml
index d87dbb34..bcf1b930 100644
--- a/ansible/playbooks/saas/roles/arangodb/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/arangodb/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
\ No newline at end of file
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
\ No newline at end of file
diff --git a/ansible/playbooks/saas/roles/caddy/tasks/build.yml b/ansible/playbooks/saas/roles/caddy/tasks/build.yml
index 2047e74d..28013d4a 100644
--- a/ansible/playbooks/saas/roles/caddy/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/caddy/tasks/build.yml
@@ -5,28 +5,19 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
+    image_forkable: "{{ image.forkable }}"
 
-# - name: End playbook if no new version
-#   ansible.builtin.meta: end_host
-#   when: softwares[image.name] is defined and softwares[image.name].version == image_version
-
-- name: Download Github release
-  ansible.builtin.get_url:
-    url: "{{ upstream_file_url }}"
-    dest: "{{ build_work_dir }}/download/"
-    mode: '0644'
-    force: no
-  register: download_result
+- name: End playbook if no new version
+  ansible.builtin.meta: end_host
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
 
 - name: Unarchive GitHub release
   ansible.builtin.unarchive:
-    src: "{{ build_work_dir }}/download/{{ upstream_file_name }}"
+    src: "{{ upstream_file_url }}"
     dest: "{{ build_work_dir }}/download"
     remote_src: true
-  when: download_result.changed
+  register: download_result
 
 - name: Find binary
   ansible.builtin.include_role:
diff --git a/ansible/playbooks/saas/roles/caddy/vars/main.yml b/ansible/playbooks/saas/roles/caddy/vars/main.yml
index e7f16afc..7eec9b26 100644
--- a/ansible/playbooks/saas/roles/caddy/vars/main.yml
+++ b/ansible/playbooks/saas/roles/caddy/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 image:
   build: true
+  forkable: false
   upstream:
     source: github
     user: caddyserver
diff --git a/ansible/playbooks/saas/roles/code_server/tasks/build.yml b/ansible/playbooks/saas/roles/code_server/tasks/build.yml
index 68406697..de163a2c 100644
--- a/ansible/playbooks/saas/roles/code_server/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/code_server/tasks/build.yml
@@ -5,10 +5,9 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
+    image_forkable: "{{ image.forkable }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/code_server/tasks/main.yml b/ansible/playbooks/saas/roles/code_server/tasks/main.yml
index 6759f4e1..04059eae 100644
--- a/ansible/playbooks/saas/roles/code_server/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/code_server/tasks/main.yml
@@ -15,9 +15,6 @@
     - "{{ software_path }}/home/coder/.ssh"
     - "{{ software_path }}/projects"
 
-- debug:
-    msg: "{{ size}}" 
-
 - name: Copy nomad job
   ansible.builtin.template:
     src: nomad.hcl
diff --git a/ansible/playbooks/saas/roles/code_server/vars/main.yml b/ansible/playbooks/saas/roles/code_server/vars/main.yml
index d7c45e2b..0aeaed2b 100644
--- a/ansible/playbooks/saas/roles/code_server/vars/main.yml
+++ b/ansible/playbooks/saas/roles/code_server/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 image:
   build: false
+  forkable: true
   upstream:
     source: github
     user: codercom
diff --git a/ansible/playbooks/saas/roles/dolibarr/tasks/build.yml b/ansible/playbooks/saas/roles/dolibarr/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/dolibarr/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/dolibarr/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/forgejo/tasks/build.yml b/ansible/playbooks/saas/roles/forgejo/tasks/build.yml
index 6a0303db..796ce846 100644
--- a/ansible/playbooks/saas/roles/forgejo/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/forgejo/tasks/build.yml
@@ -5,13 +5,11 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
 
 - name: Download Github release
   ansible.builtin.get_url:
diff --git a/ansible/playbooks/saas/roles/forgejo/vars/main.yml b/ansible/playbooks/saas/roles/forgejo/vars/main.yml
index 7a7189ba..6dbb8af9 100644
--- a/ansible/playbooks/saas/roles/forgejo/vars/main.yml
+++ b/ansible/playbooks/saas/roles/forgejo/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 image:
   build: true
+  forkable: false
   upstream:
     source: codeberg
     user: forgejo
diff --git a/ansible/playbooks/saas/roles/freshrss/tasks/build.yml b/ansible/playbooks/saas/roles/freshrss/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/freshrss/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/freshrss/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/grafana/tasks/build.yml b/ansible/playbooks/saas/roles/grafana/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/grafana/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/grafana/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/homeassistant/tasks/build.yml b/ansible/playbooks/saas/roles/homeassistant/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/homeassistant/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/homeassistant/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/kresus/tasks/build.yml b/ansible/playbooks/saas/roles/kresus/tasks/build.yml
index 00c1d0d2..2208cecf 100644
--- a/ansible/playbooks/saas/roles/kresus/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/kresus/tasks/build.yml
@@ -5,13 +5,11 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
 
 - name: Copy config file
   ansible.builtin.copy:
diff --git a/ansible/playbooks/saas/roles/kresus/vars/main.yml b/ansible/playbooks/saas/roles/kresus/vars/main.yml
index f4cc962b..8ae91103 100644
--- a/ansible/playbooks/saas/roles/kresus/vars/main.yml
+++ b/ansible/playbooks/saas/roles/kresus/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 image:
   build: true
+  forkable: false
   upstream:
     source: framagit
     user: kresusapp
diff --git a/ansible/playbooks/saas/roles/litellm/tasks/build.yml b/ansible/playbooks/saas/roles/litellm/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/litellm/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/litellm/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/loki/tasks/build.yml b/ansible/playbooks/saas/roles/loki/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/loki/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/loki/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/mariadb/tasks/build.yml b/ansible/playbooks/saas/roles/mariadb/tasks/build.yml
index 9ed68d21..a2675eb6 100644
--- a/ansible/playbooks/saas/roles/mariadb/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/mariadb/tasks/build.yml
@@ -2,10 +2,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ mariadb_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/milvus/tasks/build.yml b/ansible/playbooks/saas/roles/milvus/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/milvus/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/milvus/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/mimir/tasks/build.yml b/ansible/playbooks/saas/roles/mimir/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/mimir/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/mimir/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/minio/tasks/build.yml b/ansible/playbooks/saas/roles/minio/tasks/build.yml
index 11b4cc29..6d2745af 100644
--- a/ansible/playbooks/saas/roles/minio/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/minio/tasks/build.yml
@@ -5,13 +5,11 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
 
 - name: Download latest release
   ansible.builtin.get_url:
diff --git a/ansible/playbooks/saas/roles/minio/vars/main.yml b/ansible/playbooks/saas/roles/minio/vars/main.yml
index 4eb222de..7431523b 100644
--- a/ansible/playbooks/saas/roles/minio/vars/main.yml
+++ b/ansible/playbooks/saas/roles/minio/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 image:
   build: true
+  forkable: false
   upstream:
     source: github
     user: minio
diff --git a/ansible/playbooks/saas/roles/mosquitto/tasks/build.yml b/ansible/playbooks/saas/roles/mosquitto/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/mosquitto/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/mosquitto/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/nextcloud/tasks/build.yml b/ansible/playbooks/saas/roles/nextcloud/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/nextcloud/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/nextcloud/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/nginx/tasks/build.yml b/ansible/playbooks/saas/roles/nginx/tasks/build.yml
index c24e904d..d199d571 100644
--- a/ansible/playbooks/saas/roles/nginx/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/nginx/tasks/build.yml
@@ -7,13 +7,11 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ (latest_version | split('-'))[0] }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
 
 - name: Copy boilerplate configuration snippets files
   ansible.builtin.copy:
diff --git a/ansible/playbooks/saas/roles/nodejs/tasks/build.yml b/ansible/playbooks/saas/roles/nodejs/tasks/build.yml
index 24809656..be443eb3 100644
--- a/ansible/playbooks/saas/roles/nodejs/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/nodejs/tasks/build.yml
@@ -7,13 +7,11 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ (latest_version | split('-'))[0] }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
 
 - name: Copy dockerfile
   ansible.builtin.template:
diff --git a/ansible/playbooks/saas/roles/nodejs/vars/main.yml b/ansible/playbooks/saas/roles/nodejs/vars/main.yml
index 30e63cdb..d7e17be5 100644
--- a/ansible/playbooks/saas/roles/nodejs/vars/main.yml
+++ b/ansible/playbooks/saas/roles/nodejs/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 image:
   build: true
+  forkable: true
   upstream:
     source: apk
     repository: main
diff --git a/ansible/playbooks/saas/roles/open-webui/tasks/build.yml b/ansible/playbooks/saas/roles/open-webui/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/open-webui/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/open-webui/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/phpfpm/tasks/build.yml b/ansible/playbooks/saas/roles/phpfpm/tasks/build.yml
index 24809656..be443eb3 100644
--- a/ansible/playbooks/saas/roles/phpfpm/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/phpfpm/tasks/build.yml
@@ -7,13 +7,11 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ (latest_version | split('-'))[0] }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
 
 - name: Copy dockerfile
   ansible.builtin.template:
diff --git a/ansible/playbooks/saas/roles/phpfpm/vars/main.yml b/ansible/playbooks/saas/roles/phpfpm/vars/main.yml
index 08a5e218..00adc335 100644
--- a/ansible/playbooks/saas/roles/phpfpm/vars/main.yml
+++ b/ansible/playbooks/saas/roles/phpfpm/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 image:
   build: true
+  forkable: true
   upstream:
     source: apk
     repository: community
diff --git a/ansible/playbooks/saas/roles/postgresql/tasks/build.yml b/ansible/playbooks/saas/roles/postgresql/tasks/build.yml
index 416eb26b..350ed624 100644
--- a/ansible/playbooks/saas/roles/postgresql/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/postgresql/tasks/build.yml
@@ -2,10 +2,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "18.0"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/registry/tasks/build.yml b/ansible/playbooks/saas/roles/registry/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/registry/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/registry/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/rocketchat/tasks/build.yml b/ansible/playbooks/saas/roles/rocketchat/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/rocketchat/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/rocketchat/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/simplestack_ansible/tasks/build.yml b/ansible/playbooks/saas/roles/simplestack_ansible/tasks/build.yml
index 1f0c5e0c..efb0d7c9 100644
--- a/ansible/playbooks/saas/roles/simplestack_ansible/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/simplestack_ansible/tasks/build.yml
@@ -5,11 +5,9 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
 
diff --git a/ansible/playbooks/saas/roles/simplestack_ui/tasks/build.yml b/ansible/playbooks/saas/roles/simplestack_ui/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/simplestack_ui/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/simplestack_ui/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/traefik/tasks/build.yml b/ansible/playbooks/saas/roles/traefik/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/traefik/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/traefik/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/valkey/tasks/build.yml b/ansible/playbooks/saas/roles/valkey/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/valkey/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/valkey/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/vector/tasks/build.yml b/ansible/playbooks/saas/roles/vector/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/vector/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/vector/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/vllm/tasks/build.yml b/ansible/playbooks/saas/roles/vllm/tasks/build.yml
index 68406697..f1029407 100644
--- a/ansible/playbooks/saas/roles/vllm/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/vllm/tasks/build.yml
@@ -5,10 +5,8 @@
 - name: Set custom variables
   ansible.builtin.set_fact:
     image_version: "{{ latest_version }}"
-    image_name: "{{ image.name }}"
-    image_labels: "{{ image.labels }}"
-    image_build: "{{ image.build }}"
+    image_definition: "{{ image }}"
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/playbooks/saas/roles/wordpress/tasks/build.yml b/ansible/playbooks/saas/roles/wordpress/tasks/build.yml
index 88adfc97..89be0979 100644
--- a/ansible/playbooks/saas/roles/wordpress/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/wordpress/tasks/build.yml
@@ -13,7 +13,7 @@
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
 
 - name: Download wp-cli
   ansible.builtin.get_url:
diff --git a/ansible/playbooks/saas/roles/wordpress/vars/main.yml b/ansible/playbooks/saas/roles/wordpress/vars/main.yml
index 2a0d9134..3aa5fbe2 100644
--- a/ansible/playbooks/saas/roles/wordpress/vars/main.yml
+++ b/ansible/playbooks/saas/roles/wordpress/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 image:
   build: true
+  forkable: false
   upstream:
     source: apk
     repository: community
diff --git a/ansible/playbooks/saas/roles/zigbee2mqtt/tasks/build.yml b/ansible/playbooks/saas/roles/zigbee2mqtt/tasks/build.yml
index 68406697..5d53ad8d 100644
--- a/ansible/playbooks/saas/roles/zigbee2mqtt/tasks/build.yml
+++ b/ansible/playbooks/saas/roles/zigbee2mqtt/tasks/build.yml
@@ -11,4 +11,4 @@
 
 - name: End playbook if no new version
   ansible.builtin.meta: end_host
-  when: softwares[image.name] is defined and softwares[image.name].version == image_version
+  when: softwares[catalog_image_name] is defined and softwares[catalog_image_name].version == image_version
diff --git a/ansible/rulebook.yml b/ansible/rulebook.yml
index 4911df3f..9eb42898 100644
--- a/ansible/rulebook.yml
+++ b/ansible/rulebook.yml
@@ -79,10 +79,10 @@
       condition: event.payload.type == "saas-image"
       actions:
         - run_playbook:
-            name: playbooks/saas/image.yml
+            name: playbooks/saas/image-forkable.yml
             extra_vars:
               hosts_limit: "{{ event.payload.meta.hosts }}"
-              catalog: "{{ event.payload.catalog }}"
+              catalog_id: "{{ event.payload.catalog_id }}"
 
     - name: saas-operate
       condition: event.payload.type == "saas-operate"
diff --git a/ui/index.js.map b/ui/index.js.map
index 76360003..41feaf24 100644
--- a/ui/index.js.map
+++ b/ui/index.js.map
@@ -121,7 +121,7 @@
 			"url": "/api/",
 			"auth": 1,
 			"id": "catalogs_create",
-			"input": "*name:String, *version:String",
+			"input": "*name:String, *version:String, *forkable:Boolean",
 			"name": "Create catalog item"
 		},
 		{
@@ -380,7 +380,7 @@
 		},
 		{
 			"name": "Catalogs/create",
-			"input": "*name:String, *version:String",
+			"input": "*name:String, *version:String, *forkable:Boolean",
 			"permissions": "catalogs"
 		},
 		{
diff --git a/ui/public/forms/catalogs.html b/ui/public/forms/catalogs.html
index e4088cc5..9bdce250 100644
--- a/ui/public/forms/catalogs.html
+++ b/ui/public/forms/catalogs.html
@@ -74,7 +74,8 @@
 		};
 
 		exports.fork = function() {
-			SET('formcatalogfork @default', { tab: 'default', catalog_list: GET('catalog_list'), crontab: '* * * * *'});
+			const catalog_list = GET('catalog_list').filter(item => Boolean(item?.forkable));
+			SET('formcatalogfork @default', { tab: 'default', catalog_list: catalog_list, crontab: '* * * * *'});
 			SET('common.form2', 'formcatalogfork');
 		};
 
@@ -113,7 +114,7 @@
 			exports.tapi('catalogs_read/{0} ERROR'.format(id), function(response) {
 				if(fork){
 					response.tab = 'default';
-					response.catalog_list = GET('catalog_list');
+					response.catalog_list = GET('catalog_list').filter(item => Boolean(item?.forkable));
 					
 					SET('formcatalogfork @reset @hideloading', response);
 					SET('common.form2', 'formcatalogfork');
diff --git a/ui/schemas/catalogs.js b/ui/schemas/catalogs.js
index 078bf2ce..22f678ad 100644
--- a/ui/schemas/catalogs.js
+++ b/ui/schemas/catalogs.js
@@ -32,7 +32,7 @@ NEWSCHEMA('Catalogs', function(schema) {
 		action: async function($) {
 			const [catalogs, settings] = await Promise.all([
 				DATA.list('nosql/catalogs')
-					.fields('id,name,origin,picto,suffix,alias,description,version,cron,crontab,fork')
+					.fields('id,name,origin,picto,suffix,alias,description,version,cron,crontab,forkable,fork')
 					.error('@(Error loading catalogs)')
 					.promise($),
 				DATA.read('nosql/variables')
@@ -51,7 +51,7 @@ NEWSCHEMA('Catalogs', function(schema) {
 	schema.action('create', {
 		name: 'Create catalog item',
 		permissions: 'catalogs',
-		input: '*name:String, *version:String',
+		input: '*name:String, *version:String, *forkable:Boolean',
 		action: async function($, model) {
 			model.id = UID();
 			model.dtcreated = NOW;
@@ -68,6 +68,7 @@ NEWSCHEMA('Catalogs', function(schema) {
 			} else {
 				await DATA.update('nosql/catalogs', {
 						version: model.version,
+						forkable: model.forkable,
 						dtupdated: NOW
 					})
 					.id(existing.id)
@@ -220,8 +221,7 @@ NEWSCHEMA('Catalogs', function(schema) {
 			const payload = {
 				meta: { hosts: decrypted.instance },
 				type: 'saas-image',
-				catalog: item.name,
-				fork: item.fork
+				catalog_id: id
 			};
 
 			RESTBuilder.make(builder => {
diff --git a/ui/schemas/inventory.js b/ui/schemas/inventory.js
index ee6ff867..625a1517 100644
--- a/ui/schemas/inventory.js
+++ b/ui/schemas/inventory.js
@@ -63,12 +63,12 @@ NEWSCHEMA('Inventory', function (schema) {
 		}
 
 		const softwares = await DATA.find('nosql/catalogs')
-			.fields('name,version')
+			.fields('name,version,fork')
 			// .error('@(Error)')
 			.promise();
 
 		inventory.infrastructure.vars.softwares = softwares.reduce((acc, cur) => {
-			acc[cur.name] = { version: cur.version };
+			acc[cur.name] = { version: cur.version, fork: cur.fork || false };
 			return acc;
 		}, {});
 

From 222f88cd837a80a22264c5ee252f871f7aa36d94 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:22:31 +0100
Subject: [PATCH 04/15] build(ansible): add dnsutils to paas playbook
 dependencies

---
 ansible/playbooks/paas/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ansible/playbooks/paas/main.yml b/ansible/playbooks/paas/main.yml
index b1c0b2e4..37711b31 100644
--- a/ansible/playbooks/paas/main.yml
+++ b/ansible/playbooks/paas/main.yml
@@ -27,6 +27,7 @@
           - unzip
           - make
           - jq
+          - dnsutils
 
         state: present
         install_recommends: false

From 5f57fb60775f990b5c0207c0d85cb50ffcc97be7 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:23:06 +0100
Subject: [PATCH 05/15] feat(nomad): extend TLS IP range to include 10.0.0.0/24

Rewrite `nomad_client_meta_list` as a map for readability and expand
`nomad_tls_ip_range` to cover both 192.168.0.0/24 and 10.0.0.0/24 networks.
---
 ansible/playbooks/paas/roles/nomad/defaults/main.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/ansible/playbooks/paas/roles/nomad/defaults/main.yml b/ansible/playbooks/paas/roles/nomad/defaults/main.yml
index 86c61ac5..2c06958d 100644
--- a/ansible/playbooks/paas/roles/nomad/defaults/main.yml
+++ b/ansible/playbooks/paas/roles/nomad/defaults/main.yml
@@ -146,10 +146,10 @@ nomad_client_host_network_cluster:
   name: cluster
   interface: "{{ nomad_cluster_bridge }}"
 
-nomad_client_meta_list: >-
-  {"arch": "{{ architecture_map[ansible_facts.architecture] }}",
-   "location": "{{ fact_instance.location }}",
-   "instance": "{{ inventory_hostname }}"}
+nomad_client_meta_list:
+  arch: "{{ architecture_map[ansible_facts.architecture] }}"
+  location: "{{ fact_instance.location }}"
+  instance: "{{ inventory_hostname }}"
 
 nomad_server_join: >-
   "{% if nomad_mode == 'single' %}127.0.0.1{% else %}{{ (groups[nomad_deploy_cluster_name] |
@@ -195,8 +195,7 @@ nomad_tls_ca_provider: ownca
 nomad_tls_host_certificate_dir: /etc/ssl/simplestack
 
 nomad_tls_common_name: nomad
-# IP range for 192.168.0.0/24 (all 256 addresses)
-nomad_tls_ip_range: "{{ range(0,256) | map('regex_replace', '^', 'IP:192.168.0.') | list | join(',') }}"
+nomad_tls_ip_range: "{{ ((range(0,256) | map('regex_replace', '^', 'IP:192.168.0.')) + (range(0,256) | map('regex_replace', '^', 'IP:10.0.0.')) ) | list | join(',') }}"
 nomad_tls_check_delay: "+2w"
 
 # TLS Server

From 511ecf6ed226acc9a00c27833c7a93390f5108e4 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:23:22 +0100
Subject: [PATCH 06/15] feat(nomad): allow both node roles for TLS cert copy

---
 ansible/playbooks/paas/roles/nomad/tasks/04_tls_certs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/playbooks/paas/roles/nomad/tasks/04_tls_certs.yml b/ansible/playbooks/paas/roles/nomad/tasks/04_tls_certs.yml
index 692a20e2..d09a3da5 100644
--- a/ansible/playbooks/paas/roles/nomad/tasks/04_tls_certs.yml
+++ b/ansible/playbooks/paas/roles/nomad/tasks/04_tls_certs.yml
@@ -60,7 +60,7 @@
       notify: Nomad_restart
 
 - name: Nomad | Copy certificate on client nodes
-  when: nomad_node_role in ['client']
+  when: nomad_node_role in ['client', 'both']
   block:
     - name: "Nomad | Check if TLS cert exists for Client"
       ansible.builtin.stat:

From 0c4ff38ffe13ad8587ebe87864d1afc7147329a4 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:23:35 +0100
Subject: [PATCH 07/15] style(nomad): add space in client meta conditional

---
 ansible/playbooks/paas/roles/nomad/templates/client.hcl.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/playbooks/paas/roles/nomad/templates/client.hcl.j2 b/ansible/playbooks/paas/roles/nomad/templates/client.hcl.j2
index a7db1122..7732ea2d 100644
--- a/ansible/playbooks/paas/roles/nomad/templates/client.hcl.j2
+++ b/ansible/playbooks/paas/roles/nomad/templates/client.hcl.j2
@@ -40,7 +40,7 @@ client {
     }
 {% endif %}
 
-{% if nomad_client_meta_list%}
+{% if nomad_client_meta_list %}
     meta = {
     {% for key, value in nomad_client_meta_list.items() %}
     "{{ key }}" = "{{ value }}"

From 1e2342bca2e839173fb92505f4318e03a74ad7e7 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:23:45 +0100
Subject: [PATCH 08/15] feat(nomad): add consul block to nomad.hcl template

---
 ansible/playbooks/paas/roles/nomad/templates/nomad.hcl.j2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ansible/playbooks/paas/roles/nomad/templates/nomad.hcl.j2 b/ansible/playbooks/paas/roles/nomad/templates/nomad.hcl.j2
index c67aa932..a222679b 100644
--- a/ansible/playbooks/paas/roles/nomad/templates/nomad.hcl.j2
+++ b/ansible/playbooks/paas/roles/nomad/templates/nomad.hcl.j2
@@ -30,6 +30,8 @@ log_rotate_max_files = {{ nomad_log_rotate_max_files }}
 leave_on_terminate = {{ nomad_leave_on_terminate | lower }}
 leave_on_interrupt = {{ nomad_leave_on_interrupt | lower }}
 
+consul {}
+
 tls {
     http = true
     rpc = true

From e5ee0f4e3129eb1f6263d1fe1fce96755f569549 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:24:02 +0100
Subject: [PATCH 09/15] feat(script_exporter): add aarch64 architecture mapping

Support aarch64 platform for script_exporter variables.
---
 ansible/playbooks/paas/roles/script_exporter/vars/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ansible/playbooks/paas/roles/script_exporter/vars/main.yml b/ansible/playbooks/paas/roles/script_exporter/vars/main.yml
index 37966851..bf894c1f 100644
--- a/ansible/playbooks/paas/roles/script_exporter/vars/main.yml
+++ b/ansible/playbooks/paas/roles/script_exporter/vars/main.yml
@@ -22,3 +22,4 @@ script_exporter_scripts:
       armv7: armhf
       amd64: amd64
       x86_64: x86_64
+      aarch64: aarch64

From 2029cd5f11944b7a9af262e95217538e72962fa7 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:24:25 +0100
Subject: [PATCH 10/15] fix(prometheus): use hostvars IP for nomad server in
 prometheus

---
 .../paas/roles/prometheus/templates/config.j2  | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/ansible/playbooks/paas/roles/prometheus/templates/config.j2 b/ansible/playbooks/paas/roles/prometheus/templates/config.j2
index a4530264..1800f2ab 100644
--- a/ansible/playbooks/paas/roles/prometheus/templates/config.j2
+++ b/ansible/playbooks/paas/roles/prometheus/templates/config.j2
@@ -223,7 +223,7 @@ scrape_configs:
 
   - job_name: 'mimir_exporter'
     nomad_sd_configs:
-      - server: "https://{{ nomad_primary_master_address | default(inventory_hostname) }}:4646"
+      - server: "https://{{ nomad_primary_master_address | default(hostvars[inventory_hostname]['ansible_' + hostvars[inventory_hostname].nomad_iface]['ipv4']['address']) }}:4646"
         region: "{{ fact_instance.region }}"
         tls_config:
           insecure_skip_verify: true
@@ -262,7 +262,7 @@ scrape_configs:
 
   - job_name: 'traefik'
     nomad_sd_configs:
-      - server: "https://{{ nomad_primary_master_address | default(inventory_hostname) }}:4646"
+      - server: "https://{{ nomad_primary_master_address | default(hostvars[inventory_hostname]['ansible_' + hostvars[inventory_hostname].nomad_iface]['ipv4']['address']) }}:4646"
         region: "{{ fact_instance.region }}"
         tls_config:
           insecure_skip_verify: true
@@ -297,7 +297,7 @@ scrape_configs:
     metrics_path: /minio/v2/metrics/cluster
     scheme: http
     nomad_sd_configs:
-      - server: "https://{{ nomad_primary_master_address | default(inventory_hostname) }}:4646"
+      - server: "https://{{ nomad_primary_master_address | default(hostvars[inventory_hostname]['ansible_' + hostvars[inventory_hostname].nomad_iface]['ipv4']['address']) }}:4646"
         region: "{{ fact_instance.region }}"
         tls_config:
           insecure_skip_verify: true
@@ -324,7 +324,7 @@ scrape_configs:
 
   - job_name: 'caddy'
     nomad_sd_configs:
-      - server: "https://{{ nomad_primary_master_address | default(inventory_hostname) }}:4646"
+      - server: "https://{{ nomad_primary_master_address | default(hostvars[inventory_hostname]['ansible_' + hostvars[inventory_hostname].nomad_iface]['ipv4']['address']) }}:4646"
         region: "{{ fact_instance.region }}"
         tls_config:
           insecure_skip_verify: true
@@ -356,7 +356,7 @@ scrape_configs:
 
   - job_name: 'vllm'
     nomad_sd_configs:
-      - server: "https://{{ nomad_primary_master_address | default(inventory_hostname) }}:4646"
+      - server: "https://{{ nomad_primary_master_address | default(hostvars[inventory_hostname]['ansible_' + hostvars[inventory_hostname].nomad_iface]['ipv4']['address']) }}:4646"
         region: "{{ fact_instance.region }}"
         tls_config:
           insecure_skip_verify: true
@@ -388,7 +388,7 @@ scrape_configs:
 
   - job_name: 'mysql_exporter'
     nomad_sd_configs:
-      - server: "https://{{ nomad_primary_master_address | default(inventory_hostname) }}:4646"
+      - server: "https://{{ nomad_primary_master_address | default(hostvars[inventory_hostname]['ansible_' + hostvars[inventory_hostname].nomad_iface]['ipv4']['address']) }}:4646"
         region: "{{ fact_instance.region }}"
         tls_config:
           insecure_skip_verify: true
@@ -419,7 +419,7 @@ scrape_configs:
 
   - job_name: 'nginx_exporter'
     nomad_sd_configs:
-      - server: "https://{{ nomad_primary_master_address | default(inventory_hostname) }}:4646"
+      - server: "https://{{ nomad_primary_master_address | default(hostvars[inventory_hostname]['ansible_' + hostvars[inventory_hostname].nomad_iface]['ipv4']['address']) }}:4646"
         region: "{{ fact_instance.region }}"
         tls_config:
           insecure_skip_verify: true
@@ -450,7 +450,7 @@ scrape_configs:
 
   - job_name: 'phpfpm_exporter'
     nomad_sd_configs:
-      - server: "https://{{ nomad_primary_master_address | default(inventory_hostname) }}:4646"
+      - server: "https://{{ nomad_primary_master_address | default(hostvars[inventory_hostname]['ansible_' + hostvars[inventory_hostname].nomad_iface]['ipv4']['address']) }}:4646"
         region: "{{ fact_instance.region }}"
         tls_config:
           insecure_skip_verify: true
@@ -484,7 +484,7 @@ scrape_configs:
     metrics_path: /api/prometheus
     scheme: http
     nomad_sd_configs:
-      - server: "https://{{ nomad_primary_master_address | default(inventory_hostname) }}:4646"
+      - server: "https://{{ nomad_primary_master_address | default(hostvars[inventory_hostname]['ansible_' + hostvars[inventory_hostname].nomad_iface]['ipv4']['address']) }}:4646"
         region: "{{ fact_instance.region }}"
         tls_config:
           insecure_skip_verify: true

From f7a7e8c9d27dbe879b850e0e3df18ca949cd13b9 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:24:51 +0100
Subject: [PATCH 11/15] style(grafana): rename copy tasks for clarity

---
 ansible/playbooks/saas/roles/grafana/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ansible/playbooks/saas/roles/grafana/tasks/main.yml b/ansible/playbooks/saas/roles/grafana/tasks/main.yml
index 32f26abd..68f46d70 100644
--- a/ansible/playbooks/saas/roles/grafana/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/grafana/tasks/main.yml
@@ -10,7 +10,7 @@
     - "{{ software_path }}"
   delegate_to: "{{ software.instance }}"
 
-- name: Copy Grafana content files
+- name: Copy files
   ansible.builtin.copy:
     src: "{{ item }}"
     dest: "{{ software_path }}/"
@@ -22,7 +22,7 @@
     - provisioning
   delegate_to: "{{ software.instance }}"
 
-- name: Copy Grafana content templates
+- name: Copy templates
   ansible.builtin.template:
     src: "provisioning/{{ item.path }}/{{ item.file }}.j2"
     dest: "{{ software_path }}/provisioning/{{ item.path }}/{{ item.file }}"

From f7478221090a6e2bb83868212fa88647d2f57c26 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:31:28 +0100
Subject: [PATCH 12/15] feat(mimir): add single-node deployment mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Introduce `mimir_install_node` variable to toggle between single‑node and multi‑node setups. Adjust Nomad job count, MinIO image reference, and template selection accordingly. Add `mimir.yaml-singlenode.j2` template for single‑node configuration.
---
 .../saas/roles/mimir/defaults/main.yml        |  1 +
 ...mimir.yaml.j2 => mimir.yaml-multinodes.j2} |  0
 .../mimir/templates/mimir.yaml-singlenode.j2  | 61 +++++++++++++++++++
 .../saas/roles/mimir/templates/nomad.hcl      | 11 ++--
 4 files changed, 67 insertions(+), 6 deletions(-)
 rename ansible/playbooks/saas/roles/mimir/templates/{mimir.yaml.j2 => mimir.yaml-multinodes.j2} (100%)
 create mode 100644 ansible/playbooks/saas/roles/mimir/templates/mimir.yaml-singlenode.j2

diff --git a/ansible/playbooks/saas/roles/mimir/defaults/main.yml b/ansible/playbooks/saas/roles/mimir/defaults/main.yml
index ed97d539..38eab856 100644
--- a/ansible/playbooks/saas/roles/mimir/defaults/main.yml
+++ b/ansible/playbooks/saas/roles/mimir/defaults/main.yml
@@ -1 +1,2 @@
 ---
+mimir_install_node: "{{ software.install_node |default('singlenode') }}"
\ No newline at end of file
diff --git a/ansible/playbooks/saas/roles/mimir/templates/mimir.yaml.j2 b/ansible/playbooks/saas/roles/mimir/templates/mimir.yaml-multinodes.j2
similarity index 100%
rename from ansible/playbooks/saas/roles/mimir/templates/mimir.yaml.j2
rename to ansible/playbooks/saas/roles/mimir/templates/mimir.yaml-multinodes.j2
diff --git a/ansible/playbooks/saas/roles/mimir/templates/mimir.yaml-singlenode.j2 b/ansible/playbooks/saas/roles/mimir/templates/mimir.yaml-singlenode.j2
new file mode 100644
index 00000000..d4af5d24
--- /dev/null
+++ b/ansible/playbooks/saas/roles/mimir/templates/mimir.yaml-singlenode.j2
@@ -0,0 +1,61 @@
+---
+target: all,alertmanager,overrides-exporter
+
+limits:
+  compactor_blocks_retention_period: 90d
+  # ingestion_rate: 20000
+  ingestion_burst_size: 40000
+  max_label_names_per_series: 100
+  max_label_value_length: 2048
+
+common:
+  storage:
+    backend: s3
+    s3:
+      endpoint: minio-{{ service_name }}.default.service.nomad:9000
+      access_key_id: "{{ lookup('simple-stack-ui', type='secret', key=domain, subkey='access_key_id', missing='error') }}"
+      secret_access_key: "{{ lookup('simple-stack-ui', type='secret', key=domain, subkey='secret_access_key', missing='error') }}"
+      insecure: true
+
+memberlist:
+  join_members: []
+
+blocks_storage:
+  s3:
+    bucket_name: mimir-blocks
+
+ruler:
+  alertmanager_url: http://127.0.0.1:8080/alertmanager
+  ring:
+    heartbeat_period: 2s
+    heartbeat_timeout: 10s
+    instance_addr: {% raw %}{{env "attr.unique.network.ip-address"}}{% endraw %}
+
+ruler_storage:
+  s3:
+    bucket_name: ruler
+
+alertmanager_storage:
+  s3:
+    bucket_name: mimir
+
+alertmanager:
+  fallback_config_file: /local/alertmanager-fallback-config.yaml
+  external_url: http://127.0.0.1:8080/alertmanager
+
+
+compactor:
+
+distributor: 
+  ring:
+    instance_addr: {% raw %}{{env "attr.unique.network.ip-address"}}{% endraw %}
+
+server:
+  log_level: warn
+
+ingester: 
+  ring:
+    replication_factor: 1
+
+usage_stats:
+  enabled: false
diff --git a/ansible/playbooks/saas/roles/mimir/templates/nomad.hcl b/ansible/playbooks/saas/roles/mimir/templates/nomad.hcl
index cfd71437..8c759b4f 100644
--- a/ansible/playbooks/saas/roles/mimir/templates/nomad.hcl
+++ b/ansible/playbooks/saas/roles/mimir/templates/nomad.hcl
@@ -50,7 +50,7 @@ job "{{ domain }}" {
       }
 
       config {
-        image = "minio/minio:{{ softwares.minio.version }}"
+        image = "{{ docker_private_registry.url_project | default(docker_private_registry.url) }}/minio:{{ softwares.minio.version }}"
         volumes = [
           "{{ software_path }}/data/minio:/data:rw"
         ]
@@ -68,7 +68,7 @@ job "{{ domain }}" {
   }
 
   group "{{ domain }}-mimir" {
-    count = 3
+    count = "{{ (mimir_install_node == 'singlenode') | ternary(1, 3) }}"
 
 {% if software.constraints is defined and software.constraints.distinct_hosts is defined %}
     constraint {
@@ -88,7 +88,6 @@ job "{{ domain }}" {
       }
       port "mimir_8080" {
         to = 8080
-        static = 8080
       }
     }
 
@@ -123,13 +122,13 @@ job "{{ domain }}" {
 
       config {
         image = "grafana/mimir:{{ softwares.mimir.version }}"
-        network_mode = "host"
+        # network_mode = "host"
         volumes = [
           "{{ software_path }}/mimir-${NOMAD_ALLOC_INDEX}:/data",
         ]
         args = [
           "-config.file=/local/mimir.yaml",
-          "-memberlist.join=dnssrv+mimir.default.service.nomad"
+          # "-memberlist.join=dnssrv+mimir.default.service.nomad"
         ]
         ports = ["mimir_7946", "mimir_9095", "mimir_8080"]
       }
@@ -138,7 +137,7 @@ job "{{ domain }}" {
         change_mode = "restart"
         destination = "local/mimir.yaml"
         data = <<EOH
-{{ lookup('ansible.builtin.template', 'templates/mimir.yaml.j2') }}
+{{ lookup('ansible.builtin.template', 'templates/mimir.yaml-' + mimir_install_node + '.j2') }}
   EOH
       }
 

From a6a1cf81d620c44122c285a6778b11e88bc05c8a Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:31:56 +0100
Subject: [PATCH 13/15] fix(zigbee2mqtt): use http port for zigbee2mqtt service

---
 ansible/playbooks/saas/roles/zigbee2mqtt/templates/nomad.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/playbooks/saas/roles/zigbee2mqtt/templates/nomad.hcl b/ansible/playbooks/saas/roles/zigbee2mqtt/templates/nomad.hcl
index 4cf709e6..1bfb7ec2 100644
--- a/ansible/playbooks/saas/roles/zigbee2mqtt/templates/nomad.hcl
+++ b/ansible/playbooks/saas/roles/zigbee2mqtt/templates/nomad.hcl
@@ -29,7 +29,7 @@ job "{{ domain }}" {
 
     service {
       name = "{{ service_name }}"
-      port = "zigbee2mqtt"
+      port = "http"
       provider = "nomad"
       tags = [
         {{ lookup('template', '../../traefik/templates/traefik_tag.j2') | indent(8) }}

From 27dc9107f6226a37d17493415d6c5a264b0c7ac3 Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:32:14 +0100
Subject: [PATCH 14/15] fix(ui): exclude secret variables from graph lookup

---
 ui/schemas/graphs.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ui/schemas/graphs.js b/ui/schemas/graphs.js
index c30e83d2..0e2661ca 100644
--- a/ui/schemas/graphs.js
+++ b/ui/schemas/graphs.js
@@ -98,6 +98,7 @@ NEWSCHEMA('Graphs', schema => {
 				const variable = await DATA
 					.read('nosql/variables')
 					.where('key', node.id)
+					.where('type', '!=', 'secret')
 					.promise($);
 
 				if (variable) {

From 5e7ef89194b9acc6ce8cf500c51bacd11b4c7a5a Mon Sep 17 00:00:00 2001
From: Mathieu Garcia <mgarcia@wiseflat.com>
Date: Sat, 15 Nov 2025 23:32:38 +0100
Subject: [PATCH 15/15] refactor(ui): remove debug log from infrastructures
 schema

---
 ui/schemas/infrastructures.js | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ui/schemas/infrastructures.js b/ui/schemas/infrastructures.js
index 02dd9383..6f06a136 100644
--- a/ui/schemas/infrastructures.js
+++ b/ui/schemas/infrastructures.js
@@ -56,8 +56,6 @@ NEWSCHEMA('Infrastructures', function (schema) {
 					}
 				}
 			}
-
-			console.log(instances);
 			$.callback(instances);
 		}
 	});