General

Most of our roles follow the same principles :

Limit the required configuration : most defaults trie to auto configure themselves

Auto generate password and other secrets when they are not defined

Handle upgrades : we don't only manage installations, but also upgrades of existing installations

Backup : during an upgrade, the previous installation will be backed up and archived so you can restore it in case something went wrong

Integrate with other roles with hooks : dumps are handled by droping hooks in /etc/backup/{pre,post}.d, which will be executed by the pre-backup command if you deploy the backuup role. Let's Encrypt certificates works the same way etc.

Keep softwares up to date : we try to maintain all the roles we're using up to date, and quickly update them when a new upstream version is released