feat: update README, update configuration files for improved validation

README.md

@@ -49,13 +49,13 @@ Update the inventory and variables first, especially:
 Run a syntax check:
 
 ```bash
-.venv/bin/ansible-playbook --syntax-check site.yml
+ansible-playbook --syntax-check site.yml
 ```
 
 Run the playbook:
 
 ```bash
-.venv/bin/ansible-playbook site.yml
+ansible-playbook site.yml
 ```
 
 ## Notes
@@ -63,3 +63,7 @@ Run the playbook:
 - nginx falls back to snakeoil certificates until a matching ACME certificate already exists on disk.
 - If you enable `certbot_manage_certificates`, run the playbook a second time after the first successful issuance so nginx can switch to the live certificates automatically.
 - ACME issuance is disabled by default through `certbot_manage_certificates: false` so the first provisioning run can complete before DNS and public reachability are finalized.
+
+## Future plans
+
+- [ ] Encryption for non-boot files with LUKS (/home, /srv, /var/lib/<my-services>).

group_vars/all/main.yml

@@ -11,6 +11,7 @@ base_packages_common:
   - rsync
   - ssl-cert
   - sudo
+  - unzip
 
 docker_enabled: true
 bun_enabled: true
@@ -215,7 +216,7 @@ mailserver:
   service_group: docker
   path: /srv/mail
   compose_project_name: mailserver
-  image: ghcr.io/docker-mailserver/docker-mailserver:latest
+  image: ghcr.io/docker-mailserver/docker-mailserver:v15.1.0
   hostname: mail.twirre.io
   env:
     ENABLE_SPAMASSASSIN: "0"

group_vars/all/vault.example.yml

@@ -16,7 +16,9 @@ vault_gitea_internal_token: REPLACE_ME
 vault_gitea_lfs_jwt_secret: REPLACE_ME
 
 vault_mailserver_accounts: |
-  # account@example.com|supersecret
+  # One account per line: email|{SCHEME}hashed-password
+  # Example:
+  # account@example.com|{SHA512-CRYPT}$6$example-salt$example-hash
 
 vault_twirre_io_env: {}
 vault_twirre_me_env: {}

site.yml

@@ -9,6 +9,11 @@
         that:
           - bun_apps is iterable
           - bun_apps | length > 0
+          - bun_apps | map(attribute='name') | select('string') | list | length == bun_apps | length
+          - bun_apps | map(attribute='repo') | select('string') | list | length == bun_apps | length
+          - bun_apps | map(attribute='path') | select('string') | list | length == bun_apps | length
+          - bun_apps | map(attribute='service_name') | select('string') | list | length == bun_apps | length
+          - bun_apps | map(attribute='entrypoint') | select('string') | list | length == bun_apps | length
         fail_msg: Define at least one Bun application in bun_apps.
       when: bun_enabled | bool
 
@@ -20,6 +25,15 @@
         fail_msg: WireGuard is enabled but the interface address or private key is missing.
       when: wireguard_enabled | bool
 
+    - name: Validate Gitea secrets when enabled
+      ansible.builtin.assert:
+        that:
+          - (vault_gitea_secret_key | default('')) | length > 0
+          - (vault_gitea_internal_token | default('')) | length > 0
+          - (vault_gitea_lfs_jwt_secret | default('')) | length > 0
+        fail_msg: Gitea is enabled but one or more required Vault secrets are missing.
+      when: gitea_enabled | bool
+
   roles:
     - role: base
     - role: ssh