diff --git a/README.md b/README.md
index ba04f71..0e765c6 100644
--- a/README.md
+++ b/README.md
@@ -49,13 +49,13 @@ Update the inventory and variables first, especially:
 Run a syntax check:
 
 ```bash
-.venv/bin/ansible-playbook --syntax-check site.yml
+ansible-playbook --syntax-check site.yml
 ```
 
 Run the playbook:
 
 ```bash
-.venv/bin/ansible-playbook site.yml
+ansible-playbook site.yml
 ```
 
 ## Notes
@@ -63,3 +63,7 @@ Run the playbook:
 - nginx falls back to snakeoil certificates until a matching ACME certificate already exists on disk.
 - If you enable `certbot_manage_certificates`, run the playbook a second time after the first successful issuance so nginx can switch to the live certificates automatically.
 - ACME issuance is disabled by default through `certbot_manage_certificates: false` so the first provisioning run can complete before DNS and public reachability are finalized.
+
+## Future plans
+
+- [ ] Encryption for non-boot files with LUKS (/home, /srv, /var/lib/).
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 487d732..dc78fa1 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -11,6 +11,7 @@ base_packages_common:
   - rsync
   - ssl-cert
   - sudo
+  - unzip
 
 docker_enabled: true
 bun_enabled: true
@@ -215,7 +216,7 @@ mailserver:
   service_group: docker
   path: /srv/mail
   compose_project_name: mailserver
-  image: ghcr.io/docker-mailserver/docker-mailserver:latest
+  image: ghcr.io/docker-mailserver/docker-mailserver:v15.1.0
   hostname: mail.twirre.io
   env:
     ENABLE_SPAMASSASSIN: "0"
diff --git a/group_vars/all/vault.example.yml b/group_vars/all/vault.example.yml
index 4e2546a..af5bdfc 100644
--- a/group_vars/all/vault.example.yml
+++ b/group_vars/all/vault.example.yml
@@ -16,7 +16,9 @@ vault_gitea_internal_token: REPLACE_ME
 vault_gitea_lfs_jwt_secret: REPLACE_ME
 
 vault_mailserver_accounts: |
-  # account@example.com|supersecret
+  # One account per line: email|{SCHEME}hashed-password
+  # Example:
+  # account@example.com|{SHA512-CRYPT}$6$example-salt$example-hash
 
 vault_twirre_io_env: {}
 vault_twirre_me_env: {}
diff --git a/site.yml b/site.yml
index 89274e9..3ba0c3a 100644
--- a/site.yml
+++ b/site.yml
@@ -9,6 +9,11 @@
         that:
           - bun_apps is iterable
           - bun_apps | length > 0
+          - bun_apps | map(attribute='name') | select('string') | list | length == bun_apps | length
+          - bun_apps | map(attribute='repo') | select('string') | list | length == bun_apps | length
+          - bun_apps | map(attribute='path') | select('string') | list | length == bun_apps | length
+          - bun_apps | map(attribute='service_name') | select('string') | list | length == bun_apps | length
+          - bun_apps | map(attribute='entrypoint') | select('string') | list | length == bun_apps | length
         fail_msg: Define at least one Bun application in bun_apps.
         when: bun_enabled | bool
 
@@ -20,6 +25,15 @@
         fail_msg: WireGuard is enabled but the interface address or private key is missing.
         when: wireguard_enabled | bool
 
+    - name: Validate Gitea secrets when enabled
+      ansible.builtin.assert:
+        that:
+          - (vault_gitea_secret_key | default('')) | length > 0
+          - (vault_gitea_internal_token | default('')) | length > 0
+          - (vault_gitea_lfs_jwt_secret | default('')) | length > 0
+        fail_msg: Gitea is enabled but one or more required Vault secrets are missing.
+        when: gitea_enabled | bool
+
   roles:
     - role: base
     - role: ssh
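Review bot: The `fail_msg` kept at the end of the first site.yml hunk, `Define at least one Bun application in bun_apps.`, no longer matches the five assertions added above it, which also fail when an entry lacks a string name, repo, path, service_name or entrypoint, so an operator reading the failure will look for the wrong problem. Suggest `fail_msg: Define at least one Bun application in bun_apps, each with string name, repo, path, service_name and entrypoint.`. Note too that `select('string')` accepts an empty string, so an entry with `entrypoint: ''` still passes; if empties should be rejected, `| select('string') | reject('equalto', '') | list` would catch them. The task's opening lines (its `name` and module) are outside the hunk.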
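Review bot: The three `length > 0` checks in the new `Validate Gitea secrets when enabled` task accept the `REPLACE_ME` placeholders that group_vars/all/vault.example.yml ships for these same variables, so a vault copied from the example without editing still passes and Gitea is provisioned with known, non-secret values. Adding a placeholder rejection per variable, e.g. `- (vault_gitea_secret_key | default('')) != 'REPLACE_ME'`, makes the assertion catch that case. The fail_msg could then mention the unedited example vault as a likely cause.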