feat: update README, update configuration files for improved validation

This commit is contained in:
Twirre Meulenbelt
2026-04-22 16:29:08 +02:00
parent 0d967909e7
commit 4aa98b5514
4 changed files with 25 additions and 4 deletions


@@ -49,13 +49,13 @@ Update the inventory and variables first, especially:
Run a syntax check:
```bash
.venv/bin/ansible-playbook --syntax-check site.yml
ansible-playbook --syntax-check site.yml
```
Run the playbook:
```bash
.venv/bin/ansible-playbook site.yml
ansible-playbook site.yml
```
## Notes
@@ -63,3 +63,7 @@ Run the playbook:
- nginx falls back to snakeoil certificates until a matching ACME certificate already exists on disk.
- If you enable `certbot_manage_certificates`, run the playbook a second time after the first successful issuance so nginx can switch to the live certificates automatically.
- ACME issuance is disabled by default through `certbot_manage_certificates: false` so the first provisioning run can complete before DNS and public reachability are finalized.
## Future plans
- [ ] Encryption for non-boot files with LUKS (/home, /srv, /var/lib/<my-services>).


@@ -11,6 +11,7 @@ base_packages_common:
- rsync
- ssl-cert
- sudo
- unzip
docker_enabled: true
bun_enabled: true
@@ -215,7 +216,7 @@ mailserver:
service_group: docker
path: /srv/mail
compose_project_name: mailserver
image: ghcr.io/docker-mailserver/docker-mailserver:latest
image: ghcr.io/docker-mailserver/docker-mailserver:v15.1.0
hostname: mail.twirre.io
env:
ENABLE_SPAMASSASSIN: "0"
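Review bot: If `ghcr.io/docker-mailserver/docker-mailserver:v15.1.0` is the new side of the `image:` line (the surviving lines carry no +/- marker, so this is inferred from the commit title), the move away from `:latest` is an improvement, but a version tag is still mutable at the registry and can be re-pushed. For a reproducible and tamper-evident pull, pin the digest alongside the tag, e.g. `image: ghcr.io/docker-mailserver/docker-mailserver:v15.1.0@sha256:<DIGEST_PLACEHOLDER>`, and note in a comment where the digest was taken from so the next bump can verify it. The enclosing `mailserver:` mapping begins outside the hunk.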


@@ -16,7 +16,9 @@ vault_gitea_internal_token: REPLACE_ME
vault_gitea_lfs_jwt_secret: REPLACE_ME
vault_mailserver_accounts: |
# account@example.com|supersecret
# One account per line: email|{SCHEME}hashed-password
# Example:
# account@example.com|{SHA512-CRYPT}$6$example-salt$example-hash
vault_twirre_io_env: {}
vault_twirre_me_env: {}
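Review bot: The three `#` lines under `vault_mailserver_accounts: |` are content of the block scalar, not YAML comments, so they become part of the variable's value; whether that is harmless depends on the consumer skipping `#`-prefixed lines when it writes the accounts file, which this page does not show. If it does not, a comment-only value would still count as non-empty for any `length > 0` style check while producing an accounts file with no usable account. Consider moving the format guidance to a real YAML comment above the key (`# One account per line: email|{SCHEME}hashed-password`) and leaving the block scalar with only real entries, or add a comment stating that the consumer ignores `#` lines.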


@@ -9,6 +9,11 @@
that:
- bun_apps is iterable
- bun_apps | length > 0
- bun_apps | map(attribute='name') | select('string') | list | length == bun_apps | length
- bun_apps | map(attribute='repo') | select('string') | list | length == bun_apps | length
- bun_apps | map(attribute='path') | select('string') | list | length == bun_apps | length
- bun_apps | map(attribute='service_name') | select('string') | list | length == bun_apps | length
- bun_apps | map(attribute='entrypoint') | select('string') | list | length == bun_apps | length
fail_msg: Define at least one Bun application in bun_apps.
when: bun_enabled | bool
@@ -20,6 +25,15 @@
fail_msg: WireGuard is enabled but the interface address or private key is missing.
when: wireguard_enabled | bool
- name: Validate Gitea secrets when enabled
ansible.builtin.assert:
that:
- (vault_gitea_secret_key | default('')) | length > 0
- (vault_gitea_internal_token | default('')) | length > 0
- (vault_gitea_lfs_jwt_secret | default('')) | length > 0
fail_msg: Gitea is enabled but one or more required Vault secrets are missing.
when: gitea_enabled | bool
roles:
- role: base
- role: ssh
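Review bot: The new Gitea assertion in the second hunk only checks each secret's length, so the `REPLACE_ME` placeholders shipped in the vault file section above pass validation and would be deployed as the live `SECRET_KEY`, internal token and LFS JWT secret. Add an inequality per value, e.g. `- (vault_gitea_secret_key | default('')) != 'REPLACE_ME'` (and the same for `vault_gitea_internal_token` and `vault_gitea_lfs_jwt_secret`), or factor the placeholder into a single variable so all three checks reject it. The `bun_apps` checks in the first hunk have a similar gap: `select('string')` accepts empty strings, so `name: ""` or `entrypoint: ""` still satisfies the count comparison; `select('match', '.+')` would reject empty values if they are not valid. The enclosing task list begins outside the hunk.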