# Ansible Domo

Going for an Esperanto naming theme.

Portable Ansible provisioning for Twirre infrastructure. The current layout uses Ubuntu 24.04 package names, `/srv` for deployed services, `/etc` for config, and systemd-managed apps, so it will not work on Debian without adjustment.

## What this provisions

- Base host packages, timezone, and static content roots
- SSH admin users with key-based login
- A dedicated `backupagent` user for rsync-based backups with restricted SSH settings and passwordless `sudo /usr/bin/rsync`
- Docker from distro packages
- Bun installed to `/opt/bun` with `/usr/local/bin/bun`
- Two Bun app services: `twirre.io` and `twirre.me`
- Gitea and Docker Mailserver as Compose stacks under `/srv`
- nginx virtual hosts for the retained public domains
- apt-based certbot with ACME webroot support
- WireGuard with `wg-quick@wg0` enabled at boot
- fail2ban with the audit-derived SSH jail settings

## Layout

- `site.yml`: top-level playbook
- `inventory/hosts.yml`: example inventory
- `group_vars/all/main.yml`: shared variables and service declarations
- `group_vars/all/vault.example.yml`: secrets shape to move into an encrypted Vault file
- `roles/`: reusable server roles

## Secrets

Create an encrypted Vault file at `group_vars/all/vault.yml` based on `group_vars/all/vault.example.yml`. The playbook uses the Vault variables when they are present and otherwise falls back to safe placeholders so that syntax checks still pass.

Example:

```bash
ansible-vault create group_vars/all/vault.yml
```

## Usage

Update the inventory and variables first, especially:

- `inventory/hosts.yml`
- `group_vars/all/main.yml`
- `group_vars/all/vault.yml`
- repository URLs and domains for the Bun apps
- `backupagent.authorized_keys`

Run a syntax check:

```bash
ansible-playbook --syntax-check site.yml
```

Run the playbook:

```bash
ansible-playbook site.yml --ask-vault-pass
```

## Notes

- nginx falls back to snakeoil certificates until a matching ACME certificate exists on disk.
- If you enable `certbot_manage_certificates`, run the playbook a second time after the first successful issuance so nginx can switch to the live certificates automatically.
- ACME issuance is disabled by default through `certbot_manage_certificates: false` so the first provisioning run can complete before DNS and public reachability are finalized.

## Manual post-provisioning steps

- Set up ACME DNS records for the domains and enable `certbot_manage_certificates: true` before the next playbook run.
- Restore backups for Gitea and Mailserver data.

## Future plans

- [ ] Encryption for non-boot files with LUKS (`/home`, `/srv`, `/var/lib/`).
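One way the `backupagent` hardening listed under "What this provisions" (key-only login, restricted SSH key options, sudo limited to rsync) can be expressed as Ansible tasks. This is an added example, not code from the Ansible Domo roles; the variables `backupagent_pubkey` and `backupagent_source_cidr` are assumed names, not ones the repository defines.

```yaml
# Added example, not part of the Ansible Domo roles.
# Assumed variables: backupagent_pubkey, backupagent_source_cidr.
- name: Create the backupagent account (locked password, key-based login only)
  ansible.builtin.user:
    name: backupagent
    shell: /bin/sh
    create_home: true
    password_lock: true

- name: Install the backup key with restrictive OpenSSH key options
  ansible.posix.authorized_key:
    user: backupagent
    key: "{{ backupagent_pubkey }}"
    exclusive: true   # this key replaces anything else in authorized_keys
    # 'restrict' disables port/agent/X11 forwarding and PTY allocation,
    # which rsync over SSH does not need; 'from=' pins the key to the
    # backup host's address range so a leaked key is useless elsewhere.
    key_options: "restrict,from={{ backupagent_source_cidr }}"

- name: Allow backupagent to run only /usr/bin/rsync via sudo without a password
  ansible.builtin.copy:
    dest: /etc/sudoers.d/backupagent
    owner: root
    group: root
    mode: "0440"
    content: |
      # Exactly one command, as root, no password prompt
      backupagent ALL=(root) NOPASSWD: /usr/bin/rsync
    # Reject the file before it lands if visudo finds a syntax error,
    # so a typo cannot break sudo for every user on the host
    validate: /usr/sbin/visudo -cf %s
```

Keep in mind that root-level rsync can read and write any path, so this account is effectively root-equivalent to whoever holds the key; the key options and the sudoers rule reduce the SSH attack surface, they do not contain rsync itself. Protect the private key on the backup host accordingly and prefer a pull model from a hardened backup server where possible.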