Ansible Domo

Going for an Esperanto naming theme.

Portable Ansible provisioning for Twirre infrastructure. The current layout is built around Debian-family hosts, /srv for deployed services, /etc for config, and systemd-managed apps.

What this provisions

  • Base host packages, timezone, and static content roots
  • SSH admin users with key-based login
  • A dedicated backupagent user for rsync-based backups, with restricted SSH settings and passwordless sudo limited to /usr/bin/rsync
  • Docker from distro packages
  • Bun installed to /opt/bun with /usr/local/bin/bun
  • Two Bun app services: twirre.io and twirre.me
  • Gitea and Docker Mailserver as Compose stacks under /srv
  • nginx virtual hosts for the retained public domains
  • apt-based certbot with ACME webroot support
  • WireGuard with wg-quick@wg0 enabled at boot
  • fail2ban with the audit-derived SSH jail settings
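
A sketch of how the backupagent restrictions can be expressed as Ansible tasks. This is an added example, not a copy of the roles in this repository; the role path, the drop-in file names and the handler name are assumptions, and the authorized_keys lookup assumes the key file sits in the role's files/ directory. The sudoers rule grants root-level rsync and nothing else, so the authorized key for this user is the thing to keep tightly controlled: whoever holds it can read and write any file on the host through rsync.

```yaml
# roles/backupagent/tasks/main.yml  (added example, not the repository's role)
- name: Create the backup agent user
  ansible.builtin.user:
    name: backupagent
    shell: /bin/sh
    create_home: true
    password_lock: true            # no password login at all; SSH key only

- name: Install the authorized key(s) for the backup agent
  ansible.posix.authorized_key:
    user: backupagent
    key: "{{ lookup('file', 'authorized_keys') }}"   # assumed: roles/backupagent/files/authorized_keys
    exclusive: true                # drop any key that is not in the managed file

- name: Limit passwordless sudo to rsync only
  ansible.builtin.copy:
    dest: /etc/sudoers.d/backupagent
    content: |
      backupagent ALL=(root) NOPASSWD: /usr/bin/rsync
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s   # never install a rule visudo rejects

- name: Restrict the SSH session features available to backupagent
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/50-backupagent.conf   # assumed drop-in name
    content: |
      Match User backupagent
          PasswordAuthentication no
          PubkeyAuthentication yes
          AllowTcpForwarding no
          AllowAgentForwarding no
          X11Forwarding no
          PermitTunnel no
    owner: root
    group: root
    mode: "0644"
    validate: /usr/sbin/sshd -t -f %s   # syntax-check the drop-in before it lands
  notify: Restart sshd               # assumed handler in roles/backupagent/handlers/main.yml
```

Both validate: steps matter on a host you administer over SSH: a broken sudoers or sshd file is rejected before it is written, instead of locking you out on the next login.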

Layout

  • site.yml: top-level playbook
  • inventory/hosts.yml: example inventory
  • group_vars/all/main.yml: shared variables and service declarations
  • group_vars/all/vault.example.yml: secrets shape to move into an encrypted Vault file
  • roles/: reusable server roles

Secrets

Create an encrypted Vault file at group_vars/all/vault.yml based on group_vars/all/vault.example.yml. The playbook will use Vault variables when present and otherwise fall back to safe placeholders for syntax checking.

Example:

ansible-vault create group_vars/all/vault.yml
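
One way to express the fallback described above, as an added example (the variable names gitea_db_password, vault_gitea_db_password and secret_placeholder, and the other secrets listed, are assumptions, not the repository's actual names). The default() filter resolves each secret to its vault_ counterpart when vault.yml is loaded and decrypted, and to a clearly marked placeholder otherwise; a pre_tasks assertion then stops a real run from shipping placeholders to a host, while --syntax-check, which executes no tasks, still passes without the Vault file.

```yaml
# group_vars/all/main.yml  (added example; variable names are assumptions)
secret_placeholder: "PLACEHOLDER-NOT-A-SECRET"

# Each secret comes from group_vars/all/vault.yml when that file is present
# and decrypted; otherwise the marked placeholder keeps templating working.
gitea_db_password: "{{ vault_gitea_db_password | default(secret_placeholder) }}"
mailserver_admin_password: "{{ vault_mailserver_admin_password | default(secret_placeholder) }}"
wireguard_private_key: "{{ vault_wireguard_private_key | default(secret_placeholder) }}"

---
# site.yml, first play  (added example; the assert guards a real run only)
- hosts: all
  become: true
  pre_tasks:
    - name: Refuse to provision with placeholder secrets
      ansible.builtin.assert:
        that:
          - gitea_db_password != secret_placeholder
          - mailserver_admin_password != secret_placeholder
          - wireguard_private_key != secret_placeholder
        fail_msg: >-
          group_vars/all/vault.yml is missing; create it with
          `ansible-vault create group_vars/all/vault.yml` and run the playbook
          with --ask-vault-pass or --vault-password-file.
        quiet: true          # do not echo the checked expressions (and values) on success
```

When the encrypted file exists, ansible-playbook needs the Vault password to load it at all (for example `.venv/bin/ansible-playbook --ask-vault-pass site.yml`), so the assertion only ever fires for the missing-file case. Keeping fail_msg free of the values themselves, and quiet: true on the assert, avoids leaking a real secret into the run log.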

Usage

Update the inventory and variables first, especially:

  • inventory/hosts.yml
  • group_vars/all/main.yml
  • group_vars/all/vault.yml
  • repository URLs and domains for the Bun apps
  • backupagent.authorized_keys

Run a syntax check:

.venv/bin/ansible-playbook --syntax-check site.yml

Run the playbook:

.venv/bin/ansible-playbook site.yml

Notes

  • nginx uses the Debian snakeoil certificate for a domain until a matching ACME certificate exists on disk.
  • If you enable certbot_manage_certificates, run the playbook a second time after the first successful issuance so nginx can switch to the live certificates automatically.
  • ACME issuance is disabled by default through certbot_manage_certificates: false so the first provisioning run can complete before DNS and public reachability are finalized.
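
The certificate switch described in these notes, as an added example of the task pattern (this is not the repository's nginx role; the nginx_domains variable, the vhost.conf.j2 template and the handler names are assumptions). The stat result for each domain decides whether the vhost is rendered with the live ACME paths or the snakeoil pair, which is why a second run after the first successful issuance is enough to move nginx to the real certificate.

```yaml
# roles/nginx/tasks/main.yml  (added example; variable and file names are assumptions)
- name: Check for a live ACME certificate per domain
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
  loop: "{{ nginx_domains }}"          # assumed list of the retained public domains
  register: acme_cert

- name: Render one vhost per domain, choosing live or snakeoil certificate
  ansible.builtin.template:
    src: vhost.conf.j2                 # assumed template using {{ tls_cert }} / {{ tls_key }}
    dest: "/etc/nginx/sites-available/{{ item.item }}.conf"
    owner: root
    group: root
    mode: "0644"
  vars:
    domain: "{{ item.item }}"
    # Live paths only once the certificate exists on disk; snakeoil until then.
    tls_cert: "{{ item.stat.exists | ternary('/etc/letsencrypt/live/' ~ domain ~ '/fullchain.pem',
                                             '/etc/ssl/certs/ssl-cert-snakeoil.pem') }}"
    tls_key: "{{ item.stat.exists | ternary('/etc/letsencrypt/live/' ~ domain ~ '/privkey.pem',
                                            '/etc/ssl/private/ssl-cert-snakeoil.key') }}"
  loop: "{{ acme_cert.results }}"
  loop_control:
    label: "{{ item.item }}"           # keep the per-item stat output out of the log
  notify:
    - Validate nginx config
    - Reload nginx

# roles/nginx/handlers/main.yml  (added example). Handlers run in the order they are
# defined here, so the config test always precedes the reload.
# - name: Validate nginx config
#   ansible.builtin.command: nginx -t
#   changed_when: false
# - name: Reload nginx
#   ansible.builtin.service:
#     name: nginx
#     state: reloaded
```

In the template, `ssl_certificate {{ tls_cert }};` and `ssl_certificate_key {{ tls_key }};` are the only lines that change between the two runs. The snakeoil-phase vhost still has to serve /.well-known/acme-challenge/ from the webroot, otherwise the first certbot issuance has nothing to answer the challenge with and the second run finds no certificate to switch to.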

Description

Ansible stuff for Twirre, by Twirre.