twirre/ansible-domo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6939f40a9fd74413827f87677344a8f0d6966ef6
ansible-domo/README.md
Twirre Meulenbelt d8f4307969 fix: fixes for problems encountered during deployment
2026-04-22 18:29:36 +02:00

75 lines
2.6 KiB
Markdown
Raw Blame History

# Ansible Domo
Going for an Esperanto naming theme.
Portable Ansible provisioning for Twirre infrastructure. The current layout uses Ubuntu 24.04 package names, `/srv` for deployed services, `/etc` for config, and systemd-managed apps, so it will not work on Debian without adjustment.
## What this provisions
- Base host packages, timezone, and static content roots
- SSH admin users with key-based login
- A dedicated `backupagent` user for rsync-based backups with restricted SSH settings and passwordless `sudo /usr/bin/rsync`
- Docker from distro packages
- Bun installed to `/opt/bun` with `/usr/local/bin/bun`
- Two Bun app services: `twirre.io` and `twirre.me`
- Gitea and Docker Mailserver as Compose stacks under `/srv`
- nginx virtual hosts for the retained public domains
- apt-based certbot with ACME webroot support
- WireGuard with `wg-quick@wg0` enabled at boot
- fail2ban with the audit-derived SSH jail settings
## Layout
- `site.yml`: top-level playbook
- `inventory/hosts.yml`: example inventory
- `group_vars/all/main.yml`: shared variables and service declarations
- `group_vars/all/vault.example.yml`: secrets shape to move into an encrypted Vault file
- `roles/`: reusable server roles
## Secrets
Create an encrypted Vault file at `group_vars/all/vault.yml` based on `group_vars/all/vault.example.yml`. The playbook will use Vault variables when present and otherwise fall back to safe placeholders for syntax checking.
Example:
```bash
ansible-vault create group_vars/all/vault.yml
```
## Usage
Update the inventory and variables first, especially:
- `inventory/hosts.yml`
- `group_vars/all/main.yml`
- `group_vars/all/vault.yml`
- repository URLs and domains for the Bun apps
- `backupagent.authorized_keys`
Run a syntax check:
```bash
ansible-playbook --syntax-check site.yml
```
Run the playbook:
```bash
ansible-playbook site.yml --ask-vault-pass
```
## Notes
- nginx falls back to snakeoil certificates until a matching ACME certificate already exists on disk.
- If you enable `certbot_manage_certificates`, run the playbook a second time after the first successful issuance so nginx can switch to the live certificates automatically.
- ACME issuance is disabled by default through `certbot_manage_certificates: false` so the first provisioning run can complete before DNS and public reachability are finalized.
## Manual post-provisioning steps
- Set up ACME DNS records for the domains and enable `certbot_manage_certificates: true` before the next playbook run.
- Restore backups for Gitea and Mailserver data.
## Future plans
- [ ] Encryption for non-boot files with LUKS (/home, /srv, /var/lib/<my-services>).
Reference in New Issue View Git Blame Copy Permalink