twirre/ansible-domo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4 Commits 1 Branch 0 Tags
d8f4307969fbe8f9adb62bd6cd24847a732a1c3d
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

README.md

Ansible Domo

Going for an Esperanto naming theme.

Portable Ansible provisioning for Twirre infrastructure. The current layout uses Ubuntu 24.04 package names, /srv for deployed services, /etc for config, and systemd-managed apps, so it will not work on Debian without adjustment.

What this provisions

  • Base host packages, timezone, and static content roots
  • SSH admin users with key-based login
  • A dedicated backupagent user for rsync-based backups with restricted SSH settings and passwordless sudo /usr/bin/rsync
  • Docker from distro packages
  • Bun installed to /opt/bun with /usr/local/bin/bun
  • Two Bun app services: twirre.io and twirre.me
  • Gitea and Docker Mailserver as Compose stacks under /srv
  • nginx virtual hosts for the retained public domains
  • apt-based certbot with ACME webroot support
  • WireGuard with wg-quick@wg0 enabled at boot
  • fail2ban with the audit-derived SSH jail settings

Layout

  • site.yml: top-level playbook
  • inventory/hosts.yml: example inventory
  • group_vars/all/main.yml: shared variables and service declarations
  • group_vars/all/vault.example.yml: secrets shape to move into an encrypted Vault file
  • roles/: reusable server roles

Secrets

Create an encrypted Vault file at group_vars/all/vault.yml based on group_vars/all/vault.example.yml. The playbook will use Vault variables when present and otherwise fall back to safe placeholders for syntax checking.

Example:

ansible-vault create group_vars/all/vault.yml

Usage

Update the inventory and variables first, especially:

  • inventory/hosts.yml
  • group_vars/all/main.yml
  • group_vars/all/vault.yml
  • repository URLs and domains for the Bun apps
  • backupagent.authorized_keys

Run a syntax check:

ansible-playbook --syntax-check site.yml

Run the playbook:

ansible-playbook site.yml --ask-vault-pass

Notes

  • nginx falls back to snakeoil certificates until a matching ACME certificate already exists on disk.
  • If you enable certbot_manage_certificates, run the playbook a second time after the first successful issuance so nginx can switch to the live certificates automatically.
  • ACME issuance is disabled by default through certbot_manage_certificates: false so the first provisioning run can complete before DNS and public reachability are finalized.

Manual post-provisioning steps

  • Set up ACME DNS records for the domains and enable certbot_manage_certificates: true before the next playbook run.
  • Restore backups for Gitea and Mailserver data.

Future plans

  • Encryption for non-boot files with LUKS (/home, /srv, /var/lib/).
Reference in New Issue View Git Blame Copy Permalink
Description
Ansible stuff for Twirre, by Twirre.
Readme 75 KiB
Languages
Jinja 100%