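---
# Site playbook: base host setup, Docker mirrors, restic backups, the
# WireGuard link between the reverse proxy (10.0.0.1) and the identity
# provider (10.0.0.2), then the services on each side.
#
# Booleans are written as `true`/`false` rather than `yes`/`no` so the
# file parses identically under YAML 1.1 and 1.2 loaders and passes
# yamllint's `truthy` rule; Ansible treats both spellings the same.

- hosts: all
  become: true
  tags: [host]
  tasks:
    - include_role: { name: host }
      vars:
        # Public keys to install live next to the repo, two levels above
        # this playbook.
        ssh_pubkey_dir: "{{ playbook_dir }}/../../.ssh"

- hosts: docker_hosts
  become: true
  tags: [docker]
  tasks:
    - include_role: { name: docker }
      vars:
        registry_mirror_ip: "10.0.0.1"
        # Pull-through caches served from the proxy host (see the
        # docker_registry roles further down).
        registry_mirrors:
          - upstream: docker.io
            mirror: "https://dockerhub.oci.code.tiararodney.com"
          - upstream: ghcr.io
            mirror: "https://ghcr.oci.code.tiararodney.com"

- hosts: proxy
  become: true
  tasks:
    - include_role:
        name: restic
        apply: { tags: [restic] }
      tags: [restic]
      vars:
        host_id: proxy

- hosts: idp
  become: true
  tasks:
    - include_role:
        name: restic
        apply: { tags: [restic] }
      tags: [restic]
      vars:
        host_id: idp

- hosts: localhost
  connection: local
  gather_facts: false
  tags: [letsencrypt, apache]
  tasks:
    # The archive bundles the local letsencrypt tree (private keys
    # included) for the apache role on the proxy host to unpack.
    # NOTE(review): it is written to the shared /tmp with the default
    # umask, and `creates:` means an existing archive is never
    # refreshed, so renewed certificates are not picked up until it is
    # removed by hand. Consider a `file: mode: "0600"` follow-up task
    # and a deliberate cleanup step.
    - name: Create letsencrypt certificate archive
      command:
        cmd: "tar czf /tmp/letsencrypt.tar.gz --dereference -C {{ (playbook_dir + '/../../letsencrypt') | realpath }} ."
        creates: /tmp/letsencrypt.tar.gz

- hosts: wg_peers
  become: true
  tags: [wireguard]
  tasks:
    # Install WireGuard, then generate a key pair on every peer so the
    # hostvars lookups in the two plays below can find `wg_public_key`.
    - include_role: { name: wireguard }
    - include_role: { name: wireguard, tasks_from: generate-keys }

- hosts: proxy
  become: true
  tags: [wireguard]
  tasks:
    # Peer list is only built when the idp host has published its key;
    # every later task is conditional on `wg_peers` being defined.
    # Assumes the `idp` group is non-empty — `groups['idp'][0]` raises
    # otherwise instead of skipping.
    - name: Build WireGuard peer list
      set_fact:
        wg_peers:
          - public_key: "{{ hostvars[groups['idp'][0]]['wg_public_key'] }}"
            allowed_ips: "10.0.0.2/32"
      when: groups['idp'][0] in hostvars and 'wg_public_key' in hostvars[groups['idp'][0]]
    # `wg_client_peers` is expected from inventory/group vars; it is not
    # defined in this playbook.
    - name: Append client peers
      set_fact:
        wg_peers: "{{ wg_peers + wg_client_peers }}"
      when: wg_peers is defined
    - include_role: { name: wireguard, tasks_from: deploy-wireguard }
      vars:
        wg_address: "10.0.0.1/24"
      when: wg_peers is defined
    - name: Display proxy WireGuard public key
      debug:
        msg: "Proxy WG public key: {{ wg_public_key }}"
      when: wg_public_key is defined

- hosts: idp
  become: true
  tags: [wireguard]
  tasks:
    # Mirror of the proxy play: the idp side dials out to the proxy's
    # public endpoint. Assumes the `proxy` group is non-empty.
    - name: Build WireGuard peer list
      set_fact:
        wg_peers:
          - public_key: "{{ hostvars[groups['proxy'][0]]['wg_public_key'] }}"
            allowed_ips: "10.0.0.1/32"
            endpoint: "{{ hostvars[groups['proxy'][0]]['wg_endpoint'] }}:51820"
            # NOTE(review): WireGuard's PersistentKeepalive is an
            # interval in seconds; this relies on the wireguard role
            # mapping a boolean to a default interval — confirm.
            persistent_keepalive: true
      when: groups['proxy'][0] in hostvars and 'wg_public_key' in hostvars[groups['proxy'][0]]
    - name: Append client peers
      set_fact:
        wg_peers: "{{ wg_peers + wg_client_peers }}"
      when: wg_peers is defined
    - include_role: { name: wireguard, tasks_from: deploy-wireguard }
      vars:
        wg_address: "10.0.0.2/24"
      when: wg_peers is defined

- hosts: proxy
  become: true
  vars:
    chat_domain: chat.tiararodney.com
    # Public (browser-facing) and tunnel-internal URLs of authentik.
    # Server-to-server OAuth calls use the internal one so they stay on
    # the WireGuard link and do not loop back through the public vhost.
    authentik_url: https://accounts.tiararodney.com
    authentik_internal_url: http://10.0.0.2:9000
  tasks:
    - include_role:
        name: host
        tasks_from: setup-swap
        apply: { tags: [host, swap] }
      tags: [host, swap]
    # mod_auth_openidc on this host talks to the accounts vhost served
    # by the local Apache, so the public name is pinned to loopback.
    - name: Ensure accounts.tiararodney.com resolves to localhost for mod_auth_openidc
      tags: [apache, bugzilla]
      lineinfile:
        path: /etc/hosts
        regexp: "accounts\\.tiararodney\\.com"
        line: "127.0.0.1 accounts.tiararodney.com"
    - include_role:
        name: dnsmasq
        apply: { tags: [dnsmasq] }
      tags: [dnsmasq]
      vars:
        dns_records:
          - { domain: tiararodney.com, ip: "10.0.0.1" }
    - include_role:
        name: apache
        apply: { tags: [apache] }
      tags: [apache]
      vars:
        # Produced by the localhost play above; must exist before this
        # role runs.
        letsencrypt_archive: /tmp/letsencrypt.tar.gz
    - include_role:
        name: docker_registry
        apply: { tags: [docker-registry] }
      tags: [docker-registry]
      vars:
        hostname: dockerhub.oci.code.tiararodney.com
    - include_role:
        name: docker_registry
        apply: { tags: [docker-registry] }
      tags: [docker-registry]
      vars:
        hostname: ghcr.oci.code.tiararodney.com
        install_dir: /opt/docker-registry-ghcr
        port: 5051
        remote_url: "https://ghcr.io"
    # Restore path: tagged `never`, so it only runs when
    # `--tags registry-restore` is given explicitly.
    - include_role:
        name: restic
        tasks_from: restore-restic
        apply: { tags: [registry-restore, never] }
      tags: [registry-restore, never]
      vars:
        host_id: proxy
        restore_include: /var/backups/docker-registry
    - include_role:
        name: docker_registry
        tasks_from: restore-registry
        apply: { tags: [registry-restore, never] }
      tags: [registry-restore, never]
    - include_role:
        name: apache
        tasks_from: deploy-static-site
        apply: { tags: [blog] }
      tags: [blog]
      vars:
        name: blog
        server_name: blog.tiararodney.com
        document_root: /var/www/blog.tiararodney.com
        ssl_cert: "{{ ssl_cert_tiararodney }}"
        ssl_key: "{{ ssl_key_tiararodney }}"
    - include_role:
        name: apache
        tasks_from: deploy-static-site
        apply: { tags: [spec] }
      tags: [spec]
      vars:
        name: spec
        server_name: specs.code.tiararodney.com
        document_root: /var/www/specs.code.tiararodney.com
        directory_index: "README.html README.md README.txt"
        ssl_cert: "{{ ssl_cert_tiararodney }}"
        ssl_key: "{{ ssl_key_tiararodney }}"
    - include_role:
        name: kellnr
        apply: { tags: [kellnr] }
      tags: [kellnr]
      vars:
        version: "6.0.0-rc.2"
        hostname: crates.code.tiararodney.com
        admin_pwd: "{{ vault_kellnr_admin_pwd }}"
    - include_role:
        name: devpi
        apply: { tags: [devpi] }
      tags: [devpi]
      vars:
        hostname: pypi.code.tiararodney.com
    - include_role:
        name: prosody
        apply: { tags: [prosody] }
      tags: [prosody]
      vars:
        version: "13.0"
        domain: "{{ chat_domain }}"
        admin_jid: "{{ vault_xmpp_admin_user }}@{{ chat_domain }}"
        # Listen only on the tunnel address.
        bind_address: "10.0.0.1"
        ssl_cert: /etc/letsencrypt/live/tiararodney.com/fullchain.pem
        ssl_key: /etc/letsencrypt/live/tiararodney.com/privkey.pem
        oauth_client_id: "{{ vault_xmpp_oauth_client_id }}"
        oauth_userinfo_url: "{{ authentik_internal_url }}/application/o/userinfo/"
        # Resource-owner-password-credentials client used by the XMPP
        # server itself; its secret stays in the vault.
        oauth_ropc_client_id: "{{ vault_xmpp_ropc_client_id }}"
        oauth_ropc_client_secret: "{{ vault_xmpp_ropc_client_secret }}"
        oauth_token_url: "{{ authentik_internal_url }}/application/o/token/"
        # Presumably seconds — confirm against the prosody role.
        session_timeout: 1800
        smtp_host: "{{ vault_prosody_smtp_hostname }}"
        smtp_username: "{{ vault_prosody_smtp_username }}"
        smtp_password: "{{ vault_prosody_smtp_password }}"
        default_contacts:
          - jid: "{{ vault_xmpp_admin_user }}@{{ chat_domain }}"
            name: Tiara
    - include_role:
        name: conversejs
        apply: { tags: [conversejs] }
      tags: [conversejs]
      vars:
        version: "12.0.0"
        domain: "{{ chat_domain }}"
        oauth_client_id: "{{ vault_xmpp_oauth_client_id }}"
        # Browser-side flow, hence the public authentik URL.
        oauth_authorize_url: "{{ authentik_url }}/application/o/authorize/"
        oauth_token_url: "{{ authentik_url }}/application/o/token/"
    - include_role:
        name: apache
        tasks_from: deploy-reverse-proxy
        apply: { tags: [prosody, xmpp-upload] }
      tags: [prosody, xmpp-upload]
      vars:
        vhost_name: xmpp-upload
        server_name: "upload.{{ chat_domain }}"
        ssl_cert: "{{ ssl_cert_tiararodney }}"
        ssl_key: "{{ ssl_key_tiararodney }}"
        backend_port: 5280
    - include_role:
        name: comentario
        apply: { tags: [comentario] }
      tags: [comentario]
      vars:
        # NOTE(review): unpinned tag — every other role here pins a
        # version; "latest" makes deployments non-reproducible and pulls
        # whatever upstream publishes. Pin once a known-good release is
        # chosen.
        version: "latest"
        domain: comments.tiararodney.com
        oauth_issuer_url: "{{ authentik_url }}/application/o/comentario"
        oauth_client_id: "{{ vault_comentario_oauth_client_id }}"
        oauth_client_secret: "{{ vault_comentario_oauth_client_secret }}"
        smtp_host: "{{ vault_comentario_smtp_hostname }}"
        smtp_username: "{{ vault_comentario_smtp_username }}"
        smtp_password: "{{ vault_comentario_smtp_password }}"
    - include_role:
        name: bugzilla
        apply: { tags: [bugzilla] }
      tags: [bugzilla]
      vars:
        version: "5.0.4.1"
        domain: bugs.code.tiararodney.com
        db_password: "{{ vault_bugzilla_db_password }}"
        admin_email: "me@tiararodney.com"
        admin_pwd: "{{ vault_bugzilla_admin_pwd }}"
        # The OIDC endpoints use the public URL; on this host that name
        # resolves to loopback via the /etc/hosts entry above.
        oauth_issuer_url: "{{ authentik_url }}/application/o/bugs"
        oauth_authorize_url: "{{ authentik_url }}/application/o/authorize/"
        oauth_token_url: "{{ authentik_url }}/application/o/token/"
        oauth_userinfo_url: "{{ authentik_url }}/application/o/userinfo/"
        oauth_jwks_url: "{{ authentik_url }}/application/o/bugs/jwks/"
        oauth_client_id: "{{ vault_bugzilla_oauth_client_id }}"
        oauth_client_secret: "{{ vault_bugzilla_oauth_client_secret }}"
        oauth_crypto_passphrase: "{{ vault_bugzilla_oidc_passphrase }}"
        smtp_host: "{{ vault_bugzilla_smtp_hostname }}"
        smtp_username: "{{ vault_bugzilla_smtp_username }}"
        smtp_password: "{{ vault_bugzilla_smtp_password }}"
    - include_role:
        name: apache
        tasks_from: deploy-reverse-proxy
        apply: { tags: [authentik] }
      tags: [authentik]
      vars:
        vhost_name: accounts
        server_name: accounts.tiararodney.com
        ssl_cert: "{{ ssl_cert_tiararodney }}"
        ssl_key: "{{ ssl_key_tiararodney }}"
        # authentik lives on the idp host, reached over the tunnel.
        backend_host: "10.0.0.2"
        backend_port: 9000
        websocket: true
        # The admin interface is reachable only from the tunnel network;
        # the public internet never gets to /if/admin/.
        restricted_locations:
          - path: "/if/admin/"
            allowed_ips: ["10.0.0.0/24"]

- hosts: idp
  become: true
  tags: [authentik]
  tasks:
    - include_role:
        name: host
        tasks_from: setup-zram
        apply: { tags: [host, swap, zram] }
      tags: [host, swap, zram]
    - include_role: { name: authentik }
      vars:
        version: "2026.2.1"
        domain: "accounts.tiararodney.com"
        pg_password: "{{ vault_pg_password }}"
        secret_key: "{{ vault_secret_key }}"
        # Listen only on the tunnel address; the proxy host fronts it.
        bind_address: "10.0.0.2"
        smtp_host: "{{ vault_authentik_smtp_hostname }}"
        smtp_username: "{{ vault_authentik_smtp_username }}"
        smtp_password: "{{ vault_authentik_smtp_password }}"
        # Client ids/secrets must match the values handed to the
        # consuming roles on the proxy host (prosody, conversejs,
        # comentario, bugzilla) — they are the same vault variables.
        oauth_applications:
          - name: Chat
            slug: chat
            # Public client (browser app): no secret.
            client_type: public
            client_id: "{{ vault_xmpp_oauth_client_id }}"
            redirect_uris:
              - "https://chat.tiararodney.com/"
          - name: Chat XMPP
            slug: chat-xmpp
            client_id: "{{ vault_xmpp_ropc_client_id }}"
            client_secret: "{{ vault_xmpp_ropc_client_secret }}"
            redirect_uris:
              - "https://chat.tiararodney.com/"
          - name: Comments
            slug: comments
            client_id: "{{ vault_comentario_oauth_client_id }}"
            client_secret: "{{ vault_comentario_oauth_client_secret }}"
            redirect_uris:
              - "https://comments.tiararodney.com/api/oauth/oidc/callback/authentik"
          - name: Bugs
            slug: bugs
            client_id: "{{ vault_bugzilla_oauth_client_id }}"
            client_secret: "{{ vault_bugzilla_oauth_client_secret }}"
            redirect_uris:
              - "https://bugs.code.tiararodney.com/oidc-callback"
        social_login_sources:
          - name: Google Account
            slug: google
            provider_type: google
            client_id: "{{ vault_social_google_client_id }}"
            client_secret: "{{ vault_social_google_client_secret }}"
          - name: Microsoft Account
            slug: microsoft
            provider_type: entraid
            client_id: "{{ vault_social_microsoft_client_id }}"
            client_secret: "{{ vault_social_microsoft_client_secret }}"
          - name: Apple ID
            slug: apple
            provider_type: apple
            client_id: "{{ vault_social_apple_client_id }}"
            client_secret: "{{ vault_social_apple_client_secret }}"
          - name: Facebook Account
            slug: facebook
            provider_type: facebook
            client_id: "{{ vault_social_facebook_client_id }}"
            client_secret: "{{ vault_social_facebook_client_secret }}"
          - name: X (formerly Twitter) Account
            slug: twitter
            provider_type: twitter
            client_id: "{{ vault_social_twitter_client_id }}"
            client_secret: "{{ vault_social_twitter_client_secret }}"

- hosts: proxy
  become: true
  tasks:
    # Manual trigger only (`never` tag): runs the restic pre-backup hooks
    # installed by the docker_registry roles.
    - name: Trigger registry backups
      tags: [registry-backup, never]
      command: "{{ item }}"
      loop:
        - /etc/restic/pre-backup.d/docker-registry.sh
        - /etc/restic/pre-backup.d/docker-registry-ghcr.sh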