blumeops/ansible/playbooks/indri.yml

---
- name: Configure indri
  hosts: indri

  # Fetch 1Password credentials upfront to minimize prompts
  # Each role also fetches its own credentials (with 'when: <var> is not defined')
  # so they still work when running with --tags
  pre_tasks:
    - name: Fetch borgmatic database password
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mw2bv5we7woicjza7hc6s44yvy/db-password"
      delegate_to: localhost
      register: _borgmatic_db_pw
      changed_when: false
      no_log: true
      check_mode: false
      tags: [borgmatic]

    - name: Set borgmatic database password fact
      ansible.builtin.set_fact:
        borgmatic_db_password: "{{ _borgmatic_db_pw.stdout }}"
      no_log: true
      tags: [borgmatic]

    - name: Fetch BorgBase SSH private key
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/noiobufntsxyzageu7mvlp2nbe/ssh-private-key"
      delegate_to: localhost
      register: _borgbase_ssh_key
      changed_when: false
      no_log: true
      check_mode: false
      tags: [borgmatic]

    - name: Set BorgBase SSH key fact
      ansible.builtin.set_fact:
        borgbase_ssh_private_key: "{{ _borgbase_ssh_key.stdout }}"
      no_log: true
      tags: [borgmatic]

    # Forgejo secrets
    - name: Fetch forgejo LFS JWT secret
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/lfs-jwt-secret"
      delegate_to: localhost
      register: _forgejo_lfs_jwt
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo]

    - name: Fetch forgejo internal token
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/internal-token"
      delegate_to: localhost
      register: _forgejo_internal_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo]

    - name: Fetch forgejo OAuth2 JWT secret
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/oauth2-jwt-secret"
      delegate_to: localhost
      register: _forgejo_oauth2_jwt
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo]

    - name: Set forgejo secrets facts
      ansible.builtin.set_fact:
        forgejo_lfs_jwt_secret: "{{ _forgejo_lfs_jwt.stdout }}"
        forgejo_internal_token: "{{ _forgejo_internal_token.stdout }}"
        forgejo_oauth2_jwt_secret: "{{ _forgejo_oauth2_jwt.stdout }}"
      no_log: true
      tags: [forgejo]

    # Forgejo Actions secrets (synced to Forgejo via API)
    - name: Fetch Forgejo API token
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/api-token"
      delegate_to: localhost
      register: _forgejo_api_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo_actions_secrets]

    - name: Fetch ArgoCD auth token for Forgejo Actions
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/argocd_token"
      delegate_to: localhost
      register: _forgejo_argocd_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo_actions_secrets]

    - name: Fetch Fly.io deploy token for Forgejo Actions
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/on5slfaygtdjrxmdwezyhfmqsq/deploy-token"
      delegate_to: localhost
      register: _fly_deploy_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo_actions_secrets]

    - name: Fetch Zot CI API key for Forgejo Actions
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/zot-ci-api"
      delegate_to: localhost
      register: _zot_ci_api_key
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo_actions_secrets]

    - name: Set Forgejo Actions secrets facts
      ansible.builtin.set_fact:
        forgejo_api_token: "{{ _forgejo_api_token.stdout }}"
        forgejo_secret_argocd_token: "{{ _forgejo_argocd_token.stdout }}"
        forgejo_secret_fly_deploy_token: "{{ _fly_deploy_token.stdout }}"
        forgejo_secret_zot_ci_api_key: "{{ _zot_ci_api_key.stdout }}"
      no_log: true
      tags: [forgejo_actions_secrets]

    # Zot OIDC client secret
    - name: Fetch zot OIDC client secret
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/oor7os5kapczgpbwv7obkca4y4/zot-client-secret"
      delegate_to: localhost
      register: _zot_oidc_secret
      changed_when: false
      no_log: true
      check_mode: false
      tags: [zot]

    - name: Set zot OIDC client secret fact
      ansible.builtin.set_fact:
        zot_oidc_client_secret: "{{ _zot_oidc_secret.stdout }}"
      no_log: true
      tags: [zot]

    # Caddy Gandi token for ACME DNS-01 challenges
    - name: Fetch Gandi PAT for Caddy
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat"
      delegate_to: localhost
      register: _caddy_gandi_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [caddy]

    - name: Set Caddy Gandi token fact
      ansible.builtin.set_fact:
        caddy_gandi_token: "{{ _caddy_gandi_token.stdout }}"
      no_log: true
      tags: [caddy]

    # Jellyfin SSO client secret
    - name: Fetch Jellyfin OIDC client secret
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/oor7os5kapczgpbwv7obkca4y4/jellyfin-client-secret"
      delegate_to: localhost
      register: _jellyfin_oidc_secret
      changed_when: false
      no_log: true
      check_mode: false
      tags: [jellyfin]

    - name: Set Jellyfin OIDC client secret fact
      ansible.builtin.set_fact:
        jellyfin_sso_client_secret: "{{ _jellyfin_oidc_secret.stdout }}"
      no_log: true
      tags: [jellyfin]

    # Jellyfin API key for metrics collection
    - name: Fetch Jellyfin API key
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/ceywxkcd3z7najsy2nmmbs2vke/credential"
      delegate_to: localhost
      register: _jellyfin_metrics_api_key
      changed_when: false
      no_log: true
      check_mode: false
      tags: [jellyfin_metrics]

    - name: Set Jellyfin API key fact
      ansible.builtin.set_fact:
        jellyfin_metrics_api_key: "{{ _jellyfin_metrics_api_key.stdout }}"
      no_log: true
      tags: [jellyfin_metrics]

    # Forgejo API token for metrics collection
    - name: Fetch Forgejo API token for metrics
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/api-token"
      delegate_to: localhost
      register: _forgejo_metrics_api_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo_metrics]

    - name: Set Forgejo metrics API token fact
      ansible.builtin.set_fact:
        forgejo_metrics_api_key: "{{ _forgejo_metrics_api_token.stdout }}"
      no_log: true
      tags: [forgejo_metrics]

    # Devpi root password (PyPI mirror admin)
    - name: Fetch devpi root password
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/kyhzfifryqnuk7jeyibmmjvxxm/add more/root password"
      delegate_to: localhost
      register: _devpi_root_password
      changed_when: false
      no_log: true
      check_mode: false
      tags: [devpi]

    - name: Set devpi root password fact
      ansible.builtin.set_fact:
        devpi_root_password: "{{ _devpi_root_password.stdout }}"
      no_log: true
      tags: [devpi]

  roles:
    - role: alloy
      tags: alloy
    - role: borgmatic
      tags: borgmatic
    - role: borgmatic_metrics
      tags: borgmatic_metrics
    - role: forgejo
      tags: forgejo
    - role: forgejo_actions_secrets
      tags: forgejo_actions_secrets
    - role: zot
      tags: zot
    - role: zot_metrics
      tags: zot_metrics
    - role: devpi
      tags: devpi
    - role: minikube
      tags: minikube
    - role: minikube_metrics
      tags: minikube_metrics
    - role: jellyfin
      tags: jellyfin
    - role: jellyfin_metrics
      tags: jellyfin_metrics
    - role: forgejo_metrics
      tags: forgejo_metrics
    - role: cv
      tags: cv
    - role: docs
      tags: docs
    - role: heph
      tags: heph
    - role: caddy
      tags: caddy