---
- name: Configure indri
  hosts: indri

  # Fetch 1Password credentials upfront to minimize prompts.
  # Each role also fetches its own credentials (guarded with 'when: <var> is not defined')
  # so the roles still work when running with --tags, which skips these tagged pre_tasks.
  #
  # Every fetch task shares the same shape:
  #   delegate_to: localhost  - the 'op' CLI and the 1Password session live on the controller
  #   changed_when: false     - reading a secret never changes managed state
  #   no_log: true            - keep the secret out of stdout, logs and callback plugins
  #   check_mode: false       - run even under --check so the facts exist for later tasks
  pre_tasks:
    - name: Fetch borgmatic database password
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mw2bv5we7woicjza7hc6s44yvy/db-password"
      delegate_to: localhost
      register: _borgmatic_db_pw
      changed_when: false
      no_log: true
      check_mode: false
      tags: [borgmatic]

    - name: Set borgmatic database password fact
      ansible.builtin.set_fact:
        borgmatic_db_password: "{{ _borgmatic_db_pw.stdout }}"
      no_log: true
      tags: [borgmatic]

    - name: Fetch BorgBase SSH private key
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/noiobufntsxyzageu7mvlp2nbe/ssh-private-key"
      delegate_to: localhost
      register: _borgbase_ssh_key
      changed_when: false
      no_log: true
      check_mode: false
      tags: [borgmatic]

    - name: Set BorgBase SSH key fact
      ansible.builtin.set_fact:
        borgbase_ssh_private_key: "{{ _borgbase_ssh_key.stdout }}"
      no_log: true
      tags: [borgmatic]

    # Forgejo secrets
    - name: Fetch forgejo LFS JWT secret
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/lfs-jwt-secret"
      delegate_to: localhost
      register: _forgejo_lfs_jwt
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo]

    - name: Fetch forgejo internal token
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/internal-token"
      delegate_to: localhost
      register: _forgejo_internal_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo]

    - name: Fetch forgejo OAuth2 JWT secret
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/oauth2-jwt-secret"
      delegate_to: localhost
      register: _forgejo_oauth2_jwt
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo]

    - name: Set forgejo secrets facts
      ansible.builtin.set_fact:
        forgejo_lfs_jwt_secret: "{{ _forgejo_lfs_jwt.stdout }}"
        forgejo_internal_token: "{{ _forgejo_internal_token.stdout }}"
        forgejo_oauth2_jwt_secret: "{{ _forgejo_oauth2_jwt.stdout }}"
      no_log: true
      tags: [forgejo]

    # Forgejo Actions secrets (synced to Forgejo via API)
    - name: Fetch Forgejo API token
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/api-token"
      delegate_to: localhost
      register: _forgejo_api_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo_actions_secrets]

    - name: Fetch ArgoCD auth token for Forgejo Actions
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/argocd_token"
      delegate_to: localhost
      register: _forgejo_argocd_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo_actions_secrets]

    - name: Fetch Fly.io deploy token for Forgejo Actions
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/on5slfaygtdjrxmdwezyhfmqsq/deploy-token"
      delegate_to: localhost
      register: _fly_deploy_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo_actions_secrets]

    - name: Fetch Zot CI API key for Forgejo Actions
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/zot-ci-api"
      delegate_to: localhost
      register: _zot_ci_api_key
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo_actions_secrets]

    - name: Set Forgejo Actions secrets facts
      ansible.builtin.set_fact:
        forgejo_api_token: "{{ _forgejo_api_token.stdout }}"
        forgejo_secret_argocd_token: "{{ _forgejo_argocd_token.stdout }}"
        forgejo_secret_fly_deploy_token: "{{ _fly_deploy_token.stdout }}"
        forgejo_secret_zot_ci_api_key: "{{ _zot_ci_api_key.stdout }}"
      no_log: true
      tags: [forgejo_actions_secrets]

    # Zot OIDC client secret
    - name: Fetch zot OIDC client secret
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/oor7os5kapczgpbwv7obkca4y4/zot-client-secret"
      delegate_to: localhost
      register: _zot_oidc_secret
      changed_when: false
      no_log: true
      check_mode: false
      tags: [zot]

    - name: Set zot OIDC client secret fact
      ansible.builtin.set_fact:
        zot_oidc_client_secret: "{{ _zot_oidc_secret.stdout }}"
      no_log: true
      tags: [zot]

    # Caddy Gandi token for ACME DNS-01 challenges
    - name: Fetch Gandi PAT for Caddy
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat"
      delegate_to: localhost
      register: _caddy_gandi_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [caddy]

    - name: Set Caddy Gandi token fact
      ansible.builtin.set_fact:
        caddy_gandi_token: "{{ _caddy_gandi_token.stdout }}"
      no_log: true
      tags: [caddy]

    # Jellyfin SSO client secret
    - name: Fetch Jellyfin OIDC client secret
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/oor7os5kapczgpbwv7obkca4y4/jellyfin-client-secret"
      delegate_to: localhost
      register: _jellyfin_oidc_secret
      changed_when: false
      no_log: true
      check_mode: false
      tags: [jellyfin]

    - name: Set Jellyfin OIDC client secret fact
      ansible.builtin.set_fact:
        jellyfin_sso_client_secret: "{{ _jellyfin_oidc_secret.stdout }}"
      no_log: true
      tags: [jellyfin]

    # Jellyfin API key for metrics collection
    - name: Fetch Jellyfin API key
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/ceywxkcd3z7najsy2nmmbs2vke/credential"
      delegate_to: localhost
      register: _jellyfin_metrics_api_key
      changed_when: false
      no_log: true
      check_mode: false
      tags: [jellyfin_metrics]

    - name: Set Jellyfin API key fact
      ansible.builtin.set_fact:
        jellyfin_metrics_api_key: "{{ _jellyfin_metrics_api_key.stdout }}"
      no_log: true
      tags: [jellyfin_metrics]

    # Forgejo API token for metrics collection
    # (same 1Password item as the Forgejo Actions fetch above; read again under its
    # own tag so that `--tags forgejo_metrics` works without the other pre_tasks)
    - name: Fetch Forgejo API token for metrics
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/api-token"
      delegate_to: localhost
      register: _forgejo_metrics_api_token
      changed_when: false
      no_log: true
      check_mode: false
      tags: [forgejo_metrics]

    - name: Set Forgejo metrics API token fact
      ansible.builtin.set_fact:
        forgejo_metrics_api_key: "{{ _forgejo_metrics_api_token.stdout }}"
      no_log: true
      tags: [forgejo_metrics]

    # Devpi root password (PyPI mirror admin)
    # The section and field names contain spaces, so the whole reference stays quoted.
    - name: Fetch devpi root password
      ansible.builtin.command:
        cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/kyhzfifryqnuk7jeyibmmjvxxm/add more/root password"
      delegate_to: localhost
      register: _devpi_root_password
      changed_when: false
      no_log: true
      check_mode: false
      tags: [devpi]

    - name: Set devpi root password fact
      ansible.builtin.set_fact:
        devpi_root_password: "{{ _devpi_root_password.stdout }}"
      no_log: true
      tags: [devpi]

  # Each role carries a tag matching its name so it can be run in isolation.
  roles:
    - role: alloy
      tags: alloy
    - role: borgmatic
      tags: borgmatic
    - role: borgmatic_metrics
      tags: borgmatic_metrics
    - role: forgejo
      tags: forgejo
    - role: forgejo_actions_secrets
      tags: forgejo_actions_secrets
    - role: zot
      tags: zot
    - role: zot_metrics
      tags: zot_metrics
    - role: devpi
      tags: devpi
    - role: minikube
      tags: minikube
    - role: minikube_metrics
      tags: minikube_metrics
    - role: jellyfin
      tags: jellyfin
    - role: jellyfin_metrics
      tags: jellyfin_metrics
    - role: forgejo_metrics
      tags: forgejo_metrics
    - role: cv
      tags: cv
    - role: docs
      tags: docs
    - role: heph
      tags: heph
    - role: caddy
      tags: caddy