Erich Blume
d99c962fe1
Deploy hephd --mode server on indri as a self-updating LaunchAgent managed by Ansible (ansible/roles/heph, tag heph), making indri the canonical heph hub for the hub-and-spoke task/context system. - Server mode on 0.0.0.0:8787, self-update every 10 minutes (cargo install from the public forge URL; ~/.cargo/bin on the agent PATH). - heph-pwa shell served via --web-root straight from a version-pinned checkout, TLS-terminated at heph.ops.eblu.me through Caddy (new caddy_services entry). - New Authentik device-code (RFC 8628) OIDC app 'heph' (public client) plus a default-device-code-flow bound to the default brand's flow_device_code. - Docs: new services/hephaestus.md service card (incl. Path A seeding runbook and the gilbert spoke caveat), indri.md service list, changelog fragment. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
266 lines
8.4 KiB
YAML
266 lines
8.4 KiB
YAML
---
|
|
- name: Configure indri
|
|
hosts: indri
|
|
|
|
# Fetch 1Password credentials upfront to minimize prompts
|
|
# Each role also fetches its own credentials (with 'when: <var> is not defined')
|
|
# so they still work when running with --tags
|
|
pre_tasks:
|
|
- name: Fetch borgmatic database password
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mw2bv5we7woicjza7hc6s44yvy/db-password"
|
|
delegate_to: localhost
|
|
register: _borgmatic_db_pw
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [borgmatic]
|
|
|
|
- name: Set borgmatic database password fact
|
|
ansible.builtin.set_fact:
|
|
borgmatic_db_password: "{{ _borgmatic_db_pw.stdout }}"
|
|
no_log: true
|
|
tags: [borgmatic]
|
|
|
|
- name: Fetch BorgBase SSH private key
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/noiobufntsxyzageu7mvlp2nbe/ssh-private-key"
|
|
delegate_to: localhost
|
|
register: _borgbase_ssh_key
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [borgmatic]
|
|
|
|
- name: Set BorgBase SSH key fact
|
|
ansible.builtin.set_fact:
|
|
borgbase_ssh_private_key: "{{ _borgbase_ssh_key.stdout }}"
|
|
no_log: true
|
|
tags: [borgmatic]
|
|
|
|
# Forgejo secrets
|
|
- name: Fetch forgejo LFS JWT secret
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/lfs-jwt-secret"
|
|
delegate_to: localhost
|
|
register: _forgejo_lfs_jwt
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo]
|
|
|
|
- name: Fetch forgejo internal token
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/internal-token"
|
|
delegate_to: localhost
|
|
register: _forgejo_internal_token
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo]
|
|
|
|
- name: Fetch forgejo OAuth2 JWT secret
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/oauth2-jwt-secret"
|
|
delegate_to: localhost
|
|
register: _forgejo_oauth2_jwt
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo]
|
|
|
|
- name: Set forgejo secrets facts
|
|
ansible.builtin.set_fact:
|
|
forgejo_lfs_jwt_secret: "{{ _forgejo_lfs_jwt.stdout }}"
|
|
forgejo_internal_token: "{{ _forgejo_internal_token.stdout }}"
|
|
forgejo_oauth2_jwt_secret: "{{ _forgejo_oauth2_jwt.stdout }}"
|
|
no_log: true
|
|
tags: [forgejo]
|
|
|
|
# Forgejo Actions secrets (synced to Forgejo via API)
|
|
- name: Fetch Forgejo API token
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/api-token"
|
|
delegate_to: localhost
|
|
register: _forgejo_api_token
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo_actions_secrets]
|
|
|
|
- name: Fetch ArgoCD auth token for Forgejo Actions
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/argocd_token"
|
|
delegate_to: localhost
|
|
register: _forgejo_argocd_token
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo_actions_secrets]
|
|
|
|
- name: Fetch Fly.io deploy token for Forgejo Actions
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/on5slfaygtdjrxmdwezyhfmqsq/deploy-token"
|
|
delegate_to: localhost
|
|
register: _fly_deploy_token
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo_actions_secrets]
|
|
|
|
- name: Fetch Zot CI API key for Forgejo Actions
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/zot-ci-api"
|
|
delegate_to: localhost
|
|
register: _zot_ci_api_key
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo_actions_secrets]
|
|
|
|
- name: Set Forgejo Actions secrets facts
|
|
ansible.builtin.set_fact:
|
|
forgejo_api_token: "{{ _forgejo_api_token.stdout }}"
|
|
forgejo_secret_argocd_token: "{{ _forgejo_argocd_token.stdout }}"
|
|
forgejo_secret_fly_deploy_token: "{{ _fly_deploy_token.stdout }}"
|
|
forgejo_secret_zot_ci_api_key: "{{ _zot_ci_api_key.stdout }}"
|
|
no_log: true
|
|
tags: [forgejo_actions_secrets]
|
|
|
|
# Zot OIDC client secret
|
|
- name: Fetch zot OIDC client secret
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/oor7os5kapczgpbwv7obkca4y4/zot-client-secret"
|
|
delegate_to: localhost
|
|
register: _zot_oidc_secret
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [zot]
|
|
|
|
- name: Set zot OIDC client secret fact
|
|
ansible.builtin.set_fact:
|
|
zot_oidc_client_secret: "{{ _zot_oidc_secret.stdout }}"
|
|
no_log: true
|
|
tags: [zot]
|
|
|
|
# Caddy Gandi token for ACME DNS-01 challenges
|
|
- name: Fetch Gandi PAT for Caddy
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat"
|
|
delegate_to: localhost
|
|
register: _caddy_gandi_token
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [caddy]
|
|
|
|
- name: Set Caddy Gandi token fact
|
|
ansible.builtin.set_fact:
|
|
caddy_gandi_token: "{{ _caddy_gandi_token.stdout }}"
|
|
no_log: true
|
|
tags: [caddy]
|
|
|
|
# Jellyfin SSO client secret
|
|
- name: Fetch Jellyfin OIDC client secret
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/oor7os5kapczgpbwv7obkca4y4/jellyfin-client-secret"
|
|
delegate_to: localhost
|
|
register: _jellyfin_oidc_secret
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [jellyfin]
|
|
|
|
- name: Set Jellyfin OIDC client secret fact
|
|
ansible.builtin.set_fact:
|
|
jellyfin_sso_client_secret: "{{ _jellyfin_oidc_secret.stdout }}"
|
|
no_log: true
|
|
tags: [jellyfin]
|
|
|
|
# Jellyfin API key for metrics collection
|
|
- name: Fetch Jellyfin API key
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/ceywxkcd3z7najsy2nmmbs2vke/credential"
|
|
delegate_to: localhost
|
|
register: _jellyfin_metrics_api_key
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [jellyfin_metrics]
|
|
|
|
- name: Set Jellyfin API key fact
|
|
ansible.builtin.set_fact:
|
|
jellyfin_metrics_api_key: "{{ _jellyfin_metrics_api_key.stdout }}"
|
|
no_log: true
|
|
tags: [jellyfin_metrics]
|
|
|
|
# Forgejo API token for metrics collection
|
|
- name: Fetch Forgejo API token for metrics
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/w3663ffnvkewbftncqxtcpeavy/api-token"
|
|
delegate_to: localhost
|
|
register: _forgejo_metrics_api_token
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo_metrics]
|
|
|
|
- name: Set Forgejo metrics API token fact
|
|
ansible.builtin.set_fact:
|
|
forgejo_metrics_api_key: "{{ _forgejo_metrics_api_token.stdout }}"
|
|
no_log: true
|
|
tags: [forgejo_metrics]
|
|
|
|
# Devpi root password (PyPI mirror admin)
|
|
- name: Fetch devpi root password
|
|
ansible.builtin.command:
|
|
cmd: op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/kyhzfifryqnuk7jeyibmmjvxxm/add more/root password"
|
|
delegate_to: localhost
|
|
register: _devpi_root_password
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [devpi]
|
|
|
|
- name: Set devpi root password fact
|
|
ansible.builtin.set_fact:
|
|
devpi_root_password: "{{ _devpi_root_password.stdout }}"
|
|
no_log: true
|
|
tags: [devpi]
|
|
|
|
roles:
|
|
- role: alloy
|
|
tags: alloy
|
|
- role: borgmatic
|
|
tags: borgmatic
|
|
- role: borgmatic_metrics
|
|
tags: borgmatic_metrics
|
|
- role: forgejo
|
|
tags: forgejo
|
|
- role: forgejo_actions_secrets
|
|
tags: forgejo_actions_secrets
|
|
- role: zot
|
|
tags: zot
|
|
- role: zot_metrics
|
|
tags: zot_metrics
|
|
- role: devpi
|
|
tags: devpi
|
|
- role: minikube
|
|
tags: minikube
|
|
- role: minikube_metrics
|
|
tags: minikube_metrics
|
|
- role: jellyfin
|
|
tags: jellyfin
|
|
- role: jellyfin_metrics
|
|
tags: jellyfin_metrics
|
|
- role: forgejo_metrics
|
|
tags: forgejo_metrics
|
|
- role: cv
|
|
tags: cv
|
|
- role: docs
|
|
tags: docs
|
|
- role: heph
|
|
tags: heph
|
|
- role: caddy
|
|
tags: caddy
|