linderhof/playbooks/deploy.yml

---
# Full first-time deployment — provisions and deploys everything in one shot.
# Usage: ansible-playbook playbooks/deploy.yml
#
# Prerequisites:
#   1. run setup.sh and review config.yml, vault.yml, dns.yml
#   2. if enable_restic: run storage_box.yml first so storagebox.yml exists
#      before this playbook starts (Ansible loads group_vars at startup)
#
# This playbook is intended for initial deployments only. After the first run,
# bootstrap will fail (root SSH is disabled) — use site.yml for subsequent deploys.
#
# dkim_sync.yml is intentionally excluded: it requires the mail server to be
# fully running and keys generated. Run it manually after confirming mail is up:
#   ansible-playbook playbooks/dkim_sync.yml

- import_playbook: provision.yml
- import_playbook: dns.yml

# Refresh inventory so the newly provisioned server IP is visible to subsequent plays
- name: Refresh inventory
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - meta: refresh_inventory

- import_playbook: bootstrap.yml
- import_playbook: site.yml
Add storage_box playbook and fix HCLOUD_TOKEN extraction - Add storage_box role: generates SSH key pair, creates Hetzner Storage Box with known password, installs public key via install-ssh-key, writes storagebox.yml to stack config. Idempotent: skips key install if SSH key auth already works. - Add deploy.yml: one-shot playbook chaining provision → dns → storage_box → bootstrap → site for fresh deployments - Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from vault YAML values - Add restic_storagebox_password to vault template and setup.sh prompt - Add sshpass to README prerequisites Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-01 17:43:14 -07:00			`---`
			`# Full first-time deployment — provisions and deploys everything in one shot.`
			`# Usage: ansible-playbook playbooks/deploy.yml`
			`#`
Fix storage_box SSH key installation and deploy ordering - Always run install-ssh-key (drop unreliable sftp idempotency check that was bypassed by SSH agent forwarding) - Use sshpass -e (env var) instead of -p to avoid shell quoting issues with special characters in passwords - Add -o IdentitiesOnly=yes to prevent agent keys interfering - Add reachable_externally: true to access_settings (was being reset to false on every run) - Remove storage_box.yml from deploy.yml chain — Ansible loads group_vars at startup so storagebox.yml must exist before deploy.yml - Document storage_box.yml as a prerequisite step in README, CLAUDE.md, and setup.sh next steps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-01 21:14:45 -07:00			`# Prerequisites:`
			`# 1. run setup.sh and review config.yml, vault.yml, dns.yml`
			`# 2. if enable_restic: run storage_box.yml first so storagebox.yml exists`
			`# before this playbook starts (Ansible loads group_vars at startup)`
Add storage_box playbook and fix HCLOUD_TOKEN extraction - Add storage_box role: generates SSH key pair, creates Hetzner Storage Box with known password, installs public key via install-ssh-key, writes storagebox.yml to stack config. Idempotent: skips key install if SSH key auth already works. - Add deploy.yml: one-shot playbook chaining provision → dns → storage_box → bootstrap → site for fresh deployments - Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from vault YAML values - Add restic_storagebox_password to vault template and setup.sh prompt - Add sshpass to README prerequisites Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-01 17:43:14 -07:00			`#`
			`# This playbook is intended for initial deployments only. After the first run,`
			`# bootstrap will fail (root SSH is disabled) — use site.yml for subsequent deploys.`
			`#`
			`# dkim_sync.yml is intentionally excluded: it requires the mail server to be`
			`# fully running and keys generated. Run it manually after confirming mail is up:`
			`# ansible-playbook playbooks/dkim_sync.yml`

			`- import_playbook: provision.yml`
			`- import_playbook: dns.yml`

			`# Refresh inventory so the newly provisioned server IP is visible to subsequent plays`
			`- name: Refresh inventory`
			`hosts: localhost`
			`connection: local`
			`gather_facts: false`
			`tasks:`
			`- meta: refresh_inventory`

			`- import_playbook: bootstrap.yml`
			`- import_playbook: site.yml`