linderhof/playbooks/deploy.yml

---
# Full first-time deployment — provisions and deploys everything in one shot.
# Usage: ansible-playbook playbooks/deploy.yml
#
# Prerequisites: run setup.sh first, then review config.yml, vault.yml, dns.yml
#
# This playbook is intended for initial deployments only. After the first run,
# bootstrap will fail (root SSH is disabled) — use site.yml for subsequent deploys.
#
# dkim_sync.yml is intentionally excluded: it requires the mail server to be
# fully running and keys generated. Run it manually after confirming mail is up:
#   ansible-playbook playbooks/dkim_sync.yml

- import_playbook: provision.yml
- import_playbook: dns.yml
- import_playbook: storage_box.yml

# Refresh inventory so the newly provisioned server IP is visible to subsequent plays
- name: Refresh inventory
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - meta: refresh_inventory

- import_playbook: bootstrap.yml
- import_playbook: site.yml
Add storage_box playbook and fix HCLOUD_TOKEN extraction - Add storage_box role: generates SSH key pair, creates Hetzner Storage Box with known password, installs public key via install-ssh-key, writes storagebox.yml to stack config. Idempotent: skips key install if SSH key auth already works. - Add deploy.yml: one-shot playbook chaining provision → dns → storage_box → bootstrap → site for fresh deployments - Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from vault YAML values - Add restic_storagebox_password to vault template and setup.sh prompt - Add sshpass to README prerequisites Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-01 17:43:14 -07:00			`---`
			`# Full first-time deployment — provisions and deploys everything in one shot.`
			`# Usage: ansible-playbook playbooks/deploy.yml`
			`#`
			`# Prerequisites: run setup.sh first, then review config.yml, vault.yml, dns.yml`
			`#`
			`# This playbook is intended for initial deployments only. After the first run,`
			`# bootstrap will fail (root SSH is disabled) — use site.yml for subsequent deploys.`
			`#`
			`# dkim_sync.yml is intentionally excluded: it requires the mail server to be`
			`# fully running and keys generated. Run it manually after confirming mail is up:`
			`# ansible-playbook playbooks/dkim_sync.yml`

			`- import_playbook: provision.yml`
			`- import_playbook: dns.yml`
			`- import_playbook: storage_box.yml`

			`# Refresh inventory so the newly provisioned server IP is visible to subsequent plays`
			`- name: Refresh inventory`
			`hosts: localhost`
			`connection: local`
			`gather_facts: false`
			`tasks:`
			`- meta: refresh_inventory`

			`- import_playbook: bootstrap.yml`
			`- import_playbook: site.yml`