Fix fresh-deploy blockers and clean up architecture

- Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-28 00:51:16 -07:00 · 2026-02-28 00:51:16 -07:00 · b38cd94fc8
commit b38cd94fc8
parent 75891c3271
23 changed files with 400 additions and 307 deletions
--- a/inventory/group_vars/all/vault.yml.setup
+++ b/inventory/group_vars/all/vault.yml.setup
@ -6,6 +6,10 @@
 # Edit with: ansible-vault edit $LINDERHOF_DIR/group_vars/all/vault.yml
 # ============================================================

+# system
+root_password: "$root_password"
+admin_password: "$admin_password"
+
 # hetzner
 hcloud_token: "$hcloud_token"

@ -33,6 +37,10 @@ grafana_admin_password: "$grafana_admin_password"
 # token generated with: openssl rand -base64 32
 tuwunel_registration_token: "$tuwunel_registration_token"

+# radicale
+# password generated with: openssl rand -base64 32
+radicale_password: "$radicale_password"
+
 # goaccess
 # password generated with: openssl rand -base64 32
 goaccess_password: "$goaccess_password"
@ -47,9 +55,8 @@ restic_password: "$restic_password"
 # fail2ban (optional — IPs/CIDRs to whitelist)
 # fail2ban_ignoreip: "your-home-ip/32"

-# DKIM public keys — one entry per domain
-# Retrieve after first mail deployment:
+# DKIM public keys — add after first mail deployment:
 #   docker exec mailserver cat /tmp/docker-mailserver/rspamd/dkim/$domain/mail.pub
 # Format: "v=DKIM1; k=rsa; p=<base64 public key>"
-dkim_keys:
-  $domain: ""
+# dkim_keys:
+#   $domain: "v=DKIM1; k=rsa; p=..."