Fix fresh-deploy blockers and clean up architecture

- Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-28 00:51:16 -07:00 · 2026-02-28 00:51:16 -07:00 · b38cd94fc8
commit b38cd94fc8
parent 75891c3271
23 changed files with 400 additions and 307 deletions
--- a/playbooks/bootstrap.yml
+++ b/playbooks/bootstrap.yml
@ -2,6 +2,8 @@
 - name: Bootstrap Ubuntu server
  hosts: all
  become: true
+  vars:
+    ansible_user: root

  pre_tasks:
    - name: Ensure apt cache is up to date
@ -14,16 +16,32 @@
      timezone:
        name: "{{ timezone }}"

+    - name: Set root password
+      ansible.builtin.user:
+        name: root
+        password: "{{ root_password | password_hash('sha512') }}"
+
    - name: Create admin user
-      user:
+      ansible.builtin.user:
        name: "{{ admin_user }}"
+        password: "{{ admin_password | password_hash('sha512') }}"
        groups: sudo
        shell: "{{ admin_shell }}"
        append: true
        create_home: true

+    - name: Grant admin user passwordless sudo
+      lineinfile:
+        path: /etc/sudoers.d/{{ admin_user }}
+        line: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL"
+        create: true
+        mode: "0440"
+        validate: visudo -cf %s
+
+    # BUG: ansible.posix.authorized_key emits a deprecation warning — this is a known upstream bug:
+    # https://github.com/ansible-collections/ansible.posix/issues/695
    - name: Authorize SSH key for admin user
-      authorized_key:
+      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_ssh_key }}"