Fix fresh-deploy blockers and clean up architecture

- Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-28 00:51:16 -07:00 · 2026-02-28 00:51:16 -07:00 · b38cd94fc8
commit b38cd94fc8
parent 75891c3271
23 changed files with 400 additions and 307 deletions
--- a/roles/mail/tasks/aliases.yml
+++ b/roles/mail/tasks/aliases.yml
@ -1,8 +1,10 @@
 # read-only docker exec always reports changed; changed_when: false suppresses spurious output
+# failed_when: false — postfix-virtual.cf may not exist on first run
 - name: List existing mail aliases
  command: docker exec mailserver setup alias list
  register: mail_alias_list
  changed_when: false
+  failed_when: false
  tags:
    - users

--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@ -92,15 +92,32 @@
    name: certbot
    state: present

+- name: Check if mail TLS certificate already exists
+  ansible.builtin.stat:
+    path: /etc/letsencrypt/live/{{ mail_hostname }}/fullchain.pem
+  register: mail_cert
+
+- name: Stop Caddy to free port 80 for certbot
+  community.docker.docker_compose_v2:
+    project_src: /srv/caddy
+    state: stopped
+  when: not mail_cert.stat.exists
+
 - name: Obtain a Let's Encrypt certificate for {{ mail_hostname }}
  command: >
    certbot certonly --standalone
    -d {{ mail_hostname }}
    --non-interactive --agree-tos -m postmaster@{{ domain }}
-  args:
-    creates: /etc/letsencrypt/live/{{ mail_hostname }}/fullchain.pem
+  when: not mail_cert.stat.exists
  tags: config

+- name: Restart Caddy after certbot
+  community.docker.docker_compose_v2:
+    project_src: /srv/caddy
+    state: present
+    build: never
+  when: not mail_cert.stat.exists
+
 - name: Deploy mail compose file
  template:
    src: compose.yml.j2
@ -126,6 +143,17 @@
  notify: Restart mailserver
  tags: config

+- name: Seed mail accounts into postfix-accounts.cf before first start
+  ansible.builtin.shell: |
+    grep -qF "{{ item.address }}" /srv/mail/config/postfix-accounts.cf 2>/dev/null && exit 0
+    hash=$(openssl passwd -6 {{ item.password | quote }})
+    printf '%s|{SHA512-CRYPT}%s\n' "{{ item.address }}" "${hash}" >> /srv/mail/config/postfix-accounts.cf
+  loop: "{{ mail_users }}"
+  no_log: true
+  args:
+    executable: /bin/bash
+  tags: users
+
 - name: Start mailserver
  community.docker.docker_compose_v2:
    project_src: /srv/mail
--- a/roles/mail/tasks/users.yml
+++ b/roles/mail/tasks/users.yml
@ -1,8 +1,10 @@
 # read-only docker exec always reports changed; changed_when: false suppresses spurious output
+# failed_when: false — postfix-accounts.cf may not exist on first run (seeded separately)
 - name: Check if mail user exists
  command: docker exec mailserver setup email list
  register: mail_user_list
  changed_when: false
+  failed_when: false
  tags:
    - users