opennomad/linderhof
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add storage_box playbook and fix HCLOUD_TOKEN extraction

Browse source 
- Add storage_box role: generates SSH key pair, creates Hetzner Storage
  Box with known password, installs public key via install-ssh-key,
  writes storagebox.yml to stack config. Idempotent: skips key install
  if SSH key auth already works.
- Add deploy.yml: one-shot playbook chaining provision → dns →
  storage_box → bootstrap → site for fresh deployments
- Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from
  vault YAML values
- Add restic_storagebox_password to vault template and setup.sh prompt
- Add sshpass to README prerequisites

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Matthias Johnson 2026-03-01 17:43:14 -07:00
parent 203bd5bf6e
commit db70b4ba06
13 changed files with 218 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

12
CLAUDE.md
View file

@ -37,17 +37,23 @@ Note: Inventory and vault password are set via `ANSIBLE_INVENTORY` and `ANSIBLE_
**Deployment Pattern:** Each service is deployed to `/srv/<service>/` on the target host with a `compose.yml` and environment files.
**Standalone Playbooks** (not in `site.yml`):
- `deploy.yml` - Full first-time deployment (chains provision → dns → storage_box → bootstrap → site)
- `provision.yml` - Provision a cloud VM (Hetzner)
- `dns.yml` - Manage DNS zones/records via Hetzner DNS API
- `bootstrap.yml` - First-time server setup (run once as root before site.yml)
- `dkim_sync.yml` - Fetch DKIM keys from mailserver and publish to DNS (run once after first mail deploy)
- `storage_box.yml` - Create/configure a Hetzner Storage Box for restic backups (run once before enabling restic)
**Full deployment order** (fresh server):
1. `deploy.yml` - runs all steps below in one shot (first-time only — bootstrap connects as root)
2. `dkim_sync.yml` - generate DKIM keys, write to stack config, publish to DNS (run once after mail is up)
**What `deploy.yml` runs internally:**
1. `provision.yml` - create server, auto-writes IP to hosts.yml and config.yml
2. `dns.yml` - create DNS records
3. `bootstrap.yml` - users, SSH hardening, packages, Docker (connects as root)
4. `site.yml` - deploy all services
5. `dkim_sync.yml` - generate DKIM keys, write to stack config, publish to DNS
3. `storage_box.yml` - generate SSH key, configure storage box, writes storagebox.yml to stack config
4. `bootstrap.yml` - users, SSH hardening, packages, Docker (connects as root)
5. `site.yml` - deploy all services
**Playbook Execution Order** (via `site.yml`):
1. networks.yml - Pre-create all Docker networks (must run before any service)