Add storage_box playbook and fix HCLOUD_TOKEN extraction
- Add storage_box role: generates SSH key pair, creates Hetzner Storage Box with known password, installs public key via install-ssh-key, writes storagebox.yml to stack config. Idempotent: skips key install if SSH key auth already works. - Add deploy.yml: one-shot playbook chaining provision → dns → storage_box → bootstrap → site for fresh deployments - Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from vault YAML values - Add restic_storagebox_password to vault template and setup.sh prompt - Add sshpass to README prerequisites Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
203bd5bf6e
commit
db70b4ba06
13 changed files with 218 additions and 18 deletions
20
setup.sh
20
setup.sh
|
|
@ -101,7 +101,12 @@ if [[ -z "$hcloud_token" ]]; then
|
|||
warn "no Hetzner token provided — add it to vault.yml manually if needed"
|
||||
fi
|
||||
|
||||
export admin_user server_name server_ip domain hcloud_token
|
||||
echo
|
||||
info "configure restic backups (optional — leave blank to skip)"
|
||||
prompt restic_storagebox_name "Storage box name" "${server_name}-backup"
|
||||
prompt_secret restic_storagebox_password "Storage box password (leave blank to skip)"
|
||||
|
||||
export admin_user server_name server_ip domain hcloud_token restic_storagebox_name restic_storagebox_password
|
||||
export ssh_key_pub="${ssh_key_path}.pub"
|
||||
|
||||
echo
|
||||
|
|
@ -118,7 +123,7 @@ info "generating secrets..."
|
|||
export root_password admin_password
|
||||
export admin_mail_password notifications_mail_password git_mail_password
|
||||
export grafana_admin_password rspamd_web_password goaccess_password rainloop_admin_password radicale_password
|
||||
export tuwunel_registration_token restic_password
|
||||
export tuwunel_registration_token restic_password restic_storagebox_password
|
||||
export forgejo_secret_key forgejo_internal_token forgejo_jwt_secret
|
||||
|
||||
root_password=$(openssl rand -base64 32)
|
||||
|
|
@ -176,7 +181,7 @@ if [[ -f "$CONFIG" ]]; then
|
|||
warn "config.yml already exists — skipping (not overwriting)"
|
||||
else
|
||||
info "writing config.yml..."
|
||||
envsubst '$admin_user $server_name $server_ip $domain $ssh_key_pub $stack_name' \
|
||||
envsubst '$admin_user $server_name $server_ip $domain $ssh_key_pub $stack_name $restic_storagebox_name' \
|
||||
< "$TEMPLATES/config.yml.setup" > "$CONFIG"
|
||||
ok "config.yml created"
|
||||
fi
|
||||
|
|
@ -242,8 +247,7 @@ echo "Next steps:"
|
|||
echo " 1. Review $CONFIG"
|
||||
echo " 2. Review $VAULT (ansible-vault edit)"
|
||||
echo " 3. Review $DNS_CONFIG"
|
||||
echo " 4. Provision a server: ansible-playbook playbooks/provision.yml"
|
||||
echo " 5. Update DNS: ansible-playbook playbooks/dns.yml"
|
||||
echo " 6. Bootstrap server: ansible-playbook playbooks/site.yml --tags bootstrap"
|
||||
echo " 7. Deploy: ansible-playbook playbooks/site.yml"
|
||||
echo " 8. Sync DKIM keys to DNS: ansible-playbook playbooks/dkim_sync.yml"
|
||||
echo " 4. Deploy: ansible-playbook playbooks/deploy.yml"
|
||||
echo ""
|
||||
echo " If mail is enabled, sync DKIM keys once the server is up:"
|
||||
echo " ansible-playbook playbooks/dkim_sync.yml"
|
||||
|
|
|
|||
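Review bot: `restic_storagebox_password` is exported twice — on the `export admin_user server_name server_ip domain hcloud_token restic_storagebox_name restic_storagebox_password` line in this hunk and again in the second hunk's `export tuwunel_registration_token restic_password restic_storagebox_password`; the variable is already in the environment after the first line, so one of the two should go, preferably keeping the secret grouped with the other secrets. The prompt reads "leave blank to skip", but nothing visible in these hunks branches on an empty value: `restic_storagebox_name` is still prompted with a default and substituted into config.yml in the third hunk, and the password presumably reaches the vault template the same way, so a blank entry appears to leave a storage box name configured with an empty password unless the template or the storage_box role treats it as unset. If that is the intended contract, a comment next to the prompt such as `# empty password = backups disabled; vault template and storage_box role must treat it as unset` would make it explicit. Since the commit description says the storage_box role creates the box with this password, it never needs to be memorable, so generating it like `restic_password` is generated further down (`openssl rand -base64 32`) when the user opts in would avoid a weak hand-typed credential. The enclosing script continues outside the hunk.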