Deduplicate nearly identical init logic from backend.yml and
backend_sftp.yml into init.yml. Also fixes missing set -euo pipefail
in the sftp backend variant.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Always run install-ssh-key (drop unreliable sftp idempotency check
that was bypassed by SSH agent forwarding)
- Use sshpass -e (env var) instead of -p to avoid shell quoting issues
with special characters in passwords
- Add -o IdentitiesOnly=yes to prevent agent keys interfering
- Add reachable_externally: true to access_settings (was being reset
to false on every run)
- Remove storage_box.yml from deploy.yml chain — Ansible loads
group_vars at startup so storagebox.yml must exist before deploy.yml
- Document storage_box.yml as a prerequisite step in README, CLAUDE.md,
and setup.sh next steps

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add default landing page (roles/caddy/templates/index.html.j2) deployed
to empty caddy sites; adapted from YC/coming-soon by Steven Tang (MIT),
with site domain and powered-by footer linking to codeberg.org/opennomad/linderhof
- Apply hcloud_labels to all Hetzner cloud and DNS resources; default to {}
in role defaults for stacks without the variable defined
- Fix setup.sh: export stack_name so envsubst substitutes it in config.yml
- Add Codeberg repo link to README

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add dkim_sync.yml: generates DKIM keys for all mail_domains, writes
keys to stack config (group_vars/all/dkim.yml), and publishes
mail._domainkey TXT records via dns.yml — replaces manual vault editing
- Remove dkim_keys from vault.yml.setup (public keys don't need encryption)
- Add hcloud_labels to config.yml.setup and apply to server + SSH key in
provision role, enabling project-level tagging of Hetzner resources
- Fix setup.sh next steps: add missing bootstrap step, replace manual DKIM
instructions with dkim_sync.yml
- Update CLAUDE.md and README.md accordingly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

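The commit above describes dkim_sync.yml generating a DKIM key per mail domain and publishing a mail._domainkey TXT record. The script below is an added example of that workflow in plain POSIX sh with openssl; it is not the project's playbook or its dns.yml, and the key size, the on-disk file layout, the sample domains and the script name are assumptions. It also covers the two points a practitioner would want checked before touching DNS: that the public key being published actually matches the private key the signer holds, and that a 2048-bit key's TXT value is split into 255-octet strings, since a single character-string in TXT RDATA cannot be longer than that and zone files and many DNS APIs reject or truncate an unsplit value.

```shell
#!/bin/sh
# Added example (not the project's dkim_sync.yml or dns.yml): generate an RSA
# DKIM key pair per mail domain with openssl and derive the TXT record to
# publish at <selector>._domainkey.<domain>. The selector "mail" is the one the
# commit message names; key size, file layout and sample domains are assumptions.
set -eu

# dkim_keygen DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (private, mode 0600 via umask) and OUTDIR/DOMAIN.pub.
# Only the public half belongs in a plaintext group_vars file; the private key
# is the part that needs vault protection.
dkim_keygen() {
  domain=$1; outdir=$2
  mkdir -p "$outdir"
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$outdir/$domain.key" 2>/dev/null )
  openssl pkey -in "$outdir/$domain.key" -pubout -out "$outdir/$domain.pub" 2>/dev/null
}

# pem_body FILE -> base64 DER (SubjectPublicKeyInfo) with the PEM armour removed
pem_body() {
  grep -v -- '-----' "$1" | tr -d '\n'
}

# dkim_txt_value PUBFILE -> the raw TXT value: "v=DKIM1; k=rsa; p=MIIBIjAN..."
dkim_txt_value() {
  printf 'v=DKIM1; k=rsa; p=%s\n' "$(pem_body "$1")"
}

# dkim_record_name DOMAIN SELECTOR -> FQDN of the TXT record
dkim_record_name() {
  printf '%s._domainkey.%s\n' "$2" "$1"
}

# dkim_zone_rdata PUBFILE -> the value split into quoted strings of at most
# 255 characters, as a zone file expects; resolvers concatenate the pieces.
dkim_zone_rdata() {
  dkim_txt_value "$1" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ' | sed 's/ $//'
  printf '\n'
}

# dkim_verify_pair DOMAIN OUTDIR -> exit 0 iff DOMAIN.pub matches DOMAIN.key.
# Run this before publishing so a stale .pub can never put a key into DNS that
# the signer does not hold.
dkim_verify_pair() {
  from_key=$(openssl pkey -in "$2/$1.key" -pubout 2>/dev/null | grep -v -- '-----' | tr -d '\n')
  [ "$from_key" = "$(pem_body "$2/$1.pub")" ]
}

# Usage: sh dkim_keygen.sh OUTDIR DOMAIN [DOMAIN ...]
# Prints one zone-file line per domain; keys land in OUTDIR.
if [ $# -ge 2 ]; then
  out=$1; shift
  for d in "$@"; do
    dkim_keygen "$d" "$out"
    dkim_verify_pair "$d" "$out"
    printf '%s. IN TXT %s\n' "$(dkim_record_name "$d" mail)" "$(dkim_zone_rdata "$out/$d.pub")"
  done
fi
```

Running it as `sh dkim_keygen.sh ./dkim example.org example.net` prints one `mail._domainkey.<domain>. IN TXT "..." "..."` line per domain and leaves the private keys in `./dkim` with mode 0600. The `p=` part of a 2048-bit RSA record is a fixed 392 base64 characters, so the whole value is always two strings after splitting.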
- Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's
requirement for at least one account on first boot
- Add failed_when: false to mail user/alias list tasks (files don't exist
on first run)
- Add forgejo_runner_version (was undefined); default to 12
- Create /srv/forgejo/data/gitea/conf before deploying app.ini
- Decouple goaccess sync from restic: new enable_goaccess_sync flag with
its own goaccess_sync_* variables
- Move Docker installation to bootstrap exclusively; rename docker.yml to
networks.yml (runs docker_network role only)
- Add radicale_password to vault template and setup.sh
- Fix goaccess sync tasks gated on enable_goaccess_sync
- Add upstream bug comment to authorized_key deprecation warning
- Update CLAUDE.md and README.md throughout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>