opennomad/linderhof
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
linderhof/inventory/group_vars/all/vault.yml.setup
Matthias Johnson db70b4ba06 Add storage_box playbook and fix HCLOUD_TOKEN extraction 
- Add storage_box role: generates SSH key pair, creates Hetzner Storage
  Box with known password, installs public key via install-ssh-key,
  writes storagebox.yml to stack config. Idempotent: skips key install
  if SSH key auth already works.
- Add deploy.yml: one-shot playbook chaining provision → dns →
  storage_box → bootstrap → site for fresh deployments
- Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from
  vault YAML values
- Add restic_storagebox_password to vault template and setup.sh prompt
- Add sshpass to README prerequisites

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-01 17:43:14 -07:00

57 lines
1.7 KiB
Text
Raw Blame History

---
# ============================================================
# Linderhof Secrets
# ============================================================
# Generated by setup.sh
# Edit with: ansible-vault edit $LINDERHOF_DIR/group_vars/all/vault.yml
# ============================================================
# system
root_password: "$root_password"
admin_password: "$admin_password"
# hetzner
hcloud_token: "$hcloud_token"
# mail
# passwords generated with: openssl rand -base64 32
mail_passwords:
$admin_user@$domain: "$admin_mail_password"
git@$domain: "$git_mail_password"
notifications@$domain: "$notifications_mail_password"
rspamd_web_password: "$rspamd_web_password"
rainloop_admin_password: "$rainloop_admin_password"
# forgejo
# keys generated with: openssl rand -hex 32
forgejo_secret_key: "$forgejo_secret_key"
forgejo_internal_token: "$forgejo_internal_token"
forgejo_jwt_secret: "$forgejo_jwt_secret"
forgejo_smtp_password: "$notifications_mail_password"
# monitoring
# password generated with: openssl rand -base64 32
grafana_admin_password: "$grafana_admin_password"
# tuwunel
# token generated with: openssl rand -base64 32
tuwunel_registration_token: "$tuwunel_registration_token"
# radicale
# password generated with: openssl rand -base64 32
radicale_password: "$radicale_password"
# goaccess
# password generated with: openssl rand -base64 32
goaccess_password: "$goaccess_password"
# diun (uses the notifications mail account)
diun_email_password: "$notifications_mail_password"
# restic
# password generated with: openssl rand -base64 32
restic_password: "$restic_password"
restic_storagebox_password: "$restic_storagebox_password"
# fail2ban (optional — IPs/CIDRs to whitelist)
# fail2ban_ignoreip: "your-home-ip/32"
Reference in a new issue View git blame Copy permalink