maxice8 aa068529af
refactor(roles): remove OAuth2-Proxy support, as we use Pomerium
2026-06-09 00:06:12 -03:00

Ansible playbook

Requirements

Ansible

A requirements.txt is provided to install the dependencies; we recommend uv.

uv pip install -r requirements.txt

Podman (if using Butane)

We run Butane in a container with podman instead of installing it on the system, so podman is required if you use the Butane config.

Age + SOPS

Age and SOPS are used to encrypt the configuration files; install them with your system package manager.

# Arch Linux
pacman -S age sops

Configuration

We use encrypted configuration files in the following formats:

  • group_vars/servers.sops.yaml for cluster-wide Ansible configuration (see group_vars/example.sops.yaml)
  • host_vars/$HOSTNAME.sops.yaml for node-specific Ansible configuration (see host_vars/example.sops.yaml)
  • $HOSTNAME.env for Butane configuration (see example.env)

cp group_vars/example.sops.yaml group_vars/servers.sops.yaml
cp host_vars/example.sops.yaml host_vars/ryuu.sops.yaml
cp example.env ryuu.env

Encrypting

Ansible and Butane read the encrypted files rather than local plaintext configuration, so we need to generate a key with age and then encrypt the files with sops.

Generate key

Generate a key file. This file must NEVER be committed to git; save it in a secure password manager, and when you clone this repo on a new machine copy it over so you can decrypt the configuration you encrypted.

age-keygen -o .age-key.txt

Configure .sops.yaml

Replace the age section in .sops.yaml so it encrypts with your public key. You can get the public key after generating your key with grep "public key:" .age-key.txt.

Encrypt the files

With everything set up you can encrypt the files:

sops -e -i group_vars/servers.sops.yaml
sops -e -i host_vars/ryuu.sops.yaml
sops -e -i ryuu.env

Note: If you need to edit these files in the future, do not use cat or nano directly. Instead, use SOPS to decrypt them and open them in your default editor on the fly:

sops group_vars/servers.sops.yaml
sops host_vars/ryuu.sops.yaml
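A pre-commit style guard for the key and encryption steps above, as an added example that is not code from this repository: it extracts the public key from .age-key.txt the way the grep above does, renders a matching .sops.yaml creation rule, and flags files that would be committed in plaintext or that contain age secret key material (the two mistakes the sections above warn about). The creation_rules/path_regex/age config keys, the "# public key:" / AGE-SECRET-KEY-1 key-file format and the ENC[AES256_GCM,...] value format are sops' and age's real formats; the two path rules, the example-file exclusion and the sample key and file contents are constructed assumptions, not valid keys or real secrets.

```python
"""Guard for the SOPS/age workflow in this README (added example, not the
repository's own code). Before `git add`, it checks that:

1. the age secret key (.age-key.txt) never ends up in a commit,
2. every *.sops.yaml / *.env file that should be encrypted really is,
3. the public key in .age-key.txt is the one .sops.yaml encrypts to.
"""
import re

# age-keygen writes the public key as a comment and the secret key as the
# only non-comment line. The prefixes are age's real formats; the key
# bodies in the sample below are constructed placeholders.
AGE_PUBLIC_RE = re.compile(r"^#\s*public key:\s*(age1[0-9a-z]+)\s*$", re.MULTILINE)
AGE_SECRET_RE = re.compile(r"AGE-SECRET-KEY-1[0-9A-Z]+")
# A value sops has encrypted looks like ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
SOPS_ENC_RE = re.compile(r"ENC\[AES256_GCM,data:[^\]]*\]")


def age_public_key(keyfile_text: str) -> str:
    """Return the public key from an age-keygen key file
    (equivalent to: grep "public key:" .age-key.txt)."""
    m = AGE_PUBLIC_RE.search(keyfile_text)
    if not m:
        raise ValueError("no 'public key:' comment found in age key file")
    return m.group(1)


def render_sops_config(public_key: str) -> str:
    """Render a .sops.yaml that encrypts *.sops.yaml and *.env files to one
    age recipient. The two path rules are an assumption about this layout."""
    return (
        "creation_rules:\n"
        "  - path_regex: .*\\.sops\\.yaml$\n"
        f"    age: {public_key}\n"
        "  - path_regex: .*\\.env$\n"
        f"    age: {public_key}\n"
    )


def sops_config_trusts(sops_config: str, public_key: str) -> bool:
    """True when the public key is listed as an age recipient in .sops.yaml."""
    pattern = rf"^\s*age:\s*.*\b{re.escape(public_key)}\b"
    return re.search(pattern, sops_config, re.MULTILINE) is not None


def is_sops_encrypted(text: str) -> bool:
    """True when the file carries a sops metadata block AND at least one
    encrypted value. A file saved from nano in plaintext fails this."""
    has_metadata = re.search(r"^sops:\s*$", text, re.MULTILINE) is not None
    return has_metadata and SOPS_ENC_RE.search(text) is not None


def must_be_encrypted(path: str) -> bool:
    """Assumed layout: the example templates and the sops config itself are
    plaintext; every other *.sops.yaml and *.env must be encrypted."""
    name = path.rsplit("/", 1)[-1]
    if name == ".sops.yaml" or name.startswith("example."):
        return False
    return name.endswith(".sops.yaml") or name.endswith(".env")


def audit_staged(files: dict, keyfile_text: str, sops_config: str) -> list:
    """Return findings for a mapping of path -> content. Empty means OK."""
    findings = []
    pub = age_public_key(keyfile_text)
    if not sops_config_trusts(sops_config, pub):
        findings.append(f".sops.yaml does not list your public key {pub}")
    for path, content in files.items():
        if path.endswith(".age-key.txt") or AGE_SECRET_RE.search(content):
            findings.append(f"{path}: age secret key material must never be committed")
        elif must_be_encrypted(path) and not is_sops_encrypted(content):
            findings.append(f"{path}: not sops-encrypted (run: sops -e -i {path})")
    return findings


# --- constructed sample inputs (placeholders, not real keys or secrets) ----
KEYFILE = """# created: 2026-01-01T00:00:00-03:00
# public key: age1exampleplaceholderpublickey0000000000000000000000000000
AGE-SECRET-KEY-1EXAMPLEPLACEHOLDERSECRETKEY00000000000000000000000000000
"""
SOPS_CONFIG = render_sops_config(age_public_key(KEYFILE))
ENCRYPTED = """db_password: ENC[AES256_GCM,data:c29tZQ==,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1exampleplaceholderpublickey0000000000000000000000000000
"""
PLAINTEXT = "db_password: hunter2\n"


def main() -> list:
    """Audit a constructed staging area with one good file and two mistakes."""
    staged = {
        "group_vars/servers.sops.yaml": ENCRYPTED,
        "host_vars/ryuu.sops.yaml": PLAINTEXT,      # edited with nano, never re-encrypted
        ".age-key.txt": KEYFILE,                    # accidentally staged
        "group_vars/example.sops.yaml": PLAINTEXT,  # template, allowed in plaintext
    }
    return audit_staged(staged, KEYFILE, SOPS_CONFIG)


if __name__ == "__main__":
    for finding in main():
        print("FAIL:", finding)
```

Run it from the repository root; feeding it the output of `git diff --cached --name-only` (reading each file's content) is the natural wiring for a pre-commit hook. The is_sops_encrypted check looks for both the sops: metadata block and an ENC[...] value, because a file decrypted and saved by a plain editor typically loses both, while a file with metadata but plaintext values is also a leak.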

Deploying

There are two separate deployments: Butane and Ansible.

Butane

A Makefile is provided that generates an Ignition file: it decrypts the configuration, substitutes it into the Butane template, and converts the Butane configuration to an Ignition file that can then be used with coreos-installer to install Fedora CoreOS on a machine.

make ryuu

Ansible

The Ansible deployment is run once a machine can be reached over SSH (normally after doing the Butane deployment first) and deploys all the apps/services.

# Deploy to 'ryuu' with diffs (-D) enabled
uv run ansible-playbook -i inventory.yaml server.yaml -D -l ryuu