
Infrastructure

Prerequisites

Before running the playbook for the first time, ensure certbot is installed and that you have generated a wildcard Let's Encrypt certificate for the main domain on the host machine. (If the certificate doesn't exist yet, Ansible will generate a temporary self-signed certificate so HAProxy can start.)

sudo dnf install -y epel-release certbot
# Run certbot dns challenge to get wildcard certs
sudo certbot certonly --manual --preferred-challenges dns -d "*.romanilin.is" -d "romanilin.is"
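
Because the playbook falls back to a temporary self-signed certificate, it is worth checking which certificate is actually in place before and after a run. The function below is an added example, not part of this repository: cert_status is a hypothetical helper, and the path in the usage comment is certbot's default lineage path, which is an assumption about where the playbook reads the certificate from.

```shell
#!/bin/sh
# Added example (not from the repository): classify a PEM certificate.
# Usage (path is an assumption, certbot's default lineage location):
#   sudo sh -c '. ./cert_status.sh; cert_status /etc/letsencrypt/live/romanilin.is/fullchain.pem romanilin.is'
#
# Prints exactly one of: missing | self-signed | no-wildcard | expiring | ok
#   $1  path to the PEM file (leaf certificate first, as in fullchain.pem)
#   $2  base domain whose wildcard SAN is expected, e.g. romanilin.is
#   $3  optional: minimum remaining validity in days (default 14)
cert_status() {
    pem=$1
    domain=$2
    min_days=${3:-14}

    [ -r "$pem" ] || { echo missing; return; }

    # openssl x509 parses only the first certificate in the file (the leaf).
    subj=$(openssl x509 -in "$pem" -noout -subject_hash 2>/dev/null) \
        || { echo missing; return; }
    iss=$(openssl x509 -in "$pem" -noout -issuer_hash 2>/dev/null)

    # Subject equal to issuer means the placeholder certificate is still in use.
    if [ "$subj" = "$iss" ]; then echo self-signed; return; fi

    # Require an exact "DNS:*.<domain>" SAN entry; a substring match would
    # also accept names such as *.<domain>.example.
    if ! openssl x509 -in "$pem" -noout -text \
            | tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:*.$domain"; then
        echo no-wildcard; return
    fi

    # Certificates obtained with --manual are not renewed unattended unless an
    # auth hook is configured, so flag short remaining validity explicitly.
    if ! openssl x509 -in "$pem" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo expiring; return
    fi

    echo ok
}
```

Any result other than ok after a playbook run means HAProxy is not serving a valid wildcard certificate for the domain.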

Deployment

sudo dnf install -y ansible-core git
ansible-galaxy collection install ansible.posix community.general
git clone <your-git-repo>
cd infrastructure

# Run the playbook
ansible-playbook site.yaml --ask-vault-pass --ask-become-pass

Reading Secrets

# Example: read the DKIM key from the mail container
sudo machinectl shell mail /bin/cat /etc/opendkim/keys/romanilin.is/default.txt