# Infrastructure

## Prerequisites

Before running the playbook for the first time, ensure `certbot` is installed and you have generated a wildcard Let's Encrypt certificate for the main domain on the host machine. (If the certificate doesn't exist yet, Ansible will generate a temporary self-signed certificate so HAProxy can start.)

```bash
sudo dnf install -y epel-release certbot

# Run certbot DNS challenge to get wildcard certs
sudo certbot certonly --manual --preferred-challenges dns -d "*.romanilin.is" -d "romanilin.is"
```

## Deployment

```bash
sudo dnf install -y ansible-core git
ansible-galaxy collection install ansible.posix community.general
git clone
cd infrastructure

# Run the playbook
ansible-playbook site.yaml --ask-vault-pass --ask-become-pass
```

## Reading Secrets

```bash
# Example: read the DKIM key from the mail container
sudo machinectl shell mail /bin/cat /etc/opendkim/keys/romanilin.is/default.txt
```
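
A check for the self-signed fallback described under Prerequisites, as an added example that is not part of this repository: it classifies a PEM file so you can confirm HAProxy is not still running on the temporary certificate. The function name `cert_status` and the certbot live path in the comment are assumptions; point it at the file your HAProxy actually loads.

```bash
#!/usr/bin/env bash
# Added example (not from the repository): classify the certificate in a PEM file.
# Usage: cert_status PEM_FILE [DOMAIN]
# Prints one of: missing | unreadable | self-signed | expired | no-wildcard | ok
# Returns 0 only for "ok", so it can gate a deploy or a cron alert.
cert_status() {
    local pem="$1" domain="${2:-romanilin.is}" subject issuer

    [ -r "$pem" ] || { echo missing; return 1; }

    # For a fullchain file, openssl x509 reads the first certificate (the leaf).
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 2>/dev/null) \
        || { echo unreadable; return 1; }
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 2>/dev/null)

    # Issuer DN equal to subject DN: a self-issued placeholder, not a CA-issued cert.
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo self-signed; return 1
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo expired; return 1; }

    # The wildcard name requested from certbot must be among the SANs.
    openssl x509 -in "$pem" -noout -text | grep -qF "DNS:*.$domain" \
        || { echo no-wildcard; return 1; }

    echo ok
}

# Demo on a constructed throwaway certificate standing in for the temporary one.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=romanilin.is" \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null
echo "constructed self-signed cert: $(cert_status "$demo_dir/cert.pem")"
rm -rf "$demo_dir"

# On the host (assumed certbot default path, needs root to read):
#   cert_status /etc/letsencrypt/live/romanilin.is/fullchain.pem
```

Anything other than `ok` after the playbook has run means the wildcard certificate from the Prerequisites step is not the one in place.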