Lets the user play be targeted with --tags users while still running
by default when no tags are passed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Carry forward the local-account rename from the direct edit on
initial_setup.yml into the new canonical users list.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Move the canonical user list to group_vars/all/users.yml so both
setup_linux.yml (renamed from initial_setup.yml) and the
initial_install users role consume the same source of truth.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds an opt-in (tags: never,hostname) play that sets the system
hostname to inventory_hostname, and fills in both real authorized
keys for the hellsos user.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tagged never,dockhand_install so it only runs when explicitly requested.
Installs docker.io + docker-compose-v2, templates a compose file for
fnsys/dockhand:latest at /docker/dockhand, and wires a oneshot systemd
unit that brings the stack up.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
borg_passphrase is required (Semaphore secret, same across hosts).
The role writes it to /etc/borgmatic/passphrase (0600 root) and
configures borgmatic to use BORG_PASSCOMMAND=cat /etc/borgmatic/passphrase,
and runs `borg init --encryption=repokey-blake2` with BORG_PASSPHRASE in
the env. no_log on the tasks that touch the passphrase.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The URI was wrong — BorgWarehouse uses a single shared SSH user
(`borgwarehouse`) and routes by the repo id in the path, so the form
is `ssh://<borgSshHost>/./<repo.id>` (not per-repo user with /./repos).
Role now also trusts the borg server's SSH host key in root's
known_hosts and runs `borg init --encryption=none` (idempotent — treats
"already exists" as success) so first backups don't need manual prep.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
backup role now logs into borgcontroller and creates (or looks up) a
repository with alias=inventory_hostname, registering root's pubkey and
the requested storageSize. The resulting SSH URI is injected into the
borgmatic config so each host gets a remote-managed repo without manual
config.
backup_hosts entries gain a `storage_size_gb` field (stripped before
templating) and lose the manual `repositories` entry — the role fills it.
borgcontroller_{username,password} are expected from Semaphore secrets.
Also gitignores .claude/ local state.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The role now ensures the systemd timer is running (so backups actually
fire on the schedule borgmatic ships by default) and generates an
ed25519 key for root that can be authorized on the remote borg server.
Also adds a testipaclient entry to backup_hosts.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Borgmatic backup role driven by per-host config in group_vars/all/backup.yml
- manage_ssh_keys role with add/remove paths; remove_ssh_key_playbook.yml uses it
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jakub
