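---
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# shithub site.yml — top-level provisioning play.
#
# Run: `ansible-playbook -i inventory/production deploy/ansible/site.yml`
#
# Roles run in dependency order: base hardening first, then the data
# layer (postgres + block-volume mounts), then the network surface
# (caddy, sshd via shithubd role), then operator plumbing
# (wireguard mesh + backup cron + monitoring-client).
#
# Idempotent: re-running converges to the desired state. Secrets are
# pulled from sops-encrypted files (or 1Password CLI in dev) — never
# in plaintext under deploy/.
#
# Tag-limited runs: `base` carries no tags, so `--tags db`, `--tags app`
# etc. skip the hardening role entirely. Run without `--tags` (or with
# `--tags all`) to converge the whole host; a partial run is a
# convenience for iterating on one role, not a full deploy.

- hosts: all
  become: true  # every role needs root; canonical booleans instead of yes/no
  gather_facts: true
  roles:
    - role: base
    - role: postgres
      tags: [db, postgres]
    - role: shithubd
      tags: [app, shithubd]
    # Opt-in: the CI runner is only laid down on hosts that set
    # shithub_runner_enabled. `default(false)` covers an unset variable;
    # `bool` normalises string values from inventory/extra-vars.
    - role: shithubd-runner
      tags: [app, shithubd-runner, actions-runner]
      when: shithub_runner_enabled | default(false) | bool
    - role: caddy
      tags: [edge, caddy]
    - role: wireguard
      tags: [net, wireguard]
    - role: backup
      tags: [backup, ops]
    - role: monitoring-client
      tags: [monitoring, ops]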