From d7f75c04da928e544a34f25a1d5cd156e4bab752 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Thu, 22 Jan 2026 17:32:39 +0100 Subject: [PATCH 1/4] chore(traefik): rename variables for clarity --- .../group_vars/traefik_servers_backend.yml | 8 +++--- .../group_vars/traefik_servers_dmz.yml | 26 +++++++++---------- .../vagrant/host_vars/backend/traefik.yml | 8 +++--- .../vagrant/host_vars/backend2/traefik.yml | 4 +-- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/inventories/vagrant/group_vars/traefik_servers_backend.yml b/inventories/vagrant/group_vars/traefik_servers_backend.yml index 70c5e8f..c28eb89 100644 --- a/inventories/vagrant/group_vars/traefik_servers_backend.yml +++ b/inventories/vagrant/group_vars/traefik_servers_backend.yml @@ -3,8 +3,8 @@ # These use Docker provider for local service discovery traefik_mode: backend -use_ssl: true -cert_mode: "selfsigned" -enable_dashboard: true -log_level: DEBUG +traefik_use_ssl: true +traefik_cert_mode: "selfsigned" +traefik_enable_dashboard: true +traefik_log_level: DEBUG traefik_network: proxy \ No newline at end of file diff --git a/inventories/vagrant/group_vars/traefik_servers_dmz.yml b/inventories/vagrant/group_vars/traefik_servers_dmz.yml index b46126a..fdc8e48 100644 --- a/inventories/vagrant/group_vars/traefik_servers_dmz.yml +++ b/inventories/vagrant/group_vars/traefik_servers_dmz.yml 
@@ -3,23 +3,23 @@ # These are public-facing proxies that route traffic to backend servers traefik_mode: dmz -use_ssl: true -cert_mode: "selfsigned" # Use 'acme' for production -enable_dashboard: true -dashboard_domain: "traefik.dmz.local.test" -log_level: DEBUG +traefik_use_ssl: true +traefik_cert_mode: "selfsigned" # Use 'acme' for production +traefik_enable_dashboard: true +traefik_dashboard_domain: "traefik.dmz.local.test" +traefik_log_level: DEBUG traefik_network: proxy # Backend servers to proxy (if empty, proxies to all backend_servers) # This allows multiple DMZ proxies to handle different backend servers -# backend_servers_to_proxy: +# traefik_backend_servers_to_proxy: # - backend1 # - backend2 -# ACME configuration (uncomment for production with cert_mode: acme) -# ssl_email: "admin@example.com" -# ssl_cert_resolver: "dns" -# acme_dns_zone: "digitalboard._acme.digitalboard.ch." -# acme_dns_nameserver: "192.168.1.1:53" -# acme_tsig_key: "your-tsig-key-name" -# acme_tsig_secret: "your-tsig-secret" \ No newline at end of file +# ACME configuration (uncomment for production with traefik_cert_mode: acme) +# traefik_ssl_email: "admin@example.com" +# traefik_ssl_cert_resolver: "dns" +# traefik_acme_dns_zone: "digitalboard._acme.digitalboard.ch." +# traefik_acme_dns_nameserver: "192.168.1.1:53" +# traefik_acme_tsig_key: "your-tsig-key-name" +# traefik_acme_tsig_secret: "your-tsig-secret" \ No newline at end of file diff --git a/inventories/vagrant/host_vars/backend/traefik.yml b/inventories/vagrant/host_vars/backend/traefik.yml index d4928df..5aa720e 100644 --- a/inventories/vagrant/host_vars/backend/traefik.yml +++ b/inventories/vagrant/host_vars/backend/traefik.yml @@ -1,5 +1,5 @@ # Services to be exposed through the DMZ reverse proxy -traefik_services: +traefik_dmz_exposed_services: - name: httpbin domain: httpbin.local.test port: 443 
@@ -35,7 +35,7 @@ traefik_services: # port: 80 # protocol: http -use_ssl: false # disable SSL redirect for vagrant +traefik_use_ssl: false # disable SSL redirect for vagrant -use_ssl_dashboard: true # still use SSL for dashboard -dashboard_domain: "traefik.backend.local.test" \ No newline at end of file +traefik_use_ssl_dashboard: true # still use SSL for dashboard +traefik_dashboard_domain: "traefik.backend.local.test" \ No newline at end of file diff --git a/inventories/vagrant/host_vars/backend2/traefik.yml b/inventories/vagrant/host_vars/backend2/traefik.yml index 6837810..56ee12b 100644 --- a/inventories/vagrant/host_vars/backend2/traefik.yml +++ b/inventories/vagrant/host_vars/backend2/traefik.yml @@ -1,8 +1,8 @@ # Services to be exposed through the DMZ reverse proxy -traefik_services: +traefik_dmz_exposed_services: - name: httpbin-srv2 domain: "{{ httpbin_domain }}" port: 443 protocol: https -dashboard_domain: "traefik.backend2.local.test" \ No newline at end of file +traefik_dashboard_domain: "traefik.backend2.local.test" \ No newline at end of file From b94c066996e36990d247ac145e09f564bf9389ca Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Thu, 22 Jan 2026 17:33:14 +0100 Subject: [PATCH 2/4] chore: add .vagrant folder to .gitignore --- .gitignore | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/.gitignore b/.gitignore index 72d385d..9dd7ed4 100644 --- a/.gitignore +++ b/.gitignore 
@@ -14,3 +14,37 @@ /.idea/ # Ansible /collections/ansible_collections/ +/.vagrant/bundler/global.sol +/.vagrant/machines/backend/libvirt/action_provision +/.vagrant/machines/backend/libvirt/box_meta +/.vagrant/machines/backend/libvirt/created_networks +/.vagrant/machines/backend/libvirt/creator_uid +/.vagrant/machines/backend/libvirt/id +/.vagrant/machines/backend/libvirt/index_uuid +/.vagrant/machines/backend/libvirt/private_key +/.vagrant/machines/backend/libvirt/synced_folders +/.vagrant/machines/backend/libvirt/vagrant_cwd +/.vagrant/machines/backend2/libvirt/action_provision +/.vagrant/machines/backend2/libvirt/box_meta +/.vagrant/machines/backend2/libvirt/created_networks +/.vagrant/machines/backend2/libvirt/creator_uid +/.vagrant/machines/backend2/libvirt/id +/.vagrant/machines/backend2/libvirt/index_uuid +/.vagrant/machines/backend2/libvirt/private_key +/.vagrant/machines/backend2/libvirt/synced_folders +/.vagrant/machines/backend2/libvirt/vagrant_cwd +/.vagrant/machines/dmz/libvirt/logs/ssh-forwarding-*_8080-192.168.121.139_80.log +/.vagrant/machines/dmz/libvirt/logs/ssh-forwarding-*_8443-192.168.121.139_443.log +/.vagrant/machines/dmz/libvirt/pids/ssh_8080.pid +/.vagrant/machines/dmz/libvirt/pids/ssh_8443.pid +/.vagrant/machines/dmz/libvirt/action_provision +/.vagrant/machines/dmz/libvirt/box_meta +/.vagrant/machines/dmz/libvirt/created_networks +/.vagrant/machines/dmz/libvirt/creator_uid +/.vagrant/machines/dmz/libvirt/id +/.vagrant/machines/dmz/libvirt/index_uuid +/.vagrant/machines/dmz/libvirt/private_key +/.vagrant/machines/dmz/libvirt/synced_folders +/.vagrant/machines/dmz/libvirt/vagrant_cwd +/.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory +/.vagrant/rgloader/loader.rb From 495b61c1d15a59cccdd0bec89b00710849541f75 Mon Sep 17 00:00:00 2001 
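Review bot: The hunk ignores the libvirt `private_key` SSH keys only for the three machines that exist today (`backend`, `backend2`, `dmz`), and for `dmz` it pins log and pid paths that embed one forwarded address (`192.168.121.139`), so a fourth VM, a re-created network or a different provider directory would leave fresh state and a fresh private key unignored and one `git add -A` away from a commit. Since the commit message already says "add .vagrant folder", a single `/.vagrant/` entry in place of these 34 lines does exactly that and stays correct as the machine set changes. Adding an ignore rule does not untrack files that are already in the index, so it is worth running `git ls-files .vagrant` once and `git rm --cached` anything it reports before the keys reach a shared remote.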
From: Bert-Jan Fikse Date: Fri, 23 Jan 2026 10:41:30 +0100 Subject: [PATCH 3/4] chore: switch to yaml inventory waaaay better readability --- inventories/vagrant/hosts.ini | 45 ------------------------- inventories/vagrant/hosts.yml | 62 +++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 45 deletions(-) delete mode 100644 inventories/vagrant/hosts.ini create mode 100644 inventories/vagrant/hosts.yml diff --git a/inventories/vagrant/hosts.ini b/inventories/vagrant/hosts.ini deleted file mode 100644 index fcea02f..0000000 --- a/inventories/vagrant/hosts.ini +++ /dev/null @@ -1,45 +0,0 @@ -# This file defines the group structure for vagrant VMs -# Fixed IPs are defined in the Vagrantfile -# Additional host-specific variables should go in host_vars/ -# Group-specific variables should go in group_vars/ - -[all_servers] -dmz ansible_host=192.168.56.10 ansible_ssh_private_key_file=.vagrant/machines/dmz/libvirt/private_key ansible_user=vagrant -backend ansible_host=192.168.56.11 ansible_ssh_private_key_file=.vagrant/machines/backend/libvirt/private_key ansible_user=vagrant -backend2 ansible_host=192.168.56.12 ansible_ssh_private_key_file=.vagrant/machines/backend2/libvirt/private_key ansible_user=vagrant - -# Backend servers that host application services -[backend_servers] -backend -backend2 - -# Reverse proxy servers in DMZ (public-facing, file provider mode) -[traefik_servers_dmz] -dmz - -# Reverse proxy servers on backend (docker provider mode) -[traefik_servers_backend] -backend -backend2 - -# All reverse proxy servers -[traefik_servers:children] -traefik_servers_dmz -traefik_servers_backend - -# Application servers -[httpbin_servers] -backend -backend2 - -[keycloak_servers] -backend - -[authentik_servers] -backend - -[garage_servers] -backend - -[nextcloud_servers] -backend \ No newline at end of file diff --git a/inventories/vagrant/hosts.yml b/inventories/vagrant/hosts.yml new file mode 100644 index 0000000..e3bf998 --- /dev/null 
+++ b/inventories/vagrant/hosts.yml @@ -0,0 +1,62 @@ +--- +all: + children: + all_servers: + hosts: + dmz: + ansible_host: 192.168.56.10 + ansible_ssh_private_key_file: .vagrant/machines/dmz/libvirt/private_key + ansible_user: vagrant + backend: + ansible_host: 192.168.56.11 + ansible_ssh_private_key_file: .vagrant/machines/backend/libvirt/private_key + ansible_user: vagrant + backend2: + ansible_host: 192.168.56.12 + ansible_ssh_private_key_file: .vagrant/machines/backend2/libvirt/private_key + ansible_user: vagrant + + # Backend servers that host application services + backend_servers: + hosts: + backend: + backend2: + + # Reverse proxy servers + traefik_servers: + children: + traefik_servers_dmz: + traefik_servers_backend: + + # DMZ reverse proxy (public-facing, file provider mode) + traefik_servers_dmz: + hosts: + dmz: + + # Backend reverse proxy (docker provider mode) + traefik_servers_backend: + hosts: + backend: + backend2: + + # Application servers + httpbin_servers: + hosts: + backend: + backend2: + + keycloak_servers: + hosts: + backend: + + authentik_servers: + hosts: + backend: + + garage_servers: + hosts: + backend: + + nextcloud_servers: + hosts: + backend: \ No newline at end of file From 75be32d8d0acf1a6078dcfb120685090176a84f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20W=C3=BCst?= Date: Thu, 22 Jan 2026 14:53:21 +0100 Subject: [PATCH 4/4] chore: Deploy Homarr Service --- inventories/vagrant/host_vars/backend/homarr.yml | 11 +++++++++++ inventories/vagrant/host_vars/backend/traefik.yml | 4 ++++ inventories/vagrant/hosts.yml | 4 ++++ playbooks/site.yml | 6 ++++++ 4 files changed, 25 insertions(+) create mode 100644 inventories/vagrant/host_vars/backend/homarr.yml diff --git a/inventories/vagrant/host_vars/backend/homarr.yml b/inventories/vagrant/host_vars/backend/homarr.yml new file mode 100644 index 0000000..6244c57 --- /dev/null +++ b/inventories/vagrant/host_vars/backend/homarr.yml 
@@ -0,0 +1,11 @@ +homarr_domain: "home.local.test" + +homarr_secret_dir: "{{ playbook_dir }}/secrets/{{ inventory_hostname }}" +homarr_secret_file: "homarr_secret_encryption_key" +homarr_secret_length: 64 + +homarr_secret_encryption_key: >- + {{ lookup('ansible.builtin.password', + homarr_secret_dir ~ '/' ~ homarr_secret_file, + length=homarr_secret_length, + chars='hexdigits') }} diff --git a/inventories/vagrant/host_vars/backend/traefik.yml b/inventories/vagrant/host_vars/backend/traefik.yml index 5aa720e..3e1e5b7 100644 --- a/inventories/vagrant/host_vars/backend/traefik.yml +++ b/inventories/vagrant/host_vars/backend/traefik.yml @@ -24,6 +24,10 @@ traefik_dmz_exposed_services: domain: authentik.local.test port: 443 protocol: https + - name: homarr + domain: home.local.test + port: 443 + protocol: https # Example: Add more services as you deploy them # - name: forgejo # domain: git.example.com diff --git a/inventories/vagrant/hosts.yml b/inventories/vagrant/hosts.yml index e3bf998..5f438b8 100644 --- a/inventories/vagrant/hosts.yml +++ b/inventories/vagrant/hosts.yml @@ -58,5 +58,9 @@ all: backend: nextcloud_servers: + hosts: + backend: + + homarr_servers: hosts: backend: \ No newline at end of file diff --git a/playbooks/site.yml b/playbooks/site.yml index ffbb9c4..8749439 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -41,6 +41,12 @@ roles: - digitalboard.core.authentik +- name: Deploy homarr service + hosts: homarr_servers + become: yes + roles: + - digitalboard.core.homarr + - name: Configure reverse proxy on DMZ servers hosts: traefik_servers_dmz become: yes
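Review bot: `homarr_secret_encryption_key` is materialised by the `ansible.builtin.password` lookup into `{{ playbook_dir }}/secrets/{{ inventory_hostname }}/homarr_secret_encryption_key`, a plaintext file inside the repository tree on the controller, and nothing in this series ignores `secrets/` (the `.gitignore` patch only covers `.vagrant`), so unless that directory is already ignored elsewhere the generated key is one `git add` away from being committed. I would put a comment above the lookup, `# Generated once by the password lookup and stored in plaintext under playbooks/secrets/; keep that directory git-ignored (or ansible-vault the file), and delete the file to rotate the key.`, and confirm the ignore rule exists. A smaller point: `chars='hexdigits'` resolves to Python's `string.hexdigits`, which mixes upper- and lower-case letters, so the 64-character value is not canonical hex; if Homarr validates the key as lowercase hex (I cannot confirm that from here), `chars='digits,abcdef'` gives the same 256-bit strength in canonical form.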
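Review bot: The new play spells its privilege escalation as `become: yes`, a YAML 1.1 truthy form that yamllint's `truthy` rule and ansible-lint both flag; `become: true` is the canonical spelling. The context lines show the rest of `site.yml` uses `yes` too, so this is an inherited file-wide habit rather than a defect introduced here, but new lines are the natural place to start the cleanup rather than add to it. The play otherwise mirrors the `authentik` play above it and sits before the DMZ reverse-proxy play, which is presumably where the new `traefik_dmz_exposed_services` entry for homarr is rendered.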