ansible/deploy.yml

---

- name: mount rw
  hosts:
    - pikvm
  become: true
  pre_tasks:
    - name: mount rw
      command: /usr/local/bin/rw

- name: basic roles
  hosts:
    - caladan
    - fugu
    - narwhal
    - snitch
    - suricata
    # - pikvm
  become: true
  roles:
    - repos
    - basic

- name: cryptoraid
  hosts:
    - suricata
  become: true
  roles:
    - cryptoraid
  tags: raid

- name: mounts
  hosts:
    - suricata
  become: true
  roles:
    - mounts

- name: usercfg
  hosts:
    - suricata
  become: true
  roles:
    - usercfg

- name: lbu.conf
  hosts:
    - suricata
  become: true
  roles:
    - lbu_conf
  tags: lbu_conf

- name: common roles
  hosts:
    - caladan
    - fugu
    - narwhal
    - snitch
    - suricata
    # - pikvm
  become: true
  roles:
    - users
    - sshd
  vars:
    users:
      - rilla
      - ansible
      - btrbk
      - builder
      - gopass
      - woodpecker

- name: quality of life tools
  hosts:
    - caladan
    - fugu
    - narwhal
    - suricata
  become: true
  roles:
    - quality_of_life

- name: pi_fan_hwpwm
  hosts:
    - suricata
  become: true
  roles:
    - pi_fan_hwpwm

- name: docker
  hosts:
    - caladan
    - narwhal
  become: true
  roles:
    - docker

- name: podman
  hosts:
    - suricata
  become: true
  roles:
    - podman
  tags: podman

- name: wifi setup
  hosts: snitch
  become: true
  roles:
    - wifi

- name: btrbk
  hosts:
    - narwhal
    - suricata
  become: true
  roles:
    - btrbk
  tags: btrbk

- name: caladan-specific things
  hosts: caladan
  become: true
  roles:
    - tinyproxy

#- name: k3s
#  hosts:
#    - suricata
#  become: true
#  roles:
#    - k3s
#  tags: k3s

- name: wireguard
  hosts:
    - caladan
    - fugu
  become: true
  roles:
    - wireguard

- name: setup gopass
  become: true
  hosts:
    - caladan
    - fugu
    - narwhal
    # - pikvm
  roles:
    - gopass

- name: setup DAGs
  become: true
  hosts:
    - pikvm
  roles:
    - dags
  tags: dags

- name: set up pikvm's ssl certs
  hosts:
    - pikvm
  become: true
  vars:
    domain: monotremata.xyz

- name: lbu commit
  hosts:
    - snitch
    - suricata
  become: true
  tags: lbu
  post_tasks:
    - name: lbu commit
      # I use the shell module instead of the lbu one because the lbu module
      # doesn't seem to work with encryption
      shell:
        cmd: lbu commit
      environment:
        PASSWORD: '{{ lbu_password }}'
      when: ansible_distribution == "Alpine" and alpine_mode in ["diskless", "data"]

- name: mount ro
  hosts:
    - pikvm
  become: true
  post_tasks:
    - name: mount ro
      command: /usr/local/bin/ro

# todo:
# setup-apkcache to use /media/mmcblk0p2