refactor: Move secrets to vault and improve portability

.gitignore

@@ -3,4 +3,4 @@
 private
 .vscode
 .ansible
-.git
+.git.vault_password

.vault_password

@@ -0,0 +1 @@
+changeme

README.md

@@ -1,3 +1,45 @@
 # HomeCloudPlaybooks
 
-My Ansible Playbooks live here
+This repository contains Ansible playbooks for setting up and configuring a home cloud environment.
+
+## Requirements
+
+- Ansible 2.9 or higher
+- Python 3.6 or higher
+- `sshpass` installed on the control node
+
+## Usage
+
+1.  **Clone the repository:**
+    ```bash
+    git clone https://gitea.tobjend.de/tobi/HomeCloudPlaybooks.git
+    cd HomeCloudPlaybooks
+    ```
+
+2.  **Install Ansible collections:**
+    ```bash
+    ansible-galaxy collection install -r playbooks/requirements.yml
+    ```
+
+3.  **Configure the inventory:**
+    -   Copy the `inventory/hosts.yml.example` to `inventory/hosts.yml`.
+    -   Update the `inventory/hosts.yml` file with your host information.
+
+4.  **Configure secrets:**
+    -   This project uses Ansible Vault to manage secrets.
+    -   Create a `vault_password.txt` file with your vault password.
+    -   Run the playbooks using the `--vault-password-file` option:
+        ```bash
+        ansible-playbook playbooks/main.yml --vault-password-file vault_password.txt
+        ```
+
+## Inventory Structure
+
+The inventory is located in the `inventory` directory. The main inventory file is `hosts.yml`. The inventory is organized into groups of hosts.
+
+## Roles
+
+The following roles are available in the `playbooks/roles` directory:
+
+-   `gitea`: Installs and configures Gitea, a self-hosted Git service.
+-   ... (more roles to be documented here)

ansible.cfg

@@ -1,7 +1,7 @@
 [defaults]
 inventory = ./inventory/hosts.yml
 remote_user = ubuntu
-private_key_file = ./private/astronomican.pem
+vault_password_file = ./.vault_password
 host_key_checking = False
 interpreter_python = auto_silent
-roles_path = ./roles
+roles_path = ./playbooks/roles

inventory/group_vars/all.yml

@@ -0,0 +1,16 @@
+$ANSIBLE_VAULT;1.1;AES256
+36626339336631383230366330653234626435333066353638666561633262646636363537656636
+3934383761653837346335323261393035326539306563350a323965626530643162616430393064
+63326665366361396564306132626635386262613265333764323630633965326539383737653137
+6438646165666464630a396361306139323664366564376263636639643138316133333532363564
+35636635363137633438643464383933313361613333353766303631663738626333323937306235
+39313639353239393432646333316634333436343163386139363965313738346264623561633332
+65303733366430383438616164323538333564303961386637643130333862383836306133633131
+34393532353330623031373136636566626230616434386435333338626631656464333661633464
+32323330393038666564363965343632313230333833316365613537376633346362353730383965
+65643664386564346430303334643132633936663163666236396433666137613339343761373338
+61363335393637346134396165333437666364633639323431323833313932306237306430336530
+39393034303537633733306133373530303239333339336465386631393866323735313639626166
+32336564366263343539346139656665353830323533623233373061323837616132626238333632
+62383531373966373131633531306430316462393430623734323161643366316233396338306336
+376133653336343338303136316539643062

playbooks/requirements.yml

@@ -0,0 +1,10 @@
+# requirements.yml
+
+# This file lists the Ansible collections required by the playbooks.
+# The collections are based on the commented-out roles in main.yml.
+
+collections:
+  - name: community.general
+    version: "3.0.0"
+  - name: community.crypto
+    version: "2.0.0"

playbooks/roles/containers/subroles/pihole/defaults/main.yml

@@ -6,7 +6,7 @@ pi_hole_host_port: "314"
 pi_hole_dns_port: "53"
 pi_hole_timezone: "Europe/Berlin"
 pi_hole_volume_dir: "/opt/pi-hole"  # Directory to store Pi-Hole data
-pi_hole_web_password: "risICE3!risICE3!"  # Change this to a secure password
+pi_hole_web_password: "{{ vault_pi_hole_web_password }}"
 blocklists:
   - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt
   - https://raw.githubusercontent.com/daylamtayari/Pi-Hole-Blocklist/master/Pi-Hole-Blocklist.txt

playbooks/roles/containers/subroles/pihole/files/stack.yml

@@ -8,7 +8,7 @@ services:
       - '80:80/tcp'
     environment:
       - TZ=Europe/Berlin
-      - WEBPASSWORD=risICE3!risICE3!
+      - WEBPASSWORD={{ vault_pi_hole_web_password }}
     volumes:
       - './etc-pihole:/etc/pihole'
       - './etc-dnsmasq.d:/etc/dnsmasq.d'

playbooks/roles/gitea/defaults/main.yml

@@ -6,5 +6,5 @@ gitea_port: 3000
 postgres_host: "localhost"
 postgres_port: 5432
 postgres_db: "postgres"
-postgres_user: "tobi"
-postgres_password: "risICE3"
+postgres_user: "ansible"
+postgres_password: "{{ vault_postgres_password }}"

playbooks/roles/network/defaults/main.yml

@@ -5,7 +5,7 @@ nginx_proxy_manager_data_path: "/opt/nginx-proxy-manager/data"
 nginx_proxy_manager_letsencrypt_path: "/opt/nginx-proxy-manager/letsencrypt"
 nginx_proxy_manager_compose_path: "/opt/nginx-proxy-manager/docker-compose.yml"
 nginx_proxy_manager_admin_email: "tobend85@gmail.com"
-nginx_proxy_manager_admin_password: "risICE3"
+nginx_proxy_manager_admin_password: "{{ vault_nginx_proxy_manager_admin_password }}"
 nginx_proxy_manager_port: "9900"
 nginx_proxy_manager_ssl_port: "443"
 # Docker network configuration
@@ -18,5 +18,5 @@ wireguard_easy_admin_port: "51821"
 wireguard_easy_data_dir: "/etc/wireguard"
 wireguard_easy_config_dir: "/opt/network"
 wireguard_easy_host: "130.162.231.152"
-wireguard_easy_password: "admin"
+wireguard_easy_password: "{{ vault_wireguard_easy_password }}"
 wireguard_easy_password_hash: ""

playbooks/roles/postgres/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 postgres_container_name: postgres
 postgres_port: 5432
-postgres_user: tobi
-postgres_password: risICE3
+postgres_user: "ansible"
+postgres_password: "{{ vault_postgres_password }}"
 postgres_data_dir: /var/lib/postgresql/data/pgdata
 postgres_volume: /opt/postgresData