feat(offsite): *.askari.wingu.me wildcard + offsite.yml (docker_host + reverse_proxy)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 17:39:44 +02:00 · 2026-06-14 17:39:44 +02:00 · 9c169561d7
commit 9c169561d7
parent 1ee343dfca
2 changed files with 14 additions and 0 deletions
--- a/inventories/production/group_vars/all/public_dns.yml
+++ b/inventories/production/group_vars/all/public_dns.yml
@ -13,6 +13,9 @@ public_dns__records:
  # askari (off-site host, TF-provisioned M2) — public A so it's reachable by name +
  # for future ACME on *.askari.wingu.me. Mesh/LAN-only home services never appear here.
  - {record: askari, type: A, values: ["77.42.120.136"], ttl: 1800}
+  # Wildcard for askari's services (test/netbird/...) → same host; Caddy gets a
+  # *.askari.wingu.me cert via DNS-01 (M4a).
+  - {record: "*.askari", type: A, values: ["77.42.120.136"], ttl: 1800}

 # Absent — Gandi's auto-seeded defaults we don't want (purged once, idempotent thereafter).
 public_dns__absent:
--- a/playbooks/offsite.yml
+++ b/playbooks/offsite.yml
@ -0,0 +1,11 @@
+---
+# offsite.yml — off-site hosts (askari): Docker engine + the Caddy reverse proxy.
+# NetBird (M4b) appends to this play. Run: make deploy PLAYBOOK=offsite LIMIT=askari
+- name: Configure off-site hosts
+  hosts: offsite_hosts
+  become: true
+  roles:
+    - role: docker_host
+      tags: [docker_host]
+    - role: reverse_proxy
+      tags: [reverse_proxy]