diff --git a/inventories/production/group_vars/all/public_dns.yml b/inventories/production/group_vars/all/public_dns.yml
index c0e8016..5d9ce02 100644
--- a/inventories/production/group_vars/all/public_dns.yml
+++ b/inventories/production/group_vars/all/public_dns.yml
@@ -13,6 +13,9 @@ public_dns__records:
   # askari (off-site host, TF-provisioned M2) — public A so it's reachable by name
+  # for future ACME on *.askari.wingu.me. Mesh/LAN-only home services never appear here.
   - {record: askari, type: A, values: ["77.42.120.136"], ttl: 1800}
+  # Wildcard for askari's services (test/netbird/...) → same host; Caddy gets a
+  # *.askari.wingu.me cert via DNS-01 (M4a).
+  - {record: "*.askari", type: A, values: ["77.42.120.136"], ttl: 1800}
 # Absent — Gandi's auto-seeded defaults we don't want (purged once, idempotent thereafter).
 public_dns__absent:
diff --git a/playbooks/offsite.yml b/playbooks/offsite.yml
new file mode 100644
index 0000000..e8899f5
--- /dev/null
+++ b/playbooks/offsite.yml
@@ -0,0 +1,11 @@
+---
+# offsite.yml — off-site hosts (askari): Docker engine + the Caddy reverse proxy.
+# NetBird (M4b) appends to this play. Run: make deploy PLAYBOOK=offsite LIMIT=askari
+- name: Configure off-site hosts
+  hosts: offsite_hosts
+  become: true
+  roles:
+    - role: docker_host
+      tags: [docker_host]
+    - role: reverse_proxy
+      tags: [reverse_proxy]
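Review bot: The new `*.askari` wildcard makes every name under askari.wingu.me resolve to the public IP, so the promise in the comment above it that LAN/mesh-only services "never appear here" now rests entirely on what Caddy answers for an unmatched Host — any hostname a client invents reaches the host and is served whatever the reverse proxy's fallback is. Confirm the reverse_proxy config has an explicit catch-all for `*.askari.wingu.me` that returns an error rather than falling through to a service, and record that here: `# Every name under askari now resolves publicly; Caddy must reject unmatched Hosts (no default site).` DNS-01 for the wildcard also implies a Gandi API credential living on the off-site host; if that token can write the whole zone rather than just askari's records, a compromise of askari lets an attacker re-point any record in wingu.me, so scope or rotate it accordingly (inferred — the credential is not in this diff). If the public_dns role can emit CAA, a record with `issue`/`issuewild` restricted to the ACME CA in use would bound what a DNS-level attacker could get issued for the wildcard.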
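Review bot: Putting the Docker engine on the host that also terminates public TLS for `*.askari.wingu.me` means any container port published with `ports:`/`-p` is bound on the public address and reachable directly, bypassing both Caddy and INPUT-chain firewalls such as ufw, because Docker's own DNAT/FORWARD rules sidestep them (inferred — the docker_host role body is not in this diff). Unless docker_host already sets a binding default, have it place `"ip": "127.0.0.1"` in /etc/docker/daemon.json or state the rule in this play, e.g. `# Containers must publish on 127.0.0.1 only; Caddy is the sole public listener.` Separately, role order is the only thing that guarantees the engine exists before reverse_proxy runs; a run limited to `--tags reverse_proxy` skips docker_host entirely, so if reverse_proxy needs the engine, declare it in its meta/main.yml `dependencies` rather than relying on list position. The play-level `become: true` is fine for engine install, but note in the header comment that the planned NetBird role will inherit root by default.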