# playbooks/

Top-level orchestration playbooks. No inline vars — configuration comes from
`group_vars/` / `host_vars/` (see CLAUDE.md).

- `site.yml` — full standard state: applies `base` to all hosts and `docker_host`
  to docker hosts. **Note:** `base` is only partially built (its `firewall` +
  `hardening` concerns) and the cluster has no docker hosts yet, so this is
  incomplete — see `STATUS.md`.
- `workstation.yml` — applies the `dev_env` role (interactive developer environment)
  to the `control` group; built and applied to `ubongo` (see `STATUS.md`).
- `dns.yml` — manages the public DNS zone (wingu.me) at Gandi LiveDNS via the
  `public_dns` role; runs from the control node against an external API.
- `offsite.yml` — off-site hosts (`askari`): `docker_host` (Docker engine) +
  `reverse_proxy` (Caddy). NetBird coordinator appended in M4b.
- `bootstrap.yml` — first-run setup for a host that may not have Python yet;
  self-contained (does not depend on the roles).

Run via `make check PLAYBOOK=<name>` then `make deploy PLAYBOOK=<name>`.