Add ansible vault and jinja templates (#10)

.gitignore

@@ -1,4 +1,3 @@
 .idea
-secrets.yml
 venv
 stack.env

.vault-pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# fetch vault password from bitwarden. We assume there is an item called "homelab-vault" that contains the password
+password="$(bw list items | jq -r 'map(select(.name == "homelab-vault"))[0].login.password')"
+echo "${password}"

ansible.cfg

@@ -1,3 +1,4 @@
 [defaults]
 default_module_path=library
 inventory=hosts.ini
+vault_password_file=.vault-pass

roles/setup_docker/.travis.yml

@@ -1,29 +0,0 @@
----
-language: python
-python: "2.7"
-
-# Use the new container infrastructure
-sudo: false
-
-# Install ansible
-addons:
-  apt:
-    packages:
-    - python-pip
-
-install:
-  # Install ansible
-  - pip install ansible
-
-  # Check ansible version
-  - ansible --version
-
-  # Create ansible.cfg with correct roles_path
-  - printf '[defaults]\nroles_path=../' >ansible.cfg
-
-script:
-  # Basic role syntax check
-  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
-
-notifications:
-  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/setup_docker/.yamllint

@@ -1,33 +0,0 @@
----
-# Based on ansible-lint config
-extends: default
-
-rules:
-  braces:
-    max-spaces-inside: 1
-    level: error
-  brackets:
-    max-spaces-inside: 1
-    level: error
-  colons:
-    max-spaces-after: -1
-    level: error
-  commas:
-    max-spaces-after: -1
-    level: error
-  comments: disable
-  comments-indentation: disable
-  document-start: disable
-  empty-lines:
-    max: 3
-    level: error
-  hyphens:
-    level: error
-  indentation: disable
-  key-duplicates: enable
-  line-length: disable
-  new-line-at-end-of-file: disable
-  new-lines:
-    type: unix
-  trailing-spaces: disable
-  truthy: disable

roles/setup_docker/README.md

@@ -1,38 +0,0 @@
-Role Name
-=========
-
-A brief description of the role goes here.
-
-Requirements
-------------
-
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
-
-Role Variables
---------------
-
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
-
-Dependencies
-------------
-
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
-
-Example Playbook
-----------------
-
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
-    - hosts: servers
-      roles:
-         - { role: username.rolename, x: 42 }
-
-License
--------
-
-BSD
-
-Author Information
-------------------
-
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/setup_docker/defaults/main.yml

@@ -1 +0,0 @@
----

roles/setup_docker/handlers/main.yml

@@ -1,2 +0,0 @@
----
-# handlers file for setup_docker

roles/setup_docker/molecule/default/converge.yml

@@ -1,7 +0,0 @@
----
-- name: Converge
-  hosts: all
-  tasks:
-    - name: "Include chatton.setup_docker"
-      include_role:
-        name: "chatton.setup_docker"

roles/setup_docker/molecule/default/molecule.yml

@@ -1,29 +0,0 @@
----
-dependency:
-  name: galaxy
-driver:
-  name: docker
-platforms:
-  - name: instance
-    image: geerlingguy/docker-debian10-ansible:latest
-    privileged: true
-    pre_build_image: true
-provisioner:
-  name: ansible
-verifier:
-  name: ansible
-scenario:
-  test_sequence:
-#    - dependency
-#    - lint
-#    - cleanup
-    - destroy
-    - syntax
-    - create
-#    - prepare
-    - converge
-    - idempotence
-#    - side_effect
-    - verify
-#    - cleanup
-    - destroy

roles/setup_docker/molecule/default/verify.yml

@@ -1,10 +0,0 @@
----
-# This is an example playbook to execute Ansible tests.
-
-- name: Verify
-  hosts: all
-  gather_facts: false
-  tasks:
-  - name: Example assertion
-    ansible.builtin.assert:
-      that: true

roles/setup_docker/tasks/main.yml

@@ -42,4 +42,4 @@
 - name: Ensure docker is started
   service:
     name: docker
-    state: started
+    state: started

roles/setup_docker/tests/inventory

@@ -1,2 +0,0 @@
-localhost
-

roles/setup_docker/tests/test.yml

@@ -1,5 +0,0 @@
----
-- hosts: localhost
-  remote_user: root
-  roles:
-    - setup_docker

roles/setup_docker/vars/main.yml

@@ -1,2 +0,0 @@
----
-# vars file for setup_docker

roles/setup_hosted_services/defaults/main-vault.yml

@@ -0,0 +1,31 @@
+$ANSIBLE_VAULT;1.1;AES256
+61663635393234373338643564313337353832313533656466623266303965326333353663353336
+3431663531363464626562383135393830353339323764370a303031353864633834346539363832
+33313832616138386365353966333137363937663736306261346136646565653936646332626135
+3538356635613735380a666336356139656466306432636466653630633762323133333936353133
+31616437663332653134363630363961303132653064666436383864613835353437336637353265
+63653963306338363730346139383636643033353835346134363231326264666461303134353432
+62396237316261383061383566616433303833613561383638663361363963326463656461346537
+62383761386266316664666432316664646562316565333330373264373535393035303466613536
+61633565663237373734653062333564653964366234333035393937613139313930363936323963
+31623166313564616362303230386466653831393438616166353666653536393231613565656461
+35313239363563323434626561336363353137643361376437363736613263303738333462323538
+32343230663033646437343937613633623663333339313037393661313938346232346535663935
+30663631326431663838356131346530643930663633306233633135646665313264633436336665
+63626532343763633936313264613836353437356233396161616362323837376166313438353131
+62613064393362616430313935646662316239333332393036303766373837343338623036316539
+34643639666237356536666562376664376637643430663930353337623037373133663961633961
+38623863626265363661333132656662613337613939656365353734326463373833323332323463
+35356334326239313661626462376666626435313565306366333062393433323734326563616261
+65646130626234333039646136646463393365643833306562343165613766636133373463333465
+38316538383964343164323238356461643632346365646536356265353933336466613838623335
+34663630633062346562653964613831333165386538353636313565343536666465366438303136
+65663336303239636239626662323730383834376436636562333164396631323035333862393832
+63646364343564383235376137303031653163393966656264646338366163633931613437393830
+33643935353965393661323837646437306364396633636335346361316339326432306363376432
+66333637336636396536656237623232326539326264363033393334616235626463623435373763
+65396162336430336666373233636138363666613235323565336334353231613263383564633663
+35653433383936623638393032363935666134323833306563393266663933653261383061303036
+37393065643766643336616465663631316130653365366666613333363638663631303363636431
+34333435616435386261383865356166396666633737613763303165396365616635346534616131
+3437323335316432396363353138333163613830623165666666

roles/setup_hosted_services/defaults/main.yml

@@ -1,5 +1,4 @@
 ---
-docker_compose_directory: /etc/docker-compose
 services:
   - name: gitea
   - name: mealie
@@ -15,21 +14,35 @@ services:
   - name: mariadb
   - name: photoprism
 
+# any additional docker networks that should be created
 docker_networks:
-  - nextcloud_net
+  - mariadb_net
 
-aws_s3:
+qnap:
-  s3_url: "l8x8.ie11.idrivee2-6.com"
+  # path on qnap where downloads go
-  aws_access_key: "nyNMQ3fRMSV0bA1xw5uV"
+  downloads_dir: /mnt/ssd0/downloads
-  region: "us-east-1"
+  # path on qnap where plex transcoding happens
-  bucket: "backups"
+  transcoding_dir: /mnt/ssd0/transcoding
+  # path on qnap where movies are stored
+  movies_dir: /mnt/test/media/movies
+  # path on qnap where tv shows are stored
+  tv_dir: /mnt/test/media/tv
+  # path on qnap where docker compose files are stored
+  docker_compose_directory: /etc/docker-compose
+  # path on qnap where backups are stored
+  backups_dir: /mnt/test/backups
 
+# dashy related config
 dashy:
   destination_dir: /etc/config/dashy
   destination_file: dashy-config.yml
   source_file: dashboards/dashy-config.yml
 
+# olivetin related config
 olivetin:
   destination_dir: /etc/config/olivetin
   destination_file: config.yml
   source_file: olivetin/config.yml
+
+extra_hosts:
+  - "qnap:192.168.178.42"

roles/setup_hosted_services/molecule/default/converge.yml

@@ -1,7 +0,0 @@
----
-- name: Converge
-  hosts: all
-  tasks:
-    - name: "Include chatton.setup_hosted_services"
-      include_role:
-        name: "chatton.setup_hosted_services"

roles/setup_hosted_services/molecule/default/molecule.yml

@@ -1,29 +0,0 @@
----
-dependency:
-  name: galaxy
-driver:
-  name: docker
-platforms:
-  - name: instance
-    image: geerlingguy/docker-debian10-ansible:latest
-    privileged: true
-    pre_build_image: true
-provisioner:
-  name: ansible
-verifier:
-  name: ansible
-scenario:
-  test_sequence:
-    #    - dependency
-    #    - lint
-    #    - cleanup
-    - destroy
-    - syntax
-    - create
-    #    - prepare
-    - converge
-    - idempotence
-    #    - side_effect
-    - verify
-    #    - cleanup
-    - destroy

roles/setup_hosted_services/molecule/default/verify.yml

@@ -1,10 +0,0 @@
----
-# This is an example playbook to execute Ansible tests.
-
-- name: Verify
-  hosts: all
-  gather_facts: false
-  tasks:
-  - name: Example assertion
-    ansible.builtin.assert:
-      that: true

roles/setup_hosted_services/tasks/main.yml

@@ -1,3 +1,7 @@
+---
+- name: Include all defaults
+  include_vars: defaults/main-vault.yml
+
 - name: Docker | Pull images
   docker_image:
     name: "{{item}}"
@@ -8,21 +12,15 @@
 
 - name: Docker Compose | Create a directory if it does not exist
   file:
-    path: "{{docker_compose_directory}}/{{item.name}}"
+    path: "{{qnap.docker_compose_directory}}/{{item.name}}"
     state: directory
     mode: '0755'
   with_items: "{{services}}"
 
-- name: Docker Compose | Copy Docker Compose Files
+- name: Docker Compose | Template Docker Compose Files
-  copy:
+  template:
-    src: "{{item.name}}/docker-compose.yml"
+    src: "{{item.name}}.j2"
-    dest: "{{docker_compose_directory}}/{{item.name}}/docker-compose.yml"
+    dest: "{{qnap.docker_compose_directory}}/{{item.name}}/docker-compose.yml"
-  with_items: "{{services}}"
-
-- name: Docker Compose | Copy Stack Env File
-  copy:
-    src: "{{item.name}}/stack.env"
-    dest: "{{docker_compose_directory}}/{{item.name}}/stack.env"
   with_items: "{{services}}"
 
 
@@ -66,7 +64,7 @@
   environment:
     EXISTING_VOLUMES: "{{ find_volumes.results | map(attribute='stdout_lines') | list | flatten }}"
     SERVICES: "{{ services }}"
-    DOCKER_COMPOSE_DIR: "{{docker_compose_directory}}"
+    DOCKER_COMPOSE_DIR: "{{qnap.docker_compose_directory}}"
   args:
     executable: python3
   register: python_output
@@ -87,11 +85,11 @@
       - /tmp:/tmp # temp s3 archive goes here
     env:
       AWS_ACCESS_KEY_ID: "{{aws_s3.aws_access_key}}"
-      AWS_SECRET_ACCESS_KEY: "{{aws_s3_secrets.aws_secret_key}}"
+      AWS_SECRET_ACCESS_KEY: "{{aws_s3.aws_secret_key}}"
       AWS_DEFAULT_REGION: "{{aws_s3.region}}"
       AWS_BUCKET: "{{aws_s3.bucket}}"
       AWS_ENDPOINT: "{{aws_s3.s3_url}}"
-  with_items: "{{ python_output.stdout_lines  }}"
+  with_items: "{{ python_output.stdout_lines }}"
 
 - name: Docker | Create required docker networks
   docker_network:
@@ -102,7 +100,7 @@
   portainer:
     username: admin
     password: "{{portainer.password}}"
-    docker_compose_file_path: "{{docker_compose_directory}}/{{ item.name }}/docker-compose.yml"
+    docker_compose_file_path: "{{qnap.docker_compose_directory}}/{{ item.name }}/docker-compose.yml"
-    env_file_path: "{{docker_compose_directory}}/{{ item.name }}/stack.env"
+    env_file_path: "{{qnap.docker_compose_directory}}/{{ item.name }}/stack.env"
     stack_name: "{{ item.name }}"
   with_items: "{{services}}"

roles/setup_hosted_services/templates/dashboards.j2

@@ -1,3 +1,4 @@
+---
 version: '3.5'
 services:
   dash-dot:
@@ -35,8 +36,7 @@ services:
       retries: 3
       start_period: 40s
 
-    extra_hosts:
+    extra_hosts: {{ extra_hosts }}
-      - "qnap:192.168.178.42"
 
   glances:
     image: nicolargo/glances:latest-alpine

roles/setup_hosted_services/templates/docker-volume-backup.j2

@@ -1,3 +1,4 @@
+---
 # https://app.idrivee2.com/region/IE/buckets/backups/object-storage
 version: "3"
 services:
@@ -16,14 +17,13 @@ services:
       - --modes
       - "filesystem,s3"
     environment:
-      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
+      AWS_ACCESS_KEY_ID: {{ docker_volume_backup.aws_access_key_id }}
-      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
+      AWS_SECRET_ACCESS_KEY: {{ docker_volume_backup.aws_secret_access_key }}
-      AWS_DEFAULT_REGION: ${AWS_DEFAULT_REGION}
+      AWS_DEFAULT_REGION: {{ docker_volume_backup.aws_default_region }}
-      AWS_BUCKET: ${AWS_BUCKET}
+      AWS_BUCKET: {{ docker_volume_backup.aws_bucket }}
-      AWS_ENDPOINT: ${AWS_ENDPOINT}
+      AWS_ENDPOINT: {{ docker_volume_backup.aws_endpoint }}
 
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-      - /mnt/hdds/backups:/backups
+      - {{qnap.backups_dir}}:/backups
       - /tmp:/tmp
-

roles/setup_hosted_services/templates/gitea.j2

@@ -1,3 +1,4 @@
+---
 version: "3"
 
 services:

roles/setup_hosted_services/templates/linkding.j2

@@ -1,3 +1,4 @@
+---
 version: '3'
 services:
   linkding:

roles/setup_hosted_services/templates/mariadb.j2

@@ -1,3 +1,4 @@
+---
 version: '3.1'
 services:
   mariadb:
@@ -13,7 +14,7 @@ services:
       - data:/var/lib/mysql
       - config:/etc/mysql/conf.d
     environment:
-      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+      - MYSQL_ROOT_PASSWORD={{ mariadb.mysql_root_password }}
 
   adminer:
     restart: unless-stopped
@@ -30,5 +31,5 @@ volumes:
 
 networks:
   default:
-    name: nextcloud_net
+    name: mariadb_net
-    external: true
+    external: true

roles/setup_hosted_services/templates/nextcloud.j2

@@ -1,3 +1,4 @@
+---
 version: '3.2'
 services:
   nextcloud:
@@ -15,5 +16,5 @@ volumes:
 
 networks:
   default:
-    name: nextcloud_net
+    name: mariadb_net
     external: true

roles/setup_hosted_services/templates/nginx-proxy-manager.j2

@@ -1,3 +1,4 @@
+---
 version: "3"
 services:
   nginx-proxy-manager:

roles/setup_hosted_services/templates/olivetin.j2

@@ -1,3 +1,4 @@
+---
 version: "3.8"
 services:
   olivetin:

roles/setup_hosted_services/templates/overseerr.j2

@@ -1,3 +1,4 @@
+---
 version: "3"
 services:
   overseerr:

roles/setup_hosted_services/templates/photoprism.j2

@@ -1,3 +1,4 @@
+---
 version: '3.5'
 services:
   photoprism:
@@ -10,7 +11,7 @@ services:
     ports:
       - "2342:2342" # HTTP port (host:container)
     environment:
-      PHOTOPRISM_ADMIN_PASSWORD: ${PHOTOPRISM_ADMIN_PASSWORD}        # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
+      PHOTOPRISM_ADMIN_PASSWORD: {{ photoprism.admin_password }}        # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
       PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
       PHOTOPRISM_SITE_URL: "http://localhost:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
       PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
@@ -33,7 +34,7 @@ services:
       PHOTOPRISM_DATABASE_SERVER: "mariadb:3306"     # MariaDB or MySQL database server (hostname:port)
       PHOTOPRISM_DATABASE_NAME: "photoprism"         # MariaDB or MySQL database schema name
       PHOTOPRISM_DATABASE_USER: "photoprism"         # MariaDB or MySQL database user name
-      PHOTOPRISM_DATABASE_PASSWORD: ${PHOTOPRISM_DATABASE_PASSWORD}       # MariaDB or MySQL database user password
+      PHOTOPRISM_DATABASE_PASSWORD: {{ photoprism.database_password }}         # MariaDB or MySQL database user password
       PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
       PHOTOPRISM_SITE_DESCRIPTION: ""                # meta site description
       PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
@@ -49,5 +50,5 @@ services:
 
 networks:
   default:
-    name: nextcloud_net
+    name: mariadb_net
     external: true

roles/setup_hosted_services/templates/plex.j2

@@ -15,9 +15,9 @@ services:
       - VERSION=docker
     volumes:
       - config:/config
-      - /mnt/hdds/media/tv:/tv
+      - {{ qnap.tv_dir }}:/tv
-      - /mnt/hdds/media/movies:/movies
+      - {{ qnap.movies_dir }}:/movies
-      - /mnt/ssd0/transcoding:/transcoding
+      - {{ qnap.transcoding_dir }}:/transcoding
     restart: unless-stopped
     devices:
       - /dev/dri:/dev/dri
@@ -39,4 +39,4 @@ services:
 
 volumes:
   config:
-  tautulli_config:
+  tautulli_config:

roles/setup_hosted_services/templates/uptime-kuma.j2

@@ -1,5 +1,5 @@
+---
 version: '3.3'
-
 services:
   uptime-kuma:
     labels:

roles/setup_hosted_services/templates/vpn-stack.j2

@@ -1,14 +1,15 @@
+---
 version: "3"
 services:
   surfshark:
     image: ilteoood/docker-surfshark
     container_name: surfshark
     environment:
-      - SURFSHARK_USER=${SURFSHARK_USER}
+      - SURFSHARK_USER={{ vpn.surfshark_username }}
-      - SURFSHARK_PASSWORD=${SURFSHARK_PASSWORD}
+      - SURFSHARK_PASSWORD={{ vpn.surfshark_password }}
       # must specify LAN_NETWORK otherwise you will not be able
       # to access ports which are exposed here.
-      - LAN_NETWORK=${LAN_NETWORK}
+      - LAN_NETWORK={{ vpn.lan_network }}
     cap_add:
       - NET_ADMIN
     devices:
@@ -45,8 +46,8 @@ services:
       - TZ=Europe/London
       - WEBUI_PORT=15000
     volumes:
-      - "qbittorrent_config:/config"
+      - qbittorrent_config:/config
-      - "/mnt/ssd0/downloads:/downloads"
+      - {{ qnap.downloads_dir }}:/downloads
     restart: unless-stopped
 
   radarr:
@@ -62,9 +63,9 @@ services:
       - PGID=1000
       - TZ=Europe/London
     volumes:
-      - "radarr_config:/config"
+      - radarr_config:/config
-      - "/mnt/hdds/media/movies:/movies"
+      - {{ qnap.movies_dir }}:/movies
-      - "/mnt/ssd0/downloads:/downloads"
+      - {{ qnap.downloads_dir }}:/downloads
     restart: unless-stopped
 
   sonarr:
@@ -80,9 +81,9 @@ services:
       - PGID=1000
       - TZ=Europe/London
     volumes:
-      - "sonarr_config:/config"
+      - sonarr_config:/config
-      - "/mnt/hdds/media/tv:/tv"
+      - {{ qnap.tv_dir }}:/tv
-      - "/mnt/ssd0/downloads:/downloads"
+      - {{ qnap.downloads_dir }}:/downloads
     restart: unless-stopped
 
   jackett:
@@ -99,12 +100,12 @@ services:
       - TZ=Europe/London
       - AUTO_UPDATE=true
     volumes:
-      - "jackett_config:/config"
+      - jackett_config:/config
-      - "/mnt/ssd0/downloads:/downloads"
+      - {{ qnap.downloads_dir }}:/downloads
     restart: unless-stopped
 
 volumes:
   qbittorrent_config:
   radarr_config:
   sonarr_config:
-  jackett_config:
+  jackett_config:

roles/setup_hosted_services/tests/inventory

@@ -1,2 +0,0 @@
-localhost
-

roles/setup_hosted_services/tests/test.yml

@@ -1,5 +0,0 @@
----
-- hosts: localhost
-  remote_user: root
-  roles:
-    - setup_hosted_services

roles/setup_hosted_services/vars/main.yml

@@ -1,2 +1,2 @@
 ---
-# vars file for setup_hosted_services
+# vars file for setup_hosted_services

roles/setup_portainer/defaults/main.yml

@@ -1,7 +1,2 @@
 ---
 docker_compose_directory: /etc/docker-compose/portainer
-aws_s3:
-  s3_url: "l8x8.ie11.idrivee2-6.com"
-  aws_access_key: "nyNMQ3fRMSV0bA1xw5uV"
-  region: "us-east-1"
-  bucket: "backups"

roles/setup_portainer/files/docker-compose.yml

@@ -1,3 +1,4 @@
+---
 version: '3.2'
 services:
   portainer:

roles/setup_portainer/molecule/default/converge.yml

@@ -1,7 +0,0 @@
----
-- name: Converge
-  hosts: all
-  tasks:
-    - name: "Include chatton.setup_portainer"
-      include_role:
-        name: "chatton.setup_portainer"

roles/setup_portainer/molecule/default/molecule.yml

@@ -1,29 +0,0 @@
----
-dependency:
-  name: galaxy
-driver:
-  name: docker
-platforms:
-  - name: instance
-    image: geerlingguy/docker-debian10-ansible:latest
-    privileged: true
-    pre_build_image: true
-provisioner:
-  name: ansible
-verifier:
-  name: ansible
-scenario:
-  test_sequence:
-    #    - dependency
-    #    - lint
-    #    - cleanup
-    - destroy
-    - syntax
-    - create
-    #    - prepare
-    - converge
-    - idempotence
-    #    - side_effect
-    - verify
-    #    - cleanup
-    - destroy

roles/setup_portainer/molecule/default/verify.yml

@@ -1,10 +0,0 @@
----
-# This is an example playbook to execute Ansible tests.
-
-- name: Verify
-  hosts: all
-  gather_facts: false
-  tasks:
-  - name: Example assertion
-    ansible.builtin.assert:
-      that: true

roles/setup_portainer/tasks/main.yml

@@ -36,7 +36,7 @@
       - /tmp:/tmp # temp s3 archive goes here
     env:
       AWS_ACCESS_KEY_ID: "{{aws_s3.aws_access_key}}"
-      AWS_SECRET_ACCESS_KEY: "{{aws_s3_secrets.aws_secret_key}}"
+      AWS_SECRET_ACCESS_KEY: "{{aws_s3.aws_secret_key}}"
       AWS_DEFAULT_REGION: "{{aws_s3.region}}"
       AWS_BUCKET: "{{aws_s3.bucket}}"
       AWS_ENDPOINT: "{{aws_s3.s3_url}}"

secrets-example.yml

@@ -1,4 +0,0 @@
-portainer:
-  password: ""
-aws_s3_secrets:
-  aws_secret_key: ""

secrets-vault-example.yml

@@ -0,0 +1,8 @@
+portainer:
+  password: ""
+aws_s3:
+  s3_url: ""
+  aws_access_key: ""
+  region: ""
+  bucket: ""
+  aws_secret_key: ""

secrets-vault.yml

@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+61363762386463363239383863386334663239316431656632363337383662393836666161383866
+6632613662396362326535343637653038303132346236660a646133323461333133623663363936
+66303762383261386437653030343465336463383561623661623837316337303032323364303763
+3836333231663065390a363833626265636665333431616364613736366339633231346630663664
+65313366366532363266373530623938366435303734356139303635393731623866343733663864
+34306363313964393965303632366265376136343964626562653866633233333762366132336663
+34343962363263373662626534396535356533323931316535303366346233306565353032643636
+35653135663936636632656535306562636461366133343963666462396364613434356439313364
+37376565646232346634313166306263653361633136383061353831383061376335323330366431
+38623938633236326539633334303835343662373461313738333531653763623835383431343332
+64613362396138643036643762643030636332663632376438393664623434646562396431333166
+63636132346565323434663063366631373162623863343564326465613936663533303135383637
+65366531316630353565396537656561643162616339616439666662316437366165393361363432
+37633137643837656238613738666634663162636532336530636231363135383965323833323333
+39306165356564633032333135383366356163343530393833373666636134386166653333613161
+36383039346531643134396432643738623862353338363737343134353033663636353762353561
+3936

setup-homelab.yml

@@ -2,10 +2,15 @@
 - hosts: servers
   become: true
   vars_files:
-    - secrets.yml
+    - secrets-vault.yml
   roles:
     - role: 'roles/setup_users'
+      tags: ["users"]
     - role: 'roles/setup_samba'
+      tags: ["samba"]
     - role: 'roles/setup_docker'
+      tags: ["docker"]
     - role: 'roles/setup_portainer'
+      tags: ["portainer"]
     - role: 'roles/setup_hosted_services'
+      tags: ["services"]