--- # ============================================================================ # Semaphore configuration-as-code # ============================================================================ # Drives a freshly-deployed Semaphore instance into its desired state via # the Semaphore REST API. Idempotent: every object is checked first; only # missing ones are created. Existing objects are left alone. # # Loaded from group_vars/all/semaphore.yml so that the configuration is # version-controlled in the homelab repo and survives a wipe-and-redeploy # of the Semaphore VM. # ============================================================================ # --------------------------------------------------------------------------- # API connection (defaults to the local Traefik-fronted service-name URL). # Override semaphore_api_url to point at a specific instance if needed. # --------------------------------------------------------------------------- semaphore_api_url: "https://semaphore.local.mk-labs.cloud/api" semaphore_api_validate_certs: true semaphore_api_token: "{{ vault_semaphore_api_token }}" # Feature flag — keeps day1_deploy_semaphore.yml deploy-only by default. # Set true to also run the configuration pass. semaphore_configure: false # --------------------------------------------------------------------------- # Declarative configuration of the Semaphore instance. # --------------------------------------------------------------------------- # # Top-level shape: # # semaphore_config: # project: single dict — the lab uses one project ("mk-labs") # keys: list of credentials Semaphore stores # repositories: git repos Semaphore can clone # inventories: Ansible inventories from those repos # environments: env-var bundles # templates: task templates that tie everything together # # Each list element has a unique "name" used as the natural identity key. # --------------------------------------------------------------------------- semaphore_config: project: name: mk-labs alert: false max_parallel_tasks: 0 # 0 = unlimited keys: # The ansible-vault password. login_password type with empty login # — only the password field is consumed by Semaphore at runtime. - name: ansible-vault-pass type: login_password login: "" password: "{{ vault_ansible_vault_password }}" # SSH key for the gitea deploy access (clone the homelab repo). - name: gitea-deploy type: ssh ssh_login: git ssh_private_key: "{{ vault_gitea_deploy_key }}" # SSH key for the universal automation account 'wed' — pre-baked in # every mk-labs VM template. This is the canonical user Semaphore # uses to reach the fleet. - name: wed-ssh type: ssh ssh_login: wed ssh_private_key: "{{ vault_wed_ssh_private_key }}" # SSH key Semaphore can use to reach the fleet as jarvis (admin # account provisioned by linux-baseline). Retained for jobs that # specifically need jarvis-level access; the default is wed-ssh. - name: jarvis-ssh type: ssh ssh_login: jarvis ssh_private_key: "{{ vault_jarvis_ssh_private_key }}" repositories: - name: homelab git_url: "ssh://git@gitea.mk-labs.cloud:2221/rblundon/homelab.git" git_branch: main ssh_key: gitea-deploy inventories: - name: production type: file inventory_file: ansible/inventory.yml repository: homelab # wed is the universal automation account pre-baked in every VM # template. Semaphore uses it for fleet-wide jobs. ssh_key: wed-ssh # become_key is Semaphore's sudo PASSWORD slot, not a second SSH # key. wed has passwordless sudo on every host, so reference the # built-in "None" key. (Semaphore rejects an SSH-type key here.) become_key: None environments: - name: default env: ANSIBLE_HOST_KEY_CHECKING: "False" ANSIBLE_FORCE_COLOR: "True" # Semaphore runs ansible-playbook from the playbook's directory # (ansible/playbooks/), which doesn't pick up ansible.cfg from # the parent ansible/ dir. Point roles_path at the canonical # location relative to that working directory. ANSIBLE_ROLES_PATH: "../roles" templates: - name: "day0_linux_baseline" description: "Apply the mk-labs Linux baseline to one or more hosts." app: ansible playbook: ansible/playbooks/day0_linux_baseline.yml inventory: production repository: homelab environment: default vault_password: ansible-vault-pass arguments: '["--diff"]' survey_vars: - name: target title: "Target host or group" description: "Inventory target (e.g. figment, semaphore_server, all)" required: true type: TextVar default_value: "all" - name: "day1_deploy_semaphore" description: "Re-deploy Semaphore + PostgreSQL on figment." app: ansible playbook: ansible/playbooks/day1_deploy_semaphore.yml inventory: production repository: homelab environment: default vault_password: ansible-vault-pass arguments: '["--diff"]' - name: "day0_linux_baseline_check" description: "Dry-run the baseline — shows diffs, applies nothing." app: ansible playbook: ansible/playbooks/day0_linux_baseline.yml inventory: production repository: homelab environment: default vault_password: ansible-vault-pass arguments: '["--check","--diff"]' survey_vars: - name: target title: "Target host or group" description: "Inventory target (e.g. figment, semaphore_server, all)" required: true type: TextVar default_value: "all"