Ansible
Host-level configuration management — the layer between cloud infrastructure (pulumi) and containerized workloads (argocd). The primary playbook is ansible/playbooks/indri.yml (targets indri); separate playbooks exist for ringtail and sifaka.
CLI Patterns
# Full provisioning
mise run provision-indri
# Specific role only
mise run provision-indri -- --tags caddy
# Dry run (preview changes)
mise run provision-indri -- --check --diffOther hosts have their own playbooks:
# Ringtail (NixOS, k3s)
mise run provision-ringtail
# Sifaka (Synology NAS exporters)
mise run provision-sifakaAvailable Roles
| Role | Purpose | Service |
|---|---|---|
| alloy | Observability collector | alloy |
| borgmatic | Backup automation | borgmatic |
| borgmatic_metrics | Backup metrics exporter | borgmatic |
| caddy | Reverse proxy & TLS | routing |
| forgejo | Git forge | forgejo |
| forgejo_actions_secrets | CI/CD secrets for Forgejo Actions | forgejo |
| forgejo_metrics | Forge metrics exporter | forgejo |
| jellyfin | Media server | jellyfin |
| jellyfin_metrics | Media metrics exporter | jellyfin |
| minikube | Kubernetes cluster | cluster |
| minikube_metrics | Cluster metrics | cluster |
| zot | Container registry | zot |
| zot_metrics | Registry metrics | zot |
Role Structure
Each role follows Ansible conventions:
ansible/roles/<role>/
├── defaults/main.yml # Default variables
├── tasks/main.yml # Task definitions
├── handlers/main.yml # Handlers (restarts, etc.)
├── templates/ # Jinja2 templates
└── files/ # Static files
Secrets
Roles that need secrets use 1Password via the playbook’s pre_tasks. Secrets are gathered at playbook start and passed to roles as variables.
Related
- indri — Primary managed host
- ringtail — NixOS host managed by its own playbook
- sifaka — Synology NAS managed by its own playbook
- observability — Metrics collection