new-site/infra/ansible/playbooks/site.yml
justin 4dc5690666 infra: codify the email-campaign pipeline in Ansible (new mail-pipeline role)
The entire outbound campaign pipeline lived ONLY on the host and was never in
IaC -- a fresh rebuild would have silently shipped NO campaigns, NO IP warmup/
ramp, and NO bounce processing. New mail-pipeline role + deploy-mail-pipeline.yml
playbook deploy it from the canonical repo copies:

  cron.d (infra/cron/):
    - pw-trucking-campaign-builder, pw-ifta-campaign, pw-ucr-campaign
    - pw-hc-campaign, pw-hc-nppes, pw-hc-refresh
    - pw-mta-warmup, pw-listmonk-rampcap, pw-hc-rampcap
    - pw-ip-rehab, pw-warmup-tg-alert
  helper scripts (-> /usr/local/bin):
    - pw-mta-warmup, pw-listmonk-rampcap, pw-hc-rampcap, pw-warmup-tg-alert
    - postfix-bounce-notify.sh, postfix-hc-bounce-notify.sh, listmonk-bounce-sync.py
  systemd services:
    - pw-bounce-watcher.service (was missing from repo), pw-hc-bounce-watcher.service

Also creates the deploy-owned {{project_dir}}/logs dir (deploy can't write
/var/log, so a missing dir made cron redirects fail). Added the 6 cron.d files
that existed only on the host, the trucking bounce-watcher unit, and synced
infra/cron/pw-hc-refresh to the live version (revalidation download + enrich
steps). Role wired into site.yml after the mail (OpenDKIM) role.

Part of the email-deliverability incident hardening.
2026-06-17 20:26:01 -05:00


---
# Performance West — Full Stack Provisioning
# Provisions a fresh Debian 13 server from scratch.
#
# Usage:
#   ansible-playbook playbooks/site.yml -i inventory/hosts.yml --ask-vault-pass
#
# Roles run in order:
#   common           — packages, deploy user, SSH hardening, UFW
#   docker           — Docker CE + compose plugin + performancewest.service systemd unit
#   postgresql       — API PostgreSQL + backup cron + migrations
#   app              — Express API container
#   site             — Astro static site container
#   erpnext          — ERPNext CRM + workers + scheduler (custom image with frappe_crypto + frappe_adyen)
#   minio            — MinIO object storage + bucket creation
#   workers          — Python job server + Ollama LLM
#   worker-crons     — (not described in this header)
#   shkeeper         — k3s + Helm + SHKeeper (crypto payments: BTC/ETH/USDC/Polygon/TRX/BNB/LTC)
#   mail             — OpenDKIM signing for outbound Postfix mail (incl. Listmonk campaigns)
#   mail-pipeline    — campaign cron builders + IP warmup/ramp + bounce watchers
#   nginx            — nginx + certbot TLS for all domains + fail2ban
#   monitoring       — (not described in this header)
#   security-updates — (not described in this header)
- name: Provision Performance West server
  hosts: pw
  become: true
  roles:
    - common
    - docker
    - postgresql
    - app
    - site
    - erpnext
    - minio
    - workers
    - worker-crons
    - shkeeper
    - mail
    - mail-pipeline
    - nginx
    - monitoring
    - security-updates
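The mail-pipeline role's own task list is not on this page. As an added example (not the project's code), the block below shows how the behaviour the commit message describes could be expressed as a tasks/main.yml for that role. The variable names project_dir and deploy_user, the role's files/ layout, and the relative path from playbooks/ back to infra/cron/ are assumptions; the cron.d, script and unit names are taken from the commit message.

```yaml
# Hypothetical roles/mail-pipeline/tasks/main.yml (illustration, not the repo's file).
# Assumed variables: project_dir, deploy_user (expected to come from the common role).
---
- name: Create the deploy-owned log directory the cron jobs redirect into
  # deploy cannot write /var/log; a missing dir makes every cron redirect fail
  ansible.builtin.file:
    path: "{{ project_dir }}/logs"
    state: directory
    owner: "{{ deploy_user }}"
    group: "{{ deploy_user }}"
    mode: "0750"

- name: Install helper scripts into /usr/local/bin
  # root-owned and not writable by deploy: these are invoked from root's cron.d
  # entries, so a deploy-writable copy would be a deploy-to-root escalation path
  ansible.builtin.copy:
    src: "{{ item }}"                      # assumed: roles/mail-pipeline/files/
    dest: "/usr/local/bin/{{ item }}"
    owner: root
    group: root
    mode: "0755"
  loop:
    - pw-mta-warmup
    - pw-listmonk-rampcap
    - pw-hc-rampcap
    - pw-warmup-tg-alert
    - postfix-bounce-notify.sh
    - postfix-hc-bounce-notify.sh
    - listmonk-bounce-sync.py

- name: Install cron.d schedules from the canonical infra/cron/ copies
  # Debian cron skips /etc/cron.d files that are not root-owned, are group- or
  # other-writable, or whose name contains characters outside [A-Za-z0-9_-]
  # (run-parts naming rules). A wrong owner or mode here reproduces the
  # "silently ships no campaigns" failure without any error in the play.
  ansible.builtin.copy:
    src: "{{ playbook_dir }}/../../cron/{{ item }}"   # playbooks/ -> infra/cron/ (assumed)
    dest: "/etc/cron.d/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - pw-trucking-campaign-builder
    - pw-ifta-campaign
    - pw-ucr-campaign
    - pw-hc-campaign
    - pw-hc-nppes
    - pw-hc-refresh
    - pw-mta-warmup
    - pw-listmonk-rampcap
    - pw-hc-rampcap
    - pw-ip-rehab
    - pw-warmup-tg-alert

- name: Install the bounce-watcher systemd units
  ansible.builtin.copy:
    src: "{{ item }}"                      # assumed: roles/mail-pipeline/files/
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - pw-bounce-watcher.service
    - pw-hc-bounce-watcher.service

- name: Reload systemd and enable the bounce watchers
  ansible.builtin.systemd:
    name: "{{ item }}"
    daemon_reload: true
    enabled: true
    state: started
  loop:
    - pw-bounce-watcher.service
    - pw-hc-bounce-watcher.service
```

Two checks worth running after a rebuild, since cron reports neither problem: `stat -c '%U %a %n' /etc/cron.d/pw-*` should show every file as root with mode 644, and `systemctl is-enabled pw-bounce-watcher pw-hc-bounce-watcher` should print `enabled` for both. Keeping the scripts and cron.d files root-owned also preserves the boundary the common role sets up: the deploy user owns the application and its logs, but nothing that root's scheduler executes.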