Add Ansible playbook for on-server deploy

Self-contained playbook intended to be run locally on the target
server, where this repo is already cloned (typically at
/var/www/e-auth). No SSH / inventory needed — hosts: localhost
with connection: local.

What it does:
- Installs Docker Engine + compose plugin from the official repo
  (idempotent, no-op if already present).
- Ensures /etc/caddy/site exists and templates the vhost file at
  /etc/caddy/site/e-auth.conf with the Cloudflare DNS-01 token for
  caddy-dns/cloudflare, reverse-proxying to 127.0.0.1:9450.
- Validates the Caddy config and reloads the service on change.
- Runs `docker compose pull` and `docker compose up -d` from the
  repo root.

Assumes Caddy is already installed with the caddy-dns/cloudflare
plugin and loads per-site files from /etc/caddy/site/*.conf.

Usage (on the server):
  cd /var/www/e-auth/ansible && ansible-playbook deploy.yml

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ansible/deploy.yml

@@ -0,0 +1,165 @@
+---
+# =============================================================
+# ecosplay-auth deploy playbook (local execution on the server)
+#
+# Assumes:
+#   - This repo is cloned at {{ deploy_dir }} (default /var/www/e-auth)
+#     and the playbook is invoked from inside ansible/.
+#   - Caddy is already installed on the server with the
+#     caddy-dns/cloudflare plugin and loads per-site files from
+#     /etc/caddy/site/*.conf.
+#   - The user running `ansible-playbook` has passwordless sudo.
+#
+# Usage:
+#   cd /var/www/e-auth/ansible
+#   ansible-playbook deploy.yml
+# =============================================================
+
+- name: Deploy ecosplay-auth (Keycloak + Caddy vhost)
+  hosts: localhost
+  connection: local
+  become: true
+  gather_facts: true
+
+  vars:
+    # Root of the repo (the parent of the ansible/ directory).
+    deploy_dir: "{{ playbook_dir | dirname }}"
+
+  tasks:
+
+    # ---------------------------------------------------------
+    # System prerequisites
+    # ---------------------------------------------------------
+    - name: Install base packages
+      ansible.builtin.apt:
+        name:
+          - ca-certificates
+          - curl
+          - gnupg
+          - python3-apt
+          - rsync
+        update_cache: yes
+        state: present
+
+    # ---------------------------------------------------------
+    # Docker Engine + compose plugin (idempotent)
+    # ---------------------------------------------------------
+    - name: Ensure /etc/apt/keyrings exists
+      ansible.builtin.file:
+        path: /etc/apt/keyrings
+        state: directory
+        mode: "0755"
+
+    - name: Add Docker GPG key
+      ansible.builtin.get_url:
+        url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg"
+        dest: /etc/apt/keyrings/docker.asc
+        mode: "0644"
+
+    - name: Add Docker apt repository
+      ansible.builtin.apt_repository:
+        repo: >-
+          deb [arch={{ ansible_architecture |
+                       replace('x86_64', 'amd64') |
+                       replace('aarch64', 'arm64') }}
+          signed-by=/etc/apt/keyrings/docker.asc]
+          https://download.docker.com/linux/{{ ansible_distribution | lower }}
+          {{ ansible_distribution_release }} stable
+        state: present
+        filename: docker
+        update_cache: yes
+
+    - name: Install Docker Engine + compose plugin
+      ansible.builtin.apt:
+        name:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+          - docker-buildx-plugin
+          - docker-compose-plugin
+        state: present
+
+    - name: Ensure Docker service is running
+      ansible.builtin.systemd:
+        name: docker
+        state: started
+        enabled: yes
+
+    # ---------------------------------------------------------
+    # Repo files (already present at {{ deploy_dir }})
+    # ---------------------------------------------------------
+    - name: Ensure deploy directory exists
+      ansible.builtin.file:
+        path: "{{ deploy_dir }}"
+        state: directory
+        mode: "0755"
+
+    - name: Ensure init/sync.sh is executable
+      ansible.builtin.file:
+        path: "{{ deploy_dir }}/init/sync.sh"
+        mode: "0755"
+
+    # ---------------------------------------------------------
+    # Caddy vhost for auth.e-cosplay.fr
+    # ---------------------------------------------------------
+    - name: Ensure /etc/caddy/site directory exists
+      ansible.builtin.file:
+        path: /etc/caddy/site
+        state: directory
+        mode: "0755"
+        owner: root
+        group: root
+
+    - name: Ensure /var/log/caddy directory exists
+      ansible.builtin.file:
+        path: /var/log/caddy
+        state: directory
+        mode: "0755"
+        owner: caddy
+        group: caddy
+      ignore_errors: true
+
+    - name: Deploy Caddy vhost for {{ auth_domain }}
+      ansible.builtin.template:
+        src: e-auth.conf.j2
+        dest: "{{ caddy_site_file }}"
+        mode: "0644"
+        owner: root
+        group: root
+      notify: Reload caddy
+
+    - name: Validate Caddy configuration
+      ansible.builtin.command: caddy validate --config /etc/caddy/Caddyfile
+      register: caddy_validate
+      changed_when: false
+      failed_when: caddy_validate.rc != 0
+
+    # ---------------------------------------------------------
+    # Bring up the docker-compose stack
+    # ---------------------------------------------------------
+    - name: Pull docker images
+      ansible.builtin.command: docker compose pull
+      args:
+        chdir: "{{ deploy_dir }}"
+      changed_when: false
+
+    - name: Start docker-compose stack
+      ansible.builtin.command: docker compose up -d --remove-orphans
+      args:
+        chdir: "{{ deploy_dir }}"
+      register: compose_up
+      changed_when: >-
+        'Started' in (compose_up.stderr | default(''))
+        or 'Created' in (compose_up.stderr | default(''))
+        or 'Recreated' in (compose_up.stderr | default(''))
+
+    - name: Show compose output
+      ansible.builtin.debug:
+        var: compose_up.stderr_lines
+      when: compose_up.stderr_lines is defined
+
+  handlers:
+    - name: Reload caddy
+      ansible.builtin.systemd:
+        name: caddy
+        state: reloaded

ansible/group_vars/all.yml

@@ -0,0 +1,14 @@
+---
+# ecosplay-auth deploy vars
+
+deploy_dir: /var/www/e-auth
+auth_domain: auth.e-cosplay.fr
+keycloak_local_port: 9450
+
+# Caddy (assumed already installed with the caddy-dns/cloudflare plugin
+# and configured to load per-site files from /etc/caddy/site/*.conf)
+caddy_site_file: /etc/caddy/site/e-auth.conf
+
+# Cloudflare API token consumed by the caddy-dns/cloudflare plugin
+# for the ACME DNS-01 challenge.
+cloudflare_token: cfat_rIHZqzCm9GKK3xVnQDNGfu6J91TseIDdTKeuWSFUdf6ccd31

ansible/templates/e-auth.conf.j2

@@ -0,0 +1,19 @@
+# Managed by Ansible - ecosplay-auth
+# Reverse proxy for {{ auth_domain }} -> local Keycloak container on :{{ keycloak_local_port }}
+
+{{ auth_domain }} {
+    tls {
+        dns cloudflare {{ cloudflare_token }}
+    }
+
+    encode gzip zstd
+
+    reverse_proxy 127.0.0.1:{{ keycloak_local_port }}
+
+    log {
+        output file /var/log/caddy/{{ auth_domain }}.log {
+            roll_size 10mb
+            roll_keep 10
+        }
+    }
+}