YardmasterYardmaster Docs

Quickstart

Requirements

Ansible on the PATH: ansible-playbook and ansible-inventory. Nothing else for the default SQLite setup. Go 1.26 to build from source, or use the container image.

Run the server

go build -o yardmaster .
YARDMASTER_ENCRYPTION_KEY=change-me YARDMASTER_ENCRYPTION_SALT=change-me-too \
  ./yardmaster serve --addr :8080 --db yardmaster.db

The key and salt together seal stored credentials at rest with argon2id and AES-256-GCM. Without both the server still runs, but credential features stay off. Keep the salt stable across restarts or existing credentials cannot be decrypted.

Open http://localhost:8080 for the web UI, or use the API directly.

Submit a run

curl -X POST localhost:8080/runs \
  -d '{"playbook": "site.yml", "inventory": "hosts.ini"}'

The response carries a run id. Fetch its status, its structured events, or its log:

curl localhost:8080/runs/<id>
curl localhost:8080/runs/<id>/events
curl localhost:8080/runs/<id>/logs

Add "shards": 4 to the body to split the run across four slices of the inventory, balanced by each host's measured duration in recent runs.

Add a worker

Point a worker at the same database and it competes for queued runs:

YARDMASTER_ENCRYPTION_KEY=change-me YARDMASTER_ENCRYPTION_SALT=change-me-too \
  ./yardmaster worker --db yardmaster.db --name laptop

For more than one machine, use a PostgreSQL DSN as the --db value on every process.

Lock down the API

Creating the first token turns on authentication. Until then the API is open so a fresh install works immediately.

./yardmaster token new --db yardmaster.db --name ci

Create user accounts with roles for sign-in:

YARDMASTER_PASSWORD=secret ./yardmaster user new operator-jane --role operator --db yardmaster.db

Run with Docker

export YARDMASTER_ENCRYPTION_KEY=change-me
export YARDMASTER_ENCRYPTION_SALT=change-me-too
docker compose up --build

This starts a server, a PostgreSQL database, and a worker. The server listens on port 8080. Set YARDMASTER_PORT to change the host port.

Set up a production server

For a real install, init generates the encryption key and salt, creates the first admin account, and writes a config file in one step. It can also write a systemd unit:

./yardmaster init --db yardmaster.db --config yardmaster.env --systemd yardmaster.service

It prints the admin password once, so save it. Move the unit into place and start it:

sudo cp yardmaster.service /etc/systemd/system/yardmaster.service
sudo systemctl enable --now yardmaster

Serve HTTPS directly, with no reverse proxy in front, by pointing the server at a certificate and key:

./yardmaster serve --db yardmaster.db --tls-cert tls.crt --tls-key tls.key

Run on Kubernetes

Yardmaster needs no operator. A Helm chart installs the server and a worker as ordinary pods sharing a database:

helm install yardmaster ./deploy/helm/yardmaster

Try the demo

To look around without setting anything up, run the seeded demo. It fills a fresh database with sample projects, templates, inventories, and real runs, including a flaky host, a split, and a pipeline, then serves it read-only so it is safe to expose:

./yardmaster demo --addr :8080

Or with Docker: docker compose --profile demo up --build.