diff --git a/.ruby-version b/.ruby-version
new file mode 100644
index 0000000..a3ec5a4
--- /dev/null
+++ b/.ruby-version
@@ -0,0 +1 @@
+3.2
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..998dc09
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gem "rake"
diff --git a/Gemfile.lock b/Gemfile.lock
new file mode 100644
index 0000000..eb7649c
--- /dev/null
+++ b/Gemfile.lock
@@ -0,0 +1,13 @@
+GEM + remote: https://rubygems.org/ + specs: + rake (13.0.6) + +PLATFORMS + arm64-darwin-22 + +DEPENDENCIES + rake + +BUNDLED WITH + 2.4.1
diff --git a/lotus-land-story/.gitignore b/lotus-land-story/.gitignore
new file mode 100644
index 0000000..342875a
--- /dev/null
+++ b/lotus-land-story/.gitignore
@@ -0,0 +1,2 @@
+terraform.tfvars
+vars.yml
diff --git a/lotus-land-story/Rakefile b/lotus-land-story/Rakefile
new file mode 100644
index 0000000..3fec8ad
--- /dev/null
+++ b/lotus-land-story/Rakefile
@@ -0,0 +1,25 @@
+require "yaml"
+
+DOMAIN = ENV.fetch("LOTUS_LAND_STORY_DOMAIN")
+
+task terraform: "terraform.tfvars" do
+ sh "terraform apply"
+end
+
+task ansible: "vars.yml" do
+ sh "ansible-playbook main.yml"
+end
+
+task "terraform.tfvars" do |t|
+ File.write(t.name, "domain = \"#{DOMAIN}\"")
+end
+
+task "vars.yml" do |t|
+ miniflux_password = `op read op://Private/Miniflux/password`.strip
+ File.write(t.name, YAML.dump({
+ "domain" => DOMAIN,
+ "miniflux_password" => miniflux_password,
+ }))
+end
+
+task default: %i[ terraform ansible ]
diff --git a/lotus-land-story/main.yml b/lotus-land-story/main.yml
index f43ec6f..261afe3 100644
--- a/lotus-land-story/main.yml
+++ b/lotus-land-story/main.yml
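Review bot: In the Rakefile's `vars.yml` task the exit status of the backticked `op read` is never checked, so a failed lookup (CLI not signed in, item renamed) yields an empty string that is written out as `miniflux_password` and handed to the playbook. A guard directly after the call, `abort "op read failed" unless $?.success?`, stops the run before a blank credential is deployed. The same task writes the secret in plaintext under the process umask, which commonly leaves the file readable by group and others; passing `perm: 0o600` as a keyword to `File.write` restricts it when the file is first created. The `.gitignore` entry added in this commit keeps `vars.yml` out of the repository but does nothing about other local accounts or backups.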
@@ -1,12 +1,9 @@ - name: Set up lotus-land-story hosts: lotus-land-story + vars_files: + - vars.yml tasks: - - name: Set facts from environment variables - ansible.builtin.set_fact: - domain: "{{ lookup('ansible.builtin.env', 'TF_VAR_domain') }}" - miniflux_password: "{{ lookup('ansible.builtin.env', 'MINIFLUX_PASSWORD') }}" - # https://wiki.debian.org/PostgreSql - name: Install postgres ansible.builtin.apt: @@ -21,10 +18,11 @@ line: /dev/disk/by-id/scsi-0Linode_Volume_lotus-land-story /mnt/lotus-land-story ext4 defaults,noatime,nofail 0 2 state: present - name: Make /mnt/lotus-land-story/postgresql - file: + ansible.builtin.file: path: /mnt/lotus-land-story/postgresql state: directory owner: postgres + mode: "0755" - name: Set data directory to volume ansible.builtin.lineinfile: dest: "/etc/postgresql/13/main/postgresql.conf" @@ -53,23 +51,27 @@ - gnupg state: present - name: Make /etc/apt/keyrings - file: + ansible.builtin.file: path: /etc/apt/keyrings state: directory - mode: 0755 + mode: "0755" - name: Download Docker GPG key - ansible.builtin.shell: curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg + ansible.builtin.shell: | + set -o pipefail + curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg args: creates: /etc/apt/keyrings/docker.gpg - name: Get architecture - command: dpkg --print-architecture + ansible.builtin.command: dpkg --print-architecture register: arch + changed_when: arch.rc != 0 - name: Set up docker repository ansible.builtin.template: src: templates/docker.list dest: /etc/apt/sources.list.d/docker.list + mode: "0644" - name: Install docker - apt: + ansible.builtin.apt: pkg: - docker-ce - docker-ce-cli 
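Review bot: `mode: "0755"` in the "Make /mnt/lotus-land-story/postgresql" task leaves the database volume directory listable and traversable by every local account, although only the `postgres` owner needs access. The `data_directory` value written by the following task is not visible in this hunk; if it points directly at this path, PostgreSQL refuses to start unless the directory is `0700` or `0750`, and if it points at a subdirectory, `mode: "0700"` here still works for the owner. A short comment saying which case applies, e.g. `# parent of data_directory, postgres-only`, would make the choice reviewable.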
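Review bot: The "Download Docker GPG key" task now starts with `set -o pipefail`, but `ansible.builtin.shell` runs under /bin/sh unless told otherwise, and where that is dash (the Debian default) older releases reject the option, so the task would fail before curl runs. Adding `executable: /bin/bash` under the existing `args:` next to `creates:` makes the pipefail take effect. Separately, `changed_when: arch.rc != 0` on "Get architecture" can never be true for a task that succeeded, so `changed_when: false` states the intent of a read-only command more plainly.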
@@ -84,8 +86,11 @@ block: - name: Get docker0 IP address - ansible.builtin.shell: ip -4 -o addr show docker0 | awk '{print $4}' + ansible.builtin.shell: ip -4 -o addr show docker0 | awk '{print $4}' # noqa: risky-shell-pipe + vars: + executable: /usr/bin/bash register: docker_ip + changed_when: docker_ip.rc != 0 - name: Listen on docker0 interface ansible.builtin.lineinfile: dest: "/etc/postgresql/13/main/conf.d/listen.conf" @@ -93,6 +98,7 @@ line: "listen_addresses='localhost,{{ docker_ip.stdout | ansible.utils.ipaddr('address') }}'" state: present create: true + mode: "0644" notify: Restart postgres - name: Set up postgres for miniflux @@ -147,17 +153,19 @@ - "host.docker.internal:host-gateway" - name: Make /mnt/lotus-land-story/caddy - file: + ansible.builtin.file: path: /mnt/lotus-land-story/{{ item }} state: directory + mode: "0755" loop: - - caddy - - caddy/data - - caddy/config + - caddy + - caddy/data + - caddy/config - name: Set up Caddyfile ansible.builtin.template: src: templates/Caddyfile dest: /mnt/lotus-land-story/caddy/Caddyfile + mode: "0644" - name: Run caddy community.docker.docker_compose: project_name: caddy @@ -182,3 +190,5 @@ ansible.builtin.service: name: postgresql state: restarted + +# vim: ft=yaml.ansible
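Review bot: In "Get docker0 IP address" the added `vars:` block only defines a task variable named `executable`; the shell module does not read it, so the command still runs under the default /bin/sh and the `# noqa: risky-shell-pipe` silences the lint without addressing it. If `ip` fails, `awk` still exits 0 with empty output, and the empty `docker_ip.stdout` flows into the `listen_addresses` line written by the next task. Replace `vars:` with `args:` (keeping `executable`), prefix the command with `set -o pipefail`, and consider `failed_when: docker_ip.stdout | length == 0` so a missing address stops the play. `changed_when: false` would also read more clearly than `docker_ip.rc != 0`. The enclosing `block:` starts outside this hunk.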
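Review bot: The loop in "Make /mnt/lotus-land-story/caddy" applies `mode: "0755"` to `caddy/data` and `caddy/config` as well as the parent directory. Assuming `caddy/data` is mounted as Caddy's data directory (the compose definition lies outside this hunk), it stores certificate private keys and the ACME account key, so world-traversable access is broader than needed. Setting an explicit `owner:` that matches the container's user and using `mode: "0700"` for the `data` and `config` entries keeps that material private to the service.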