homeserver/group_vars/all.yml

---
  ### wird in vielen Rollen verwendet
  ssh_public_key_mg: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKL8opSQ0rWVw9uCfbuiqmXq188OP4xh66MBTO3zV5jo heimserver_mg_v3
  empfaenger_mail: michael.grote@posteo.de
  file_header: |
    #----------------------------------------------------------------#
    #              This file is managed with ansible!                #
    #----------------------------------------------------------------#
  ### mgrote.restic
  restic_user: root
  restic_group: restic
  restic_conf_dir: /etc/restic
  restic_exclude: |
        ._*
        desktop.ini
        .Trash-*
        **/**cache***/**
        **/**Cache***/**
        **/**AppData***/**
        # https://github.com/restic/restic/issues/1005
        # https://forum.restic.net/t/exclude-syntax-confusion/1531/12
  restic_mount_timeout: "10 min"
  restic_failure_delay: "30 s"
  restic_schedule: "0/6:00" # alle 6 Stunden
  restic_folders_to_backup: "/" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
  restic_repository: "//fileserver2.grote.lan/restic"
  restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"
  restic_mount_user: restic
  restic_mount_password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}"
  restic_fail_mail: "{{ empfaenger_mail }}"
  ### mgrote.user
  users:
    - username: mg
      password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
      update_password: on_create
      groups: ssh, sudo
      state: present
      public_ssh_key: "{{ ssh_public_key_mg }}"
      allow_sudo: true
      allow_passwordless_sudo: true
    - username: ansible-user
      password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
      update_password: on_create
      groups: ssh, sudo
      state: present
      public_ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2
      allow_sudo: true
      allow_passwordless_sudo: true
  ### mgrote.munin-node
  munin_node_bind_host: "0.0.0.0"
  munin_node_bind_port: "4949"
  munin_node_allowed_cidrs: [192.168.2.0/24]
  munin_node_disabled_plugins:
    - name: meminfo # zu hohe last
    - name: hddtemp2 # ersetzt durch hddtemp_smartctl
    - name: ntp # verursacht zu viele dns ptr request
    - name: hddtempd # ersetzt durch hddtemp_smartctl
  munin_node_plugins:
    - name: timesync
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/timesync_status
    - name: systemd_status
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
    - name: systemd_mem
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
      config: |
        [systemd_mem]
        env.all_services true
    - name: lvm_
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_
      config: |
        [lvm_*]
        user root
    - name: fail2ban
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
      config: |
        [fail2ban]
        env.client /usr/bin/fail2ban-client
        env.config_dir /etc/fail2ban
        user root
  ### mgrote.dotfiles
  dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
  dotfiles_repo_path: /home/mg/dotfiles
  dotfiles_files:
    - repo_path: "{{ dotfiles_repo_path}}/.vimrc"
      local_path: "/home/mg/.vimrc"
    - repo_path: "{{ dotfiles_repo_path}}/.tmux.conf"
      local_path: "/home/mg/.tmux.conf"
    - repo_path: "{{ dotfiles_repo_path}}/.gitconfig"
      local_path: "/home/mg/.gitconfig"
  dotfiles_owner: mg
  ### jnv.unattended_upgrades
  unattended_mail: "{{ empfaenger_mail }}"
  unattended_mail_only_on_error: true
  unattended_syslog_enable: true
  unattended_origins_patterns:
    - 'origin=Ubuntu,archive=${distro_codename}-security'
    - 'o=Ubuntu,a=${distro_codename}-updates'
  ### mgrote.systemd-timesyncd
  ntp_timesyncd_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet
  ntp_timesyncd_servers: # welche Server sollen befragt werden
    - 192.168.2.1
  ntp_chrony_logging: false # logging an/aus
  ### mgrote.postfix
  postfix_absender_mailadresse: info@mgrote.net
  postfix_absender_passwort: "{{ lookup('keepass', 'postfix_absender_passwort', 'password') }}"
  postfix_erlaubte_netzwerke: "127.0.0.0/8 192.168.2.0/24"
  postfix_mail_nach_cronjob: false
  postfix_smtp_server: smtp.strato.de
  postfix_smtp_server_port: 587
  postfix_smtp_use_tls: "yes"
  ### mgrote.apt_manage_sources
  manage_sources_apt_proxy: "acng.grote.lan:9999"
  ### mgrote.tmux
  tmux_conf_destination: "/home/mg/.tmux.conf"
  tmux_bashrc_destination: "/home/mg/.bashrc"
  tmux_standardsession_name: "default"
  ### mgrote.fail2ban
  f2b_bantime: 300
  f2b_findtime: 300
  f2b_maxretry: 5
  f2b_destemail: "{{ empfaenger_mail }}"
  f2b_sender: "{{ postfix_absender_mailadresse }}"
  ### oefenweb.ufw
  ufw_rules:
    - rule: allow
      to_port: 22
      protocol: tcp
      comment: 'ssh'
      from_ip: 0.0.0.0/0
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.2.0/24
  ufw_default_incoming_policy: deny
  ufw_default_outgoing_policy: allow
  ### mgrote.apt_manage_packages
  apt_packages_common:
    - locales
    - python3
    - build-essential
    - htop
    - git
    - dnsutils
    - mc
    - cifs-utils
    - haveged #https://www.linux-magazin.de/ausgaben/2011/09/einfuehrung2/
    - ca-certificates
    - netdiscover
    - tree
    - curl
    - whois
    - logrotate
    - ncdu
    - net-tools
    - apt-transport-https
    - neofetch
    - moreutils
    - acl
    - vim
    - rsync
    - at
    - ripgrep
    - iotop
    - pwgen
  apt_packages_physical:
    - hddtemp
    - ipmitool
    - s-tui
    - smartmontools
    - lm-sensors
    - ethtool
  apt_packages_vm:
    - qemu-guest-agent
    - open-vm-tools
  apt_packages_absent:
    - nano
    - ubuntu-advantage-tools
  apt_packages_internet:
    - https://git.mgrote.net/mg/bash-helper-scripts-mgrote/raw/branch/master/output/bash-helper-scripts-mgrote-latest.deb



  # Ansible Variablen
  ### User
  ansible_user: "ansible-user"
  ### SSH
  ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'"
  ### python3
  # https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html
  ansible_python_interpreter: "/usr/bin/python3"

  # Ansible Plugin Variablen
  ### Keepass
  # https://github.com/viczem/ansible-keepass
  keepass_dbx: "./keepass_db.kdbx"
  keepass_psw: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          62383737623066396239383336646164616537646630653964313532383130343533346561633039
          3437306134656535353438666165376332633064383135650a636537626662656130376537633164
          61613132326536666466636632363866393066656236303766333338356337396338376266346631
          6364336331623539300a313562303161373631613734313938346666376239613333333363376236
          38363035376662353135333332363431343833656666643036326234656166643531