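---
# Ansible variables file (presumably group_vars): values shared by the roles
# named in the "###" section headers, followed by the Ansible connection and
# plugin settings that apply to every host this file covers.
# Indentation below was reconstructed; several IP/CIDR literals and munin
# section headers had stray spaces ("192.168 .2 .1", "[ systemd_mem]") that
# are repaired here.

### used by many roles
no_debug: true  # when set to true "no_log" is also set to true
ansible_facts_parallel: true
ssh_public_key_mg: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKL8opSQ0rWVw9uCfbuiqmXq188OP4xh66MBTO3zV5jo heimserver_mg_v3
my_mail: michael.grote@posteo.de
file_header: |
  #----------------------------------------------------------------#
  # This file is managed with ansible! #
  #----------------------------------------------------------------#
# for access to non-public git.mgrote.net repos
ansible_forgejo_user: svc_ansible
# this user was added to the repo as a read-only "Collaborator"
ansible_forgejo_user_pass: "{{ lookup('viczem.keepass.keepass', 'forgejo/user_setup_forgejo_user_pass', 'password') }}"

### mgrote_user_setup
dotfiles:
  - user: mg
    home: /home/mg
  - user: root
    home: /root
dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
# NOTE(review): the Forgejo credential is embedded in the clone URL, so if the
# role clones with git it persists in the checkout's remote URL on every
# target; a read-only deploy key or a credential helper would keep it out.
dotfiles_vim_vundle_repo_url: "https://{{ ansible_forgejo_user | urlencode }}:{{ ansible_forgejo_user_pass | urlencode }}@git.mgrote.net/mirrors/Vundle.vim.git"

### mgrote_netplan
netplan_configure: true

### mgrote_user
# Both accounts get passwordless sudo, so the SSH key is the only gate on root
# access; password hashes come from KeePass, nothing is stored in clear here.
users:
  - username: mg
    password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
    update_password: always
    groups:
      - ssh
      - sudo
    state: present
    public_ssh_key: "{{ ssh_public_key_mg }}"
    allow_sudo: true
    allow_passwordless_sudo: true
  - username: ansible-user
    password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
    update_password: always
    groups:
      - ssh
      - sudo
    state: present
    public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE
    allow_sudo: true
    allow_passwordless_sudo: true

### hifis_unattended_upgrades
unattended_mail: "{{ my_mail }}"
unattended_mail_only_on_error: true
unattended_syslog_enable: true
# all ZFS-related; kept out of unattended upgrades
unattended_package_blacklist:
  - libzfs4linux
  - libzpool5linux
  - zfs-initramfs
  - zfs-zed
  - zfsutils-linux
unattended_origins_patterns:
  - 'origin=Ubuntu,archive=${distro_codename}-security'
  - 'o=Ubuntu,a=${distro_codename}-updates'

### mgrote_ntp_chrony_client
ntp_chrony_timezone: "Europe/Berlin"  # time zone the host is in
ntp_chrony_driftfile_directory: "/var/lib/chrony"  # directory for the drift file
ntp_chrony_servers:  # servers to query
  - address: 192.168.2.1
    options: iburst  # optional parameter
ntp_chrony_user: _chrony  # user + group for the service
ntp_chrony_group: _chrony  # user + group for the service
ntp_chrony_logging: false

### mgrote_postfix
postfix_smtp_server: docker10.mgrote.net
postfix_smtp_server_port: 1025

### mgrote_fail2ban
f2b_bantime: 300
f2b_findtime: 300
f2b_maxretry: 5
f2b_destemail: "{{ my_mail }}"
f2b_sender: info@mgrote.net

### oefenweb.ufw
ufw_rules:
  # NOTE(review): SSH accepts any source address; fail2ban (above) only slows
  # brute forcing, a source CIDR like the munin rule below would narrow it.
  - rule: allow
    to_port: 22
    protocol: tcp
    comment: 'ssh'
    from_ip: 0.0.0.0/0
  - rule: allow
    to_port: 4949
    protocol: tcp
    comment: 'munin'
    from_ip: 192.168.2.0/24
ufw_default_incoming_policy: deny
ufw_default_outgoing_policy: allow

### mgrote_restic
restic_exclude: |
  ._*
  desktop.ini
  .Trash-*
  **/**cache***/**
  **/**Cache***/**
  **/**AppData***/**
restic_folders_to_backup: "/usr/local /etc /root /home"
restic_repository: "//fileserver3.mgrote.net/restic"
restic_fail_mail: "{{ my_mail }}"  # same address as unattended_mail / f2b_destemail
restic_repository_password: "{{ lookup('viczem.keepass.keepass', 'restic_repository_password', 'password') }}"
restic_mount_password: "{{ lookup('viczem.keepass.keepass', 'fileserver/fileserver_smb_user_restic', 'password') }}" #gitleaks:allow
restic_mount_user: restic
restic_schedule: "*-*-* 4:00:00"  # daily at 04:00 (systemd calendar syntax)

### mgrote_apt_manage_packages
apt_packages_common:
  - locales
  - python3
  - build-essential
  - htop
  - git
  - dnsutils
  - mc
  - cifs-utils
  - haveged  # https://www.linux-magazin.de/ausgaben/2011/09/einfuehrung2/
  - ca-certificates
  - netdiscover
  - tree
  - curl
  - whois
  - logrotate
  - ncdu
  - net-tools
  - apt-transport-https
  - moreutils
  - acl
  - vim
  - rsync
  - at
  - ripgrep
  - iotop
  - pwgen
  - keychain
  - bc
  - jq
apt_packages_physical:
  - s-tui
  - smartmontools
  - lm-sensors
  - ethtool
  - fwupd
apt_packages_vm:
  - qemu-guest-agent
  - open-vm-tools
apt_packages_absent:
  - nano
  - snapd
  - ubuntu-advantage-tools
  - neofetch
  - graphviz
  - ubuntu-pro-client

### mgrote_zfs_sanoid
# Values are quoted on purpose: sanoid expects the literal strings ('yes',
# numbers as text) in its config, and an unquoted yes would become a boolean.
sanoid_templates:
  - name: '31tage'
    keep_hourly: '24'  # snapshots to keep (hourly)
    keep_daily: '31'  # snapshots to keep (daily)
    keep_monthly: '3'  # snapshots to keep (monthly)
    keep_yearly: '0'  # snapshots to keep (yearly)
    frequently: '16'  # frequent snapshots to keep
    frequent_period: '15'  # interval in minutes between frequent snapshots
    autosnap: 'yes'  # create snapshots automatically
    autoprune: 'yes'
  - name: '14tage'
    keep_hourly: '24'
    keep_daily: '14'
    keep_monthly: '0'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'
  - name: '7tage'
    keep_hourly: '24'
    keep_daily: '7'
    keep_monthly: '0'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'
  - name: '3monate'
    keep_hourly: '24'
    keep_daily: '7'
    keep_monthly: '3'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'
  - name: 'pve3tage'
    keep_hourly: '72'
    keep_daily: '5'
    keep_monthly: '0'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'

### mgrote_munin_node
munin_node_plugins_repo_user: "{{ ansible_forgejo_user }}"
munin_node_plugins_repo_user_pass: "{{ ansible_forgejo_user_pass }}"
munin_node_bind_host: "0.0.0.0"
munin_node_bind_port: "4949"
munin_node_allowed_cidrs:
  - 192.168.2.0/24
munin_node_disabled_plugins:
  - meminfo  # too much load
  - hddtemp2  # replaced by hddtemp_smartctl
  - ntp  # causes too many DNS PTR requests
  - hddtempd  # replaced by hddtemp_smartctl
  - squid_cache  # proxmox
  - squid_objectsize  # proxmox
  - squid_requests  # proxmox
  - squid_traffic  # proxmox
  - timesync
  - docker_volumesize2
  - docker_multi
munin_node_plugins:
  - name: chrony
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
  - name: systemd_status
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
  - name: systemd_mem
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
    config: |
      [systemd_mem]
      env.all_services true
  - name: lvm_
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
    config: |
      [lvm_*]
      user root
  - name: fail2ban
    src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
    config: |
      [fail2ban]
      env.client /usr/bin/fail2ban-client
      env.config_dir /etc/fail2ban
      user root

### mgrote_sync (for pbs + pve)
# rsync_mirror_user_group references rsync_mirror_user, which is defined right
# below it; Ansible resolves templates lazily, so the order is not a problem.
rsync_mirror_user_group: "{{ rsync_mirror_user }}"
rsync_mirror_user: rsync_mirror
rsync_mirror_bw_limit: "4m"  # 4 megabytes
rsync_mirror_timer: '*-*-* 0/8:5:0'  # every 8 h
rsync_mirror_private_key: "{{ lookup('viczem.keepass.keepass', 'rsync_mirror_private_key', 'notes') }}"
rsync_mirror_public_key: "{{ lookup('viczem.keepass.keepass', 'rsync_mirror_public_key', 'notes') }}"

# Ansible variables
### User
ansible_user: "ansible-user"
### SSH
# NOTE(review): StrictHostKeyChecking=no turns off host-key verification for
# every connection; a pre-seeded known_hosts (or "accept-new") keeps the
# first-contact convenience without trusting whatever answers on the wire.
ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'"
### python3
# https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html
ansible_python_interpreter: "/usr/bin/python3"

# Ansible plugin variables
### Keepass
# https://github.com/viczem/ansible-keepass
keepass_dbx: "./keepass_db.kdbx"
keepass_psw: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  35333563623630373138383563343432333866623533343766646165363261656439653861613336
  6632626438396538316565343061393735383836633631620a653832333936313166316436613237
  38616366623862306534313038343132613832633162303965313138383232383065336231643030
  3862333162643436360a396162303433306138643863333461383737656538636463336533613630
  64383631396664636139393932386239656636366337346163643430353838653166393030323132
  34623439323063336438663031303638303735353735316238616633343833616461363561666338
  36616565393333303935343961386130353435373830383865613133663538633338303762643935
  37626537396238386365
# The vault password that decrypts "keepass_psw" lives in the "ansible-vault"
# file; the decrypted value is the KeePass database password.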