---
### mrlesmithjr.manage_lvm
# One volume group on the attached data disk with a single logical volume
# that takes all free space and is mounted as the Docker data root.
lvm_groups:
  - vgname: vg_docker
    create: true
    disks:
      - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1  # stable by-id path rather than /dev/sdX
    lvnames:
      - lvname: lv_docker
        create: true
        # lvcreate extent syntax: use all remaining free extents of the VG
        size: '+100%FREE'
        filesystem: xfs
        mount: true
        mntp: /var/lib/docker
manage_lvm: true
# resize the PV to the full size of its disk (e.g. after the virtual disk was enlarged)
pvresize_to_max: true

### geerlingguy.pip
pip_package: python3-pip
pip_install_packages:
  # Docker SDK for Python; required by the munin docker_ plugin
  - name: 'docker'

### mgrote.apt_manage_packages
apt_packages_extra:
  # required by the munin dnsresponse_* plugins
  - 'libnet-dns-perl'

### mgrote_user
# Local accounts managed by the mgrote_user role.
# Password hashes are pulled from the KeePass vault at run time via the
# viczem.keepass lookup, so no hash is stored in this file; with
# update_password: always the hash is re-applied on every run.
# All three accounts get passwordless sudo, and membership in `docker`
# grants access to the Docker socket, which is root-equivalent — keep this
# list as short as possible.
users:
  - username: mg
    state: present
    password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
    update_password: always
    public_ssh_key: "{{ ssh_public_key_mg }}"
    groups:
      - ssh
      - sudo
      - docker
    allow_sudo: true
    allow_passwordless_sudo: true
  - username: docker-user
    uid: "5000"  # fixed uid (reason not stated here; presumably stable file ownership for the compose directory)
    state: present
    password: "{{ lookup('viczem.keepass.keepass', 'docker-user_linux_password_hash', 'password') }}"
    update_password: always
    # no public_ssh_key set, although the account is in the ssh group — confirm this is intended
    groups:
      - ssh
      - sudo
      - docker
    allow_sudo: true
    allow_passwordless_sudo: true
  - username: ansible-user
    state: present
    password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
    update_password: always
    # key is inlined here instead of referencing a variable as the mg account does;
    # its comment field (mg@irantu) suggests it is the same key — consider using ssh_public_key_mg
    public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
    groups:
      - ssh
      - sudo
    allow_sudo: true
    allow_passwordless_sudo: true

### geerlingguy.docker
# Accounts added to the docker group by the role (socket access is
# root-equivalent); matches the `docker` group membership in the users list.
docker_users:
  - mg
  - docker-user
docker_install_compose: true
# Do not create a repo entry under /etc/apt/sources.list.d/: the Docker apt
# source is listed explicitly in repos_override and is only needed for the install.
docker_add_repo: false

### mgrote_docker-compose-deploy
# Compose projects live in the home directory of the docker-user account
docker_compose_base_dir: '/home/docker-user'

### mgrote_apt_manage_sources
# Complete apt source list for this host, including the Docker repo
# (which is why docker_add_repo is false).
# The Docker entry pins `jammy` while the Ubuntu entries use
# ansible_distribution_release, so it has to be bumped by hand on a release upgrade.
# The Docker entry has no `signed-by=` option; the Docker signing key therefore
# has to be trusted through some path not visible in this file — verify that
# before relying on this entry.
repos_override:
  - "deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable"
  - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} main restricted"
  - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates main restricted"
  - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} universe"
  - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates universe"
  - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} multiverse"
  - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates multiverse"
  - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-backports main restricted universe multiverse"
  - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted"
  - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security universe"
  - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security multiverse"

### mgrote_systemd_resolved
# Upstream resolver for systemd-resolved; a single address, no secondary resolver is configured here
systemd_resolved_nameserver: '192.168.2.37'

### mgrote_restic
# Space-separated list of paths passed to restic; /var/lib/docker is the LV mounted above
restic_folders_to_backup: '/usr/local /etc /root /home /var/lib/docker'

### mgrote_munin_node
# munin-node. Plugins are fetched over HTTPS from the self-hosted git mirror;
# `config` presumably becomes the plugin-conf stanza for that plugin.
munin_node_plugin_timeout: 120 # in seconds; docker_multi takes longer than the default
# Application-level ACL of munin-node: any source address is accepted.
# Reachability of port 4949 is then narrowed only by the ufw rule for
# 192.168.2.0/24 in this file; listing the server's subnet here as well
# would add a second layer.
munin_node_allowed_cidrs: [0.0.0.0/0] # because the munin server connects from a different subnet
munin_node_plugins:
  - name: systemd_status
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
  - name: systemd_mem
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
    config: |
      [systemd_mem]
      env.all_services true
  # runs as root (presumably needed for lvs/vgs); the [lvm_*] stanza covers every lvm_ symlink
  - name: lvm_
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
    config: |
      [lvm_*]
      user root
  # runs as root to query fail2ban-client; the plugin comes from the own repo, not the contrib mirror
  - name: fail2ban
    src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
    config: |
      [fail2ban]
      env.client /usr/bin/fail2ban-client
      env.config_dir /etc/fail2ban
      user root
  - name: chrony
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
  - name: docker_volumesize
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_volumesize
  # The [docker_*] stanza applies to all docker_* symlinks below. `group docker`
  # gives the plugin access to the Docker socket, which is root-equivalent.
  # NOTE(review): `unix://run/docker.sock` has no leading slash in the path part —
  # confirm it resolves to /run/docker.sock with the SDK version installed here.
  - name: docker_containers
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
    config: |
      [docker_*]
      group docker
      env.DOCKER_HOST unix://run/docker.sock
      env.EXCLUDE_CONTAINER_NAME wp
  # the remaining entries are symlinks of the same wildcard plugin, configured by the stanza above
  - name: docker_cpu
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
  - name: docker_images
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
  - name: docker_memory
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
  - name: docker_network
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
  - name: docker_status
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
  - name: docker_volumes
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_

### oefenweb.ufw
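# Host firewall. The last two rules carry no port/protocol, so they admit
# *all* traffic from the given ranges — they exist so containers on Docker
# bridge networks can reach services on the host.
ufw_rules:
  # SSH accepted from any source; narrow from_ip if the host is reachable
  # from outside the LAN.
  - rule: allow
    to_port: 22
    protocol: tcp
    comment: 'ssh'
    from_ip: 0.0.0.0/0
  # munin-node; keep in sync with munin_node_allowed_cidrs
  - rule: allow
    to_port: 4949
    protocol: tcp
    comment: 'munin'
    from_ip: 192.168.2.0/24
  # Docker's default address pools are 172.17.0.0/16 .. 172.31.0.0/16
  # (all inside 172.16.0.0/12) and 192.168.0.0/16. The earlier 172.0.0.0/8
  # also covered the public ranges 172.0.0.0-172.15.255.255 and
  # 172.32.0.0-172.255.255.255, giving them unrestricted access to every
  # port on the host. Widen only if a custom default-address-pool is set in
  # the Docker daemon configuration.
  - rule: allow
    from_ip: 192.168.0.0/16
    comment: 'docker networks'
  - rule: allow
    from_ip: 172.16.0.0/12
    comment: 'docker networks'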