---
  ### geerlingguy.nfs
  nfs_exports:
    - /srv/nfs 192.168.2.42(rw,no_subtree_check,no_root_squash) #k3s1
  nfs_port: 33333


  ### mgrote.munin-node
  munin_node_plugins:
    - name: timesync
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/timesync_status
    - name: systemd_status
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
    - name: systemd_mem
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
      config: |
        [systemd_mem]
        env.all_services true
    - name: fail2ban
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
      config: |
        [fail2ban]
        env.client /usr/bin/fail2ban-client
        env.config_dir /etc/fail2ban
        user root
    - name: nfsd4
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/nsfd4
    - name: nfsd
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/nfsd
  munin_node_disabled_plugins:
    - name: lvm_
  ### mgrote.restic
  restic_folders_to_backup: "/ /srv/nfs" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben


  ### oefenweb.ufw
  ufw_rules:
    - rule: allow
      to_port: 22
      protocol: tcp
      comment: 'ssh'
      from_ip: 0.0.0.0/0
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.2.144/24
      # k3s1
    - rule: allow
      from_ip: 192.168.2.42
      comment: 'nfs'
      to_port: 2049
    - rule: allow
      from_ip: 192.168.2.42
      comment: 'nfs'
      to_port: 111
    - rule: allow
      from_ip: 192.168.2.42
      comment: 'nfs'
      to_port: "{{ nfs_port }}"