---
### wird in vielen Rollen verwendet
no_debug: true # when set to true "no_log" is also set to true
ansible_facts_parallel: true
ssh_public_key_mg: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKL8opSQ0rWVw9uCfbuiqmXq188OP4xh66MBTO3zV5jo heimserver_mg_v3
my_mail: michael.grote@posteo.de
file_header: |
#----------------------------------------------------------------#
# This file is managed with ansible! #
#----------------------------------------------------------------#
# für Zugriff auf nicht öffentliche git.mgrote.net-Repos
ansible_forgejo_user: svc_ansible
ansible_forgejo_user_pass: "{{ lookup('viczem.keepass.keepass', 'forgejo/user_setup_forgejo_user_pass', 'password') }}" # user ist dem Repo als "Collaborator" + "RO" hinzugefügt worden
### mgrote_user_setup
dotfiles:
- user: mg
home: /home/mg
- user: root
home: /root
dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
dotfiles_vim_vundle_repo_url: "https://{{ ansible_forgejo_user | urlencode }}:{{ ansible_forgejo_user_pass | urlencode }}@git.mgrote.net/mirrors/Vundle.vim.git"
### mgrote_netplan
netplan_configure: true
### mgrote_user
users:
- username: mg
password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
update_password: always
groups:
- ssh
- sudo
state: present
public_ssh_key: "{{ ssh_public_key_mg }}"
allow_sudo: true
allow_passwordless_sudo: true
- username: ansible-user
password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
update_password: always
groups:
- ssh
- sudo
state: present
public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE
allow_sudo: true
allow_passwordless_sudo: true
### hifis_unattended_upgrades
unattended_mail: "{{ my_mail }}"
unattended_mail_only_on_error: true
unattended_syslog_enable: true
unattended_package_blacklist: [libzfs4linux, libzpool5linux, zfs-initramfs, zfs-zed, zfsutils-linux]
unattended_origins_patterns:
- 'origin=Ubuntu,archive=${distro_codename}-security'
- 'o=Ubuntu,a=${distro_codename}-updates'
### mgrote_ntp_chrony_client
ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet
ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile
ntp_chrony_servers: # welche Server sollen befragt werden
- address: 192.168.2.1
options: iburst #optionaler parameter
ntp_chrony_user: _chrony # Nutzer + Gruppe für den Dienst
ntp_chrony_group: _chrony # Nutzer + Gruppe für den Dienst
ntp_chrony_logging: false
### mgrote_postfix
postfix_smtp_server: docker10.mgrote.net
postfix_smtp_server_port: 1025
### mgrote_fail2ban
f2b_bantime: 300
f2b_findtime: 300
f2b_maxretry: 5
f2b_destemail: "{{ my_mail }}"
f2b_sender: info@mgrote.net
### oefenweb.ufw
ufw_rules:
- rule: allow
to_port: 22
protocol: tcp
comment: 'ssh'
from_ip: 0.0.0.0/0
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.0/24
ufw_default_incoming_policy: deny
ufw_default_outgoing_policy: allow
### mgrote_restic
restic_exclude: |
._*
desktop.ini
.Trash-*
**/**cache***/**
**/**Cache***/**
**/**AppData***/**
restic_folders_to_backup: "/usr/local /etc /root /home"
restic_repository: "//fileserver3.mgrote.net/restic"
restic_fail_mail: michael.grote@posteo.de
restic_repository_password: "{{ lookup('viczem.keepass.keepass', 'restic_repository_password', 'password') }}"
restic_mount_password: "{{ lookup('viczem.keepass.keepass', 'fileserver/fileserver_smb_user_restic', 'password') }}" #gitleaks:allow
restic_mount_user: restic
restic_schedule: "*-*-* 4:00:00"
### mgrote_apt_manage_packages
apt_packages_common:
- locales
- python3
- build-essential
- htop
- git
- dnsutils
- mc
- cifs-utils
- haveged #https://www.linux-magazin.de/ausgaben/2011/09/einfuehrung2/
- ca-certificates
- netdiscover
- tree
- curl
- whois
- logrotate
- ncdu
- net-tools
- apt-transport-https
- moreutils
- acl
- vim
- rsync
- at
- ripgrep
- iotop
- pwgen
- keychain
- bc
- jq
apt_packages_physical:
- s-tui
- smartmontools
- lm-sensors
- ethtool
- fwupd
apt_packages_vm:
- qemu-guest-agent
- open-vm-tools
apt_packages_absent:
- nano
- snapd
- ubuntu-advantage-tools
- neofetch
- graphviz
- ubuntu-pro-client
### mgrote_zfs_sanoid
sanoid_templates:
- name: '31tage'
keep_hourly: '24' # Aufheben (Stunde)
keep_daily: '31' # Aufheben (Tage)
keep_monthly: '3' # Aufheben (Monate)
keep_yearly: '0' # Aufheben (Jahre)
frequently: '16' # Aufheben (Minuten)
frequent_period: '15' # Intervall (alle 5 Minuten)
autosnap: 'yes' # Automatisches erstellen von Snapshots
autoprune: 'yes'
- name: '14tage'
keep_hourly: '24'
keep_daily: '14'
keep_monthly: '0'
keep_yearly: '0'
frequently: '16'
frequent_period: '15'
autosnap: 'yes'
autoprune: 'yes'
- name: '7tage'
keep_hourly: '24'
keep_daily: '7'
keep_monthly: '0'
keep_yearly: '0'
frequently: '16'
frequent_period: '15'
autosnap: 'yes'
autoprune: 'yes'
- name: '3monate'
keep_hourly: '24'
keep_daily: '7'
keep_monthly: '3'
keep_yearly: '0'
frequently: '16'
frequent_period: '15'
autosnap: 'yes'
autoprune: 'yes'
- name: 'pve3tage'
keep_hourly: '72'
keep_daily: '5'
keep_monthly: '0'
keep_yearly: '0'
frequently: '16'
frequent_period: '15'
autosnap: 'yes'
autoprune: 'yes'
### mgrote_munin_node
munin_node_plugins_repo_user: "{{ ansible_forgejo_user }}"
munin_node_plugins_repo_user_pass: "{{ ansible_forgejo_user_pass }}"
munin_node_bind_host: "0.0.0.0"
munin_node_bind_port: "4949"
munin_node_allowed_cidrs: [192.168.2.0/24]
munin_node_disabled_plugins:
- meminfo # zu hohe last
- hddtemp2 # ersetzt durch hddtemp_smartctl
- ntp # verursacht zu viele dns ptr request
- hddtempd # ersetzt durch hddtemp_smartctl
- squid_cache # proxmox
- squid_objectsize # proxmox
- squid_requests # proxmox
- squid_traffic # proxmox
- timesync
- docker_volumesize2
- docker_multi
munin_node_plugins:
- name: chrony
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
- name: systemd_status
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
- name: systemd_mem
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
config: |
[systemd_mem]
env.all_services true
- name: lvm_
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
config: |
[lvm_*]
user root
- name: fail2ban
src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
config: |
[fail2ban]
env.client /usr/bin/fail2ban-client
env.config_dir /etc/fail2ban
user root
### mgrote_sync (für pbs + pve)
rsync_mirror_user_group: "{{ rsync_mirror_user }}"
rsync_mirror_user: rsync_mirror
rsync_mirror_bw_limit: "4m" # 4 Megabytes
rsync_mirror_timer: '*-*-* 0/8:5:0' # alle 8 h
rsync_mirror_private_key: "{{ lookup('viczem.keepass.keepass', 'rsync_mirror_private_key', 'notes') }}"
rsync_mirror_public_key: "{{ lookup('viczem.keepass.keepass', 'rsync_mirror_public_key', 'notes') }}"
# Ansible Variablen
### User
ansible_user: "ansible-user"
### SSH
ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'"
### python3
# https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html
ansible_python_interpreter: "/usr/bin/python3"
# Ansible Plugin Variablen
### Keepass
# https://github.com/viczem/ansible-keepass
keepass_dbx: "./keepass_db.kdbx"
keepass_psw: !vault |
$ANSIBLE_VAULT;1.1;AES256
35333563623630373138383563343432333866623533343766646165363261656439653861613336
6632626438396538316565343061393735383836633631620a653832333936313166316436613237
38616366623862306534313038343132613832633162303965313138383232383065336231643030
3862333162643436360a396162303433306138643863333461383737656538636463336533613630
64383631396664636139393932386239656636366337346163643430353838653166393030323132
34623439323063336438663031303638303735353735316238616633343833616461363561666338
36616565393333303935343961386130353435373830383865613133663538633338303762643935
37626537396238386365
# in "ansible-vault" steht das Vault-Secret um die Variablen "keepass_psw" zu entschlüsseln,
# das entschlüsselte Secret ist gleich dem KeepassPW