---
  ### oefenweb.ufw
  # Inbound allow rules handed to the oefenweb.ufw role. Each entry names a
  # destination port, an optional protocol and the permitted source range.
  ufw_rules:
    # SSH is allowed from every IPv4 source (0.0.0.0/0).
    # NOTE(review): if this host is only administered from the LAN, narrow
    # from_ip to the management network - confirm the intended exposure.
    - rule: allow
      to_port: 22
      protocol: tcp
      comment: 'ssh'
      from_ip: 0.0.0.0/0
    # munin-node port. The source is written as a host address with a /24
    # mask (192.168.2.144/24).
    # NOTE(review): confirm whether the whole 192.168.2.0/24 network or only
    # the munin master (a /32) is meant; the narrower form is the safer one.
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 192.168.2.144/24
    # DNS is allowed from every IPv4 source and, unlike the two rules above,
    # sets no `protocol` key - presumably the role then applies its default;
    # verify which protocols end up open.
    # NOTE(review): a resolver that answers arbitrary sources can be abused
    # for reflection/amplification if the host is reachable from outside the
    # LAN; confirm that an upstream firewall limits this or restrict from_ip.
    - rule: allow
      to_port: 53
      comment: 'dns'
      from_ip: 0.0.0.0/0
  ### mgrote.restic
  # Backup repository location for the mgrote.restic role. The value has the
  # //host/share form - presumably a network share on 192.168.2.36; verify
  # against the role how it is mounted and where its credentials come from.
  restic_repository: "//192.168.2.36/restic"
  ### mgrote.systemd-timesyncd
  # Time servers for systemd-timesyncd on this host; a public pool name is
  # used here instead of a local server (reason in the inline comment).
  ntp_timesyncd_servers: # because pihole cannot resolve the FQDN
    - address: pool.ntp.org
      options: iburst # optional parameter
  ### mgrote.apt_manage_sources
  # Set to empty because dnsmasq does NOT query the router and therefore
  # cannot resolve local hostnames.
  manage_sources_apt_proxy: ""
  ### geerlingguy.munin-node
  # Extra munin-node plugins. Each entry gives the plugin name, the URL it is
  # taken from and, optionally, a plugin-conf section in `config`.
  #
  # NOTE(review): every `src` points at `raw/branch/master`, a mutable ref,
  # and several plugins are configured with `user root`. Presumably the role
  # downloads `src` and installs it as an executable plugin - verify. If so,
  # whatever the mirror serves at run time ends up executed as root on this
  # host; prefer a commit-pinned raw URL (<COMMIT_SHA placeholder>) or a
  # checksum check if the role supports one.
  munin_node_plugins:
    - name: timesync
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/timesync_status
    - name: systemd_status
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
    # Wildcard plugin; the section below runs every lvm_* instance as root.
    - name: lvm_
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_
      config: |
        [lvm_*]
        user root
    # Runs as root and is pointed at the fail2ban client binary and its
    # configuration directory through env.* settings.
    - name: fail2ban
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
      config: |
        [fail2ban]
        env.client /usr/bin/fail2ban-client
        env.config_dir /etc/fail2ban
        user root
    # Runs as root and reads the dnsmasq query log; env.logfile is templated
    # from the dnsmasq_logfile variable so both settings stay in step.
    - name: dnsmasq
      src: https://git.mgrote.net/mg/mirror-dnsmasq-munin/raw/branch/master/dnsmasq
      config: |
        [dnsmasq]
        env.logfile {{ dnsmasq_logfile }}
        user root
    # Two instances of the same dnsresponse_ plugin, one per resolver address
    # encoded in the plugin name. Only the second entry carries a `config`;
    # its [dnsresponse_*] section name is a wildcard, so it presumably applies
    # to both instances - verify in the rendered plugin-conf.
    - name: dnsresponse_192.168.2.1
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
    - name: dnsresponse_127.0.0.1
      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
      config: |
        [dnsresponse_*]
        env.site www.heise.de
        env.times 20
  ### mgrote.dnsmasq
  # Which DNS servers should dnsmasq query?
  dnsmasq_resolver:
    - 9.9.9.9
    - 1.1.1.1
  # Query logging records the names that clients look up.
  # NOTE(review): treat the log file below as sensitive - confirm its
  # permissions and rotation on the target host.
  dnsmasq_log_queries: true # has to be true for munin
  dnsmasq_logfile: /var/log/dnsmasq.log
  # Third-party hosts-format blocklists, all marked `state: present`.
  # NOTE(review): these URLs track whatever the publishers currently serve;
  # how the role validates the downloaded entries is not visible here. If
  # entries are loaded as hosts records, a tampered list could map names to
  # arbitrary addresses - verify that the role filters them.
  dnsmasq_blocklists:
    # NOTE(review): this is the only list fetched over plain HTTP, so its
    # content is not integrity-protected in transit; switch to an HTTPS
    # source if the publisher offers one - confirm availability first.
    - name: sysctl.org
      state: present
      url: http://sysctl.org/cameleon/hosts
    - name: StevenBlack.1
      state: present
      url: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
    - name: StevenBlack.2
      state: present
      url: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
    - name: adaway.org
      state: present
      url: https://adaway.org/hosts.txt
    - name: StevenBlack.3
      state: present
      url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
    - name: developerdan.1
      state: present
      url: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
    - name: developerdan.2
      state: present
      url: https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt
  dnsmasq_cache_size: 10000
  # Same port that the 'dns' firewall rule in ufw_rules opens.
  dnsmasq_port: 53
  # Domain handed to the role's never-forward setting; presumably queries for
  # grote.lan are answered locally and not sent to the resolvers above -
  # verify against the role's template.
  dnsmasq_never_forward_domain: grote.lan
  ### mgrote.apt_manage_packages
  # Additional packages to install on this host.
  apt_packages_extra:
    - libnet-dns-perl # for munin: dnsresponse_*