---
### Allgemein
kubeconfig: /etc/rancher/k3s/k3s.yaml

### mgrote.restic
restic_folders_to_backup: "/ /var" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files

### oefenweb.ufw
ufw_rules:
  - rule: allow
    comment: 'k3s - alles offen'
    from_ip: 0.0.0.0/0

### pyratlabs.k3s
k3s_state: installed
k3s_release_version: v1.25.11+k3s1
k3s_airgap: false
k3s_config_file: /etc/rancher/k3s/config.yaml
k3s_build_cluster: true
k3s_install_dir: /usr/local/bin
k3s_etcd_datastore: true
k3s_become: true
k3s_use_experimental: true
k3s_debug: false
k3s_server:
  # siehe https://docs.k3s.io/reference/server-config
  # cli parameter OHNE -- am anfang
  write-kubeconfig-mode: '644'
  cluster-cidr: "10.42.0.0/16"
  service-cidr: "10.43.0.0/16"
  disable:
    - traefik
    - local-storage # disables local-path-provisioner
    - disable-helm-controller # https://fluxcd.io/flux/cheatsheets/troubleshooting/

### mgrote.fluxcd
flux_repo_host: gitea.grote.lan
flux_repo_host_port: 2222
flux_repo_branch: master
flux_repo_url_complete: "ssh://gitea@{{ flux_repo_host }}:{{ flux_repo_host_port }}/mg/manifests.git"
flux_install_host: k3s4.grote.lan
flux_homedir: /home/flux
flux_path_ssh_dir: /home/flux/.ssh
flux_user_group: flux
flux_user: flux
flux_download_url: https://github.com/fluxcd/flux2/releases/download/v2.0.1/flux_2.0.1_linux_amd64.tar.gz # updaten
flux_path_bin: /usr/local/sbin
flux_path_ssh_id_file: id_rsa
flux_ssh_key_format: ed25519
flux_sync_interval: 1m

### mgrote.apt_manage_packages
apt_packages_extra:
  - nfs-common # für nfs-subdir-external-provisioner

### mgrote.sealed-secrets
sealed_secrets_homedir: /home/sealed_secrets
sealed_secrets_user_group: sealed_secrets
sealed_secrets_user: sealed_secrets
kubeseal_download_url: "https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.1/kubeseal-0.19.1-linux-amd64.tar.gz" #updaten
kubeseal_path_bin: /usr/local/sbin
sealed_secrets_keepass_entry_name: "{{ lookup('keepass', 'k3s-sealed-secrets-private-key', 'notes') }}"