---
# Group variables shared by many roles (Ansible group_vars).
# Secrets are pulled at runtime via the viczem.keepass lookup; the KeePass
# password itself is the only vault-encrypted value in this file (see bottom).

### used in many roles
no_debug: true # when set to true "no_log" is also set to true
ansible_facts_parallel: true
ssh_public_key_mg: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKL8opSQ0rWVw9uCfbuiqmXq188OP4xh66MBTO3zV5jo heimserver_mg_v3
my_mail: michael.grote@posteo.de
file_header: |
  #----------------------------------------------------------------#
  # This file is managed with ansible! #
  #----------------------------------------------------------------#

# access to non-public git.mgrote.net repositories
ansible_forgejo_user: svc_ansible
ansible_forgejo_user_pass: "{{ lookup('viczem.keepass.keepass', 'forgejo/user_setup_forgejo_user_pass', 'password') }}"
# the user has been added to the repo as "Collaborator" + "RO"

### mgrote_user_setup
dotfiles:
  - user: mg
    home: /home/mg
  - user: root
    home: /root
dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
# NOTE(review): the Forgejo credentials are embedded in the clone URL; whatever
# stores the remote (presumably .git/config on the target) and any task output
# not covered by no_log will contain them in plain text. Keep no_debug/no_log
# on for the tasks that use this, and prefer the read-only account only.
dotfiles_vim_vundle_repo_url: "https://{{ ansible_forgejo_user | urlencode }}:{{ ansible_forgejo_user_pass | urlencode }}@git.mgrote.net/mirrors/Vundle.vim.git"

### mgrote_netplan
netplan_configure: true

### mgrote_user
# Both accounts get passwordless sudo; the key for ansible-user is the one
# Ansible itself connects with (see ansible_user below).
users:
  - username: mg
    password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
    update_password: always
    groups:
      - ssh
      - sudo
    state: present
    public_ssh_key: "{{ ssh_public_key_mg }}"
    allow_sudo: true
    allow_passwordless_sudo: true
  - username: ansible-user
    password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
    update_password: always
    groups:
      - ssh
      - sudo
    state: present
    public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE
    allow_sudo: true
    allow_passwordless_sudo: true

### hifis_unattended_upgrades
unattended_mail: "{{ my_mail }}"
unattended_mail_only_on_error: true
unattended_syslog_enable: true
# ZFS packages are excluded so kernel-module updates are applied manually.
unattended_package_blacklist: [libzfs4linux, libzpool5linux, zfs-initramfs, zfs-zed, zfsutils-linux]
unattended_origins_patterns:
  - 'origin=Ubuntu,archive=${distro_codename}-security'
  - 'o=Ubuntu,a=${distro_codename}-updates'

### mgrote_ntp_chrony_client
ntp_chrony_timezone: "Europe/Berlin" # timezone the machine is located in
ntp_chrony_driftfile_directory: "/var/lib/chrony" # directory for the driftfile
ntp_chrony_servers: # which servers to query
  - address: 192.168.2.1
    options: iburst # optional parameter
ntp_chrony_user: _chrony # user + group for the service
ntp_chrony_group: _chrony # user + group for the service
ntp_chrony_logging: false

### mgrote_postfix
postfix_smtp_server: docker10.mgrote.net
postfix_smtp_server_port: 1025

### mgrote_fail2ban
# 5 failures within 300 s ban the source for 300 s.
f2b_bantime: 300
f2b_findtime: 300
f2b_maxretry: 5
f2b_destemail: "{{ my_mail }}"
f2b_sender: info@mgrote.net

### oefenweb.ufw
# SSH is reachable from anywhere (rate-limited by fail2ban above);
# munin-node only from the local /24.
ufw_rules:
  - rule: allow
    to_port: 22
    protocol: tcp
    comment: 'ssh'
    from_ip: 0.0.0.0/0
  - rule: allow
    to_port: 4949
    protocol: tcp
    comment: 'munin'
    from_ip: 192.168.2.0/24
ufw_default_incoming_policy: deny
ufw_default_outgoing_policy: allow

### mgrote_restic
restic_exclude: |
  ._*
  desktop.ini
  .Trash-*
  **/**cache***/**
  **/**Cache***/**
  **/**AppData***/**
restic_folders_to_backup: "/usr/local /etc /root /home"
restic_repository: "//fileserver3.mgrote.net/restic"
restic_fail_mail: "{{ my_mail }}"
restic_repository_password: "{{ lookup('viczem.keepass.keepass', 'restic_repository_password', 'password') }}"
restic_mount_password: "{{ lookup('viczem.keepass.keepass', 'fileserver/fileserver_smb_user_restic', 'password') }}" #gitleaks:allow
restic_mount_user: restic
restic_schedule: "*-*-* 4:00:00" # systemd OnCalendar: daily at 04:00

### mgrote_apt_manage_packages
apt_packages_common:
  - locales
  - python3
  - build-essential
  - htop
  - git
  - dnsutils
  - mc
  - cifs-utils
  - haveged #https://www.linux-magazin.de/ausgaben/2011/09/einfuehrung2/
  - ca-certificates
  - netdiscover
  - tree
  - curl
  - whois
  - logrotate
  - ncdu
  - net-tools
  - apt-transport-https
  - moreutils
  - acl
  - vim
  - rsync
  - at
  - ripgrep
  - iotop
  - pwgen
  - keychain
  - bc
  - jq
apt_packages_physical:
  - s-tui
  - smartmontools
  - lm-sensors
  - ethtool
  - fwupd
apt_packages_vm:
  - qemu-guest-agent
  - open-vm-tools
apt_packages_absent:
  - nano
  - snapd
  - ubuntu-advantage-tools
  - neofetch
  - graphviz
  - ubuntu-pro-client

### mgrote_zfs_sanoid
# Values are quoted on purpose: they are written verbatim into sanoid.conf.
sanoid_templates:
  - name: '31tage'
    keep_hourly: '24' # keep (hours)
    keep_daily: '31' # keep (days)
    keep_monthly: '3' # keep (months)
    keep_yearly: '0' # keep (years)
    frequently: '16' # keep (frequent snapshots)
    frequent_period: '15' # interval between frequent snapshots (minutes)
    autosnap: 'yes' # create snapshots automatically
    autoprune: 'yes'
  - name: '14tage'
    keep_hourly: '24'
    keep_daily: '14'
    keep_monthly: '0'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'
  - name: '7tage'
    keep_hourly: '24'
    keep_daily: '7'
    keep_monthly: '0'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'
  - name: '3monate'
    keep_hourly: '24'
    keep_daily: '7'
    keep_monthly: '3'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'
  - name: 'pve3tage'
    keep_hourly: '72'
    keep_daily: '5'
    keep_monthly: '0'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'

### mgrote_munin_node
munin_node_plugins_repo_user: "{{ ansible_forgejo_user }}"
munin_node_plugins_repo_user_pass: "{{ ansible_forgejo_user_pass }}"
# Listens on all interfaces; access is limited by allowed_cidrs here and by
# the ufw rule for port 4949 above.
munin_node_bind_host: "0.0.0.0"
munin_node_bind_port: "4949"
munin_node_allowed_cidrs: [192.168.2.0/24]
munin_node_disabled_plugins:
  - meminfo # too much load
  - hddtemp2 # replaced by hddtemp_smartctl
  - ntp # causes too many DNS PTR requests
  - hddtempd # replaced by hddtemp_smartctl
  - squid_cache # proxmox
  - squid_objectsize # proxmox
  - squid_requests # proxmox
  - squid_traffic # proxmox
  - timesync
  - docker_volumesize2
  - docker_multi
# Plugins are fetched over HTTPS from the mirrors; lvm_ and fail2ban run as root.
munin_node_plugins:
  - name: chrony
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
  - name: systemd_status
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
  - name: systemd_mem
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
    config: |
      [systemd_mem]
      env.all_services true
  - name: lvm_
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
    config: |
      [lvm_*]
      user root
  - name: fail2ban
    src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
    config: |
      [fail2ban]
      env.client /usr/bin/fail2ban-client
      env.config_dir /etc/fail2ban
      user root

### mgrote_sync (for pbs + pve)
rsync_mirror_user_group: "{{ rsync_mirror_user }}"
rsync_mirror_user: rsync_mirror
rsync_mirror_bw_limit: "4m" # 4 megabytes
rsync_mirror_timer: '*-*-* 0/8:5:0' # every 8 h
rsync_mirror_private_key: "{{ lookup('viczem.keepass.keepass', 'rsync_mirror_private_key', 'notes') }}"
rsync_mirror_public_key: "{{ lookup('viczem.keepass.keepass', 'rsync_mirror_public_key', 'notes') }}"

# Ansible variables
### User
ansible_user: "ansible-user"
### SSH
# NOTE(review): StrictHostKeyChecking=no disables host key verification for
# every managed host, so a changed or substituted host key goes unnoticed.
# A maintained known_hosts with StrictHostKeyChecking=accept-new (or yes)
# keeps first-contact convenience while still detecting key changes.
ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'"
### python3
# https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html
ansible_python_interpreter: "/usr/bin/python3"

# Ansible plugin variables
### Keepass
# https://github.com/viczem/ansible-keepass
keepass_dbx: "./keepass_db.kdbx"
keepass_psw: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  35333563623630373138383563343432333866623533343766646165363261656439653861613336
  6632626438396538316565343061393735383836633631620a653832333936313166316436613237
  38616366623862306534313038343132613832633162303965313138383232383065336231643030
  3862333162643436360a396162303433306138643863333461383737656538636463336533613630
  64383631396664636139393932386239656636366337346163643430353838653166393030323132
  34623439323063336438663031303638303735353735316238616633343833616461363561666338
  36616565393333303935343961386130353435373830383865613133663538633338303762643935
  37626537396238386365
# the file "ansible-vault" holds the vault secret used to decrypt the variable "keepass_psw";
# the decrypted secret is identical to the KeePass password