170 lines
6.1 KiB
YAML
170 lines
6.1 KiB
YAML
---
|
|
### mgrote_minio_configure
|
|
minio_url: https://s3.mgrote.net
|
|
minio_root_access_key: "{{ lookup('viczem.keepass.keepass', 'minio/minio_root_access_key', 'password') }}"
|
|
minio_root_secret_key: "{{ lookup('viczem.keepass.keepass', 'minio/minio_root_secret_key', 'password') }}"
|
|
minio_users:
|
|
- name: testuser
|
|
secret: "{{ lookup('viczem.keepass.keepass', 'minio/minio_testuser_secret_key', 'password') }}"
|
|
state: present
|
|
policy: testbucket_rw
|
|
minio_buckets:
|
|
- name: testbucket
|
|
state: present
|
|
|
|
### mrlesmithjr.manage_lvm
|
|
lvm_groups:
|
|
- vgname: vg_docker
|
|
disks:
|
|
- /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
|
|
create: true
|
|
lvnames:
|
|
- lvname: lv_docker
|
|
size: +100%FREE
|
|
create: true
|
|
filesystem: xfs
|
|
mount: true
|
|
mntp: /var/lib/docker
|
|
manage_lvm: true
|
|
pvresize_to_max: true
|
|
|
|
### geerlingguy.pip
|
|
pip_package: python3-pip
|
|
pip_install_packages:
|
|
- name: docker # für munin-plugin docker_
|
|
- name: minio # für ansible-minio_configure-Rolle
|
|
|
|
### mgrote.apt_manage_packages
|
|
apt_packages_extra:
|
|
- libnet-dns-perl # für munin: dnsresponse_*
|
|
|
|
### mgrote_user
|
|
users:
|
|
- username: mg
|
|
password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
|
|
update_password: always
|
|
groups:
|
|
- ssh
|
|
- sudo
|
|
- docker
|
|
state: present
|
|
public_ssh_key: "{{ ssh_public_key_mg }}"
|
|
allow_sudo: true
|
|
allow_passwordless_sudo: true
|
|
- username: docker-user
|
|
password: "{{ lookup('viczem.keepass.keepass', 'docker-user_linux_password_hash', 'password') }}"
|
|
update_password: always
|
|
groups:
|
|
- ssh
|
|
- sudo
|
|
- docker
|
|
state: present
|
|
allow_sudo: true
|
|
allow_passwordless_sudo: true
|
|
uid: "5000"
|
|
- username: ansible-user
|
|
password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
|
|
update_password: always
|
|
groups:
|
|
- ssh
|
|
- sudo
|
|
state: present
|
|
public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
|
|
allow_sudo: true
|
|
allow_passwordless_sudo: true
|
|
|
|
### geerlingguy.docker
|
|
docker_users:
|
|
- mg
|
|
- docker-user
|
|
docker_install_compose: true
|
|
docker_add_repo: false # erstelle kein Repo-Eintrag unter /etc/apt/sources.list.d/, steht explizit unter "repos_override", wird nur zum installieren benötigt
|
|
|
|
### mgrote_docker-compose-deploy
|
|
docker_compose_base_dir: /home/docker-user
|
|
|
|
### mgrote_apt_manage_sources
|
|
repos_override: # mit docker-repos
|
|
- deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable
|
|
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} main restricted"
|
|
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates main restricted"
|
|
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} universe"
|
|
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates universe"
|
|
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} multiverse"
|
|
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates multiverse"
|
|
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-backports main restricted universe multiverse"
|
|
- "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted"
|
|
- "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security universe"
|
|
- "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security multiverse"
|
|
|
|
### mgrote_systemd_resolved
|
|
systemd_resolved_nameserver: 192.168.2.37
|
|
|
|
### mgrote_restic
|
|
restic_folders_to_backup: "/usr/local /etc /root /home /var/lib/docker"
|
|
|
|
### mgrote_munin_node
|
|
munin_node_plugin_timeout: 120 # in sec, docker_multi braucht länger
|
|
munin_node_allowed_cidrs: [0.0.0.0/0] # weil der munin-server aus einem anderen subnet zugreift
|
|
munin_node_plugins:
|
|
- name: systemd_status
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
|
|
- name: systemd_mem
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
|
|
config: |
|
|
[systemd_mem]
|
|
env.all_services true
|
|
- name: lvm_
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
|
|
config: |
|
|
[lvm_*]
|
|
user root
|
|
- name: fail2ban
|
|
src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
|
|
config: |
|
|
[fail2ban]
|
|
env.client /usr/bin/fail2ban-client
|
|
env.config_dir /etc/fail2ban
|
|
user root
|
|
- name: chrony
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
|
|
- name: docker_volumesize
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_volumesize
|
|
- name: docker_containers
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
|
config: |
|
|
[docker_*]
|
|
group docker
|
|
env.DOCKER_HOST unix://run/docker.sock
|
|
env.EXCLUDE_CONTAINER_NAME wp
|
|
- name: docker_cpu
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
|
- name: docker_images
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
|
- name: docker_memory
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
|
- name: docker_network
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
|
- name: docker_status
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
|
- name: docker_volumes
|
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
|
|
|
|
### oefenweb.ufw
|
|
ufw_rules:
|
|
- rule: allow
|
|
to_port: 22
|
|
protocol: tcp
|
|
comment: 'ssh'
|
|
from_ip: 0.0.0.0/0
|
|
- rule: allow
|
|
to_port: 4949
|
|
protocol: tcp
|
|
comment: 'munin'
|
|
from_ip: 192.168.2.0/24
|
|
- rule: allow
|
|
from_ip: 192.168.0.0/16
|
|
comment: 'docker networks'
|
|
- rule: allow
|
|
from_ip: 172.0.0.0/8
|
|
comment: 'docker networks'
|