mg
416c36f97c
motd unit house plugins vereinheitlicht aufräumen user vereinheitlicht samba users aufgeräumt aussortiert apc pwr systemd plugin kvm plugins lvm plguin acng plugin munin user chrony fur alle gruppe playbook docker vars playbook firewall munin für alle Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: mg/ansible#116 Co-Authored-By: mg <mg@noreply.git.mgrote.net> Co-Committed-By: mg <mg@noreply.git.mgrote.net>
243 lines
9 KiB
YAML
243 lines
9 KiB
YAML
---
|
|
### wird in vielen Rollen verwendet
|
|
empfaenger_mail: michael.grote@posteo.de
|
|
file_header: |
|
|
#----------------------------------------------------------------#
|
|
# This file is managed with ansible! #
|
|
#----------------------------------------------------------------#
|
|
### geerlingguy.munin-node
|
|
munin_node_bind_host: "0.0.0.0"
|
|
munin_node_bind_port: "4949"
|
|
munin_node_allowed_cidrs: [192.168.2.0/24]
|
|
munin_node_remove_plugins:
|
|
- name: meminfo # zu hohe last
|
|
- name: hddtemp2 # ersetzt durch hddtemp_smartctl
|
|
- name: squid_cache
|
|
- name: squid_objectsize
|
|
- name: squid_requests
|
|
- name: squid_traffic
|
|
- name: nfsd
|
|
- name: samba
|
|
- name: nfsd4
|
|
- name: ntp # verursacht zu viele dns ptr request
|
|
- name: cronjobs
|
|
- name: hddtempd # ersetzt durch hddtemp_smartctl
|
|
- name: ipmi_power # für pve2, leeres diagramm
|
|
- name: fail2ban
|
|
- name: fail2ban_
|
|
- name: apcupsd_pct
|
|
- name: kvm_io
|
|
- name: kvm_cpu
|
|
- name: docker_mem
|
|
- name: docker_cpu
|
|
munin_node_plugins:
|
|
- name: chrony
|
|
- name: systemd_status
|
|
- name: lvm_
|
|
munin_node_install_plugins: # in eigenes Repo gesichert
|
|
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/chrony
|
|
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/lvm_
|
|
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/systemd_status
|
|
munin_node_config: {
|
|
"lvm_": {
|
|
"user munin"
|
|
}
|
|
}
|
|
|
|
### mgrote.dotfiles
|
|
dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
|
|
dotfiles_repo_path: /home/mg/dotfiles
|
|
dotfiles_files:
|
|
- repo_path: "{{ dotfiles_repo_path}}/.vimrc"
|
|
local_path: "/home/mg/.vimrc"
|
|
- repo_path: "{{ dotfiles_repo_path}}/.tmux.conf"
|
|
local_path: "/home/mg/.tmux.conf"
|
|
- repo_path: "{{ dotfiles_repo_path}}/.gitconfig"
|
|
local_path: "/home/mg/.gitconfig"
|
|
- repo_path: "{{ dotfiles_repo_path}}/.bash_aliases"
|
|
local_path: "/home/mg/.bash_aliases"
|
|
dotfiles_dirs:
|
|
- path: /home/mg/.config/i3
|
|
- path: /home/mg/.config/polybar
|
|
dotfiles_owner: mg
|
|
### jnv.unattended_upgrades
|
|
unattended_mail: "{{ empfaenger_mail }}"
|
|
unattended_mail_only_on_error: true
|
|
unattended_syslog_enable: true
|
|
unattended_origins_patterns:
|
|
- 'origin=Ubuntu,archive=${distro_codename}-security'
|
|
- 'o=Ubuntu,a=${distro_codename}-updates'
|
|
### mgrote.ntp_chrony_server
|
|
ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet
|
|
ntp_chrony_servers: # welche Server sollen befragt werden
|
|
- address: ntp-server.grote.lan
|
|
options: iburst #optionaler parameter
|
|
ntp_chrony_logging: false # logging an/aus
|
|
### mgrote.postfix
|
|
postfix_absender_mailadresse: info@mgrote.net
|
|
postfix_absender_passwort: "{{ lookup('keepass', 'postfix_absender_passwort', 'password') }}"
|
|
postfix_erlaubte_netzwerke: "127.0.0.0/8 192.168.2.0/24"
|
|
postfix_mail_nach_cronjob: false
|
|
postfix_smtp_server: smtp.strato.de
|
|
postfix_smtp_server_port: 587
|
|
postfix_smtp_use_tls: "yes"
|
|
### mgrote.apt_manage_sources
|
|
manage_sources_apt_proxy_url: "acng.grote.lan:9999/"
|
|
### mgrote.restic
|
|
restic_folders_to_backup: "/usr/local /etc /root /home"
|
|
restic_cron_hours: "19"
|
|
restic_repository: "//fileserver2.grote.lan/backup/restic"
|
|
restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"
|
|
restic_mount: "/mnt/restic"
|
|
restic_mount_user: restic
|
|
restic_mount_password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}"
|
|
restic_exclude: |
|
|
._*
|
|
desktop.ini
|
|
.Trash-*
|
|
**/**cache***/**
|
|
**/**Cache***/**
|
|
**/**AppData***/**
|
|
### mgrote.tmux
|
|
tmux_conf_destination: "/home/mg/.tmux.conf"
|
|
tmux_bashrc_destination: "/home/mg/.bashrc"
|
|
tmux_standardsession_name: "default"
|
|
### mgrote.fail2ban
|
|
f2b_bantime: 300
|
|
f2b_findtime: 300
|
|
f2b_maxretry: 5
|
|
f2b_destemail: "{{ empfaenger_mail }}"
|
|
f2b_sender: "{{ postfix_absender_mailadresse }}"
|
|
### oefenweb.ufw
|
|
ufw_rules:
|
|
- rule: allow
|
|
to_port: 22
|
|
protocol: tcp
|
|
comment: 'ssh'
|
|
from_ip: 192.168.2.0/24
|
|
- rule: allow
|
|
to_port: 4949
|
|
protocol: tcp
|
|
comment: 'munin'
|
|
from_ip: 192.168.2.144/24
|
|
ufw_default_incoming_policy: deny
|
|
ufw_default_outgoing_policy: allow
|
|
### ryandaniels.create_users
|
|
users:
|
|
- username: mg
|
|
password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
|
|
update_password: on_create
|
|
ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAp7z2WWUS626wY4laQJNGVYs5uOowrSOjd9RLsoPV5GWU46lsD+Q7CblqcBflvkzFiU16bzI0QZcQ9YP5M5LcYreCqCIq2HdeA4/hgIhlBGAzgp4mK8gZsEoCd2rs5888RA8T/oGnAoP0FXBegm2XmXTmt3826ZZUektCanSipMzrT3XUDZDnf1sTY60Fu8GK4hcRIFI7spM0u9upCYXVOrygBmoBQ5GlOyGEPyXs1Am/PERcVZFUPS0mGJ0COVCgEOaVvM8kEn5dK/QpmKqE8OMBsRdQ51pj9BMLNz/0IRnF6OxHDfEyLuqNPZuuBZc+/pULaZefCgjKGL1zXIFFlw== #generieren: ssh-keygen -o; für putty ändern https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/ggcs/Change_private_key_format_for_Putty/Change_private_key_format_for_Putty.html#section2
|
|
use_sudo: yes
|
|
use_sudo_nopass: yes
|
|
user_state: present
|
|
groups: ssh, sudo, docker
|
|
servers:
|
|
- production
|
|
- test
|
|
- laptop
|
|
- username: munin
|
|
password: "{{ lookup('keepass', 'munin_linux_password_hash', 'password') }}"
|
|
update_password: always
|
|
use_sudo: yes
|
|
use_sudo_nopass: yes
|
|
user_state: present
|
|
groups: root, docker
|
|
servers:
|
|
- production
|
|
- username: root
|
|
password: "{{ lookup('keepass', 'root_linux_password_hash_proxmox', 'password') }}"
|
|
update_password: on_create
|
|
ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAp7z2WWUS626wY4laQJNGVYs5uOowrSOjd9RLsoPV5GWU46lsD+Q7CblqcBflvkzFiU16bzI0QZcQ9YP5M5LcYreCqCIq2HdeA4/hgIhlBGAzgp4mK8gZsEoCd2rs5888RA8T/oGnAoP0FXBegm2XmXTmt3826ZZUektCanSipMzrT3XUDZDnf1sTY60Fu8GK4hcRIFI7spM0u9upCYXVOrygBmoBQ5GlOyGEPyXs1Am/PERcVZFUPS0mGJ0COVCgEOaVvM8kEn5dK/QpmKqE8OMBsRdQ51pj9BMLNz/0IRnF6OxHDfEyLuqNPZuuBZc+/pULaZefCgjKGL1zXIFFlw== #generieren: ssh-keygen -o; für putty ändern https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/ggcs/Change_private_key_format_for_Putty/Change_private_key_format_for_Putty.html#section2
|
|
use_sudo: yes
|
|
use_sudo_nopass: yes
|
|
user_state: present
|
|
groups: ssh, sudo
|
|
servers:
|
|
- proxmox
|
|
- username: ansible-user
|
|
password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
|
|
update_password: on_create
|
|
ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyqs0OE5RVqs6tIzyuGQWvq/OVDa/tfdSEqMIwcthFt+pwCCjpqtNc8L8FSXgphSwuNosFakqhMLDFD3pmII+t61NRExsoR3nGTDuCAQnTvTKXTEfhnunN3pwgXWVTI68j9pRzmSy+hMkSFbgN9EGMSXxGcNunY7ewS3ZkVe08SWFpiX9giYq6uiOiMHsZKdcP6s2QRXUhZlTx2cOc/9gJ5lD82EUXQRZzT6ww2xVrceIW9c3CZFmSmYWxvrR7dPcHrke90FPPd5WhU+Anz++6GsT6+OhZTk+uQnBHllFXn9NoFQIEUDO4zV+gFXITaAbTkLAcCwuKB2QcDZ6C2mhf ansible-generated on ansible-v2
|
|
use_sudo: yes
|
|
use_sudo_nopass: yes
|
|
user_state: present
|
|
groups: ssh, sudo
|
|
servers:
|
|
- production
|
|
- test
|
|
- laptop
|
|
### mgrote.apt_install_packages
|
|
programs_common:
|
|
- locales
|
|
- python3
|
|
- build-essential
|
|
- htop
|
|
- git
|
|
- dnsutils
|
|
- nano
|
|
- mc
|
|
- cifs-utils
|
|
- ca-certificates
|
|
- netdiscover
|
|
- tree
|
|
- curl
|
|
- whois
|
|
- logrotate
|
|
- ncdu
|
|
- net-tools
|
|
- apt-transport-https
|
|
- neofetch
|
|
- moreutils
|
|
- ntpdate
|
|
- acl
|
|
- vim
|
|
- rsync
|
|
- at
|
|
programs_only_physical:
|
|
- hddtemp
|
|
- ipmitool
|
|
- s-tui
|
|
- smartmontools
|
|
- lm-sensors
|
|
- ethtool
|
|
programs_only_vms:
|
|
- qemu-guest-agent
|
|
- open-vm-tools
|
|
|
|
### mgrote.apcupsd
|
|
apcupsd_master_onbatterydelay: 10
|
|
apcupsd_master_batterylevel_for_shutdown: 50
|
|
apcupsd_master_minutes_for_shutdown: 10
|
|
apcupsd_master_nologon_when_active: disable
|
|
apcupsd_slave_onbatterydelay: 10
|
|
apcupsd_slave_batterylevel_for_shutdown: 50
|
|
apcupsd_slave_minutes_for_shutdown: 10
|
|
apcupsd_slave_nologon_when_active: disable
|
|
apcupsd_nis_master: on
|
|
apcupsd_nis_master_listen_ip: 0.0.0.0
|
|
apcupsd_nis_master_listen_port: 3551
|
|
apcupsd_ups_name: APC-BX950U-GR
|
|
|
|
|
|
# Ansible Variablen
|
|
### User
|
|
ansible_user: "ansible-user"
|
|
### SSH
|
|
ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'"
|
|
### python3
|
|
# https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html
|
|
ansible_python_interpreter: "/usr/bin/python3"
|
|
|
|
# Ansible Plugin Variablen
|
|
### Keepass
|
|
# https://github.com/viczem/ansible-keepass
|
|
keepass_dbx: "./keepass_db.kdbx"
|
|
keepass_psw: !vault |
|
|
$ANSIBLE_VAULT;1.1;AES256
|
|
62383737623066396239383336646164616537646630653964313532383130343533346561633039
|
|
3437306134656535353438666165376332633064383135650a636537626662656130376537633164
|
|
61613132326536666466636632363866393066656236303766333338356337396338376266346631
|
|
6364336331623539300a313562303161373631613734313938346666376239613333333363376236
|
|
38363035376662353135333332363431343833656666643036326234656166643531
|