homeserver/group_vars/all.yml
Michael Grote d34e5394d8
Some checks failed
ansible-lint / gitleaks (pull_request) Successful in 4s
ansible-lint / Ansible Lint (pull_request) Failing after 45s
ff
2024-09-23 22:06:51 +02:00

287 lines
8.5 KiB
YAML

---
### wird in vielen Rollen verwendet
ansible_facts_parallel: true
ssh_public_key_mg: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKL8opSQ0rWVw9uCfbuiqmXq188OP4xh66MBTO3zV5jo heimserver_mg_v3
my_mail: michael.grote@posteo.de
file_header: |
#----------------------------------------------------------------#
# This file is managed with ansible! #
#----------------------------------------------------------------#
# für Zugriff auf nicht öffentliche git.mgrote.net-Repos
ansible_forgejo_user: svc_ansible
ansible_forgejo_user_pass: "{{ lookup('viczem.keepass.keepass', 'user_setup_forgejo_user_pass', 'password') }}" # User ist dem Repo als "Collaborator" + "RO" hinzugefügt worden
### patrickjahns.promtail
promtail_version: "3.0.0" # TODO renovate
promtail_loki_server_url: "http://docker10.mgrote.net:3100" # TODO passt das für blocky?
promtail_user_additional_groups: root
promtail_config_expand_env: true
promtail_extra_args:
promtail_config_scrape_configs:
- job_name: system
static_configs:
- targets:
- localhost
labels:
host: ${hostname}
job: varlogs
__path__: /var/log/**/**
# TODO add docker
### mgrote_user_setup
dotfiles:
- user: mg
home: /home/mg
- user: root
home: /root
dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
dotfiles_vim_vundle_repo_url: "https://{{ ansible_forgejo_user | urlencode }}:{{ ansible_forgejo_user_pass | urlencode }}@git.mgrote.net/mirrors/Vundle.vim.git"
### mgrote_netplan
netplan_configure: true
### mgrote_user
users:
- username: mg
password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo
state: present
public_ssh_key: "{{ ssh_public_key_mg }}"
allow_sudo: true
allow_passwordless_sudo: true
- username: ansible-user
password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo
state: present
public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
allow_sudo: true
allow_passwordless_sudo: true
### hifis_unattended_upgrades
unattended_mail: "{{ my_mail }}"
unattended_mail_only_on_error: true
unattended_syslog_enable: true
unattended_package_blacklist: [libzfs4linux, libzpool5linux, zfs-initramfs, zfs-zed, zfsutils-linux]
unattended_origins_patterns:
- 'origin=Ubuntu,archive=${distro_codename}-security'
- 'o=Ubuntu,a=${distro_codename}-updates'
### mgrote_ntp_chrony_client
ntp_chrony_timezone: "Europe/Berlin" # Zeitzone in der sich der Computer befindet
ntp_chrony_driftfile_directory: "/var/lib/chrony" # Ordner für das driftfile
ntp_chrony_servers: # welche Server sollen befragt werden
- address: 192.168.2.1
options: iburst #optionaler parameter
ntp_chrony_user: _chrony # Nutzer + Gruppe für den Dienst
ntp_chrony_group: _chrony # Nutzer + Gruppe für den Dienst
ntp_chrony_logging: false
### mgrote_postfix
postfix_smtp_server: docker10.mgrote.net
postfix_smtp_server_port: 1025
### mgrote_fail2ban
f2b_bantime: 300
f2b_findtime: 300
f2b_maxretry: 5
f2b_destemail: "{{ my_mail }}"
f2b_sender: info@mgrote.net
### oefenweb.ufw
ufw_rules:
- rule: allow
to_port: 22
protocol: tcp
comment: 'ssh'
from_ip: 0.0.0.0/0
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.0/24
- rule: allow
to_port: 9080
protocol: tcp
comment: 'promtail'
from_ip: 192.168.2.0/24
ufw_default_incoming_policy: deny
ufw_default_outgoing_policy: allow
### mgrote_restic
restic_exclude: |
._*
desktop.ini
.Trash-*
**/**cache***/**
**/**Cache***/**
**/**AppData***/**
restic_folders_to_backup: "/usr/local /etc /root /home"
restic_repository: "//fileserver3.mgrote.net/restic"
restic_fail_mail: michael.grote@posteo.de
restic_repository_password: "{{ lookup('viczem.keepass.keepass', 'restic_repository_password', 'password') }}"
restic_mount_password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_restic', 'password') }}" #gitleaks:allow
restic_mount_user: restic
restic_schedule: "*-*-* 4:00:00"
### mgrote_apt_manage_packages
apt_packages_common:
- locales
- python3
- build-essential
- htop
- git
- dnsutils
- mc
- cifs-utils
- haveged #https://www.linux-magazin.de/ausgaben/2011/09/einfuehrung2/
- ca-certificates
- netdiscover
- tree
- curl
- whois
- logrotate
- ncdu
- net-tools
- apt-transport-https
- moreutils
- acl
- vim
- rsync
- at
- ripgrep
- iotop
- pwgen
- keychain
- bc
- jq
apt_packages_physical:
- s-tui
- smartmontools
- lm-sensors
- ethtool
- fwupd
apt_packages_vm:
- qemu-guest-agent
- open-vm-tools
apt_packages_absent:
- nano
- snapd
- ubuntu-advantage-tools
- neofetch
- graphviz
- ubuntu-pro-client
### mgrote_zfs_sanoid
sanoid_templates:
- name: '31tage'
keep_hourly: '24' # Aufheben (Stunde)
keep_daily: '31' # Aufheben (Tage)
keep_monthly: '3' # Aufheben (Monate)
keep_yearly: '0' # Aufheben (Jahre)
frequently: '16' # Aufheben (Minuten)
frequent_period: '15' # Intervall (alle 5 Minuten)
autosnap: 'yes' # Automatisches erstellen von Snapshots
autoprune: 'yes'
- name: '14tage'
keep_hourly: '24'
keep_daily: '14'
keep_monthly: '0'
keep_yearly: '0'
frequently: '16'
frequent_period: '15'
autosnap: 'yes'
autoprune: 'yes'
- name: '3tage'
keep_hourly: '24'
keep_daily: '7'
keep_monthly: '0'
keep_yearly: '0'
frequently: '16'
frequent_period: '15'
autosnap: 'yes'
autoprune: 'yes'
- name: '3monate'
keep_hourly: '24'
keep_daily: '7'
keep_monthly: '3'
keep_yearly: '0'
frequently: '16'
frequent_period: '15'
autosnap: 'yes'
autoprune: 'yes'
- name: 'pve3tage'
keep_hourly: '72'
keep_daily: '5'
keep_monthly: '0'
keep_yearly: '0'
frequently: '16'
frequent_period: '15'
autosnap: 'yes'
autoprune: 'yes'
### mgrote_zfs_sanoid
sanoid_deb_url: http://docker10.mgrote.net:3344/sanoid_v2.2.0.deb
### mgrote_munin_node
munin_node_plugins_repo_user: "{{ ansible_forgejo_user }}"
munin_node_plugins_repo_user_pass: "{{ ansible_forgejo_user_pass }}"
munin_node_bind_host: "0.0.0.0"
munin_node_bind_port: "4949"
munin_node_allowed_cidrs: [192.168.2.0/24]
munin_node_disabled_plugins:
- meminfo # zu hohe last
- hddtemp2 # ersetzt durch hddtemp_smartctl
- ntp # verursacht zu viele dns ptr request
- hddtempd # ersetzt durch hddtemp_smartctl
- squid_cache # proxmox
- squid_objectsize # proxmox
- squid_requests # proxmox
- squid_traffic # proxmox
- timesync
- docker_volumesize2
- docker_multi
munin_node_plugins:
- name: chrony
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
- name: systemd_status
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
- name: systemd_mem
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
config: |
[systemd_mem]
env.all_services true
- name: lvm_
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
config: |
[lvm_*]
user root
- name: fail2ban
src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
config: |
[fail2ban]
env.client /usr/bin/fail2ban-client
env.config_dir /etc/fail2ban
user root
# Ansible Variablen
### User
ansible_user: "ansible-user"
### SSH
ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'"
### python3
# https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html
ansible_python_interpreter: "/usr/bin/python3"
# Ansible Plugin Variablen
### Keepass
# https://github.com/viczem/ansible-keepass
keepass_dbx: "./keepass_db.kdbx"
keepass_psw: !vault |
$ANSIBLE_VAULT;1.1;AES256
62383737623066396239383336646164616537646630653964313532383130343533346561633039
3437306134656535353438666165376332633064383135650a636537626662656130376537633164
61613132326536666466636632363866393066656236303766333338356337396338376266346631
6364336331623539300a313562303161373631613734313938346666376239613333333363376236
38363035376662353135333332363431343833656666643036326234656166643531