---
# Variables shared by many roles. Each "###" header names the role (or
# collection role) that consumes the variables below it. Secrets are resolved
# at runtime through the viczem.keepass.keepass lookup; the only secret stored
# in this file is keepass_psw, which is an ansible-vault blob (see the end of
# the file).

### used in many roles

no_debug: true  # when set to true "no_log" is also set to true

ansible_facts_parallel: true

# Public key only; the matching private key is not part of this file.
ssh_public_key_mg: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKL8opSQ0rWVw9uCfbuiqmXq188OP4xh66MBTO3zV5jo heimserver_mg_v3

my_mail: michael.grote@posteo.de

# Banner written into files generated by Ansible. The "#" lines below are the
# block scalar's content, not YAML comments.
file_header: |
  #----------------------------------------------------------------#
  # This file is managed with ansible! #
  #----------------------------------------------------------------#

# for access to non-public git.mgrote.net repositories
ansible_forgejo_user: svc_ansible
ansible_forgejo_user_pass: "{{ lookup('viczem.keepass.keepass', 'forgejo/user_setup_forgejo_user_pass', 'password') }}"  # the user has been added to the repo as "Collaborator" + "RO"


### mgrote_user_setup

# Accounts that get the dotfiles checkout.
dotfiles:
  - user: mg
    home: /home/mg
  - user: root
    home: /root
dotfiles_repo_url: "https://git.mgrote.net/mg/dotfiles"
dotfiles_vim_vundle_repo_url: "https://git.mgrote.net/mirrors/Vundle.vim.git"


### mgrote_netplan

netplan_configure: true


### mgrote_user

# Local accounts. Password hashes come from KeePass; both accounts are in the
# sudo group with passwordless sudo enabled.
users:
  - username: mg
    password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
    update_password: always
    groups:
      - ssh
      - sudo
    state: present
    public_ssh_key: "{{ ssh_public_key_mg }}"
    allow_sudo: true
    allow_passwordless_sudo: true
  # automation account used by Ansible itself (see ansible_user below)
  - username: ansible-user
    password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
    update_password: always
    groups:
      - ssh
      - sudo
    state: present
    public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE
    allow_sudo: true
    allow_passwordless_sudo: true


### hifis_unattended_upgrades

unattended_mail: "{{ my_mail }}"
unattended_mail_only_on_error: true
unattended_syslog_enable: true
# ZFS packages are excluded from automatic upgrades.
unattended_package_blacklist: [libzfs4linux, libzpool5linux, zfs-initramfs, zfs-zed, zfsutils-linux]
unattended_origins_patterns:
  - 'origin=Ubuntu,archive=${distro_codename}-security'
  - 'o=Ubuntu,a=${distro_codename}-updates'


### mgrote_ntp_chrony_client

ntp_chrony_timezone: "Europe/Berlin"  # time zone the host is in
ntp_chrony_driftfile_directory: "/var/lib/chrony"  # directory for the drift file
ntp_chrony_servers:  # which servers to query
  - address: 192.168.2.1
    options: iburst  # optional parameter
ntp_chrony_user: _chrony  # user + group for the service
ntp_chrony_group: _chrony  # user + group for the service
ntp_chrony_logging: false


### mgrote_postfix

# Mail relay; no credentials are configured here.
postfix_smtp_server: docker10.mgrote.net
postfix_smtp_server_port: 1025


### mgrote_fail2ban

# ban for 300 s after 5 failures within 300 s
f2b_bantime: 300
f2b_findtime: 300
f2b_maxretry: 5
f2b_destemail: "{{ my_mail }}"
f2b_sender: info@mgrote.net


### oefenweb.ufw

ufw_rules:
  # SSH is accepted from any source; repeated failures are limited by
  # fail2ban (f2b_* above).
  - rule: allow
    to_port: 22
    protocol: tcp
    comment: 'ssh'
    from_ip: 0.0.0.0/0
  # munin-node is only reachable from the local network.
  - rule: allow
    to_port: 4949
    protocol: tcp
    comment: 'munin'
    from_ip: 192.168.2.0/24
ufw_default_incoming_policy: deny
ufw_default_outgoing_policy: allow


### mgrote_restic

# Exclude patterns, one per line (block scalar content).
restic_exclude: |
  ._*
  desktop.ini
  .Trash-*
  **/**cache***/**
  **/**Cache***/**
  **/**AppData***/**
restic_folders_to_backup: "/usr/local /etc /root /home"
# SMB share; mounted with restic_mount_user / restic_mount_password
restic_repository: "//fileserver3.mgrote.net/restic"
restic_fail_mail: "{{ my_mail }}"
restic_repository_password: "{{ lookup('viczem.keepass.keepass', 'restic_repository_password', 'password') }}"
restic_mount_password: "{{ lookup('viczem.keepass.keepass', 'fileserver/fileserver_smb_user_restic', 'password') }}" #gitleaks:allow
restic_mount_user: restic
restic_schedule: "*-*-* 4:00:00"  # systemd calendar spec


### mgrote_apt_manage_packages

# installed on every host
apt_packages_common:
  - locales
  - wget
  - python3
  - build-essential
  - htop
  - git
  - dnsutils
  - mc
  - cifs-utils
  - haveged  # https://www.linux-magazin.de/ausgaben/2011/09/einfuehrung2/
  - ca-certificates
  - netdiscover
  - tree
  - curl
  - whois
  - logrotate
  - ncdu
  - net-tools
  - apt-transport-https
  - moreutils
  - acl
  - vim
  - rsync
  - at
  - ripgrep
  - iotop
  - pwgen
  - keychain
  - bc
  - jq
# physical hosts only
apt_packages_physical:
  - s-tui
  - smartmontools
  - lm-sensors
  - ethtool
  - fwupd
# virtual machines only
apt_packages_vm:
  - qemu-guest-agent
  - open-vm-tools
# removed everywhere
apt_packages_absent:
  - nano
  - snapd
  - ubuntu-advantage-tools
  - neofetch
  - graphviz
  - ubuntu-pro-client


### mgrote_zfs_sanoid

# Snapshot retention templates; values are strings as sanoid expects them.
sanoid_templates:
  - name: '31tage'
    keep_hourly: '24'  # hourly snapshots to keep
    keep_daily: '31'  # daily snapshots to keep
    keep_monthly: '3'  # monthly snapshots to keep
    keep_yearly: '0'  # yearly snapshots to keep
    frequently: '16'  # frequent snapshots to keep
    frequent_period: '15'  # interval between frequent snapshots in minutes (NOTE(review): the original note said 5 min, the value is 15 — confirm which is intended)
    autosnap: 'yes'  # create snapshots automatically
    autoprune: 'yes'
  - name: '14tage'
    keep_hourly: '24'
    keep_daily: '14'
    keep_monthly: '0'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'
  - name: '7tage'
    keep_hourly: '24'
    keep_daily: '7'
    keep_monthly: '0'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'
  - name: '3monate'
    keep_hourly: '24'
    keep_daily: '7'
    keep_monthly: '3'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'
  - name: 'pve3tage'
    keep_hourly: '72'
    keep_daily: '5'
    keep_monthly: '0'
    keep_yearly: '0'
    frequently: '16'
    frequent_period: '15'
    autosnap: 'yes'
    autoprune: 'yes'


### mgrote_munin_node

munin_node_plugins_repo_user: "{{ ansible_forgejo_user }}"
munin_node_plugins_repo_user_pass: "{{ ansible_forgejo_user_pass }}"
# Listens on all interfaces; access is limited by munin_node_allowed_cidrs and
# the ufw rule for port 4949 above.
munin_node_bind_host: "0.0.0.0"
munin_node_bind_port: "4949"
munin_node_allowed_cidrs: [192.168.2.0/24]
munin_node_disabled_plugins:
  - meminfo  # too much load
  - hddtemp2  # replaced by hddtemp_smartctl
  - ntp  # causes too many DNS PTR requests
  - hddtempd  # replaced by hddtemp_smartctl
  - squid_cache  # proxmox
  - squid_objectsize  # proxmox
  - squid_requests  # proxmox
  - squid_traffic  # proxmox
  - timesync
  - docker_volumesize2
  - cpu_by_group
  - docker_multi

# Plugins fetched from git.mgrote.net; "config" is the plugin-conf.d snippet
# (block scalar content). Several run as root.
munin_node_plugins:
  - name: chrony
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
  - name: systemd_status
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
  - name: systemd_mem
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
    config: |
      [systemd_mem]
      env.all_services true
  - name: lvm_
    src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
    config: |
      [lvm_*]
      user root
  - name: fail2ban
    src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
    config: |
      [fail2ban]
      env.client /usr/bin/fail2ban-client
      env.config_dir /etc/fail2ban
      user root


### mgrote_sync (for pbs + pve)

rsync_mirror_user_group: "{{ rsync_mirror_user }}"
rsync_mirror_user: rsync_mirror
rsync_mirror_bw_limit: "4m"  # 4 Megabytes
rsync_mirror_timer: '*-*-* 0/8:5:0'  # every 8 h

# Key pair for the mirror user, both halves stored in KeePass "notes".
rsync_mirror_private_key: "{{ lookup('viczem.keepass.keepass', 'rsync_mirror_private_key', 'notes') }}"
rsync_mirror_public_key: "{{ lookup('viczem.keepass.keepass', 'rsync_mirror_public_key', 'notes') }}"


# Ansible variables

### User
ansible_user: "ansible-user"

### SSH
# NOTE(review): this disables SSH host-key verification for every managed
# host, so a host impersonating a target would not be detected; a
# pre-populated known_hosts (or "accept-new") keeps the check.
ansible_ssh_common_args: "'-o StrictHostKeyChecking=no'"

### python3
# https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html
ansible_python_interpreter: "/usr/bin/python3"


# Ansible plugin variables

### Keepass
# https://github.com/viczem/ansible-keepass
keepass_dbx: "./keepass_db.kdbx"
# ansible-vault encrypted; see the note at the end of the file.
keepass_psw: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  35333563623630373138383563343432333866623533343766646165363261656439653861613336
  6632626438396538316565343061393735383836633631620a653832333936313166316436613237
  38616366623862306534313038343132613832633162303965313138383232383065336231643030
  3862333162643436360a396162303433306138643863333461383737656538636463336533613630
  64383631396664636139393932386239656636366337346163643430353838653166393030323132
  34623439323063336438663031303638303735353735316238616633343833616461363561666338
  36616565393333303935343961386130353435373830383865613133663538633338303762643935
  37626537396238386365

# the vault secret used to decrypt the variable "keepass_psw" is stored in "ansible-vault";
# the decrypted secret is identical to the KeePass password