homeserver-ansible/group_vars/all/vars.yml

# Do not edit this directly.
#
# Use
#  group_vars/inventory_name/vars.yml
#  host_vars/your_hostname/vars.yml
# for plaintext variables.
#
# For secrets, use the same paths with vault.yml instead of vars.yml.

### Misc settings

# Email address for Let's Encrypt and DNS
email: dogeystamp@disroot.org

# Could be sudo instead
escalation_method: doas

sshd_port: 2500

# Username for the priviledged user
admin_username: maestro

# Username for unpriviledged user
username: dogeystamp

# Create an SFTP read-only user (leave blank to disable)
sftp_ro_username: dogeystamp-mobile

# Git repos (could be localhost if Gitea is installed)
dots_repo: http://localhost:3000/dogeystamp/dots.git
site_repo: http://localhost:3000/dogeystamp/wb4.git

# Drive with all the data stored on it (should be separate from OS drive)
# This is the raw partition, and not the mapped crypt device
secondary_disk: /dev/sda1

# Drive for backups (also separate from OS drive)
# This is the raw partition, and not the mapped crypt device
backup_disk: /dev/sda2

# Title used for the static website generator
web_name: dogeystamp

# Web root for nginx and other applications
webroot: /srv/http

# Data root
dataroot: /var/www/data

# Extra packages
util_pack:
  - neovim
  - neofetch
  - fish
  - htop
  - tmux
  - git
  - cronie
  - progress
  - rsync
  - man-db



### Network settings (nameserver, address, etc.)

domain: d.nerdpol.ovh

# Forward DNS queries to
dns_forward: 1.1.1.1

# Local IP address subnet
local_subnet: 192.168.0.0/24

# CIDR prefix
subnet_prefix: /24
  
# Static address of the server (locally)
# Preferably have another one to SSH into with Ansible, as we change the IP midway
# in connection.yml
local_ip: 192.168.0.3

# Gateway address (this is your router's IP)
gateway: 192.168.0.1

# Connection interface for static IP
interface: eth0

# Email to send renewal notices to
acme_email: "{{ email }}"

# ACME directory to use
# acme_dir: "https://acme-v02.api.letsencrypt.org/directory"
acme_dir: "https://acme.zerossl.com/v2/DV90"

# Algorithm for ACME External Account Binding
acme_eab_alg: HS256



### Mediawiki farm variables

# Internal names for the wikis, used for filenames and URLs
wiki_names:
  - wiki
  - rw



### Placeholders for secret vault (change these in host_vars/your_hostname/vault.yml)

ddclient_pass: "secret"

# Gitea secrets
lfs_jwt_secret: "secret"
jwt_secret: "secret"

# Mediawiki secrets
wgUpgradeKey: "secret"
# This should have the same amount of elements as wiki_names.
wgSecretKey:
  - "wiki_secret"
  - "rw_secret"

# Matrix Synapse secrets
registration_shared_secret: "secret"
macaroon_secret_key: "secret"
form_secret: "secret"

# Coturn secrets
coturn_secret_key: "secret"

# SSL ACME External Account Binding secrets (optional: required for some CAs)
acme_eab_kid: "secret"
acme_eab_key: "secret"



### Role switches

# Setup AUR helper yay
enable_aur: yes

# Dotfile deployment
enable_dotfiles: yes

# LUKS crypto and filesystem mounts
enable_filesystems: yes

# Deploy script to facilitate backups
enable_backup: yes

# Firewall (UFW)
enable_firewall: yes

# Use NetworkManager to configure a proper static IP address in LAN
enable_connection: yes

# Dynamic DNS client
enable_ddclient: yes

# Nameserver (if you can't do NAT hairpinning)
enable_nameserver: yes

# SSL ACME (Let's Encrypt)
enable_ssl: yes

# nginx: necessary for gitea, synapse, wiki, and website.
enable_webserver: yes

# Git server
enable_gitea: yes

# Matrix server
enable_synapse: yes

# TURN server for Matrix VoIP
enable_coturn: yes

# MediaWiki
enable_wiki: yes

# Navidrome (music server)
enable_navidrome: yes

# Personal website
enable_website: yes

# SFTP read-only user
enable_sftpr: yes

# Mailserver (local only)
enable_mail: yes