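---
# Do not edit this directly.
#
# Use
#   group_vars/inventory_name/vars.yml
#   host_vars/your_hostname/vars.yml
# for plaintext variables.
#
# For secrets, use the same paths with vault.yml instead of vars.yml.
#
# Boolean switches in this file are written as true/false rather than
# yes/no so that they parse the same under YAML 1.1 and YAML 1.2 loaders.

### Misc settings

# Privilege escalation command (could be sudo instead)
escalation_method: doas

# Port sshd listens on
sshd_port: 2500

# Username for the privileged user
admin_username: maestro

# Username for the unprivileged user
username: dogeystamp

# Create an SFTP read-only user (leave blank to disable).
# Prefer an explicit "" over a bare `sftp_ro_username:` — the bare form parses
# as null; presumably the role only tests for emptiness, so either is falsy,
# but "" is unambiguous.
sftp_ro_username: dogeystamp-mobile

# Git repos (could be localhost if Gitea is installed).
# Plain http:// is only appropriate for localhost; if these point at a remote
# host, use https:// or ssh:// so the clone is not fetched in cleartext.
dots_repo: http://localhost:3000/dogeystamp/dots.git
site_repo: http://localhost:3000/dogeystamp/wb4.git

# Drive with all the data stored on it (should be separate from the OS drive).
# This is the raw partition, not the mapped crypt device.
secondary_disk: /dev/sda1

# Drive for backups (also separate from the OS drive).
# This is the raw partition, not the mapped crypt device.
backup_disk: /dev/sda2

# Title used for the static website generator
web_name: dogeystamp

# Web root for nginx and other applications
webroot: /srv/http

# Data root
dataroot: /var/www/data

# Extra packages
util_pack:
  - neovim
  - neofetch
  - fish
  - htop
  - tmux
  - git
  - cronie
  - progress
  - rsync
  - man-db


### Network settings (nameserver, address, etc.)

# Domain to send dynamic DNS updates to
dyndns_domain: d.nerdpol.ovh

# Domain actually used for the site (this will be set up to forward to dyndns_domain).
# Set this to the same as dyndns_domain if your registrar supports dynamic DNS natively.
domain: dogeystamp.com

# Upstream resolver that DNS queries are forwarded to
dns_forward: 1.1.1.1

# Local IP address subnet
local_subnet: 192.168.0.0/24

# CIDR prefix
subnet_prefix: /24

# Static address of the server (locally).
# Preferably have another address to SSH into with Ansible, as the IP is
# changed midway through the run in connection.yml.
local_ip: 192.168.0.3

# Gateway address (this is your router's IP)
gateway: 192.168.0.1

# Connection interface for the static IP
interface: eth0


# Settings for templates in templates/srv_conf/ and service configs
nginx_services:
  wiki:
    path: "/"
  navidrome:
    path: "/"
  gitea:
    path: "/"
  synapse:
    # Synapse does not support a prefix path.
    max_body_size: "50M"
  website:
    path: "/"


# List of nginx server blocks
#
# domain   is the domain this server block listens to
# ssl_cert is the name of the SSL certificate and key (see roles/networking/ssl)
# listens  sets the ports the block will listen to
# services is a list of services (templates/srv_conf/) to place in this domain
#
# Ensure no two services have the same location (domain and path).

default_listens:
  - "443 ssl http2"
  - "[::]:443 ssl http2"

server_blocks:
  wiki:
    domain: "wiki.{{ domain }}"
    ssl_cert: "{{ domain }}"
    listens: "{{ default_listens }}"
    services:
      - wiki

  navidrome:
    domain: "mus.{{ domain }}"
    ssl_cert: "{{ domain }}"
    listens: "{{ default_listens }}"
    services:
      - navidrome

  gitea:
    domain: "git.{{ domain }}"
    ssl_cert: "{{ domain }}"
    listens: "{{ default_listens }}"
    services:
      - gitea

  synapse:
    domain: "m.{{ domain }}"
    ssl_cert: "{{ domain }}"
    # 8448 is the conventional Matrix federation port; it is exposed in
    # addition to the default_listens ports rather than via the alias.
    listens:
      - "443 ssl http2"
      - "[::]:443 ssl http2"
      - "8448 ssl http2 default_server"
      - "[::]:8448 ssl http2 default_server"
    services:
      - synapse

  website:
    domain: "www.{{ domain }}"
    ssl_cert: "{{ domain }}"
    listens: "{{ default_listens }}"
    services:
      - website

  redirect:
    domain: "{{ dyndns_domain }}"
    ssl_cert: "{{ dyndns_domain }}"
    listens: "{{ default_listens }}"
    services:
      - redirect

# Settings for other services not handled by nginx
service_info:
  coturn:
    domain: "stun.{{ domain }}"
    ssl_cert: "stun.{{ domain }}"


### Mediawiki farm variables

# Internal names for the wikis, used for filenames and URLs
wiki_names:
  - bepp
  - rw


### Placeholders for secret vault (change these in host_vars/your_hostname/vault.yml)
#
# Every value in this section is a deliberately unusable placeholder so the
# playbook still renders. Real values belong in the vault file only; do not
# deploy with these defaults unchanged.

ddclient_pass: "secret"

# Gitea secrets
lfs_jwt_secret: "secret"
jwt_secret: "secret"

# Mediawiki secrets
wgUpgradeKey: "secret"
# This should have the same number of elements as wiki_names.
wgSecretKey:
  - "wiki_secret"
  - "rw_secret"

# Matrix Synapse secrets
registration_shared_secret: "secret"
macaroon_secret_key: "secret"
form_secret: "secret"

# Coturn secrets
coturn_secret_key: "secret"

# SSL ACME External Account Binding secrets (optional: required for some CAs)

# ZeroSSL
zerossl_acme_eab_kid: "secret"
zerossl_acme_eab_key: "secret"
# If you have a different email for ZeroSSL
zerossl_email: "you@example.com"

# Email address for ACME and DNS
email: "me@example.com"


### Role switches
# Written as true/false: `yes` is a YAML 1.1 boolean but a plain string under
# YAML 1.2, so the canonical spelling avoids loader-dependent behaviour.

# Setup AUR helper yay
enable_aur: true

# Dotfile deployment
enable_dotfiles: true

# LUKS crypto and filesystem mounts
enable_filesystems: true

# Deploy script to facilitate backups
enable_backup: true

# Firewall (UFW)
enable_firewall: true

# Use NetworkManager to configure a proper static IP address in the LAN
enable_connection: true

# Dynamic DNS client
enable_ddclient: true

# Nameserver (if you can't do NAT hairpinning)
enable_nameserver: true

# SSL ACME (Let's Encrypt)
enable_ssl: true

# nginx: necessary for gitea, synapse, wiki, and website.
enable_webserver: true

# Git server
enable_gitea: true

# Matrix server
enable_synapse: true

# TURN server for Matrix VoIP
enable_coturn: true

# MediaWiki
enable_wiki: true

# Navidrome (music server)
enable_navidrome: true

# Personal website
enable_website: true

# SFTP read-only user
enable_sftpr: true

# Mailserver (local only)
enable_mail: true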