You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
124 lines
4.6 KiB
YAML
124 lines
4.6 KiB
YAML
---
|
|
|
|
TIMEZONE: "Europe/Berlin"
|
|
|
|
local_user: "{{ lookup('env','USER') }}"
|
|
|
|
global_username: zocker
|
|
global_admin_mail: felix.stupp@outlook.com
|
|
|
|
ansible_user: "{{ global_username }}"
|
|
|
|
ansible_become: yes
|
|
ansible_become_pass: "{{ zocker_password }}"
|
|
|
|
default_tg_monitor_recipient_id: "{{ zocker_telegram_id }}"
|
|
|
|
zocker_authorized_keys_url: "https://git.banananet.work/zocker.keys"
|
|
|
|
update_scripts_directory: "/root/update"
|
|
|
|
backup_gpg_fingerprint: "73D09948B2392D688A45DC8393E1BD26F6B02FB7"
|
|
backups_to_keep: 1
|
|
backups_directory: "/backups"
|
|
backups_files_directory: "{{ backups_directory }}/files"
|
|
backups_mysql_database_directory: "{{ backups_directory }}/mysql_databases"
|
|
backup_scripts_directory: "/root/backup"
|
|
backup_files_scripts_directory: "{{ backup_scripts_directory }}/files"
|
|
backup_mysql_database_scripts_directory: "{{ backup_scripts_directory }}/mysql_databases"
|
|
|
|
# Enabling "debug mode" allows deploying an debug / transitional instance besides another with the same base configuration
|
|
# The debug instance is reachable by using the same domain but prefixed with global_dns_debug_prefix
|
|
# Prevents overwriting of original's instance DNS config until debug mode is disabled
|
|
# If debug mode is disabled, the compatibility to the "debug domain" will be lost and the original's instance DNS config will be overwritten
|
|
# Other variables will need to be adjusted if both instances run on the same server
|
|
is_debug_instance: no
|
|
has_debug_instance: "{{ is_debug_instance }}"
|
|
delete_debug_dns_entries: "{{ not has_debug_instance }}"
|
|
debug_domain: "debug-instance.{{ domain }}" # used if is_debug_instance / on "debug mode", should only prefix domain
|
|
effective_domain: "{{ is_debug_instance | ternary(debug_domain, domain) }}"
|
|
|
|
global_local_user: "{{ lookup('env', 'USER') }}"
|
|
|
|
global_deployment_directory: "/ansible"
|
|
global_configuration_environment_directory: "{{ global_deployment_directory }}/configurations"
|
|
global_helper_directory: "{{ global_deployment_directory }}/helpers"
|
|
global_webservers_directory: "/var/webservers"
|
|
global_socket_directory: "/var/run"
|
|
|
|
global_credentials_directory: "credentials"
|
|
global_public_key_directory: "public_keys"
|
|
|
|
global_dns_list_directory: "{{ global_public_key_directory }}/dns"
|
|
global_dns_session_key_name: "local-ddns"
|
|
global_dns_session_key_path: "/var/run/named/session.key"
|
|
global_dns_session_key_algorithm: "hmac-sha512"
|
|
global_dns_update_key_algorithm: "ED25519"
|
|
global_dns_ttl: "{{ 60 * 60 }}" # default if omitted in all cases
|
|
global_dns_debug_ttl: "{{ 60 }}" # mostly used if has_debug_instance to allow short transfer times
|
|
|
|
global_ssh_key_directory: "{{ global_public_key_directory }}/ssh"
|
|
global_ssh_host_key_directory: "{{ global_ssh_key_directory }}/hosts"
|
|
|
|
global_validate_shell_script: "/usr/bin/shellcheck %s" # TODO add "--format="
|
|
global_validate_sshd_config: "/usr/sbin/sshd -t -f %s"
|
|
global_validate_sudoers_file: "/usr/sbin/visudo -c -f %s"
|
|
|
|
global_wireguard_private_directory: "{{ global_credentials_directory }}/wireguard"
|
|
global_wireguard_public_directory: "{{ global_public_key_directory }}/wireguard/keys"
|
|
global_wireguard_peers_directory: "{{ global_public_key_directory }}/wireguard/peers"
|
|
|
|
nginx_status_page_acl: |
|
|
allow 127.0.0.0/8;
|
|
allow ::1;
|
|
allow {{ ansible_default_ipv4.address }};
|
|
allow {{ ansible_default_ipv6.address }};
|
|
allow {{ global_wireguard_ipv4_range }};
|
|
deny all;
|
|
|
|
phpfpm_status_page_path: "/.well-known/php-fpm-status"
|
|
|
|
ssh_host_key_types:
|
|
- ed25519
|
|
- rsa
|
|
|
|
# (Backend) Port Mappings
|
|
|
|
backend_smtp_port: 12891
|
|
backend_imap_port: 12892
|
|
|
|
# OS-specific Default Configuration
|
|
|
|
debian_repository_mirror: "http://deb.debian.org/debian/"
|
|
debian_repository_use_sources: yes
|
|
|
|
raspbian_repository_mirror: "http://raspbian.raspberrypi.org/raspbian/"
|
|
raspbian_archive_repository_mirror: "http://archive.raspberrypi.org/debian/"
|
|
raspbian_repository_use_sources: yes
|
|
|
|
# Application configurations
|
|
|
|
global_dns_upstream_servers:
|
|
# Quad9 DNS with DNSSEC support, without EDNS
|
|
- "9.9.9.9"
|
|
- "149.112.112.112"
|
|
- "2620:fe::fe"
|
|
- "2620:fe::9"
|
|
|
|
global_ip_discover_url: "https://keys.banananet.work/ping"
|
|
global_ip_discover_register_pass: "{{ lookup('password', 'credentials/ip_discover/register_pass chars=digits,ascii_letters length=256') }}"
|
|
|
|
global_wireguard_port: 51820
|
|
global_wireguard_ipv4_subnet: 22
|
|
global_wireguard_ipv4_netmask: "{{ ('0.0.0.0/' + (global_wireguard_ipv4_subnet | string)) | ipaddr('netmask') }}"
|
|
global_wireguard_ipv4_range: "10.162.4.0/{{ global_wireguard_ipv4_subnet }}"
|
|
# TODO Wireguard IPv6 Support
|
|
|
|
global_systemd_journal_max_storage: 1G
|
|
|
|
# Miscellaneous
|
|
|
|
## IP Blocklist
|
|
|
|
global_ip_blocklist: "{{ (lookup('file', 'misc/blocklists/ipv4.txt')).split('\n') }}"
|