Diffstat (limited to 'vars')
-rw-r--r--vars/common7
-rw-r--r--vars/hostclass/asterisk_server10
-rw-r--r--vars/hostclass/authoritative_nameserver4
-rw-r--r--vars/hostclass/bitwarden_server3
-rw-r--r--vars/hostclass/dav_server4
-rw-r--r--vars/hostclass/pkg_repository1
-rw-r--r--vars/hostclass/postgresql_server3
-rw-r--r--vars/hostclass/public_webserver5
-rw-r--r--vars/hostclass/ttrss_server4
-rw-r--r--vars/hostclass/turn_server8
-rw-r--r--vars/hostclass/xmpp_server5
-rw-r--r--vars/hostclass/znc_server4
-rw-r--r--vars/hostname/bitwarden14
-rw-r--r--vars/hostname/dav13
-rw-r--r--vars/hostname/ns13
-rw-r--r--vars/hostname/pbx13
-rw-r--r--vars/hostname/postgres14
-rw-r--r--vars/hostname/ttrss14
-rw-r--r--vars/hostname/turn13
-rw-r--r--vars/hostname/www15
-rw-r--r--vars/hostname/xmpp15
-rw-r--r--vars/os/freebsd1
22 files changed, 92 insertions, 1 deletions
diff --git a/vars/common b/vars/common
index 18d0e52..92a0c96 100644
--- a/vars/common
+++ b/vars/common
@@ -3,6 +3,7 @@
site=myhomelab
domain=idm.example.com
email_domain=example.com
+turn_domain=turn.example.com
locale=en_US.UTF-8
ntp_pools='pool.ntp.org'
root_password=changeme
@@ -21,6 +22,8 @@ idm2 2 5.6.7.8"
reverse_dns_zones="0.168.192.in-addr.arpa 12.11.10.in-addr.arpa"
+kerberized_cidrs=192.168.0.0/24
+
rspamd_privkey='changeme with: rspamadm keypair'
rspamd_pubkey='changeme with: rspamadm keypair'
rspamd_ro_password='changeme'
@@ -46,6 +49,8 @@ krb5_renew_lifetime=7d
nslcd_min_uid=1000
nscd_ttl=600
nscd_negative_ttl=20
+prosody_username='s-prosody'
+prosody_uid=20005
rspamd_port=11334
ssh_authzkeys_uid=789
ssh_authzkeys_username=sshkeys
@@ -53,7 +58,7 @@ tcp_buffer_size=2097152 # suitable for 1 GigE
nginx_nofile=2048
nginx_worker_connections=768
-if $(( nproc > 4 )); then
+if (( nproc > 4 )); then
nginx_worker_processes=4
else
nginx_worker_processes=$nproc
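Review bot: `(( nproc > 4 ))` on the changed line is a bash/ksh arithmetic command rather than POSIX sh, while the sibling vars files added in this commit carry `#!/bin/sh`. If vars/common is read by a plain POSIX shell (the shebang is not visible here), the line is likely parsed as nested subshells that run a command named `nproc` with stdout redirected to a file called `4`, so the branch would no longer test the variable. A portable form is `if [ "$nproc" -gt 4 ]; then`. The `if` block closes outside this hunk.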
diff --git a/vars/hostclass/asterisk_server b/vars/hostclass/asterisk_server
new file mode 100644
index 0000000..daf5fa6
--- /dev/null
+++ b/vars/hostclass/asterisk_server
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+asterisk_rtp_port_start=10000
+asterisk_rtp_port_end=10999
+
+allowed_tcp_ports='ssh sip sip-tls'
+allowed_udp_ports="ssh sip sip-tls ${asterisk_rtp_port_start}:${asterisk_rtp_port_end}"
+
+acme=true
+acme_standalone=true
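Review bot: The `allowed_udp_ports` line repeats `ssh` and `sip-tls`, which are normally TCP-only services, so the firewall is opened on UDP with no visible listener behind it. Unless something on this host class really uses them over UDP, `allowed_udp_ports="sip ${asterisk_rtp_port_start}:${asterisk_rtp_port_end}"` keeps the rule set to what Asterisk needs. Separately, `acme_standalone=true` presumably needs an inbound challenge port that `allowed_tcp_ports` does not list; it is worth confirming where that port is opened.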
diff --git a/vars/hostclass/authoritative_nameserver b/vars/hostclass/authoritative_nameserver
new file mode 100644
index 0000000..a421b7c
--- /dev/null
+++ b/vars/hostclass/authoritative_nameserver
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+allowed_tcp_ports='ssh domain'
+allowed_udp_ports='domain'
diff --git a/vars/hostclass/bitwarden_server b/vars/hostclass/bitwarden_server
new file mode 100644
index 0000000..5ae7588
--- /dev/null
+++ b/vars/hostclass/bitwarden_server
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+allowed_tcp_ports="ssh http https"
diff --git a/vars/hostclass/dav_server b/vars/hostclass/dav_server
new file mode 100644
index 0000000..2a4b250
--- /dev/null
+++ b/vars/hostclass/dav_server
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+allowed_tcp_ports='ssh http https'
+nginx_gssapi=true
diff --git a/vars/hostclass/pkg_repository b/vars/hostclass/pkg_repository
index dbd49a7..4752685 100644
--- a/vars/hostclass/pkg_repository
+++ b/vars/hostclass/pkg_repository
@@ -1,3 +1,4 @@
#!/bin/sh
allowed_tcp_ports='ssh http'
+nginx_redirect=false
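Review bot: `nginx_redirect=false` sits next to `allowed_tcp_ports='ssh http'` with no comment explaining why this host class stays on plain HTTP. If the flag disables an HTTP-to-HTTPS redirect (inferred from the name only), package integrity rests entirely on signature verification by the clients, and that assumption should be written down. A comment above the line such as `# repo is served over plain HTTP; clients must verify package signatures` would record it.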
diff --git a/vars/hostclass/postgresql_server b/vars/hostclass/postgresql_server
new file mode 100644
index 0000000..500e59b
--- /dev/null
+++ b/vars/hostclass/postgresql_server
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+allowed_tcp_ports='ssh postgresql'
diff --git a/vars/hostclass/public_webserver b/vars/hostclass/public_webserver
new file mode 100644
index 0000000..b6a9c9d
--- /dev/null
+++ b/vars/hostclass/public_webserver
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+allowed_tcp_ports='ssh http https'
+acme=true
+nginx_public=true
diff --git a/vars/hostclass/ttrss_server b/vars/hostclass/ttrss_server
new file mode 100644
index 0000000..2a4b250
--- /dev/null
+++ b/vars/hostclass/ttrss_server
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+allowed_tcp_ports='ssh http https'
+nginx_gssapi=true
diff --git a/vars/hostclass/turn_server b/vars/hostclass/turn_server
new file mode 100644
index 0000000..06cc6ae
--- /dev/null
+++ b/vars/hostclass/turn_server
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+coturn_listen_port=3478
+coturn_min_port=49152
+coturn_max_port=65535
+
+allowed_tcp_ports="ssh ${coturn_listen_port}"
+allowed_udp_ports="${coturn_listen_port} ${coturn_min_port}:${coturn_max_port}"
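Review bot: `coturn_min_port=49152` and `coturn_max_port=65535` make `allowed_udp_ports` open the whole dynamic port range for inbound UDP, so any other UDP socket the host binds in that range becomes reachable as well. A narrower relay range sized to the expected number of concurrent allocations keeps the firewall closer to what coturn uses, for example `coturn_max_port=50175` (a constructed value, to be sized for the deployment). A short comment on the range would also help, since the firewall rule and the coturn configuration presumably both derive from these two variables.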
diff --git a/vars/hostclass/xmpp_server b/vars/hostclass/xmpp_server
new file mode 100644
index 0000000..204d1ba
--- /dev/null
+++ b/vars/hostclass/xmpp_server
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+acme=true
+allowed_tcp_ports='ssh http https xmpp-client xmpp-server'
+nginx_public=true
diff --git a/vars/hostclass/znc_server b/vars/hostclass/znc_server
new file mode 100644
index 0000000..7e6ad77
--- /dev/null
+++ b/vars/hostclass/znc_server
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+znc_irc_port=6697
+allowed_tcp_ports="ssh http https ${znc_irc_port}"
diff --git a/vars/hostname/bitwarden1 b/vars/hostname/bitwarden1
new file mode 100644
index 0000000..659336e
--- /dev/null
+++ b/vars/hostname/bitwarden1
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+cnames=bitwarden
+vaultwarden_fqdn="bitwarden.${domain}"
diff --git a/vars/hostname/dav1 b/vars/hostname/dav1
new file mode 100644
index 0000000..cab4c08
--- /dev/null
+++ b/vars/hostname/dav1
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cnames=dav
diff --git a/vars/hostname/ns1 b/vars/hostname/ns1
new file mode 100644
index 0000000..cb59104
--- /dev/null
+++ b/vars/hostname/ns1
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cnames=ns
diff --git a/vars/hostname/pbx1 b/vars/hostname/pbx1
new file mode 100644
index 0000000..4931dd6
--- /dev/null
+++ b/vars/hostname/pbx1
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cnames=pbx
diff --git a/vars/hostname/postgres1 b/vars/hostname/postgres1
new file mode 100644
index 0000000..a38ba94
--- /dev/null
+++ b/vars/hostname/postgres1
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+memsize=$(( 8 * 1024 * 1024 * 1024))
+cnames=postgres
diff --git a/vars/hostname/ttrss1 b/vars/hostname/ttrss1
new file mode 100644
index 0000000..d6fbb39
--- /dev/null
+++ b/vars/hostname/ttrss1
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+cnames=ttrss
+ttrss_hostname="ttrss.${domain}"
diff --git a/vars/hostname/turn1 b/vars/hostname/turn1
new file mode 100644
index 0000000..86e970a
--- /dev/null
+++ b/vars/hostname/turn1
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cnames=turn
diff --git a/vars/hostname/www1 b/vars/hostname/www1
new file mode 100644
index 0000000..88a683e
--- /dev/null
+++ b/vars/hostname/www1
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cnames='www'
+acmeproxy_client_group=$prosody_username
+acmeproxy_client_gid=$prosody_uid
diff --git a/vars/hostname/xmpp1 b/vars/hostname/xmpp1
new file mode 100644
index 0000000..e094b54
--- /dev/null
+++ b/vars/hostname/xmpp1
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cnames=xmpp
+prosody_acme_host=www1
+prosody_public_fqdn=xmpp.example.com
diff --git a/vars/os/freebsd b/vars/os/freebsd
index 5fae2d6..d13c84e 100644
--- a/vars/os/freebsd
+++ b/vars/os/freebsd
@@ -14,6 +14,7 @@ export ASSUME_ALWAYS_YES=yes
keytab_dir=/var/db/keytabs
nfscbd_port=7745
nginx_user=www
+nginx_conf_dir=/usr/local/etc/nginx
nslcd_user=nslcd
php_version=82
postgresql_version=16