authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /inventory-example/group_vars
initial commit
Diffstat (limited to 'inventory-example/group_vars')
-rw-r--r--inventory-example/group_vars/access_points/vars.yml12
-rw-r--r--inventory-example/group_vars/access_points/vault.yml6
-rw-r--r--inventory-example/group_vars/all/apache.yml1
-rw-r--r--inventory-example/group_vars/all/archive.yml2
-rw-r--r--inventory-example/group_vars/all/asterisk.yml105
-rw-r--r--inventory-example/group_vars/all/coturn.yml3
-rw-r--r--inventory-example/group_vars/all/cups.yml1
-rw-r--r--inventory-example/group_vars/all/firefox.yml73
-rw-r--r--inventory-example/group_vars/all/freeipa.yml144
-rw-r--r--inventory-example/group_vars/all/freeradius.yml1
-rw-r--r--inventory-example/group_vars/all/git.yml2
-rw-r--r--inventory-example/group_vars/all/global.yml105
-rw-r--r--inventory-example/group_vars/all/hastebin.yml3
-rw-r--r--inventory-example/group_vars/all/invidious.yml4
-rw-r--r--inventory-example/group_vars/all/jellyfin.yml1
-rw-r--r--inventory-example/group_vars/all/mail.yml21
-rw-r--r--inventory-example/group_vars/all/mediawiki.yml9
-rw-r--r--inventory-example/group_vars/all/nagios.yml90
-rw-r--r--inventory-example/group_vars/all/nfs.yml11
-rw-r--r--inventory-example/group_vars/all/nitter.yml3
-rw-r--r--inventory-example/group_vars/all/nsd.yml54
-rw-r--r--inventory-example/group_vars/all/packages.yml4
-rw-r--r--inventory-example/group_vars/all/photostructure.yml3
-rw-r--r--inventory-example/group_vars/all/polkit.yml1
-rw-r--r--inventory-example/group_vars/all/postgres.yml4
-rw-r--r--inventory-example/group_vars/all/prosody.yml16
-rw-r--r--inventory-example/group_vars/all/proxmox.yml7
-rw-r--r--inventory-example/group_vars/all/psitransfer.yml7
-rw-r--r--inventory-example/group_vars/all/root.yml6
-rw-r--r--inventory-example/group_vars/all/sudo.yml2
-rw-r--r--inventory-example/group_vars/all/syncthing.yml6
-rw-r--r--inventory-example/group_vars/all/syslog.yml2
-rw-r--r--inventory-example/group_vars/all/teddit.yml3
-rw-r--r--inventory-example/group_vars/all/vault.yml124
-rw-r--r--inventory-example/group_vars/all/vaultwarden.yml1
-rw-r--r--inventory-example/group_vars/all/wireguard.yml2
-rw-r--r--inventory-example/group_vars/all/yum.yml1
-rw-r--r--inventory-example/group_vars/dav_servers.yml6
-rw-r--r--inventory-example/group_vars/dmz.yml1
-rw-r--r--inventory-example/group_vars/el8.yml3
-rw-r--r--inventory-example/group_vars/freeipa_master.yml6
-rw-r--r--inventory-example/group_vars/git_servers.yml1
-rw-r--r--inventory-example/group_vars/linux_desktops.yml1
-rw-r--r--inventory-example/group_vars/linux_laptops.yml2
-rw-r--r--inventory-example/group_vars/nagios_servers.yml1
-rw-r--r--inventory-example/group_vars/nfs_servers.yml10
-rw-r--r--inventory-example/group_vars/opnsense_firewalls.yml7
-rw-r--r--inventory-example/group_vars/photostructure_servers.yml2
-rw-r--r--inventory-example/group_vars/proxmox_hypervisors.yml1
-rw-r--r--inventory-example/group_vars/proxmox_instances.yml2
-rw-r--r--inventory-example/group_vars/rspamd_servers.yml2
-rw-r--r--inventory-example/group_vars/switches/vars.yml6
-rw-r--r--inventory-example/group_vars/switches/vault.yml5
-rw-r--r--inventory-example/group_vars/syncthing_servers.yml1
-rw-r--r--inventory-example/group_vars/ttrss_servers.yml5
-rw-r--r--inventory-example/group_vars/unifi_controllers.yml3
-rw-r--r--inventory-example/group_vars/wiki_servers.yml7
-rw-r--r--inventory-example/group_vars/xmpp_servers.yml1
58 files changed, 913 insertions, 0 deletions
diff --git a/inventory-example/group_vars/access_points/vars.yml b/inventory-example/group_vars/access_points/vars.yml
new file mode 100644
index 0000000..05aaf5d
--- /dev/null
+++ b/inventory-example/group_vars/access_points/vars.yml
@@ -0,0 +1,12 @@
+nagios_snmp_priv_pass: '{{ vault_nagios_snmp_priv_pass }}'
+nagios_snmp_auth_pass: '{{ vault_nagios_snmp_auth_pass }}'
+
+nagios_interfaces:
+ - eth0
+ - regex: '^wifi[0-9]'
+ description: wifi
+ down_ok: yes
+ discard_warn: 500
+ discard_crit: 1000
+ error_warn: 500
+ error_crit: 1000
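Review bot: `down_ok: yes` on the second `nagios_interfaces` item is a YAML 1.1 truthy spelling; Ansible reads it as a boolean, but yamllint's `truthy` rule and YAML 1.2 parsers do not, so write `down_ok: true`. The same `yes`/`no` spellings appear in all/firefox.yml (`firefox_offer_to_save_logins_default: no`), all/freeipa.yml (`freeipa_nfs_homedirs`, `append`), all/nagios.yml (`down_ok`, `exclude`), all/sudo.yml (`sudo_email`) and all/vault.yml (`readonly`). This list also mixes a bare string item (`eth0`) with a mapping item (`regex: ...`); if the nagios role accepts both forms, a one-line comment such as `# items may be a bare interface name or a regex/threshold mapping` would save the next reader a trip into the role.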
diff --git a/inventory-example/group_vars/access_points/vault.yml b/inventory-example/group_vars/access_points/vault.yml
new file mode 100644
index 0000000..f39f186
--- /dev/null
+++ b/inventory-example/group_vars/access_points/vault.yml
@@ -0,0 +1,6 @@
+# This is a sample file with fake secrets. For a real deployment, encrypt this
+# file with `ansible-vault encrypt` and add your own secrets.
+---
+# Unifi APs require the privpass and authpass to be identical...sad!
+vault_nagios_snmp_priv_pass: changeme
+vault_nagios_snmp_auth_pass: changeme
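Review bot: The header comment telling the reader to run `ansible-vault encrypt` on this file sits inside the file that gets encrypted, so once someone follows it the guidance disappears along with the rest of the contents. Keep the comment, but the same sentence belongs next to the `nagios_snmp_*` references in the sibling vars.yml (or in the README) where it stays readable after encryption. The note about Unifi requiring identical auth and priv passphrases is useful and should stay as well.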
diff --git a/inventory-example/group_vars/all/apache.yml b/inventory-example/group_vars/all/apache.yml
new file mode 100644
index 0000000..85c7abf
--- /dev/null
+++ b/inventory-example/group_vars/all/apache.yml
@@ -0,0 +1 @@
+apache_sysaccount_password: '{{ vault_apache_sysaccount_password }}'
diff --git a/inventory-example/group_vars/all/archive.yml b/inventory-example/group_vars/all/archive.yml
new file mode 100644
index 0000000..65d8144
--- /dev/null
+++ b/inventory-example/group_vars/all/archive.yml
@@ -0,0 +1,2 @@
+archive_ssh_privkey: '{{ vault_archive_ssh_privkey }}'
+archive_ssh_pubkey: ssh-rsa AAAAAAAAAchangeme
diff --git a/inventory-example/group_vars/all/asterisk.yml b/inventory-example/group_vars/all/asterisk.yml
new file mode 100644
index 0000000..0f4f1b2
--- /dev/null
+++ b/inventory-example/group_vars/all/asterisk.yml
@@ -0,0 +1,105 @@
+asterisk_external_ip: 203.0.113.62 # changeme
+asterisk_fqdn: pbx.example.com # changeme
+asterisk_local_nets:
+ - '{{ vlans.voip.cidr }}'
+
+asterisk_password_salt: '{{ vault_asterisk_password_salt }}'
+
+asterisk_voicemail_contexts: # changeme
+ default:
+ - address: 6000
+ password: 1234
+ name: Doe Family
+ email: doefamily@example.com
+
+asterisk_sip_trunks: '{{ vault_asterisk_sip_trunks }}'
+asterisk_sip_extensions: '{{ vault_asterisk_sip_extensions }}'
+asterisk_ari_users: '{{ vault_asterisk_ari_users }}'
+
+asterisk_queues: # changeme
+ - name: house-phones
+ strategy: ringall
+ retry: 1
+ timeout: 30
+ members:
+ - 6001
+ - 6002
+ - 6003
+
+# changeme - dump your asterisk dialplan into this variable
+asterisk_dialplan: |
+ [globals]
+ AREA_CODE = 555
+
+ ; voicemail
+ VOICEMAIL_NUMBER = *99
+ VOICEMAIL_CONTEXT = default
+ VOICEMAIL_RING_TIMEOUT = 25
+
+ ; extension patterns
+ INTERCOM = 6000
+ HOUSE = _6XXX
+
+ ; Queue for all local home phones
+ HOME_QUEUE = house-phones
+
+ ; All home phones use the same voicemail box.
+ HOME_MAILBOX = 6000
+
+ ; Caller ID for outgoing PSTN calls from the home phone line.
+ HOME_CID = John Doe <+15555555555>
+
+ [gosub-voicemail]
+ ; Dial the given channel, if no answer send to voicemail.
+ ; ${ARG1} - channel to dial
+ ; ${ARG2} - voicemail box
+ exten => s,1,Dial(${ARG1},${VOICEMAIL_RING_TIMEOUT})
+ same => n,Answer(500)
+ same => n,Voicemail(${ARG2},su)
+ same => n,Hangup()
+
+ [gosub-intercom]
+ exten => s,1,Set(PJSIP_HEADER(add,Alert-Info)=auto answer)
+ same => n,Return()
+
+ [subscribe]
+ exten => _XXXX,hint,PJSIP/${EXTEN}
+
+ [internal]
+ ; For INTERCOM, page all participants into 2-way conference
+ exten => ${INTERCOM},1,Set(CALLERID(all)=Intercom <${EXTEN}>
+ same => n,Page(${STRREPLACE(QUEUE_MEMBER_LIST(${HOME_QUEUE}),",","&")},db(gosub-intercom^s^1),10)
+
+ ; For HOME extensions, ring indefinitely.
+ exten => ${HOME},1,Dial(PJSIP/${EXTEN})
+ same => n,Hangup()
+
+ [from-upstream-provider]
+ ; Ring all house phones for incoming PSTN calls, if no answer send to voicemail.
+ exten => _X.,1,Queue(${HOME_QUEUE},nr,,,${VOICEMAIL_RING_TIMEOUT})
+ same => n,Answer(500)
+ same => n,Voicemail(${HOME_MAILBOX}@${VOICEMAIL_CONTEXT},su)
+ same => n,Hangup()
+
+ [from-house-phones]
+ include => internal
+ ; local voicemail access
+ exten => ${VOICEMAIL_NUMBER},1,Answer(500)
+ same => n,VoiceMailMain(${HOME_MAILBOX}@${VOICEMAIL_CONTEXT},s)
+ same => n,Hangup()
+ ; pstn - normalize all outgoing numbers to +1XXXXXXXXXX
+ exten => _+1NXXNXXXXXX,1,Set(CALLERID(all)=${HOME_CID})
+ same => n,Dial(PJSIP/${EXTEN}@upstream-provider)
+ same => n,Hangup()
+ exten => _1NXXNXXXXXX,1,Set(CALLERID(all)=${HOME_CID})
+ same => n,Dial(PJSIP/+${EXTEN}@upstream-provider)
+ same => n,Hangup()
+ exten => _NXXNXXXXXX,1,Set(CALLERID(all)=${HOME_CID})
+ same => n,Dial(PJSIP/+1${EXTEN}@upstream-provider)
+ same => n,Hangup()
+ exten => _NXXXXXX,1,Set(CALLERID(all)=${HOME_CID})
+ same => n,Dial(PJSIP/+1${AREA_CODE}${EXTEN}@upstream-provider)
+ same => n,Hangup()
+ exten => _N11,1,Set(CALLERID(all)=${HOME_CID})
+ same => n,Dial(PJSIP/${EXTEN}@upstream-provider)
+ same => n,Hangup()
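Review bot: In the `[internal]` context the intercom line `exten => ${INTERCOM},1,Set(CALLERID(all)=Intercom <${EXTEN}>` appears to be missing the closing parenthesis of `Set(...)`; Asterisk's dialplan loader may accept this with a warning, but it should read `Set(CALLERID(all)=Intercom <${EXTEN}>)` to match the other `Set(CALLERID(all)=...)` lines in `[from-house-phones]`. Separately, `address: 6000` and `password: 1234` under `asterisk_voicemail_contexts` are parsed by YAML as integers, so a voicemail PIN with a leading zero (e.g. `0123`) would silently lose it; quote them (`password: '1234'`) the way the `regex:` values are quoted elsewhere in this inventory.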
diff --git a/inventory-example/group_vars/all/coturn.yml b/inventory-example/group_vars/all/coturn.yml
new file mode 100644
index 0000000..0af566b
--- /dev/null
+++ b/inventory-example/group_vars/all/coturn.yml
@@ -0,0 +1,3 @@
+coturn_auth_secret: '{{ vault_coturn_auth_secret }}'
+coturn_external_ip: 203.0.113.61 # changeme
+coturn_realm: turn.example.com # changeme
diff --git a/inventory-example/group_vars/all/cups.yml b/inventory-example/group_vars/all/cups.yml
new file mode 100644
index 0000000..11087a1
--- /dev/null
+++ b/inventory-example/group_vars/all/cups.yml
@@ -0,0 +1 @@
+cups_host: cups.{{ domain }}
diff --git a/inventory-example/group_vars/all/firefox.yml b/inventory-example/group_vars/all/firefox.yml
new file mode 100644
index 0000000..5ebc61b
--- /dev/null
+++ b/inventory-example/group_vars/all/firefox.yml
@@ -0,0 +1,73 @@
+# Managed firefox settings go in this file.
+---
+firefox_offer_to_save_logins_default: no
+
+firefox_extensions:
+ - name: ublock-origin
+ id: uBlock0@raymondhill.net
+ mode: force_installed
+ policy:
+ toOverwrite:
+ filterLists:
+ - user-filters
+ - ublock-filters
+ - ublock-badware
+ - ublock-privacy
+ - ublock-abuse
+ - ublock-unbreak
+ - ublock-annoyances
+ - easylist
+ - easyprivacy
+ - urlhaus-1
+ - plowe-0
+ - fanboy-annoyance
+ - fanboy-thirdparty_social
+ - adguard-spyware-url
+ - ublock-quick-fixes
+ toAdd:
+ trustedSiteDirectives:
+ - id.spectrum.net
+ - '{{ domain }}'
+
+ - name: bitwarden-password-manager
+ id: '{446900e4-71c2-419f-a6a7-df9c091e268b}'
+
+ - name: libredirect
+ id: 7esoorv3@alefvanoon.anonaddy.me
+
+firefox_preferences:
+ - name: dom.security.https_only_mode
+ value: true
+ status: locked
+
+firefox_managed_bookmarks:
+ - name: Bitwarden
+ url: 'https://bitwarden.{{ domain }}'
+ - name: Git
+ url: 'https://git.example.com'
+ - name: Invidious
+ url: 'https://invidious.{{ domain }}'
+ - name: Jellyfin
+ url: 'https://jellyfin.{{ domain }}'
+ - name: Nagios
+ url: 'https://nagios.{{ domain }}'
+ - name: Nitter
+ url: 'https://nitter.{{ domain }}'
+ - name: Photostructure
+ url: 'https://photos.{{ domain }}/'
+ - name: Printers
+ url: 'https://cups.{{ domain }}/printers/'
+ - name: Rspamd
+ url: 'https://rspamd.{{ domain }}'
+ - name: Syncthing
+ url: 'https://syncthing.{{ domain }}'
+ - name: Teddit
+ url: 'https://teddit.{{ domain }}'
+ - name: TinyTinyRSS
+ url: 'https://ttrss.{{ domain }}'
+ - name: Unifi
+ url: 'https://unifi.{{ domain }}'
+ - name: Wiki
+ url: 'https://wiki.{{ domain }}'
+ - name: ZNC
+ url: 'https://znc.{{ domain }}'
diff --git a/inventory-example/group_vars/all/freeipa.yml b/inventory-example/group_vars/all/freeipa.yml
new file mode 100644
index 0000000..3501061
--- /dev/null
+++ b/inventory-example/group_vars/all/freeipa.yml
@@ -0,0 +1,144 @@
+# This file contains a bunch of example data for populating your FreeIPA
+# domain with users, groups, sudo rules, etc.
+---
+freeipa_workgroup: ACME
+freeipa_nfs_homedirs: yes
+freeipa_dns_forwarders:
+ - 10.10.12.1
+
+freeipa_users:
+ - name: johndoe
+ givenname: John
+ sn: Doe
+ mail: john@example.com
+ jid: john@example.com
+ mail_aliases:
+ - john.nickname@example.com
+ - john.alias@exmaple.com
+
+ - name: bobbytables
+ givenname: Bobby
+ sn: Tables
+ mail: btables@example.com
+ jid: btables@example.com
+
+ - name: janedoe
+ givenname: Jane
+ sn: Doe
+ mail: jane@example.com
+ jid: jane@example.com
+
+freeipa_groups:
+ # built-in freeipa admin group - be careful!
+ - name: admins
+ append: yes
+ user:
+ - johndoe
+
+ - name: sysadmins
+ mail: sysadmins@example.com
+ mail_aliases:
+ - root@example.com
+ - postmaster@example.com
+ - hostmaster@example.com
+ - webmaster@example.com
+ - abuse@example.com
+ description: System Administrators
+ user:
+ - johndoe
+ - btables
+
+ - name: webmasters
+ user:
+ - johndoe
+
+ - name: doefamily
+ description: Doe Family
+ mail: doefamily@example.com
+ user:
+ - johndoe
+ - janedoe
+
+ - name: role-nagios-access
+ group: sysadmins
+
+ - name: role-bitwarden-admin
+ group: sysadmins
+
+ - name: role-cups-admin
+ group: sysadmins
+
+ - name: role-ttrss-admin
+ group: sysadmins
+
+ - name: role-music-admin
+ group: sysadmins
+ append: yes
+
+ - name: role-rspamd-admin
+ group: sysadmins
+
+ - name: role-imap-access
+ group: doefamily
+
+ - name: role-music-access
+ group: doefamily
+ append: yes
+
+ - name: role-dav-access
+ group: doefamily
+
+ - name: role-linux-desktop-access
+ group: doefamily
+
+ - name: role-ttrss-access
+ group: doefamily
+
+ - name: role-znc-access
+ group: doefamily
+
+ - name: role-wiki-access
+ group: doefamily
+
+ - name: role-wiki-admin
+ group: sysadmins
+
+ - name: role-wifi-access
+ group: doefamily
+
+ - name: role-media-admin
+ group: sysadmins
+
+ - name: role-media-access
+ group: doefamily
+
+ - name: role-photo-admin
+ group: doefamily
+ append: yes
+
+ - name: role-xmpp-access
+ group: doefamily
+
+ - name: role-git-access
+ group: doefamily
+
+ - name: role-git-admin
+ group: sysadmins
+
+freeipa_hbac_rules:
+ - name: sysadmins_ssh_and_console_to_all
+ description: allow sysadmins to ssh to all hosts
+ usergroup: sysadmins
+ hostcategory: all
+ service:
+ - sshd
+ - login
+
+freeipa_sudo_rules:
+ - name: sysadmins_all
+ description: allow sysadmins to run anything as any user
+ cmdcategory: all
+ hostcategory: all
+ runasusercategory: all
+ runasgroupcategory: all
+ usergroup: sysadmins
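Review bot: The `sysadmins` group lists `btables` as a member, but the user defined above is `name: bobbytables` (`btables` is only the mail local part), so depending on how the role applies `freeipa_groups` this either fails or silently leaves the group with a single member; since `sysadmins` is what the all-hosts HBAC rule and the unrestricted sudo rule below are granted to, the entry should be `- bobbytables` (or the user renamed). Also `john.alias@exmaple.com` in the first user's `mail_aliases` has a transposed domain (`exmaple`), the same typo as `mail_host` in all/global.yml.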
diff --git a/inventory-example/group_vars/all/freeradius.yml b/inventory-example/group_vars/all/freeradius.yml
new file mode 100644
index 0000000..8172e44
--- /dev/null
+++ b/inventory-example/group_vars/all/freeradius.yml
@@ -0,0 +1 @@
+freeradius_clients: '{{ vault_freeradius_clients }}'
diff --git a/inventory-example/group_vars/all/git.yml b/inventory-example/group_vars/all/git.yml
new file mode 100644
index 0000000..9975c7e
--- /dev/null
+++ b/inventory-example/group_vars/all/git.yml
@@ -0,0 +1,2 @@
+cgit_logo: ~/Development/assets/cgit/acme-logo.png # changeme (or delete)
+cgit_favicon: ~/Development/assets/cgit/acme-favicon.svg # changeme (or delete)
diff --git a/inventory-example/group_vars/all/global.yml b/inventory-example/group_vars/all/global.yml
new file mode 100644
index 0000000..f4ea98e
--- /dev/null
+++ b/inventory-example/group_vars/all/global.yml
@@ -0,0 +1,105 @@
+# By convention, variables defined in this file are safe to use in all roles.
+#
+# In other words, this should be the only place where you should see variables
+# without a 'rolename_' prefix.
+---
+ansible_python_interpreter: /usr/libexec/platform-python
+
+timezone: America/New_York
+domain: ipa.example.com # changeme
+email_domain: example.com # changeme
+
+organization: ACME, Inc. # changeme
+
+# This variable will be used to configure an SSID with certificate-based auth
+# for any hosts in the linux-laptops group.
+wifi_ssid: acme-wifi
+
+# Hosts in these CIDRs should be capable of kerberos authentication.
+# We use this in many apache configs to determine when to force GSSAPI auth.
+kerberized_cidrs: # changeme
+ - 10.10.12.0/24
+
+backup_path: ~/backups
+
+# Use your external MX hostname so that TLS validation works.
+mail_host: mx1.exmaple.com
+
+imap_host: imap.{{ domain }}
+rspamd_host: rspamd.{{ domain }}
+
+# changeme: specify your vlans here.
+# This dictionary is used to discover which VLAN a host belongs to.
+# The appropriate VLAN object will end up in the `vlan` variable in host_vars.
+vlans:
+ mgmt:
+ id: 11
+ cidr: 10.10.11.0/24
+ gateway: 10.10.11.1
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ ntp_servers: ['10.10.11.1']
+
+ trusted:
+ id: 12
+ cidr: 10.10.12.0/23
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ gateway: 10.10.12.1
+ ntp_servers: ['10.10.12.1']
+
+ voip:
+ id: 14
+ cidr: 10.10.14.0/24
+ gateway: 10.10.14.1
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ ntp_servers: ['10.10.14.1']
+
+ print:
+ id: 15
+ cidr: 10.10.15.0/24
+ gateway: 10.10.15.1
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ ntp_servers: ['10.10.15.1']
+
+ vpn:
+ id: 16
+ cidr: 10.10.16.0/24
+ gateway: 10.10.16.1
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ ntp_servers: ['10.10.16.1']
+
+ dmz:
+ id: 19
+ cidr: 10.10.19.0/24
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ gateway: 10.10.19.1
+ ntp_servers: ['10.10.19.1']
+
+
+# standard freeipa variables
+freeipa_realm: '{{ domain | upper }}'
+freeipa_basedn: "dc={{ domain.split('.') | join(',dc=') }}"
+freeipa_hosts: "{{ groups['freeipa_servers'] | map('regex_replace', '$', '.' ~ domain) }}"
+freeipa_ldap_uri: "{{ groups['freeipa_servers'] | map('regex_replace', '^(.*)$', 'ldap://\\1.' ~ domain) | join(' ') }}"
+freeipa_master: "{{ groups['freeipa_master'][0] }}"
+freeipa_sysaccount_basedn: 'cn=sysaccounts,cn=etc,{{ freeipa_basedn }}'
+freeipa_user_basedn: cn=users,cn=accounts,{{ freeipa_basedn }}
+freeipa_group_basedn: cn=groups,cn=accounts,{{ freeipa_basedn }}
+freeipa_accounts_basedn: cn=accounts,{{ freeipa_basedn }}
+freeipa_service_basedn: cn=services,cn=accounts,{{ freeipa_basedn }}
+freeipa_ds_password: '{{ vault_freeipa_ds_password }}'
+freeipa_admin_password: '{{ vault_freeipa_admin_password }}'
+ipa_host: '{{ freeipa_master }}.{{ domain }}'
+ipa_user: admin
+ipa_pass: '{{ freeipa_admin_password }}'
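Review bot: `mail_host: mx1.exmaple.com` has a transposed domain (`exmaple`); the comment directly above says this must be the external MX hostname so that TLS validation works, so as written the name would not match the real MX certificate (or not resolve at all), and it should be `mail_host: mx1.example.com # changeme` with the marker the other example hostnames carry. Separately, `kerberized_cidrs` lists `10.10.12.0/24` while `vlans.trusted.cidr` is `10.10.12.0/23`, so presumably hosts in 10.10.13.x sit on the trusted VLAN without being forced to GSSAPI auth; if that is intentional a comment would help, otherwise `- '{{ vlans.trusted.cidr }}'` keeps the two in step as the other files do. A minor style point: `gateway` precedes `dns_servers` in most `vlans` entries but follows it in `trusted` and `dmz`.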
diff --git a/inventory-example/group_vars/all/hastebin.yml b/inventory-example/group_vars/all/hastebin.yml
new file mode 100644
index 0000000..d6c6a43
--- /dev/null
+++ b/inventory-example/group_vars/all/hastebin.yml
@@ -0,0 +1,3 @@
+hastebin_upload_cidrs:
+ - '{{ vlans.trusted.cidr }}'
+ - '{{ vlans.vpn.cidr }}'
diff --git a/inventory-example/group_vars/all/invidious.yml b/inventory-example/group_vars/all/invidious.yml
new file mode 100644
index 0000000..31f3cf2
--- /dev/null
+++ b/inventory-example/group_vars/all/invidious.yml
@@ -0,0 +1,4 @@
+invidious_port: 8080
+invidious_db_password: '{{ vault_invidious_db_password }}'
+invidious_hmac_key: '{{ vault_invidious_hmac_key }}'
+invidious_db_user: s-invidious
diff --git a/inventory-example/group_vars/all/jellyfin.yml b/inventory-example/group_vars/all/jellyfin.yml
new file mode 100644
index 0000000..954e498
--- /dev/null
+++ b/inventory-example/group_vars/all/jellyfin.yml
@@ -0,0 +1 @@
+jellyfin_sysaccount_password: '{{ vault_jellyfin_sysaccount_password }}'
diff --git a/inventory-example/group_vars/all/mail.yml b/inventory-example/group_vars/all/mail.yml
new file mode 100644
index 0000000..120ca91
--- /dev/null
+++ b/inventory-example/group_vars/all/mail.yml
@@ -0,0 +1,21 @@
+dovecot_default_user_quota: 20G
+
+# accept mail for these domains:
+postfix_virtual_domains:
+ - example.com
+ - example.net
+
+rspamd_domain_whitelist:
+ - badly.configured.domain.com
+ - dont.mark.mail.from.this.domain.as.spam.com
+
+rspamd_password: '{{ vault_rspamd_password }}'
+rspamd_password_hash: '{{ vault_rspamd_password_hash }}'
+rspamd_dkim_keys: '{{ vault_rspamd_dkim_keys }}'
+
+# generate with `rspamadm keypair`
+rspamd_privkey: '{{ vault_rspamd_privkey }}'
+rspamd_pubkey: AAAAAAAAAAAAAchangeme
+
+rspamd_redis_port: 6379
+rspamd_redis_bayes_port: 6380
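Review bot: `rspamd_password` and `rspamd_password_hash` are both taken from the vault, so the inventory carries the controller password in two forms; if the rspamd role only writes the hash into the controller config, the plaintext copy can be dropped from the vault, and if something else needs the plaintext, a comment naming that consumer would explain why both exist. Also `rspamd_redis_port: 6379` is the same port all/teddit.yml assigns to `teddit_redis_port`, while all/nitter.yml uses 16379; this is fine if those services never share a host, otherwise they will collide.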
diff --git a/inventory-example/group_vars/all/mediawiki.yml b/inventory-example/group_vars/all/mediawiki.yml
new file mode 100644
index 0000000..d54f199
--- /dev/null
+++ b/inventory-example/group_vars/all/mediawiki.yml
@@ -0,0 +1,9 @@
+mediawiki_upgrade_key: '{{ vault_mediawiki_upgrade_key }}'
+mediawiki_secret_key: '{{ vault_mediawiki_secret_key }}'
+mediawiki_admin_password: '{{ vault_mediawiki_admin_password }}'
+
+mediawiki_sysaccount_password: '{{ vault_mediawiki_sysaccount_password }}'
+
+mediawiki_logo_1x: ~/Development/assets/mediawiki/acme-logo.svg # changeme (or delete)
+mediawiki_logo_icon: ~/Development/assets/mediawiki/acme-icon.svg # changeme (or delete)
+mediawiki_favicon: ~/Development/assets/mediawiki/acme-favicon.svg # changeme (or delete)
diff --git a/inventory-example/group_vars/all/nagios.yml b/inventory-example/group_vars/all/nagios.yml
new file mode 100644
index 0000000..84fc7ce
--- /dev/null
+++ b/inventory-example/group_vars/all/nagios.yml
@@ -0,0 +1,90 @@
+nagios_email: sysadmins@example.com
+nagios_ssh_privkey: '{{ vault_nagios_ssh_privkey }}'
+nagios_ssh_pubkey: ssh-ed25519 AAAAAAAAAAAAAAchangeme
+
+nagios_excluded_groups:
+ - linux_laptops
+ - cellphones
+
+nagios_snmp_user: nagios
+nagios_snmp_community: public
+nagios_snmp_priv_proto: AES
+nagios_snmp_auth_proto: SHA
+nagios_snmp_auth_pass: '{{ vault_nagios_snmp_auth_pass }}'
+nagios_snmp_priv_pass: '{{ vault_nagios_snmp_priv_pass }}'
+
+nagios_ping_count: 5
+nagios_ping_rtt_warn: 50.0
+nagios_ping_rtt_crit: 100.0
+nagios_ping_loss_warn: 20%
+nagios_ping_loss_crit: 40%
+
+nagios_temp_warn: 60
+nagios_temp_crit: 70
+
+nagios_power_draw_warn: 50%
+nagios_power_draw_crit: 75%
+
+nagios_load_1m_warn: 1.0
+nagios_load_5m_warn: 0.9
+nagios_load_15m_warn: 0.8
+nagios_load_1m_crit: 2.0
+nagios_load_5m_crit: 1.8
+nagios_load_15m_crit: 1.6
+
+nagios_mem_warn: 80%
+nagios_mem_crit: 90%
+
+nagios_swap_warn: 50%
+nagios_swap_crit: 80%
+
+nagios_interface_bandwidth_warn: 0
+nagios_interface_bandwidth_crit: 0
+nagios_interface_discard_warn: 10
+nagios_interface_discard_crit: 50
+nagios_interface_error_warn: 5
+nagios_interface_error_crit: 20
+
+nagios_interfaces:
+ - regex: ^(?!.*(lo[0-9]*|virbr[0-9]*|tap.*|vmbr.*|lagg[0-9]+_vlan))
+ description: interfaces
+ down_ok: no
+ bandwidth_warn: '{{ nagios_interface_bandwidth_warn }}'
+ bandwidth_crit: '{{ nagios_interface_bandwidth_crit }}'
+ discard_warn: '{{ nagios_interface_discard_warn }}'
+ discard_crit: '{{ nagios_interface_discard_crit }}'
+ error_warn: '{{ nagios_interface_error_warn }}'
+ error_crit: '{{ nagios_interface_error_crit }}'
+
+nagios_disk_warn: 80%
+nagios_disk_crit: 90%
+
+nagios_disks:
+ - regex: ^(/sys|/dev|/run|/rpool|/tank)
+ exclude: yes
+ description: disks
+ warn: '{{ nagios_disk_warn }}'
+ crit: '{{ nagios_disk_crit }}'
+
+nagios_certificate_warn: 28
+nagios_certificate_crit: 14
+
+nagios_smtp_warn: 0.5
+nagios_smtp_crit: 1.0
+nagios_mailq_warn: 5
+nagios_mailq_crit: 20
+
+nagios_imap_warn: 0.5
+nagios_imap_crit: 1.0
+
+nagios_http_warn: 0.5
+nagios_http_crit: 1.0
+
+nagios_check_dns:
+ - name: www.example.com
+ server: 8.8.8.8
+ expect: 203.0.113.42
+
+ - name: mx1.example.com
+ server: 8.8.8.8
+ expect: 203.0.113.43
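Review bot: `nagios_snmp_community: public` is the well-known default SNMPv2c read community and, unlike the other credentials in this file, is neither vaulted nor marked `# changeme`; if any host is polled with v2c rather than the v3 user configured next to it, anyone on that network segment can read the same data. Move it to the vault (e.g. `nagios_snmp_community: '{{ vault_nagios_snmp_community }}'`) or at least add the `# changeme` marker. The `regex:` values under `nagios_interfaces` and `nagios_disks` are left unquoted while access_points/vars.yml quotes them; they parse fine today, but quoting keeps them safe if a future pattern starts with a YAML indicator such as `[`. The interface regex's negative lookahead also excludes any name merely containing `lo` (e.g. a hypothetical `cloud0`), which may be broader than intended.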
diff --git a/inventory-example/group_vars/all/nfs.yml b/inventory-example/group_vars/all/nfs.yml
new file mode 100644
index 0000000..713b5d3
--- /dev/null
+++ b/inventory-example/group_vars/all/nfs.yml
@@ -0,0 +1,11 @@
+nfs_homedir_options: rw,crossmnt
+
+# These clients will be added to the export list for NFS home directories.
+nfs_homedir_clients:
+ - client: '{{ vlans.trusted.cidr }}'
+ options: sec=krb5p
+
+ # We can't use kerberos for Syncthing, because the Syncthing daemons have
+ # to impersonate each user, and I don't feel like shuffling keytabs around.
+ - client: syncthing1
+ options: sec=sys
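Review bot: The second `nfs_homedir_clients` entry exports home directories with `sec=sys` to `syncthing1`, and with `sec=sys` the server trusts whatever UID the client presents, so the export's safety rests entirely on that client spec matching only the Syncthing host; NFS servers typically match a bare hostname through DNS resolution, so consider the host's IP address (or FQDN) so a DNS change cannot widen the export. Also `nfs_homedir_options: rw,crossmnt` does not show `root_squash`; if the role does not add it, root on syncthing1 becomes root on every home directory, so it would be worth stating the effective export options in the comment above.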
diff --git a/inventory-example/group_vars/all/nitter.yml b/inventory-example/group_vars/all/nitter.yml
new file mode 100644
index 0000000..3d13f76
--- /dev/null
+++ b/inventory-example/group_vars/all/nitter.yml
@@ -0,0 +1,3 @@
+nitter_port: 8082
+nitter_redis_port: 16379
+nitter_hmac_key: '{{ vault_nitter_hmac_key }}'
diff --git a/inventory-example/group_vars/all/nsd.yml b/inventory-example/group_vars/all/nsd.yml
new file mode 100644
index 0000000..ff1afe6
--- /dev/null
+++ b/inventory-example/group_vars/all/nsd.yml
@@ -0,0 +1,54 @@
+# Put the desired contents of any zone files in nsd_zones.
+#
+# I only recommend self-hosting DNS if you're farming out your *real* query
+# traffic to a secondary DNS provider.
+---
+nsd_zones:
+ - name: example.com
+ slave_nameservers:
+ - 203.0.113.50
+ - 203.0.113.51
+ ttl: 3600
+ content: |
+ @ IN NS ns1.example.com.
+ @ IN NS ns2.example.com.
+ ns1 IN A 203.0.113.52
+ ns1 IN AAAA 2001:db8::2
+ ns2 IN A 203.0.113.53
+ ns2 IN AAAA 2001:db8::3
+
+ @ IN CAA 0 issue "letsencrypt.org"
+
+ ; mail
+ @ IN MX 10 mx1.example.com.
+ @ IN TXT "v=spf1 mx -all"
+ dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "
+ "p=AAAAAAAAAAAAAAAAchangeme"
+ "AAAAAAAAAAAAAAAAAAchangeme"
+ ) ;
+ _dmarc IN TXT "v=DMARC1; p=reject; ruf=mailto:postmaster@example.com"
+
+ @ IN A 203.0.113.54
+ mx1 IN A 203.0.113.55
+ www1 IN A 203.0.113.56
+ xmpp1 IN A 203.0.113.57
+ turn1 IN A 203.0.113.58
+ pbx1 IN A 203.0.113.59
+ www IN CNAME www1
+ xmpp IN CNAME xmpp1
+ conference IN CNAME xmpp1
+ turn IN CNAME turn1
+ pbx IN CNAME pbx1
+
+ _xmpp-client._tcp IN SRV 0 5 5222 xmpp1
+ _xmpp-server._tcp IN SRV 0 5 5269 xmpp1
+ _xmpp-server._tcp.conference IN SRV 0 5 5269 xmpp1
+
+ _stun._tcp IN SRV 0 5 3478 turn1
+ _stun._udp IN SRV 0 5 3478 turn1
+ _turn._tcp IN SRV 0 5 3478 turn1
+ _turn._udp IN SRV 0 5 3478 turn1
+
+ _sip._udp IN SRV 0 5 5060 pbx1
+ _sip._tcp IN SRV 0 5 5060 pbx1
+ _sip._tls IN SRV 0 5 5061 pbx1
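Review bot: The `_dmarc` record sets `p=reject` but carries only a `ruf=` (forensic) address; most receivers never send forensic reports, while aggregate reports are what shows which mail is failing under a reject policy, so add `rua=mailto:postmaster@example.com;` to the TXT. A smaller consistency point: `slave_nameservers` lists 203.0.113.50 and .51 but `ns1`/`ns2` resolve to .52/.53, so if ns1/ns2 are meant to be the secondaries that answer public queries, their A records should match those addresses; presumably just example data, but a comment would stop the mismatch being copied.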
diff --git a/inventory-example/group_vars/all/packages.yml b/inventory-example/group_vars/all/packages.yml
new file mode 100644
index 0000000..2883e64
--- /dev/null
+++ b/inventory-example/group_vars/all/packages.yml
@@ -0,0 +1,4 @@
+packages_install:
+ - man
+ - less
+ - tmux
diff --git a/inventory-example/group_vars/all/photostructure.yml b/inventory-example/group_vars/all/photostructure.yml
new file mode 100644
index 0000000..6f7963e
--- /dev/null
+++ b/inventory-example/group_vars/all/photostructure.yml
@@ -0,0 +1,3 @@
+photostructure_access_group: role-photo-admin
+photostructure_scan_paths:
+ - /nfs/media/pictures
diff --git a/inventory-example/group_vars/all/polkit.yml b/inventory-example/group_vars/all/polkit.yml
new file mode 100644
index 0000000..fed46cc
--- /dev/null
+++ b/inventory-example/group_vars/all/polkit.yml
@@ -0,0 +1 @@
+polkit_admin_group: sysadmins
diff --git a/inventory-example/group_vars/all/postgres.yml b/inventory-example/group_vars/all/postgres.yml
new file mode 100644
index 0000000..be90568
--- /dev/null
+++ b/inventory-example/group_vars/all/postgres.yml
@@ -0,0 +1,4 @@
+postgresql_host: postgres.{{ domain }}
+postgresql_inventory_host: "{{ postgresql_host.split('.')[0] }}"
+postgresql_password_users:
+ - '{{ invidious_db_user }}'
diff --git a/inventory-example/group_vars/all/prosody.yml b/inventory-example/group_vars/all/prosody.yml
new file mode 100644
index 0000000..b317a96
--- /dev/null
+++ b/inventory-example/group_vars/all/prosody.yml
@@ -0,0 +1,16 @@
+prosody_http_host: xmpp.example.com # changeme
+prosody_sysaccount_password: '{{ vault_prosody_sysaccount_password }}'
+prosody_vhosts: # changeme - your jabber domain(s)
+ - example.com
+
+# XMPP clients expect a certificate matching the domain of the given JID.
+# Unfortunately, this situation only works for LetsEncrypt if you run your XMPP
+# server on the same host as your webserver (or if you use the ACME DNS
+# challenge).
+#
+# Check out the prosody_letsencrypt_proxy role for how we get around this.
+# Basically, just specify the hostname of your public webserver here, along with
+# and ssh keypair.
+prosody_le_proxy_host: dmz-www1
+prosody_le_ssh_privkey: '{{ vault_prosody_le_ssh_privkey }}'
+prosody_le_ssh_pubkey: ssh-ed25519 AAAAAAAchangeme
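Review bot: The comment above `prosody_le_proxy_host` reads "along with and ssh keypair", which should be "along with an ssh keypair". Since this keypair lets the XMPP host ssh into the public webserver in the DMZ, the same comment should also state what the key is permitted to do on `dmz-www1` (for instance whether the role installs it restricted to fetching the certificate), because a reader of this file cannot tell how much access the `vault_prosody_le_ssh_privkey` grants.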
diff --git a/inventory-example/group_vars/all/proxmox.yml b/inventory-example/group_vars/all/proxmox.yml
new file mode 100644
index 0000000..44cb9a1
--- /dev/null
+++ b/inventory-example/group_vars/all/proxmox.yml
@@ -0,0 +1,7 @@
+# These settings are used when provisioning new proxmox VMs.
+---
+proxmox_api_host: '{{ groups["proxmox_hypervisors"] | first }}'
+proxmox_api_user: ansible@pam
+proxmox_api_password: '{{ vault_proxmox_api_password }}'
+proxmox_node: '{{ proxmox_api_host }}'
+proxmox_password_salt: '{{ vault_proxmox_password_salt }}'
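Review bot: `proxmox_api_user: ansible@pam` ties the automation identity to a local Linux account on the hypervisor and to a password; a dedicated user in the `pve` realm (or an API token) with a role limited to VM provisioning is easier to scope and rotate, and the header comment should say which one is expected so a reader knows what `vault_proxmox_api_password` unlocks. If the playbooks genuinely need a PAM account, a comment such as `# ansible@pam is required because ...` would still help.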
diff --git a/inventory-example/group_vars/all/psitransfer.yml b/inventory-example/group_vars/all/psitransfer.yml
new file mode 100644
index 0000000..eb61ea9
--- /dev/null
+++ b/inventory-example/group_vars/all/psitransfer.yml
@@ -0,0 +1,7 @@
+psitransfer_upload_cidrs:
+ - '{{ vlans.trusted.cidr }}'
+ - '{{ vlans.vpn.cidr }}'
+psitransfer_admin_cidrs:
+ - '{{ vlans.trusted.cidr }}'
+ - '{{ vlans.vpn.cidr }}'
+psitransfer_admin_password: '{{ vault_psitransfer_admin_password }}'
diff --git a/inventory-example/group_vars/all/root.yml b/inventory-example/group_vars/all/root.yml
new file mode 100644
index 0000000..bd86f96
--- /dev/null
+++ b/inventory-example/group_vars/all/root.yml
@@ -0,0 +1,6 @@
+root_authorized_keys:
+ - ssh-ed25519 AAAAAAAchangeme
+ - ssh-ed25519 AAAAAAAchangeme
+
+root_password: '{{ vault_root_password }}'
+root_password_salt: '{{ vault_root_password_salt }}'
diff --git a/inventory-example/group_vars/all/sudo.yml b/inventory-example/group_vars/all/sudo.yml
new file mode 100644
index 0000000..f6e93db
--- /dev/null
+++ b/inventory-example/group_vars/all/sudo.yml
@@ -0,0 +1,2 @@
+sudo_email: yes
+sudo_mailto: sysadmins@example.com
diff --git a/inventory-example/group_vars/all/syncthing.yml b/inventory-example/group_vars/all/syncthing.yml
new file mode 100644
index 0000000..ac3257f
--- /dev/null
+++ b/inventory-example/group_vars/all/syncthing.yml
@@ -0,0 +1,6 @@
+# Each user with a dedicated syncthing instance must have his or her own unique
+# port number for the sync traffic.
+---
+syncthing_users:
+ johndoe: 22001
+ janedoe: 22002
diff --git a/inventory-example/group_vars/all/syslog.yml b/inventory-example/group_vars/all/syslog.yml
new file mode 100644
index 0000000..390c157
--- /dev/null
+++ b/inventory-example/group_vars/all/syslog.yml
@@ -0,0 +1,2 @@
+syslog_host: syslog.{{ domain }}
+syslog_host_ip: "{{ hostvars[groups['syslog_servers'] | sort | first].ip }}"
diff --git a/inventory-example/group_vars/all/teddit.yml b/inventory-example/group_vars/all/teddit.yml
new file mode 100644
index 0000000..269bb27
--- /dev/null
+++ b/inventory-example/group_vars/all/teddit.yml
@@ -0,0 +1,3 @@
+teddit_port: 8081
+teddit_redis_port: 6379
+teddit_reddit_app_id: '{{ vault_teddit_reddit_app_id }}'
diff --git a/inventory-example/group_vars/all/vault.yml b/inventory-example/group_vars/all/vault.yml
new file mode 100644
index 0000000..c3e29c5
--- /dev/null
+++ b/inventory-example/group_vars/all/vault.yml
@@ -0,0 +1,124 @@
+# This is a sample file with fake secrets. For a real deployment, encrypt this
+# file with `ansible-vault encrypt` and add your own secrets.
+---
+# apache
+vault_apache_sysaccount_password: changeme
+
+
+# archiver
+vault_archive_ssh_privkey: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ AAAAAAAAAAAAchangeme
+ -----END OPENSSH PRIVATE KEY-----
+
+
+# asterisk
+vault_asterisk_ari_users:
+ - name: nagios
+ readonly: yes
+ password: changeme
+
+vault_asterisk_password_salt: changeme
+
+vault_asterisk_sip_extensions:
+ - name: 6001
+ context: house-phones
+ mailbox: 6000@default
+ cid_name: Living Room
+ password: changeme
+
+ - name: 6002
+ context: house-phones
+ mailbox: 6000@default
+ cid_name: Kitchen
+ password: changeme
+
+vault_asterisk_sip_trunks:
+ - name: upstream-provider
+ host: 'sip.example.com:5060'
+ username: changeme
+ password: changeme
+
+
+# coturn
+vault_coturn_auth_secret: changeme
+
+
+# freeipa
+vault_freeipa_admin_password: changeme
+vault_freeipa_ds_password: changeme
+
+
+# freeradius
+vault_freeradius_clients:
+ - name: unifi
+ address: '{{ vlans.mgmt.cidr }}'
+ secret: changeme
+
+
+# invidious
+vault_invidious_db_password: changeme
+vault_invidious_hmac_key: changeme
+
+
+# jellyfin
+vault_jellyfin_sysaccount_password: changeme
+
+
+# mediawiki
+vault_mediawiki_admin_password: changeme
+vault_mediawiki_upgrade_key: changeme
+vault_mediawiki_secret_key: changeme
+vault_mediawiki_sysaccount_password: changeme
+
+
+# nagios
+vault_nagios_snmp_auth_pass: changeme
+vault_nagios_snmp_priv_pass: changeme
+vault_nagios_ssh_privkey: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ AAAAAAAAAAAAAAAAchangeme
+ -----END OPENSSH PRIVATE KEY-----
+
+
+# nitter
+vault_nitter_hmac_key: changeme
+
+
+# prosody
+vault_prosody_le_ssh_privkey: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ AAAAAAAAAAAAAAAAchangeme
+ -----END OPENSSH PRIVATE KEY-----
+vault_prosody_sysaccount_password: changeme
+
+
+# proxmox
+vault_proxmox_api_password: changeme
+vault_proxmox_password_salt: changeme
+
+
+# psitransfer
+vault_psitransfer_admin_password: changeme
+
+
+# root user
+vault_root_password_salt: changeme
+vault_root_password: changeme
+
+
+# rspamd
+vault_rspamd_password: changeme
+vault_rspamd_password_hash: $2$changeme # generate with `rspamadm pw`
+vault_rspamd_privkey: changeme # generate with `rspamadm keypair`
+vault_rspamd_dkim_keys: # generate with `rspamadm dkim_keygen`
+ example.com: |
+ -----BEGIN RSA PRIVATE KEY-----
+ AAAAAAAAAAAAAAAAchangeme
+ -----END RSA PRIVATE KEY-----
+
+# teddit
+vault_teddit_reddit_app_id: changeme
+
+# vaultwarden
+vault_vaultwarden_admin_token: changeme # generate with `openssl rand -base64 48`
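Review bot: The header comment relies entirely on the operator remembering to run `ansible-vault encrypt` before committing real values, and nothing in the layout distinguishes this plaintext sample from an encrypted one, so a real `vault.yml` with identical structure can be committed in the clear. A lightweight guard is a pre-commit or CI step that fails when any `vault.yml` under the real inventory does not start with the vault header, e.g. `git ls-files 'inventory/**/vault.yml' | xargs grep -L '^\$ANSIBLE_VAULT;'` printing anything; mentioning that check in the header comment would help too. Separately, because this file sits in `group_vars/all`, every secret in it (SIP trunk credentials, DKIM and SSH private keys, the Proxmox API password) is in scope for every host's plays, so a stray `debug: var=` or a compromised host-specific playbook can reach all of them; moving per-service secrets into the group that consumes them, or using separate vault IDs, narrows that exposure. The `vault_freeradius_clients` entry also shares one RADIUS secret across the whole `vlans.mgmt.cidr` range, which is worth a comment explaining why per-device clients were not used.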
diff --git a/inventory-example/group_vars/all/vaultwarden.yml b/inventory-example/group_vars/all/vaultwarden.yml
new file mode 100644
index 0000000..71637f7
--- /dev/null
+++ b/inventory-example/group_vars/all/vaultwarden.yml
@@ -0,0 +1 @@
+vaultwarden_admin_token: '{{ vault_vaultwarden_admin_token }}'
diff --git a/inventory-example/group_vars/all/wireguard.yml b/inventory-example/group_vars/all/wireguard.yml
new file mode 100644
index 0000000..1c0a33c
--- /dev/null
+++ b/inventory-example/group_vars/all/wireguard.yml
@@ -0,0 +1,2 @@
+wireguard_host: 203.0.113.41 # your external VPN IP - changeme
+wireguard_pubkey: AAAAAAAAAAchangeme
diff --git a/inventory-example/group_vars/all/yum.yml b/inventory-example/group_vars/all/yum.yml
new file mode 100644
index 0000000..6cbfae5
--- /dev/null
+++ b/inventory-example/group_vars/all/yum.yml
@@ -0,0 +1 @@
+yum_host: yum.{{ domain }}
diff --git a/inventory-example/group_vars/dav_servers.yml b/inventory-example/group_vars/dav_servers.yml
new file mode 100644
index 0000000..239067a
--- /dev/null
+++ b/inventory-example/group_vars/dav_servers.yml
@@ -0,0 +1,6 @@
+apache_can_sendmail: yes
+apache_can_network_connect_db: yes
+apache_can_connect_ldap: yes
+apache_gssapi: yes
+
+nagios_http_status: 401
diff --git a/inventory-example/group_vars/dmz.yml b/inventory-example/group_vars/dmz.yml
new file mode 100644
index 0000000..ba0b0c9
--- /dev/null
+++ b/inventory-example/group_vars/dmz.yml
@@ -0,0 +1 @@
+freeipa_autofs: no
diff --git a/inventory-example/group_vars/el8.yml b/inventory-example/group_vars/el8.yml
new file mode 100644
index 0000000..1aedd96
--- /dev/null
+++ b/inventory-example/group_vars/el8.yml
@@ -0,0 +1,3 @@
+# Force legacy BIOS for Rocky 8 VMs - UEFI doesn't seem to work.
+proxmox_template: rocky8.7
+proxmox_bios: seabios
diff --git a/inventory-example/group_vars/freeipa_master.yml b/inventory-example/group_vars/freeipa_master.yml
new file mode 100644
index 0000000..fbaa5b2
--- /dev/null
+++ b/inventory-example/group_vars/freeipa_master.yml
@@ -0,0 +1,6 @@
+# The initial FreeIPA installation requires an upstream DNS server to bootstrap itself.
+proxmox_nameservers: '{{ freeipa_dns_forwarders }}'
+
+# Update the FreeIPA master every *other* day. If there's a botched automatic
+# update, we don't want to take the entire domain down overnight.
+dnf_automatic_on_calendar: '*-*-1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31 04:00:00'
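Review bot: The odd-day list on the last line does not quite deliver "every *other* day": in 31-day months the 31st is followed immediately by the 1st, so the master updates on two consecutive nights several times a year, and no replica schedule is visible in this diff to confirm it occupies the complementary days. If the real intent is only that master and replicas never update on the same night, the comment should say so rather than promise alternation, e.g. `# Odd days of the month (31st and 1st are back-to-back); replicas must use the even-day set.` A weekly cadence such as `Mon,Wed,Fri *-*-* 04:00:00` with replicas on the remaining days avoids the month-boundary quirk altogether.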
diff --git a/inventory-example/group_vars/git_servers.yml b/inventory-example/group_vars/git_servers.yml
new file mode 100644
index 0000000..5f975fc
--- /dev/null
+++ b/inventory-example/group_vars/git_servers.yml
@@ -0,0 +1 @@
+apache_gssapi: yes
diff --git a/inventory-example/group_vars/linux_desktops.yml b/inventory-example/group_vars/linux_desktops.yml
new file mode 100644
index 0000000..af4775a
--- /dev/null
+++ b/inventory-example/group_vars/linux_desktops.yml
@@ -0,0 +1 @@
+tuned_profile: desktop
diff --git a/inventory-example/group_vars/linux_laptops.yml b/inventory-example/group_vars/linux_laptops.yml
new file mode 100644
index 0000000..428c40b
--- /dev/null
+++ b/inventory-example/group_vars/linux_laptops.yml
@@ -0,0 +1,2 @@
+tuned_profile: powersave
+rsyslog_forward: no
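Review bot: `rsyslog_forward: no` switches off log forwarding for laptops without saying why, so a reader cannot tell whether this is a deliberate trade-off (roaming hosts cannot reach the internal syslog server) or an oversight that leaves mobile endpoints out of central logging. A one-line comment such as `# Laptops roam off-network and cannot reach syslog_host; logs stay local (consider forwarding over the VPN)` records the reasoning and the resulting visibility gap.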
diff --git a/inventory-example/group_vars/nagios_servers.yml b/inventory-example/group_vars/nagios_servers.yml
new file mode 100644
index 0000000..5f975fc
--- /dev/null
+++ b/inventory-example/group_vars/nagios_servers.yml
@@ -0,0 +1 @@
+apache_gssapi: yes
diff --git a/inventory-example/group_vars/nfs_servers.yml b/inventory-example/group_vars/nfs_servers.yml
new file mode 100644
index 0000000..59135b8
--- /dev/null
+++ b/inventory-example/group_vars/nfs_servers.yml
@@ -0,0 +1,10 @@
+dnf_automatic_restart: no
+
+nagios_disks:
+ - regex: ^(/sys|/dev|/run|/rpool|/tank)
+ exclude: yes
+ description: disks
+
+ - regex: ^/tank
+ description: zfs
+ terse: yes
diff --git a/inventory-example/group_vars/opnsense_firewalls.yml b/inventory-example/group_vars/opnsense_firewalls.yml
new file mode 100644
index 0000000..8a4ac7b
--- /dev/null
+++ b/inventory-example/group_vars/opnsense_firewalls.yml
@@ -0,0 +1,7 @@
+ansible_python_interpreter: /usr/local/bin/python3
+
+# If you want OPNsense to serve PXE, you need the following plugins:
+# - os-tftp
+# - os-nginx
+pxe_root: /usr/local/tftp
+pxe_http_port: 8080
diff --git a/inventory-example/group_vars/photostructure_servers.yml b/inventory-example/group_vars/photostructure_servers.yml
new file mode 100644
index 0000000..a5542b4
--- /dev/null
+++ b/inventory-example/group_vars/photostructure_servers.yml
@@ -0,0 +1,2 @@
+apache_gssapi: yes
+nagios_http_status: 401
diff --git a/inventory-example/group_vars/proxmox_hypervisors.yml b/inventory-example/group_vars/proxmox_hypervisors.yml
new file mode 100644
index 0000000..f1a3ed4
--- /dev/null
+++ b/inventory-example/group_vars/proxmox_hypervisors.yml
@@ -0,0 +1 @@
+ansible_python_interpreter: /usr/bin/python3
diff --git a/inventory-example/group_vars/proxmox_instances.yml b/inventory-example/group_vars/proxmox_instances.yml
new file mode 100644
index 0000000..e6e7eab
--- /dev/null
+++ b/inventory-example/group_vars/proxmox_instances.yml
@@ -0,0 +1,2 @@
+tuned_profile: virtual-guest
+grub_cmdline: console=ttyS0,115200n8 no_timer_check net.ifnames=0
diff --git a/inventory-example/group_vars/rspamd_servers.yml b/inventory-example/group_vars/rspamd_servers.yml
new file mode 100644
index 0000000..54e8be4
--- /dev/null
+++ b/inventory-example/group_vars/rspamd_servers.yml
@@ -0,0 +1,2 @@
+nagios_http_status: 401
+apache_gssapi: yes
diff --git a/inventory-example/group_vars/switches/vars.yml b/inventory-example/group_vars/switches/vars.yml
new file mode 100644
index 0000000..8892a35
--- /dev/null
+++ b/inventory-example/group_vars/switches/vars.yml
@@ -0,0 +1,6 @@
+nagios_snmp_priv_proto: DES
+nagios_snmp_priv_pass: '{{ vault_nagios_snmp_priv_pass }}'
+nagios_snmp_auth_pass: '{{ vault_nagios_snmp_auth_pass }}'
+
+nagios_interface_discard_warn: 1000
+nagios_interface_discard_crit: 2000
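Review bot: `nagios_snmp_priv_proto: DES` on the first line selects 56-bit DES for SNMPv3 privacy, the weakest option the protocol offers; if the switches support it, `nagios_snmp_priv_proto: AES` should be the default and DES kept only as a documented exception, e.g. `# DES only because <switch model> lacks AES support`. No auth protocol is set in this file, so the role's default (not visible in this diff) decides between MD5 and SHA; pinning it here next to the priv protocol keeps the strength of the monitoring credentials reviewable in one place.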
diff --git a/inventory-example/group_vars/switches/vault.yml b/inventory-example/group_vars/switches/vault.yml
new file mode 100644
index 0000000..2015d5f
--- /dev/null
+++ b/inventory-example/group_vars/switches/vault.yml
@@ -0,0 +1,5 @@
+# This is a sample file with fake secrets. For a real deployment, encrypt this
+# file with `ansible-vault encrypt` and add your own secrets.
+---
+vault_nagios_snmp_priv_pass: changeme
+vault_nagios_snmp_auth_pass: changeme
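Review bot: `vault_nagios_snmp_priv_pass` and `vault_nagios_snmp_auth_pass` are also defined in `group_vars/all/vault.yml` earlier in this commit, and Ansible group precedence means this `switches` copy silently overrides the `all` copy, so rotating the secret in one file and not the other leaves a stale value behind that still looks live. Keep a single definition — the `switches` group is the only consumer visible here, so dropping the two keys from `group_vars/all/vault.yml` seems right — or add `# overrides the same keys in group_vars/all/vault.yml` so the layering is explicit.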
diff --git a/inventory-example/group_vars/syncthing_servers.yml b/inventory-example/group_vars/syncthing_servers.yml
new file mode 100644
index 0000000..5f975fc
--- /dev/null
+++ b/inventory-example/group_vars/syncthing_servers.yml
@@ -0,0 +1 @@
+apache_gssapi: yes
diff --git a/inventory-example/group_vars/ttrss_servers.yml b/inventory-example/group_vars/ttrss_servers.yml
new file mode 100644
index 0000000..fc33f6a
--- /dev/null
+++ b/inventory-example/group_vars/ttrss_servers.yml
@@ -0,0 +1,5 @@
+apache_gssapi: yes
+apache_can_sendmail: yes
+apache_can_network_connect_db: yes
+apache_can_network_connect: yes
+apache_can_connect_ldap: yes
diff --git a/inventory-example/group_vars/unifi_controllers.yml b/inventory-example/group_vars/unifi_controllers.yml
new file mode 100644
index 0000000..d3a5574
--- /dev/null
+++ b/inventory-example/group_vars/unifi_controllers.yml
@@ -0,0 +1,3 @@
+nagios_interface_discard_warn: 500
+nagios_interface_discard_crit: 1000
+freeipa_autofs: no
diff --git a/inventory-example/group_vars/wiki_servers.yml b/inventory-example/group_vars/wiki_servers.yml
new file mode 100644
index 0000000..527d9ef
--- /dev/null
+++ b/inventory-example/group_vars/wiki_servers.yml
@@ -0,0 +1,7 @@
+apache_gssapi: yes
+apache_can_sendmail: yes
+apache_can_network_connect_db: yes
+apache_can_connect_ldap: yes
+apache_can_network_connect: yes
+
+nagios_http_status: 401
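Review bot: `apache_can_network_connect: yes` grants Apache unrestricted outbound network access, which makes the narrower `apache_can_network_connect_db` and `apache_can_connect_ldap` set just above it redundant; presumably these map onto the SELinux `httpd_can_network_connect*` booleans, though the role is not in this diff. If MediaWiki genuinely needs arbitrary outbound connections (external image fetching, extensions), a comment such as `# needed for MediaWiki's outbound HTTP fetches; supersedes the *_db/ldap booleans above` documents the decision; otherwise drop the blanket boolean and keep the targeted ones. `ttrss_servers.yml` in this commit repeats the same pattern and deserves the same justification.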
diff --git a/inventory-example/group_vars/xmpp_servers.yml b/inventory-example/group_vars/xmpp_servers.yml
new file mode 100644
index 0000000..dd6b7b4
--- /dev/null
+++ b/inventory-example/group_vars/xmpp_servers.yml
@@ -0,0 +1 @@
+nagios_https_vhosts: ['{{ prosody_http_host | default(ansible_fqdn) }}']