authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /inventory-example
initial commit
Diffstat (limited to 'inventory-example')
-rw-r--r--inventory-example/10-hosts65
-rw-r--r--inventory-example/20-by-hostname.yml43
-rw-r--r--inventory-example/30-constructed.yml15
-rw-r--r--inventory-example/40-groups62
-rw-r--r--inventory-example/group_vars/access_points/vars.yml12
-rw-r--r--inventory-example/group_vars/access_points/vault.yml6
-rw-r--r--inventory-example/group_vars/all/apache.yml1
-rw-r--r--inventory-example/group_vars/all/archive.yml2
-rw-r--r--inventory-example/group_vars/all/asterisk.yml105
-rw-r--r--inventory-example/group_vars/all/coturn.yml3
-rw-r--r--inventory-example/group_vars/all/cups.yml1
-rw-r--r--inventory-example/group_vars/all/firefox.yml73
-rw-r--r--inventory-example/group_vars/all/freeipa.yml144
-rw-r--r--inventory-example/group_vars/all/freeradius.yml1
-rw-r--r--inventory-example/group_vars/all/git.yml2
-rw-r--r--inventory-example/group_vars/all/global.yml105
-rw-r--r--inventory-example/group_vars/all/hastebin.yml3
-rw-r--r--inventory-example/group_vars/all/invidious.yml4
-rw-r--r--inventory-example/group_vars/all/jellyfin.yml1
-rw-r--r--inventory-example/group_vars/all/mail.yml21
-rw-r--r--inventory-example/group_vars/all/mediawiki.yml9
-rw-r--r--inventory-example/group_vars/all/nagios.yml90
-rw-r--r--inventory-example/group_vars/all/nfs.yml11
-rw-r--r--inventory-example/group_vars/all/nitter.yml3
-rw-r--r--inventory-example/group_vars/all/nsd.yml54
-rw-r--r--inventory-example/group_vars/all/packages.yml4
-rw-r--r--inventory-example/group_vars/all/photostructure.yml3
-rw-r--r--inventory-example/group_vars/all/polkit.yml1
-rw-r--r--inventory-example/group_vars/all/postgres.yml4
-rw-r--r--inventory-example/group_vars/all/prosody.yml16
-rw-r--r--inventory-example/group_vars/all/proxmox.yml7
-rw-r--r--inventory-example/group_vars/all/psitransfer.yml7
-rw-r--r--inventory-example/group_vars/all/root.yml6
-rw-r--r--inventory-example/group_vars/all/sudo.yml2
-rw-r--r--inventory-example/group_vars/all/syncthing.yml6
-rw-r--r--inventory-example/group_vars/all/syslog.yml2
-rw-r--r--inventory-example/group_vars/all/teddit.yml3
-rw-r--r--inventory-example/group_vars/all/vault.yml124
-rw-r--r--inventory-example/group_vars/all/vaultwarden.yml1
-rw-r--r--inventory-example/group_vars/all/wireguard.yml2
-rw-r--r--inventory-example/group_vars/all/yum.yml1
-rw-r--r--inventory-example/group_vars/dav_servers.yml6
-rw-r--r--inventory-example/group_vars/dmz.yml1
-rw-r--r--inventory-example/group_vars/el8.yml3
-rw-r--r--inventory-example/group_vars/freeipa_master.yml6
-rw-r--r--inventory-example/group_vars/git_servers.yml1
-rw-r--r--inventory-example/group_vars/linux_desktops.yml1
-rw-r--r--inventory-example/group_vars/linux_laptops.yml2
-rw-r--r--inventory-example/group_vars/nagios_servers.yml1
-rw-r--r--inventory-example/group_vars/nfs_servers.yml10
-rw-r--r--inventory-example/group_vars/opnsense_firewalls.yml7
-rw-r--r--inventory-example/group_vars/photostructure_servers.yml2
-rw-r--r--inventory-example/group_vars/proxmox_hypervisors.yml1
-rw-r--r--inventory-example/group_vars/proxmox_instances.yml2
-rw-r--r--inventory-example/group_vars/rspamd_servers.yml2
-rw-r--r--inventory-example/group_vars/switches/vars.yml6
-rw-r--r--inventory-example/group_vars/switches/vault.yml5
-rw-r--r--inventory-example/group_vars/syncthing_servers.yml1
-rw-r--r--inventory-example/group_vars/ttrss_servers.yml5
-rw-r--r--inventory-example/group_vars/unifi_controllers.yml3
-rw-r--r--inventory-example/group_vars/wiki_servers.yml7
-rw-r--r--inventory-example/group_vars/xmpp_servers.yml1
-rw-r--r--inventory-example/host_vars/bitwarden1.yml1
-rw-r--r--inventory-example/host_vars/dmz-git1.yml21
-rw-r--r--inventory-example/host_vars/dmz-mx1.yml1
-rw-r--r--inventory-example/host_vars/dmz-www1.yml9
-rw-r--r--inventory-example/host_vars/nas1.yml128
-rw-r--r--inventory-example/host_vars/opnsense1/vars.yml8
-rw-r--r--inventory-example/host_vars/opnsense1/vault.yml6
-rw-r--r--inventory-example/host_vars/privbrowse1.yml8
-rw-r--r--inventory-example/host_vars/switch1/vars.yml15
-rw-r--r--inventory-example/host_vars/switch1/vault.yml4
-rw-r--r--inventory-example/host_vars/ttrss1.yml1
-rw-r--r--inventory-example/host_vars/tuxbook1.yml1
-rw-r--r--inventory-example/host_vars/tuxstation1.yml5
-rw-r--r--inventory-example/host_vars/tuxstation2.yml8
-rw-r--r--inventory-example/host_vars/wiki1.yml1
-rw-r--r--inventory-example/host_vars/www1.yml1
78 files changed, 1316 insertions, 0 deletions
diff --git a/inventory-example/10-hosts b/inventory-example/10-hosts
new file mode 100644
index 0000000..d8c4cc6
--- /dev/null
+++ b/inventory-example/10-hosts
@@ -0,0 +1,65 @@
+[baremetal]
+opnsense1 ip=10.10.11.1 cname=opnsense
+proxmox1 ip=10.10.11.11 cname=proxmox
+nas1 ip=10.10.12.5 cname=nas
+tuxstation1 ip=10.10.12.51
+tuxbook1 ip=10.10.12.52
+
+[proxmox_instances]
+freeipa1 ip=10.10.12.2 cores=4 ram=8g disk=64g
+freeipa2 ip=10.10.12.3 cores=4 ram=8g disk=64g
+yum1 ip=10.10.12.4 cname=yum cores=4 disk=256g
+syslog1 ip=10.10.12.6 cname=syslog disk=256g
+imap1 ip=10.10.12.7 cname=imap cores=4 ram=8g disk=256g
+rspamd1 ip=10.10.12.8 cname=rspamd
+radius1 ip=10.10.12.9 cname=radius
+postgres1 ip=10.10.12.10 cname=postgres cores=4 ram=8g
+ttrss1 ip=10.10.12.11 cname=ttrss
+znc1 ip=10.10.12.12 cname=znc
+dav1 ip=10.10.12.13 cname=dav disk=64g
+bitwarden1 ip=10.10.12.14 cname=bitwarden
+cups1 ip=10.10.12.15 cname=cups
+dev1 ip=10.10.12.16 cores=4 disk=256g
+www1 ip=10.10.12.17 cname=www
+syncthing1 ip=10.10.12.18 cname=syncthing
+wiki1 ip=10.10.12.19 cname=wiki disk=64g
+jellyfin1 ip=10.10.12.20 cname=jellyfin cores=8 ram=32g disk=512g
+privbrowse1 ip=10.10.12.21 cores=4 ram=8g disk=64g
+nagios1 ip=10.10.12.22 cname=nagios cores=4
+archive1 ip=10.10.12.23 cname=archive
+photostructure1 ip=10.10.12.24 cname=photos cores=8 ram=16g disk=256g
+unifi1 ip=10.10.11.30 cname=unifi
+dmz-dns1 ip=10.10.19.2
+dmz-mx1 ip=10.10.19.3 cname=smtp
+dmz-www1 ip=10.10.19.4
+dmz-xmpp1 ip=10.10.19.5 cname=xmpp
+dmz-turn1 ip=10.10.19.6 cname=turn
+dmz-git1 ip=10.10.19.13
+dmz-asterisk1 ip=10.10.14.10 cname=asterisk cores=4
+
+[unmanaged]
+switch1 ip=10.10.11.2
+wap-livingroom ip=10.10.11.31
+wap-bedroom ip=10.10.11.32
+wap-kitchen ip=10.10.11.33
+pixel1 ip=10.10.13.11
+pixel2 ip=10.10.13.12
+printer1 ip=10.10.15.2
+phone1 ip=10.10.14.11
+phone2 ip=10.10.14.12
+
+
+# Only one host can be the freeipa master.
+[freeipa_master]
+freeipa1
+
+
+# The "all" group must be specified explicitly; otherwise the constructed inventory
+# plugin won't parse the group_vars.
+# https://github.com/ansible/ansible/issues/71738
+[all:children]
+baremetal
+proxmox_instances
+unmanaged
+
+# vi: ft=dosini
diff --git a/inventory-example/20-by-hostname.yml b/inventory-example/20-by-hostname.yml
new file mode 100644
index 0000000..165bd37
--- /dev/null
+++ b/inventory-example/20-by-hostname.yml
@@ -0,0 +1,43 @@
+plugin: constructed
+strict: yes
+groups:
+ internal: inventory_hostname is not match('dmz-')
+ dmz: inventory_hostname is match('dmz-')
+ switches: inventory_hostname is match('switch[0-9]')
+ access_points: inventory_hostname is match('wap-')
+ printers: inventory_hostname is match('printer[0-9]')
+ cellphones: inventory_hostname is match('pixel')
+ phones: inventory_hostname is match('phone[0-9]')
+ opnsense_firewalls: inventory_hostname is match('opnsense[0-9]')
+ proxmox_hypervisors: inventory_hostname is match('proxmox[0-9]')
+ nfs_servers: inventory_hostname is match('nas[0-9]')
+ linux_desktops: inventory_hostname is match('tuxstation[0-9]')
+ linux_laptops: inventory_hostname is match('tuxbook[0-9]')
+ freeipa_servers: inventory_hostname is match('freeipa[0-9]')
+ unifi_controllers: inventory_hostname is match('unifi[0-9]')
+ yum_mirrors: inventory_hostname is match('yum[0-9]')
+ syslog_servers: inventory_hostname is match('syslog[0-9]')
+ mail_servers: inventory_hostname is match('(dmz-)?mx[0-9]')
+ imap_servers: inventory_hostname is match('imap[0-9]')
+ radius_servers: inventory_hostname is match('radius[0-9]')
+ postgresql_servers: inventory_hostname is match('postgres[0-9]')
+ ttrss_servers: inventory_hostname is match('ttrss[0-9]')
+ znc_servers: inventory_hostname is match('znc[0-9]')
+ dav_servers: inventory_hostname is match('dav[0-9]')
+ bitwarden_servers: inventory_hostname is match('bitwarden[0-9]')
+ cups_servers: inventory_hostname is match('cups[0-9]')
+ xmpp_servers: inventory_hostname is match('(dmz-)?xmpp[0-9]')
+ dev_servers: inventory_hostname is match('dev[0-9]')
+ web_servers: inventory_hostname is match('(dmz-)?www[0-9]')
+ git_servers: inventory_hostname is match('(dmz-)?git[0-9]')
+ syncthing_servers: inventory_hostname is match('syncthing[0-9]')
+ wiki_servers: inventory_hostname is match('(dmz-)?wiki[0-9]')
+ jellyfin_servers: inventory_hostname is match('jellyfin[0-9]')
+ privbrowse_servers: inventory_hostname is match('privbrowse[0-9]')
+ nagios_servers: inventory_hostname is match('nagios[0-9]')
+ archive_servers: inventory_hostname is match('archive[0-9]')
+ photostructure_servers: inventory_hostname is match('photostructure[0-9]')
+ rspamd_servers: inventory_hostname is match('rspamd[0-9]')
+ authoritative_nameservers: inventory_hostname is match('(dmz-)?dns[0-9]')
+ turn_servers: inventory_hostname is match('(dmz-)?turn[0-9]')
+ asterisk_servers: inventory_hostname is match('(dmz-)?asterisk[0-9]')
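Review bot: `internal` is defined purely as the complement of `dmz-`, so it also absorbs the firewall, switches, access points, phones and any future host whose name merely lacks the prefix; if any role or firewall policy treats `internal` as a trust boundary (not visible here), a host that is typo'd without `dmz-` lands inside it silently. A comment on that line stating the contract, e.g. `# internal == everything not dmz, including unmanaged gear`, would make the default-include behaviour explicit. Separately, `cellphones: inventory_hostname is match('pixel')` is the only pattern without a trailing `[0-9]`; `match('pixel[0-9]')` keeps it consistent with its neighbours.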
diff --git a/inventory-example/30-constructed.yml b/inventory-example/30-constructed.yml
new file mode 100644
index 0000000..f519d22
--- /dev/null
+++ b/inventory-example/30-constructed.yml
@@ -0,0 +1,15 @@
+plugin: constructed
+strict: yes
+use_vars_plugins: yes
+compose:
+ vlan: vlans.values() | selectattr('cidr', 'contains_ip', ip) | first
+ ansible_host: ansible_ip | default(ip) | default(ansible_host)
+ fqdn: inventory_hostname ~ '.' ~ domain
+ cnames: ([] if cname is not defined else (((cname | split(',')) if cname is string else cname) | map('regex_replace', '$', '.'~domain)))
+ proxmox_disk: (disk | default('32g') | human_to_bytes / 1073741824) | int
+ proxmox_memory: (ram | default('4g') | human_to_bytes / 1048576) | int
+ proxmox_cores: cores | default(2)
+groups:
+ el: (group_names | intersect(['unmanaged','opnsense_firewalls','proxmox_hypervisors']) | length) == 0
+ nagios_ansible_managed_clients: (group_names | intersect(['unmanaged','opnsense_firewalls','linux_laptops']) | length) == 0
+ nagios_el_clients: (group_names | intersect(['unmanaged','opnsense_firewalls','linux_laptops','proxmox_hypervisors']) | length) == 0
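Review bot: The `el` group is built by exclusion — every host not in `unmanaged`, `opnsense_firewalls` or `proxmox_hypervisors` is treated as an EL box — so a new appliance added under `[baremetal]` without also being placed in one of those groups would receive every EL role on the next run. A comment spelling out that contract, e.g. `# el: everything not explicitly non-EL; extend the exclusion list when adding appliance groups`, would help. The `vlan` compose also appears to yield an undefined value when `ip` falls outside every `vlans.*.cidr`, since `first` on an empty selection has nothing to return; under `strict: yes` this presumably aborts inventory parsing, which is worth documenting as intentional rather than leaving as a surprise.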
diff --git a/inventory-example/40-groups b/inventory-example/40-groups
new file mode 100644
index 0000000..41c1705
--- /dev/null
+++ b/inventory-example/40-groups
@@ -0,0 +1,62 @@
+# Hosts that aren't ready for Rocky 9 yet.
+[el8:children]
+asterisk_servers
+git_servers
+imap_servers
+nagios_servers
+rspamd_servers
+unifi_controllers
+xmpp_servers
+
+##### Nagios Hostgroups #####
+[nagios_net_snmp_clients:children]
+nagios_ansible_managed_clients
+opnsense_firewalls
+
+[nagios_check_load:children]
+nagios_net_snmp_clients
+
+[nagios_check_mem:children]
+nagios_net_snmp_clients
+
+[nagios_check_disk:children]
+nagios_net_snmp_clients
+
+[nagios_check_interfaces:children]
+nagios_net_snmp_clients
+switches
+access_points
+
+[nagios_check_systemd:children]
+nagios_ansible_managed_clients
+
+[nagios_check_ssh:children]
+baremetal
+proxmox_instances
+switches
+access_points
+
+[nagios_check_zfs:children]
+nfs_servers
+proxmox_hypervisors
+
+[nagios_check_https:children]
+freeipa_servers
+yum_mirrors
+ttrss_servers
+znc_servers
+dav_servers
+bitwarden_servers
+cups_servers
+web_servers
+git_servers
+syncthing_servers
+wiki_servers
+jellyfin_servers
+privbrowse_servers
+photostructure_servers
+rspamd_servers
+unifi_controllers
+xmpp_servers
+
+# vi: ft=dosini
diff --git a/inventory-example/group_vars/access_points/vars.yml b/inventory-example/group_vars/access_points/vars.yml
new file mode 100644
index 0000000..05aaf5d
--- /dev/null
+++ b/inventory-example/group_vars/access_points/vars.yml
@@ -0,0 +1,12 @@
+nagios_snmp_priv_pass: '{{ vault_nagios_snmp_priv_pass }}'
+nagios_snmp_auth_pass: '{{ vault_nagios_snmp_auth_pass }}'
+
+nagios_interfaces:
+ - eth0
+ - regex: '^wifi[0-9]'
+ description: wifi
+ down_ok: yes
+ discard_warn: 500
+ discard_crit: 1000
+ error_warn: 500
+ error_crit: 1000
diff --git a/inventory-example/group_vars/access_points/vault.yml b/inventory-example/group_vars/access_points/vault.yml
new file mode 100644
index 0000000..f39f186
--- /dev/null
+++ b/inventory-example/group_vars/access_points/vault.yml
@@ -0,0 +1,6 @@
+# This is a sample file with fake secrets. For a real deployment, encrypt this
+# file with `ansible-vault encrypt` and add your own secrets.
+---
+# Unifi APs require the privpass and authpass to be identical...sad!
+vault_nagios_snmp_priv_pass: changeme
+vault_nagios_snmp_auth_pass: changeme
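Review bot: This sample vault is committed in cleartext by design, but nothing here stops a real deployment from doing the same by accident; the header comment should also point at a guard, e.g. a pre-commit check that rejects any `vault.yml` not beginning with `$ANSIBLE_VAULT;`. Because the comment notes that the auth and priv passphrases must be identical on these APs, the privacy key is only as secret as the authentication key: use a long random value that is distinct from the `vault_nagios_snmp_*` passphrases the other SNMPv3 hosts use, so recovery of the AP credential does not also open the rest of the fleet.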
diff --git a/inventory-example/group_vars/all/apache.yml b/inventory-example/group_vars/all/apache.yml
new file mode 100644
index 0000000..85c7abf
--- /dev/null
+++ b/inventory-example/group_vars/all/apache.yml
@@ -0,0 +1 @@
+apache_sysaccount_password: '{{ vault_apache_sysaccount_password }}'
diff --git a/inventory-example/group_vars/all/archive.yml b/inventory-example/group_vars/all/archive.yml
new file mode 100644
index 0000000..65d8144
--- /dev/null
+++ b/inventory-example/group_vars/all/archive.yml
@@ -0,0 +1,2 @@
+archive_ssh_privkey: '{{ vault_archive_ssh_privkey }}'
+archive_ssh_pubkey: ssh-rsa AAAAAAAAAchangeme
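Review bot: `archive_ssh_pubkey` is an `ssh-rsa` placeholder while `nagios_ssh_pubkey` in the same inventory is `ssh-ed25519`; unless the archive target only accepts RSA, an ed25519 key is the smaller and more consistent choice. Whatever the type, this line needs the `# changeme` marker the other sample values carry, since the public half must correspond exactly to `vault_archive_ssh_privkey` or key-based login simply fails with no hint that the two drifted.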
diff --git a/inventory-example/group_vars/all/asterisk.yml b/inventory-example/group_vars/all/asterisk.yml
new file mode 100644
index 0000000..0f4f1b2
--- /dev/null
+++ b/inventory-example/group_vars/all/asterisk.yml
@@ -0,0 +1,105 @@
+asterisk_external_ip: 203.0.113.62 # changeme
+asterisk_fqdn: pbx.example.com # changeme
+asterisk_local_nets:
+ - '{{ vlans.voip.cidr }}'
+
+asterisk_password_salt: '{{ vault_asterisk_password_salt }}'
+
+asterisk_voicemail_contexts: # changeme
+ default:
+ - address: 6000
+ password: 1234
+ name: Doe Family
+ email: doefamily@example.com
+
+asterisk_sip_trunks: '{{ vault_asterisk_sip_trunks }}'
+asterisk_sip_extensions: '{{ vault_asterisk_sip_extensions }}'
+asterisk_ari_users: '{{ vault_asterisk_ari_users }}'
+
+asterisk_queues: # changeme
+ - name: house-phones
+ strategy: ringall
+ retry: 1
+ timeout: 30
+ members:
+ - 6001
+ - 6002
+ - 6003
+
+# changeme - dump your asterisk dialplan into this variable
+asterisk_dialplan: |
+ [globals]
+ AREA_CODE = 555
+
+ ; voicemail
+ VOICEMAIL_NUMBER = *99
+ VOICEMAIL_CONTEXT = default
+ VOICEMAIL_RING_TIMEOUT = 25
+
+ ; extension patterns
+ INTERCOM = 6000
+ HOUSE = _6XXX
+
+ ; Queue for all local home phones
+ HOME_QUEUE = house-phones
+
+ ; All home phones use the same voicemail box.
+ HOME_MAILBOX = 6000
+
+ ; Caller ID for outgoing PSTN calls from the home phone line.
+ HOME_CID = John Doe <+15555555555>
+
+ [gosub-voicemail]
+ ; Dial the given channel, if no answer send to voicemail.
+ ; ${ARG1} - channel to dial
+ ; ${ARG2} - voicemail box
+ exten => s,1,Dial(${ARG1},${VOICEMAIL_RING_TIMEOUT})
+ same => n,Answer(500)
+ same => n,Voicemail(${ARG2},su)
+ same => n,Hangup()
+
+ [gosub-intercom]
+ exten => s,1,Set(PJSIP_HEADER(add,Alert-Info)=auto answer)
+ same => n,Return()
+
+ [subscribe]
+ exten => _XXXX,hint,PJSIP/${EXTEN}
+
+ [internal]
+ ; For INTERCOM, page all participants into 2-way conference
+ exten => ${INTERCOM},1,Set(CALLERID(all)=Intercom <${EXTEN}>
+ same => n,Page(${STRREPLACE(QUEUE_MEMBER_LIST(${HOME_QUEUE}),",","&")},db(gosub-intercom^s^1),10)
+
+ ; For HOME extensions, ring indefinitely.
+ exten => ${HOME},1,Dial(PJSIP/${EXTEN})
+ same => n,Hangup()
+
+ [from-upstream-provider]
+ ; Ring all house phones for incoming PSTN calls, if no answer send to voicemail.
+ exten => _X.,1,Queue(${HOME_QUEUE},nr,,,${VOICEMAIL_RING_TIMEOUT})
+ same => n,Answer(500)
+ same => n,Voicemail(${HOME_MAILBOX}@${VOICEMAIL_CONTEXT},su)
+ same => n,Hangup()
+
+ [from-house-phones]
+ include => internal
+ ; local voicemail access
+ exten => ${VOICEMAIL_NUMBER},1,Answer(500)
+ same => n,VoiceMailMain(${HOME_MAILBOX}@${VOICEMAIL_CONTEXT},s)
+ same => n,Hangup()
+ ; pstn - normalize all outgoing numbers to +1XXXXXXXXXX
+ exten => _+1NXXNXXXXXX,1,Set(CALLERID(all)=${HOME_CID})
+ same => n,Dial(PJSIP/${EXTEN}@upstream-provider)
+ same => n,Hangup()
+ exten => _1NXXNXXXXXX,1,Set(CALLERID(all)=${HOME_CID})
+ same => n,Dial(PJSIP/+${EXTEN}@upstream-provider)
+ same => n,Hangup()
+ exten => _NXXNXXXXXX,1,Set(CALLERID(all)=${HOME_CID})
+ same => n,Dial(PJSIP/+1${EXTEN}@upstream-provider)
+ same => n,Hangup()
+ exten => _NXXXXXX,1,Set(CALLERID(all)=${HOME_CID})
+ same => n,Dial(PJSIP/+1${AREA_CODE}${EXTEN}@upstream-provider)
+ same => n,Hangup()
+ exten => _N11,1,Set(CALLERID(all)=${HOME_CID})
+ same => n,Dial(PJSIP/${EXTEN}@upstream-provider)
+ same => n,Hangup()
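Review bot: The intercom line `exten => ${INTERCOM},1,Set(CALLERID(all)=Intercom <${EXTEN}>` is missing the closing parenthesis of `Set(`; every other `Set(CALLERID(all)=...)` in this dialplan closes it, so this looks like a typo that at best produces a parser warning and at worst leaves the caller ID unset — `Set(CALLERID(all)=Intercom <${EXTEN}>)`. Separately, the voicemail PIN `password: 1234` sits in plain YAML behind a `# changeme` marker, whereas the SIP extensions and ARI users are pulled from vault; moving `asterisk_voicemail_contexts` behind a `vault_` variable keeps the PIN out of the repository. `VoiceMailMain(...,s)` in `[from-house-phones]` also skips the PIN entirely for any house phone, which is reasonable for a home deployment but deserves a one-line comment so it is not mistaken for an oversight.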
diff --git a/inventory-example/group_vars/all/coturn.yml b/inventory-example/group_vars/all/coturn.yml
new file mode 100644
index 0000000..0af566b
--- /dev/null
+++ b/inventory-example/group_vars/all/coturn.yml
@@ -0,0 +1,3 @@
+coturn_auth_secret: '{{ vault_coturn_auth_secret }}'
+coturn_external_ip: 203.0.113.61 # changeme
+coturn_realm: turn.example.com # changeme
diff --git a/inventory-example/group_vars/all/cups.yml b/inventory-example/group_vars/all/cups.yml
new file mode 100644
index 0000000..11087a1
--- /dev/null
+++ b/inventory-example/group_vars/all/cups.yml
@@ -0,0 +1 @@
+cups_host: cups.{{ domain }}
diff --git a/inventory-example/group_vars/all/firefox.yml b/inventory-example/group_vars/all/firefox.yml
new file mode 100644
index 0000000..5ebc61b
--- /dev/null
+++ b/inventory-example/group_vars/all/firefox.yml
@@ -0,0 +1,73 @@
+# Managed firefox settings go in this file.
+---
+firefox_offer_to_save_logins_default: no
+
+firefox_extensions:
+ - name: ublock-origin
+ id: uBlock0@raymondhill.net
+ mode: force_installed
+ policy:
+ toOverwrite:
+ filterLists:
+ - user-filters
+ - ublock-filters
+ - ublock-badware
+ - ublock-privacy
+ - ublock-abuse
+ - ublock-unbreak
+ - ublock-annoyances
+ - easylist
+ - easyprivacy
+ - urlhaus-1
+ - plowe-0
+ - fanboy-annoyance
+ - fanboy-thirdparty_social
+ - adguard-spyware-url
+ - ublock-quick-fixes
+ toAdd:
+ trustedSiteDirectives:
+ - id.spectrum.net
+ - '{{ domain }}'
+
+ - name: bitwarden-password-manager
+ id: '{446900e4-71c2-419f-a6a7-df9c091e268b}'
+
+ - name: libredirect
+ id: 7esoorv3@alefvanoon.anonaddy.me
+
+firefox_preferences:
+ - name: dom.security.https_only_mode
+ value: true
+ status: locked
+
+firefox_managed_bookmarks:
+ - name: Bitwarden
+ url: 'https://bitwarden.{{ domain }}'
+ - name: Git
+ url: 'https://git.example.com'
+ - name: Invidious
+ url: 'https://invidious.{{ domain }}'
+ - name: Jellyfin
+ url: 'https://jellyfin.{{ domain }}'
+ - name: Nagios
+ url: 'https://nagios.{{ domain }}'
+ - name: Nitter
+ url: 'https://nitter.{{ domain }}'
+ - name: Photostructure
+ url: 'https://photos.{{ domain }}/'
+ - name: Printers
+ url: 'https://cups.{{ domain }}/printers/'
+ - name: Rspamd
+ url: 'https://rspamd.{{ domain }}'
+ - name: Syncthing
+ url: 'https://syncthing.{{ domain }}'
+ - name: Teddit
+ url: 'https://teddit.{{ domain }}'
+ - name: TinyTinyRSS
+ url: 'https://ttrss.{{ domain }}'
+ - name: Unifi
+ url: 'https://unifi.{{ domain }}'
+ - name: Wiki
+ url: 'https://wiki.{{ domain }}'
+ - name: ZNC
+ url: 'https://znc.{{ domain }}'
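Review bot: The Git bookmark points at the literal `https://git.example.com` while every other entry is templated on `{{ domain }}`, and it carries no `# changeme` marker, so a user who replaces the obvious placeholders still ships a bookmark to a foreign host; either `url: 'https://git.{{ domain }}'` or an explicit `# changeme` comment fixes that. The uBlock `trustedSiteDirectives` entry for `{{ domain }}` disables filtering on every internal service at once, which is fine for a home lab but worth a one-line comment, since it also whitelists anything reachable under that suffix.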
diff --git a/inventory-example/group_vars/all/freeipa.yml b/inventory-example/group_vars/all/freeipa.yml
new file mode 100644
index 0000000..3501061
--- /dev/null
+++ b/inventory-example/group_vars/all/freeipa.yml
@@ -0,0 +1,144 @@
+# This file contains a bunch of example data for populating your FreeIPA
+# domain with users, groups, sudo rules, etc.
+---
+freeipa_workgroup: ACME
+freeipa_nfs_homedirs: yes
+freeipa_dns_forwarders:
+ - 10.10.12.1
+
+freeipa_users:
+ - name: johndoe
+ givenname: John
+ sn: Doe
+ mail: john@example.com
+ jid: john@example.com
+ mail_aliases:
+ - john.nickname@example.com
+ - john.alias@exmaple.com
+
+ - name: bobbytables
+ givenname: Bobby
+ sn: Tables
+ mail: btables@example.com
+ jid: btables@example.com
+
+ - name: janedoe
+ givenname: Jane
+ sn: Doe
+ mail: jane@example.com
+ jid: jane@example.com
+
+freeipa_groups:
+ # built-in freeipa admin group - be careful!
+ - name: admins
+ append: yes
+ user:
+ - johndoe
+
+ - name: sysadmins
+ mail: sysadmins@example.com
+ mail_aliases:
+ - root@example.com
+ - postmaster@example.com
+ - hostmaster@example.com
+ - webmaster@example.com
+ - abuse@example.com
+ description: System Administrators
+ user:
+ - johndoe
+ - btables
+
+ - name: webmasters
+ user:
+ - johndoe
+
+ - name: doefamily
+ description: Doe Family
+ mail: doefamily@example.com
+ user:
+ - johndoe
+ - janedoe
+
+ - name: role-nagios-access
+ group: sysadmins
+
+ - name: role-bitwarden-admin
+ group: sysadmins
+
+ - name: role-cups-admin
+ group: sysadmins
+
+ - name: role-ttrss-admin
+ group: sysadmins
+
+ - name: role-music-admin
+ group: sysadmins
+ append: yes
+
+ - name: role-rspamd-admin
+ group: sysadmins
+
+ - name: role-imap-access
+ group: doefamily
+
+ - name: role-music-access
+ group: doefamily
+ append: yes
+
+ - name: role-dav-access
+ group: doefamily
+
+ - name: role-linux-desktop-access
+ group: doefamily
+
+ - name: role-ttrss-access
+ group: doefamily
+
+ - name: role-znc-access
+ group: doefamily
+
+ - name: role-wiki-access
+ group: doefamily
+
+ - name: role-wiki-admin
+ group: sysadmins
+
+ - name: role-wifi-access
+ group: doefamily
+
+ - name: role-media-admin
+ group: sysadmins
+
+ - name: role-media-access
+ group: doefamily
+
+ - name: role-photo-admin
+ group: doefamily
+ append: yes
+
+ - name: role-xmpp-access
+ group: doefamily
+
+ - name: role-git-access
+ group: doefamily
+
+ - name: role-git-admin
+ group: sysadmins
+
+freeipa_hbac_rules:
+ - name: sysadmins_ssh_and_console_to_all
+ description: allow sysadmins to ssh to all hosts
+ usergroup: sysadmins
+ hostcategory: all
+ service:
+ - sshd
+ - login
+
+freeipa_sudo_rules:
+ - name: sysadmins_all
+ description: allow sysadmins to run anything as any user
+ cmdcategory: all
+ hostcategory: all
+ runasusercategory: all
+ runasgroupcategory: all
+ usergroup: sysadmins
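Review bot: The `sysadmins` group lists `btables` as a member, but the user defined above is `bobbytables`, so the second sysadmin (and the `root@`/`postmaster@`/`abuse@` alias routing that hangs off this group) is never actually populated; the member should read `- bobbytables`. John's alias `john.alias@exmaple.com` is also misspelled and should be `john.alias@example.com`. Finally, FreeIPA ships with the built-in `allow_all` HBAC rule enabled; unless the freeipa role disables it (not visible here), `sysadmins_ssh_and_console_to_all` adds nothing and every user can still log in everywhere, so a comment such as `# assumes the default allow_all HBAC rule has been disabled` would record that dependency.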
diff --git a/inventory-example/group_vars/all/freeradius.yml b/inventory-example/group_vars/all/freeradius.yml
new file mode 100644
index 0000000..8172e44
--- /dev/null
+++ b/inventory-example/group_vars/all/freeradius.yml
@@ -0,0 +1 @@
+freeradius_clients: '{{ vault_freeradius_clients }}'
diff --git a/inventory-example/group_vars/all/git.yml b/inventory-example/group_vars/all/git.yml
new file mode 100644
index 0000000..9975c7e
--- /dev/null
+++ b/inventory-example/group_vars/all/git.yml
@@ -0,0 +1,2 @@
+cgit_logo: ~/Development/assets/cgit/acme-logo.png # changeme (or delete)
+cgit_favicon: ~/Development/assets/cgit/acme-favicon.svg # changeme (or delete)
diff --git a/inventory-example/group_vars/all/global.yml b/inventory-example/group_vars/all/global.yml
new file mode 100644
index 0000000..f4ea98e
--- /dev/null
+++ b/inventory-example/group_vars/all/global.yml
@@ -0,0 +1,105 @@
+# By convention, variables defined in this file are safe to use in all roles.
+#
+# In other words, this should be the only place where you should see variables
+# without a 'rolename_' prefix.
+---
+ansible_python_interpreter: /usr/libexec/platform-python
+
+timezone: America/New_York
+domain: ipa.example.com # changeme
+email_domain: example.com # changeme
+
+organization: ACME, Inc. # changeme
+
+# This variable will be used to configure an SSID with certificate-based auth
+# for any hosts in the linux-laptops group.
+wifi_ssid: acme-wifi
+
+# Hosts in these CIDRs should be capable of kerberos authentication.
+# We use this in many apache configs to determine when to force GSSAPI auth.
+kerberized_cidrs: # changeme
+ - 10.10.12.0/24
+
+backup_path: ~/backups
+
+# Use your external MX hostname so that TLS validation works.
+mail_host: mx1.exmaple.com
+
+imap_host: imap.{{ domain }}
+rspamd_host: rspamd.{{ domain }}
+
+# changeme: specify your vlans here.
+# This dictionary is used to discover which VLAN a host belongs to.
+# The appropriate VLAN object will end up in the `vlan` variable in host_vars.
+vlans:
+ mgmt:
+ id: 11
+ cidr: 10.10.11.0/24
+ gateway: 10.10.11.1
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ ntp_servers: ['10.10.11.1']
+
+ trusted:
+ id: 12
+ cidr: 10.10.12.0/23
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ gateway: 10.10.12.1
+ ntp_servers: ['10.10.12.1']
+
+ voip:
+ id: 14
+ cidr: 10.10.14.0/24
+ gateway: 10.10.14.1
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ ntp_servers: ['10.10.14.1']
+
+ print:
+ id: 15
+ cidr: 10.10.15.0/24
+ gateway: 10.10.15.1
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ ntp_servers: ['10.10.15.1']
+
+ vpn:
+ id: 16
+ cidr: 10.10.16.0/24
+ gateway: 10.10.16.1
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ ntp_servers: ['10.10.16.1']
+
+ dmz:
+ id: 19
+ cidr: 10.10.19.0/24
+ dns_servers: # freeipa servers
+ - 10.10.12.2
+ - 10.10.12.3
+ gateway: 10.10.19.1
+ ntp_servers: ['10.10.19.1']
+
+
+# standard freeipa variables
+freeipa_realm: '{{ domain | upper }}'
+freeipa_basedn: "dc={{ domain.split('.') | join(',dc=') }}"
+freeipa_hosts: "{{ groups['freeipa_servers'] | map('regex_replace', '$', '.' ~ domain) }}"
+freeipa_ldap_uri: "{{ groups['freeipa_servers'] | map('regex_replace', '^(.*)$', 'ldap://\\1.' ~ domain) | join(' ') }}"
+freeipa_master: "{{ groups['freeipa_master'][0] }}"
+freeipa_sysaccount_basedn: 'cn=sysaccounts,cn=etc,{{ freeipa_basedn }}'
+freeipa_user_basedn: cn=users,cn=accounts,{{ freeipa_basedn }}
+freeipa_group_basedn: cn=groups,cn=accounts,{{ freeipa_basedn }}
+freeipa_accounts_basedn: cn=accounts,{{ freeipa_basedn }}
+freeipa_service_basedn: cn=services,cn=accounts,{{ freeipa_basedn }}
+freeipa_ds_password: '{{ vault_freeipa_ds_password }}'
+freeipa_admin_password: '{{ vault_freeipa_admin_password }}'
+ipa_host: '{{ freeipa_master }}.{{ domain }}'
+ipa_user: admin
+ipa_pass: '{{ freeipa_admin_password }}'
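Review bot: `mail_host: mx1.exmaple.com` has a typo in the domain and, unlike the other placeholders in this file, carries no `# changeme` marker; since the comment says this is the name TLS validation is performed against, copying the file as-is yields a certificate mismatch rather than an obvious placeholder — `mail_host: mx1.example.com # changeme`. `freeipa_ldap_uri` is built with the `ldap://` scheme; whether its consumers negotiate STARTTLS before binding with `freeipa_ds_password` or the per-service `*_sysaccount_password` values is not visible here, so a comment stating that expectation (or switching to `ldaps://`) would prevent those binds from crossing the trusted VLAN in cleartext. Also, `ipa_user: admin` means every ansible-freeipa task runs as the domain administrator; a dedicated automation account holding only the privileges the roles need would narrow the blast radius of a leaked vault.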
diff --git a/inventory-example/group_vars/all/hastebin.yml b/inventory-example/group_vars/all/hastebin.yml
new file mode 100644
index 0000000..d6c6a43
--- /dev/null
+++ b/inventory-example/group_vars/all/hastebin.yml
@@ -0,0 +1,3 @@
+hastebin_upload_cidrs:
+ - '{{ vlans.trusted.cidr }}'
+ - '{{ vlans.vpn.cidr }}'
diff --git a/inventory-example/group_vars/all/invidious.yml b/inventory-example/group_vars/all/invidious.yml
new file mode 100644
index 0000000..31f3cf2
--- /dev/null
+++ b/inventory-example/group_vars/all/invidious.yml
@@ -0,0 +1,4 @@
+invidious_port: 8080
+invidious_db_password: '{{ vault_invidious_db_password }}'
+invidious_hmac_key: '{{ vault_invidious_hmac_key }}'
+invidious_db_user: s-invidious
diff --git a/inventory-example/group_vars/all/jellyfin.yml b/inventory-example/group_vars/all/jellyfin.yml
new file mode 100644
index 0000000..954e498
--- /dev/null
+++ b/inventory-example/group_vars/all/jellyfin.yml
@@ -0,0 +1 @@
+jellyfin_sysaccount_password: '{{ vault_jellyfin_sysaccount_password }}'
diff --git a/inventory-example/group_vars/all/mail.yml b/inventory-example/group_vars/all/mail.yml
new file mode 100644
index 0000000..120ca91
--- /dev/null
+++ b/inventory-example/group_vars/all/mail.yml
@@ -0,0 +1,21 @@
+dovecot_default_user_quota: 20G
+
+# accept mail for these domains:
+postfix_virtual_domains:
+ - example.com
+ - example.net
+
+rspamd_domain_whitelist:
+ - badly.configured.domain.com
+ - dont.mark.mail.from.this.domain.as.spam.com
+
+rspamd_password: '{{ vault_rspamd_password }}'
+rspamd_password_hash: '{{ vault_rspamd_password_hash }}'
+rspamd_dkim_keys: '{{ vault_rspamd_dkim_keys }}'
+
+# generate with `rspamadm keypair`
+rspamd_privkey: '{{ vault_rspamd_privkey }}'
+rspamd_pubkey: AAAAAAAAAAAAAchangeme
+
+rspamd_redis_port: 6379
+rspamd_redis_bayes_port: 6380
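Review bot: `rspamd_domain_whitelist` is keyed only on the sender's domain, and the placeholder names suggest it bypasses spam scoring wholesale; unless the rspamd role ties the whitelist to a DKIM/SPF/DMARC pass (not visible here), anyone can forge `From: user@dont.mark.mail.from.this.domain.as.spam.com` and skip filtering. A comment stating which authentication check gates the whitelist — or a note to prefer rspamd's DKIM/DMARC-aware whitelist maps — would make the trade-off explicit. Separately, `rspamd_pubkey: AAAAAAAAAAAAAchangeme` lacks the `# changeme` marker the rest of the inventory uses for placeholders.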
diff --git a/inventory-example/group_vars/all/mediawiki.yml b/inventory-example/group_vars/all/mediawiki.yml
new file mode 100644
index 0000000..d54f199
--- /dev/null
+++ b/inventory-example/group_vars/all/mediawiki.yml
@@ -0,0 +1,9 @@
+mediawiki_upgrade_key: '{{ vault_mediawiki_upgrade_key }}'
+mediawiki_secret_key: '{{ vault_mediawiki_secret_key }}'
+mediawiki_admin_password: '{{ vault_mediawiki_admin_password }}'
+
+mediawiki_sysaccount_password: '{{ vault_mediawiki_sysaccount_password }}'
+
+mediawiki_logo_1x: ~/Development/assets/mediawiki/acme-logo.svg # changeme (or delete)
+mediawiki_logo_icon: ~/Development/assets/mediawiki/acme-icon.svg # changeme (or delete)
+mediawiki_favicon: ~/Development/assets/mediawiki/acme-favicon.svg # changeme (or delete)
diff --git a/inventory-example/group_vars/all/nagios.yml b/inventory-example/group_vars/all/nagios.yml
new file mode 100644
index 0000000..84fc7ce
--- /dev/null
+++ b/inventory-example/group_vars/all/nagios.yml
@@ -0,0 +1,90 @@
+nagios_email: sysadmins@example.com
+nagios_ssh_privkey: '{{ vault_nagios_ssh_privkey }}'
+nagios_ssh_pubkey: ssh-ed25519 AAAAAAAAAAAAAAchangeme
+
+nagios_excluded_groups:
+ - linux_laptops
+ - cellphones
+
+nagios_snmp_user: nagios
+nagios_snmp_community: public
+nagios_snmp_priv_proto: AES
+nagios_snmp_auth_proto: SHA
+nagios_snmp_auth_pass: '{{ vault_nagios_snmp_auth_pass }}'
+nagios_snmp_priv_pass: '{{ vault_nagios_snmp_priv_pass }}'
+
+nagios_ping_count: 5
+nagios_ping_rtt_warn: 50.0
+nagios_ping_rtt_crit: 100.0
+nagios_ping_loss_warn: 20%
+nagios_ping_loss_crit: 40%
+
+nagios_temp_warn: 60
+nagios_temp_crit: 70
+
+nagios_power_draw_warn: 50%
+nagios_power_draw_crit: 75%
+
+nagios_load_1m_warn: 1.0
+nagios_load_5m_warn: 0.9
+nagios_load_15m_warn: 0.8
+nagios_load_1m_crit: 2.0
+nagios_load_5m_crit: 1.8
+nagios_load_15m_crit: 1.6
+
+nagios_mem_warn: 80%
+nagios_mem_crit: 90%
+
+nagios_swap_warn: 50%
+nagios_swap_crit: 80%
+
+nagios_interface_bandwidth_warn: 0
+nagios_interface_bandwidth_crit: 0
+nagios_interface_discard_warn: 10
+nagios_interface_discard_crit: 50
+nagios_interface_error_warn: 5
+nagios_interface_error_crit: 20
+
+nagios_interfaces:
+ - regex: ^(?!.*(lo[0-9]*|virbr[0-9]*|tap.*|vmbr.*|lagg[0-9]+_vlan))
+ description: interfaces
+ down_ok: no
+ bandwidth_warn: '{{ nagios_interface_bandwidth_warn }}'
+ bandwidth_crit: '{{ nagios_interface_bandwidth_crit }}'
+ discard_warn: '{{ nagios_interface_discard_warn }}'
+ discard_crit: '{{ nagios_interface_discard_crit }}'
+ error_warn: '{{ nagios_interface_error_warn }}'
+ error_crit: '{{ nagios_interface_error_crit }}'
+
+nagios_disk_warn: 80%
+nagios_disk_crit: 90%
+
+nagios_disks:
+ - regex: ^(/sys|/dev|/run|/rpool|/tank)
+ exclude: yes
+ description: disks
+ warn: '{{ nagios_disk_warn }}'
+ crit: '{{ nagios_disk_crit }}'
+
+nagios_certificate_warn: 28
+nagios_certificate_crit: 14
+
+nagios_smtp_warn: 0.5
+nagios_smtp_crit: 1.0
+nagios_mailq_warn: 5
+nagios_mailq_crit: 20
+
+nagios_imap_warn: 0.5
+nagios_imap_crit: 1.0
+
+nagios_http_warn: 0.5
+nagios_http_crit: 1.0
+
+nagios_check_dns:
+ - name: www.example.com
+ server: 8.8.8.8
+ expect: 203.0.113.42
+
+ - name: mx1.example.com
+ server: 8.8.8.8
+ expect: 203.0.113.43
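Review bot: `nagios_snmp_community: public` is the well-known default SNMPv2c community, stored unencrypted next to the SNMPv3 user/auth/priv settings that are correctly pulled from vault. If any check falls back to v2c — the switches, access points and printer in this inventory are candidates — that community exposes interface and system tables to anyone on the management VLAN; either vault it as `'{{ vault_nagios_snmp_community }}'` or mark it `# changeme` and document that v2c is expected only for devices that cannot do v3. `nagios_ssh_pubkey: ssh-ed25519 AAAAAAAAAAAAAAchangeme` likewise needs a `# changeme` marker.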
diff --git a/inventory-example/group_vars/all/nfs.yml b/inventory-example/group_vars/all/nfs.yml
new file mode 100644
index 0000000..713b5d3
--- /dev/null
+++ b/inventory-example/group_vars/all/nfs.yml
@@ -0,0 +1,11 @@
+nfs_homedir_options: rw,crossmnt
+
+# These clients will be added to the export list for NFS home directories.
+nfs_homedir_clients:
+ - client: '{{ vlans.trusted.cidr }}'
+ options: sec=krb5p
+
+ # We can't use kerberos for Syncthing, because the Syncthing daemons have
+ # to impersonate each user, and I don't feel like shuffling keytabs around.
+ - client: syncthing1
+ options: sec=sys
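Review bot: The syncthing1 entry on the last two lines combines `sec=sys` with the read-write options from `nfs_homedir_options`, and the comment explains only why Kerberos was skipped, not what that costs: AUTH_SYS believes whatever UID the client presents, so any process on syncthing1 that can choose its UID can read and write every exported home directory. Spell that out and pin the entry to a single host, e.g. `# sec=sys trusts client-supplied UIDs: a compromise of syncthing1 exposes every home dir. Keep this a single host, never a CIDR.`. Whether the export role applies root_squash by default is not visible here and is worth confirming.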
diff --git a/inventory-example/group_vars/all/nitter.yml b/inventory-example/group_vars/all/nitter.yml
new file mode 100644
index 0000000..3d13f76
--- /dev/null
+++ b/inventory-example/group_vars/all/nitter.yml
@@ -0,0 +1,3 @@
+nitter_port: 8082
+nitter_redis_port: 16379
+nitter_hmac_key: '{{ vault_nitter_hmac_key }}'
diff --git a/inventory-example/group_vars/all/nsd.yml b/inventory-example/group_vars/all/nsd.yml
new file mode 100644
index 0000000..ff1afe6
--- /dev/null
+++ b/inventory-example/group_vars/all/nsd.yml
@@ -0,0 +1,54 @@
+# Put the desired contents of any zone files in nsd_zones.
+#
+# I only recommend self-hosting DNS if you're farming out your *real* query
+# traffic to a secondary DNS provider.
+---
+nsd_zones:
+ - name: example.com
+ slave_nameservers:
+ - 203.0.113.50
+ - 203.0.113.51
+ ttl: 3600
+ content: |
+ @ IN NS ns1.example.com.
+ @ IN NS ns2.example.com.
+ ns1 IN A 203.0.113.52
+ ns1 IN AAAA 2001:db8::2
+ ns2 IN A 203.0.113.53
+ ns2 IN AAAA 2001:db8::3
+
+ @ IN CAA 0 issue "letsencrypt.org"
+
+ ; mail
+ @ IN MX 10 mx1.example.com.
+ @ IN TXT "v=spf1 mx -all"
+ dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; "
+ "p=AAAAAAAAAAAAAAAAchangeme"
+ "AAAAAAAAAAAAAAAAAAchangeme"
+ ) ;
+ _dmarc IN TXT "v=DMARC1; p=reject; ruf=mailto:postmaster@example.com"
+
+ @ IN A 203.0.113.54
+ mx1 IN A 203.0.113.55
+ www1 IN A 203.0.113.56
+ xmpp1 IN A 203.0.113.57
+ turn1 IN A 203.0.113.58
+ pbx1 IN A 203.0.113.59
+ www IN CNAME www1
+ xmpp IN CNAME xmpp1
+ conference IN CNAME xmpp1
+ turn IN CNAME turn1
+ pbx IN CNAME pbx1
+
+ _xmpp-client._tcp IN SRV 0 5 5222 xmpp1
+ _xmpp-server._tcp IN SRV 0 5 5269 xmpp1
+ _xmpp-server._tcp.conference IN SRV 0 5 5269 xmpp1
+
+ _stun._tcp IN SRV 0 5 3478 turn1
+ _stun._udp IN SRV 0 5 3478 turn1
+ _turn._tcp IN SRV 0 5 3478 turn1
+ _turn._udp IN SRV 0 5 3478 turn1
+
+ _sip._udp IN SRV 0 5 5060 pbx1
+ _sip._tcp IN SRV 0 5 5060 pbx1
+ _sip._tls IN SRV 0 5 5061 pbx1
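Review bot: The DMARC record (`_dmarc IN TXT "v=DMARC1; p=reject; ruf=..."`) requests only forensic (`ruf=`) reports, which most receivers never send; without `rua=` there is no aggregate feedback to notice that `p=reject` is dropping legitimate mail after a DKIM or SPF misconfiguration. Suggested line: `_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com"`. The CAA record only sets `issue`; with no `issuewild` property the same CA may also issue wildcard certificates, so if wildcards are not intended add `@ IN CAA 0 issuewild ";"`.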
diff --git a/inventory-example/group_vars/all/packages.yml b/inventory-example/group_vars/all/packages.yml
new file mode 100644
index 0000000..2883e64
--- /dev/null
+++ b/inventory-example/group_vars/all/packages.yml
@@ -0,0 +1,4 @@
+packages_install:
+ - man
+ - less
+ - tmux
diff --git a/inventory-example/group_vars/all/photostructure.yml b/inventory-example/group_vars/all/photostructure.yml
new file mode 100644
index 0000000..6f7963e
--- /dev/null
+++ b/inventory-example/group_vars/all/photostructure.yml
@@ -0,0 +1,3 @@
+photostructure_access_group: role-photo-admin
+photostructure_scan_paths:
+ - /nfs/media/pictures
diff --git a/inventory-example/group_vars/all/polkit.yml b/inventory-example/group_vars/all/polkit.yml
new file mode 100644
index 0000000..fed46cc
--- /dev/null
+++ b/inventory-example/group_vars/all/polkit.yml
@@ -0,0 +1 @@
+polkit_admin_group: sysadmins
diff --git a/inventory-example/group_vars/all/postgres.yml b/inventory-example/group_vars/all/postgres.yml
new file mode 100644
index 0000000..be90568
--- /dev/null
+++ b/inventory-example/group_vars/all/postgres.yml
@@ -0,0 +1,4 @@
+postgresql_host: postgres.{{ domain }}
+postgresql_inventory_host: "{{ postgresql_host.split('.')[0] }}"
+postgresql_password_users:
+ - '{{ invidious_db_user }}'
diff --git a/inventory-example/group_vars/all/prosody.yml b/inventory-example/group_vars/all/prosody.yml
new file mode 100644
index 0000000..b317a96
--- /dev/null
+++ b/inventory-example/group_vars/all/prosody.yml
@@ -0,0 +1,16 @@
+prosody_http_host: xmpp.example.com # changeme
+prosody_sysaccount_password: '{{ vault_prosody_sysaccount_password }}'
+prosody_vhosts: # changeme - your jabber domain(s)
+ - example.com
+
+# XMPP clients expect a certificate matching the domain of the given JID.
+# Unfortunately, this situation only works for LetsEncrypt if you run your XMPP
+# server on the same host as your webserver (or if you use the ACME DNS
+# challenge).
+#
+# Check out the prosody_letsencrypt_proxy role for how we get around this.
+# Basically, just specify the hostname of your public webserver here, along with
+# and ssh keypair.
+prosody_le_proxy_host: dmz-www1
+prosody_le_ssh_privkey: '{{ vault_prosody_le_ssh_privkey }}'
+prosody_le_ssh_pubkey: ssh-ed25519 AAAAAAAchangeme
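Review bot: `prosody_le_ssh_privkey` gives the XMPP host an SSH identity on `prosody_le_proxy_host` (dmz-www1, per the comment), but nothing here states how that key is constrained on the web-server side; presumably it only needs to read certificate material. Document the expectation next to the key, e.g. `# Install the pubkey on the proxy host with a forced command and the 'restrict' option, so a compromised XMPP host can only fetch certificates.`. Which side initiates the connection is defined by the prosody_letsencrypt_proxy role and is not visible in this hunk, so adjust the wording if the direction is reversed. The comment also reads "along with and ssh keypair" — "an ssh keypair".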
diff --git a/inventory-example/group_vars/all/proxmox.yml b/inventory-example/group_vars/all/proxmox.yml
new file mode 100644
index 0000000..44cb9a1
--- /dev/null
+++ b/inventory-example/group_vars/all/proxmox.yml
@@ -0,0 +1,7 @@
+# These settings are used when provisioning new proxmox VMs.
+---
+proxmox_api_host: '{{ groups["proxmox_hypervisors"] | first }}'
+proxmox_api_user: ansible@pam
+proxmox_api_password: '{{ vault_proxmox_api_password }}'
+proxmox_node: '{{ proxmox_api_host }}'
+proxmox_password_salt: '{{ vault_proxmox_password_salt }}'
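Review bot: `proxmox_password_salt` is the one variable in this file the header comment does not explain; it is not clear what password it salts or what format it expects, so add a comment such as `# salt for the password set on newly provisioned VMs — TODO confirm which password and the expected format` (hedged, since the consuming role is outside this hunk). `proxmox_api_user: ansible@pam` is an OS-level PAM account authenticating with a password; if the provisioning module in use supports API tokens, a token bound to a role limited to VM creation would be narrower than a full PAM login, and either way the privileges this account needs deserve a comment.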
diff --git a/inventory-example/group_vars/all/psitransfer.yml b/inventory-example/group_vars/all/psitransfer.yml
new file mode 100644
index 0000000..eb61ea9
--- /dev/null
+++ b/inventory-example/group_vars/all/psitransfer.yml
@@ -0,0 +1,7 @@
+psitransfer_upload_cidrs:
+ - '{{ vlans.trusted.cidr }}'
+ - '{{ vlans.vpn.cidr }}'
+psitransfer_admin_cidrs:
+ - '{{ vlans.trusted.cidr }}'
+ - '{{ vlans.vpn.cidr }}'
+psitransfer_admin_password: '{{ vault_psitransfer_admin_password }}'
diff --git a/inventory-example/group_vars/all/root.yml b/inventory-example/group_vars/all/root.yml
new file mode 100644
index 0000000..bd86f96
--- /dev/null
+++ b/inventory-example/group_vars/all/root.yml
@@ -0,0 +1,6 @@
+root_authorized_keys:
+ - ssh-ed25519 AAAAAAAchangeme
+ - ssh-ed25519 AAAAAAAchangeme
+
+root_password: '{{ vault_root_password }}'
+root_password_salt: '{{ vault_root_password_salt }}'
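Review bot: Both `root_authorized_keys` entries lack the trailing key comment field (`ssh-ed25519 AAAA... <owner>`), so once real keys are pasted nothing in the file says which admin each key belongs to, which makes rotation and revocation guesswork. Suggest `- ssh-ed25519 AAAAAAAchangeme admin1@workstation # changeme` for each entry. The two identical placeholders also invite copying one key twice; distinct placeholder comments make the intent (one key per admin) explicit.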
diff --git a/inventory-example/group_vars/all/sudo.yml b/inventory-example/group_vars/all/sudo.yml
new file mode 100644
index 0000000..f6e93db
--- /dev/null
+++ b/inventory-example/group_vars/all/sudo.yml
@@ -0,0 +1,2 @@
+sudo_email: yes
+sudo_mailto: sysadmins@example.com
diff --git a/inventory-example/group_vars/all/syncthing.yml b/inventory-example/group_vars/all/syncthing.yml
new file mode 100644
index 0000000..ac3257f
--- /dev/null
+++ b/inventory-example/group_vars/all/syncthing.yml
@@ -0,0 +1,6 @@
+# Each user with a dedicated syncthing instance must have his or her own unique
+# port number for the sync traffic.
+---
+syncthing_users:
+ johndoe: 22001
+ janedoe: 22002
diff --git a/inventory-example/group_vars/all/syslog.yml b/inventory-example/group_vars/all/syslog.yml
new file mode 100644
index 0000000..390c157
--- /dev/null
+++ b/inventory-example/group_vars/all/syslog.yml
@@ -0,0 +1,2 @@
+syslog_host: syslog.{{ domain }}
+syslog_host_ip: "{{ hostvars[groups['syslog_servers'] | sort | first].ip }}"
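Review bot: `syslog_host_ip` resolves to the alphabetically first member of `syslog_servers` (`| sort | first`), which silently ignores any additional syslog host and fails with an undefined-variable error when the group is empty or that host has no `ip` hostvar. A comment should say so: `# Only one syslog server is supported: the alphabetically first host in syslog_servers; its 'ip' hostvar must be set.`. If `syslog_host` (the DNS name) and this IP are meant to point at the same machine, that dependency is also worth stating.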
diff --git a/inventory-example/group_vars/all/teddit.yml b/inventory-example/group_vars/all/teddit.yml
new file mode 100644
index 0000000..269bb27
--- /dev/null
+++ b/inventory-example/group_vars/all/teddit.yml
@@ -0,0 +1,3 @@
+teddit_port: 8081
+teddit_redis_port: 6379
+teddit_reddit_app_id: '{{ vault_teddit_reddit_app_id }}'
diff --git a/inventory-example/group_vars/all/vault.yml b/inventory-example/group_vars/all/vault.yml
new file mode 100644
index 0000000..c3e29c5
--- /dev/null
+++ b/inventory-example/group_vars/all/vault.yml
@@ -0,0 +1,124 @@
+# This is a sample file with fake secrets. For a real deployment, encrypt this
+# file with `ansible-vault encrypt` and add your own secrets.
+---
+# apache
+vault_apache_sysaccount_password: changeme
+
+
+# archiver
+vault_archive_ssh_privkey: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ AAAAAAAAAAAAchangeme
+ -----END OPENSSH PRIVATE KEY-----
+
+
+# asterisk
+vault_asterisk_ari_users:
+ - name: nagios
+ readonly: yes
+ password: changeme
+
+vault_asterisk_password_salt: changeme
+
+vault_asterisk_sip_extensions:
+ - name: 6001
+ context: house-phones
+ mailbox: 6000@default
+ cid_name: Living Room
+ password: changeme
+
+ - name: 6002
+ context: house-phones
+ mailbox: 6000@default
+ cid_name: Kitchen
+ password: changeme
+
+vault_asterisk_sip_trunks:
+ - name: upstream-provider
+ host: 'sip.example.com:5060'
+ username: changeme
+ password: changeme
+
+
+# coturn
+vault_coturn_auth_secret: changeme
+
+
+# freeipa
+vault_freeipa_admin_password: changeme
+vault_freeipa_ds_password: changeme
+
+
+# freeradius
+vault_freeradius_clients:
+ - name: unifi
+ address: '{{ vlans.mgmt.cidr }}'
+ secret: changeme
+
+
+# invidious
+vault_invidious_db_password: changeme
+vault_invidious_hmac_key: changeme
+
+
+# jellyfin
+vault_jellyfin_sysaccount_password: changeme
+
+
+# mediawiki
+vault_mediawiki_admin_password: changeme
+vault_mediawiki_upgrade_key: changeme
+vault_mediawiki_secret_key: changeme
+vault_mediawiki_sysaccount_password: changeme
+
+
+# nagios
+vault_nagios_snmp_auth_pass: changeme
+vault_nagios_snmp_priv_pass: changeme
+vault_nagios_ssh_privkey: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ AAAAAAAAAAAAAAAAchangeme
+ -----END OPENSSH PRIVATE KEY-----
+
+
+# nitter
+vault_nitter_hmac_key: changeme
+
+
+# prosody
+vault_prosody_le_ssh_privkey: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ AAAAAAAAAAAAAAAAchangeme
+ -----END OPENSSH PRIVATE KEY-----
+vault_prosody_sysaccount_password: changeme
+
+
+# proxmox
+vault_proxmox_api_password: changeme
+vault_proxmox_password_salt: changeme
+
+
+# psitransfer
+vault_psitransfer_admin_password: changeme
+
+
+# root user
+vault_root_password_salt: changeme
+vault_root_password: changeme
+
+
+# rspamd
+vault_rspamd_password: changeme
+vault_rspamd_password_hash: $2$changeme # generate with `rspamadm pw`
+vault_rspamd_privkey: changeme # generate with `rspamadm keypair`
+vault_rspamd_dkim_keys: # generate with `rspamadm dkim_keygen`
+ example.com: |
+ -----BEGIN RSA PRIVATE KEY-----
+ AAAAAAAAAAAAAAAAchangeme
+ -----END RSA PRIVATE KEY-----
+
+# teddit
+vault_teddit_reddit_app_id: changeme
+
+# vaultwarden
+vault_vaultwarden_admin_token: changeme # generate with `openssl rand -base64 48`
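Review bot: `vault_rspamd_password` and `vault_rspamd_password_hash` store the same credential twice, once in clear; if only the hash is consumed by the rspamd configuration the plaintext copy is unnecessary exposure inside the vault, and if something else (a monitoring check, for example) needs the plaintext, a comment should say which. Suggested: `# plaintext copy required by <consumer> — TODO confirm; drop it if only the hash is used`. This file also holds private keys (SSH, DKIM) under the same vault password as ordinary passwords; the header could note that the vault password therefore protects signing and login material and must not be reused for anything else.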
diff --git a/inventory-example/group_vars/all/vaultwarden.yml b/inventory-example/group_vars/all/vaultwarden.yml
new file mode 100644
index 0000000..71637f7
--- /dev/null
+++ b/inventory-example/group_vars/all/vaultwarden.yml
@@ -0,0 +1 @@
+vaultwarden_admin_token: '{{ vault_vaultwarden_admin_token }}'
diff --git a/inventory-example/group_vars/all/wireguard.yml b/inventory-example/group_vars/all/wireguard.yml
new file mode 100644
index 0000000..1c0a33c
--- /dev/null
+++ b/inventory-example/group_vars/all/wireguard.yml
@@ -0,0 +1,2 @@
+wireguard_host: 203.0.113.41 # your external VPN IP - changeme
+wireguard_pubkey: AAAAAAAAAAchangeme
diff --git a/inventory-example/group_vars/all/yum.yml b/inventory-example/group_vars/all/yum.yml
new file mode 100644
index 0000000..6cbfae5
--- /dev/null
+++ b/inventory-example/group_vars/all/yum.yml
@@ -0,0 +1 @@
+yum_host: yum.{{ domain }}
diff --git a/inventory-example/group_vars/dav_servers.yml b/inventory-example/group_vars/dav_servers.yml
new file mode 100644
index 0000000..239067a
--- /dev/null
+++ b/inventory-example/group_vars/dav_servers.yml
@@ -0,0 +1,6 @@
+apache_can_sendmail: yes
+apache_can_network_connect_db: yes
+apache_can_connect_ldap: yes
+apache_gssapi: yes
+
+nagios_http_status: 401
diff --git a/inventory-example/group_vars/dmz.yml b/inventory-example/group_vars/dmz.yml
new file mode 100644
index 0000000..ba0b0c9
--- /dev/null
+++ b/inventory-example/group_vars/dmz.yml
@@ -0,0 +1 @@
+freeipa_autofs: no
diff --git a/inventory-example/group_vars/el8.yml b/inventory-example/group_vars/el8.yml
new file mode 100644
index 0000000..1aedd96
--- /dev/null
+++ b/inventory-example/group_vars/el8.yml
@@ -0,0 +1,3 @@
+# Force legacy BIOS for Rocky 8 VMs - UEFI doesn't seem to work.
+proxmox_template: rocky8.7
+proxmox_bios: seabios
diff --git a/inventory-example/group_vars/freeipa_master.yml b/inventory-example/group_vars/freeipa_master.yml
new file mode 100644
index 0000000..fbaa5b2
--- /dev/null
+++ b/inventory-example/group_vars/freeipa_master.yml
@@ -0,0 +1,6 @@
+# The initial FreeIPA installation requires an upstream DNS server to bootstrap itself.
+proxmox_nameservers: '{{ freeipa_dns_forwarders }}'
+
+# Update the FreeIPA master every *other* day. If there's a botched automatic
+# update, we don't want to take the entire domain down overnight.
+dnf_automatic_on_calendar: '*-*-1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31 04:00:00'
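Review bot: The `dnf_automatic_on_calendar` comment promises updates every *other* day, but a fixed odd-day list breaks that at month boundaries: in 31-day months the 31st and the 1st are consecutive, so the master can be updated two days in a row, and 30-day months leave a two-day gap. If the goal is staggering the master against the replicas, the comment should state the replicas' schedule and acknowledge the overlap, e.g. `# odd days of the month (note: 31st and 1st are consecutive in 31-day months)`. systemd calendar expressions are month-relative, so a true alternating-day schedule is not expressible and this is a documentation fix rather than a config change.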
diff --git a/inventory-example/group_vars/git_servers.yml b/inventory-example/group_vars/git_servers.yml
new file mode 100644
index 0000000..5f975fc
--- /dev/null
+++ b/inventory-example/group_vars/git_servers.yml
@@ -0,0 +1 @@
+apache_gssapi: yes
diff --git a/inventory-example/group_vars/linux_desktops.yml b/inventory-example/group_vars/linux_desktops.yml
new file mode 100644
index 0000000..af4775a
--- /dev/null
+++ b/inventory-example/group_vars/linux_desktops.yml
@@ -0,0 +1 @@
+tuned_profile: desktop
diff --git a/inventory-example/group_vars/linux_laptops.yml b/inventory-example/group_vars/linux_laptops.yml
new file mode 100644
index 0000000..428c40b
--- /dev/null
+++ b/inventory-example/group_vars/linux_laptops.yml
@@ -0,0 +1,2 @@
+tuned_profile: powersave
+rsyslog_forward: no
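Review bot: `rsyslog_forward: no` removes laptops from central log collection without a stated reason, so any detection that relies on the syslog server simply has no data for these hosts. If the reason is that laptops roam off-network, say so and note the coverage gap, e.g. `# laptops roam off-net; logs stay local only — no central visibility for these hosts`. If the forwarding role can spool to disk while disconnected, forwarding with a local queue would be the better default.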
diff --git a/inventory-example/group_vars/nagios_servers.yml b/inventory-example/group_vars/nagios_servers.yml
new file mode 100644
index 0000000..5f975fc
--- /dev/null
+++ b/inventory-example/group_vars/nagios_servers.yml
@@ -0,0 +1 @@
+apache_gssapi: yes
diff --git a/inventory-example/group_vars/nfs_servers.yml b/inventory-example/group_vars/nfs_servers.yml
new file mode 100644
index 0000000..59135b8
--- /dev/null
+++ b/inventory-example/group_vars/nfs_servers.yml
@@ -0,0 +1,10 @@
+dnf_automatic_restart: no
+
+nagios_disks:
+ - regex: ^(/sys|/dev|/run|/rpool|/tank)
+ exclude: yes
+ description: disks
+
+ - regex: ^/tank
+ description: zfs
+ terse: yes
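Review bot: The group-level `nagios_disks` replaces the `all`-level list wholesale (Ansible does not merge lists across precedence levels), and neither entry here carries the `warn`/`crit` keys that the `all` definition sets from `nagios_disk_warn`/`nagios_disk_crit`, so thresholds on NFS servers fall back to whatever the role's defaults are — possibly none. Add `warn: '{{ nagios_disk_warn }}'` and `crit: '{{ nagios_disk_crit }}'` to both entries, or a comment stating that the role supplies those defaults if it does. `terse: yes` on the zfs entry appears nowhere else in the inventory; a short comment on what it changes in the check would help.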
diff --git a/inventory-example/group_vars/opnsense_firewalls.yml b/inventory-example/group_vars/opnsense_firewalls.yml
new file mode 100644
index 0000000..8a4ac7b
--- /dev/null
+++ b/inventory-example/group_vars/opnsense_firewalls.yml
@@ -0,0 +1,7 @@
+ansible_python_interpreter: /usr/local/bin/python3
+
+# If you want OPNsense to serve PXE, you need the following plugins:
+# - os-tftp
+# - os-nginx
+pxe_root: /usr/local/tftp
+pxe_http_port: 8080
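Review bot: `pxe_root` and `pxe_http_port` turn the firewall into a TFTP and HTTP boot-image server, and TFTP has no authentication; the comment lists the required plugins but not which interfaces or VLANs the listeners are bound to. Add e.g. `# bind the tftp/nginx listeners to the PXE VLAN only; anything that can reach them can fetch (and, if writable, alter) boot images` so the exposure is explicit. Whether the role restricts the listeners itself is not visible here.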
diff --git a/inventory-example/group_vars/photostructure_servers.yml b/inventory-example/group_vars/photostructure_servers.yml
new file mode 100644
index 0000000..a5542b4
--- /dev/null
+++ b/inventory-example/group_vars/photostructure_servers.yml
@@ -0,0 +1,2 @@
+apache_gssapi: yes
+nagios_http_status: 401
diff --git a/inventory-example/group_vars/proxmox_hypervisors.yml b/inventory-example/group_vars/proxmox_hypervisors.yml
new file mode 100644
index 0000000..f1a3ed4
--- /dev/null
+++ b/inventory-example/group_vars/proxmox_hypervisors.yml
@@ -0,0 +1 @@
+ansible_python_interpreter: /usr/bin/python3
diff --git a/inventory-example/group_vars/proxmox_instances.yml b/inventory-example/group_vars/proxmox_instances.yml
new file mode 100644
index 0000000..e6e7eab
--- /dev/null
+++ b/inventory-example/group_vars/proxmox_instances.yml
@@ -0,0 +1,2 @@
+tuned_profile: virtual-guest
+grub_cmdline: console=ttyS0,115200n8 no_timer_check net.ifnames=0
diff --git a/inventory-example/group_vars/rspamd_servers.yml b/inventory-example/group_vars/rspamd_servers.yml
new file mode 100644
index 0000000..54e8be4
--- /dev/null
+++ b/inventory-example/group_vars/rspamd_servers.yml
@@ -0,0 +1,2 @@
+nagios_http_status: 401
+apache_gssapi: yes
diff --git a/inventory-example/group_vars/switches/vars.yml b/inventory-example/group_vars/switches/vars.yml
new file mode 100644
index 0000000..8892a35
--- /dev/null
+++ b/inventory-example/group_vars/switches/vars.yml
@@ -0,0 +1,6 @@
+nagios_snmp_priv_proto: DES
+nagios_snmp_priv_pass: '{{ vault_nagios_snmp_priv_pass }}'
+nagios_snmp_auth_pass: '{{ vault_nagios_snmp_auth_pass }}'
+
+nagios_interface_discard_warn: 1000
+nagios_interface_discard_crit: 2000
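Review bot: `nagios_snmp_priv_proto: DES` selects single-DES for SNMPv3 privacy, which is weak and deprecated; if the switches' firmware supports AES, switch this to the role's AES option, and if it does not, a comment should record that constraint so the setting is not mistaken for a choice, e.g. `# DES: the only privacy protocol these switches support — TODO confirm`. The authentication protocol is not set in this hunk, so it inherits whatever the `all` group or the role default provides; stating it explicitly next to these lines would make the SNMPv3 posture reviewable in one place.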
diff --git a/inventory-example/group_vars/switches/vault.yml b/inventory-example/group_vars/switches/vault.yml
new file mode 100644
index 0000000..2015d5f
--- /dev/null
+++ b/inventory-example/group_vars/switches/vault.yml
@@ -0,0 +1,5 @@
+# This is a sample file with fake secrets. For a real deployment, encrypt this
+# file with `ansible-vault encrypt` and add your own secrets.
+---
+vault_nagios_snmp_priv_pass: changeme
+vault_nagios_snmp_auth_pass: changeme
diff --git a/inventory-example/group_vars/syncthing_servers.yml b/inventory-example/group_vars/syncthing_servers.yml
new file mode 100644
index 0000000..5f975fc
--- /dev/null
+++ b/inventory-example/group_vars/syncthing_servers.yml
@@ -0,0 +1 @@
+apache_gssapi: yes
diff --git a/inventory-example/group_vars/ttrss_servers.yml b/inventory-example/group_vars/ttrss_servers.yml
new file mode 100644
index 0000000..fc33f6a
--- /dev/null
+++ b/inventory-example/group_vars/ttrss_servers.yml
@@ -0,0 +1,5 @@
+apache_gssapi: yes
+apache_can_sendmail: yes
+apache_can_network_connect_db: yes
+apache_can_network_connect: yes
+apache_can_connect_ldap: yes
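Review bot: `apache_can_network_connect: yes` (here and in wiki_servers.yml) presumably maps to the broad SELinux boolean that lets httpd open any outbound connection, which subsumes the more specific `_db` and `_ldap` flags set alongside it; dav_servers.yml gets by without it. Each use of the broad flag should carry a one-line justification, e.g. `apache_can_network_connect: yes # feed fetching needs arbitrary outbound HTTP`, so a reviewer can tell whether it is still needed. The mapping to SELinux booleans is inferred from the names and is not visible in this hunk.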
diff --git a/inventory-example/group_vars/unifi_controllers.yml b/inventory-example/group_vars/unifi_controllers.yml
new file mode 100644
index 0000000..d3a5574
--- /dev/null
+++ b/inventory-example/group_vars/unifi_controllers.yml
@@ -0,0 +1,3 @@
+nagios_interface_discard_warn: 500
+nagios_interface_discard_crit: 1000
+freeipa_autofs: no
diff --git a/inventory-example/group_vars/wiki_servers.yml b/inventory-example/group_vars/wiki_servers.yml
new file mode 100644
index 0000000..527d9ef
--- /dev/null
+++ b/inventory-example/group_vars/wiki_servers.yml
@@ -0,0 +1,7 @@
+apache_gssapi: yes
+apache_can_sendmail: yes
+apache_can_network_connect_db: yes
+apache_can_connect_ldap: yes
+apache_can_network_connect: yes
+
+nagios_http_status: 401
diff --git a/inventory-example/group_vars/xmpp_servers.yml b/inventory-example/group_vars/xmpp_servers.yml
new file mode 100644
index 0000000..dd6b7b4
--- /dev/null
+++ b/inventory-example/group_vars/xmpp_servers.yml
@@ -0,0 +1 @@
+nagios_https_vhosts: ['{{ prosody_http_host | default(ansible_fqdn) }}']
diff --git a/inventory-example/host_vars/bitwarden1.yml b/inventory-example/host_vars/bitwarden1.yml
new file mode 100644
index 0000000..feb6baa
--- /dev/null
+++ b/inventory-example/host_vars/bitwarden1.yml
@@ -0,0 +1 @@
+vaultwarden_server_name: bitwarden.{{ domain }}
diff --git a/inventory-example/host_vars/dmz-git1.yml b/inventory-example/host_vars/dmz-git1.yml
new file mode 100644
index 0000000..e5b5f76
--- /dev/null
+++ b/inventory-example/host_vars/dmz-git1.yml
@@ -0,0 +1,21 @@
+apache_letsencrypt: yes
+apache_server_name: git.example.com # changeme
+nagios_https_vhosts: ['{{ apache_server_name }}']
+
+cgit_clone_prefixes: # changeme - public clone URL displayed in cgit interface
+ - https://git.example.com
+
+cgit_cache_size: 10000
+
+# changeme: everything below this line
+cgit_title: 'ACME Corp : git'
+cgit_description: Source code for ACME Corporation
+
+cgit_about_html: >
+ This is just an example. Change me!
+
+cgit_logo: ~/assets/cgit/acme_logo.png
+cgit_favicon: ~/assets/cgit/acme_favicon.png
+cgit_css: ~/assets/cgit/acme.css
+cgit_header: ~/assets/cgit/acme-header.html
+cgit_head_include: ~/assets/cgit/acme-head-include.html
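Review bot: The `cgit_logo`/`cgit_favicon`/`cgit_css`/`cgit_header`/`cgit_head_include` values use `~/assets/...`, which only makes sense relative to a home directory; whether that is the Ansible controller user's home or the remote user's is not stated, and `~` expansion differs between controller-side sources and remote paths. Add a comment above the group: `# controller-side paths (expanded on the machine running ansible) — TODO confirm`. The "changeme: everything below this line" marker covers these values, but the path convention is what a new operator would get wrong.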
diff --git a/inventory-example/host_vars/dmz-mx1.yml b/inventory-example/host_vars/dmz-mx1.yml
new file mode 100644
index 0000000..2ee6004
--- /dev/null
+++ b/inventory-example/host_vars/dmz-mx1.yml
@@ -0,0 +1 @@
+postfix_myhostname: mx1.example.com # changeme - your public MX hostname
diff --git a/inventory-example/host_vars/dmz-www1.yml b/inventory-example/host_vars/dmz-www1.yml
new file mode 100644
index 0000000..b44309e
--- /dev/null
+++ b/inventory-example/host_vars/dmz-www1.yml
@@ -0,0 +1,9 @@
+nagios_https_vhosts: # changeme - https vhosts to monitor
+ - example.com
+ - example.net
+ - www.example.com
+ - www.example.net
+
+# subdirs of /var/www to be included in the backup.yml playbook
+apache_backup_dirs:
+ - www.example.com
diff --git a/inventory-example/host_vars/nas1.yml b/inventory-example/host_vars/nas1.yml
new file mode 100644
index 0000000..304e16f
--- /dev/null
+++ b/inventory-example/host_vars/nas1.yml
@@ -0,0 +1,128 @@
+# This file contains a few complex dictionaries used to set up ZFS datasets,
+# NFS exports, autofs mounts, and file permissions for network shares.
+#
+# changeme: everything in this file, probably.
+---
+# zpools for this host, and any pool-level properties you wish to set
+zfs_pools:
+ - name: tank
+ mountpoint: /tank
+ properties:
+ ashift: 12
+ autotrim: 'on'
+ vdevs:
+ - type: raidz2
+ devices:
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000001
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000002
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000003
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000004
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000005
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000006
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000007
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000008
+ - type: raidz2
+ devices:
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000009
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000010
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000011
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000012
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000013
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000014
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000015
+ - /dev/disk/by-id/scsi-SSEAGATE_SSSSSSSSSSSS_00000016
+ - type: log
+ devices:
+ - /dev/disk/by-id/nvme-INTEL_IIIIIIIIIIIII_000000000000000001
+
+# ZFS datasets for this host, and any properties you wish to set.
+zfs_datasets:
+ - name: tank
+ properties:
+ compression: lz4
+ acltype: posix
+ xattr: sa
+ relatime: 'on'
+ com.sun:auto-snapshot:frequent: 'false'
+
+# For each NFS export on this host, specify the following:
+# - dataset: zfs dataset
+# - zfs_properties: zfs dataset properties
+# - owner: unix owner of the directory
+# - group: unix group owner of the directory
+# - acl: list of POSIX ACLs for the directory
+# - options: NFS export options
+# - client: NFS client list
+# - automount_map: autofs map name
+# - autofs_key: autofs key name (default: basename)
+# - smb_share: SMB share name if you want to share directory over CIFS
+nfs_exports:
+ - dataset: tank/archive
+ zfs_properties:
+ refquota: 500G
+ owner: s-archiver
+ group: sysadmins
+ mode: 02770
+ acl:
+ - entity: sysadmins
+ etype: group
+ permissions: rwX
+ default: yes
+ options: crossmnt
+ clients:
+ - client: archive1
+ options: sec=krb5p,rw
+ automount_map: auto.nfs
+
+ - dataset: tank/media/pictures
+ group: role-photo-admin
+ mode: 02770
+ acl:
+ - entity: role-photo-admin
+ etype: group
+ permissions: rwX
+ default: yes
+ options: rw,crossmnt
+ clients:
+ - client: '{{ vlans.trusted.cidr }}'
+ options: sec=krb5p
+ - client: syncthing1
+ options: sec=sys
+ automount_map: auto.nfs_media
+
+ - dataset: tank/media/music
+ group: role-music-admin
+ mode: 02770
+ acl:
+ - entity: role-music-admin
+ etype: group
+ permissions: rwX
+ default: yes
+
+ - entity: role-music-access
+ etype: group
+ permissions: rX
+ default: yes
+ options: rw,crossmnt
+ clients:
+ - client: '{{ vlans.trusted.cidr }}'
+ options: sec=krb5p
+ - client: syncthing1
+ options: sec=sys
+ automount_map: auto.nfs_media
+
+# This list contains all users whose homedirs should live on this host.
+# ZFS datasets, NFS exports, and autofs maps will be created automatically.
+nfs_homedirs:
+ - user: johndoe
+ priv_quota: 250G
+ - user: janedoe
+ priv_quota: 250G
+ - group: doefamily
+ priv_quota: 500G
+
+# List any SMB shares to create here.
+# All home directories automatically get an SMB share.
+smb_shares:
+ - name: media
+ path: /tank/media
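Review bot: The key list documented above `nfs_exports` does not match the entries: it says `- client: NFS client list` but every entry uses `clients:`, it omits `mode` (used in all three entries), and `autofs_key`/`smb_share` are listed but never used. Update the comment to `- clients: list of {client, options} NFS client entries` and add `- mode: directory mode (octal string)`. The `tank/media/pictures` and `tank/media/music` entries set no `owner`, so ownership of those directories is decided by the role — worth a comment stating the expected default. The `syncthing1` client entries use `sec=sys` on writable group shares; the trust consequence (client-supplied UIDs are believed) should be noted here as well as in group_vars/all/nfs.yml.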
diff --git a/inventory-example/host_vars/opnsense1/vars.yml b/inventory-example/host_vars/opnsense1/vars.yml
new file mode 100644
index 0000000..ec5ab37
--- /dev/null
+++ b/inventory-example/host_vars/opnsense1/vars.yml
@@ -0,0 +1,8 @@
+freebsd_loader_config:
+ 'mrsas_load': 'YES'
+ 'hw.mfi.mrsas_enable': 1
+ 'kern.ipc.nmbclusters': 1000000
+ 'kern.ipc.nmbjumbop': 524288
+
+opnsense_backup_api_key: '{{ vault_opnsense_backup_api_key }}'
+opnsense_backup_api_secret: '{{ vault_opnsense_backup_api_secret }}'
diff --git a/inventory-example/host_vars/opnsense1/vault.yml b/inventory-example/host_vars/opnsense1/vault.yml
new file mode 100644
index 0000000..fbc5b60
--- /dev/null
+++ b/inventory-example/host_vars/opnsense1/vault.yml
@@ -0,0 +1,6 @@
+# This is a sample file with fake secrets. For a real deployment, encrypt this
+# file with `ansible-vault encrypt` and add your own secrets.
+---
+# Generate these values from the OPNsense web interface.
+vault_opnsense_backup_api_key: AAAAAAAAAAAchangeme
+vault_opnsense_backup_api_secret: AAAAAAAAAchangeme
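Review bot: The comment `Generate these values from the OPNsense web interface.` does not say which user the API key should belong to; a key generated for the root/admin user grants far more than a backup download needs. Suggest `# Generate these for a dedicated OPNsense user whose only privilege is the backup download, not for root.`.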
diff --git a/inventory-example/host_vars/privbrowse1.yml b/inventory-example/host_vars/privbrowse1.yml
new file mode 100644
index 0000000..155cbf0
--- /dev/null
+++ b/inventory-example/host_vars/privbrowse1.yml
@@ -0,0 +1,8 @@
+cname:
+ - invidious
+ - nitter
+ - teddit
+
+invidious_server_name: invidious.{{ domain }}
+teddit_server_name: teddit.{{ domain }}
+nitter_server_name: nitter.{{ domain }}
diff --git a/inventory-example/host_vars/switch1/vars.yml b/inventory-example/host_vars/switch1/vars.yml
new file mode 100644
index 0000000..f09d6f3
--- /dev/null
+++ b/inventory-example/host_vars/switch1/vars.yml
@@ -0,0 +1,15 @@
+edgeswitch_backup_username: changeme
+edgeswitch_backup_password: '{{ vault_edgeswitch_backup_password }}'
+
+nagios_interfaces: # changeme (or delete)
+ - 0/1
+ - 0/2
+ - 0/3
+ - 0/4
+ - 0/5
+ - 0/6
+ - 0/7
+ - 0/8
+ - 0/9
+ - 0/10
+ - 3/1
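Review bot: `nagios_interfaces` here is a list of bare port names (`0/1` … `3/1`), while the `all`-level definition in group_vars/all/nagios.yml is a list of dicts with `regex`, `description` and threshold keys; the host-level value replaces the group-level one entirely, so the role must accept both shapes or this host ends up with no interface thresholds. State which it is next to the `# changeme (or delete)` marker, e.g. `# plain port names: thresholds come from nagios_interface_* defaults — TODO confirm the role accepts this shape`.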
diff --git a/inventory-example/host_vars/switch1/vault.yml b/inventory-example/host_vars/switch1/vault.yml
new file mode 100644
index 0000000..7067cd6
--- /dev/null
+++ b/inventory-example/host_vars/switch1/vault.yml
@@ -0,0 +1,4 @@
+# This is a sample file with fake secrets. For a real deployment, encrypt this
+# file with `ansible-vault encrypt` and add your own secrets.
+---
+vault_edgeswitch_backup_password: changeme
diff --git a/inventory-example/host_vars/ttrss1.yml b/inventory-example/host_vars/ttrss1.yml
new file mode 100644
index 0000000..f81784a
--- /dev/null
+++ b/inventory-example/host_vars/ttrss1.yml
@@ -0,0 +1 @@
+ttrss_server_name: ttrss.{{ domain }}
diff --git a/inventory-example/host_vars/tuxbook1.yml b/inventory-example/host_vars/tuxbook1.yml
new file mode 100644
index 0000000..9fd1945
--- /dev/null
+++ b/inventory-example/host_vars/tuxbook1.yml
@@ -0,0 +1 @@
+linux_laptop_wlan_device: wlp2s0
diff --git a/inventory-example/host_vars/tuxstation1.yml b/inventory-example/host_vars/tuxstation1.yml
new file mode 100644
index 0000000..92f34ef
--- /dev/null
+++ b/inventory-example/host_vars/tuxstation1.yml
@@ -0,0 +1,5 @@
+# When powersave is enabled on the communication controller of the Dell
+# Optiplex Micro, the onboad NIC drops a *huge* amount of packets.
+# see https://bugzilla.kernel.org/show_bug.cgi?id=213377
+udev_pci_powersave_blacklist:
+ - 8086:43e0
diff --git a/inventory-example/host_vars/tuxstation2.yml b/inventory-example/host_vars/tuxstation2.yml
new file mode 100644
index 0000000..ca83f4e
--- /dev/null
+++ b/inventory-example/host_vars/tuxstation2.yml
@@ -0,0 +1,8 @@
+# When powersave is enabled on the communication controller of the Dell
+# Optiplex Micro, the onboad NIC drops a *huge* amount of packets.
+# see https://bugzilla.kernel.org/show_bug.cgi?id=213377
+udev_pci_powersave_blacklist:
+ - 8086:7ae8
+
+# This i915 parameter was required in EL8
+grub_cmdline: resume=/dev/mapper/rl-swap rd.lvm.lv=rl/root rd.lvm.lv=rl/swap i915.force_probe=4680
diff --git a/inventory-example/host_vars/wiki1.yml b/inventory-example/host_vars/wiki1.yml
new file mode 100644
index 0000000..3141618
--- /dev/null
+++ b/inventory-example/host_vars/wiki1.yml
@@ -0,0 +1 @@
+mediawiki_fqdn: wiki.{{ domain }}
diff --git a/inventory-example/host_vars/www1.yml b/inventory-example/host_vars/www1.yml
new file mode 100644
index 0000000..d65643b
--- /dev/null
+++ b/inventory-example/host_vars/www1.yml
@@ -0,0 +1 @@
+apache_use_nfs: yes