From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001 
From: Stonewall Jackson Date: Sat, 4 Feb 2023 01:23:43 -0500 Subject: initial commit --- .../group_vars/access_points/vars.yml | 12 ++ .../group_vars/access_points/vault.yml | 6 + inventory-example/group_vars/all/apache.yml | 1 + inventory-example/group_vars/all/archive.yml | 2 + inventory-example/group_vars/all/asterisk.yml | 105 +++++++++++++++ inventory-example/group_vars/all/coturn.yml | 3 + inventory-example/group_vars/all/cups.yml | 1 + inventory-example/group_vars/all/firefox.yml | 73 +++++++++++ inventory-example/group_vars/all/freeipa.yml | 144 +++++++++++++++++++++ inventory-example/group_vars/all/freeradius.yml | 1 + inventory-example/group_vars/all/git.yml | 2 + inventory-example/group_vars/all/global.yml | 105 +++++++++++++++ inventory-example/group_vars/all/hastebin.yml | 3 + inventory-example/group_vars/all/invidious.yml | 4 + inventory-example/group_vars/all/jellyfin.yml | 1 + inventory-example/group_vars/all/mail.yml | 21 +++ inventory-example/group_vars/all/mediawiki.yml | 9 ++ inventory-example/group_vars/all/nagios.yml | 90 +++++++++++++ inventory-example/group_vars/all/nfs.yml | 11 ++ inventory-example/group_vars/all/nitter.yml | 3 + inventory-example/group_vars/all/nsd.yml | 54 ++++++++ inventory-example/group_vars/all/packages.yml | 4 + .../group_vars/all/photostructure.yml | 3 + inventory-example/group_vars/all/polkit.yml | 1 + inventory-example/group_vars/all/postgres.yml | 4 + inventory-example/group_vars/all/prosody.yml | 16 +++ inventory-example/group_vars/all/proxmox.yml | 7 + inventory-example/group_vars/all/psitransfer.yml | 7 + inventory-example/group_vars/all/root.yml | 6 + inventory-example/group_vars/all/sudo.yml | 2 + inventory-example/group_vars/all/syncthing.yml | 6 + inventory-example/group_vars/all/syslog.yml | 2 + inventory-example/group_vars/all/teddit.yml | 3 + inventory-example/group_vars/all/vault.yml | 124 ++++++++++++++++++ inventory-example/group_vars/all/vaultwarden.yml | 1 + 
inventory-example/group_vars/all/wireguard.yml | 2 + inventory-example/group_vars/all/yum.yml | 1 + inventory-example/group_vars/dav_servers.yml | 6 + inventory-example/group_vars/dmz.yml | 1 + inventory-example/group_vars/el8.yml | 3 + inventory-example/group_vars/freeipa_master.yml | 6 + inventory-example/group_vars/git_servers.yml | 1 + inventory-example/group_vars/linux_desktops.yml | 1 + inventory-example/group_vars/linux_laptops.yml | 2 + inventory-example/group_vars/nagios_servers.yml | 1 + inventory-example/group_vars/nfs_servers.yml | 10 ++ .../group_vars/opnsense_firewalls.yml | 7 + .../group_vars/photostructure_servers.yml | 2 + .../group_vars/proxmox_hypervisors.yml | 1 + inventory-example/group_vars/proxmox_instances.yml | 2 + inventory-example/group_vars/rspamd_servers.yml | 2 + inventory-example/group_vars/switches/vars.yml | 6 + inventory-example/group_vars/switches/vault.yml | 5 + inventory-example/group_vars/syncthing_servers.yml | 1 + inventory-example/group_vars/ttrss_servers.yml | 5 + inventory-example/group_vars/unifi_controllers.yml | 3 + inventory-example/group_vars/wiki_servers.yml | 7 + inventory-example/group_vars/xmpp_servers.yml | 1 + 58 files changed, 913 insertions(+) create mode 100644 inventory-example/group_vars/access_points/vars.yml create mode 100644 inventory-example/group_vars/access_points/vault.yml create mode 100644 inventory-example/group_vars/all/apache.yml create mode 100644 inventory-example/group_vars/all/archive.yml create mode 100644 inventory-example/group_vars/all/asterisk.yml create mode 100644 inventory-example/group_vars/all/coturn.yml create mode 100644 inventory-example/group_vars/all/cups.yml create mode 100644 inventory-example/group_vars/all/firefox.yml create mode 100644 inventory-example/group_vars/all/freeipa.yml create mode 100644 inventory-example/group_vars/all/freeradius.yml create mode 100644 inventory-example/group_vars/all/git.yml create mode 100644 inventory-example/group_vars/all/global.yml 
create mode 100644 inventory-example/group_vars/all/hastebin.yml create mode 100644 inventory-example/group_vars/all/invidious.yml create mode 100644 inventory-example/group_vars/all/jellyfin.yml create mode 100644 inventory-example/group_vars/all/mail.yml create mode 100644 inventory-example/group_vars/all/mediawiki.yml create mode 100644 inventory-example/group_vars/all/nagios.yml create mode 100644 inventory-example/group_vars/all/nfs.yml create mode 100644 inventory-example/group_vars/all/nitter.yml create mode 100644 inventory-example/group_vars/all/nsd.yml create mode 100644 inventory-example/group_vars/all/packages.yml create mode 100644 inventory-example/group_vars/all/photostructure.yml create mode 100644 inventory-example/group_vars/all/polkit.yml create mode 100644 inventory-example/group_vars/all/postgres.yml create mode 100644 inventory-example/group_vars/all/prosody.yml create mode 100644 inventory-example/group_vars/all/proxmox.yml create mode 100644 inventory-example/group_vars/all/psitransfer.yml create mode 100644 inventory-example/group_vars/all/root.yml create mode 100644 inventory-example/group_vars/all/sudo.yml create mode 100644 inventory-example/group_vars/all/syncthing.yml create mode 100644 inventory-example/group_vars/all/syslog.yml create mode 100644 inventory-example/group_vars/all/teddit.yml create mode 100644 inventory-example/group_vars/all/vault.yml create mode 100644 inventory-example/group_vars/all/vaultwarden.yml create mode 100644 inventory-example/group_vars/all/wireguard.yml create mode 100644 inventory-example/group_vars/all/yum.yml create mode 100644 inventory-example/group_vars/dav_servers.yml create mode 100644 inventory-example/group_vars/dmz.yml create mode 100644 inventory-example/group_vars/el8.yml create mode 100644 inventory-example/group_vars/freeipa_master.yml create mode 100644 inventory-example/group_vars/git_servers.yml create mode 100644 inventory-example/group_vars/linux_desktops.yml create mode 100644 
inventory-example/group_vars/linux_laptops.yml create mode 100644 inventory-example/group_vars/nagios_servers.yml create mode 100644 inventory-example/group_vars/nfs_servers.yml create mode 100644 inventory-example/group_vars/opnsense_firewalls.yml create mode 100644 inventory-example/group_vars/photostructure_servers.yml create mode 100644 inventory-example/group_vars/proxmox_hypervisors.yml create mode 100644 inventory-example/group_vars/proxmox_instances.yml create mode 100644 inventory-example/group_vars/rspamd_servers.yml create mode 100644 inventory-example/group_vars/switches/vars.yml create mode 100644 inventory-example/group_vars/switches/vault.yml create mode 100644 inventory-example/group_vars/syncthing_servers.yml create mode 100644 inventory-example/group_vars/ttrss_servers.yml create mode 100644 inventory-example/group_vars/unifi_controllers.yml create mode 100644 inventory-example/group_vars/wiki_servers.yml create mode 100644 inventory-example/group_vars/xmpp_servers.yml (limited to 'inventory-example/group_vars') diff --git a/inventory-example/group_vars/access_points/vars.yml b/inventory-example/group_vars/access_points/vars.yml new file mode 100644 index 0000000..05aaf5d --- /dev/null +++ b/inventory-example/group_vars/access_points/vars.yml @@ -0,0 +1,12 @@ +nagios_snmp_priv_pass: '{{ vault_nagios_snmp_priv_pass }}' +nagios_snmp_auth_pass: '{{ vault_nagios_snmp_auth_pass }}' + +nagios_interfaces: + - eth0 + - regex: '^wifi[0-9]' + description: wifi + down_ok: yes + discard_warn: 500 + discard_crit: 1000 + error_warn: 500 + error_crit: 1000 diff --git a/inventory-example/group_vars/access_points/vault.yml b/inventory-example/group_vars/access_points/vault.yml new file mode 100644 index 0000000..f39f186 --- /dev/null +++ b/inventory-example/group_vars/access_points/vault.yml 
@@ -0,0 +1,6 @@ +# This is a sample file with fake secrets. For a real deployment, encrypt this +# file with `ansible-vault encrypt` and add your own secrets. +--- +# Unifi APs require the privpass and authpass to be identical...sad! +vault_nagios_snmp_priv_pass: changeme +vault_nagios_snmp_auth_pass: changeme diff --git a/inventory-example/group_vars/all/apache.yml b/inventory-example/group_vars/all/apache.yml new file mode 100644 index 0000000..85c7abf --- /dev/null +++ b/inventory-example/group_vars/all/apache.yml @@ -0,0 +1 @@ +apache_sysaccount_password: '{{ vault_apache_sysaccount_password }}' diff --git a/inventory-example/group_vars/all/archive.yml b/inventory-example/group_vars/all/archive.yml new file mode 100644 index 0000000..65d8144 --- /dev/null +++ b/inventory-example/group_vars/all/archive.yml @@ -0,0 +1,2 @@ +archive_ssh_privkey: '{{ vault_archive_ssh_privkey }}' +archive_ssh_pubkey: ssh-rsa AAAAAAAAAchangeme diff --git a/inventory-example/group_vars/all/asterisk.yml b/inventory-example/group_vars/all/asterisk.yml new file mode 100644 index 0000000..0f4f1b2 --- /dev/null +++ b/inventory-example/group_vars/all/asterisk.yml 
@@ -0,0 +1,105 @@ +asterisk_external_ip: 203.0.113.62 # changeme +asterisk_fqdn: pbx.example.com # changeme +asterisk_local_nets: + - '{{ vlans.voip.cidr }}' + +asterisk_password_salt: '{{ vault_asterisk_password_salt }}' + +asterisk_voicemail_contexts: # changeme + default: + - address: 6000 + password: 1234 + name: Doe Family + email: doefamily@example.com + +asterisk_sip_trunks: '{{ vault_asterisk_sip_trunks }}' +asterisk_sip_extensions: '{{ vault_asterisk_sip_extensions }}' +asterisk_ari_users: '{{ vault_asterisk_ari_users }}' + +asterisk_queues: # changeme + - name: house-phones + strategy: ringall + retry: 1 + timeout: 30 + members: + - 6001 + - 6002 + - 6003 + +# changeme - dump your asterisk dialplan into this variable +asterisk_dialplan: | + [globals] + AREA_CODE = 555 + + ; voicemail + VOICEMAIL_NUMBER = *99 + VOICEMAIL_CONTEXT = default + VOICEMAIL_RING_TIMEOUT = 25 + + ; extension patterns + INTERCOM = 6000 + HOUSE = _6XXX + + ; Queue for all local home phones + HOME_QUEUE = house-phones + + ; All home phones use the same voicemail box. + HOME_MAILBOX = 6000 + + ; Caller ID for outgoing PSTN calls from the home phone line. + HOME_CID = John Doe <+15555555555> + + [gosub-voicemail] + ; Dial the given channel, if no answer send to voicemail. + ; ${ARG1} - channel to dial + ; ${ARG2} - voicemail box + exten => s,1,Dial(${ARG1},${VOICEMAIL_RING_TIMEOUT}) + same => n,Answer(500) + same => n,Voicemail(${ARG2},su) + same => n,Hangup() + + [gosub-intercom] + exten => s,1,Set(PJSIP_HEADER(add,Alert-Info)=auto answer) + same => n,Return() + + [subscribe] + exten => _XXXX,hint,PJSIP/${EXTEN} + + [internal] + ; For INTERCOM, page all participants into 2-way conference + exten => ${INTERCOM},1,Set(CALLERID(all)=Intercom <${EXTEN}> + same => n,Page(${STRREPLACE(QUEUE_MEMBER_LIST(${HOME_QUEUE}),",","&")},db(gosub-intercom^s^1),10) + + ; For HOME extensions, ring indefinitely. 
+ exten => ${HOME},1,Dial(PJSIP/${EXTEN}) + same => n,Hangup() + + [from-upstream-provider] + ; Ring all house phones for incoming PSTN calls, if no answer send to voicemail. + exten => _X.,1,Queue(${HOME_QUEUE},nr,,,${VOICEMAIL_RING_TIMEOUT}) + same => n,Answer(500) + same => n,Voicemail(${HOME_MAILBOX}@${VOICEMAIL_CONTEXT},su) + same => n,Hangup() + + [from-house-phones] + include => internal + ; local voicemail access + exten => ${VOICEMAIL_NUMBER},1,Answer(500) + same => n,VoiceMailMain(${HOME_MAILBOX}@${VOICEMAIL_CONTEXT},s) + same => n,Hangup() + ; pstn - normalize all outgoing numbers to +1XXXXXXXXXX + exten => _+1NXXNXXXXXX,1,Set(CALLERID(all)=${HOME_CID}) + same => n,Dial(PJSIP/${EXTEN}@upstream-provider) + same => n,Hangup() + exten => _1NXXNXXXXXX,1,Set(CALLERID(all)=${HOME_CID}) + same => n,Dial(PJSIP/+${EXTEN}@upstream-provider) + same => n,Hangup() + exten => _NXXNXXXXXX,1,Set(CALLERID(all)=${HOME_CID}) + same => n,Dial(PJSIP/+1${EXTEN}@upstream-provider) + same => n,Hangup() + exten => _NXXXXXX,1,Set(CALLERID(all)=${HOME_CID}) + same => n,Dial(PJSIP/+1${AREA_CODE}${EXTEN}@upstream-provider) + same => n,Hangup() + exten => _N11,1,Set(CALLERID(all)=${HOME_CID}) + same => n,Dial(PJSIP/${EXTEN}@upstream-provider) + same => n,Hangup() diff --git a/inventory-example/group_vars/all/coturn.yml b/inventory-example/group_vars/all/coturn.yml new file mode 100644 index 0000000..0af566b --- /dev/null +++ b/inventory-example/group_vars/all/coturn.yml @@ -0,0 +1,3 @@ +coturn_auth_secret: '{{ vault_coturn_auth_secret }}' +coturn_external_ip: 203.0.113.61 # changeme +coturn_realm: turn.example.com # changeme diff --git a/inventory-example/group_vars/all/cups.yml b/inventory-example/group_vars/all/cups.yml new file mode 100644 index 0000000..11087a1 --- /dev/null +++ b/inventory-example/group_vars/all/cups.yml @@ -0,0 +1 @@ +cups_host: cups.{{ domain }} 
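Review bot: In the `[internal]` context of `asterisk_dialplan`, the intercom line `exten => ${INTERCOM},1,Set(CALLERID(all)=Intercom <${EXTEN}>` never closes the `Set(` call, while every other `Set(CALLERID(all)=...)` line in the block does. Because the whole dialplan is a block scalar that the role presumably writes out verbatim, this is only caught when Asterisk parses the context and logs a warning about the unterminated application argument, and the intercom caller ID would then not be set as intended. The line should read `exten => ${INTERCOM},1,Set(CALLERID(all)=Intercom <${EXTEN}>)`.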
diff --git a/inventory-example/group_vars/all/firefox.yml b/inventory-example/group_vars/all/firefox.yml new file mode 100644 index 0000000..5ebc61b --- /dev/null +++ b/inventory-example/group_vars/all/firefox.yml @@ -0,0 +1,73 @@ +# Managed firefox settings go in this file. +--- +firefox_offer_to_save_logins_default: no + +firefox_extensions: + - name: ublock-origin + id: uBlock0@raymondhill.net + mode: force_installed + policy: + toOverwrite: + filterLists: + - user-filters + - ublock-filters + - ublock-badware + - ublock-privacy + - ublock-abuse + - ublock-unbreak + - ublock-annoyances + - easylist + - easyprivacy + - urlhaus-1 + - plowe-0 + - fanboy-annoyance + - fanboy-thirdparty_social + - adguard-spyware-url + - ublock-quick-fixes + toAdd: + trustedSiteDirectives: + - id.spectrum.net + - '{{ domain }}' + + - name: bitwarden-password-manager + id: '{446900e4-71c2-419f-a6a7-df9c091e268b}' + + - name: libredirect + id: 7esoorv3@alefvanoon.anonaddy.me + +firefox_preferences: + - name: dom.security.https_only_mode + value: true + status: locked + +firefox_managed_bookmarks: + - name: Bitwarden + url: 'https://bitwarden.{{ domain }}' + - name: Git + url: 'https://git.example.com' + - name: Invidious + url: 'https://invidious.{{ domain }}' + - name: Jellyfin + url: 'https://jellyfin.{{ domain }}' + - name: Nagios + url: 'https://nagios.{{ domain }}' + - name: Nitter + url: 'https://nitter.{{ domain }}' + - name: Photostructure + url: 'https://photos.{{ domain }}/' + - name: Printers + url: 'https://cups.{{ domain }}/printers/' + - name: Rspamd + url: 'https://rspamd.{{ domain }}' + - name: Syncthing + url: 'https://syncthing.{{ domain }}' + - name: Teddit + url: 'https://teddit.{{ domain }}' + - name: TinyTinyRSS + url: 'https://ttrss.{{ domain }}' + - name: Unifi + url: 'https://unifi.{{ domain }}' + - name: Wiki + url: 'https://wiki.{{ domain }}' + - name: ZNC + url: 'https://znc.{{ domain }}' 
diff --git a/inventory-example/group_vars/all/freeipa.yml b/inventory-example/group_vars/all/freeipa.yml new file mode 100644 index 0000000..3501061 --- /dev/null +++ b/inventory-example/group_vars/all/freeipa.yml 
@@ -0,0 +1,144 @@ +# This file contains a bunch of example data for populating your FreeIPA +# domain with users, groups, sudo rules, etc. +--- +freeipa_workgroup: ACME +freeipa_nfs_homedirs: yes +freeipa_dns_forwarders: + - 10.10.12.1 + +freeipa_users: + - name: johndoe + givenname: John + sn: Doe + mail: john@example.com + jid: john@example.com + mail_aliases: + - john.nickname@example.com + - john.alias@exmaple.com + + - name: bobbytables + givenname: Bobby + sn: Tables + mail: btables@example.com + jid: btables@example.com + + - name: janedoe + givenname: Jane + sn: Doe + mail: jane@example.com + jid: jane@example.com + +freeipa_groups: + # built-in freeipa admin group - be careful! + - name: admins + append: yes + user: + - johndoe + + - name: sysadmins + mail: sysadmins@example.com + mail_aliases: + - root@example.com + - postmaster@example.com + - hostmaster@example.com + - webmaster@example.com + - abuse@example.com + description: System Administrators + user: + - johndoe + - btables + + - name: webmasters + user: + - johndoe + + - name: doefamily + description: Doe Family + mail: doefamily@example.com + user: + - johndoe + - janedoe + + - name: role-nagios-access + group: sysadmins + + - name: role-bitwarden-admin + group: sysadmins + + - name: role-cups-admin + group: sysadmins + + - name: role-ttrss-admin + group: sysadmins + + - name: role-music-admin + group: sysadmins + append: yes + + - name: role-rspamd-admin + group: sysadmins + + - name: role-imap-access + group: doefamily + + - name: role-music-access + group: doefamily + append: yes + + - name: role-dav-access + group: doefamily + + - name: role-linux-desktop-access + group: doefamily + + - name: role-ttrss-access + group: doefamily + + - name: role-znc-access + group: doefamily + + - name: role-wiki-access + group: doefamily + + - name: role-wiki-admin + group: sysadmins + + - name: role-wifi-access + group: doefamily + + - name: role-media-admin + group: sysadmins + + - name: role-media-access 
+ group: doefamily + + - name: role-photo-admin + group: doefamily + append: yes + + - name: role-xmpp-access + group: doefamily + + - name: role-git-access + group: doefamily + + - name: role-git-admin + group: sysadmins + +freeipa_hbac_rules: + - name: sysadmins_ssh_and_console_to_all + description: allow sysadmins to ssh to all hosts + usergroup: sysadmins + hostcategory: all + service: + - sshd + - login + +freeipa_sudo_rules: + - name: sysadmins_all + description: allow sysadmins to run anything as any user + cmdcategory: all + hostcategory: all + runasusercategory: all + runasgroupcategory: all + usergroup: sysadmins diff --git a/inventory-example/group_vars/all/freeradius.yml b/inventory-example/group_vars/all/freeradius.yml new file mode 100644 index 0000000..8172e44 --- /dev/null +++ b/inventory-example/group_vars/all/freeradius.yml @@ -0,0 +1 @@ +freeradius_clients: '{{ vault_freeradius_clients }}' diff --git a/inventory-example/group_vars/all/git.yml b/inventory-example/group_vars/all/git.yml new file mode 100644 index 0000000..9975c7e --- /dev/null +++ b/inventory-example/group_vars/all/git.yml @@ -0,0 +1,2 @@ +cgit_logo: ~/Development/assets/cgit/acme-logo.png # changeme (or delete) +cgit_favicon: ~/Development/assets/cgit/acme-favicon.svg # changeme (or delete) diff --git a/inventory-example/group_vars/all/global.yml b/inventory-example/group_vars/all/global.yml new file mode 100644 index 0000000..f4ea98e --- /dev/null +++ b/inventory-example/group_vars/all/global.yml 
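Review bot: The `sysadmins` entry in `freeipa_groups` lists the member `btables`, but the only matching entry in `freeipa_users` is `name: bobbytables` (the `btables` string is his mail local-part, not his login); unless a user `btables` exists elsewhere, that membership either fails or is silently skipped, and the second sysadmin never lands in the group that the HBAC rule `sysadmins_ssh_and_console_to_all` and the sudo rule `sysadmins_all` key off. Change the member to `- bobbytables` (or rename the user); both rules grant broad access, so membership drift here is worth catching before the example is copied. Separately, the alias `john.alias@exmaple.com` under `johndoe` has a transposed domain (`exmaple`); harmless in the example domain, but it will travel into real inventories.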
@@ -0,0 +1,105 @@ +# By convention, variables defined in this file are safe to use in all roles. +# +# In other words, this should be the only place where you should see variables +# without a 'rolename_' prefix. +--- +ansible_python_interpreter: /usr/libexec/platform-python + +timezone: America/New_York +domain: ipa.example.com # changeme +email_domain: example.com # changeme + +organization: ACME, Inc. # changeme + +# This variable will be used to configure an SSID with certificate-based auth +# for any hosts in the linux-laptops group. +wifi_ssid: acme-wifi + +# Hosts in these CIDRs should be capable of kerberos authentication. +# We use this in many apache configs to determine when to force GSSAPI auth. +kerberized_cidrs: # changeme + - 10.10.12.0/24 + +backup_path: ~/backups + +# Use your external MX hostname so that TLS validation works. +mail_host: mx1.exmaple.com + +imap_host: imap.{{ domain }} +rspamd_host: rspamd.{{ domain }} + +# changeme: specify your vlans here. +# This dictionary is used to discover which VLAN a host belongs to. +# The appropriate VLAN object will end up in the `vlan` variable in host_vars. 
+vlans: + mgmt: + id: 11 + cidr: 10.10.11.0/24 + gateway: 10.10.11.1 + dns_servers: # freeipa servers + - 10.10.12.2 + - 10.10.12.3 + ntp_servers: ['10.10.11.1'] + + trusted: + id: 12 + cidr: 10.10.12.0/23 + dns_servers: # freeipa servers + - 10.10.12.2 + - 10.10.12.3 + gateway: 10.10.12.1 + ntp_servers: ['10.10.12.1'] + + voip: + id: 14 + cidr: 10.10.14.0/24 + gateway: 10.10.14.1 + dns_servers: # freeipa servers + - 10.10.12.2 + - 10.10.12.3 + ntp_servers: ['10.10.14.1'] + + print: + id: 15 + cidr: 10.10.15.0/24 + gateway: 10.10.15.1 + dns_servers: # freeipa servers + - 10.10.12.2 + - 10.10.12.3 + ntp_servers: ['10.10.15.1'] + + vpn: + id: 16 + cidr: 10.10.16.0/24 + gateway: 10.10.16.1 + dns_servers: # freeipa servers + - 10.10.12.2 + - 10.10.12.3 + ntp_servers: ['10.10.16.1'] + + dmz: + id: 19 + cidr: 10.10.19.0/24 + dns_servers: # freeipa servers + - 10.10.12.2 + - 10.10.12.3 + gateway: 10.10.19.1 + ntp_servers: ['10.10.19.1'] + + +# standard freeipa variables +freeipa_realm: '{{ domain | upper }}' +freeipa_basedn: "dc={{ domain.split('.') | join(',dc=') }}" +freeipa_hosts: "{{ groups['freeipa_servers'] | map('regex_replace', '$', '.' ~ domain) }}" +freeipa_ldap_uri: "{{ groups['freeipa_servers'] | map('regex_replace', '^(.*)$', 'ldap://\\1.' ~ domain) | join(' ') }}" +freeipa_master: "{{ groups['freeipa_master'][0] }}" +freeipa_sysaccount_basedn: 'cn=sysaccounts,cn=etc,{{ freeipa_basedn }}' +freeipa_user_basedn: cn=users,cn=accounts,{{ freeipa_basedn }} +freeipa_group_basedn: cn=groups,cn=accounts,{{ freeipa_basedn }} +freeipa_accounts_basedn: cn=accounts,{{ freeipa_basedn }} +freeipa_service_basedn: cn=services,cn=accounts,{{ freeipa_basedn }} +freeipa_ds_password: '{{ vault_freeipa_ds_password }}' +freeipa_admin_password: '{{ vault_freeipa_admin_password }}' +ipa_host: '{{ freeipa_master }}.{{ domain }}' +ipa_user: admin +ipa_pass: '{{ freeipa_admin_password }}' 
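Review bot: `mail_host: mx1.exmaple.com` has a transposed domain (`exmaple`), and the comment directly above it says this hostname is what makes TLS validation work, so as written every consumer of `mail_host` would either fail to resolve it or fail certificate validation against the real MX. It should be `mail_host: mx1.example.com # changeme`; tagging it `# changeme` like `domain` and `email_domain` also makes clear it is a site value rather than something derived from `domain`. The same transposition appears in `freeipa.yml` (`john.alias@exmaple.com`). On `freeipa_ldap_uri`, the regex builds plain `ldap://` URIs; whether the roles consuming it require StartTLS is not visible in this hunk, so a one-line comment such as `# plain ldap:// - consumers are expected to negotiate StartTLS` (or switching to `ldaps://`) would document the expectation.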
diff --git a/inventory-example/group_vars/all/hastebin.yml b/inventory-example/group_vars/all/hastebin.yml new file mode 100644 index 0000000..d6c6a43 --- /dev/null +++ b/inventory-example/group_vars/all/hastebin.yml @@ -0,0 +1,3 @@ +hastebin_upload_cidrs: + - '{{ vlans.trusted.cidr }}' + - '{{ vlans.vpn.cidr }}' diff --git a/inventory-example/group_vars/all/invidious.yml b/inventory-example/group_vars/all/invidious.yml new file mode 100644 index 0000000..31f3cf2 --- /dev/null +++ b/inventory-example/group_vars/all/invidious.yml @@ -0,0 +1,4 @@ +invidious_port: 8080 +invidious_db_password: '{{ vault_invidious_db_password }}' +invidious_hmac_key: '{{ vault_invidious_hmac_key }}' +invidious_db_user: s-invidious diff --git a/inventory-example/group_vars/all/jellyfin.yml b/inventory-example/group_vars/all/jellyfin.yml new file mode 100644 index 0000000..954e498 --- /dev/null +++ b/inventory-example/group_vars/all/jellyfin.yml @@ -0,0 +1 @@ +jellyfin_sysaccount_password: '{{ vault_jellyfin_sysaccount_password }}' diff --git a/inventory-example/group_vars/all/mail.yml b/inventory-example/group_vars/all/mail.yml new file mode 100644 index 0000000..120ca91 --- /dev/null +++ b/inventory-example/group_vars/all/mail.yml @@ -0,0 +1,21 @@ +dovecot_default_user_quota: 20G + +# accept mail for these domains: +postfix_virtual_domains: + - example.com + - example.net + +rspamd_domain_whitelist: + - badly.configured.domain.com + - dont.mark.mail.from.this.domain.as.spam.com + +rspamd_password: '{{ vault_rspamd_password }}' +rspamd_password_hash: '{{ vault_rspamd_password_hash }}' +rspamd_dkim_keys: '{{ vault_rspamd_dkim_keys }}' + +# generate with `rspamadm keypair` +rspamd_privkey: '{{ vault_rspamd_privkey }}' +rspamd_pubkey: AAAAAAAAAAAAAchangeme + +rspamd_redis_port: 6379 +rspamd_redis_bayes_port: 6380 diff --git a/inventory-example/group_vars/all/mediawiki.yml b/inventory-example/group_vars/all/mediawiki.yml new file mode 100644 index 0000000..d54f199 --- /dev/null 
+++ b/inventory-example/group_vars/all/mediawiki.yml @@ -0,0 +1,9 @@ +mediawiki_upgrade_key: '{{ vault_mediawiki_upgrade_key }}' +mediawiki_secret_key: '{{ vault_mediawiki_secret_key }}' +mediawiki_admin_password: '{{ vault_mediawiki_admin_password }}' + +mediawiki_sysaccount_password: '{{ vault_mediawiki_sysaccount_password }}' + +mediawiki_logo_1x: ~/Development/assets/mediawiki/acme-logo.svg # changeme (or delete) +mediawiki_logo_icon: ~/Development/assets/mediawiki/acme-icon.svg # changeme (or delete) +mediawiki_favicon: ~/Development/assets/mediawiki/acme-favicon.svg # changeme (or delete) diff --git a/inventory-example/group_vars/all/nagios.yml b/inventory-example/group_vars/all/nagios.yml new file mode 100644 index 0000000..84fc7ce --- /dev/null +++ b/inventory-example/group_vars/all/nagios.yml 
@@ -0,0 +1,90 @@ +nagios_email: sysadmins@example.com +nagios_ssh_privkey: '{{ vault_nagios_ssh_privkey }}' +nagios_ssh_pubkey: ssh-ed25519 AAAAAAAAAAAAAAchangeme + +nagios_excluded_groups: + - linux_laptops + - cellphones + +nagios_snmp_user: nagios +nagios_snmp_community: public +nagios_snmp_priv_proto: AES +nagios_snmp_auth_proto: SHA +nagios_snmp_auth_pass: '{{ vault_nagios_snmp_auth_pass }}' +nagios_snmp_priv_pass: '{{ vault_nagios_snmp_priv_pass }}' + +nagios_ping_count: 5 +nagios_ping_rtt_warn: 50.0 +nagios_ping_rtt_crit: 100.0 +nagios_ping_loss_warn: 20% +nagios_ping_loss_crit: 40% + +nagios_temp_warn: 60 +nagios_temp_crit: 70 + +nagios_power_draw_warn: 50% +nagios_power_draw_crit: 75% + +nagios_load_1m_warn: 1.0 +nagios_load_5m_warn: 0.9 +nagios_load_15m_warn: 0.8 +nagios_load_1m_crit: 2.0 +nagios_load_5m_crit: 1.8 +nagios_load_15m_crit: 1.6 + +nagios_mem_warn: 80% +nagios_mem_crit: 90% + +nagios_swap_warn: 50% +nagios_swap_crit: 80% + +nagios_interface_bandwidth_warn: 0 +nagios_interface_bandwidth_crit: 0 +nagios_interface_discard_warn: 10 +nagios_interface_discard_crit: 50 +nagios_interface_error_warn: 5 +nagios_interface_error_crit: 20 + +nagios_interfaces: + - regex: ^(?!.*(lo[0-9]*|virbr[0-9]*|tap.*|vmbr.*|lagg[0-9]+_vlan)) + description: interfaces + down_ok: no + bandwidth_warn: '{{ nagios_interface_bandwidth_warn }}' + bandwidth_crit: '{{ nagios_interface_bandwidth_crit }}' + discard_warn: '{{ nagios_interface_discard_warn }}' + discard_crit: '{{ nagios_interface_discard_crit }}' + error_warn: '{{ nagios_interface_error_warn }}' + error_crit: '{{ nagios_interface_error_crit }}' + +nagios_disk_warn: 80% +nagios_disk_crit: 90% + +nagios_disks: + - regex: ^(/sys|/dev|/run|/rpool|/tank) + exclude: yes + description: disks + warn: '{{ nagios_disk_warn }}' + crit: '{{ nagios_disk_crit }}' + +nagios_certificate_warn: 28 +nagios_certificate_crit: 14 + +nagios_smtp_warn: 0.5 +nagios_smtp_crit: 1.0 +nagios_mailq_warn: 5 +nagios_mailq_crit: 20 + 
+nagios_imap_warn: 0.5 +nagios_imap_crit: 1.0 + +nagios_http_warn: 0.5 +nagios_http_crit: 1.0 + +nagios_check_dns: + - name: www.example.com + server: 8.8.8.8 + expect: 203.0.113.42 + + - name: mx1.example.com + server: 8.8.8.8 + expect: 203.0.113.43 diff --git a/inventory-example/group_vars/all/nfs.yml b/inventory-example/group_vars/all/nfs.yml new file mode 100644 index 0000000..713b5d3 --- /dev/null +++ b/inventory-example/group_vars/all/nfs.yml @@ -0,0 +1,11 @@ +nfs_homedir_options: rw,crossmnt + +# These clients will be added to the export list for NFS home directories. +nfs_homedir_clients: + - client: '{{ vlans.trusted.cidr }}' + options: sec=krb5p + + # We can't use kerberos for Syncthing, because the Syncthing daemons have + # to impersonate each user, and I don't feel like shuffling keytabs around. + - client: syncthing1 + options: sec=sys diff --git a/inventory-example/group_vars/all/nitter.yml b/inventory-example/group_vars/all/nitter.yml new file mode 100644 index 0000000..3d13f76 --- /dev/null +++ b/inventory-example/group_vars/all/nitter.yml @@ -0,0 +1,3 @@ +nitter_port: 8082 +nitter_redis_port: 16379 +nitter_hmac_key: '{{ vault_nitter_hmac_key }}' diff --git a/inventory-example/group_vars/all/nsd.yml b/inventory-example/group_vars/all/nsd.yml new file mode 100644 index 0000000..ff1afe6 --- /dev/null +++ b/inventory-example/group_vars/all/nsd.yml 
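Review bot: `nagios_snmp_community: public` is the well-known SNMPv2c default community and is the only SNMP credential in this file that is neither pulled from the vault nor tagged `# changeme`, whereas `nagios_snmp_auth_pass` and `nagios_snmp_priv_pass` a few lines below are both vaulted. A community string is a credential: any device still polled over v2c with `public` is readable by anyone who can reach it on the management VLAN. Suggest `nagios_snmp_community: '{{ vault_nagios_snmp_community }}'` with a matching vault entry, or at minimum `nagios_snmp_community: public # changeme` so it is noticed when the example inventory is copied.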
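Review bot: In `nfs_homedir_clients`, the `syncthing1` export uses `options: sec=sys`, so the server trusts whatever UID that host presents on a `rw` home-directory export; the comment explains why Kerberos is not used, but the entry is identified by a bare short hostname, and how that name is matched against the client is decided by the NFS server's resolver, not by this file. Suggest using the host's FQDN or IP for that client, and a comment such as `# AUTH_SYS: this host can act as any user on every exported home directory` so the trust being extended is explicit to whoever maintains the inventory.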
@@ -0,0 +1,54 @@ +# Put the desired contents of any zone files in nsd_zones. +# +# I only recommend self-hosting DNS if you're farming out your *real* query +# traffic to a secondary DNS provider. +--- +nsd_zones: + - name: example.com + slave_nameservers: + - 203.0.113.50 + - 203.0.113.51 + ttl: 3600 + content: | + @ IN NS ns1.example.com. + @ IN NS ns2.example.com. + ns1 IN A 203.0.113.52 + ns1 IN AAAA 2001:db8::2 + ns2 IN A 203.0.113.53 + ns2 IN AAAA 2001:db8::3 + + @ IN CAA 0 issue "letsencrypt.org" + + ; mail + @ IN MX 10 mx1.example.com. + @ IN TXT "v=spf1 mx -all" + dkim._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=AAAAAAAAAAAAAAAAchangeme" + "AAAAAAAAAAAAAAAAAAchangeme" + ) ; + _dmarc IN TXT "v=DMARC1; p=reject; ruf=mailto:postmaster@example.com" + + @ IN A 203.0.113.54 + mx1 IN A 203.0.113.55 + www1 IN A 203.0.113.56 + xmpp1 IN A 203.0.113.57 + turn1 IN A 203.0.113.58 + pbx1 IN A 203.0.113.59 + www IN CNAME www1 + xmpp IN CNAME xmpp1 + conference IN CNAME xmpp1 + turn IN CNAME turn1 + pbx IN CNAME pbx1 + + _xmpp-client._tcp IN SRV 0 5 5222 xmpp1 + _xmpp-server._tcp IN SRV 0 5 5269 xmpp1 + _xmpp-server._tcp.conference IN SRV 0 5 5269 xmpp1 + + _stun._tcp IN SRV 0 5 3478 turn1 + _stun._udp IN SRV 0 5 3478 turn1 + _turn._tcp IN SRV 0 5 3478 turn1 + _turn._udp IN SRV 0 5 3478 turn1 + + _sip._udp IN SRV 0 5 5060 pbx1 + _sip._tcp IN SRV 0 5 5060 pbx1 + _sip._tls IN SRV 0 5 5061 pbx1 diff --git a/inventory-example/group_vars/all/packages.yml b/inventory-example/group_vars/all/packages.yml new file mode 100644 index 0000000..2883e64 --- /dev/null +++ b/inventory-example/group_vars/all/packages.yml @@ -0,0 +1,4 @@ +packages_install: + - man + - less + - tmux diff --git a/inventory-example/group_vars/all/photostructure.yml b/inventory-example/group_vars/all/photostructure.yml new file mode 100644 index 0000000..6f7963e --- /dev/null +++ b/inventory-example/group_vars/all/photostructure.yml 
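Review bot: The `_dmarc` record in the `example.com` zone of `nsd_zones` publishes `p=reject` with only `ruf=` (failure reports), so the operator gets no aggregate reports; most receivers do not send forensic reports at all, which leaves a reject policy with no feedback loop for spotting legitimate senders that fail alignment. Add an aggregate address, e.g. `_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com"`. The zone `content` also contains no SOA record; if the nsd role does not template one from `ttl` and the nameserver list, NSD will refuse to load the zone, and a comment on `content:` stating which records the role generates would remove the guesswork.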
@@ -0,0 +1,3 @@ +photostructure_access_group: role-photo-admin +photostructure_scan_paths: + - /nfs/media/pictures diff --git a/inventory-example/group_vars/all/polkit.yml b/inventory-example/group_vars/all/polkit.yml new file mode 100644 index 0000000..fed46cc --- /dev/null +++ b/inventory-example/group_vars/all/polkit.yml @@ -0,0 +1 @@ +polkit_admin_group: sysadmins diff --git a/inventory-example/group_vars/all/postgres.yml b/inventory-example/group_vars/all/postgres.yml new file mode 100644 index 0000000..be90568 --- /dev/null +++ b/inventory-example/group_vars/all/postgres.yml @@ -0,0 +1,4 @@ +postgresql_host: postgres.{{ domain }} +postgresql_inventory_host: "{{ postgresql_host.split('.')[0] }}" +postgresql_password_users: + - '{{ invidious_db_user }}' diff --git a/inventory-example/group_vars/all/prosody.yml b/inventory-example/group_vars/all/prosody.yml new file mode 100644 index 0000000..b317a96 --- /dev/null +++ b/inventory-example/group_vars/all/prosody.yml @@ -0,0 +1,16 @@ +prosody_http_host: xmpp.example.com # changeme +prosody_sysaccount_password: '{{ vault_prosody_sysaccount_password }}' +prosody_vhosts: # changeme - your jabber domain(s) + - example.com + +# XMPP clients expect a certificate matching the domain of the given JID. +# Unfortunately, this situation only works for LetsEncrypt if you run your XMPP +# server on the same host as your webserver (or if you use the ACME DNS +# challenge). +# +# Check out the prosody_letsencrypt_proxy role for how we get around this. +# Basically, just specify the hostname of your public webserver here, along with +# and ssh keypair. +prosody_le_proxy_host: dmz-www1 +prosody_le_ssh_privkey: '{{ vault_prosody_le_ssh_privkey }}' +prosody_le_ssh_pubkey: ssh-ed25519 AAAAAAAchangeme diff --git a/inventory-example/group_vars/all/proxmox.yml b/inventory-example/group_vars/all/proxmox.yml new file mode 100644 index 0000000..44cb9a1 --- /dev/null +++ b/inventory-example/group_vars/all/proxmox.yml 
@@ -0,0 +1,7 @@ +# These settings are used when provisioning new proxmox VMs. +--- +proxmox_api_host: '{{ groups["proxmox_hypervisors"] | first }}' +proxmox_api_user: ansible@pam +proxmox_api_password: '{{ vault_proxmox_api_password }}' +proxmox_node: '{{ proxmox_api_host }}' +proxmox_password_salt: '{{ vault_proxmox_password_salt }}' diff --git a/inventory-example/group_vars/all/psitransfer.yml b/inventory-example/group_vars/all/psitransfer.yml new file mode 100644 index 0000000..eb61ea9 --- /dev/null +++ b/inventory-example/group_vars/all/psitransfer.yml @@ -0,0 +1,7 @@ +psitransfer_upload_cidrs: + - '{{ vlans.trusted.cidr }}' + - '{{ vlans.vpn.cidr }}' +psitransfer_admin_cidrs: + - '{{ vlans.trusted.cidr }}' + - '{{ vlans.vpn.cidr }}' +psitransfer_admin_password: '{{ vault_psitransfer_admin_password }}' diff --git a/inventory-example/group_vars/all/root.yml b/inventory-example/group_vars/all/root.yml new file mode 100644 index 0000000..bd86f96 --- /dev/null +++ b/inventory-example/group_vars/all/root.yml @@ -0,0 +1,6 @@ +root_authorized_keys: + - ssh-ed25519 AAAAAAAchangeme + - ssh-ed25519 AAAAAAAchangeme + +root_password: '{{ vault_root_password }}' +root_password_salt: '{{ vault_root_password_salt }}' diff --git a/inventory-example/group_vars/all/sudo.yml b/inventory-example/group_vars/all/sudo.yml new file mode 100644 index 0000000..f6e93db --- /dev/null +++ b/inventory-example/group_vars/all/sudo.yml @@ -0,0 +1,2 @@ +sudo_email: yes +sudo_mailto: sysadmins@example.com diff --git a/inventory-example/group_vars/all/syncthing.yml b/inventory-example/group_vars/all/syncthing.yml new file mode 100644 index 0000000..ac3257f --- /dev/null +++ b/inventory-example/group_vars/all/syncthing.yml @@ -0,0 +1,6 @@ +# Each user with a dedicated syncthing instance must have his or her own unique +# port number for the sync traffic. +--- +syncthing_users: + johndoe: 22001 + janedoe: 22002 
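Review bot: proxmox_api_user is a `@pam` account authenticated with `vault_proxmox_api_password`, so the automation inherits everything that user can do in the web UI and the same password doubles as an interactive login. Proxmox also issues API tokens that can be scoped to a subset of privileges and revoked on their own; if the role consuming these variables can accept one, a comment here pointing at that option (or at least stating that the `ansible` user should hold only the privileges VM provisioning needs) would be worth adding. The salt on the last line is presumably there so generated VM password hashes stay idempotent between runs — a one-line comment saying so would save the next reader the guess.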
diff --git a/inventory-example/group_vars/all/syslog.yml b/inventory-example/group_vars/all/syslog.yml new file mode 100644 index 0000000..390c157 --- /dev/null +++ b/inventory-example/group_vars/all/syslog.yml @@ -0,0 +1,2 @@ +syslog_host: syslog.{{ domain }} +syslog_host_ip: "{{ hostvars[groups['syslog_servers'] | sort | first].ip }}" diff --git a/inventory-example/group_vars/all/teddit.yml b/inventory-example/group_vars/all/teddit.yml new file mode 100644 index 0000000..269bb27 --- /dev/null +++ b/inventory-example/group_vars/all/teddit.yml @@ -0,0 +1,3 @@ +teddit_port: 8081 +teddit_redis_port: 6379 +teddit_reddit_app_id: '{{ vault_teddit_reddit_app_id }}' diff --git a/inventory-example/group_vars/all/vault.yml b/inventory-example/group_vars/all/vault.yml new file mode 100644 index 0000000..c3e29c5 --- /dev/null +++ b/inventory-example/group_vars/all/vault.yml 
@@ -0,0 +1,124 @@ +# This is a sample file with fake secrets. For a real deployment, encrypt this +# file with `ansible-vault encrypt` and add your own secrets. +--- +# apache +vault_apache_sysaccount_password: changeme + + +# archiver +vault_archive_ssh_privkey: | + -----BEGIN OPENSSH PRIVATE KEY----- + AAAAAAAAAAAAchangeme + -----END OPENSSH PRIVATE KEY----- + + +# asterisk +vault_asterisk_ari_users: + - name: nagios + readonly: yes + password: changeme + +vault_asterisk_password_salt: changeme + +vault_asterisk_sip_extensions: + - name: 6001 + context: house-phones + mailbox: 6000@default + cid_name: Living Room + password: changeme + + - name: 6002 + context: house-phones + mailbox: 6000@default + cid_name: Kitchen + password: changeme + +vault_asterisk_sip_trunks: + - name: upstream-provider + host: 'sip.example.com:5060' + username: changeme + password: changeme + + +# coturn +vault_coturn_auth_secret: changeme + + +# freeipa +vault_freeipa_admin_password: changeme +vault_freeipa_ds_password: changeme + + +# freeradius +vault_freeradius_clients: + - name: unifi + address: '{{ vlans.mgmt.cidr }}' + secret: changeme + + +# invidious +vault_invidious_db_password: changeme +vault_invidious_hmac_key: changeme + + +# jellyfin +vault_jellyfin_sysaccount_password: changeme + + +# mediawiki +vault_mediawiki_admin_password: changeme +vault_mediawiki_upgrade_key: changeme +vault_mediawiki_secret_key: changeme +vault_mediawiki_sysaccount_password: changeme + + +# nagios +vault_nagios_snmp_auth_pass: changeme +vault_nagios_snmp_priv_pass: changeme +vault_nagios_ssh_privkey: | + -----BEGIN OPENSSH PRIVATE KEY----- + AAAAAAAAAAAAAAAAchangeme + -----END OPENSSH PRIVATE KEY----- + + +# nitter +vault_nitter_hmac_key: changeme + + +# prosody +vault_prosody_le_ssh_privkey: | + -----BEGIN OPENSSH PRIVATE KEY----- + AAAAAAAAAAAAAAAAchangeme + -----END OPENSSH PRIVATE KEY----- +vault_prosody_sysaccount_password: changeme + + +# proxmox +vault_proxmox_api_password: changeme 
+vault_proxmox_password_salt: changeme + + +# psitransfer +vault_psitransfer_admin_password: changeme + + +# root user +vault_root_password_salt: changeme +vault_root_password: changeme + + +# rspamd +vault_rspamd_password: changeme +vault_rspamd_password_hash: $2$changeme # generate with `rspamadm pw` +vault_rspamd_privkey: changeme # generate with `rspamadm keypair` +vault_rspamd_dkim_keys: # generate with `rspamadm dkim_keygen` + example.com: | + -----BEGIN RSA PRIVATE KEY----- + AAAAAAAAAAAAAAAAchangeme + -----END RSA PRIVATE KEY----- + +# teddit +vault_teddit_reddit_app_id: changeme + +# vaultwarden +vault_vaultwarden_admin_token: changeme # generate with `openssl rand -base64 48` diff --git a/inventory-example/group_vars/all/vaultwarden.yml b/inventory-example/group_vars/all/vaultwarden.yml new file mode 100644 index 0000000..71637f7 --- /dev/null +++ b/inventory-example/group_vars/all/vaultwarden.yml @@ -0,0 +1 @@ +vaultwarden_admin_token: '{{ vault_vaultwarden_admin_token }}' diff --git a/inventory-example/group_vars/all/wireguard.yml b/inventory-example/group_vars/all/wireguard.yml new file mode 100644 index 0000000..1c0a33c --- /dev/null +++ b/inventory-example/group_vars/all/wireguard.yml @@ -0,0 +1,2 @@ +wireguard_host: 203.0.113.41 # your external VPN IP - changeme +wireguard_pubkey: AAAAAAAAAAchangeme diff --git a/inventory-example/group_vars/all/yum.yml b/inventory-example/group_vars/all/yum.yml new file mode 100644 index 0000000..6cbfae5 --- /dev/null +++ b/inventory-example/group_vars/all/yum.yml @@ -0,0 +1 @@ +yum_host: yum.{{ domain }} diff --git a/inventory-example/group_vars/dav_servers.yml b/inventory-example/group_vars/dav_servers.yml new file mode 100644 index 0000000..239067a --- /dev/null +++ b/inventory-example/group_vars/dav_servers.yml @@ -0,0 +1,6 @@ +apache_can_sendmail: yes +apache_can_network_connect_db: yes +apache_can_connect_ldap: yes +apache_gssapi: yes + +nagios_http_status: 401 
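Review bot: The header comment tells the reader to `ansible-vault encrypt` this file for a real deployment but not when; a copy filled with real values and committed even once before encryption leaves the plaintext in git history, so the comment should say `encrypt this file before its first commit`. The entries under vault_asterisk_sip_extensions and vault_asterisk_sip_trunks are the credentials most commonly guessed against exposed PBXes, so a note that those `changeme` values must be long random strings rather than numeric PINs would help anyone copying the template. vault_rspamd_password is stored next to its hash `$2$changeme`; if only rspamd consumes the password, keeping the hash alone is enough, though whether another role needs the plaintext is not visible here.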
diff --git a/inventory-example/group_vars/dmz.yml b/inventory-example/group_vars/dmz.yml new file mode 100644 index 0000000..ba0b0c9 --- /dev/null +++ b/inventory-example/group_vars/dmz.yml @@ -0,0 +1 @@ +freeipa_autofs: no diff --git a/inventory-example/group_vars/el8.yml b/inventory-example/group_vars/el8.yml new file mode 100644 index 0000000..1aedd96 --- /dev/null +++ b/inventory-example/group_vars/el8.yml @@ -0,0 +1,3 @@ +# Force legacy BIOS for Rocky 8 VMs - UEFI doesn't seem to work. +proxmox_template: rocky8.7 +proxmox_bios: seabios diff --git a/inventory-example/group_vars/freeipa_master.yml b/inventory-example/group_vars/freeipa_master.yml new file mode 100644 index 0000000..fbaa5b2 --- /dev/null +++ b/inventory-example/group_vars/freeipa_master.yml @@ -0,0 +1,6 @@ +# The initial FreeIPA installation requires an upstream DNS server to bootstrap itself. +proxmox_nameservers: '{{ freeipa_dns_forwarders }}' + +# Update the FreeIPA master every *other* day. If there's a botched automatic +# update, we don't want to take the entire domain down overnight. +dnf_automatic_on_calendar: '*-*-1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31 04:00:00' diff --git a/inventory-example/group_vars/git_servers.yml b/inventory-example/group_vars/git_servers.yml new file mode 100644 index 0000000..5f975fc --- /dev/null +++ b/inventory-example/group_vars/git_servers.yml @@ -0,0 +1 @@ +apache_gssapi: yes diff --git a/inventory-example/group_vars/linux_desktops.yml b/inventory-example/group_vars/linux_desktops.yml new file mode 100644 index 0000000..af4775a --- /dev/null +++ b/inventory-example/group_vars/linux_desktops.yml @@ -0,0 +1 @@ +tuned_profile: desktop diff --git a/inventory-example/group_vars/linux_laptops.yml b/inventory-example/group_vars/linux_laptops.yml new file mode 100644 index 0000000..428c40b --- /dev/null +++ b/inventory-example/group_vars/linux_laptops.yml @@ -0,0 +1,2 @@ +tuned_profile: powersave +rsyslog_forward: no 
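Review bot: The `dnf_automatic_on_calendar` comment says the FreeIPA master updates every *other* day, but a list of odd days of the month produces two consecutive update days (the 31st then the 1st) after every 31-day month, and the stated goal of not taking the domain down only holds if the replicas are scheduled on different days, which this file does not say. A comment such as `# Odd days only; keep replicas on a disjoint schedule so one bad update never hits every IPA server the same night` would make that dependency explicit. The freeipa_dns_forwarders value referenced on the first line is defined outside this hunk.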
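Review bot: `rsyslog_forward: no` in linux_laptops.yml takes laptops out of central log collection, so events on a roaming device are visible only in its local logs and any investigation has to start from the device itself. If the reason is that forwarding fails or queues indefinitely while off-network, a one-line comment saying so would stop a later reader from flipping it back without understanding the trade-off; if the VPN endpoint is reachable from the road, forwarding to it may be an option worth noting.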
diff --git a/inventory-example/group_vars/nagios_servers.yml b/inventory-example/group_vars/nagios_servers.yml new file mode 100644 index 0000000..5f975fc --- /dev/null +++ b/inventory-example/group_vars/nagios_servers.yml @@ -0,0 +1 @@ +apache_gssapi: yes diff --git a/inventory-example/group_vars/nfs_servers.yml b/inventory-example/group_vars/nfs_servers.yml new file mode 100644 index 0000000..59135b8 --- /dev/null +++ b/inventory-example/group_vars/nfs_servers.yml @@ -0,0 +1,10 @@ +dnf_automatic_restart: no + +nagios_disks: + - regex: ^(/sys|/dev|/run|/rpool|/tank) + exclude: yes + description: disks + + - regex: ^/tank + description: zfs + terse: yes diff --git a/inventory-example/group_vars/opnsense_firewalls.yml b/inventory-example/group_vars/opnsense_firewalls.yml new file mode 100644 index 0000000..8a4ac7b --- /dev/null +++ b/inventory-example/group_vars/opnsense_firewalls.yml @@ -0,0 +1,7 @@ +ansible_python_interpreter: /usr/local/bin/python3 + +# If you want OPNsense to serve PXE, you need the following plugins: +# - os-tftp +# - os-nginx +pxe_root: /usr/local/tftp +pxe_http_port: 8080 diff --git a/inventory-example/group_vars/photostructure_servers.yml b/inventory-example/group_vars/photostructure_servers.yml new file mode 100644 index 0000000..a5542b4 --- /dev/null +++ b/inventory-example/group_vars/photostructure_servers.yml @@ -0,0 +1,2 @@ +apache_gssapi: yes +nagios_http_status: 401 diff --git a/inventory-example/group_vars/proxmox_hypervisors.yml b/inventory-example/group_vars/proxmox_hypervisors.yml new file mode 100644 index 0000000..f1a3ed4 --- /dev/null +++ b/inventory-example/group_vars/proxmox_hypervisors.yml @@ -0,0 +1 @@ +ansible_python_interpreter: /usr/bin/python3 diff --git a/inventory-example/group_vars/proxmox_instances.yml b/inventory-example/group_vars/proxmox_instances.yml new file mode 100644 index 0000000..e6e7eab --- /dev/null +++ b/inventory-example/group_vars/proxmox_instances.yml 
@@ -0,0 +1,2 @@ +tuned_profile: virtual-guest +grub_cmdline: console=ttyS0,115200n8 no_timer_check net.ifnames=0 diff --git a/inventory-example/group_vars/rspamd_servers.yml b/inventory-example/group_vars/rspamd_servers.yml new file mode 100644 index 0000000..54e8be4 --- /dev/null +++ b/inventory-example/group_vars/rspamd_servers.yml @@ -0,0 +1,2 @@ +nagios_http_status: 401 +apache_gssapi: yes diff --git a/inventory-example/group_vars/switches/vars.yml b/inventory-example/group_vars/switches/vars.yml new file mode 100644 index 0000000..8892a35 --- /dev/null +++ b/inventory-example/group_vars/switches/vars.yml @@ -0,0 +1,6 @@ +nagios_snmp_priv_proto: DES +nagios_snmp_priv_pass: '{{ vault_nagios_snmp_priv_pass }}' +nagios_snmp_auth_pass: '{{ vault_nagios_snmp_auth_pass }}' + +nagios_interface_discard_warn: 1000 +nagios_interface_discard_crit: 2000 diff --git a/inventory-example/group_vars/switches/vault.yml b/inventory-example/group_vars/switches/vault.yml new file mode 100644 index 0000000..2015d5f --- /dev/null +++ b/inventory-example/group_vars/switches/vault.yml @@ -0,0 +1,5 @@ +# This is a sample file with fake secrets. For a real deployment, encrypt this +# file with `ansible-vault encrypt` and add your own secrets. +--- +vault_nagios_snmp_priv_pass: changeme +vault_nagios_snmp_auth_pass: changeme diff --git a/inventory-example/group_vars/syncthing_servers.yml b/inventory-example/group_vars/syncthing_servers.yml new file mode 100644 index 0000000..5f975fc --- /dev/null +++ b/inventory-example/group_vars/syncthing_servers.yml @@ -0,0 +1 @@ +apache_gssapi: yes diff --git a/inventory-example/group_vars/ttrss_servers.yml b/inventory-example/group_vars/ttrss_servers.yml new file mode 100644 index 0000000..fc33f6a --- /dev/null +++ b/inventory-example/group_vars/ttrss_servers.yml @@ -0,0 +1,5 @@ +apache_gssapi: yes +apache_can_sendmail: yes +apache_can_network_connect_db: yes +apache_can_network_connect: yes +apache_can_connect_ldap: yes 
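Review bot: `nagios_snmp_priv_proto: DES` in switches/vars.yml selects single-DES for SNMPv3 privacy, which is deprecated and gives only 56-bit protection to the polled data; Net-SNMP-based checks also accept `AES`, so `nagios_snmp_priv_proto: AES` is preferable on any switch firmware that supports it. The authentication protocol is not set in this file, so whatever the role defaults to applies — worth stating in a comment, especially if that default is MD5. Both passphrases are pulled from the vault, which is the right shape; the sample vault beside this file still carries `changeme` for them.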
diff --git a/inventory-example/group_vars/unifi_controllers.yml b/inventory-example/group_vars/unifi_controllers.yml new file mode 100644 index 0000000..d3a5574 --- /dev/null +++ b/inventory-example/group_vars/unifi_controllers.yml @@ -0,0 +1,3 @@ +nagios_interface_discard_warn: 500 +nagios_interface_discard_crit: 1000 +freeipa_autofs: no diff --git a/inventory-example/group_vars/wiki_servers.yml b/inventory-example/group_vars/wiki_servers.yml new file mode 100644 index 0000000..527d9ef --- /dev/null +++ b/inventory-example/group_vars/wiki_servers.yml @@ -0,0 +1,7 @@ +apache_gssapi: yes +apache_can_sendmail: yes +apache_can_network_connect_db: yes +apache_can_connect_ldap: yes +apache_can_network_connect: yes + +nagios_http_status: 401 diff --git a/inventory-example/group_vars/xmpp_servers.yml b/inventory-example/group_vars/xmpp_servers.yml new file mode 100644 index 0000000..dd6b7b4 --- /dev/null +++ b/inventory-example/group_vars/xmpp_servers.yml @@ -0,0 +1 @@ +nagios_https_vhosts: ['{{ prosody_http_host | default(ansible_fqdn) }}'] -- cgit