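# Required Groups
# ===============

# Hosts that aren't ready for Rocky 9 yet. Members get the Rocky 8 template
# via [el8:vars] below. Each child group carries a note on what blocks its
# move; re-check those blockers periodically so the EL8 footprint shrinks
# instead of quietly becoming permanent.
[el8:children]
# libsrtp is broken on EL9: https://community.asterisk.org/t/erro-loading-srtp-on-asterisk-20-and-centos-9/95766
# Might be worth building our own, locally?
asterisk_servers

# Rspamd not yet available for EL9: https://github.com/rspamd/rspamd/issues/4215
imap_servers
rspamd_servers

# Unifi controller depends on MongoDB 3.6 (though I'm running 4.4 without any
# issues on Rocky 8). Unfortunately, only MongoDB 6.0 is currently packaged
# for EL9: https://repo.mongodb.org/yum/redhat/9/mongodb-org/
unifi_controllers

# Prosody needs lua-ldap. There's no package for EL9 and it appears to be
# abandoned: https://src.fedoraproject.org/rpms/lua-ldap
# Apparently lua-ldap can be installed from luarocks. Should investigate that.
xmpp_servers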


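# Required Variables
# ==================
[all:vars]
# EL-family default. Proxmox hypervisors and OPNsense firewalls override this
# in their own :vars sections below.
ansible_python_interpreter = /usr/libexec/platform-python
# Everything below is derived from `domain` and the freeipa_* groups, so a
# wrong `domain` silently points every host at the wrong realm and LDAP tree.
freeipa_realm = '{{ domain | upper }}'
freeipa_basedn = "dc={{ domain.split('.') | join(',dc=') }}"
freeipa_hosts = "{{ groups['freeipa_servers'] | map('regex_replace', '$', '.' ~ domain) }}"
# NOTE(review): these are plain ldap:// URIs. Whether clients upgrade to TLS
# (STARTTLS) is decided by the consuming role, not here; if they don't, binds
# -- including any sysaccount credentials -- cross the network in clear text.
# Consider ldaps:// once every consumer of freeipa_ldap_uri supports it.
freeipa_ldap_uri = "{{ groups['freeipa_servers'] | map('regex_replace', '^(.*)$', 'ldap://\\1.' ~ domain) | join(' ') }}"
# Assumes the freeipa_master group has exactly one member; an empty group
# makes this template fail at first use.
freeipa_master = "{{ groups['freeipa_master'][0] }}"
freeipa_sysaccount_basedn = 'cn=sysaccounts,cn=etc,{{ freeipa_basedn }}'
freeipa_user_basedn = 'cn=users,cn=accounts,{{ freeipa_basedn }}'
freeipa_group_basedn = 'cn=groups,cn=accounts,{{ freeipa_basedn }}'
freeipa_accounts_basedn = 'cn=accounts,{{ freeipa_basedn }}'
freeipa_service_basedn = 'cn=services,cn=accounts,{{ freeipa_basedn }}'
# ipa_host/ipa_user/ipa_pass: presumably the connection parameters the roles
# hand to the ipa_* modules (verify in the roles).
# NOTE(review): because they live in [all:vars], every host's variable scope
# resolves to the IPA admin password via freeipa_admin_password. Keep that
# variable in ansible-vault, avoid `debug: var=hostvars`-style dumps on
# untrusted hosts, and consider scoping these to freeipa_servers (with
# delegate_to) if the ipa_* tasks only ever run there.
ipa_host = '{{ freeipa_master }}.{{ domain }}'
ipa_user = admin
ipa_pass = '{{ freeipa_admin_password }}'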

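[dav_servers:vars]
# apache_can_* presumably map to the httpd_* SELinux booleans in the apache
# role (confirm there). Prefer the narrow *_db / *_ldap variants over the
# unscoped apache_can_network_connect wherever the application allows it.
apache_can_sendmail = True
apache_can_network_connect_db = True
apache_can_connect_ldap = True
apache_gssapi = True
# The vhost requires Kerberos (apache_gssapi above), so an unauthenticated
# probe is expected to get 401; that, not 200, is the healthy answer for the
# HTTP check.
nagios_http_status = 401

[el8:vars]
# Members of [el8:children] above are built from the Rocky 8 template.
proxmox_template = rocky8.8
proxmox_bios = seabios

[freeipa_master:vars]
# The initial FreeIPA installation requires an upstream DNS server to bootstrap itself.
proxmox_nameservers = '{{ freeipa_dns_forwarders }}'
# Don't update all freeipa servers at once: master on odd days of the month,
# replicas on even days (see [freeipa_replicas:vars]).
dnf_automatic_on_calendar = '*-*-1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31 04:00:00'

[freeipa_replicas:vars]
# Don't update all freeipa servers at once: replicas on even days of the
# month, master on odd days (see [freeipa_master:vars]).
dnf_automatic_on_calendar = '*-*-2,4,6,8,10,12,14,16,18,20,22,24,26,28,30 04:00:00'

[freeipa_servers:vars]
# No automatic reboot after updates, so kernel and library fixes are not live
# until someone reboots. Track pending reboots (e.g. `dnf needs-restarting -r`)
# rather than assuming dnf-automatic closed the hole.
dnf_automatic_restart = False

[git_servers:vars]
apache_gssapi = True

[linux_desktops:vars]
tuned_profile = desktop

[linux_laptops:vars]
tuned_profile = powersave
# Laptops don't ship logs to the central syslog (presumably because they are
# frequently off-network); that is a detection gap for anything that happens
# on them. NOTE(review): unlike the True/False values elsewhere in this file,
# `no` survives Ansible's INI parsing as the string "no", which is truthy
# unless the rsyslog role applies `| bool` -- confirm, or use False for
# consistency.
rsyslog_forward = no

[nagios_servers:vars]
apache_gssapi = True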

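# Single [matrix_servers:vars] section; Ansible merges repeated :vars sections,
# but keeping one avoids the effective config being split across the file.
[matrix_servers:vars]
# Apache listens on 443 plus the Synapse client and federation ports.
apache_ssl_listen_ports = '[443,{{ synapse_client_port }},{{ synapse_federation_port }}]'
nagios_https_vhosts = '["{{ synapse_server_name }}"]'

[opnsense_firewalls:vars]
# Overrides the EL platform-python default from [all:vars].
ansible_python_interpreter = /usr/local/bin/python3

[photostructure_servers:vars]
apache_gssapi = True
# 401 is expected from an unauthenticated probe of a GSSAPI-protected vhost.
nagios_http_status = 401

[proxmox_hypervisors:vars]
# Overrides the EL platform-python default from [all:vars].
ansible_python_interpreter = /usr/bin/python3

[proxmox_instances:vars]
tuned_profile = virtual-guest
# Serial console on ttyS0 and legacy (eth0-style) interface naming for VMs.
grub_cmdline = 'console=ttyS0,115200n8 no_timer_check net.ifnames=0'

[rspamd_servers:vars]
apache_gssapi = True
# 401 is expected from an unauthenticated probe of a GSSAPI-protected vhost.
nagios_http_status = 401

[syncthing_servers:vars]
apache_gssapi = True

[ttrss_servers:vars]
apache_gssapi = True
apache_can_sendmail = True
apache_can_network_connect_db = True
# NOTE(review): apache_can_network_connect (presumably httpd_can_network_connect,
# i.e. unrestricted outbound from httpd) is strictly broader than the *_db and
# *_ldap variants set alongside it. Keep it only if the app genuinely needs
# arbitrary outbound connections; otherwise drop it and rely on the narrow ones.
apache_can_network_connect = True
apache_can_connect_ldap = True

[wiki_servers:vars]
apache_gssapi = True
apache_can_sendmail = True
apache_can_network_connect_db = True
apache_can_connect_ldap = True
# NOTE(review): same remark as ttrss_servers -- unscoped outbound from httpd;
# confirm it is really required here.
apache_can_network_connect = True
nagios_http_status = 401

[xmpp_servers:vars]
apache_can_network_connect = True
# Falls back to the host's FQDN when no dedicated HTTP host is configured.
nagios_https_vhosts = '["{{ prosody_http_host | default(ansible_fqdn) }}"]'

[mastodon_servers:vars]
nagios_https_vhosts = '["{{ mastodon_web_domain }}"]'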


# Nagios hostgroups
# =================
# Each nagios_check_* group enumerates the hosts that should receive that
# check. Membership is expressed through :children, so a host picks up its
# checks by joining the right functional group rather than being listed here.
# Presumably consumed by the nagios role; verify these group names against its
# hostgroup definitions before renaming any of them.
[nagios_net_snmp_clients:children]
nagios_ansible_managed_clients
opnsense_firewalls

# load/mem/disk presumably go over SNMP: they all follow nagios_net_snmp_clients.
[nagios_check_load:children]
nagios_net_snmp_clients

[nagios_check_mem:children]
nagios_net_snmp_clients

[nagios_check_disk:children]
nagios_net_snmp_clients

# Interface checks also cover the network gear that is not Ansible-managed.
[nagios_check_interfaces:children]
nagios_net_snmp_clients
switches
access_points

[nagios_check_systemd:children]
nagios_ansible_managed_clients

# SSH reachability: physical hosts, VMs and network gear.
[nagios_check_ssh:children]
baremetal
proxmox_instances
switches
access_points

[nagios_check_zfs:children]
nfs_servers
proxmox_hypervisors

# Per-group nagios_http_status / nagios_https_vhosts in the :vars sections
# above adjust the expected status code and the probed vhost for these.
[nagios_check_https:children]
freeipa_servers
yum_mirrors
ttrss_servers
znc_servers
dav_servers
bitwarden_servers
cups_servers
web_servers
git_servers
syncthing_servers
wiki_servers
jellyfin_servers
privbrowse_servers
photostructure_servers
rspamd_servers
unifi_controllers
xmpp_servers
mastodon_servers
matrix_servers

# vi: ft=dosini