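# Ansible Roles for managing Auengun.net Infrastructure & Testing/Learning.
# Source available at git.auengun.net/homelab/ansible-collection
# Copyright (C) 2023 GregoryDosh
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2023 GregoryDosh
---
# Default variables for the collection's roles. Secrets and site-specific
# trust anchors are pulled from the controller's environment at render time
# via lookup('ansible.builtin.env', ...) rather than being committed here; an
# unset variable therefore renders as an empty string, not as an error.

# Guest tooling
INSTALL_QEMU_AGENT: true

# LXC-specific sshd adjustments (presumably applied only when true — see the
# consuming role)
LXC_SSH_TUNEUP: false

# LDAP bind identity used by the directory client. Both values come from the
# environment so the bind password never lives in this file.
LDAPD_BINDDN: "{{ lookup('ansible.builtin.env', 'LDAPD_BINDDN') }}"
LDAPD_BINDPW: "{{ lookup('ansible.builtin.env', 'LDAPD_BINDPW') }}"

# PAM profile for SSH certificate authentication. DEFAULT/PRIORITY look like
# pam-auth-update profile fields (Default: yes, Priority: N) — verify against
# the role's template before changing them. DEFAULT stays a quoted string on
# purpose: the consumer expects the literal text "yes", not a YAML boolean.
PAM_AUENGUN_SSH_ENABLE: true
PAM_AUENGUN_SSH_DEFAULT: "yes"
PAM_AUENGUN_SSH_PRIORITY: 257
# Principals accepted by the PAM module; sourced from the environment.
PAM_AUENGUN_SSH_AUTHORIZED_PRINCIPALS: "{{ lookup('ansible.builtin.env', 'PAM_AUENGUN_SSH_AUTHORIZED_PRINCIPALS') }}"

# pam_mkhomedir profile (same field semantics as the SSH profile above).
PAM_MKHOMEDIR_SPM_ENABLE: true
PAM_MKHOMEDIR_SPM_DEFAULT: "yes"
PAM_MKHOMEDIR_SPM_PRIORITY: 0

# Directory PAM modules are installed into; the trailing slash is relied on by
# the consuming role, so keep it. Quoted because the value contains a template.
PAM_SHARED_MODULE_PATH: "/usr/lib/{{ ansible_architecture }}-linux-gnu/security/"

# pam_ussh shared object fetched from the collection's own forge. The .sha256
# sidecar is served from the same origin as the module, so it detects transfer
# corruption but does not authenticate the artefact beyond the TLS connection
# to that host; a PAM module runs in the authentication path, so treat the
# forge's release integrity as part of the trust boundary.
# renovate: datasource=gitea-releases depName=GregoryDosh/pam_ussh versioning=loose
PAM_SHARED_MODULE_VERSION: "v0.43.0-161-b904"
PAM_SHARED_MODULE_URL: "https://git.auengun.net/GregoryDosh/pam_ussh/releases/download/{{ PAM_SHARED_MODULE_VERSION }}/pam_ussh.{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.so"
PAM_SHARED_MODULE_URL_SHA: "https://git.auengun.net/GregoryDosh/pam_ussh/releases/download/{{ PAM_SHARED_MODULE_VERSION }}/pam_ussh.{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.so.sha256"

# SSSD client configuration. The LDAP filter comes from the environment;
# the group/user filters default to empty (no additional filtering).
SSSD_DEFAULT_SHELL: /bin/bash
SSSD_LDAP_FILTER: "{{ lookup('ansible.builtin.env', 'SSSD_LDAP_FILTER') }}"
SSSD_FILTER_GROUPS: ""
SSSD_FILTER_USERS: ""

# Host certificate renewal. CERT_SAN lists the subject alternative names
# requested for this host; CERT_RENEWAL_RESTART_SYSTEMD_SERVICES defaults to
# an explicit empty list so the consumer sees a list, never null.
CERT_RENEWAL_SERVICE_NAME: cert-renew
CERT_SAN:
  - "{{ inventory_hostname_short }}.auengun.net"
  - "{{ inventory_hostname_short }}.virt.auengun.net"
CERT_RENEWAL_RESTART_SYSTEMD_SERVICES: []

# Grafana Alloy agent. No checksum is declared here for the .deb/.zip
# downloads — confirm whether the download task pins one (the pam module
# above at least has a sidecar). Version is quoted so "1.11.3"-style values
# are never retyped as floats.
GRAFANA_ALLOY_INSTALL: true
# renovate: datasource=github-releases depName=grafana/alloy
GRAFANA_ALLOY_VERSION: "1.11.3"
GRAFANA_ALLOY_ORGID: "{{ lookup('ansible.builtin.env', 'GRAFANA_ALLOY_ORGID') }}"
GRAFANA_ALLOY_PACKAGE_DEB_URL: "https://github.com/grafana/alloy/releases/download/v{{ GRAFANA_ALLOY_VERSION }}/alloy-{{ GRAFANA_ALLOY_VERSION }}-1.{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.deb"
GRAFANA_ALLOY_PACKAGE_ZIP_URL: "https://github.com/grafana/alloy/releases/download/v{{ GRAFANA_ALLOY_VERSION }}/alloy-linux-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.zip"
# Free-form snippets appended to the generated Alloy config; empty by default.
GRAFANA_ALLOY_EXTRA_CONFIG: ""
GRAFANA_ALLOY_EXTRA_CLEANUP_RULES: ""
GRAFANA_ALLOY_OBSERVE_ALLOY: true
GRAFANA_ALLOY_OBSERVE_DOCKER: true
GRAFANA_ALLOY_CADVISOR_DISABLED_METRICS: ""
GRAFANA_ALLOY_CADVISOR_ENABLED_METRICS: ""
GRAFANA_ALLOY_NODE_EXPORTER_EXTRA_RULES: ""
GRAFANA_ALLOY_NODE_EXPORTER_DISABLED_COLLECTORS: ""
GRAFANA_ALLOY_NODE_EXPORTER_ENABLED_COLLECTORS: ""

# Healthchecks API key; environment-sourced, never committed.
HEALTHCHECK_SITE_API_KEY: "{{ lookup('ansible.builtin.env', 'HEALTHCHECK_SITE_API_KEY') }}"

# smallstep CLI. As with Alloy, no checksum variable is declared for the .deb
# download — confirm how the download task verifies it.
STEP_BIN_INSTALL: true
# renovate: datasource=github-releases depName=smallstep/cli
STEP_BIN_VERSION: "0.28.7"
STEP_BIN_PACKAGE_DEB_URL: "https://github.com/smallstep/cli/releases/download/v{{ STEP_BIN_VERSION }}/step-cli_{{ STEP_BIN_VERSION }}-1_{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.deb"
STEP_BIN_NAME: step-cli
# Owner of the step state directory; root by default.
STEP_USER_NAME: root
STEP_GROUP_NAME: root
# STEP_PATH must keep its trailing slash: the CONFIG/CERTS paths below are
# built by plain string concatenation, not path joining.
STEP_PATH: /etc/step-ca/
STEP_CONFIG_PATH: "{{ STEP_PATH }}config/"
STEP_CERTS_PATH: "{{ STEP_PATH }}certs/"
# ACME provisioner name on the CA; environment-sourced.
STEP_CERTS_ACME_CA_PROVISIONER: "{{ lookup('ansible.builtin.env', 'STEP_CERTS_ACME_CA_PROVISIONER') }}"
# File names (relative to STEP_CERTS_PATH) for the issued material.
STEP_CERTS_ACME_CRT: acme.crt
STEP_CERTS_ACME_KEY: acme.key
STEP_CERTS_ROOT_CRT: root_ca.crt
STEP_CERTS_BUNDLE_CRT: bundle.crt # fullchain.pem
# SSH host key material: private key, public key and the CA-signed host cert
# all derive from the same basename.
STEP_CERTS_SSH_ROOT: ssh_host_ecdsa
STEP_CERTS_SSH_PRIVATE_KEY: "{{ STEP_CERTS_SSH_ROOT }}"
STEP_CERTS_SSH_PUBLIC_KEY: "{{ STEP_CERTS_SSH_ROOT }}.pub"
STEP_CERTS_SSH_HOST_CERT: "{{ STEP_CERTS_SSH_ROOT }}-cert.pub"
# User CA public key that sshd is told to trust for user certificates.
STEP_CERTS_SSH_TRUSTED_USER_CA_KEYS: trusted_user_ca_key.crt
STEP_CERTS_SYSTEMD_EXTRA_CONFIG: ""
# CA bootstrap. The fingerprint is the trust anchor for the bootstrap — it
# pins which root CA the host will accept — so it is pulled from the
# controller's environment rather than hard-coded here.
STEP_BOOTSTRAP_URL: "https://ca.auengun.net"
STEP_BOOTSTRAP_FINGERPRINT: "{{ lookup('ansible.builtin.env', 'STEP_BOOTSTRAP_FINGERPRINT') }}"
STEP_BOOTSTRAP_HOST: false # deprecated: enable on ad-hoc basis until future PKI rewrite
# Presumably controls whether the bootstrapped root is installed into the
# host trust store — verify against the role before relying on it.
STEP_BOOTSTRAP_HOST_TRUST: true

# Webroot for HTTP-01 style challenges; empty disables it (consumer-defined).
STEP_WEBROOT_PATH: ""

# Healthchecks check describing the renewal job. TIMEOUT/GRACE are presumably
# seconds (86400 = one day, 300 = five minutes) — confirm against the API.
STEP_HC_RENEWAL_NAME: "Cert - ACME/SSH - {{ inventory_hostname_short }} 🔄"
STEP_HC_RENEWAL_TIMEOUT: 86400
STEP_HC_RENEWAL_GRACE: 300
STEP_HC_RENEWAL_TAGS: "certs 🔄 {{ inventory_hostname_short }}"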