homelab/ansible-collection
0
0
Fork 0
Code Issues 1 Pull requests 1 Releases 159 Activity Actions
ansible-collection/roles/common/defaults/main.yml

104 lines
4.9 KiB
YAML
Raw Permalink Blame History

# Ansible Roles for managing Auengun.net Infrastructure & Testing/Learning.
# Source available at git.auengun.net/homelab/ansible-collection
# Copyright (C) 2023 GregoryDosh
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2023 GregoryDosh
---
INSTALL_QEMU_AGENT: true
LXC_SSH_TUNEUP: false
LDAPD_BINDDN: "{{ lookup('ansible.builtin.env', 'LDAPD_BINDDN') }}"
LDAPD_BINDPW: "{{ lookup('ansible.builtin.env', 'LDAPD_BINDPW') }}"
PAM_AUENGUN_SSH_ENABLE: true
PAM_AUENGUN_SSH_DEFAULT: "yes"
PAM_AUENGUN_SSH_PRIORITY: 257
PAM_AUENGUN_SSH_AUTHORIZED_PRINCIPALS: "{{ lookup('ansible.builtin.env', 'PAM_AUENGUN_SSH_AUTHORIZED_PRINCIPALS') }}"
PAM_MKHOMEDIR_SPM_ENABLE: true
PAM_MKHOMEDIR_SPM_DEFAULT: "yes"
PAM_MKHOMEDIR_SPM_PRIORITY: 0
PAM_SHARED_MODULE_PATH: /usr/lib/{{ ansible_architecture }}-linux-gnu/security/
# renovate: datasource=gitea-releases depName=GregoryDosh/pam_ussh versioning=loose
PAM_SHARED_MODULE_VERSION: v0.43.0-161-b904
PAM_SHARED_MODULE_URL: "https://git.auengun.net/GregoryDosh/pam_ussh/releases/download/{{ PAM_SHARED_MODULE_VERSION }}/pam_ussh.{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.so"
PAM_SHARED_MODULE_URL_SHA: "https://git.auengun.net/GregoryDosh/pam_ussh/releases/download/{{ PAM_SHARED_MODULE_VERSION }}/pam_ussh.{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.so.sha256"
SSSD_DEFAULT_SHELL: /bin/bash
SSSD_LDAP_FILTER: "{{ lookup('ansible.builtin.env', 'SSSD_LDAP_FILTER') }}"
SSSD_FILTER_GROUPS: ""
SSSD_FILTER_USERS: ""
CERT_RENEWAL_SERVICE_NAME: cert-renew
CERT_SAN:
- "{{ inventory_hostname_short }}.auengun.net"
- "{{ inventory_hostname_short }}.virt.auengun.net"
CERT_RENEWAL_RESTART_SYSTEMD_SERVICES: []
GRAFANA_ALLOY_INSTALL: true
# renovate: datasource=github-releases depName=grafana/alloy
GRAFANA_ALLOY_VERSION: "1.11.3"
GRAFANA_ALLOY_ORGID: "{{ lookup('ansible.builtin.env', 'GRAFANA_ALLOY_ORGID') }}"
GRAFANA_ALLOY_PACKAGE_DEB_URL: "https://github.com/grafana/alloy/releases/download/v{{ GRAFANA_ALLOY_VERSION }}/alloy-{{ GRAFANA_ALLOY_VERSION }}-1.{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.deb"
GRAFANA_ALLOY_PACKAGE_ZIP_URL: "https://github.com/grafana/alloy/releases/download/v{{ GRAFANA_ALLOY_VERSION }}/alloy-linux-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.zip"
GRAFANA_ALLOY_EXTRA_CONFIG: ""
GRAFANA_ALLOY_EXTRA_CLEANUP_RULES: ""
GRAFANA_ALLOY_OBSERVE_ALLOY: true
GRAFANA_ALLOY_OBSERVE_DOCKER: true
GRAFANA_ALLOY_CADVISOR_DISABLED_METRICS: ""
GRAFANA_ALLOY_CADVISOR_ENABLED_METRICS: ""
GRAFANA_ALLOY_NODE_EXPORTER_EXTRA_RULES: ""
GRAFANA_ALLOY_NODE_EXPORTER_DISABLED_COLLECTORS: ""
GRAFANA_ALLOY_NODE_EXPORTER_ENABLED_COLLECTORS: ""
HEALTHCHECK_SITE_API_KEY: "{{ lookup('ansible.builtin.env', 'HEALTHCHECK_SITE_API_KEY') }}"
STEP_BIN_INSTALL: true
# renovate: datasource=github-releases depName=smallstep/cli
STEP_BIN_VERSION: "0.28.7"
STEP_BIN_PACKAGE_DEB_URL: "https://github.com/smallstep/cli/releases/download/v{{ STEP_BIN_VERSION }}/step-cli_{{ STEP_BIN_VERSION }}-1_{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.deb"
STEP_BIN_NAME: step-cli
STEP_USER_NAME: root
STEP_GROUP_NAME: root
STEP_PATH: /etc/step-ca/
STEP_CONFIG_PATH: "{{ STEP_PATH }}config/"
STEP_CERTS_PATH: "{{ STEP_PATH }}certs/"
STEP_CERTS_ACME_CA_PROVISIONER: "{{ lookup('ansible.builtin.env', 'STEP_CERTS_ACME_CA_PROVISIONER') }}"
STEP_CERTS_ACME_CRT: acme.crt
STEP_CERTS_ACME_KEY: acme.key
STEP_CERTS_ROOT_CRT: root_ca.crt
STEP_CERTS_BUNDLE_CRT: bundle.crt # fullchain.pem
STEP_CERTS_SSH_ROOT: ssh_host_ecdsa
STEP_CERTS_SSH_PRIVATE_KEY: "{{ STEP_CERTS_SSH_ROOT }}"
STEP_CERTS_SSH_PUBLIC_KEY: "{{ STEP_CERTS_SSH_ROOT }}.pub"
STEP_CERTS_SSH_HOST_CERT: "{{ STEP_CERTS_SSH_ROOT }}-cert.pub"
STEP_CERTS_SSH_TRUSTED_USER_CA_KEYS: trusted_user_ca_key.crt
STEP_CERTS_SYSTEMD_EXTRA_CONFIG: ""
STEP_BOOTSTRAP_URL: https://ca.auengun.net
STEP_BOOTSTRAP_FINGERPRINT: "{{ lookup('ansible.builtin.env', 'STEP_BOOTSTRAP_FINGERPRINT') }}"
STEP_BOOTSTRAP_HOST: false # deprecated: enable on ad-hoc basis until future PKI rewrite
STEP_BOOTSTRAP_HOST_TRUST: true
STEP_WEBROOT_PATH: ""
STEP_HC_RENEWAL_NAME: "Cert - ACME/SSH - {{ inventory_hostname_short }} 🔄"
STEP_HC_RENEWAL_TIMEOUT: 86400
STEP_HC_RENEWAL_GRACE: 300
STEP_HC_RENEWAL_TAGS: "certs 🔄 {{ inventory_hostname_short }}"
Reference in a new issue View git blame Copy permalink