|
|
|
|
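---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
#
# About the credentials in this file: every *_password, *_secret, *_key, *_rootpw and
# *_pwd_* value below is an illustrative placeholder, not a usable secret. Generate a fresh
# random value for each one before deploying, and keep the real values in an
# ansible-vault-encrypted vars file rather than in plain text alongside the playbook.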
|
|
|
|
|
|
|
|
|
|
# Short personal nickname that will be mostly used as part of filenames under /etc.
|
|
|
|
|
nickname: personal
|
|
|
|
|
|
|
|
|
|
# Hostname and IPv4 address of the DMZ.
|
|
|
|
|
DMZ: dmz
|
|
|
|
|
DMZ_IP: 192.168.1.254
|
|
|
|
|
|
|
|
|
|
# Hostname and IPv4 address of the back-end server (with all the data).
|
|
|
|
|
SafeZone: home
|
|
|
|
|
SafeZone_IP: 192.168.1.253
|
|
|
|
|
|
|
|
|
|
# Domain names that the certificate should cover.
|
|
|
|
|
acme_domains: 'example.org www.example.org pubsub.example.org'
|
|
|
|
|
|
|
|
|
|
# Public key that Ansible will use to manage the server, and IP address of the controller PC.
|
|
|
|
|
# The public key (`….pub` file) is generated as the result of running `ssh-keygen -t ed25519`.
|
|
|
|
|
ansible_authorized_key: 'ssh-ed25519 AAAA0000bbbb1111CCCC2222dddd3333EEEE4444ffff5555GGGG6666hhhh7777IIII me@my-pc'
|
|
|
|
|
ansible_master: 192.168.1.252
|
|
|
|
|
|
|
|
|
|
# System user that will build packages from AUR (https://aur.archlinux.org/).
|
|
|
|
|
aur_user: git
|
|
|
|
|
|
|
|
|
|
# Just leave this with an empty-string value.
|
|
|
|
|
chroot: ''
|
|
|
|
|
|
|
|
|
|
# https://wiki.archlinux.org/index.php/Keyboard_configuration_in_console
|
|
|
|
|
default_keymap: en
|
|
|
|
|
|
|
|
|
|
# https://jlk.fjfi.cvut.cz/arch/manpages/man/papersize.5
|
|
|
|
|
default_papersize: a4
|
|
|
|
|
|
|
|
|
|
# LDAP (real) user that will have admin rights in Dotclear (the blog).
|
|
|
|
|
dotclear_admin_user: me
|
|
|
|
|
|
|
|
|
|
# Name of the Dotclear database in PostgreSQL.
|
|
|
|
|
dotclear_db: dotclear
|
|
|
|
|
|
|
|
|
|
# PostgreSQL user who owns the Dotclear database.
|
|
|
|
|
dotclear_db_user: dotclear
|
|
|
|
|
|
|
|
|
|
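# Password for the PostgreSQL user who owns the Dotclear database.
# Placeholder only (it equals the user name): replace it with a long random value, for
# example `openssl rand -base64 24`, and keep the real one in a vaulted vars file.
dotclear_db_password: dotclear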
|
|
|
|
|
|
|
|
|
|
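# Dotclear encrypts sensitive data with a master key, that is set here (random string).
# The example value is just the alphabet, not a random string: generate one before the first
# deployment (e.g. `openssl rand -hex 32`) and treat it like a password (vault it).
# Changing it afterwards presumably makes data already encrypted under the old key
# unreadable — confirm in the Dotclear documentation before rotating it.
dotclear_master_key: 0123456789abcdefghijklmnopqrstuvwxyz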
|
|
|
|
|
|
|
|
|
|
# Location where Dotclear is installed, which *must* end with “/dotclear”
|
|
|
|
|
dotclear_root: /srv/webapps/dotclear
|
|
|
|
|
|
|
|
|
|
# The default locale (https://wiki.archlinux.org/index.php/Locale).
|
|
|
|
|
locales_default: 'en_US.UTF-8'
|
|
|
|
|
|
|
|
|
|
# All installed locales on the server.
|
|
|
|
|
locales_enabled: 'en_US.UTF-8 fr_FR.UTF-8 fr_FR@euro'
|
|
|
|
|
|
|
|
|
|
# Enable DNSSEC in systemd-resolved (“yes” or “no”, as a character string); experimental!
|
|
|
|
|
dns_sec: 'no'
|
|
|
|
|
|
|
|
|
|
# DNS servers to use on the server, for example:
|
|
|
|
|
# FDN-1 (v4) FDN-2 (v4) FDN-1 (v6) FDN-2 (v6) OpenNIC-1 OpenNIC-2 Google
|
|
|
|
|
dns_hosts: '80.67.169.12 80.67.169.40 2001:910:800::12 2001:910:800::40 87.98.175.85 5.135.183.146 8.8.8.8'
|
|
|
|
|
|
|
|
|
|
# Nearest NTP servers (https://www.ntppool.org/).
|
|
|
|
|
ntp_hosts: '0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org'
|
|
|
|
|
|
|
|
|
|
# IP addresses that are allowed to browse DLNA/UPnP contents, even though they are not trusted.
|
|
|
|
|
# This is a space-separated list of networks (IP/bits).
|
|
|
|
|
# A typical example would be a living-room BD player or TV, which includes a DLNA client.
|
|
|
|
|
fw_dlna_clients: 192.168.1.53/32
|
|
|
|
|
|
|
|
|
|
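# Number of minutes allowed between two consecutive ports of the port-knocking sequence.
fw_knock_timeout_min: 2

# Port-knocking sequence. A port may appear multiple times, but not next to each-other.
# Port knocking only hides the protected service from casual scanning; it is not
# authentication. Anyone who can observe the traffic can replay the sequence, so the
# service it unlocks must still enforce strong authentication on its own, and this
# example sequence should not be reused as is.
fw_portknock_seq: 1 22 333 4444 333 22 1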
|
|
|
|
|
|
|
|
|
|
# The email address associated to root, for commits in the git repository that stores changes to /etc.
|
|
|
|
|
git_contact_email: hostmaster@example.org
|
|
|
|
|
|
|
|
|
|
# Watch new repositories inside the already-watched perimeter by default.
|
|
|
|
|
gitea_auto_watch_new_repos: 'true'
|
|
|
|
|
|
|
|
|
|
# Name of the Gitea (web UI for Git) database in PostgreSQL.
|
|
|
|
|
gitea_db: gitea
|
|
|
|
|
|
|
|
|
|
# PostgreSQL user who owns the Gitea database.
|
|
|
|
|
gitea_db_user: gitea
|
|
|
|
|
|
|
|
|
|
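# Password for the PostgreSQL user who owns the Gitea database.
# Placeholder only (it equals the user name): replace it with a long random value and keep
# the real one in a vaulted vars file.
gitea_db_password: gitea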
|
|
|
|
|
|
|
|
|
|
# Disable Gravatar pictures.
|
|
|
|
|
gitea_disable_gravatar: 'false'
|
|
|
|
|
|
|
|
|
|
# Disable HTTP for Git access.
|
|
|
|
|
gitea_disable_http_git: 'false'
|
|
|
|
|
|
|
|
|
|
# Disable mirrors.
|
|
|
|
|
gitea_disable_mirrors: 'true'
|
|
|
|
|
|
|
|
|
|
# Disable creation of organisations in Gitea (“true” or “false”, as a character string).
|
|
|
|
|
gitea_disable_org_creation: 'true'
|
|
|
|
|
|
|
|
|
|
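# Disable self-registration in Gitea (“true” or “false”, as a character string).
# 'false' leaves account creation open to anyone who can reach the Gitea URL. On an
# Internet-facing host, set this to 'true' and create accounts as administrator, unless
# public sign-up is really intended.
gitea_disable_registration: 'false'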
|
|
|
|
|
|
|
|
|
|
# Disable logs by Gitea router.
|
|
|
|
|
gitea_disable_router_log: 'false'
|
|
|
|
|
|
|
|
|
|
# Enable API and Swagger UI.
|
|
|
|
|
gitea_enable_api: 'true'
|
|
|
|
|
|
|
|
|
|
# Enable caching for the web UI.
|
|
|
|
|
gitea_enable_cache: 'true'
|
|
|
|
|
|
|
|
|
|
# Enable email notifications in Gitea (“true” or “false”, as a character string).
|
|
|
|
|
gitea_enable_notify_email: 'true'
|
|
|
|
|
|
|
|
|
|
# Enable OAuth2 provider.
|
|
|
|
|
gitea_enable_oauth2_provider: 'false'
|
|
|
|
|
|
|
|
|
|
# Index repositories.
|
|
|
|
|
gitea_enable_repo_indexer: 'true'
|
|
|
|
|
|
|
|
|
|
# Enable user heat-map.
|
|
|
|
|
gitea_enable_user_heatmap: 'true'
|
|
|
|
|
|
|
|
|
|
# Enable the time-tracking feature.
|
|
|
|
|
gitea_enable_timetracking: 'true'
|
|
|
|
|
|
|
|
|
|
# Available languages.
|
|
|
|
|
gitea_i18n: [
|
|
|
|
|
{"code": "en-US", "label": "English"},
|
|
|
|
|
{"code": "zh-CN", "label": "简体中文"},
|
|
|
|
|
{"code": "zh-HK", "label": "繁體中文(香港)"},
|
|
|
|
|
{"code": "zh-TW", "label": "繁體中文(台灣)"},
|
|
|
|
|
{"code": "de-DE", "label": "Deutsch"},
|
|
|
|
|
{"code": "fr-FR", "label": "français"},
|
|
|
|
|
{"code": "nl-NL", "label": "Nederlands"},
|
|
|
|
|
{"code": "lv-LV", "label": "latviešu"},
|
|
|
|
|
{"code": "ru-RU", "label": "русский"},
|
|
|
|
|
{"code": "uk-UA", "label": "Українська"},
|
|
|
|
|
{"code": "ja-JP", "label": "日本語"},
|
|
|
|
|
{"code": "es-ES", "label": "español"},
|
|
|
|
|
{"code": "pt-BR", "label": "português do Brasil"},
|
|
|
|
|
{"code": "pt-PT", "label": "Português de Portugal"},
|
|
|
|
|
{"code": "pl-PL", "label": "polski"},
|
|
|
|
|
{"code": "bg-BG", "label": "български"},
|
|
|
|
|
{"code": "it-IT", "label": "italiano"},
|
|
|
|
|
{"code": "fi-FI", "label": "suomi"},
|
|
|
|
|
{"code": "tr-TR", "label": "Türkçe"},
|
|
|
|
|
{"code": "cs-CZ", "label": "čeština"},
|
|
|
|
|
{"code": "sr-SP", "label": "српски"},
|
|
|
|
|
{"code": "sv-SE", "label": "svenska"},
|
|
|
|
|
{"code": "ko-KR", "label": "한국어"}
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
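# JWT secret for OAuth2 (relevant when gitea_enable_oauth2_provider is 'true').
# The value below is a visible pattern, not a secret: tokens signed with a known key can be
# forged. Replace it with a generated value (`gitea generate secret JWT_SECRET`) and keep
# the real one in a vaulted vars file.
gitea_jwt_secret: az09ZA_az09ZA_az09ZA_az09ZA_az09ZA_az09ZA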
|
|
|
|
|
|
|
|
|
|
# Space-separated list of mime types to accept for attachments (“*/*” means: “anything”).
|
|
|
|
|
gitea_mime_attach: 'image/jpeg image/png application/zip application/gzip'
|
|
|
|
|
|
|
|
|
|
# Notifications refresh in seconds.
|
|
|
|
|
gitea_notif_min_timeout: 10
|
|
|
|
|
gitea_notif_max_timeout: 60
|
|
|
|
|
gitea_notif_timeout_step: 10
|
|
|
|
|
|
|
|
|
|
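# A random salt-string for internal encryption (change it!).
# This is Gitea's SECRET_KEY; `gitea generate secret SECRET_KEY` produces a suitable value.
# Keep the real one vaulted, and do not rotate it casually: data Gitea encrypted with the
# old key is presumably no longer decryptable afterwards — check before changing it.
gitea_security_secret: '!#@FDEWREWR&*('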
|
|
|
|
|
|
|
|
|
|
# System user running Gitea
|
|
|
|
|
gitea_user: gitea
|
|
|
|
|
|
|
|
|
|
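# Maximum size of HTTP and PHP uploads.
# 10000M (about 10 GiB) applies to every upload endpoint behind the HTTP server, not only to
# Nextcloud. Any endpoint that accepts uploads without strong authentication could be used
# to fill the disk, so either lower this or make sure the per-application limits (for
# example privatebin_bytes_limit) are the effective bound on those endpoints.
http_max_upload: 10000M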
|
|
|
|
|
|
|
|
|
|
# Document-root of the HTTP server.
|
|
|
|
|
http_root: /srv/http
|
|
|
|
|
|
|
|
|
|
# URL prefix of Dotclear (blog).
|
|
|
|
|
http_pfx_dotclear: /blog
|
|
|
|
|
|
|
|
|
|
# URL prefix of Gitea (web UI for Git).
|
|
|
|
|
http_pfx_gitea: /git
|
|
|
|
|
|
|
|
|
|
# URL prefix of LDAP-Account-Manager (web UI for LDAP).
|
|
|
|
|
http_pfx_lam: /account
|
|
|
|
|
|
|
|
|
|
# URL prefix of Motion (video surveillance).
|
|
|
|
|
http_pfx_motion: /netcam
|
|
|
|
|
|
|
|
|
|
# URL prefix of Movim (XMPP web client).
|
|
|
|
|
http_pfx_movim: /social
|
|
|
|
|
|
|
|
|
|
# URL prefix of Nextcloud (self-hosted “cloud”).
|
|
|
|
|
http_pfx_nextcloud: /cloud
|
|
|
|
|
|
|
|
|
|
# URL prefix of PrivateBin (self-hosted “pastebin”).
|
|
|
|
|
http_pfx_privatebin: /paste
|
|
|
|
|
|
|
|
|
|
# URL prefix of Prosody-generated URL (file uploads, BOSH, websockets…).
|
|
|
|
|
http_pfx_prosody: /xmpp-
|
|
|
|
|
|
|
|
|
|
# URL prefix of SSOwat (SSO and web portal).
|
|
|
|
|
http_pfx_ssowat: /start
|
|
|
|
|
|
|
|
|
|
# URL prefix of Transmission (web UI for BitTorrent).
|
|
|
|
|
http_pfx_transmission: /torrent
|
|
|
|
|
|
|
|
|
|
# URL prefix of Wallabag (social sharing of bookmarks).
|
|
|
|
|
http_pfx_wallabag: /bookmarks
|
|
|
|
|
|
|
|
|
|
# Subdomain-name that will serve DNS packets for Iodine (DNS tunnel). Choose it short!
|
|
|
|
|
iodine_domain: dt.example.org
|
|
|
|
|
|
|
|
|
|
# Network associated with the DNS tunnel (IP address of the server on this network, “/”, bits for the network-mask).
|
|
|
|
|
iodine_net: '172.16.12.1/28'
|
|
|
|
|
|
|
|
|
|
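# Password of the DNS tunnel.
# Placeholder: the tunnel end-point is reachable from the whole Internet through DNS, so use
# a long random password and keep the real one in a vaulted vars file.
iodine_password: '_t_r___e@6358'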
|
|
|
|
|
|
|
|
|
|
# Location of Kodi state data (not the media contents).
|
|
|
|
|
kodi_data: /var/lib/kodi
|
|
|
|
|
|
|
|
|
|
# System user that will run Kodi.
|
|
|
|
|
kodi_user: kodi
|
|
|
|
|
|
|
|
|
|
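# Master password, needed to change LDAP-Account-Manager settings.
# Placeholder (“lam”): this password controls LAM's own configuration, including the LDAP
# credentials it uses, so replace it with a random value and keep it vaulted.
lam_master_password: lam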
|
|
|
|
|
|
|
|
|
|
# Password policy for LDAP-Account-Manager (https://www.ldap-account-manager.org/static/doc/manual-onePage/#idm695).
|
|
|
|
|
# “-1” means “all”.
|
|
|
|
|
lam_checkedRulesCount: -1
|
|
|
|
|
lam_passwordMinClasses: 3
|
|
|
|
|
lam_passwordMinLength: 10
|
|
|
|
|
lam_passwordMinLower: 0
|
|
|
|
|
lam_passwordMinNumeric: 0
|
|
|
|
|
lam_passwordMinSymbol: 1
|
|
|
|
|
lam_passwordMinUpper: 0
|
|
|
|
|
lam_passwordMustNotContain3Chars: 'true'
|
|
|
|
|
lam_passwordMustNotContainUser: 'true'
|
|
|
|
|
|
|
|
|
|
# Title for LDAP-Account-Manager in the SSOwat portal.
|
|
|
|
|
lam_sso_title: Directory
|
|
|
|
|
|
|
|
|
|
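# Additional ACL for LDAP.
# This is typically used to give extra powers to users, for example regarding aliases management.
# Note that `by * read` also matches anonymous (unauthenticated) binds, so with the example
# below the aliases subtree is readable by anyone who can reach the LDAP port; use
# `by users read` if only authenticated users should see it.
# OpenLDAP applies the first `access to` clause whose target matches, so where the role
# inserts this fragment relative to its own rules decides whether it takes effect at all —
# check the generated slapd configuration.
ldap_extra_acl: |
  access to dn.subtree="ou=Aliases,dc=example,dc=org"
    by dn.base="uid=me,ou=Users,dc=example,dc=org" write
    by self read
    by * read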
|
|
|
|
|
|
|
|
|
|
# Organization-name for this home-server LDAP directory.
|
|
|
|
|
ldap_o_name: 'Home'
|
|
|
|
|
|
|
|
|
|
# Root of the LDAP directory. Usually the domain-name with commas instead of dots, and “dc=” in front of each level.
|
|
|
|
|
ldap_root: dc=example,dc=org
|
|
|
|
|
|
|
|
|
|
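# Password of the root user (administrator) in OpenLDAP.
# Placeholder: generate a long random password, and keep this file vaulted — the password
# appears here in clear, not only as the hash below.
ldap_rootpw: 'OE104995à6&o_zKR4'

# Same password, as expected by OpenLDAP.
# `slappasswd -s '<password>'` (shipped with OpenLDAP) produces this value; the links below
# are alternatives. {SSHA} is salted SHA-1: universally accepted by OpenLDAP, but cheap to
# attack offline if the directory is ever dumped. If the role loads the corresponding
# password module, a stronger scheme such as {PBKDF2-SHA512} or {ARGON2} is preferable.
# See https://gist.github.com/rca/7217540 (python2) or https://www.openldap.org/faq/data/cache/347.html.
ldap_rootpw_sha: '{SSHA}Raa3TlvDPZTjdM44nKZQt+hDvQRvaMDC'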
|
|
|
|
|
|
|
|
|
|
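# Custom system groups and memberships, declared in LDAP.
# This is the right place to declare a group in which to put all real and system users, who will be allowed to read media contents.
# The value is a JSON list embedded in a string: every element but the last must be followed
# by a comma, otherwise the list fails to parse at deployment time.
ldap_system_groups: '[
  {"cn": "registered", "gidNumber": 1200},
  {"cn": "media", "gidNumber": 1201}
]'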
|
|
|
|
|
ldap_system_group_members: '[
|
|
|
|
|
{"group": "media", "member": "me"},
|
|
|
|
|
{"group": "media", "member": "cloud"},
|
|
|
|
|
{"group": "media", "member": "kodi"}
|
|
|
|
|
]'
|
|
|
|
|
|
|
|
|
|
# Real users (ie. with a Linux account on the server) to declare in LDAP.
|
|
|
|
|
# Each user in the JSON list contains:
|
|
|
|
|
# — uidNumber: a unique user ID, which must be ≥1000;
|
|
|
|
|
# — gidNumber: a group ID, which should be a “gidNumber” of ldap_system_groups;
|
|
|
|
|
# — uid: the login name, usually short, without spaces, and all lowercase;
|
|
|
|
|
# — cn: the user’s firstname;
|
|
|
|
|
# — sn: the user’s surname;
|
|
|
|
|
# — password: the user’s password upon creation, in the same format as ldap_rootpw_sha (“change_me” in the example; every example account below shares that same hash, so replace each one).
|
|
|
|
|
# These settings are only read when creating the users in LDAP.
|
|
|
|
|
ldap_system_users: '[
|
|
|
|
|
{"uidNumber": 1000, "gidNumber": 1200, "uid": "you", "cn": "Yule-Offa", "sn": "Udel", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"},
|
|
|
|
|
{"uidNumber": 1001, "gidNumber": 1200, "uid": "me", "cn": "Mae", "sn": "Ellen", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"}
|
|
|
|
|
]'
|
|
|
|
|
|
|
|
|
|
# Guest users (they can use the provided software, but do not have a Linux account).
|
|
|
|
|
# The fields are the same as above, minus the Linux UID and GID numbers.
|
|
|
|
|
# These settings are only read when creating the users in LDAP.
|
|
|
|
|
ldap_virtual_users: '[
|
|
|
|
|
{"uid": "she", "cn": "Her", "sn": "…", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"},
|
|
|
|
|
{"uid": "he", "cn": "Him", "sn": "…", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"}
|
|
|
|
|
]'
|
|
|
|
|
|
|
|
|
|
# Linux UID and GID to use for users who do not have their own.
|
|
|
|
|
# 65534 = nobody
|
|
|
|
|
ldap_virtual_user_uid: 65534
|
|
|
|
|
ldap_virtual_user_gid: 65534
|
|
|
|
|
|
|
|
|
|
# LDAP attributes to assign to users, either Linux users or guests.
|
|
|
|
|
# Each entry in the list contains:
|
|
|
|
|
# — uid: the login name of the user to modify;
|
|
|
|
|
# — attr: the LDAP attribute to set;
|
|
|
|
|
# — value: the value to store in the chosen attribute.
|
|
|
|
|
# These settings are enforced at each run. Examples:
|
|
|
|
|
# — gecos: the full name that typically appears on the login screen;
|
|
|
|
|
# — http://directory.fedoraproject.org/docs/389ds/design/shadow-account-support.html.
|
|
|
|
|
ldap_users_attrs: '[
|
|
|
|
|
{"uid": "you", "attr": "gecos", "value": "Y-O. Udel"},
|
|
|
|
|
{"uid": "you", "attr": "shadowLastChange", "value": "16000"},
|
|
|
|
|
{"uid": "you", "attr": "shadowMax", "value": "99999"},
|
|
|
|
|
{"uid": "you", "attr": "shadowWarning", "value": "7"},
|
|
|
|
|
{"uid": "me", "attr": "gecos", "value": "M. Ellen"},
|
|
|
|
|
{"uid": "me", "attr": "shadowLastChange", "value": "16000"},
|
|
|
|
|
{"uid": "me", "attr": "shadowMax", "value": "99999"},
|
|
|
|
|
{"uid": "me", "attr": "shadowWarning", "value": "7"}
|
|
|
|
|
]'
|
|
|
|
|
|
|
|
|
|
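# Login name and password of the LibreOffice OnLine web services’ administrator.
# This account opens loolwsd's own admin console (server status and active sessions), so
# it is not cosmetic. Give it a distinct random password rather than reusing
# nextcloud_admin_password: a leak of one set of credentials should not hand over the other.
loolwsd_admin_user: nextcloud_admin
loolwsd_admin_password: nextcloud_admin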
|
|
|
|
|
|
|
|
|
|
# LibreOffice OnLine’s description: “The maximum percentage of system memory consumed
|
|
|
|
|
# by all of the LibreOffice Online, after which we start cleaning up idle documents”.
|
|
|
|
|
loolwsd_maxmem_asdouble: '80.0'
|
|
|
|
|
|
|
|
|
|
# Non-system mail aliases (stored in LDAP, in contrast to system aliases, which are stored in /etc/mail/aliases).
|
|
|
|
|
# Each entry in the list contains:
|
|
|
|
|
# — alias: a unique mail alias, either new or with existing associated recipients;
|
|
|
|
|
# — member: the login name of the user to add as a recipient for the alias.
|
|
|
|
|
mail_alias_memberships: '[
|
|
|
|
|
{"alias": "shop", "member": "you"},
|
|
|
|
|
{"alias": "throwable", "member": "me"},
|
|
|
|
|
{"alias": "family", "member": "me"},
|
|
|
|
|
{"alias": "family", "member": "you"}
|
|
|
|
|
]'
|
|
|
|
|
|
|
|
|
|
# DKIM selector to use (see http://yalis.fr/cms/index.php/post/2014/01/31/Why-buy-a-domain-name-Secure-mail%2E).
|
|
|
|
|
# See the “dmz_exim” role for the storage of the private and public keys.
|
|
|
|
|
mail_dkim_selector: home
|
|
|
|
|
|
|
|
|
|
# Actual Linux user, that receives all system emails (for root, postmaster, hostmaster…).
|
|
|
|
|
mail_forward_root_to: me
|
|
|
|
|
|
|
|
|
|
# IPv6 address of the ISP’s smarthost when the ISP does not handle SMTP on IPv6 (example: smtp.bbox.fr).
|
|
|
|
|
mail_ignore_ip: '2001:860:e2ef::f503:0:2'
|
|
|
|
|
|
|
|
|
|
# All local mail destinations, which include managed domains, as well as host names.
|
|
|
|
|
mail_local_domains: 'home dmz localhost example.org *.example.org *.local'
|
|
|
|
|
|
|
|
|
|
# Maximum number of SPAM-filter workers.
|
|
|
|
|
mail_max_spam_workers: 5
|
|
|
|
|
|
|
|
|
|
# The ISP’s smarthost (which listens on port 25).
|
|
|
|
|
mail_smtp_smarthost: smtp.bbox.fr
|
|
|
|
|
|
|
|
|
|
# The group name for media contents (see also “ldap_system_groups”).
|
|
|
|
|
media_group: media
|
|
|
|
|
|
|
|
|
|
# Custom Minidlna configuration, including the locations where it will look for media contents.
|
|
|
|
|
# None of the “media_dir” paths is currently allowed under /opt.
|
|
|
|
|
# Apart from “media_dir”, the settings already set upstream must not be overridden.
|
|
|
|
|
# See also “nfs_exports”, and https://sourceforge.net/p/minidlna/git/ci/master/tree/minidlna.conf (upstream).
|
|
|
|
|
media_minidlna_conf: |
|
|
|
|
|
media_dir=V,/srv/nfs/share/video
|
|
|
|
|
media_dir=A,/srv/nfs/share/my_CDs
|
|
|
|
|
media_dir=A,/srv/nfs/share/my_MP3
|
|
|
|
|
media_dir=P,/srv/nfs/share/photos
|
|
|
|
|
root_container=B
|
|
|
|
|
friendly_name=HomeMedia
|
|
|
|
|
|
|
|
|
|
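# Motion data directory
motion_data: /var/lib/motion

# Off-site storage for the recordings. The login, password, application id and key below
# are placeholders; the real ones are credentials and belong in a vaulted vars file.
motion_cloud_url: 'https://www.mediafire.com/'
motion_cloud_login: login
motion_cloud_password: password
motion_cloud_id: app_id_xxxxx
motion_cloud_key: xxxxxxxxxx…xxxxxxxxxx

# Email recipient used by Motion.
motion_email_recipient: hostmaster@localhost

# Cameras to watch (JSON list embedded in a string).
# Each "url" embeds the camera's login and password, which makes this whole value a secret
# (vault it). rtsp:// is also cleartext, so those credentials travel unencrypted between the
# cameras and this host — keep the cameras on a network segment that nothing else can sniff.
# "mask_file" names a PGM mask (presumably matching "width" × "height") or is null for none.
motion_cameras: '[
  {
    "id": 1, "name": "street door",
    "url": "rtsp://user:password@street.example.org:554/videoMain",
    "width": 640, "height": 360,
    "mask_file": "example_mask_640_360.pgm",
    "framerate": 5
  },
  {
    "id": 2, "name": "garden door",
    "url": "rtsp://user:password@garden.example.org:554/videoMain",
    "width": 640, "height": 360,
    "mask_file": null,
    "framerate": 5
  }
]'

# Title used for the Motion web UI.
motion_web_title: "Video surveillance"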
|
|
|
|
|
|
|
|
|
|
# Name of the Movim database in PostgreSQL.
|
|
|
|
|
movim_db: movim
|
|
|
|
|
|
|
|
|
|
# PostgreSQL user who owns the Movim database.
|
|
|
|
|
movim_db_user: movim
|
|
|
|
|
|
|
|
|
|
# Password for the PostgreSQL user who owns the Movim database.
|
|
|
|
|
movim_db_password: movim
|
|
|
|
|
|
|
|
|
|
# Administrator for Movim.
|
|
|
|
|
movim_admin_user: movim_admin
|
|
|
|
|
|
|
|
|
|
# Password of the administrator for Movim.
|
|
|
|
|
movim_admin_password: movim_admin
|
|
|
|
|
|
|
|
|
|
# Localhost port on which Movim is listening
|
|
|
|
|
movim_private_port: 33333
|
|
|
|
|
|
|
|
|
|
# Domain names to which network access from the DMZ is allowed.
|
|
|
|
|
# This space-separated list should contain:
|
|
|
|
|
# — the web address for checking the current public IP given by the ISP;
|
|
|
|
|
# — the web address for updating the dynamic DNS;
|
|
|
|
|
# — the web address for updating web applications…
|
|
|
|
|
net_allowed_domains: 'checkip.dns.he.net dyn.dns.he.net freedns.afraid.org download.dotclear.org dotaddict.org api.movim.eu'
|
|
|
|
|
|
|
|
|
|
# Start Of Authority: the root domain name configured on the server.
|
|
|
|
|
net_soa: example.org
|
|
|
|
|
|
|
|
|
|
# Subdomain for the XMPP multi-user chat component.
|
|
|
|
|
net_subdom_muc: muc
|
|
|
|
|
|
|
|
|
|
# Subdomain for the XMPP pub-sub component.
|
|
|
|
|
net_subdom_pubsub: pubsub
|
|
|
|
|
|
|
|
|
|
# Subdomain for which TLS traffic (port 443) is analysed as SSH instead of HTTP.
|
|
|
|
|
net_subdom_ssh: ssh
|
|
|
|
|
|
|
|
|
|
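# Local networks from which network connections are trusted.
# OpenSSH requires that the IP in front of the “/” character is the first IP of the range!
# A /28 block starting at .248 does not exist (it would start at .240), so “.248/28” breaks
# that rule. 192.168.1.248/29 is the smallest block that starts at .248 and still holds the
# DMZ (.254), the safe zone (.253) and the Ansible controller (.252); use 192.168.1.240/28
# instead if hosts in .240–.247 must be trusted as well.
net_trusted_ranges: '192.168.1.248/29 127.0.0.0/8 ::1'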
|
|
|
|
|
|
|
|
|
|
# Administrator for Nextcloud (not necessarily an LDAP user).
|
|
|
|
|
nextcloud_admin_user: nextcloud_admin
|
|
|
|
|
|
|
|
|
|
# Password of the administrator for Nextcloud.
|
|
|
|
|
nextcloud_admin_password: nextcloud_admin
|
|
|
|
|
|
|
|
|
|
# Path to Nextcloud’s configuration.
|
|
|
|
|
nextcloud_conf: /etc/webapps/nextcloud/config
|
|
|
|
|
|
|
|
|
|
# Path to local Nextcloud data (not the users’ files).
|
|
|
|
|
nextcloud_data: /var/lib/nextcloud
|
|
|
|
|
|
|
|
|
|
# Name of the Nextcloud database in PostgreSQL.
|
|
|
|
|
nextcloud_db: nextcloud
|
|
|
|
|
|
|
|
|
|
# PostgreSQL user who owns the Nextcloud database.
|
|
|
|
|
nextcloud_db_user: nextcloud
|
|
|
|
|
|
|
|
|
|
# Password for the PostgreSQL user who owns the Nextcloud database.
|
|
|
|
|
nextcloud_db_password: nextcloud
|
|
|
|
|
|
|
|
|
|
# Path to Nextcloud distribution data (not the users’ files).
|
|
|
|
|
nextcloud_root: /usr/share/webapps/nextcloud
|
|
|
|
|
|
|
|
|
|
# System user that will run Nextcloud.
|
|
|
|
|
nextcloud_user: cloud
|
|
|
|
|
|
|
|
|
|
# Local paths (on the safe side of the server) that shall be exported with NFS.
|
|
|
|
|
# Each entry contains:
|
|
|
|
|
# — name: the name of the NFS export, under /srv/nfs;
|
|
|
|
|
# — path: the exported local path.
|
|
|
|
|
nfs_exports: '[
|
|
|
|
|
{"name": "share", "path": "/mnt/share"},
|
|
|
|
|
{"name": "share/video", "path": "/mnt/media/video"},
|
|
|
|
|
{"name": "share/my_CDs", "path": "/mnt/media/my_CDs"},
|
|
|
|
|
{"name": "share/my_MP3", "path": "/mnt/media/my_MP3"},
|
|
|
|
|
{"name": "share/photos", "path": "/mnt/media/photos"}
|
|
|
|
|
]'
|
|
|
|
|
|
|
|
|
|
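# NFS export options (https://linux.die.net/man/5/exports).
# no_root_squash lets root on any client that can mount these exports act as root on the
# exported trees (and rw lets it write them). That is only tolerable if the role restricts
# the exports to the DMZ/trusted hosts — confirm — and these options must never be reused
# for an export reachable from an untrusted network. Where root access on the client is not
# needed, prefer root_squash together with group ownership through media_group.
nfs_options: 'rw,no_subtree_check,no_root_squash,no_wdelay,crossmnt'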
|
|
|
|
|
|
|
|
|
|
# Log level for nginx (http://nginx.org/en/docs/ngx_core_module.html#error_log).
|
|
|
|
|
nginx_loglevel: info
|
|
|
|
|
|
|
|
|
|
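# Administrator password for PostgreSQL.
# Placeholder (“PostgreSQL”): this is the superuser password for every database on the
# host, so replace it with a long random value and keep it in a vaulted vars file.
pgpassword: PostgreSQL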
|
|
|
|
|
|
|
|
|
|
# Maximum number of PHP-handling processes.
|
|
|
|
|
php_max_workers: 5
|
|
|
|
|
|
|
|
|
|
# Maximum number of requests a PHP-handling process can handle before being reset (0: never reset).
|
|
|
|
|
php_worker_max_reqs: 0
|
|
|
|
|
|
|
|
|
|
# Maximum number of bytes in a Privatebin paste (or image).
|
|
|
|
|
privatebin_bytes_limit: 10485760
|
|
|
|
|
|
|
|
|
|
# Enable discussions in Privatebin (“true” or “false” as a character string).
|
|
|
|
|
privatebin_enable_discussion: 'false'
|
|
|
|
|
|
|
|
|
|
# Enable passwords in Privatebin (“true” or “false” as a character string).
|
|
|
|
|
privatebin_enable_passwords: 'false'
|
|
|
|
|
|
|
|
|
|
# Enable uploads in Privatebin (“true” or “false” as a character string).
|
|
|
|
|
privatebin_enable_uploads: 'true'
|
|
|
|
|
|
|
|
|
|
# Open discussions by default in Privatebin (“true” or “false” as a character string).
|
|
|
|
|
privatebin_open_discussion: 'false'
|
|
|
|
|
|
|
|
|
|
# Delay in seconds before an opportunistic purge of old pastes is attempted while processing a request.
|
|
|
|
|
privatebin_purge_delay: 300
|
|
|
|
|
|
|
|
|
|
# Title for Privatebin in the SSOwat portal.
|
|
|
|
|
privatebin_sso_title: Privatebin
|
|
|
|
|
|
|
|
|
|
# Name of the Prosody database in PostgreSQL.
|
|
|
|
|
prosody_db: prosody
|
|
|
|
|
|
|
|
|
|
# PostgreSQL user who owns the Prosody database.
|
|
|
|
|
prosody_db_user: prosody
|
|
|
|
|
|
|
|
|
|
# Password for the PostgreSQL user who owns the Prosody database.
|
|
|
|
|
prosody_db_password: prosody
|
|
|
|
|
|
|
|
|
|
# Space-separated list of SANE drivers to keep enabled, for scanner sharing.
|
|
|
|
|
sane_drivers: epson2
|
|
|
|
|
|
|
|
|
|
# Space-separated list of pacman mirrors to use.
|
|
|
|
|
software_mirrors: 'archlinux.de-labrusse.fr mirror.archlinux.ikoula.com'
|
|
|
|
|
|
|
|
|
|
# Software that will get removed if present, on next run of the playbook (JSON list).
|
|
|
|
|
software_to_del: '["dhcpcd"]'
|
|
|
|
|
|
|
|
|
|
# Comma-separated list of software that pacman should not automatically upgrade.
|
|
|
|
|
software_to_ignore: 'linux,linux-firmware,linux-headers'
|
|
|
|
|
|
|
|
|
|
# Environment variables that SSH may keep for remote connections.
|
|
|
|
|
ssh_accept_env: 'LANG LC_*'
|
|
|
|
|
|
|
|
|
|
# Allow port-forwarding with SSH (“yes” or “no” as a character string).
|
|
|
|
|
ssh_allow_tcpforward: 'yes'
|
|
|
|
|
|
|
|
|
|
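# Allow binding of port-forwardings on the LAN interface with SSH (“yes” or “no” as a character string).
# With GatewayPorts set to yes, a remote forward (`ssh -R`) opened by any SSH user binds on
# all interfaces, so it also exposes the forwarded service to whoever can reach this host.
# On the Internet-facing DMZ prefer 'no' (or sshd's `clientspecified`, if the role passes the
# string through unchanged) unless LAN-wide forwards are deliberately wanted.
ssh_allow_gatewayports: 'yes'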
|
|
|
|
|
|
|
|
|
|
# Allow X11 forwarding with SSH (“yes” or “no” as a character string).
|
|
|
|
|
ssh_allow_x11forward: 'yes'
|
|
|
|
|
|
|
|
|
|
# Allow SSH tunnels (“yes” or “no” as a character string).
|
|
|
|
|
ssh_allow_tunnel: 'yes'
|
|
|
|
|
|
|
|
|
|
# System user that will accept SSH connections in the DMZ, as a way to get access to the safe zone.
|
|
|
|
|
ssh_bastion_user: gatekeeper
|
|
|
|
|
|
|
|
|
|
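# SHA-512 password of the system user who can remotely SSH to the DMZ (here: “let-me-in”).
# The hash below is of a publicly known example password: replace it before deploying.
# Generate the hash locally with `openssl passwd -6` (or `mkpasswd -m sha-512`) and keep it
# vaulted — a crypt hash is still brute-forceable offline. This account is the Internet-facing
# entry point, so it should require a key (authorized_keys) rather than the password alone;
# check what the sshd role sets for PasswordAuthentication on this user.
# See https://unix.stackexchange.com/a/76337 for some help.
ssh_bastion_pwd_sha512: '$6$ZN4I.yIVUj0amxqe$5dBx1d34tNm9NMmmFV3UxZ0V2ecmOjefK5dbTW5Da/xC8M78sZbPQdegcqA3/9Wtr2fMQ0y6pxVh31Q01PrfS/'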
|
|
|
|
|
|
|
|
|
|
# Client-alive interval for the SSH daemon, in seconds.
|
|
|
|
|
ssh_clientalive_interval: 600
|
|
|
|
|
|
|
|
|
|
# Server’s timezone.
|
|
|
|
|
timezone: Europe/Paris
|
|
|
|
|
|
|
|
|
|
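# TLS ciphers to enable in TLS-terminating software (HAProxy, Nginx…).
# See https://wiki.mozilla.org/Security/Server_Side_TLS.
# Derived from the Mozilla lists, keeping only (EC)DHE suites: every suite negotiates an
# ephemeral key (forward secrecy), and the 3DES suites (Sweet32) and the static-RSA suites of
# the “old” profile are left out. The CBC/SHA-1 suites remain only for older TLS 1.2 clients;
# drop everything after DHE-RSA-AES256-GCM-SHA384 to get an AEAD-only “modern” list.
tls_ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!DSS'

# HAProxy server and bind options to use (https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5).
# no-tlsv10 and no-tlsv11 leave TLS 1.2 and later only (both older versions are deprecated
# by RFC 8996); no-tls-tickets keeps session resumption from undermining forward secrecy.
tls_options: 'no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets'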
|
|
|
|
|
|
|
|
|
|
# Transmission (BitTorrent) public/peer port
|
|
|
|
|
transmission_bt_port: 60000
|
|
|
|
|
|
|
|
|
|
# Transmission private RPC port (for the Web UI).
|
|
|
|
|
transmission_rpc_port: 50000
|
|
|
|
|
|
|
|
|
|
# Path to the directory where Transmission should store the downloads that are finished, on the safe side.
|
|
|
|
|
transmission_real_done_at: /mnt/share/p2p/iso
|
|
|
|
|
|
|
|
|
|
# Path to the directory where Transmission should read torrent files to process, on the safe side.
|
|
|
|
|
transmission_real_todo_at: /mnt/share/p2p/iso.torrent
|
|
|
|
|
|
|
|
|
|
# Name given to “transmission_real_done_at” and “transmission_real_todo_at” as NFS exports.
|
|
|
|
|
transmission_nfs_done_at: share/p2p/iso
|
|
|
|
|
transmission_nfs_todo_at: share/p2p/iso.torrent
|
|
|
|
|
|
|
|
|
|
# Name of the Wallabag database in PostgreSQL.
|
|
|
|
|
wallabag_db: wallabag
|
|
|
|
|
|
|
|
|
|
# PostgreSQL user who owns the Wallabag database.
|
|
|
|
|
wallabag_db_user: wallabag
|
|
|
|
|
|
|
|
|
|
# Password for the PostgreSQL user who owns the Wallabag database.
|
|
|
|
|
wallabag_db_password: wallabag
|
|
|
|
|
|
|
|
|
|
# Space-separated list of the XMPP accounts that are considered administrators of the XMPP service.
|
|
|
|
|
xmpp_admins: 'me@example.org'
|
|
|
|
|
|
|
|
|
|
# Network hosts from which registration is possible (else it is forbidden).
|
|
|
|
|
# Registration of hosted users is automatic.
|
|
|
|
|
xmpp_registration_hosts: '127.0.0.1 192.168.1.254 192.168.1.253 192.168.1.252'
|
|
|
|
|
|
|
|
|
|
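# Secret value known to the XMPP upload service (HTTP), so that it is only used by the XMPP network.
# Placeholder: anyone who knows this value can obtain upload slots, so use a long random
# string and keep the real one in a vaulted vars file.
xmpp_upload_secret: 'xmpp upload secret'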
|