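---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#
# NOTE(review): every password, key, hash and secret in this file is a sample value that is
# published together with the project. Regenerate each one before deploying, and keep this file
# (or at least the secret keys) encrypted with ansible-vault instead of in clear text in Git.
# Secret values are written as quoted strings on purpose: a generated secret made only of digits,
# or equal to something like “no”/“null”, would otherwise be retyped by the YAML parser.

# Short personal nickname that will be mostly used as part of filenames under /etc.
nickname: personal

# Hostname and IPv4 address of the DMZ.
DMZ: dmz
DMZ_IP: 192.168.1.254

# Hostname and IPv4 address of the back-end server (with all the data).
SafeZone: home
SafeZone_IP: 192.168.1.253

# Domain names that the certificate should cover.
acme_domains: 'example.org www.example.org pubsub.example.org'

# Public key that Ansible will use to manage the server, and IP address of the controller PC.
# The public key (`….pub` file) is generated as the result of running `ssh-keygen -t ed25519`.
# The value below is a placeholder, not a usable key.
ansible_authorized_key: 'ssh-ed25519 AAAA0000bbbb1111CCCC2222dddd3333EEEE4444ffff5555GGGG6666hhhh7777IIII me@my-pc'
ansible_master: 192.168.1.252

# System user that will build packages from AUR (https://aur.archlinux.org/).
aur_user: git

# Just leave this with an empty-string value.
chroot: ''

# https://wiki.archlinux.org/index.php/Keyboard_configuration_in_console
default_keymap: en

# https://jlk.fjfi.cvut.cz/arch/manpages/man/papersize.5
default_papersize: a4

# LDAP (real) user that will have admin rights in Dotclear (the blog).
dotclear_admin_user: me
# Name of the Dotclear database in PostgreSQL.
dotclear_db: dotclear
# PostgreSQL user who owns the Dotclear database.
dotclear_db_user: dotclear
# Password for the PostgreSQL user who owns the Dotclear database (sample value: change it).
dotclear_db_password: 'dotclear'
# Dotclear encrypts sensitive data with a master key, that is set here (random string; change it).
dotclear_master_key: '0123456789abcdefghijklmnopqrstuvwxyz'
# Location where Dotclear is installed, which *must* end with “/dotclear”.
dotclear_root: /srv/webapps/dotclear

# The default locale (https://wiki.archlinux.org/index.php/Locale).
locales_default: 'en_US.UTF-8'
# All installed locales on the server.
locales_enabled: 'en_US.UTF-8 fr_FR.UTF-8 fr_FR@euro'

# Enable DNSSEC in systemd-resolved (“yes” or “no”, as a character string); experimental!
dns_sec: 'no'
# DNS servers to use on the server, for example:
# FDN-1 (v4) FDN-2 (v4) FDN-1 (v6) FDN-2 (v6) OpenNIC-1 OpenNIC-2 Google
dns_hosts: '80.67.169.12 80.67.169.40 2001:910:800::12 2001:910:800::40 87.98.175.85 5.135.183.146 8.8.8.8'

# Nearest NTP servers (https://www.ntppool.org/).
ntp_hosts: '0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org'

# IP addresses that are allowed to browse DLNA/uPNP contents, even though they are not trusted.
# This is a space-separated list of networks (IP/bits).
# A typical example would be a living-room BD player or TV, which includes a DLNA client.
fw_dlna_clients: 192.168.1.53/32

# Number of minutes allowed between two consecutive ports of the port-knocking sequence.
fw_knock_timeout_min: 2
# Port-knocking sequence. A port may appear multiple times, but not next to each-other.
# The sequence below is a published example: choose your own. Port knocking only hides the
# service; it is not authentication, so it must never replace strong SSH credentials.
fw_portknock_seq: 1 22 333 4444 333 22 1

# The email address associated to root, for commits in the git repository that stores changes to /etc.
git_contact_email: hostmaster@example.org

# Watch new repositories inside the already-watched perimeter by default.
gitea_auto_watch_new_repos: 'true'
# Name of the Gitea (web UI for Git) database in PostgreSQL.
gitea_db: gitea
# PostgreSQL user who owns the Gitea database.
gitea_db_user: gitea
# Password for the PostgreSQL user who owns the Gitea database (sample value: change it).
gitea_db_password: 'gitea'
# Disable Gravatar pictures.
gitea_disable_gravatar: 'false'
# Disable HTTP for Git access.
gitea_disable_http_git: 'false'
# Disable mirrors.
gitea_disable_mirrors: 'true'
# Disable creation of organisations in Gitea (“true” or “false”, as a character string).
gitea_disable_org_creation: 'true'
# Disable self-registration in Gitea (“true” or “false”, as a character string).
# 'false' leaves self-registration open: anyone who can reach the web UI may create an account.
# Set it to 'true' unless that is really wanted.
gitea_disable_registration: 'false'
# Disable logs by Gitea router.
gitea_disable_router_log: 'false'
# Enable API and Swagger UI.
gitea_enable_api: 'true'
# Enable caching for the web UI.
gitea_enable_cache: 'true'
# Enable email notifications in Gitea (“true” or “false”, as a character string).
gitea_enable_notify_email: 'true'
# Enable OAuth2 provider.
gitea_enable_oauth2_provider: 'false'
# Index repositories.
gitea_enable_repo_indexer: 'true'
# Enable user heat-map.
gitea_enable_user_heatmap: 'true'
# Enable the time-tracking feature.
gitea_enable_timetracking: 'true'
# Available languages.
gitea_i18n: [
  {"code": "en-US", "label": "English"},
  {"code": "zh-CN", "label": "简体中文"},
  {"code": "zh-HK", "label": "繁體中文(香港)"},
  {"code": "zh-TW", "label": "繁體中文(台灣)"},
  {"code": "de-DE", "label": "Deutsch"},
  {"code": "fr-FR", "label": "français"},
  {"code": "nl-NL", "label": "Nederlands"},
  {"code": "lv-LV", "label": "latviešu"},
  {"code": "ru-RU", "label": "русский"},
  {"code": "uk-UA", "label": "Українська"},
  {"code": "ja-JP", "label": "日本語"},
  {"code": "es-ES", "label": "español"},
  {"code": "pt-BR", "label": "português do Brasil"},
  {"code": "pt-PT", "label": "Português de Portugal"},
  {"code": "pl-PL", "label": "polski"},
  {"code": "bg-BG", "label": "български"},
  {"code": "it-IT", "label": "italiano"},
  {"code": "fi-FI", "label": "suomi"},
  {"code": "tr-TR", "label": "Türkçe"},
  {"code": "cs-CZ", "label": "čeština"},
  {"code": "sr-SP", "label": "српски"},
  {"code": "sv-SE", "label": "svenska"},
  {"code": "ko-KR", "label": "한국어"}
]
# JWT secret for OAuth2 (sample value: generate a random one, it signs every issued token).
gitea_jwt_secret: 'az09ZA_az09ZA_az09ZA_az09ZA_az09ZA_az09ZA'
# Space-separated list of mime types to accept for attachments (“*/*” means: “anything”).
gitea_mime_attach: 'image/jpeg image/png application/zip application/gzip'
# Notifications refresh in seconds.
gitea_notif_min_timeout: 10
gitea_notif_max_timeout: 60
gitea_notif_timeout_step: 10
# A random salt-string for internal encryption (change it!).
gitea_security_secret: '!#@FDEWREWR&*('
# System user running Gitea.
gitea_user: gitea

# Maximum size of HTTP and PHP uploads.
http_max_upload: 10000M
# Document-root of the HTTP server.
http_root: /srv/http
# URL prefix of Dotclear (blog).
http_pfx_dotclear: /blog
# URL prefix of Gitea (web UI for Git).
http_pfx_gitea: /git
# URL prefix of LDAP-Account-Manager (web UI for LDAP).
http_pfx_lam: /account
# URL prefix of Motion (video surveillance).
http_pfx_motion: /netcam
# URL prefix of Movim (XMPP web client).
http_pfx_movim: /social
# URL prefix of Nextcloud (self-hosted “cloud”).
http_pfx_nextcloud: /cloud
# URL prefix of PrivateBin (self-hosted “pastebin”).
http_pfx_privatebin: /paste
# URL prefix of Prosody-generated URL (file uploads, BOSH, websockets…).
http_pfx_prosody: /xmpp-
# URL prefix of SSOwat (SSO and web portal).
http_pfx_ssowat: /start
# URL prefix of Transmission (web UI for BitTorrent).
http_pfx_transmission: /torrent
# URL prefix of Wallabag (social sharing of bookmarks).
http_pfx_wallabag: /bookmarks

# Subdomain-name that will serve DNS packets for Iodine (DNS tunnel). Choose it short!
iodine_domain: dt.example.org
# Network associated with the DNS tunnel (IP address of the server on this network, “/”, bits for the network-mask).
iodine_net: '172.16.12.1/28'
# Password of the DNS tunnel (sample value: change it; it is the only thing protecting the tunnel).
iodine_password: '_t_r___e@6358'

# Location of Kodi state data (not the media contents).
kodi_data: /var/lib/kodi
# System user that will run Kodi.
kodi_user: kodi

# Master password, needed to change LDAP-Account-Manager settings (sample value: change it).
lam_master_password: 'lam'
# Password policy for LDAP-Account-Manager (https://www.ldap-account-manager.org/static/doc/manual-onePage/#idm695).
# “-1” means “all”.
lam_checkedRulesCount: -1
lam_passwordMinClasses: 3
lam_passwordMinLength: 10
lam_passwordMinLower: 0
lam_passwordMinNumeric: 0
lam_passwordMinSymbol: 1
lam_passwordMinUpper: 0
lam_passwordMustNotContain3Chars: 'true'
lam_passwordMustNotContainUser: 'true'
# Title for LDAP-Account-Manager in the SSOwat portal.
lam_sso_title: Directory

# Additional ACL for LDAP.
# This is typically used to give extra powers to users, for example regarding aliases management.
# slapd ACL syntax; the indented lines are continuation lines of the single “access” directive.
ldap_extra_acl: |
  access to dn.subtree="ou=Aliases,dc=example,dc=org"
    by dn.base="uid=me,ou=Users,dc=example,dc=org" write
    by self read
    by * read
# Organization-name for this home-server LDAP directory.
ldap_o_name: 'Home'
# Root of the LDAP directory. Usually the domain-name with commas instead of dots, and “dc=” in front of each level.
ldap_root: dc=example,dc=org
# Password of the root user (administrator) in OpenLDAP.
# Sample value: change it. Both the clear-text and the hashed form below must be kept in sync,
# which is one more reason to keep this file in ansible-vault.
ldap_rootpw: 'OE104995à6&o_zKR4'
# Same password, as expected by OpenLDAP (`slappasswd` produces this {SSHA} format).
# See https://gist.github.com/rca/7217540 (python2) or https://www.openldap.org/faq/data/cache/347.html.
ldap_rootpw_sha: '{SSHA}Raa3TlvDPZTjdM44nKZQt+hDvQRvaMDC'
# Custom system groups and memberships, declared in LDAP.
# This is the right place to declare a group in which to put all real and system users, who will be allowed to read media contents.
# This is a JSON list inside a string, so entries must be separated by commas (a missing comma makes the whole list unparsable).
ldap_system_groups: '[
  {"cn": "registered", "gidNumber": 1200},
  {"cn": "media", "gidNumber": 1201}
]'
ldap_system_group_members: '[
  {"group": "media", "member": "me"},
  {"group": "media", "member": "cloud"},
  {"group": "media", "member": "kodi"}
]'

# Real users (ie. with a Linux account on the server) to declare in LDAP.
# Each user in the JSON list contains:
# — uidNumber: a unique user ID, which must be ≥1000;
# — gidNumber: a group ID, which should be a “gidNumber” of ldap_system_groups;
# — uid: the login name, usually short, without spaces, and all lowercase;
# — cn: the user’s firstname;
# — sn: the user’s surname;
# — password: the user’s password upon creation, in the same format as ldap_rootpw_sha (“change_me” in the example).
# These settings are only read when creating the users in LDAP.
# The sample hash below is the hash of a published password: generate a fresh hash per user.
ldap_system_users: '[
  {"uidNumber": 1000, "gidNumber": 1200, "uid": "you", "cn": "Yule-Offa", "sn": "Udel", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"},
  {"uidNumber": 1001, "gidNumber": 1200, "uid": "me", "cn": "Mae", "sn": "Ellen", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"}
]'
# Guest users (they can use the provided software, but do not have a Linux account).
# The fields are the same as above, minus the Linux UID and GID numbers.
# These settings are only read when creating the users in LDAP.
ldap_virtual_users: '[
  {"uid": "she", "cn": "Her", "sn": "…", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"},
  {"uid": "he", "cn": "Him", "sn": "…", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"}
]'
# Linux UID and GID to use for users who do not have their own.
# 65534 = nobody
ldap_virtual_user_uid: 65534
ldap_virtual_user_gid: 65534
# LDAP attributes to assign to users, either Linux users or guests.
# Each entry in the list contains:
# — uid: the login name of the user to modify;
# — attr: the LDAP attribute to set;
# — value: the value to store in the chosen attribute.
# These settings are enforced at each run. Examples:
# — gecos: the full name that typically appears on the login screen;
# — http://directory.fedoraproject.org/docs/389ds/design/shadow-account-support.html.
ldap_users_attrs:
  - {uid: "you", attr: "gecos", value: "Y-O. Udel"}
  - {uid: "you", attr: "shadowLastChange", value: "16000"}
  - {uid: "you", attr: "shadowMax", value: "99999"}
  - {uid: "you", attr: "shadowWarning", value: "7"}
  - {uid: "me", attr: "gecos", value: "M. Ellen"}
  - {uid: "me", attr: "shadowLastChange", value: "16000"}
  - {uid: "me", attr: "shadowMax", value: "99999"}
  - {uid: "me", attr: "shadowWarning", value: "7"}

# Login name and password of the LibreOffice OnLine web services’ administrator.
# Usefulness not clear; it doesn’t hurt to use the same values as in “nextcloud_admin_user” and “nextcloud_admin_password”…
loolwsd_admin_user: nextcloud_admin
loolwsd_admin_password: 'nextcloud_admin'
# Language used by LibreOffice OnLine (LOOL), either 2 or 5 characters, packaged with CollaboraOnline.
loolwsd_lang: en
# LibreOffice OnLine’s description: “The maximum percentage of system memory consumed
# by all of the LibreOffice Online, after which we start cleaning up idle documents”.
loolwsd_maxmem_asdouble: '80.0'

# Non-system mail aliases (stored in LDAP, in contrast to system aliases, which are stored in /etc/mail/aliases).
# Each entry in the list contains:
# — alias: a unique mail alias, either new or with existing associated recipients;
# — member: the login name of the user to add as a recipient for the alias.
mail_alias_memberships: '[
  {"alias": "shop", "member": "you"},
  {"alias": "throwable", "member": "me"},
  {"alias": "family", "member": "me"},
  {"alias": "family", "member": "you"}
]'
# DKIM selector to use (see http://yalis.fr/cms/index.php/post/2014/01/31/Why-buy-a-domain-name-Secure-mail%2E).
# See the “dmz_exim” role for the storage of the private and public keys.
mail_dkim_selector: home
# Actual Linux user, that receives all system emails (for root, postmaster, hostmaster…).
mail_forward_root_to: me
# IPv6 address of the ISP’s smarthost when the ISP does not handle SMTP on IPv6 (example: smtp.bbox.fr).
mail_ignore_ip: '2001:860:e2ef::f503:0:2'
# All local mail destinations, which include managed domains, as well as host names.
mail_local_domains: 'home dmz localhost example.org *.example.org *.local'
# Maximum number of SPAM-filter workers.
mail_max_spam_workers: 5
# The ISP’s smarthost (which listens on port 25).
mail_smtp_smarthost: smtp.bbox.fr

# The group name for media contents (see also “ldap_system_groups”).
media_group: media
# Custom Minidlna configuration, including the locations where it will look for media contents.
# None of the “media_dir” paths is currently allowed under /opt.
# Apart from “media_dir”, the settings already set upstream must not be overriden.
# See also “nfs_exports”, and https://sourceforge.net/p/minidlna/git/ci/master/tree/minidlna.conf (upstream).
media_minidlna_conf: |
  media_dir=V,/srv/nfs/share/video
  media_dir=A,/srv/nfs/share/my_CDs
  media_dir=A,/srv/nfs/share/my_MP3
  media_dir=P,/srv/nfs/share/photos
  root_container=B
  friendly_name=HomeMedia

# Motion data directory.
motion_data: /var/lib/motion
# Cloud storage used by Motion (placeholders: fill in your own account).
motion_cloud_url: 'https://www.mediafire.com/'
motion_cloud_login: login
motion_cloud_password: 'password'
motion_cloud_id: app_id_xxxxx
motion_cloud_key: 'xxxxxxxxxx…xxxxxxxxxx'
motion_email_recipient: hostmaster@localhost
# Cameras watched by Motion. The camera credentials are embedded in each RTSP URL, so this
# value is a secret too; use a dedicated, low-privilege account on each camera.
motion_cameras: '[
  {
    "id": 1,
    "name": "street door",
    "url": "rtsp://user:password@street.example.org:554/videoMain",
    "width": 640,
    "height": 360,
    "mask_file": "example_mask_640_360.pgm",
    "framerate": 5
  },
  {
    "id": 2,
    "name": "garden door",
    "url": "rtsp://user:password@garden.example.org:554/videoMain",
    "width": 640,
    "height": 360,
    "mask_file": null,
    "framerate": 5
  }
]'
motion_web_title: "Video surveillance"

# Name of the Movim database in PostgreSQL.
movim_db: movim
# PostgreSQL user who owns the Movim database.
movim_db_user: movim
# Password for the PostgreSQL user who owns the Movim database (sample value: change it).
movim_db_password: 'movim'
# Administrator for Movim.
movim_admin_user: movim_admin
# Password of the administrator for Movim (sample value: change it).
movim_admin_password: 'movim_admin'
# Localhost port on which Movim is listening.
movim_private_port: 33333

# Domain names to which network access from the DMZ is allowed.
# This space-separated list should contain:
# — the web address for checking the current public IP given by the ISP;
# — the web address for updating the dynamic DNS;
# — the web address for updating web applications…
net_allowed_domains: 'checkip.dns.he.net dyn.dns.he.net freedns.afraid.org download.dotclear.org dotaddict.org api.movim.eu'
# Start Of Authority: the root domain name configured on the server.
net_soa: example.org
# Subdomain for the XMPP multi-user chat component.
net_subdom_muc: muc
# Subdomain for the XMPP pub-sub component.
net_subdom_pubsub: pubsub
# Subdomain for which TLS traffic (port 443) is analysed as SSH instead of HTTP.
net_subdom_ssh: ssh
# Local networks from which network connections are trusted.
# OpenSSH requires that the IP in front of the “/” character is the first IP of the range!
# 192.168.1.248/29 is the 8-address block .248–.255, whose first address is .248 as required;
# it covers the controller (.252), the back-end (.253) and the DMZ (.254) and nothing more.
# (The previous “192.168.1.248/28” broke that rule: a /28 starting at .248 would begin at .240.)
net_trusted_ranges: '192.168.1.248/29 127.0.0.0/8 ::1'

# Administrator for Nextcloud (not necessarily an LDAP user).
nextcloud_admin_user: nextcloud_admin
# Password of the administrator for Nextcloud (sample value: change it).
nextcloud_admin_password: 'nextcloud_admin'
# Path to Nextcloud’s configuration.
nextcloud_conf: /etc/webapps/nextcloud/config
# Path to local Nextcloud data (not the users’ files).
nextcloud_data: /var/lib/nextcloud
# Name of the Nextcloud database in PostgreSQL.
nextcloud_db: nextcloud
# PostgreSQL user who owns the Nextcloud database.
nextcloud_db_user: nextcloud
# Password for the PostgreSQL user who owns the Nextcloud database (sample value: change it).
nextcloud_db_password: 'nextcloud'
# Path to Nextcloud distribution data (not the users’ files).
nextcloud_root: /usr/share/webapps/nextcloud
# System user that will run Nextcloud.
nextcloud_user: cloud

# Local paths (on the safe side of the server) that shall be exported with NFS.
# Each entry contains:
# — name: the name of the NFS export, under /srv/nfs;
# — path: the exported local path.
nfs_exports: '[
  {"name": "share", "path": "/mnt/share"},
  {"name": "share/video", "path": "/mnt/media/video"},
  {"name": "share/my_CDs", "path": "/mnt/media/my_CDs"},
  {"name": "share/my_MP3", "path": "/mnt/media/my_MP3"},
  {"name": "share/photos", "path": "/mnt/media/photos"}
]'
# NFS export options (https://linux.die.net/man/5/exports).
# NOTE(review): “no_root_squash” lets root on any client able to mount these exports act as
# root on the exported trees. It is presumably needed by the DMZ services — confirm in the NFS
# role — and only acceptable as long as the exports are reachable from the DMZ host alone.
nfs_options: 'rw,no_subtree_check,no_root_squash,no_wdelay,crossmnt'

# Log level for nginx (http://nginx.org/en/docs/ngx_core_module.html#error_log).
nginx_loglevel: info

# Administrator password for PostgreSQL (sample value: change it).
pgpassword: 'PostgreSQL'

# Maximum number of PHP-handling processes.
php_max_workers: 5
# Maximum number of requests a PHP-handling process can handle before being reset (0: never reset).
php_worker_max_reqs: 0

# Maximum number of bytes in a Privatebin paste (or image).
privatebin_bytes_limit: 10485760
# Enable discussions in Privatebin (“true” or “false” as a character string).
privatebin_enable_discussion: 'false'
# Enable passwords in Privatebin (“true” or “false” as a character string).
privatebin_enable_passwords: 'false'
# Enable uploads in Privatebin (“true” or “false” as a character string).
privatebin_enable_uploads: 'true'
# Open discussions by default in Privatebin (“true” or “false” as a character string).
privatebin_open_discussion: 'false'
# Delay in seconds before an opportunistic purge of old pastes is attempted while processing a request.
privatebin_purge_delay: 300
# Title for Privatebin in the SSOwat portal.
privatebin_sso_title: Privatebin

# Name of the Prosody database in PostgreSQL.
prosody_db: prosody
# PostgreSQL user who owns the Prosody database.
prosody_db_user: prosody
# Password for the PostgreSQL user who owns the Prosody database (sample value: change it).
prosody_db_password: 'prosody'

# Space-separated list of SANE drivers to keep enabled, for scanner sharing.
sane_drivers: epson2

# Space-separated list of pacman mirrors to use.
software_mirrors: 'mirror.archlinux.ikoula.com archlinux.vi-di.fr'
# Software that will get removed if present, on next run of the playbook (JSON list).
software_to_del: '["dhcpcd"]'
# Comma-separated list of software that pacman should not automatically upgrade.
software_to_ignore: 'linux,linux-firmware,linux-headers'

# Environment variables that SSH may keep for remote connections.
ssh_accept_env: 'LANG LC_*'
# Each of the four settings below widens what an authenticated SSH user (including the bastion
# user further down) can reach; keep 'no' for anything you do not actually use.
# Allow port-forwarding with SSH (“yes” or “no” as a character string).
ssh_allow_tcpforward: 'yes'
# Allow binding of port-forwardings on the LAN interface with SSH (“yes” or “no” as a character string).
# With 'yes', a remote forward opened by any SSH user is reachable by every host on the LAN.
ssh_allow_gatewayports: 'yes'
# Allow X11 forwarding with SSH (“yes” or “no” as a character string).
ssh_allow_x11forward: 'yes'
# Allow SSH tunnels (“yes” or “no” as a character string).
ssh_allow_tunnel: 'yes'
# System user that will accept SSH connections in the DMZ, as a way to get access to the safe zone.
ssh_bastion_user: gatekeeper
# SHA-512 password of the system user who can remotely SSH to the DMZ (here: “let-me-in”).
# See https://unix.stackexchange.com/a/76337 for some help.
# The hash below is of a password printed in this very file, so it must be replaced
# (for example with `openssl passwd -6` or `mkpasswd -m sha-512`). This account is reachable
# from the Internet once the port-knocking sequence is known: prefer key-based authentication
# for it if the role allows, and a long random password otherwise.
ssh_bastion_pwd_sha512: '$6$ZN4I.yIVUj0amxqe$5dBx1d34tNm9NMmmFV3UxZ0V2ecmOjefK5dbTW5Da/xC8M78sZbPQdegcqA3/9Wtr2fMQ0y6pxVh31Q01PrfS/'
# Client-alive interval for the SSH daemon, in seconds.
ssh_clientalive_interval: 600

# Server’s timezone.
timezone: Europe/Paris

# TLS ciphers to enable in TLS-terminating software (HAProxy, Nginx…).
# See https://wiki.mozilla.org/Security/Server_Side_TLS.
# NOTE(review): this looks like the Mozilla “old” compatibility list. It still enables the
# 3DES suites (…DES-CBC3-SHA, 64-bit block size, deprecated) and the plain-RSA key-exchange
# suites (AES128-SHA, AES256-GCM-SHA384…) that give no forward secrecy. Unless very old clients
# must be supported, prefer the current “intermediate” list from the page above.
tls_ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
# HAProxy server and bind options to use (https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5).
# Consider adding “no-tlsv10 no-tlsv11” here as well, if none of your clients still needs them.
tls_options: 'no-sslv3 no-tls-tickets'

# Transmission (BitTorrent) public/peer port.
transmission_bt_port: 60000
# Transmission private RPC port (for the Web UI).
transmission_rpc_port: 50000
# Path to the directory where Transmission should store the downloads that are finished, on the safe side.
transmission_real_done_at: /mnt/share/p2p/iso
# Path to the directory where Transmission should read torrent files to process, on the safe side.
transmission_real_todo_at: /mnt/share/p2p/iso.torrent
# Name given to “transmission_real_done_at” and “transmission_real_todo_at” as NFS exports.
transmission_nfs_done_at: share/p2p/iso
transmission_nfs_todo_at: share/p2p/iso.torrent

# Name of the Wallabag database in PostgreSQL.
wallabag_db: wallabag
# PostgreSQL user who owns the Wallabag database.
wallabag_db_user: wallabag
# Password for the PostgreSQL user who owns the Wallabag database (sample value: change it).
wallabag_db_password: 'wallabag'

# Space-separated list of the XMPP accounts that are considered administrators of the XMPP service.
xmpp_admins: 'me@example.org'
# Network hosts from which registration is possible (else it is forbidden).
# Registration of hosted users is automatic.
xmpp_registration_hosts: '127.0.0.1 192.168.1.254 192.168.1.253 192.168.1.252'
# Secret value known to the XMPP upload service (HTTP), so that it is only used by the XMPP network.
# Sample value: replace it with a long random string, otherwise anyone can use the upload service.
xmpp_upload_secret: 'xmpp upload secret'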