---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or https://www.gnu.org/licenses/gpl-3.0.txt if the file is missing.
# Short personal nickname that will be mostly used as part of filenames under /etc.
nickname: personal
# Hostname and IPv4 address of the DMZ (the Internet-facing host).
DMZ: dmz
DMZ_IP: 192.168.1.254
# Hostname and IPv4 address of the back-end server (with all the data).
SafeZone: home
SafeZone_IP: 192.168.1.253
# Domain names that the certificate should cover (space-separated).
acme_domains: 'example.org www.example.org pubsub.example.org'
# Public key that Ansible will use to manage the server, and IP address of the controller PC.
# The public key (`….pub` file) is generated as the result of running `ssh-keygen -t ed25519`.
# The key below is an obvious placeholder, not a real ed25519 key: paste your own before the first run.
# Whoever holds the matching private key can manage every host, so keep it on the controller only
# (passphrase-protected or in an agent).
ansible_authorized_key: 'ssh-ed25519 AAAA0000bbbb1111CCCC2222dddd3333EEEE4444ffff5555GGGG6666hhhh7777IIII me@my-pc'
ansible_master: 192.168.1.252
# System user that will build packages from AUR (https://aur.archlinux.org/).
# Building an AUR package runs its PKGBUILD, i.e. third-party code: this must stay an unprivileged account.
aur_user: git
# Just leave this with an empty-string value.
chroot: ''
# https://wiki.archlinux.org/index.php/Keyboard_configuration_in_console
default_keymap: en
# https://jlk.fjfi.cvut.cz/arch/manpages/man/papersize.5
default_papersize: a4
# LDAP (real) user that will have admin rights in Dotclear (the blog).
dotclear_admin_user: me
# Name of the Dotclear database in PostgreSQL.
dotclear_db: dotclear
# PostgreSQL user who owns the Dotclear database.
dotclear_db_user: dotclear
# Password for the PostgreSQL user who owns the Dotclear database.
# Example value (same as the user name): use a unique random password and keep it in an
# Ansible-vault-encrypted file rather than in this one.
dotclear_db_password: dotclear
# Dotclear encrypts sensitive data with a master key, that is set here (random string).
# The value below is just the alphabet, i.e. not random at all: generate a real one
# (e.g. `openssl rand -hex 32`) and vault it.
dotclear_master_key: 0123456789abcdefghijklmnopqrstuvwxyz
# Location where Dotclear is installed, which *must* end with “/dotclear”
dotclear_root: /srv/webapps/dotclear
# The default locale (https://wiki.archlinux.org/index.php/Locale).
locales_default: 'en_US.UTF-8'
# All installed locales on the server.
locales_enabled: 'en_US.UTF-8 fr_FR.UTF-8 fr_FR@euro'
# Enable DNSSEC in systemd-resolved (“yes” or “no”, as a character string); experimental!
# Quoted on purpose: an unquoted yes/no would be read as a YAML boolean instead of the string the role expects.
dns_sec: 'no'
# DNS servers to use on the server, for example:
# FDN-1 (v4) FDN-2 (v4) FDN-1 (v6) FDN-2 (v6) OpenNIC-1 OpenNIC-2 Google
# Every resolver listed here sees the names this server looks up; list only operators you are willing to trust with that.
dns_hosts: '80.67.169.12 80.67.169.40 2001:910:800::12 2001:910:800::40 87.98.175.85 5.135.183.146 8.8.8.8'
# Nearest NTP servers (https://www.ntppool.org/).
# (For a server in the Europe/Paris timezone, the “fr” pool may be nearer than the “uk” one used in the example.)
ntp_hosts: '0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org'
# IP addresses that are allowed to browse DLNA/uPNP contents, even though they are not trusted.
# This is a space-separated list of networks (IP/bits).
# A typical example would be a living-room BD player or TV, which includes a DLNA client.
# Keep the masks as narrow as possible (/32 for a single device): these hosts get media access without being trusted otherwise.
fw_dlna_clients: 192.168.1.53/32
# Number of minutes allowed between two consecutive ports of the port-knocking sequence.
fw_knock_timeout_min: 2
# Port-knocking sequence. A port may appear multiple times, but not next to each-other.
# Port knocking only hides the service, it is not authentication: SSH keys/passwords still do the real work.
# Treat the sequence as a secret. If a knock port is also a listening service (22 here, if sshd listens on it),
# that step is indistinguishable from ordinary traffic — double-check the choice of ports.
fw_portknock_seq: 1 22 333 4444 333 22 1
# The email address associated to root, for commits in the git repository that stores changes to /etc.
git_contact_email: hostmaster@example.org
# Name of the Gitea (web UI for Git) database in PostgreSQL.
gitea_db: gitea
# PostgreSQL user who owns the Gitea database.
gitea_db_user: gitea
# Password for the PostgreSQL user who owns the Gitea database.
# Example value (same as the user name): use a unique random password and keep it in an Ansible vault.
gitea_db_password: gitea
# Disable creation of organisations in Gitea (“true” or “false”, as a character string).
gitea_disable_org_creation: 'true'
# Disable self-registration in Gitea (“true” or “false”, as a character string).
# 'false' leaves sign-up open to anyone who can reach the web UI. Unless public registration is wanted,
# switch it to 'true' once your own accounts exist.
gitea_disable_registration: 'false'
# Enable email notifications in Gitea (“true” or “false”, as a character string).
gitea_enable_notify_email: 'true'
# Maximum size of HTTP and PHP uploads.
# Applies to every web application served here; PrivateBin additionally has its own, smaller “privatebin_bytes_limit”.
http_max_upload: 10000M
# Document-root of the HTTP server.
http_root: /srv/http
# URL prefixes of the web applications. Keep them distinct: an overlapping prefix would let one
# application's location shadow another's.
# URL prefix of Dotclear (blog).
http_pfx_dotclear: /blog
# URL prefix of Gitea (web UI for Git).
http_pfx_gitea: /git
# URL prefix of LDAP-Account-Manager (web UI for LDAP).
http_pfx_lam: /account
# URL prefix of Movim (XMPP web client).
http_pfx_movim: /social
# URL prefix of Nextcloud (self-hosted “cloud”).
http_pfx_nextcloud: /cloud
# URL prefix of PrivateBin (self-hosted “pastebin”).
http_pfx_privatebin: /paste
# URL prefix of the Prosody-generated URLs (file uploads, BOSH, websockets…). The trailing dash is part of the prefix.
http_pfx_prosody: /xmpp-
# URL prefix of SSOwat (SSO and web portal).
http_pfx_ssowat: /start
# URL prefix of Transmission (web UI for BitTorrent).
http_pfx_transmission: /torrent
# URL prefix of Wallabag (social sharing of bookmarks).
http_pfx_wallabag: /bookmarks
# Subdomain-name that will serve DNS packets for Iodine (DNS tunnel). Choose it short!
# (The tunnel carries its payload inside DNS names, so a shorter zone name leaves more room per query.)
iodine_domain: dt.example.org
# Network associated with the DNS tunnel (IP address of the server on this network, “/”, bits for the network-mask).
iodine_net: '172.16.12.1/28'
# Password of the DNS tunnel.
# Example value. The tunnel endpoint is reachable from anywhere that can send DNS queries, so use a long random
# password and keep it in an Ansible vault instead of this file.
iodine_password: '_t_r___e@6358'
# Location of Kodi state data (not the media contents).
kodi_data: /var/lib/kodi
# System user that will run Kodi.
kodi_user: kodi
# Master password, needed to change LDAP-Account-Manager settings.
# Example value, trivially guessable: change it before LAM is reachable.
lam_master_password: lam
# Password policy for LDAP-Account-Manager (https://www.ldap-account-manager.org/static/doc/manual-onePage/#idm695).
# “-1” means “all”.
# The example policy, going by the option names: at least 10 characters from at least 3 character classes,
# with at least one symbol, not containing the user name (nor 3 consecutive characters of it).
lam_checkedRulesCount: -1
lam_passwordMinClasses: 3
lam_passwordMinLength: 10
lam_passwordMinLower: 0
lam_passwordMinNumeric: 0
lam_passwordMinSymbol: 1
lam_passwordMinUpper: 0
lam_passwordMustNotContain3Chars: 'true'
lam_passwordMustNotContainUser: 'true'
# Title for LDAP-Account-Manager in the SSOwat portal.
lam_sso_title: Directory
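# Additional ACL for LDAP.
# This is typically used to give extra powers to users, for example regarding aliases management.
# The example lets one user write the mail aliases while everybody can read them. In slapd ACLs “by *”
# also matches anonymous binds, so if anonymous access is allowed and alias names are sensitive, use
# “by users read” instead. Keep the DNs in sync with “ldap_root” and the uid with a declared user.
# Continuation lines are indented (block scalar) so that slapd sees the “by” clauses as part of the “access” directive.
ldap_extra_acl: |
  access to dn.subtree="ou=Aliases,dc=example,dc=org"
    by dn.base="uid=me,ou=Users,dc=example,dc=org" write
    by self read
    by * read
# Organization-name for this home-server LDAP directory.
ldap_o_name: 'Home'
# Root of the LDAP directory. Usually the domain-name with commas instead of dots, and “dc=” in front of each level.
ldap_root: dc=example,dc=org
# Password of the root user (administrator) in OpenLDAP.
# Example value. The real one belongs in an Ansible vault: it grants unrestricted access to every account and password hash.
ldap_rootpw: 'OE104995à6&o_zKR4'
# Same password, as expected by OpenLDAP (salted SHA-1, as produced by `slappasswd -s <password>`).
# See https://gist.github.com/rca/7217540 (python2) or https://www.openldap.org/faq/data/cache/347.html.
# Regenerate it whenever “ldap_rootpw” changes; the two values are presumably not cross-checked anywhere.
ldap_rootpw_sha: '{SSHA}Raa3TlvDPZTjdM44nKZQt+hDvQRvaMDC'
# Custom system groups and memberships, declared in LDAP.
# This is the right place to declare a group in which to put all real and system users, who will be allowed to read media contents.
# The value is a JSON list written inside a YAML string: objects are separated by commas, no comma after the
# last one (a missing separator makes the whole list unparsable).
ldap_system_groups: '[
  {"cn": "registered", "gidNumber": 1200},
  {"cn": "media", "gidNumber": 1201}
]'
ldap_system_group_members: '[
  {"group": "media", "member": "me"},
  {"group": "media", "member": "cloud"},
  {"group": "media", "member": "kodi"}
]'
# Real users (ie. with a Linux account on the server) to declare in LDAP.
# Each user in the JSON list contains:
# — uidNumber: a unique user ID, which must be ≥1000;
# — gidNumber: a group ID, which should be a “gidNumber” of ldap_system_groups;
# — uid: the login name, usually short, without spaces, and all lowercase;
# — cn: the user's firstname;
# — sn: the user's surname;
# — password: the user's password upon creation, in the same format as ldap_rootpw_sha (“change_me” in the example).
# These settings are only read when creating the users in LDAP.
# All example accounts share the same “change_me” hash: have each user change it right after creation.
ldap_system_users: '[
  {"uidNumber": 1000, "gidNumber": 1200, "uid": "you", "cn": "Yule-Offa", "sn": "Udel", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"},
  {"uidNumber": 1001, "gidNumber": 1200, "uid": "me", "cn": "Mae", "sn": "Ellen", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"}
]'
# Guest users (they can use the provided software, but do not have a Linux account).
# The fields are the same as above, minus the Linux UID and GID numbers.
# These settings are only read when creating the users in LDAP.
ldap_virtual_users: '[
  {"uid": "she", "cn": "Her", "sn": "…", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"},
  {"uid": "he", "cn": "Him", "sn": "…", "password": "{SSHA}393aKNBzihkeHWXalkw/vpdy3dYHoh5L"}
]'
# Linux UID and GID to use for users who do not have their own.
# 65534 = nobody
ldap_virtual_user_uid: 65534
ldap_virtual_user_gid: 65534
# LDAP attributes to assign to users, either Linux users or guests.
# Each entry in the list contains:
# — uid: the login name of the user to modify;
# — attr: the LDAP attribute to set;
# — value: the value to store in the chosen attribute.
# These settings are enforced at each run. Examples:
# — gecos: the full name that typically appears on the login screen;
# — http://directory.fedoraproject.org/docs/389ds/design/shadow-account-support.html.
# In the example, shadowLastChange is a day count since 1970-01-01 and shadowMax 99999 (days) effectively
# disables password expiry.
ldap_users_attrs: '[
  {"uid": "you", "attr": "gecos", "value": "Y-O. Udel"},
  {"uid": "you", "attr": "shadowLastChange", "value": "16000"},
  {"uid": "you", "attr": "shadowMax", "value": "99999"},
  {"uid": "you", "attr": "shadowWarning", "value": "7"},
  {"uid": "me", "attr": "gecos", "value": "M. Ellen"},
  {"uid": "me", "attr": "shadowLastChange", "value": "16000"},
  {"uid": "me", "attr": "shadowMax", "value": "99999"},
  {"uid": "me", "attr": "shadowWarning", "value": "7"}
]'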
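# Login name and password of the LibreOffice OnLine web services administrator.
# Usefulness not clear; it doesn't hurt to use the same values as in “nextcloud_admin_user” and “nextcloud_admin_password”…
# …except that a leak of one then compromises both. Separate random values cost nothing and are the safer choice.
loolwsd_admin_user: nextcloud_admin
loolwsd_admin_password: nextcloud_admin
# LibreOffice OnLine's description: “The maximum percentage of system memory consumed
# by all of the LibreOffice Online, after which we start cleaning up idle documents”.
loolwsd_maxmem_asdouble: '80.0'
# Non-system mail aliases (stored in LDAP, in contrast to system aliases, which are stored in /etc/mail/aliases).
# Each entry in the list contains:
# — alias: a unique mail alias, either new or with existing associated recipients;
# — member: the login name of the user to add as a recipient for the alias.
# JSON list inside a YAML string: comma-separated objects, no comma after the last one.
mail_alias_memberships: '[
  {"alias": "shop", "member": "you"},
  {"alias": "throwable", "member": "me"},
  {"alias": "family", "member": "me"},
  {"alias": "family", "member": "you"}
]'
# DKIM selector to use (see http://yalis.fr/cms/index.php/post/2014/01/31/Why-buy-a-domain-name-Secure-mail%2E).
# See the “dmz_exim” role for the storage of the private and public keys.
# Use a new selector (e.g. with a date suffix) whenever the DKIM key pair is replaced, so the old DNS record
# can be retired without a gap.
mail_dkim_selector: home
# Actual Linux user, that receives all system emails (for root, postmaster, hostmaster…).
mail_forward_root_to: me
# IPv6 address of the ISP's smarthost when the ISP does not handle SMTP on IPv6 (example: smtp.bbox.fr).
mail_ignore_ip: '2001:860:e2ef::f503:0:2'
# All local mail destinations, which include managed domains, as well as host names.
mail_local_domains: 'home dmz localhost example.org *.example.org *.local'
# The ISP's smarthost (which listens on port 25). All outgoing mail is relayed through it.
mail_smtp_smarthost: smtp.bbox.fr
# The group name for media contents (see also “ldap_system_groups”).
media_group: media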
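# Custom Minidlna configuration, including the locations where it will look for media contents.
# None of the “media_dir” paths is currently allowed under /opt.
# Apart from “media_dir”, the settings already set upstream must not be overridden.
# See also “nfs_exports”, and https://sourceforge.net/p/minidlna/git/ci/master/tree/minidlna.conf (upstream).
# The paths below are the mount points (under /srv/nfs) of the exports named in “nfs_exports”.
# DLNA has no authentication: everything listed here is browsable by any client the firewall lets in
# (see “fw_dlna_clients”), so do not point it at private data.
media_minidlna_conf: |
  media_dir=V,/srv/nfs/share/video
  media_dir=A,/srv/nfs/share/my_CDs
  media_dir=A,/srv/nfs/share/my_MP3
  media_dir=P,/srv/nfs/share/photos
  root_container=B
  friendly_name=HomeMedia
# Name of the Movim database in PostgreSQL.
movim_db: movim
# PostgreSQL user who owns the Movim database.
movim_db_user: movim
# Password for the PostgreSQL user who owns the Movim database.
# Example value (same as the user name): use a unique random password and keep it in an Ansible vault.
movim_db_password: movim
# Administrator for Movim.
movim_admin_user: movim_admin
# Password of the administrator for Movim.
# Example value, same as the login name: change it.
movim_admin_password: movim_admin
# Localhost port on which Movim is listening (presumably fronted by the HTTP server at “http_pfx_movim”;
# it should not be reachable from the LAN directly).
movim_private_port: 33333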
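# Domain names to which network access from the DMZ is allowed.
# This space-separated list should contain:
# — the web address for checking the current public IP given by the ISP;
# — the web address for updating the dynamic DNS;
# — the web address for updating web applications…
# This is an egress allow-list for the DMZ: keep it minimal and review it when an application changes its update servers.
net_allowed_domains: 'checkip.dns.he.net dyn.dns.he.net freedns.afraid.org download.dotclear.org dotaddict.org api.movim.eu'
# Start Of Authority: the root domain name configured on the server.
net_soa: example.org
# Subdomain for the XMPP multi-user chat component.
net_subdom_muc: muc
# Subdomain for the XMPP pub-sub component.
net_subdom_pubsub: pubsub
# Subdomain for which TLS traffic (port 443) is analysed as SSH instead of HTTP.
net_subdom_ssh: ssh
# Local networks from which network connections are trusted.
# OpenSSH requires that the IP in front of the “/” character is the first IP of the range!
# The previous value, 192.168.1.248/28, broke that rule: a /28 starts at .240, so .248 is in the middle of it,
# which is exactly the non-canonical form OpenSSH refuses. 192.168.1.248/29 is the canonical range starting
# at .248 and still covers the DMZ, the back-end and the controller (.252–.254); use 192.168.1.240/28 instead
# if the wider 16-address range was intended.
net_trusted_ranges: '192.168.1.248/29 127.0.0.0/8 ::1'
# Administrator for Nextcloud (not necessarily an LDAP user).
nextcloud_admin_user: nextcloud_admin
# Password of the administrator for Nextcloud.
# Example value, same as the login name: this account is exposed on the web UI, so set a strong password and vault it.
nextcloud_admin_password: nextcloud_admin
# Path to Nextcloud's configuration.
nextcloud_conf: /etc/webapps/nextcloud/config
# Path to local Nextcloud data (not the users' files).
nextcloud_data: /var/lib/nextcloud
# Name of the Nextcloud database in PostgreSQL.
nextcloud_db: nextcloud
# PostgreSQL user who owns the Nextcloud database.
nextcloud_db_user: nextcloud
# Password for the PostgreSQL user who owns the Nextcloud database.
# Example value (same as the user name): use a unique random password and keep it in an Ansible vault.
nextcloud_db_password: nextcloud
# Path to Nextcloud distribution data (not the users' files).
nextcloud_root: /usr/share/webapps/nextcloud
# System user that will run Nextcloud.
nextcloud_user: cloud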
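# Local paths (on the safe side of the server) that shall be exported with NFS.
# Each entry contains:
# — name: the name of the NFS export, under /srv/nfs;
# — path: the exported local path.
# JSON list inside a YAML string: comma-separated objects, no comma after the last one.
nfs_exports: '[
  {"name": "share", "path": "/mnt/share"},
  {"name": "share/video", "path": "/mnt/media/video"},
  {"name": "share/my_CDs", "path": "/mnt/media/my_CDs"},
  {"name": "share/my_MP3", "path": "/mnt/media/my_MP3"},
  {"name": "share/photos", "path": "/mnt/media/photos"}
]'
# NFS export options (https://linux.die.net/man/5/exports).
# “rw,no_root_squash” means root on an allowed NFS client is root on these trees too, i.e. that client gets
# unrestricted access to the exported data. This is only acceptable if the allowed clients are limited to the
# DMZ host (check the client list in the NFS role) on a network nobody else can spoof; prefer “root_squash”
# unless something on the client genuinely needs root on the exports.
nfs_options: 'rw,no_subtree_check,no_root_squash,no_wdelay,crossmnt'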
# Log level for nginx (http://nginx.org/en/docs/ngx_core_module.html#error_log).
nginx_loglevel: info
# Administrator password for PostgreSQL.
# Example value. This is the database superuser: use a long random password kept in an Ansible vault.
pgpassword: PostgreSQL
# Maximum number of bytes in a Privatebin paste (or image).
privatebin_bytes_limit: 10485760
# Enable discussions in Privatebin (“true” or “false” as a character string).
privatebin_enable_discussion: 'false'
# Enable passwords in Privatebin (“true” or “false” as a character string).
privatebin_enable_passwords: 'false'
# Enable uploads in Privatebin (“true” or “false” as a character string).
# Uploads of up to “privatebin_bytes_limit” each are accepted from anyone who can reach the paste service.
privatebin_enable_uploads: 'true'
# Open discussions by default in Privatebin (“true” or “false” as a character string).
privatebin_open_discussion: 'false'
# Delay in seconds before an opportunistic purge of old pastes is attempted while processing a request.
privatebin_purge_delay: 300
# Title for Privatebin in the SSOwat portal.
privatebin_sso_title: Privatebin
# Name of the Prosody database in PostgreSQL.
prosody_db: prosody
# PostgreSQL user who owns the Prosody database.
prosody_db_user: prosody
# Password for the PostgreSQL user who owns the Prosody database.
# Example value (same as the user name): use a unique random password and keep it in an Ansible vault.
prosody_db_password: prosody
# Space-separated list of SANE drivers to keep enabled, for scanner sharing.
sane_drivers: epson2
# Space-separated list of pacman mirrors to use.
software_mirrors: 'archlinux.de-labrusse.fr mirror.archlinux.ikoula.com'
# Software that will get removed if present, on next run of the playbook (JSON list).
software_to_del: '["dhcpcd"]'
# Comma-separated list of software that pacman should not automatically upgrade.
# Pinning the kernel packages also pins their security fixes: upgrade them by hand on a regular basis.
software_to_ignore: 'linux,linux-firmware,linux-headers'
# Environment variables that SSH may keep for remote connections.
ssh_accept_env: 'LANG LC_*'
# Allow port-forwarding with SSH (“yes” or “no” as a character string).
ssh_allow_tcpforward: 'yes'
# Allow binding of port-forwardings on the LAN interface with SSH (“yes” or “no” as a character string).
# With 'yes', a remote forward (ssh -R) requested by any SSH user may listen on the server's non-loopback
# addresses, i.e. expose a port to whatever network the server is on; 'no' keeps such forwards on localhost.
ssh_allow_gatewayports: 'yes'
# Allow X11 forwarding with SSH (“yes” or “no” as a character string).
ssh_allow_x11forward: 'yes'
# Allow SSH tunnels (“yes” or “no” as a character string).
# Presumably sshd's “PermitTunnel” (tun devices): it gives SSH users a VPN-like path into the network,
# so consider 'no' unless the bastion account actually needs it.
ssh_allow_tunnel: 'yes'
# System user that will accept SSH connections in the DMZ, as a way to get access to the safe zone.
ssh_bastion_user: gatekeeper
# SHA-512 password of the system user who can remotely SSH to the DMZ (here: “let-me-in”).
# See https://unix.stackexchange.com/a/76337 for some help.
# The hash below is the published example for “let-me-in”, i.e. a known password on an Internet-facing account:
# regenerate it (e.g. `openssl passwd -6` or `mkpasswd -m sha-512`) before deploying, and prefer key-only
# authentication for this account if the SSH role allows it.
ssh_bastion_pwd_sha512: '$6$ZN4I.yIVUj0amxqe$5dBx1d34tNm9NMmmFV3UxZ0V2ecmOjefK5dbTW5Da/xC8M78sZbPQdegcqA3/9Wtr2fMQ0y6pxVh31Q01PrfS/'
# Client-alive interval for the SSH daemon, in seconds.
ssh_clientalive_interval: 600
# Server's timezone.
timezone: Europe/Paris
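# TLS ciphers to enable in TLS-terminating software (HAProxy, Nginx…).
# See https://wiki.mozilla.org/Security/Server_Side_TLS.
# This is Mozilla's backward-compatible list with its four 3DES (“DES-CBC3”) suites dropped: 3DES is a 64-bit
# block cipher and is only needed by very old (XP-era) clients; re-add them only if such a client must be
# supported. The non-forward-secret AES suites (those without ECDHE/DHE) are kept for compatibility and can be
# removed too once every client is modern.
tls_ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS'
# HAProxy server and bind options to use (https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5).
# “no-tls-tickets” avoids a long-lived ticket key undermining forward secrecy. Consider adding
# “no-tlsv10 no-tlsv11” once no client needs those protocol versions.
tls_options: 'no-sslv3 no-tls-tickets'
# Transmission (BitTorrent) public/peer port
transmission_bt_port: 60000
# Transmission private RPC port (for the Web UI).
# Presumably bound on localhost and fronted by the HTTP server at “http_pfx_transmission”; it must not be reachable directly.
transmission_rpc_port: 50000
# Path to the directory where Transmission should store the downloads that are finished, on the safe side.
transmission_real_done_at: /mnt/share/p2p/iso
# Path to the directory where Transmission should read torrent files to process, on the safe side.
transmission_real_todo_at: /mnt/share/p2p/iso.torrent
# Name given to “transmission_real_done_at” and “transmission_real_todo_at” as NFS exports.
transmission_nfs_done_at: share/p2p/iso
transmission_nfs_todo_at: share/p2p/iso.torrent
# Name of the Wallabag database in PostgreSQL.
wallabag_db: wallabag
# PostgreSQL user who owns the Wallabag database.
wallabag_db_user: wallabag
# Password for the PostgreSQL user who owns the Wallabag database.
# Example value (same as the user name): use a unique random password and keep it in an Ansible vault.
wallabag_db_password: wallabag
# Space-separated list of the XMPP accounts that are considered administrators of the XMPP service.
xmpp_admins: 'me@example.org'
# Network hosts from which registration is possible (else it is forbidden).
# Registration of hosted users is automatic.
# These are localhost, the DMZ, the back-end and the controller (see DMZ_IP, SafeZone_IP and ansible_master):
# keep the list in sync with those variables.
xmpp_registration_hosts: '127.0.0.1 192.168.1.254 192.168.1.253 192.168.1.252'
# Secret value known to the XMPP upload service (HTTP), so that it is only used by the XMPP network.
# The value below is a placeholder: anyone who knows the secret can use the upload service, so generate a long
# random string (e.g. `openssl rand -hex 32`) and keep it in an Ansible vault.
xmpp_upload_secret: 'xmpp upload secret'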