-
Notifications
You must be signed in to change notification settings - Fork 0
/
parameters.yml.dist
264 lines (245 loc) · 9.95 KB
/
parameters.yml.dist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
#############
# Raspberry #
#############
py_default_user: pi
py_default_user_password: raspberry
py_root_username: user
py_root_password: "{{ vault.root_password }}"
# URL (or IP) Raspberry server
py_serveur_url: 170.xxx.xxx.xxx
py_locale: fr_FR.UTF-8
py_timezone: "Europe/Paris"
# See "ls -la /usr/share/X11/xkb/symbols/" to find keybord template
py_keyboard_layout: "fr"
#############
# ADMIN #
#############
admin_network: admin
admin_username: foobar
portainer_uri: portainer.lan
portainer_gui_port: 9000
###################
# Bokehlicious #
###################
username : bokehlicious
project_name : bokehlicious
domain : bokehlicious.fr
admin_firstname: foo
admin_lastname: bar
admin_email: [email protected]
admin_password: "{{vault.bokehlicious_admin_password}}"
deploy_private_key: ~/.ssh/deploy_ssh_key
project_deploy_dir: "/home/{{ username }}/www"
# git_hostname : gitlab.com || github.com
git_hostname: gitlab.com
git_repo: [email protected]/alcyon/bokehlicious.git
# Database
DB_CONNECTION: mysql
DB_HOST: database # Name of the database service in docker-compose.yml
DB_PORT: 3306
DB_DATABASE: homestead
DB_USERNAME: homestead
DB_PASSWORD: "{{ vault.bokehlicious_database_user_password }}"
DB_ROOT_PASSWORD: "{{ vault.bokehlicious_database_root_password }}"
#############
# Docker #
#############
docker_host_os: raspbian
docker_host_os_release: stretch
docker_host_arch: armhf
docker_version: stable
docker_users:
- "{{ py_root_username }}"
#############
# Traefik #
#############
traefik_contact_mail: [email protected]
traefik_admin_port: 8080
traefik_http_port: 80
traefik_https_port: 443
traefik_path: "/home/{{ py_root_username }}/traefik"
# DEBUG, INFO, WARN, ERROR, FATAL, PANIC
traefik_log_level: DEBUG
traefik_dashboard_entrypoint: traefik
# traefik_network allow container to be reached from outside the lan network (with the reverse proxy)
traefik_network: web
# lan_network allow container to be reached from inside the lan network (with the docker macvlan driver)
lan_network: lan
# ethernet_interface : find your ethernet interface with ifconfig (eth0, enp3s0)
ethernet_interface: eth0
# lan_subnet : your local subnet
lan_subnet: 192.168.1.0/16
# define a range of ip for the containers connected to this network.
lan_ip_range: 192.168.1.150/26
lan_gateway: 192.168.1.254
traefik_dashboard_pwd: "{{ vault.traefik_dashboard_password }}"
#############
# PiHole #
#############
pihole_git_repo: [email protected]:fred-lab/pihole_cloudflared.git
pihole_username: foo
pihole_entryPoint: pihole
# Choose an architecture :
# amd64 / x86-64 = amd64
# x86 (32-bit) = 386
# ARMv6 = arm
pihole_cloudflared_architecture: arm
# Cloudflared port
pihole_cloudflared_port: 5053
# Timezone = 'America/Chicago'
pihole_timezone: 'Europe/Paris'
#http://pi.hole/admin password.
pihole_password: "{{ vault.pihole_dashboard_password }}"
# Local IP adress of the Raspberry pi (or server)
pihole_host_local_ip: 192.0.0.1
# URL (or IP) Openvpn server
vpn_serveur_url: "{{py_serveur_url}}"
# Secondary upstream DNS provider, default is Cloudflare DNS (1.1.1.1)
pihole_dns2: 1.1.1.1
# Interface listening behavior
# local => listens on all local subnets,
# all => permits listening on internet origin subnets in addition to local. Note that the last option should not be used on devices which are directly connected to the Internet. This option is safe if your Pi-hole is located within your local network, i.e. protected behind your router, and you have not forwarded port 53 to this device. In virtually all other cases you have to make sure that your Pi-hole is properly firewalled.
# nic => Allows only queries from devices that are at most one hop away (local devices)
# <local|all|nic>
pihole_DNSMASQ_LISTENING: all
################
# Wireguard #
#############
wireguard_peers: name_1,name_2
wireguard_dns: 172.28.1.1,1.1.1.1
wireguard_server_port: 51820
#############
# Media #
#############
media_username: media
media_network: media
media_timezone: "Europe/Paris"
emby_name: emby
emby_http_port: 8096
emby_https_port: 8920
navidrome_name: navidrome
navidrome_web_port: 4533
samba_pwd: pwd
samba_workgroup: WORKGROUP
samba_security: auto
samba_share_comment: Samba Share
samba_share_path: /home/{{media_username}}/media/share
samba_share_read_only: no
samba_share_browsable: yes
samba_share_guest_ok: yes
samba_share_create_mask: 0775
samba_share_directory_mask: 0771
samba_hosts_allow: 192.168.0.0/24
samba_hosts_deny: 0.0.0.0/0
samba_authorizes_ports:
- { port: 445, permission: allow, proto: tcp, from: "{{ lan_network }}" }
- { port: 137, permission: allow, proto: udp, from: "{{ lan_network }}" }
- { port: 138, permission: allow, proto: udp, from: "{{ lan_network }}" }
nextcloud_timezone: "Europe/Paris"
nextcloud_port: 443
############
# Firewall #
############
# See : https://docs.ansible.com/ansible/latest/modules/ufw_module.html
# Permission values are : allow, deny, limit & reject
# Proto values are : tcp, udp
# From values are : "any" (for internet connexion) or a specific IP or a range of IP
firewalls_authorizes_ports:
# Allow SSH connection only for Local network
- { port: ssh, permission: allow, proto: tcp, from: "{{ lan_network }}" }
- { port: http, permission: allow, proto: tcp, from: any }
- { port: https, permission: allow, proto: tcp, from: any }
#8080 is used to access Traefik dashbord
- { port: 8080, permission: allow, proto: tcp, from: any }
#1194/udp is used to connect to Openvpn server
- { port: 1194, permission: allow, proto: udp, from: any }
#51820/udp is used to connect to Wireguard server
- { port: 51820, permission: allow, proto: udp, from: any }
lan_network: 192.0.0.0/24
#########
# Fail2Ban #
#########
# Default
# "bantime" is the number of seconds or minute that a host is banned.
default_bantime: 10m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
default_findtime: 10m
# "maxretry" is the number of failures before a host get banned.
default_maxretry: 5
# "enabled" enables the jails.
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
jail_enabled: false
# Actions
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# Sending mail require a SMTP server
# action_ => ban only
# action_mw => ban & send an e-mail with whois report to the destemail.
# action_mwl => ban & send an e-mail with whois report and relevant log lines to the destemail
default_action: action_
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail: root@localhost
# Sender email address used solely for some actions
sender: root@<fq-hostname>
# Jails
# Nginx
nginx_logpath: "%(nginx_error_log)s"
# Recidive
recidive_bantime: 1w
recidive_findtime: 1d
#########
# Vault #
#########
vault:
root_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
1234
bokehlicious_database_user_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
1234
bokehlicious_database_root_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
1234
bokehlicious_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
1234
traefik_dashboard_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
1234
pihole_dashboard_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
1234
samba_password !vault |
$ANSIBLE_VAULT;1.1;AES256
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
12345645678912345678912345678912346578912345678913246578913456789134657891345678
1234