Separate vault and vars

2022-12-13 22:06:29 +01:00 · 2022-12-13 22:06:29 +01:00 · ec1009eb02
commit ec1009eb02
parent f06d757010
9 changed files with 210 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,4 @@
 **/__pycache__/**
 .coverage
 fact_cache/**
-group_vars/**
+.coverage
-host_vars/**
+vault.yml
 playbooks/filesystem/tmp/valkyrie/etc/resolv.conf
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -0,0 +1,18 @@
 # --------------------------------------------------------------------------------------------------
 # ansible
 # --------------------------------------------------------------------------------------------------
 ansible_port: "{{ vault_ansible_port }}"
 ansible_become_password: "{{ vault_ansible_become_password }}"
 # --------------------------------------------------------------------------------------------------
 # system:base
 # --------------------------------------------------------------------------------------------------
 system_base_ssh_user: "{{ vault_system_base_ssh_user }}"
 # --------------------------------------------------------------------------------------------------
 # system:mail
 # --------------------------------------------------------------------------------------------------
 system_mail_domain: "{{ vault_system_mail_domain }}"
 system_mail_smtp_server: "{{ vault_system_mail_smtp_server }}"
 system_mail_smtp_port: 465
 system_mail_smtp_user: "{{ vault_system_mail_smtp_user }}"
--- a/group_vars/asgard/vars.yml
+++ b/group_vars/asgard/vars.yml
@ -0,0 +1,58 @@
 # --------------------------------------------------------------------------------------------------
 # vpn:wireguard
 # --------------------------------------------------------------------------------------------------
 vpn_wireguard_port: 51820
 vpn_wireguard_address: "10.66.0.{{ vpn_subnet_id }}"
 vpn_wireguard_netmask: "255.255.255.252"
 vpn_wireguard_subnet: "10.66.0.0/30"
 # --------------------------------------------------------------------------------------------------
 # vpn:bridge
 # --------------------------------------------------------------------------------------------------
 vpn_bridge_prefix: "10.66.{{ vpn_subnet_id }}"
 vpn_bridge_address: "{{ vpn_bridge_prefix }}.1"
 vpn_bridge_broadcast: "{{ vpn_bridge_prefix }}.255"
 vpn_bridge_netmask: "255.255.255.0"
 # --------------------------------------------------------------------------------------------------
 # services
 # --------------------------------------------------------------------------------------------------
 services:
  rproxy: {}
  www:
    repo_user: "{{ vault_services.www.repo_user }}"
    repo_token: "{{ vault_services.www.repo_token }}"
  lrproxy: {}
  database:
    password: "{{ vault_services.database.password }}"
  cloud:
    domain: "{{ vault_services.cloud.domain }}"
    database_name: "{{ vault_services.cloud.database_name }}"
    database_user: "{{ vault_services.cloud.database_user }}"
    database_password: "{{ vault_services.cloud.database_password }}"
    admin_user: "{{ vault_services.cloud.admin_user }}"
    admin_password: "{{ vault_services.cloud.admin_password }}"
    smtp_host: "{{ vault_services.cloud.smtp_host }}"
    smtp_name: "{{ vault_services.cloud.smtp_name }}"
    smtp_password: "{{ vault_services.cloud.smtp_password }}"
  git:
    domain: "{{ vault_services.git.domain }}"
    database_name: "{{ vault_services.git.database_name }}"
    database_user: "{{ vault_services.git.database_user }}"
    database_passwd: "{{ vault_services.git.database_passwd }}"
    smtp_host: "{{ vault_services.git.smtp_host }}"
    smtp_user: "{{ vault_services.git.smtp_user }}"
    smtp_passwd: "{{ vault_services.git.smtp_passwd }}"
  notes:
    domain: "{{ vault_services.notes.domain }}"
    database_name: "{{ vault_services.notes.database_name }}"
    database_user: "{{ vault_services.notes.database_user }}"
    database_password: "{{ vault_services.notes.database_password }}"
    smtp_host: "{{ vault_services.notes.smtp_host }}"
    smtp_name: "{{ vault_services.notes.smtp_name }}"
    smtp_password: "{{ vault_services.notes.smtp_password }}"
 scw_bucket_endpoint: "{{ vault_scw_bucket_endpoint }}"
 scw_access_key: "{{ vault_scw_access_key }}"
 scw_secret_key: "{{ vault_scw_secret_key }}"
 restic_password: "{{ vault_restic_password }}"
--- a/group_vars/bifrost/vars.yml
+++ b/group_vars/bifrost/vars.yml
@ -0,0 +1,6 @@
 # --------------------------------------------------------------------------------------------------
 # vpn:wireguard
 # --------------------------------------------------------------------------------------------------
 vpn_wireguard_port: 12768
 vpn_wireguard_netmask: "255.255.255.252"
 vpn_wireguard_subnet: "10.68.0.0/30"
--- a/group_vars/home/vars.yml
+++ b/group_vars/home/vars.yml
@ -0,0 +1,11 @@
 # --------------------------------------------------------------------------------------------------
 # network
 # --------------------------------------------------------------------------------------------------
 local_network_address: "192.168.0.0"
 local_network_masklen: 16
 local_network: "{{ local_network_address  }}/{{ local_network_masklen }}"
 # --------------------------------------------------------------------------------------------------
 # system:base
 # --------------------------------------------------------------------------------------------------
 system_base_fail2ban_ignoreip: "{{ local_network }}"
--- a/group_vars/remote/vars.yml
+++ b/group_vars/remote/vars.yml
@ -0,0 +1,4 @@
 # --------------------------------------------------------------------------------------------------
 # system:base
 # --------------------------------------------------------------------------------------------------
 system_base_fail2ban_ignoreip: "{{ vault_system_base_fail2ban_ignoreip }}"
--- a/host_vars/heimdall/vars.yml
+++ b/host_vars/heimdall/vars.yml
@ -0,0 +1,20 @@
 # --------------------------------------------------------------------------------------------------
 # system:mail
 # --------------------------------------------------------------------------------------------------
 system_mail_smtp_pass: "{{ vault_system_mail_smtp_pass }}"
 # --------------------------------------------------------------------------------------------------
 # system:base
 # --------------------------------------------------------------------------------------------------
 system_base_udp_ports:
  - 12768
 # --------------------------------------------------------------------------------------------------
 # vpn:wireguard
 # --------------------------------------------------------------------------------------------------
 vpn_wireguard_role: "server"
 vpn_wireguard_address: "10.68.0.1"
 vpn_wireguard_interface_private_key: "{{ vault_vpn_wireguard_interface_private_key }}"
 vpn_wireguard_clients:
  - public_key: "{{ vault_vpn_wireguard_clients_0_public_key }}"
    preshared_key: "{{ vault_vpn_wireguard_clients_0_preshared_key }}"
--- a/host_vars/valkyrie/vars.yml
+++ b/host_vars/valkyrie/vars.yml
@ -0,0 +1,39 @@
 # --------------------------------------------------------------------------------------------------
 # system:mail
 # --------------------------------------------------------------------------------------------------
 system_mail_smtp_pass: "{{ vault_system_mail_smtp_pass }}"
 # --------------------------------------------------------------------------------------------------
 # system:base
 # --------------------------------------------------------------------------------------------------
 system_base_additional_ssh_users:
  - "pod-rproxy"
 system_base_additional_tcp_ports:
  - 80
  - 443
 system_base_udp_ports:
  - 51820
 # --------------------------------------------------------------------------------------------------
 # vpn
 # --------------------------------------------------------------------------------------------------
 vpn_subnet_id: 1
 # --------------------------------------------------------------------------------------------------
 # vpn:wireguard
 # --------------------------------------------------------------------------------------------------
 vpn_wireguard_role: "server"
 vpn_wireguard_interface_private_key: "{{ vault_vpn_wireguard_interface_private_key }}"
 vpn_wireguard_clients:
  - public_key: "{{ vault_vpn_wireguard_clients_0_public_key }}"
    preshared_key: "{{ vault_vpn_wireguard_clients_0_preshared_key }}"
    subnet: "{{ hostvars.yggdrasil.vpn_bridge_prefix }}.0/24"
 # --------------------------------------------------------------------------------------------------
 # vpn:bridge
 # --------------------------------------------------------------------------------------------------
 vpn_bridge_dnat:
  - address: "{{ vpn_bridge_prefix }}.2"
    ports:
      - 80
      - 443
--- a/host_vars/yggdrasil/vars.yml
+++ b/host_vars/yggdrasil/vars.yml
@ -0,0 +1,52 @@
 # --------------------------------------------------------------------------------------------------
 # system:zfs
 # --------------------------------------------------------------------------------------------------
 system_zfs_zpools:
  - "bpool"
  - "rpool"
  - "hpool"
 system_zfs_zpools_trim:
  - "bpool"
  - "rpool"
 system_zfs_zpools_load_key:
  - "hpool"
 # --------------------------------------------------------------------------------------------------
 # system:mail
 # --------------------------------------------------------------------------------------------------
 system_mail_smtp_pass: "{{ vault_system_mail_smtp_pass }}"
 # --------------------------------------------------------------------------------------------------
 # system:base
 # --------------------------------------------------------------------------------------------------
 system_base_additional_tcp_ports:
  - 80
  - 443
  - 2770
 # --------------------------------------------------------------------------------------------------
 # vpn
 # --------------------------------------------------------------------------------------------------
 vpn_subnet_id: 2
 # --------------------------------------------------------------------------------------------------
 # vpn:wireguard
 # --------------------------------------------------------------------------------------------------
 vpn_wireguard_role: "client"
 vpn_wireguard_interface_private_key: "{{ vault_vpn_wireguard_interface_private_key }}"
 vpn_wireguard_server_public_key: "{{ vault_vpn_wireguard_server_public_key }}"
 vpn_wireguard_server_preshared_key: "{{ vault_vpn_wireguard_server_preshared_key }}"
 vpn_wireguard_server_address: "{{ vault_vpn_wireguard_server_address }}"
 vpn_wireguard_routing_table: 66
 # --------------------------------------------------------------------------------------------------
 # vpn:bridge
 # --------------------------------------------------------------------------------------------------
 vpn_bridge_dnat:
  - address: "{{ vpn_bridge_prefix }}.2"
    ports:
      - 80
      - 443
  - address: "{{ vpn_bridge_prefix }}.5"
    ports:
      - 2770