Separate vault and vars

This commit is contained in:
Wojciech Kozlowski 2022-12-13 22:06:29 +01:00
parent f06d757010
commit ec1009eb02
9 changed files with 210 additions and 4 deletions

6
.gitignore vendored

@ -1,6 +1,4 @@
**/__pycache__/**
.coverage
fact_cache/**
group_vars/**
host_vars/**
playbooks/filesystem/tmp/valkyrie/etc/resolv.conf
.coverage
vault.yml
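Review bot: The new side excludes vault material by filename only, so with `group_vars/**` and `host_vars/**` apparently dropped from the ignore list (the 6→4 line count and those two lines suggest they are the removed entries, though the rendering lost the markers), everything else in those directories is now committable — including a vault saved under a slightly different name or a `vars.yml` that still carries a literal secret. The more robust shape is to keep vault files ansible-vault encrypted and commit them, so a pre-commit check can enforce the `$ANSIBLE_VAULT;` header instead of relying on a name pattern. If they are to stay untracked, a line such as `# vault.yml holds the vault_* values referenced from vars.yml; never commit it in plaintext` records the intent for the next contributor.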

18
group_vars/all/vars.yml Normal file

@ -0,0 +1,18 @@
# --------------------------------------------------------------------------------------------------
# ansible
# --------------------------------------------------------------------------------------------------
ansible_port: "{{ vault_ansible_port }}"
ansible_become_password: "{{ vault_ansible_become_password }}"
# --------------------------------------------------------------------------------------------------
# system:base
# --------------------------------------------------------------------------------------------------
system_base_ssh_user: "{{ vault_system_base_ssh_user }}"
# --------------------------------------------------------------------------------------------------
# system:mail
# --------------------------------------------------------------------------------------------------
system_mail_domain: "{{ vault_system_mail_domain }}"
system_mail_smtp_server: "{{ vault_system_mail_smtp_server }}"
system_mail_smtp_port: 465
system_mail_smtp_user: "{{ vault_system_mail_smtp_user }}"
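Review bot: Nothing in this file says where the `vault_*` names it references are defined, and with `vault.yml` now git-ignored a fresh checkout has no counterpart for them; Ansible only reports the undefined variable when something first touches `ansible_port` or `ansible_become_password`, which for connection variables is a late and confusing failure. A header comment would make the contract explicit, e.g. `# Every vault_* value comes from the git-ignored vault.yml next to this file; add a key there for each new reference.` `system_mail_smtp_port: 465` is the one plain literal among vaulted mail settings, which is fine, but a short note that 465 is the implicit-TLS SMTPS port would save a lookup.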


@ -0,0 +1,58 @@
# --------------------------------------------------------------------------------------------------
# vpn:wireguard
# --------------------------------------------------------------------------------------------------
vpn_wireguard_port: 51820
vpn_wireguard_address: "10.66.0.{{ vpn_subnet_id }}"
vpn_wireguard_netmask: "255.255.255.252"
vpn_wireguard_subnet: "10.66.0.0/30"
# --------------------------------------------------------------------------------------------------
# vpn:bridge
# --------------------------------------------------------------------------------------------------
vpn_bridge_prefix: "10.66.{{ vpn_subnet_id }}"
vpn_bridge_address: "{{ vpn_bridge_prefix }}.1"
vpn_bridge_broadcast: "{{ vpn_bridge_prefix }}.255"
vpn_bridge_netmask: "255.255.255.0"
# --------------------------------------------------------------------------------------------------
# services
# --------------------------------------------------------------------------------------------------
services:
rproxy: {}
www:
repo_user: "{{ vault_services.www.repo_user }}"
repo_token: "{{ vault_services.www.repo_token }}"
lrproxy: {}
database:
password: "{{ vault_services.database.password }}"
cloud:
domain: "{{ vault_services.cloud.domain }}"
database_name: "{{ vault_services.cloud.database_name }}"
database_user: "{{ vault_services.cloud.database_user }}"
database_password: "{{ vault_services.cloud.database_password }}"
admin_user: "{{ vault_services.cloud.admin_user }}"
admin_password: "{{ vault_services.cloud.admin_password }}"
smtp_host: "{{ vault_services.cloud.smtp_host }}"
smtp_name: "{{ vault_services.cloud.smtp_name }}"
smtp_password: "{{ vault_services.cloud.smtp_password }}"
git:
domain: "{{ vault_services.git.domain }}"
database_name: "{{ vault_services.git.database_name }}"
database_user: "{{ vault_services.git.database_user }}"
database_passwd: "{{ vault_services.git.database_passwd }}"
smtp_host: "{{ vault_services.git.smtp_host }}"
smtp_user: "{{ vault_services.git.smtp_user }}"
smtp_passwd: "{{ vault_services.git.smtp_passwd }}"
notes:
domain: "{{ vault_services.notes.domain }}"
database_name: "{{ vault_services.notes.database_name }}"
database_user: "{{ vault_services.notes.database_user }}"
database_password: "{{ vault_services.notes.database_password }}"
smtp_host: "{{ vault_services.notes.smtp_host }}"
smtp_name: "{{ vault_services.notes.smtp_name }}"
smtp_password: "{{ vault_services.notes.smtp_password }}"
scw_bucket_endpoint: "{{ vault_scw_bucket_endpoint }}"
scw_access_key: "{{ vault_scw_access_key }}"
scw_secret_key: "{{ vault_scw_secret_key }}"
restic_password: "{{ vault_restic_password }}"
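Review bot: The `services` mapping (its nesting is flattened in this rendering) copies every secret out of `vault_services` — `repo_token`, the `database_password`/`database_passwd` values, the `smtp_password`/`smtp_passwd` values, plus `scw_secret_key` and `restic_password` — into an ordinary variable, so a `debug:` of `services` or the argument dump of a failed task that consumes it prints them in plaintext unless the consuming roles set `no_log: true`, which is not visible from here. A comment above `services:` such as `# services carries vault-derived secrets; consume it only under no_log: true` would record that expectation. The key names also differ between entries (`database_password` for cloud and notes but `database_passwd` for git, `smtp_name` versus `smtp_user`); if each role reads its own names this is deliberate and worth saying, otherwise aligning them now is cheaper than later.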


@ -0,0 +1,6 @@
# --------------------------------------------------------------------------------------------------
# vpn:wireguard
# --------------------------------------------------------------------------------------------------
vpn_wireguard_port: 12768
vpn_wireguard_netmask: "255.255.255.252"
vpn_wireguard_subnet: "10.68.0.0/30"

11
group_vars/home/vars.yml Normal file

@ -0,0 +1,11 @@
# --------------------------------------------------------------------------------------------------
# network
# --------------------------------------------------------------------------------------------------
local_network_address: "192.168.0.0"
local_network_masklen: 16
local_network: "{{ local_network_address }}/{{ local_network_masklen }}"
# --------------------------------------------------------------------------------------------------
# system:base
# --------------------------------------------------------------------------------------------------
system_base_fail2ban_ignoreip: "{{ local_network }}"
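Review bot: `system_base_fail2ban_ignoreip` resolves to `192.168.0.0/16`, which exempts 65,536 addresses from banning although a home LAN normally occupies a single /24; a compromised device anywhere in that range could then retry SSH logins indefinitely. Unless several 192.168.x.0 subnets are genuinely in use, narrowing `local_network_masklen: 16` to the real prefix length keeps the exemption to the hosts that need it. A comment on `local_network_address` stating which networks are meant, e.g. `# LAN range exempt from fail2ban — keep as tight as the subnets actually in use`, makes any later widening a deliberate choice.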


@ -0,0 +1,4 @@
# --------------------------------------------------------------------------------------------------
# system:base
# --------------------------------------------------------------------------------------------------
system_base_fail2ban_ignoreip: "{{ vault_system_base_fail2ban_ignoreip }}"


@ -0,0 +1,20 @@
# --------------------------------------------------------------------------------------------------
# system:mail
# --------------------------------------------------------------------------------------------------
system_mail_smtp_pass: "{{ vault_system_mail_smtp_pass }}"
# --------------------------------------------------------------------------------------------------
# system:base
# --------------------------------------------------------------------------------------------------
system_base_udp_ports:
- 12768
# --------------------------------------------------------------------------------------------------
# vpn:wireguard
# --------------------------------------------------------------------------------------------------
vpn_wireguard_role: "server"
vpn_wireguard_address: "10.68.0.1"
vpn_wireguard_interface_private_key: "{{ vault_vpn_wireguard_interface_private_key }}"
vpn_wireguard_clients:
- public_key: "{{ vault_vpn_wireguard_clients_0_public_key }}"
preshared_key: "{{ vault_vpn_wireguard_clients_0_preshared_key }}"
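Review bot: `system_base_udp_ports: - 12768` hard-codes the WireGuard port that the group file earlier in this commit already defines as `vpn_wireguard_port: 12768`, so changing one without the other silently leaves the tunnel port closed or the wrong one open; `- "{{ vpn_wireguard_port }}"` ties the firewall entry to the variable (Ansible normally converts a bare `{{ int_var }}` back to an integer, but confirm the firewall task accepts it). The same duplication is in the next host file, where `- 51820` sits in `system_base_udp_ports` while the group sets `vpn_wireguard_port: 51820`. The single `vpn_wireguard_clients` entry here carries only `public_key` and `preshared_key`, whereas the equivalent entry in the next file also has `subnet`; if the role derives AllowedIPs from that key, confirm its default is what this server should route to the client.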


@ -0,0 +1,39 @@
# --------------------------------------------------------------------------------------------------
# system:mail
# --------------------------------------------------------------------------------------------------
system_mail_smtp_pass: "{{ vault_system_mail_smtp_pass }}"
# --------------------------------------------------------------------------------------------------
# system:base
# --------------------------------------------------------------------------------------------------
system_base_additional_ssh_users:
- "pod-rproxy"
system_base_additional_tcp_ports:
- 80
- 443
system_base_udp_ports:
- 51820
# --------------------------------------------------------------------------------------------------
# vpn
# --------------------------------------------------------------------------------------------------
vpn_subnet_id: 1
# --------------------------------------------------------------------------------------------------
# vpn:wireguard
# --------------------------------------------------------------------------------------------------
vpn_wireguard_role: "server"
vpn_wireguard_interface_private_key: "{{ vault_vpn_wireguard_interface_private_key }}"
vpn_wireguard_clients:
- public_key: "{{ vault_vpn_wireguard_clients_0_public_key }}"
preshared_key: "{{ vault_vpn_wireguard_clients_0_preshared_key }}"
subnet: "{{ hostvars.yggdrasil.vpn_bridge_prefix }}.0/24"
# --------------------------------------------------------------------------------------------------
# vpn:bridge
# --------------------------------------------------------------------------------------------------
vpn_bridge_dnat:
- address: "{{ vpn_bridge_prefix }}.2"
ports:
- 80
- 443
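Review bot: `subnet: "{{ hostvars.yggdrasil.vpn_bridge_prefix }}.0/24"` pins the peer's inventory hostname inside this host's variables and only resolves while `yggdrasil` is part of the inventory of the running play, which nothing in the file states; a comment such as `# route the client's bridge /24 over the tunnel; requires host yggdrasil in the inventory` would explain the cross-host lookup. `vpn_bridge_dnat` forwards 80 and 443 to `{{ vpn_bridge_prefix }}.2` without naming what listens at `.2` (possibly the workload behind the `pod-rproxy` SSH user, but that is a guess); naming the service next to the address also documents why the same two ports are opened in `system_base_additional_tcp_ports`.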


@ -0,0 +1,52 @@
# --------------------------------------------------------------------------------------------------
# system:zfs
# --------------------------------------------------------------------------------------------------
system_zfs_zpools:
- "bpool"
- "rpool"
- "hpool"
system_zfs_zpools_trim:
- "bpool"
- "rpool"
system_zfs_zpools_load_key:
- "hpool"
# --------------------------------------------------------------------------------------------------
# system:mail
# --------------------------------------------------------------------------------------------------
system_mail_smtp_pass: "{{ vault_system_mail_smtp_pass }}"
# --------------------------------------------------------------------------------------------------
# system:base
# --------------------------------------------------------------------------------------------------
system_base_additional_tcp_ports:
- 80
- 443
- 2770
# --------------------------------------------------------------------------------------------------
# vpn
# --------------------------------------------------------------------------------------------------
vpn_subnet_id: 2
# --------------------------------------------------------------------------------------------------
# vpn:wireguard
# --------------------------------------------------------------------------------------------------
vpn_wireguard_role: "client"
vpn_wireguard_interface_private_key: "{{ vault_vpn_wireguard_interface_private_key }}"
vpn_wireguard_server_public_key: "{{ vault_vpn_wireguard_server_public_key }}"
vpn_wireguard_server_preshared_key: "{{ vault_vpn_wireguard_server_preshared_key }}"
vpn_wireguard_server_address: "{{ vault_vpn_wireguard_server_address }}"
vpn_wireguard_routing_table: 66
# --------------------------------------------------------------------------------------------------
# vpn:bridge
# --------------------------------------------------------------------------------------------------
vpn_bridge_dnat:
- address: "{{ vpn_bridge_prefix }}.2"
ports:
- 80
- 443
- address: "{{ vpn_bridge_prefix }}.5"
ports:
- 2770
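Review bot: Port 2770 appears as a bare number twice — in `system_base_additional_tcp_ports` and as the DNAT target at `{{ vpn_bridge_prefix }}.5` — with nothing saying which service it is, and `vpn_wireguard_routing_table: 66` is likewise an unexplained policy-routing table id. A comment at each, e.g. `# 2770: <service name> on the pod at .5` and `# policy-routing table used for tunnel traffic`, would let the next reader judge whether that port really needs to be open on the host firewall rather than only forwarded. `system_zfs_zpools_load_key: - "hpool"` implies an encrypted pool whose key must be available when the role runs; noting where that key comes from (without placing it here) completes the picture.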