This repository has been archived by the owner on Nov 9, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 263
/
inventory.yml
executable file
·111 lines (79 loc) · 2.86 KB
/
inventory.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
# Please don't edit this file directly! It will be reset when you update the git repository
# Instead, put your variable customizations into custom.yml
---
all:
hosts:
localhost:
ansible_connection: local
vars:
username: notthebee
root_host: example.duckdns.org
enable_username_creation: yes
user_shell: /bin/bash
enable_passwordless_sudo: yes
# Whether or not you want to generate a public key pair for SSH auth
# The playbook will not generate a new pair if $HOME/.ssh/authorized_keys exists and isn't empty
enable_ssh_keygen: yes
# Uncomment this line if you already have a public SSH key and put your public key in it
# This overrides `enable_ssh_keygen`
# ssh_public_key: ""
authelia_host: "auth.{{ root_host }}"
wireguard_host: "wg.{{ root_host }}"
wireguard_subnet: "10.8.0.x"
wireguard_client_allowed_ips: "0.0.0.0/0, ::/0"
adguard_host: "adguard.{{ root_host }}"
wireguard_port: "51820"
# Possible choices: cloudflare, quad9, google
#
# In case you've enabled Adguard, Unbound and DoH functionality,
# this will also set upstream DoH resolvers for dnscrypt
dns_nameservers: cloudflare
# This will enable Adguard, Unbound and dnscrypt-proxy
# for secure DNS resolution with ad-blocking functionality
#
# The ad blocking is disabled by default, you need to navigate to
# adguard.your_domain.com to set it up.
enable_adguard_unbound_doh: false
# Set the time at which the system should reboot after installing updates (24H format)
autoupdate_reboot_time: 03:00
docker_dir: "/opt/docker"
# You can set it to a different port in order to avoid automated scanner bots
ssh_port: 22
# Optional e-mail for notifications (unattended upgrades, banned IPs, etc.)
# Leave everything in place if you don't want any notifications
email_login: root@localhost
email: "{{ email_login }}"
email_recipient: "{{ email_login }}"
email_smtp_host: smtp.localhost.com
email_smtp_port: 465
# MSMTP
msmtp_accounts:
- account: mailbox
host: "{{ email_smtp_host }}"
port: "{{ email_smtp_port }}"
auth: "on"
from: "{{ email }}"
user: "{{ email_login }}"
password: "{{ email_password }}"
msmtp_default_account: "mailbox"
msmtp_alias_default: "{{ email }}"
ssh_allow_cidr: 0.0.0.0/0
iptables_allow_rules:
- desc: "Allow Wireguard"
proto: udp
port: "{{ wireguard_port }}"
- desc: "Allow HTTP"
proto: tcp
port: "80"
- desc: "Allow HTTPS"
proto: tcp
port: "443"
- desc: "Allow SSH"
proto: tcp
port: "{{ ssh_port }}"
# Fail2Ban only comes with the SSH jail by default
enable_fail2ban: true
pip_install_packages:
- name: docker
docker_users:
- "{{ username }}"