initial commit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-27 15:09:25 -07:00 · 2026-02-27 15:09:25 -07:00 · 75891c3271
commit 75891c3271
129 changed files with 8046 additions and 0 deletions
--- a/inventory/group_vars/all/config.yml.setup
+++ b/inventory/group_vars/all/config.yml.setup
@ -0,0 +1,164 @@
+---
+# ============================================================
+# Linderhof Configuration
+# ============================================================
+# Generated by setup.sh — edit freely to match your needs.
+# Secrets are stored separately in vault.yml.
+# Tunable defaults live in each role's defaults/main.yml.
+#
+# To override any variable for this stack without editing this file,
+# create $LINDERHOF_DIR/group_vars/all/overrides.yml, e.g.:
+#   mail_hostname: mail2.$domain
+#   caddy_sites:
+#     - $domain
+#     - example2.com
+# ============================================================
+
+# ============================================================
+# Services — set to false to disable
+# ============================================================
+enable_mail: true
+enable_forgejo: true
+enable_monitoring: true
+enable_restic: true
+enable_fail2ban: true
+enable_tuwunel: true
+enable_nebula: true
+enable_diun: true
+enable_goaccess: true
+
+# ============================================================
+# System
+# ============================================================
+domain: $domain
+server_name: $server_name
+server_ip: $server_ip
+admin_user: $admin_user
+admin_ssh_key: "{{ lookup('file', '$ssh_key_pub') }}"
+timezone: UTC
+
+# ============================================================
+# Image versions (update when Diun notifies of new releases)
+# ============================================================
+caddy_version: "2"
+mailserver_version: "latest"
+rainloop_version: "latest"
+forgejo_version: "11"
+prometheus_version: "latest"
+alloy_version: "latest"
+grafana_version: "latest"
+loki_version: "latest"
+diun_version: "latest"
+tuwunel_version: "latest"
+radicale_version: "latest"
+nebula_version: "1.9.5"
+
+# ============================================================
+# Caddy (web server / reverse proxy)
+# ============================================================
+# Static sites served as file servers — each gets /srv/caddy/sites/<domain>/
+# Override in overrides.yml to add more domains.
+caddy_sites:
+  - $domain
+
+# Service subdomains — override individually in overrides.yml
+webmail_domain: webmail.$domain
+rspamd_domain: rspamd.$domain
+grafana_domain: watch.$domain
+goaccess_domain: stats.$domain
+radicale_domain: cal.$domain
+
+# Service ports — defined here so caddy can reference them when run standalone
+rainloop_port: 8888
+rspamd_port: 11334
+forgejo_port: 3000
+grafana_port: 3000
+tuwunel_port: 6167
+radicale_port: 5232
+caddy_metrics_port: 9000
+
+# ============================================================
+# Mail (docker-mailserver + rainloop)
+# ============================================================
+# Override mail_hostname in overrides.yml if migrating (e.g. mail2.$domain)
+mail_hostname: mail.$domain
+
+mail_domains:
+  - $domain
+# Add more domains this mail server should handle:
+# mail_domains:
+#   - $domain
+#   - example2.com
+
+mail_users:
+  - address: $admin_user@$domain
+    password: "{{ mail_passwords['$admin_user@$domain'] }}"
+  - address: git@$domain
+    password: "{{ mail_passwords['git@$domain'] }}"
+  - address: notifications@$domain
+    password: "{{ mail_passwords['notifications@$domain'] }}"
+
+mail_aliases:
+  - from: root@$domain
+    to: $admin_user@$domain
+  - from: dmarc@$domain
+    to: $admin_user@$domain
+  - from: postmaster@$domain
+    to: $admin_user@$domain
+  - from: hostmaster@$domain
+    to: $admin_user@$domain
+  - from: webmaster@$domain
+    to: $admin_user@$domain
+  - from: abuse@$domain
+    to: $admin_user@$domain
+
+# ============================================================
+# Forgejo (git hosting)
+# ============================================================
+forgejo_domain: code.$domain
+
+# ============================================================
+# Monitoring
+# ============================================================
+grafana_root_url: "https://{{ grafana_domain }}"
+
+# ============================================================
+# Restic (encrypted backups)
+# ============================================================
+restic_backend_type: "sftp"
+# restic_host: "uXXXXXX.your-storagebox.de"
+# restic_user: uXXXXXX
+# restic_ssh_port: 23
+# restic_remote_path: "backups/$server_name"
+# restic_ssh_key: "/root/.ssh/island_restic_backup"
+
+# ============================================================
+# GoAccess (web analytics)
+# ============================================================
+goaccess_sites:
+  - $domain
+  - code.$domain
+  - watch.$domain
+  - webmail.$domain
+  - rspamd.$domain
+goaccess_user: admin
+
+# ============================================================
+# Diun (Docker Image Update Notifier)
+# ============================================================
+diun_notify_email: true
+diun_email_user: notifications@$domain
+## diun_email_password: defined in vault.yml
+diun_email_to: $admin_user@$domain
+
+# ============================================================
+# Tuwunel (Matrix homeserver)
+# ============================================================
+tuwunel_server_name: $domain
+tuwunel_domain: chat.$domain
+
+# ============================================================
+# Nebula (overlay network)
+# ============================================================
+nebula_subnet: "192.168.100.0/24"
+nebula_lighthouse_ip: "192.168.100.1"