initial commit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

inventory/group_vars/all/vault.yml.setup

@@ -0,0 +1,55 @@
+---
+# ============================================================
+# Linderhof Secrets
+# ============================================================
+# Generated by setup.sh
+# Edit with: ansible-vault edit $LINDERHOF_DIR/group_vars/all/vault.yml
+# ============================================================
+
+# hetzner
+hcloud_token: "$hcloud_token"
+
+# mail
+# passwords generated with: openssl rand -base64 32
+mail_passwords:
+  $admin_user@$domain: "$admin_mail_password"
+  git@$domain: "$git_mail_password"
+  notifications@$domain: "$notifications_mail_password"
+rspamd_web_password: "$rspamd_web_password"
+rainloop_admin_password: "$rainloop_admin_password"
+
+# forgejo
+# keys generated with: openssl rand -hex 32
+forgejo_secret_key: "$forgejo_secret_key"
+forgejo_internal_token: "$forgejo_internal_token"
+forgejo_jwt_secret: "$forgejo_jwt_secret"
+forgejo_smtp_password: "$notifications_mail_password"
+
+# monitoring
+# password generated with: openssl rand -base64 32
+grafana_admin_password: "$grafana_admin_password"
+
+# tuwunel
+# token generated with: openssl rand -base64 32
+tuwunel_registration_token: "$tuwunel_registration_token"
+
+# goaccess
+# password generated with: openssl rand -base64 32
+goaccess_password: "$goaccess_password"
+
+# diun (uses the notifications mail account)
+diun_email_password: "$notifications_mail_password"
+
+# restic
+# password generated with: openssl rand -base64 32
+restic_password: "$restic_password"
+
+# fail2ban (optional — IPs/CIDRs to whitelist)
+# fail2ban_ignoreip: "your-home-ip/32"
+
+# DKIM public keys — one entry per domain
+# Retrieve after first mail deployment:
+#   docker exec mailserver cat /tmp/docker-mailserver/rspamd/dkim/$domain/mail.pub
+# Format: "v=DKIM1; k=rsa; p=<base64 public key>"
+dkim_keys:
+  $domain: ""