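---
# ============================================================
# Linderhof Configuration
# ============================================================
# Generated by setup.sh — edit freely to match your needs.
# Secrets are stored separately in vault.yml.
# Tunable defaults live in each role's defaults/main.yml.
#
# To override any variable for this stack without editing this file,
# create $LINDERHOF_DIR/group_vars/all/overrides.yml, e.g.:
#   mail_hostname: mail2.$domain
#   caddy_sites:
#     - $domain
#     - example2.com
# ============================================================

# ============================================================
# Services — set to false to disable
# ============================================================
enable_caddy: true
enable_mail: true
enable_forgejo: true
enable_monitoring: true
enable_restic: false
enable_fail2ban: true
enable_tuwunel: true
enable_nebula: true
enable_diun: true
enable_goaccess: true
enable_goaccess_sync: false
enable_radicale: true

# ============================================================
# System
# ============================================================
domain: $domain
server_name: $server_name

# Labels applied to all Hetzner cloud resources (server, SSH key).
# DNS resources do not support labels.
hcloud_labels:
  managed-by: linderhof
  stack: $stack_name

server_ip: $server_ip
admin_user: $admin_user
admin_shell: /bin/zsh
# Public key only — the file is read at play time, nothing secret is inlined here.
admin_ssh_key: "{{ lookup('file', '$ssh_key_pub') }}"
timezone: UTC

# ============================================================
# Image versions (update when Diun notifies of new releases)
# ============================================================
# NOTE(review): "latest" is a mutable tag — each pull may resolve to a
# different image, so deployments are not reproducible and an upstream
# change (or compromise) lands on the next pull. Prefer pinning to a
# release tag (or digest) and letting Diun prompt the bump.
caddy_version: "2"
mailserver_version: "latest"
rainloop_version: "latest"
forgejo_version: "11"
forgejo_runner_version: "12"
prometheus_version: "latest"
alloy_version: "latest"
grafana_version: "latest"
loki_version: "latest"
diun_version: "latest"
tuwunel_version: "latest"
radicale_version: "latest"
nebula_version: "1.9.5"

# ============================================================
# Caddy (web server / reverse proxy)
# ============================================================
# Static sites served as file servers — each gets /srv/caddy/sites/<site>/
# Override in overrides.yml to add more domains.
caddy_sites:
  - $domain

# Service subdomains — override individually in overrides.yml
webmail_domain: webmail.$domain
rspamd_domain: rspamd.$domain
grafana_domain: watch.$domain
goaccess_domain: stats.$domain
radicale_domain: cal.$domain

# Service ports — defined here so caddy can reference them when run standalone
# NOTE(review): forgejo_port and grafana_port are both 3000 — this only
# works if they are container-internal ports on separate networks; confirm
# neither is published on the host, or the two will collide.
rainloop_port: 8888
rspamd_port: 11334
forgejo_port: 3000
grafana_port: 3000
tuwunel_port: 6167
radicale_port: 5232
caddy_metrics_port: 9000

# ============================================================
# Mail (docker-mailserver + rainloop)
# ============================================================
# Override mail_hostname in overrides.yml if migrating (e.g. mail2.$domain)
mail_hostname: mail.$domain

mail_domains:
  - $domain
# Add more domains this mail server should handle:
# mail_domains:
#   - $domain
#   - example2.com

# Passwords are looked up from the mail_passwords dict in vault.yml —
# never put the literal value here.
mail_users:
  - address: $admin_user@$domain
    password: "{{ mail_passwords['$admin_user@$domain'] }}"
  - address: git@$domain
    password: "{{ mail_passwords['git@$domain'] }}"
  - address: notifications@$domain
    password: "{{ mail_passwords['notifications@$domain'] }}"

# Role mailboxes (RFC 2142 style) all route to the admin user.
mail_aliases:
  - from: root@$domain
    to: $admin_user@$domain
  - from: dmarc@$domain
    to: $admin_user@$domain
  - from: postmaster@$domain
    to: $admin_user@$domain
  - from: hostmaster@$domain
    to: $admin_user@$domain
  - from: webmaster@$domain
    to: $admin_user@$domain
  - from: abuse@$domain
    to: $admin_user@$domain

# ============================================================
# Forgejo (git hosting)
# ============================================================
forgejo_domain: code.$domain

# ============================================================
# Monitoring
# ============================================================
grafana_root_url: "https://{{ grafana_domain }}"

# ============================================================
# Restic (encrypted backups)
# ============================================================
restic_backend_type: "sftp"
# Storage box name in Hetzner Cloud (https://console.hetzner.cloud)
restic_storagebox_name: "$restic_storagebox_name"
# To create a new storage box via storage_box.yml (rather than adopting an existing one):
# restic_storagebox_type: bx11
# restic_storagebox_location: $hcloud_location
# The following are written automatically by storage_box.yml — do not edit manually
# restic_host: "uXXXXXX.your-storagebox.de"
# restic_user: uXXXXXX
# restic_ssh_port: 23
# restic_remote_path: "backups/$server_name"
# restic_ssh_key: "/root/.ssh/restic_backup"

# ============================================================
# GoAccess (web analytics)
# ============================================================
goaccess_sites:
  - $domain
  - code.$domain
  - watch.$domain
  - webmail.$domain
  - rspamd.$domain
goaccess_user: admin
# Sync reports to a remote host via rsync over SSH (enable_goaccess_sync: true to activate)
# goaccess_sync_host: "uXXXXXX.your-storagebox.de"
# goaccess_sync_user: uXXXXXX
# goaccess_sync_ssh_port: 23
# goaccess_sync_ssh_key: "/root/.ssh/goaccess_sync"
# goaccess_sync_remote_path: "analytics"

# ============================================================
# Diun (Docker Image Update Notifier)
# ============================================================
diun_notify_email: true
diun_email_user: notifications@$domain
## diun_email_password: defined in vault.yml
diun_email_to: $admin_user@$domain

# ============================================================
# Tuwunel (Matrix homeserver)
# ============================================================
tuwunel_server_name: $domain
tuwunel_domain: chat.$domain

# ============================================================
# Nebula (overlay network)
# ============================================================
nebula_subnet: "192.168.100.0/24"
nebula_lighthouse_ip: "192.168.100.1"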