164 lines
5.1 KiB
Text
164 lines
5.1 KiB
Text
---
|
|
# ============================================================
|
|
# Linderhof Configuration
|
|
# ============================================================
|
|
# Generated by setup.sh — edit freely to match your needs.
|
|
# Secrets are stored separately in vault.yml.
|
|
# Tunable defaults live in each role's defaults/main.yml.
|
|
#
|
|
# To override any variable for this stack without editing this file,
|
|
# create $LINDERHOF_DIR/group_vars/all/overrides.yml, e.g.:
|
|
# mail_hostname: mail2.$domain
|
|
# caddy_sites:
|
|
# - $domain
|
|
# - example2.com
|
|
# ============================================================
|
|
|
|
# ============================================================
|
|
# Services — set to false to disable
|
|
# ============================================================
|
|
enable_mail: true
|
|
enable_forgejo: true
|
|
enable_monitoring: true
|
|
enable_restic: true
|
|
enable_fail2ban: true
|
|
enable_tuwunel: true
|
|
enable_nebula: true
|
|
enable_diun: true
|
|
enable_goaccess: true
|
|
|
|
# ============================================================
|
|
# System
|
|
# ============================================================
|
|
domain: $domain
|
|
server_name: $server_name
|
|
server_ip: $server_ip
|
|
admin_user: $admin_user
|
|
admin_ssh_key: "{{ lookup('file', '$ssh_key_pub') }}"
|
|
timezone: UTC
|
|
|
|
# ============================================================
|
|
# Image versions (update when Diun notifies of new releases)
|
|
# ============================================================
|
|
caddy_version: "2"
|
|
mailserver_version: "latest"
|
|
rainloop_version: "latest"
|
|
forgejo_version: "11"
|
|
prometheus_version: "latest"
|
|
alloy_version: "latest"
|
|
grafana_version: "latest"
|
|
loki_version: "latest"
|
|
diun_version: "latest"
|
|
tuwunel_version: "latest"
|
|
radicale_version: "latest"
|
|
nebula_version: "1.9.5"
|
|
|
|
# ============================================================
|
|
# Caddy (web server / reverse proxy)
|
|
# ============================================================
|
|
# Static sites served as file servers — each gets /srv/caddy/sites/<domain>/
|
|
# Override in overrides.yml to add more domains.
|
|
caddy_sites:
|
|
- $domain
|
|
|
|
# Service subdomains — override individually in overrides.yml
|
|
webmail_domain: webmail.$domain
|
|
rspamd_domain: rspamd.$domain
|
|
grafana_domain: watch.$domain
|
|
goaccess_domain: stats.$domain
|
|
radicale_domain: cal.$domain
|
|
|
|
# Service ports — defined here so caddy can reference them when run standalone
|
|
rainloop_port: 8888
|
|
rspamd_port: 11334
|
|
forgejo_port: 3000
|
|
grafana_port: 3000
|
|
tuwunel_port: 6167
|
|
radicale_port: 5232
|
|
caddy_metrics_port: 9000
|
|
|
|
# ============================================================
|
|
# Mail (docker-mailserver + rainloop)
|
|
# ============================================================
|
|
# Override mail_hostname in overrides.yml if migrating (e.g. mail2.$domain)
|
|
mail_hostname: mail.$domain
|
|
|
|
mail_domains:
|
|
- $domain
|
|
# Add more domains this mail server should handle:
|
|
# mail_domains:
|
|
# - $domain
|
|
# - example2.com
|
|
|
|
mail_users:
|
|
- address: $admin_user@$domain
|
|
password: "{{ mail_passwords['$admin_user@$domain'] }}"
|
|
- address: git@$domain
|
|
password: "{{ mail_passwords['git@$domain'] }}"
|
|
- address: notifications@$domain
|
|
password: "{{ mail_passwords['notifications@$domain'] }}"
|
|
|
|
mail_aliases:
|
|
- from: root@$domain
|
|
to: $admin_user@$domain
|
|
- from: dmarc@$domain
|
|
to: $admin_user@$domain
|
|
- from: postmaster@$domain
|
|
to: $admin_user@$domain
|
|
- from: hostmaster@$domain
|
|
to: $admin_user@$domain
|
|
- from: webmaster@$domain
|
|
to: $admin_user@$domain
|
|
- from: abuse@$domain
|
|
to: $admin_user@$domain
|
|
|
|
# ============================================================
|
|
# Forgejo (git hosting)
|
|
# ============================================================
|
|
forgejo_domain: code.$domain
|
|
|
|
# ============================================================
|
|
# Monitoring
|
|
# ============================================================
|
|
grafana_root_url: "https://{{ grafana_domain }}"
|
|
|
|
# ============================================================
|
|
# Restic (encrypted backups)
|
|
# ============================================================
|
|
restic_backend_type: "sftp"
|
|
# restic_host: "uXXXXXX.your-storagebox.de"
|
|
# restic_user: uXXXXXX
|
|
# restic_ssh_port: 23
|
|
# restic_remote_path: "backups/$server_name"
|
|
# restic_ssh_key: "/root/.ssh/island_restic_backup"
|
|
|
|
# ============================================================
|
|
# GoAccess (web analytics)
|
|
# ============================================================
|
|
goaccess_sites:
|
|
- $domain
|
|
- code.$domain
|
|
- watch.$domain
|
|
- webmail.$domain
|
|
- rspamd.$domain
|
|
goaccess_user: admin
|
|
|
|
# ============================================================
|
|
# Diun (Docker Image Update Notifier)
|
|
# ============================================================
|
|
diun_notify_email: true
|
|
diun_email_user: notifications@$domain
|
|
## diun_email_password: defined in vault.yml
|
|
diun_email_to: $admin_user@$domain
|
|
|
|
# ============================================================
|
|
# Tuwunel (Matrix homeserver)
|
|
# ============================================================
|
|
tuwunel_server_name: $domain
|
|
tuwunel_domain: chat.$domain
|
|
|
|
# ============================================================
|
|
# Nebula (overlay network)
|
|
# ============================================================
|
|
nebula_subnet: "192.168.100.0/24"
|
|
nebula_lighthouse_ip: "192.168.100.1"
|