Matthias Johnson
bd90a7e16f
- Add dkim_sync.yml: generates DKIM keys for all mail_domains, writes keys to stack config (group_vars/all/dkim.yml), and publishes mail._domainkey TXT records via dns.yml — replaces manual vault editing - Remove dkim_keys from vault.yml.setup (public keys don't need encryption) - Add hcloud_labels to config.yml.setup and apply to server + SSH key in provision role, enabling project-level tagging of Hetzner resources - Fix setup.sh next steps: add missing bootstrap step, replace manual DKIM instructions with dkim_sync.yml - Update CLAUDE.md and README.md accordingly Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
56 lines
1.7 KiB
Text
56 lines
1.7 KiB
Text
---
|
|
# ============================================================
|
|
# Linderhof Secrets
|
|
# ============================================================
|
|
# Generated by setup.sh
|
|
# Edit with: ansible-vault edit $LINDERHOF_DIR/group_vars/all/vault.yml
|
|
# ============================================================
|
|
|
|
# system
|
|
root_password: "$root_password"
|
|
admin_password: "$admin_password"
|
|
|
|
# hetzner
|
|
hcloud_token: "$hcloud_token"
|
|
|
|
# mail
|
|
# passwords generated with: openssl rand -base64 32
|
|
mail_passwords:
|
|
$admin_user@$domain: "$admin_mail_password"
|
|
git@$domain: "$git_mail_password"
|
|
notifications@$domain: "$notifications_mail_password"
|
|
rspamd_web_password: "$rspamd_web_password"
|
|
rainloop_admin_password: "$rainloop_admin_password"
|
|
|
|
# forgejo
|
|
# keys generated with: openssl rand -hex 32
|
|
forgejo_secret_key: "$forgejo_secret_key"
|
|
forgejo_internal_token: "$forgejo_internal_token"
|
|
forgejo_jwt_secret: "$forgejo_jwt_secret"
|
|
forgejo_smtp_password: "$notifications_mail_password"
|
|
|
|
# monitoring
|
|
# password generated with: openssl rand -base64 32
|
|
grafana_admin_password: "$grafana_admin_password"
|
|
|
|
# tuwunel
|
|
# token generated with: openssl rand -base64 32
|
|
tuwunel_registration_token: "$tuwunel_registration_token"
|
|
|
|
# radicale
|
|
# password generated with: openssl rand -base64 32
|
|
radicale_password: "$radicale_password"
|
|
|
|
# goaccess
|
|
# password generated with: openssl rand -base64 32
|
|
goaccess_password: "$goaccess_password"
|
|
|
|
# diun (uses the notifications mail account)
|
|
diun_email_password: "$notifications_mail_password"
|
|
|
|
# restic
|
|
# password generated with: openssl rand -base64 32
|
|
restic_password: "$restic_password"
|
|
|
|
# fail2ban (optional — IPs/CIDRs to whitelist)
|
|
# fail2ban_ignoreip: "your-home-ip/32"
|