- Add storage_box role: generates SSH key pair, creates Hetzner Storage Box with known password, installs public key via install-ssh-key, writes storagebox.yml to stack config. Idempotent: skips key install if SSH key auth already works. - Add deploy.yml: one-shot playbook chaining provision → dns → storage_box → bootstrap → site for fresh deployments - Fix .envrc HCLOUD_TOKEN extraction stripping surrounding quotes from vault YAML values - Add restic_storagebox_password to vault template and setup.sh prompt - Add sshpass to README prerequisites Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
# ============================================================
# Linderhof Configuration
# ============================================================
# Generated by setup.sh — edit freely to match your needs.
# Secrets are stored separately in vault.yml.
# Tunable defaults live in each role's defaults/main.yml.
#
# `$name` tokens in this file are placeholders that setup.sh replaces when
# it generates the stack config; they are not Jinja and are not resolved
# by Ansible.
#
# To override any variable for this stack without editing this file,
# create $LINDERHOF_DIR/group_vars/all/overrides.yml, e.g.:
#   mail_hostname: mail2.$domain
#   caddy_sites:
#     - $domain
#     - example2.com
# ============================================================

# ============================================================
# Services — set to false to disable
# ============================================================
enable_caddy: true
enable_mail: true
enable_forgejo: true
enable_monitoring: true
# Off by default: the restic_host/restic_user values further down are only
# written once storage_box.yml has run, so presumably there is nothing to
# back up to until then — confirm before flipping this on.
enable_restic: false
enable_fail2ban: true
enable_tuwunel: true
enable_nebula: true
enable_diun: true
enable_goaccess: true
enable_goaccess_sync: false
enable_radicale: true

# ============================================================
# System
# ============================================================
# NOTE(review): these substituted values are left unquoted, while
# restic_storagebox_name below is quoted. An empty substitution becomes null
# and a number-looking value (e.g. an all-digit stack name) is retyped by the
# YAML parser. Quoting them would be safer, but the commit notes that .envrc
# extracts values with quote-stripping text tools — check no script greps
# these keys before changing the quoting style.
domain: $domain
server_name: $server_name

# Labels applied to all Hetzner cloud resources (server, SSH key).
# DNS resources do not support labels.
hcloud_labels:
  managed-by: linderhof
  stack: $stack_name
server_ip: $server_ip
admin_user: $admin_user
admin_shell: /bin/zsh
# Read from disk with lookup('file') at playbook run time, so the key is not
# stored in this file. The variable name suggests the public half — verify
# $ssh_key_pub never points at the private key file.
admin_ssh_key: "{{ lookup('file', '$ssh_key_pub') }}"
timezone: UTC

# ============================================================
# Image versions (update when Diun notifies of new releases)
# ============================================================
# Versions are quoted so "2" / "11" stay strings instead of becoming ints.
# "latest" tags are mutable; pin to a release if reproducible deploys matter.
caddy_version: "2"
mailserver_version: "latest"
rainloop_version: "latest"
forgejo_version: "11"
forgejo_runner_version: "12"
prometheus_version: "latest"
alloy_version: "latest"
grafana_version: "latest"
loki_version: "latest"
diun_version: "latest"
tuwunel_version: "latest"
radicale_version: "latest"
nebula_version: "1.9.5"

# ============================================================
# Caddy (web server / reverse proxy)
# ============================================================
# Static sites served as file servers — each gets /srv/caddy/sites/<domain>/
# Override in overrides.yml to add more domains.
caddy_sites:
  - $domain

# Service subdomains — override individually in overrides.yml
webmail_domain: webmail.$domain
rspamd_domain: rspamd.$domain
grafana_domain: watch.$domain
goaccess_domain: stats.$domain
radicale_domain: cal.$domain

# Service ports — defined here so caddy can reference them when run standalone
# NOTE(review): forgejo_port and grafana_port are both 3000. That is fine if
# these are container-internal ports reached by container name, but would
# collide if either is published on the host — confirm against the roles.
rainloop_port: 8888
rspamd_port: 11334
forgejo_port: 3000
grafana_port: 3000
tuwunel_port: 6167
radicale_port: 5232
caddy_metrics_port: 9000

# ============================================================
# Mail (docker-mailserver + rainloop)
# ============================================================
# Override mail_hostname in overrides.yml if migrating (e.g. mail2.$domain)
mail_hostname: mail.$domain

mail_domains:
  - $domain
# Add more domains this mail server should handle:
# mail_domains:
#   - $domain
#   - example2.com

# Passwords are looked up from the mail_passwords mapping, which is presumably
# defined in vault.yml (the header says secrets live there) — keys must match
# the address strings below exactly.
mail_users:
  - address: $admin_user@$domain
    password: "{{ mail_passwords['$admin_user@$domain'] }}"
  - address: git@$domain
    password: "{{ mail_passwords['git@$domain'] }}"
  - address: notifications@$domain
    password: "{{ mail_passwords['notifications@$domain'] }}"

# Role addresses (RFC 2142-style mailboxes) forwarded to the admin user.
mail_aliases:
  - from: root@$domain
    to: $admin_user@$domain
  - from: dmarc@$domain
    to: $admin_user@$domain
  - from: postmaster@$domain
    to: $admin_user@$domain
  - from: hostmaster@$domain
    to: $admin_user@$domain
  - from: webmaster@$domain
    to: $admin_user@$domain
  - from: abuse@$domain
    to: $admin_user@$domain

# ============================================================
# Forgejo (git hosting)
# ============================================================
forgejo_domain: code.$domain

# ============================================================
# Monitoring
# ============================================================
grafana_root_url: "https://{{ grafana_domain }}"

# ============================================================
# Restic (encrypted backups)
# ============================================================
restic_backend_type: "sftp"
# Storage box name in Hetzner Cloud (https://console.hetzner.cloud)
restic_storagebox_name: "$restic_storagebox_name"
# To create a new storage box via storage_box.yml (rather than adopting an existing one):
# restic_storagebox_type: bx11
# restic_storagebox_location: $hcloud_location
# The following are written automatically by storage_box.yml — do not edit manually.
# The storage box password itself is not kept here; per the commit it is
# restic_storagebox_password in vault.yml. restic_ssh_key is the private key
# on the server (the storage_box role generates the pair and installs only
# the public half on the box) — keep it out of this file and out of VCS.
# restic_host: "uXXXXXX.your-storagebox.de"
# restic_user: uXXXXXX
# restic_ssh_port: 23
# restic_remote_path: "backups/$server_name"
# restic_ssh_key: "/root/.ssh/restic_backup"

# ============================================================
# GoAccess (web analytics)
# ============================================================
goaccess_sites:
  - $domain
  - code.$domain
  - watch.$domain
  - webmail.$domain
  - rspamd.$domain
# Login name for the stats site; its password is presumably in vault.yml —
# confirm with the goaccess role before relying on that.
goaccess_user: admin

# Sync reports to a remote host via rsync over SSH (enable_goaccess_sync: true to activate)
# Uses its own key (goaccess_sync_ssh_key), separate from the restic key above,
# so the two SSH identities can be revoked independently.
# goaccess_sync_host: "uXXXXXX.your-storagebox.de"
# goaccess_sync_user: uXXXXXX
# goaccess_sync_ssh_port: 23
# goaccess_sync_ssh_key: "/root/.ssh/goaccess_sync"
# goaccess_sync_remote_path: "analytics"

# ============================================================
# Diun (Docker Image Update Notifier)
# ============================================================
diun_notify_email: true
# Sends through the notifications@ mailbox defined in mail_users above.
diun_email_user: notifications@$domain
## diun_email_password: defined in vault.yml
diun_email_to: $admin_user@$domain

# ============================================================
# Tuwunel (Matrix homeserver)
# ============================================================
# server_name is the Matrix identity (user IDs end in :$domain); the
# homeserver itself is reached at tuwunel_domain.
tuwunel_server_name: $domain
tuwunel_domain: chat.$domain

# ============================================================
# Nebula (overlay network)
# ============================================================
# Quoted on purpose: keep the CIDR and address as strings.
nebula_subnet: "192.168.100.0/24"
nebula_lighthouse_ip: "192.168.100.1"