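---
# Ansible variables for the stage servers: sshd algorithm allow-lists, feature
# toggles, package pins, Hetzner provisioning data, user/IP allow-lists and
# service port assignments. No secrets live here — every *_vault variable is
# expected to be supplied from an Ansible vault.

ansible_ssh_host: "{{ stage_server_domain }}"

# sshd algorithm allow-lists (listed in preference order)
ssh_macs:
  - umac-128-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - hmac-sha2-512-etm@openssh.com
ssh_host_key_algorithms:
  - rsa-sha2-512
  - rsa-sha2-256
  - ssh-ed25519
ssh_kex:
  - curve25519-sha256
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256
  - diffie-hellman-group16-sha512
  - diffie-hellman-group18-sha512
  - diffie-hellman-group14-sha256
ssh_ciphers:
  - chacha20-poly1305@openssh.com
  - aes128-ctr
  - aes192-ctr
  - aes256-ctr
  - aes128-gcm@openssh.com
  - aes256-gcm@openssh.com
# Quoted on purpose: sshd wants the literal word, not a YAML boolean.
# Root logs in directly (admin_user below is root). "prohibit-password" would
# restrict root to key-based authentication — TODO confirm nothing relies on
# password logins before tightening this.
ssh_permit_root_login: "yes"

# feature toggles consumed by the roles
debug: false
docker_enabled: true
docker_config_enabled: true
traefik_enabled: true
filebeat_enabled: true
metricbeat_enabled: false
node_exporter_enabled: true

common_apt_dependencies:
  - jq
  - vim  # TODO Check if we really want this
  - zip
  - curl
  - htop
  - iotop
  - net-tools
  - bash-completion
  - python3-pip
common_pip_dependencies:
  - passlib
  - pyOpenSSL>=23.0
  - docker==5.0.3
  - docker-compose==1.29.2
  - requests==2.28

use_ssl: true
# "https" when use_ssl is true, "http" when it is false
http_s: "http{{ use_ssl | ternary('s', '', omit) }}"
stage_server_domain: "{{ inventory_hostname }}.{{ domain }}"
stage_server_url: "{{ http_s }}://{{ stage_server_domain }}"
stage_kube_load_balancer: "{{ stage_kube }}-ingress"

# Hetzner Cloud provisioning defaults
hetzner_server_type: cx11
# NOTE(review): Ubuntu 20.04 LTS left standard support in 2025 — plan the image upgrade.
hetzner_server_image: ubuntu-20.04
hetzner_location: nbg1
hetzner_load_balancer_type: lb11

gitlab_ansible_user_name: "gitlabci"
backupuser_user_name: backupuser

# used for root-access by hetzner on server creation
# all ssh keys have to be available to hetzner cloud
# (@see cloud console / security / ssh-keys) (web ui)
default_hetzner_ssh_keys:
  - "claus.paetow@netgo.de"
  - "sven.ketelsen@netgo.de"
  - "michael.haehnel@netgo.de"
  - "hoan.to@netgo.de"
  - "{{ awx_ansible_user_name }}@netgo.de"
  - "{{ gitlab_ansible_user_name }}@git.dev-at.de"
# per-stage keys are appended from custom_stage_hetzner_ssh_keys when defined
hetzner_ssh_keys: "{{ default_hetzner_ssh_keys + (custom_stage_hetzner_ssh_keys | default([])) }}"
hetzner_server_labels: "stage={{ stage }} service=none"

admin_user: "root"

# distribution name -> group that grants sudo on that distribution
sudo_groups:
  - id: "CentOS"
    sudo_group: "wheel"
  - id: "RedHat"
    sudo_group: "wheel"
  - id: "Ubuntu"
    sudo_group: "sudo"
# Resolves the sudo group for ansible_distribution from the table above.
# NOTE(review): a distribution not listed there yields no match, and `first`
# on the empty result is expected to make the expression fail — TODO confirm.
sudo_group: "{{ sudo_groups | selectattr('id', 'match', '' + ansible_distribution + '') | map(attribute='sudo_group') | list | first | replace('.', '-') }}"

# whitelist for outdated user detection - they won't be deleted at all
default_users:
  - "nobody"
  - "elastic"
  - "postgres"
  - "backuphamster"
  - "administrator"
  - "{{ admin_user }}"
default_platform_users:
  - "claus.paetow"
  - "sven.ketelsen"
  - "michael.haehnel"
  - "hoan.to"
  - "{{ awx_ansible_user_name }}"
  - "{{ gitlab_ansible_user_name }}"
# platform users plus the optional custom_* and custom_stage_* additions
smardigo_platform_users: "{{ default_platform_users + (custom_platform_users | default([])) + (custom_stage_platform_users | default([])) }}"

ip_whitelist_netgo:
  - "212.121.131.106/32"  # netgo berlin
  - "149.233.6.129/32"  # netgo e-shelter
  - "46.245.219.98/32"  # netgo borken
  - "164.138.195.162/32"  # netgo Aachen
# shared_service_network and shared_service_vpn_ip carry no default here, so
# the expression fails on a host where either is undefined — TODO confirm both
# are set for every group that uses this file.
ip_whitelist: "{{ ip_whitelist_netgo + [shared_service_network] + [shared_service_vpn_ip + '/32'] if shared_service_vpn_ip else ip_whitelist_netgo + [shared_service_network] }}"
offsite_storage_server_ip: "142.132.155.83/32"

docker_owner: "{{ admin_user }}"
docker_group: "{{ admin_user }}"
docker_users: "{{ smardigo_platform_users }}"
docker_compose_path: "/usr/bin/docker-compose"
service_base_path: "/etc/smardigo"

# one contact address shared by all admin accounts
devops_email_address: "nso.devops@netgo.de"
gitea_admin_email: "{{ devops_email_address }}"
lets_encrypt_email: "{{ devops_email_address }}"
connect_admin_email: "{{ devops_email_address }}"
keycloak_admin_email: "{{ devops_email_address }}"
pgadmin4_admin_email: "{{ devops_email_address }}"
grafana_admin_email: "{{ devops_email_address }}"
grafana_smardigo_email: "{{ devops_email_address }}"
harbor_oidc_admin_email: "{{ devops_email_address }}"
argocd_admin_email: "{{ devops_email_address }}"
wordpress_admin_email: "{{ devops_email_address }}"

# ports are kept as strings so templating never reformats them
http_port: "80"
https_port: "443"
service_port: "8080"
management_port: "8081"
service_port_mssql: "1433"
service_port_git: "2222"
service_port_mysql: "3306"
service_port_logstash: "5044"
service_port_postgres: "5432"
service_port_kibana: "5601"
service_port_cadvisor: "8080"
service_port_keycloak: "8080"
service_port_iam: "8082"
service_port_sonarqube: "9000"
service_port_pgadmin: "9001"
service_port_phpmyadmin: "9002"
service_port_node_exporter: "9100"
service_port_blackbox_exporter: "9115"
service_port_elasticsearch: "9200"
service_port_wireguard: "51820"
monitor_port_system: "9082"
monitor_port_docker: "9083"
monitor_port_elastic: "9084"
monitor_port_harbor: "9085"
monitor_port_maria: "9086"
monitor_port_postgres: "9087"
admin_port_service: "9081"
admin_port_traefik: "9080"

filebeat_certificate: "{{ stage }}-elastic-stack-filebeat"
logstash_certificate: "{{ stage }}-elastic-stack-logstash-01"
backup_directory: "/backups"

# both run `date` through the pipe lookup (a controller-side process per
# evaluation); the strftime filter would give the same string without a shell
get_current_date: "{{ lookup('pipe', 'date +%Y-%m-%d') }}"
get_current_date_time: "{{ lookup('pipe', 'date +%Y-%m-%d_%H:%M') }}"

# Hetzner API credentials, indirected through vault variables
hetzner_authentication_ansible: "{{ hetzner_authentication_ansible_vault }}"
hetzner_authentication_ccm: "{{ hetzner_authentication_ccm_vault }}"
hetzner_authentication_csi: "{{ hetzner_authentication_csi_vault }}"

k8s_basic_services:
  - kubelet
  - containerd

selfsigned_ca_private_key_passphrase: "{{ selfsigned_ca_private_key_passphrase_vault }}"

# hetzner upstream DNS servers
upstream_dns_servers:
  - "185.12.64.1"
  - "185.12.64.2"

keycloak_admin_username: "keycloak-admin"
keycloak_admin_password: "{{ keycloak_admin_password_vault }}"

# Note: all dollar signs in the hash need to be doubled for escaping.
# To create user:password pair, it's possible to use this command:
# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
traefik_admin_username: "traefik-admin"
traefik_admin_password_htpasswd: "{{ traefik_admin_password_htpasswd_vault }}"

mysql_root_username: "{{ mysql_root_username_vault }}"
mysql_root_password: "{{ mysql_root_password_vault }}"

lvm_volume_encryption: false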