--- ansible_ssh_host: "{{ stage_server_domain }}" debug: false ssh_macs: - umac-128-etm@openssh.com - hmac-sha2-256-etm@openssh.com - hmac-sha2-512-etm@openssh.com ssh_host_key_algorithms: - rsa-sha2-512 - rsa-sha2-256 - ssh-ed25519 ssh_kex: - curve25519-sha256 - curve25519-sha256@libssh.org - diffie-hellman-group-exchange-sha256 - diffie-hellman-group16-sha512 - diffie-hellman-group18-sha512 - diffie-hellman-group14-sha256 ssh_ciphers: - chacha20-poly1305@openssh.com - aes128-ctr - aes192-ctr - aes256-ctr - aes128-gcm@openssh.com - aes256-gcm@openssh.com ssh_permit_root_login: 'yes' docker_enabled: true docker_config_enabled: true traefik_enabled: true filebeat_enabled: true metricbeat_enabled: false node_exporter_enabled: true common_apt_dependencies: - mc - vim # TODO Check if we really want this - zip - curl - htop - iotop - net-tools - bash-completion - python3-pip common_pip_dependencies: - requests>=2.28 - passlib - pyOpenSSL>=23.0 - docker-compose use_ssl: true http_s: "http{{ use_ssl | ternary('s', '', omit) }}" stage_server_domain: "{{ inventory_hostname }}.{{ domain }}" stage_server_url: "{{ http_s }}://{{ stage_server_domain }}" alertmanager_channel_smardigo: "#monitoring-{{ stage }}" hetzner_server_type: cx11 hetzner_server_image: ubuntu-20.04 awx_ansible_user_name: "awx" awx_ansible_user_ssh_key_private: "{{ ansible_ssh_key_private_vault }}" awx_credential_machine_hetzner_name: hetzner-ansible-ssh awx_ansible_username: ansible awx_ansible_password: ansible argocd_bootstrap_infrastructure: false gitlab_ansible_user_name: "gitlabci" backupuser_user_name: backupuser # used for root-access by hetzner on server creation (@see cloud console/security/ssh-keys) default_hetzner_ssh_keys: - "claus.paetow@netgo.de" - "friedrich.goerz@netgo.de" - "sven.ketelsen@netgo.de" - "michael.haehnel@netgo.de" - "hoan.to@netgo.de" - "{{ awx_ansible_user_name }}@netgo.de" - "{{ gitlab_ansible_user_name }}@git.dev-at.de" hetzner_ssh_keys: "{{ default_hetzner_ssh_keys + (custom_stage_hetzner_ssh_keys | default([])) }}" hetzner_server_labels: "stage={{ stage }}" admin_user: "root" sudo_groups: [ { id: "CentOS", sudo_group: "wheel", }, { id: "RedHat", sudo_group: "wheel", }, { id: "Ubuntu", sudo_group: "sudo", }, ] sudo_group: "{{ sudo_groups | selectattr('id', 'match', '' + ansible_distribution + '' ) | map(attribute='sudo_group') | list | first | replace('.','-') }}" # whitelist for outdated user detection - they wont't be deleted at all default_users: - 'nobody' - 'elastic' - 'postgres' - 'administrator' - '{{ admin_user }}' default_plattform_users: - 'claus.paetow' - 'friedrich.goerz' - 'sven.ketelsen' - 'michael.haehnel' - 'hoan.to' - '{{ awx_ansible_user_name }}' - '{{ gitlab_ansible_user_name }}' smardigo_plattform_users: "{{ default_plattform_users + (custom_plattform_users | default([])) + (custom_stage_plattform_users | default([])) }}" ip_whitelist_netgo: - "212.121.131.106/32" # netgo berlin - "149.233.6.129/32" # netgo e-shelter - "46.245.219.98/32" # netgo borken - "164.138.195.162/32" # netgo Aachen ip_whitelist: "{{ ip_whitelist_netgo + [shared_service_network] }}" offsite_storage_server_ip: 142.132.155.83/32 docker_owner: "{{ admin_user }}" docker_group: "{{ admin_user }}" docker_users: "{{ smardigo_plattform_users }}" docker_compose_path: "/usr/bin/docker-compose" service_base_path: '/etc/smardigo' devops_email_address: "nso.devops@netgo.de" gitea_admin_email: '{{ devops_email_address }}' lets_encrypt_email: '{{ devops_email_address }}' connect_admin_email: '{{ devops_email_address }}' keycloak_admin_email: '{{ devops_email_address }}' pgadmin4_admin_email: '{{ devops_email_address }}' harbor_oidc_admin_email: '{{ devops_email_address }}' grafana_admin_email: '{{ devops_email_address }}' argocd_admin_email: '{{ devops_email_address }}' http_port: "80" https_port: "443" service_port: "8080" management_port: "8081" service_port_mssql: "1433" service_port_git: "2222" service_port_mysql: "3306" service_port_logstash: "5044" service_port_postgres: "5432" service_port_kibana: "5601" service_port_cadvisor: "8080" service_port_webdav: "8080" service_port_keycloak: "8080" service_port_iam: "8082" service_port_sonarqube: "9000" service_port_pgadmin: "9001" service_port_phpmyadmin: "9002" service_port_node_exporter: "9100" service_port_elasticsearch: "9200" monitor_port_system: "9082" monitor_port_docker: "9083" monitor_port_elastic: "9084" monitor_port_harbor: "9085" monitor_port_maria: "9086" monitor_port_postgres: "9087" admin_port_service: "9081" admin_port_traefik: "9080" connect_id: "{{ inventory_hostname }}-connect" connect_base_url: "{{ connect_id }}.{{ domain }}" wordpress_id: "{{ inventory_hostname }}-wordpress" wordpress_base_url: "{{ wordpress_id }}.{{ domain }}" smardigo_auth_token_name: "Smardigo-User-Token" filebeat_certificate: "{{ stage }}-elastic-stack-filebeat" logstash_certificate: "{{ stage }}-elastic-stack-logstash-01" backup_directory: "/backups" get_current_date: "{{ lookup('pipe','date +%Y-%m-%d') }}" get_current_date_time: "{{ lookup('pipe','date +%Y-%m-%d_%H:%M') }}" hetzner_authentication_ansible: "{{ hetzner_authentication_ansible_vault }}" hetzner_authentication_ccm: "{{ hetzner_authentication_ccm_vault }}" hetzner_authentication_csi: "{{ hetzner_authentication_csi_vault }}" k8s_basic_services: - kubelet - containerd selfsigned_ca_private_key_passphrase: '{{ selfsigned_ca_private_key_passphrase_vault }}' # hetzner upstream DNSservers upstream_dns_servers: - 185.12.64.1 - 185.12.64.2 harbor_username: "{{ docker_registry_username_vault }}" harbor_token: "{{ docker_registry_token_vault }}" keycloak_admin_username: "keycloak-admin" keycloak_admin_password: "{{ keycloak_admin_password_vault }}" # Note: all dollar signs in the hash need to be doubled for escaping. # To create user:password pair, it's possible to use this command: # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g traefik_admin_username: "traefik-admin" traefik_admin_password_htpasswd: "{{ traefik_admin_password_htpasswd_vault }}"