ansible/hosts.yml

---
all:
  hosts:

    pikvm:
      ansible_host: pikvm
      ansible_user: ansible
      ansible_port: 22
      ansible_python_interpreter: /usr/bin/python3
      ansible_become_method: doas
      dags:
        - acme_rsync

    snitch:
      ansible_host: snitch
      ansible_user: ansible
      ansible_port: 22
      ansible_python_interpreter: /usr/bin/python3
      ansible_become_method: doas
      alpine_mode: diskless
      alpine_version: v3.17
      alpine_repos:
        - main

    suricata:
      ansible_host: suricata
      ansible_user: ansible
      ansible_port: 22
      ansible_python_interpreter: /usr/bin/python3
      ansible_become_method: doas
      alpine_mode: data
      alpine_version: v3.17
      alpine_repos:
        - main
        - community

      lbu_encrypt: true
      lbu_media: mmcblk0p2

      apk_cache_dir: /media/mmcblk0p2/cache

      k3s_args:
        - --secrets-encryption

      dmcrypt_targets:
        - name: "WDC WDS400T1R0A"
          target: "disk0"
          source_uuid: "202c924c-ee53-4321-9efd-1f776e939702"
          key: "/etc/dmcrypt/key.bin"
          options: "--allow-discards"
        - name: "Samsung SSD 870"
          target: "disk1"
          source_uuid: "247ea237-54ce-45d2-9974-04344c06aba4"
          key: "/etc/dmcrypt/key.bin"
          options: "--allow-discards"

      mounts:

        - src: "/dev/mmcblk0p1"
          path: "/media/mmcblk0p1"
          fstype: "vfat"
          opts: "noauto,defaults,ro"
          passno: "0"

        - src: "/media/mmcblk0p1/boot"
          path: "/boot"
          fstype: "none"
          opts: "defaults,bind"
          passno: "0"

        - src: "/dev/mmcblk0p2"
          path: "/media/mmcblk0p2"
          fstype: "ext4"
          opts: "defaults,ro"
          passno: "0"

        - src: "/dev/mapper/disk0"
          path: "/mnt/btr_pool"
          fstype: "btrfs"
          opts: "subvolid=5,noatime,compress=zstd"
          passno: "0"

        - src: "/dev/mapper/disk0"
          path: "/mnt/btr_backup"
          fstype: "btrfs"
          opts: "subvol=btr_backup,noatime,compress=zstd"
          passno: "0"

        - src: "/dev/mapper/disk0"
          path: "/var/log"
          fstype: "btrfs"
          opts: "subvol=logs,noatime,compress=zstd"
          passno: "0"

        - src: "/dev/mapper/disk0"
          path: "/home"
          fstype: "btrfs"
          opts: "subvol=home,noatime,compress=zstd"
          passno: "0"

        - src: "/dev/mapper/disk0"
          path: "/mnt/backups"
          fstype: "btrfs"
          opts: "subvol=backups,noatime,compress=zstd"
          passno: "0"

        - src: "/dev/mapper/disk0"
          path: "/opt"
          fstype: "btrfs"
          opts: "subvol=opt,noatime,compress=zstd"
          passno: "0"

        - src: "/dev/mapper/disk0"
          path: "/var/lib/builder/src"
          fstype: "btrfs"
          opts: "subvol=src,noatime,compress=zstd"
          passno: "0"

        - src: "/dev/mapper/disk0"
          path: "/etc/rancher"
          fstype: "btrfs"
          opts: "subvol=rancher_config,noatime,compress=zstd"
          passno: "0"

        - src: "/dev/mapper/disk0"
          path: "/var/lib/rancher"
          fstype: "btrfs"
          opts: "subvol=rancher_data,noatime,compress=zstd"
          passno: "0"

        - src: "/dev/mapper/disk0"
          path: "/var/lib/containers"
          fstype: "btrfs"
          opts: "subvol=containers,noatime,compress=zstd"
          passno: "0"

        - src: "/dev/mapper/disk0"
          path: "/mnt/certs"
          fstype: "btrfs"
          opts: "subvol=certs,noatime,compress=zstd"
          passno: "0"

        - src: "/mnt/certs/acme"
          path: "/srv/nfs/k8s/acme"
          fstype: "none"
          opts: "bind"
          passno: "0"

      nfs_exports:
        - path: "/srv/nfs"
          hosts:
            - hostname: localhost
              options:
                - ro
                - all_squash
                - no_subtree_check
                - fsid=0

        - path: "/srv/nfs/k8s"
          hosts:
            - hostname: localhost
              options:
                - rw
                - no_root_squash
                - no_subtree_check
                - sync
                - crossmnt

      rpi_cfg:
        - "enable_uart=1"
        - "otg_mode=1"
        - "hdmi_group=2"
        - "hdmi_mode=4"

    caladan:
      ansible_host: caladan
      ansible_user: ansible
      ansible_port: 22
      ansible_python_interpreter: /usr/bin/python3
      ansible_become_method: doas
      alpine_mode: system
      alpine_version: v3.17
      alpine_repos:
        - main
        - community

    narwhal:
      ansible_host: narwhal
      ansible_user: ansible
      ansible_port: 22
      ansible_python_interpreter: /usr/bin/python3
      ansible_become_method: doas

    fugu:
      ansible_host: fugu
      ansible_user: ansible
      ansible_port: 22
      ansible_python_interpreter: /usr/local/bin/python3
      ansible_become_method: doas
make linter happy 2022-09-04 17:25:14 +02:00			`---`
initial commit 2022-08-30 10:00:27 +02:00			`all:`
			`hosts:`
added caladan host 2022-08-30 17:27:09 +02:00
added pikvm host 2022-10-18 12:05:45 +02:00			`pikvm:`
			`ansible_host: pikvm`
			`ansible_user: ansible`
			`ansible_port: 22`
			`ansible_python_interpreter: /usr/bin/python3`
			`ansible_become_method: doas`
dags first iteration 2022-10-18 18:16:13 +02:00			`dags:`
			`- acme_rsync`
added pikvm host 2022-10-18 12:05:45 +02:00
added snitch host 2022-08-30 10:09:52 +02:00			`snitch:`
			`ansible_host: snitch`
create dedicated ansible user 2022-08-30 14:18:17 +02:00			`ansible_user: ansible`
added snitch host 2022-08-30 10:09:52 +02:00			`ansible_port: 22`
			`ansible_python_interpreter: /usr/bin/python3`
become method defined at host level 2022-09-06 10:52:10 +02:00			`ansible_become_method: doas`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00			`alpine_mode: diskless`
updated alpine versions 2023-01-03 15:10:12 +01:00			`alpine_version: v3.17`
added suricata and its things 2022-09-20 13:51:20 +02:00			`alpine_repos:`
			`- main`

			`suricata:`
			`ansible_host: suricata`
			`ansible_user: ansible`
			`ansible_port: 22`
			`ansible_python_interpreter: /usr/bin/python3`
			`ansible_become_method: doas`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00			`alpine_mode: data`
updated suricata's version 2022-12-21 17:30:34 +01:00			`alpine_version: v3.17`
added suricata and its things 2022-09-20 13:51:20 +02:00			`alpine_repos:`
			`- main`
			`- community`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00
lbu.conf role 2022-10-31 17:08:27 +01:00			`lbu_encrypt: true`
			`lbu_media: mmcblk0p2`

setup apk role 2023-01-03 16:57:57 +01:00			`apk_cache_dir: /media/mmcblk0p2/cache`

k3s with secrets encryption 2022-11-02 13:29:32 +01:00			`k3s_args:`
			`- --secrets-encryption`

handle data mode alpine installs 2022-10-19 17:58:20 +02:00			`dmcrypt_targets:`
			`- name: "WDC WDS400T1R0A"`
			`target: "disk0"`
			`source_uuid: "202c924c-ee53-4321-9efd-1f776e939702"`
embed luks key in encrypted lbu for alpine 2022-10-31 16:43:57 +01:00			`key: "/etc/dmcrypt/key.bin"`
allow discards 2022-10-19 18:28:50 +02:00			`options: "--allow-discards"`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00			`- name: "Samsung SSD 870"`
			`target: "disk1"`
			`source_uuid: "247ea237-54ce-45d2-9974-04344c06aba4"`
embed luks key in encrypted lbu for alpine 2022-10-31 16:43:57 +01:00			`key: "/etc/dmcrypt/key.bin"`
allow discards 2022-10-19 18:28:50 +02:00			`options: "--allow-discards"`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00
added suricata and its things 2022-09-20 13:51:20 +02:00			`mounts:`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00
			`- src: "/dev/mmcblk0p1"`
			`path: "/media/mmcblk0p1"`
added suricata and its things 2022-09-20 13:51:20 +02:00			`fstype: "vfat"`
suricata ro mounts 2023-01-10 10:57:01 +01:00			`opts: "noauto,defaults,ro"`
added suricata and its things 2022-09-20 13:51:20 +02:00			`passno: "0"`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00
			`- src: "/media/mmcblk0p1/boot"`
			`path: "/boot"`
cryptoraid 2022-10-03 18:30:24 +02:00			`fstype: "none"`
			`opts: "defaults,bind"`
			`passno: "0"`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00
			`- src: "/dev/mmcblk0p2"`
			`path: "/media/mmcblk0p2"`
added suricata and its things 2022-09-20 13:51:20 +02:00			`fstype: "ext4"`
suricata ro mounts 2023-01-10 10:57:01 +01:00			`opts: "defaults,ro"`
added suricata and its things 2022-09-20 13:51:20 +02:00			`passno: "0"`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00
			`- src: "/dev/mapper/disk0"`
			`path: "/mnt/btr_pool"`
some progress on disk encryption and btrfs 2022-10-19 15:29:16 +02:00			`fstype: "btrfs"`
compress zstd on btrfs suricata 2022-11-04 11:33:58 +01:00			`opts: "subvolid=5,noatime,compress=zstd"`
some progress on disk encryption and btrfs 2022-10-19 15:29:16 +02:00			`passno: "0"`

btrbk backups mount 2022-11-04 16:16:08 +01:00			`- src: "/dev/mapper/disk0"`
			`path: "/mnt/btr_backup"`
			`fstype: "btrfs"`
			`opts: "subvol=btr_backup,noatime,compress=zstd"`
			`passno: "0"`

handle data mode alpine installs 2022-10-19 17:58:20 +02:00			`- src: "/dev/mapper/disk0"`
			`path: "/var/log"`
			`fstype: "btrfs"`
compress zstd on btrfs suricata 2022-11-04 11:33:58 +01:00			`opts: "subvol=logs,noatime,compress=zstd"`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00			`passno: "0"`

			`- src: "/dev/mapper/disk0"`
			`path: "/home"`
			`fstype: "btrfs"`
compress zstd on btrfs suricata 2022-11-04 11:33:58 +01:00			`opts: "subvol=home,noatime,compress=zstd"`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00			`passno: "0"`

backups lbu to a more permanent location 2023-01-03 18:26:16 +01:00			`- src: "/dev/mapper/disk0"`
			`path: "/mnt/backups"`
			`fstype: "btrfs"`
			`opts: "subvol=backups,noatime,compress=zstd"`
			`passno: "0"`

moved k3s binary to /opt 2022-10-30 16:46:05 +01:00			`- src: "/dev/mapper/disk0"`
			`path: "/opt"`
			`fstype: "btrfs"`
compress zstd on btrfs suricata 2022-11-04 11:33:58 +01:00			`opts: "subvol=opt,noatime,compress=zstd"`
moved k3s binary to /opt 2022-10-30 16:46:05 +01:00			`passno: "0"`

handle data mode alpine installs 2022-10-19 17:58:20 +02:00			`- src: "/dev/mapper/disk0"`
			`path: "/var/lib/builder/src"`
			`fstype: "btrfs"`
compress zstd on btrfs suricata 2022-11-04 11:33:58 +01:00			`opts: "subvol=src,noatime,compress=zstd"`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00			`passno: "0"`

host inventory updates 2022-10-30 15:54:15 +01:00			`- src: "/dev/mapper/disk0"`
			`path: "/etc/rancher"`
			`fstype: "btrfs"`
compress zstd on btrfs suricata 2022-11-04 11:33:58 +01:00			`opts: "subvol=rancher_config,noatime,compress=zstd"`
host inventory updates 2022-10-30 15:54:15 +01:00			`passno: "0"`

			`- src: "/dev/mapper/disk0"`
			`path: "/var/lib/rancher"`
			`fstype: "btrfs"`
compress zstd on btrfs suricata 2022-11-04 11:33:58 +01:00			`opts: "subvol=rancher_data,noatime,compress=zstd"`
host inventory updates 2022-10-30 15:54:15 +01:00			`passno: "0"`

			`- src: "/dev/mapper/disk0"`
podman 2022-10-30 16:32:32 +01:00			`path: "/var/lib/containers"`
host inventory updates 2022-10-30 15:54:15 +01:00			`fstype: "btrfs"`
compress zstd on btrfs suricata 2022-11-04 11:33:58 +01:00			`opts: "subvol=containers,noatime,compress=zstd"`
host inventory updates 2022-10-30 15:54:15 +01:00			`passno: "0"`

suricata mount certs subvolume 2023-01-10 11:03:02 +01:00			`- src: "/dev/mapper/disk0"`
			`path: "/mnt/certs"`
			`fstype: "btrfs"`
			`opts: "subvol=certs,noatime,compress=zstd"`
			`passno: "0"`

nfs server role 2023-01-11 11:55:10 +01:00			`- src: "/mnt/certs/acme"`
			`path: "/srv/nfs/k8s/acme"`
			`fstype: "none"`
			`opts: "bind"`
			`passno: "0"`

			`nfs_exports:`
			`- path: "/srv/nfs"`
			`hosts:`
			`- hostname: localhost`
			`options:`
			`- ro`
			`- all_squash`
			`- no_subtree_check`
			`- fsid=0`

			`- path: "/srv/nfs/k8s"`
			`hosts:`
			`- hostname: localhost`
			`options:`
			`- rw`
			`- no_root_squash`
			`- no_subtree_check`
			`- sync`
			`- crossmnt`

usercfg 2022-09-20 15:02:53 +02:00			`rpi_cfg:`
			`- "enable_uart=1"`
			`- "otg_mode=1"`
force HDMI things on suricata to make pikvm work properly 2023-01-03 15:52:22 +01:00			`- "hdmi_group=2"`
			`- "hdmi_mode=4"`
added caladan host 2022-08-30 17:27:09 +02:00
			`caladan:`
			`ansible_host: caladan`
adjusted users to match caladan 2022-08-30 18:26:16 +02:00			`ansible_user: ansible`
added caladan host 2022-08-30 17:27:09 +02:00			`ansible_port: 22`
			`ansible_python_interpreter: /usr/bin/python3`
become method defined at host level 2022-09-06 10:52:10 +02:00			`ansible_become_method: doas`
handle data mode alpine installs 2022-10-19 17:58:20 +02:00			`alpine_mode: system`
updated alpine versions 2023-01-03 15:10:12 +01:00			`alpine_version: v3.17`
added suricata and its things 2022-09-20 13:51:20 +02:00			`alpine_repos:`
			`- main`
			`- community`
added narwhal host 2022-09-04 16:52:37 +02:00
			`narwhal:`
			`ansible_host: narwhal`
			`ansible_user: ansible`
			`ansible_port: 22`
			`ansible_python_interpreter: /usr/bin/python3`
moved narwhal to doas 2022-09-22 11:19:46 +02:00			`ansible_become_method: doas`
added fugu host 2022-09-04 17:47:06 +02:00
			`fugu:`
			`ansible_host: fugu`
			`ansible_user: ansible`
			`ansible_port: 22`
			`ansible_python_interpreter: /usr/local/bin/python3`
become method defined at host level 2022-09-06 10:52:10 +02:00			`ansible_become_method: doas`