# -*- mode: yaml; -*- --- # NOTE: # Ansible Best Practices - Variables and Vaults # https://docs.ansible.com/ansible/latest/playbooks_best_practices.html#best-practices-for-variables-and-vaults deploy_user: ansible ansible_ssh_private_key_file: "{{ playbook_dir }}/private/ssh/ansible.key" pf: # number of simulataneous connections allowed from one host max_conn: 100 # rate of new connections allowed from one host max_conn_rate: 15/5 # 15 of connections per 5 seconds web: acme_home: /var/db/acme acme_webroot: /home/www/acme ssl_root: /usr/local/etc/ssl/acme domains: - name: liwt.net # sub-domains for which to request certificates sub: - mail - www - git - dav - name: aaronly.me sub: - www - name: 233233.xyz sub: - www - d # duckduckgo - g # google - w # wikipedia - zw # zh wikipedia - name: 1314233.xyz sub: - www dns: ttl: 1h refresh: 10800 retry: 1800 expire: 4w minimum: 1d nameservers: - name: afraid xfr_ip: - 69.65.50.192 ns: - ns2.afraid.org - name: 1984hosting xfr_ip: - 93.95.224.6 ns: - ns0.1984.is - ns1.1984.is - ns2.1984.is mail: domains: - liwt.net # primary - aaronly.me # user database, for both Postfix (receiving mails and transport to # Dovecot) and Dovecot (auth users and deliver mails to disk) userdb: - name: root aliases: - postmaster - hostmaster - webmaster - abuse pass: "{{ vault_mail_userdb_root_pass }}" - name: aly pass: "{{ vault_mail_userdb_aly_pass }}" # for app/device-specific passwords devices: - name: laptop pass: "{{ vault_mail_userdb_aly_pass_laptop }}" - name: office pass: "{{ vault_mail_userdb_aly_pass_office }}" - name: phone pass: "{{ vault_mail_userdb_aly_pass_phone }}" - name: tablet pass: "{{ vault_mail_userdb_aly_pass_tablet }}" - name: lulu pass: "{{ vault_mail_userdb_lulu_pass }}" - name: wt aliases: - weitian pass: "{{ vault_mail_userdb_wt_pass }}" devices: - name: laptop pass: "{{ vault_mail_userdb_wt_pass_laptop }}" - name: office pass: "{{ vault_mail_userdb_wt_pass_office }}" - name: phone pass: "{{ vault_mail_userdb_wt_pass_phone }}" - name: tablet pass: "{{ vault_mail_userdb_wt_pass_tablet }}" # Virtual user for local mail delivery (e.g., by Dovecot) vuser: name: vmail # user & group name id: 5000 # uid & gid home: /home/vmail dkim: selector: default bits: 2048 port: 8901 dmarc: p: none # policy for the domain sp: none # policy for subdomains of this domain pct: 100 # percent of messages subjected to filtering adkim: r # alignment mode for DKIM (r: relaxed; s: strict) aspf: r # alignment mode for SPF (r: relaxed; s: strict) fo: 1 # Forensic options # (0: DKIM & SPF fail; 1: DKIM / SPF fail; # d: DKIM fail; s: SPF fail) # Aggregate reports URI email (required) # Free DMARC weekly digests by https://dmarc.postmarkapp.com/ rua: liwt.net: re+yis1v8izxn0@dmarc.postmarkapp.com aaronly.me: re+f6lpmirefcg@dmarc.postmarkapp.com # Forensic reports URI email (optional) ruf: liwt.net: abuse@liwt.net # To avoid trashing by GMail google-site-verification: liwt.net: n-dVRtkDeJ8k4BuSphkV-GVso0zJJWO-Z6GYoz6ayOQ aaronly.me: rSh99lenrfS-HnzvEahEDYTj9UvoKeX4NdWmDzD-pxo # ShadowSocks servers shadowsocks: # common parameters method: "chacha20-ietf-poly1305" timeout: 600 fast_open: false # not supported on dfly reuse_port: true no_delay: true user: "nobody" # profiles: - name: default port: 8989 password: "{{ vault_shadowsocks_password_default }}" - name: share port: 9090 password: "{{ vault_shadowsocks_password_share }}" vpn: interface: tun0 network4: 10.6.20.0 port: 8080 znc: data_dir: /home/znc # Admin & client user, as well as IRC nickname username: aly realname: "{{ vault_znc_realname }}" password: "{{ vault_znc_password }}" port: 6697 # SSL/TLS # Buffer size for each channel/query playback buffer_size: 5000 # Whether channel buffers are automatically cleared after playback auto_clear_chan_buffer: "true" # Quit message when disconnecting or shutting down quit_msg: "see you" # IRC networks networks: # EFNet: http://www.efnet.org/?module=servers - name: efnet servers: - name: irc.choopa.net port: 9999 ssl: true - name: irc.underworld.no port: 6697 ssl: true - name: efnet.port80.se port: 6697 ssl: true # Without the beginning '#' channels: - dragonflybsd radicale: home: /home/radicale etcdir: /usr/local/etc/radicale2 wwwdir: /usr/local/www/radicale2 # Enable versioning with git git: true users: - name: aly pass: "{{ vault_radicale_users_aly_pass }}" devices: - name: laptop pass: "{{ vault_radicale_users_aly_pass_laptop }}" - name: office pass: "{{ vault_radicale_users_aly_pass_office }}" - name: phone pass: "{{ vault_radicale_users_aly_pass_phone }}" - name: tablet pass: "{{ vault_radicale_users_aly_pass_tablet }}" - name: lulu pass: "{{ vault_radicale_users_lulu_pass }}" devices: - name: phone pass: "{{ vault_radicale_users_lulu_pass_phone }}" - name: tablet pass: "{{ vault_radicale_users_lulu_pass_tablet }}" git: user: name: git # user & group name id: 5001 # uid & gid home: /home/git # Sync public repos to GitHub # NOTE: an unencrypted ssh keypair is required and been added to GitHub github: sync: true user: liweitianux api: "https://api.github.com" url: "git@github.com" keyfile: "{{ playbook_dir }}/private/ssh/github.key" keytype: ed25519 # Export public repositories cgit: # Root of cgit files (config, filters, static, etc.) root: /home/www/cgit # Name of the git repo from which to checkout the static resources static_repo: cgit-static.git # vim: set ft=yaml sw=2: #