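---
# A root password for the system in plaintext format.
# This default is a placeholder only; set the real value per host or group
# (e.g. in an ansible-vault encrypted vars file) rather than editing this default.
root_password: "OverrideMeToSomethingSecurePlease!"

# Timezone & Locale
timezone: Canada/Eastern
locale: en_CA.UTF-8

# Hosts to allow for hostbased authentication
# Must be a list of inventory hostnames; an empty list disables host-based auth.
# Hosts listed here are trusted on the strength of their SSH host keys.
hostbased_auth: []
# - adminhost.domain.tld

# Custom facts (from the templates/etc/ansible/facts.d directory) to install
custom_facts:
  - moe_release
  - host_id
  - host_group
  - dhcp_status

# Apt configuration files (from the templates/etc/apt/apt.conf.d directory) to install
apt_configurations:
  - 10norecommends
  - 30aptcacher
  - 50unattended-upgrades

# Apt sources entries
# Debian mirrors are served over plain HTTP; integrity comes from apt's
# signature verification, not from the transport.
apt_sources:
  - name: rafal.ca-base
    has_src: true
    url: http://debian.mirror.rafal.ca/debian
    distribution: "{{ moe_release.debian_codename }}"
    components:
      - main
      - contrib
      - non-free
  - name: rafal.ca-updates
    has_src: true
    url: http://debian.mirror.rafal.ca/debian
    distribution: "{{ moe_release.debian_codename }}-updates"
    components:
      - main
      - contrib
      - non-free
  - name: rafal.ca-security
    has_src: true
    url: http://security.debian.org/debian-security
    distribution: "{{ moe_release.debian_codename }}-security"
    components:
      - main
      - contrib
      - non-free
  - name: repo.bonifacelabs.net
    has_src: false
    url: https://repo.bonifacelabs.net/debian
    distribution: "{{ moe_release.debian_codename }}"
    components:
      - main
    # Third-party repo: the signing key is fetched over HTTPS and gpg_id names
    # the key expected for it (presumably checked by the role against the
    # downloaded key — confirm). Quoted so an all-digit key id stays a string.
    gpg_url: https://repo.bonifacelabs.net/debian/bonifacelabs_signing_key.pub
    gpg_id: "83D07192314835D4"

# Packages to explicitly remove from the system
packages_remove:
  - exim4
  - exim4-base
  - exim4-config
  - exim4-daemon-light
  - nano
  - joe
  - python2

# Packages to install on the system
packages_add:
  - acl
  - acpi-support-base
  - acpid
  - bash
  - bash-completion
  - bc
  - bind9-host
  - binutils
  - bzip2
  - ca-certificates
  - check-mk-agent
  - curl
  - debconf-utils
  - deborphan
  - dns-root-data
  - dnsutils
  - dstat
  - fail2ban
  - gawk
  - git
  - haveged
  - htop
  - iotop
  - iperf
  - iperf3
  - iptables
  - jnettop
  - less
  - libpam-systemd
  - locales
  - logrotate
  - lsof
  - man
  - mmv
  - needrestart
  - net-tools
  - netcat-openbsd
  - nethogs
  - nftables
  - nmap
  - ntp
  - openssh-client
  - openssh-server
  - openssl
  - postfix
  - psmisc
  - pv
  - reptyr
  - rsync
  - rsyslog
  - screenfetch
  - sharutils
  - shellcheck
  - strace
  - sudo
  - sysstat
  - tcptraceroute
  - traceroute
  - tshark
  - unattended-upgrades
  - vim
  - wget
  - zram-tools
  - "linux-headers-{{ moe_release.dpkg_architecture }}"
  - "linux-image-{{ moe_release.dpkg_architecture }}"

# Apt preferences to set before installing packages
# debconf answers are strings, so boolean-looking values stay quoted.
apt_preferences:
  # Installs dumpcap setuid-root, usable by members of the wireshark group;
  # membership in that group (see admin_users.add_groups) therefore grants
  # packet capture without sudo.
  - name: wireshark-common
    question: wireshark-common/install-setuid
    vtype: select
    value: 'true'
  - name: postfix
    question: postfix/main_mailer_type
    vtype: select
    value: "Internet Site"

# Services to enable (after installing but before configuring)
enabled_services:
  - acpid
  - rsyslog
  - nftables
  - postfix
  - ntp
  - ssh

# Capabilities overrides on binaries
set_capabilities:
  # cap_net_raw lets ping open raw sockets without running setuid root
  - path: /bin/ping
    capability: cap_net_raw=ep

# Sysctl configuration files (from templates/etc/sysctl.d) to install
sysctl_files:
  - moe.conf

# NFTables rules to create; leave empty for a default allow-all ruleset
nftables_rules: []
#
# EXAMPLE: Permit CheckMK only from RFC1918 subnets
# - chain: input
#   rule: "ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } tcp dport 6556 accept"
# - chain: input
#   rule: "ip tcp dport 6556 drop"

# CheckMK plugin files (from files/usr/lib/check_mk_agent/plugins) to install
check_mk_plugins:
  - mk_logwatch
  - backup
  - cephfsmounts
  - dpkg
  - entropy
  - freshness
  - kernel_taint
  - ownership

# Additional groups to add
add_groups:
  - name: media
    gid: 9000

# SSH keys for backup purposes
# Placeholder entry; the "date" is quoted so it is always read as a string.
backup_ssh_keys:
  - name: backup@domain.tld
    date: "2020-01"
    type: ssh-ed25519
    key: AAAA...ZZZZ

# Administrative users
admin_users:
  - name: example
    uid: 501
    add_groups:
      - wireshark
      - media
    shell: /bin/bash
    ssh_keys:
      - name: example@domain.tld
        date: "2020-01"
        type: ssh-ed25519
        key: AAAA...ZZZZ

# Non-mailhost postfix relay and domain information (for cron emails, etc.)
postfix_relay: ""
postfix_domain: ""

# File used to determine if the Postfix main.cf configuration should not be installed
# Ensure this file is created in a later role for hosts that need their own main.cf configuration
# to avoid this role overwriting it in the future.
postfix_mailhost_flag_file: "/etc/postfix/mailhost"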