# Debian mirror (presumably the base URL for the apt sources). It is plain
# HTTP, so package integrity rests entirely on apt verifying the signed
# Release files; that verification must stay enabled for this source.
debian_repo_base: 'http://ftp.sh.cvut.cz/debian/'

# Host identity and localisation.
hostname: 'nas.dawnflash.cz'
timezone: 'Europe/Prague'
locale: 'C.UTF-8'

# Feature toggles (presumably gate the network and container roles).
manage_network: true
manage_containers: true

# Extra command-line flags for certbot; empty means none.
certbot_flags: ''
# Time sources. Accurate time matters for TLS certificate validation and for
# correlating logs across hosts.
ntp_servers:
  - tik.cesnet.cz
  - tak.cesnet.cz
  - time.ufe.cz
  - lxn.ujf.cas.cz
  - ntp.nic.cz
  - ntpm.fit.vutbr.cz
# Static addressing and resolvers for the host.
# NOTE(review): nameservers, uplink and netplan are assumed to be children of
# `network` -- confirm against the role that reads them.
network:
  ipv4: 192.168.0.115
  ipv6: '2001:1ae9:31b:7600::abcd'
  nameservers:
    - 1.1.1.1
    - '2606:4700:4700::1111'
    - '2606:4700:4700::1001'
  # Name of the uplink interface and of the netplan file written for it.
  uplink: enp8s0
  netplan: uplink.yaml
# WireGuard tunnels, keyed by interface name.
wireguard:
  wg0:
    # Address ranges of the tunnel.
    network:
      ipv4: 10.10.2.0/24
      ipv6: fd0c::/120
    # Server side of the tunnel.
    # NOTE(review): private_key is assumed to belong to `interface` -- confirm.
    interface:
      port: 51820
      ipv4: 10.10.2.1/24
      ipv6: fd0c::1/120
      # Secret: stored as an inline Ansible Vault value, never in clear text.
      private_key: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        33303039393134633235313862333834623330333834613538633163393930373231323239336232
        6561386236656336323735616132393339326231633932650a376261393835363736316331356162
        32653566613864653866376138393532376533623132346463323862636137316132653161303436
        3935386364663039320a646430396430353739333933626166316233383932616538323036363435
        30393665393661333636373238653839346532303362663565336262336461316639643963333332
        3662373338356535343231653761323261663431656438643237
    # One entry per peer. The public key is not secret; the preshared key is
    # and is vault-encrypted. The /32 and /128 masks give each peer a single
    # address (presumably rendered as its AllowedIPs -- confirm in the template).
    peers:
      # Dawn
      - public_key: Z5TjfQC/AjnjBqiATbmAXoSM6F0AmVTt4YisotOAw34=
        ipv4: 10.10.2.2/32
        ipv6: fd0c::2/128
        preshared_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          61313431373737336438666237363865343138336162643538663136373335366561653665383831
          6138366639363631323333343666386365646331626237370a643330353265646462616363393134
          66636139643333653330343236333662346164383536656133356135363065346166663636353035
          6563393464636465310a613736376365353634306662343434373239363334623334366534623830
          61376130313833636135643138386264633338376633613061346136613836323866393335653137
          3633323561663363333565656633396465663962353362333466
# Name of the ZFS pool; also used as the Samba shares root (/<zpool_name>).
zpool_name: Master

# Root-only directory (presumably for material that must not be readable by
# the unprivileged user -- confirm the mode the role applies).
private_dir: /root/.private

# Directories created on the SSD-backed storage.
ssd_storage:
  root: /ssd-data
  # <root>/<dir> owned by root:root
  root_dirs: []
  # <root>/<dir> owned by the unprivileged user (used for docker containers)
  unprivileged_dirs:
    - bitwarden
    - grafana
    - jellyfin
# Docker daemon settings and the compose stacks to deploy.
docker:
  # NOTE(review): 2001:db8::/32 is the IPv6 documentation prefix and is not
  # globally routable -- confirm this is intended for the container network.
  ipv6_cidr: '2001:db8:1::/64'
  stacks:
    - main
# SSH access. Only public keys are listed here, so nothing in this block is
# secret; every key added grants login, so keep the list to devices in use.
# NOTE(review): root_key is assumed to be a child of `ssh` -- confirm.
ssh:
  pubkeys:
    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5692OdhpKwg1NfL2eU34F/F5fTs80L3R8Jh+3ibU6S dawnmeow@nas
    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGPWHaD9juzifk6TRW648maJSBZTUZur+5Y5lwSJxlD adam@luna
    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMyH0XS5sGe4TpqFvlBW0xqtvVTtwdyi2kThcCbaUXFz adam@op7p
  # Key type for the root account's own key pair.
  root_key:
    algo: ed25519
# ---- bertvv.samba ------
samba_apple_extensions: true

# The role's CVE-2017-7494 mitigation breaks share root browsing, so it is
# switched off. With it off, protection depends on the installed Samba
# carrying the upstream fix (4.4.14, 4.5.10, 4.6.4 or later); verify the
# package version, since every share below is writable.
samba_mitigate_cve_2017_7494: false

samba_shares_root: /{{ zpool_name }}

# Single Samba account, reusing the unprivileged system user's credentials.
samba_users:
  - name: '{{ unprivileged_user.name }}'
    password: '{{ unprivileged_user.password | quote }}'

# Settings shared by every share; merged into each entry with `<<`.
# Modes are quoted so they stay strings instead of being read as octal ints.
_share_defaults: &share_defaults
  owner: '{{ unprivileged_user.name }}'
  group: '{{ unprivileged_user.group }}'
  directory_mode: '0755'
  force_directory_mode: '0755'
  create_mode: '0644'
  force_create_mode: '0644'
  browseable: true
  writable: true

samba_shares:
  - name: Backup
    <<: *share_defaults
  - name: Media
    <<: *share_defaults
  - name: Random
    <<: *share_defaults
# Landing page served by nginx.
homepage:
  title: 'NAS server of Dawn and 🐈'
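# nginx: TLS termination and reverse proxy in front of the services.
nginx:
  paths:
    html: /var/www/nas
  basic_auth:
    # <realm>.htpasswd | users need keys: name, password, salt
    common:
      - unprivileged_user  # this is a top-level variable name
  # Let's Encrypt key and certificate for this host.
  ssl_key: /etc/letsencrypt/live/{{ hostname }}/privkey.pem
  ssl_cert: /etc/letsencrypt/live/{{ hostname }}/fullchain.pem
  # Only TLS 1.2/1.3 with ECDHE AES-GCM or ChaCha20 suites are offered.
  tls_protocols: TLSv1.2 TLSv1.3
  tls_ciphers: ECDH+AESGCM:CHACHA20
  # One entry per proxied backend. Only the entries that set `basic_auth` get
  # an nginx-level login; every other backend is reachable through the proxy
  # with nothing but its own authentication, so confirm that each of those
  # applications has its login enabled.
  #
  # The /signalr locations pass the client's Upgrade and Connection headers
  # through for the WebSocket handshake. The variable must be spelled
  # $http_connection: a misspelt $http_* name refers to a header no client
  # sends and expands to an empty value.
  proxy:
    plex:
      port: 32400
    jellyfin:
      port: 8096
    tautulli:
      port: 8181
    ombi:
      port: 3579
    bazarr:
      port: 6767
    radarr:
      port: 7878
      locations:
        - path: /signalr
          http: 1.1
          headers:
            Upgrade: $http_upgrade
            Connection: $http_connection
    lidarr:
      port: 8686
      locations:
        - path: /signalr
          http: 1.1
          headers:
            Upgrade: $http_upgrade
            Connection: $http_connection
    prowlarr:
      port: 9696
      locations:
        - path: /signalr
          http: 1.1
          headers:
            Upgrade: $http_upgrade
            Connection: $http_connection
    readarr:
      port: 8787
      locations:
        - path: /signalr
          http: 1.1
          headers:
            Upgrade: $http_upgrade
            Connection: $http_connection
    sonarr:
      port: 8989
    qbittorrent:
      host: 172.20.0.1
      port: 58847
    nzbget:
      port: 6789
    # Metrics endpoints sit behind the `common` basic-auth realm.
    prometheus:
      port: 9090
      basic_auth: common
    grafana:
      port: 3000
    netdata:
      port: 19999
      basic_auth: common
    bitwarden:
      port: 12004
      locations:
        - path: /notifications/hub/negotiate
        # The notifications hub is a WebSocket endpoint on its own port.
        - path: /notifications/hub
          port: 12005
          headers:
            Upgrade: $http_upgrade
            Connection: '"upgrade"'
      # NOTE(review): `extra` is placed at service level here -- confirm
      # against the nginx template that consumes it.
      extra:
        client_max_body_size: 128M
    syncthing:
      port: 8384
      basic_auth: common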
# Third-party apt repositories and the signing key each one is verified with,
# grouped by key format (ASCII-armoured vs. binary keyring).
# The keys are downloaded over HTTPS, so trust rests on TLS and on the
# publishing host; there is no fingerprint pinned here. Checking the fetched
# key against the vendor's published fingerprint would close that gap.
apt_gpg_keys:
  armor:
    docker:
      gpg: https://download.docker.com/linux/debian/gpg
      repo: https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable
    netdata:
      gpg: https://packagecloud.io/netdata/netdata-edge/gpgkey
      repo: https://packagecloud.io/netdata/netdata-edge/debian {{ ansible_distribution_release }} main
  binary:
    mkvtoolnix:
      gpg: https://mkvtoolnix.download/gpg-pub-moritzbunkus.gpg
      repo: https://mkvtoolnix.download/debian/ {{ ansible_distribution_release }} main
# Netdata collector tuning.
netdata:
  frequency: 2  # collect every N seconds
  ram_cache_size: 64  # MB
  disk_cache_size: 8192  # MB

# Prometheus scrape interval and on-disk metrics location (on the SSD).
prometheus:
  frequency: 10s
  storage_path: '{{ ssd_storage.root }}/prometheus/metrics2'
# Outgoing mail for notifications, sent through an authenticated relay.
# NOTE(review): the address values below appear redacted in this copy; a
# real value must not start with '[' unquoted, or YAML reads it as a list.
# NOTE(review): `extra` is assumed to be an empty child of `recipients` and
# `relay` a child of `email` -- confirm.
email:
  from: robot
  recipients:
    main: [email protected]
    extra:
  relay:
    # Port 465 is the implicit-TLS submission port.
    host: mail.e-kom.cz:465
    user: [email protected]
    # Secret: relay password, stored as an inline Ansible Vault value.
    pass: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      37356539326635393065633830356339643861323732663431383732623132643039376334366234
      6463306262346230373734356464333133353165336263300a323233373563356639376661366531
      34343165623662663636396333393231393936623565336239613032366534386532363561613634
      3063383661306165610a336436363937626638353630386235656337333034336136363033326265
      3364
# Unprivileged account: owns the Samba shares and the container data
# directories, and is the user of the nginx `common` basic-auth realm.
unprivileged_user:
  name: snekurr
  # A salt is not a secret; keeping it fixed presumably makes the derived
  # password hash identical from run to run.
  salt: NvpGkzGFwHWCKp57
  group: users
  # Secret: stored as an inline Ansible Vault value. The same password is
  # reused for Samba and for nginx basic auth, so one leak exposes both.
  password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    31633834363933616362333734623830346338636633343535353965326562613966656565623661
    3039666366356630653663323038313265626562346661360a643762656336313638626531653533
    61653133376535613761396139653830306664633032326166383262383766336632336133616236
    6639346665383862340a643061386237346466323236373166343534366635306365633934366630
    65386564646362633037336235336331396662636133363462353838666336363230376166636330
    3531643732313362323063343530643832663332303966626436
# Root account credentials.
root:
  # Not a secret; fixed so the derived hash is presumably stable across runs.
  salt: Vm8Djzy8uTNF7rVo
  # Secret: stored as an inline Ansible Vault value. Its protection is only
  # as strong as the vault password, which must never be committed.
  password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    61393934393039383135343061383262303362643138616437373636343134373236656635306665
    6461663335666530393530623634373264303531383538370a633032343038396133353835643464
    33363032313138623563353133666635616565626263623361323836376662313061346337303664
    3763353465336165340a633538633937303130636238376233353439666239333063663232626337
    33663038653738363530373934356234353863343531626332656635623566643765613032316633
    3531316631376439393634363135353030616234663637663232
# Password-manager service settings.
bitwarden:
  # Secret: presumably the admin-panel token. The nginx proxy entry for this
  # service sets no basic_auth, so this token would be the only barrier in
  # front of that panel -- keep it long and random, and rotate it on suspicion.
  admin_token: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    35643139633134616330396332366565386333383530313435376236393532373137346430306336
    3532363137356130643638326563643733336466353732330a316639396330626539373466653564
    62303362396264653366653838623432366332616636396563303261313930616539346431303338
    3334356536383135390a393535353966393833366665373139656631643031363061613532356633
    34393637373965623165393466623234613731383065636438393235643061333038366335396635
    30393832356536396138613964363339653331313730316161363938396636343361656337613134
    62623062333535643031303837356235316432646361386334313538363564653736393135363536
    61306631393133383266
# Cloudflare API access for the DNS zone.
cloudflare:
  zone: dawnflash.cz
  # Secret: API token, vault-encrypted. Least privilege applies: scope the
  # token to the permissions and the single zone the playbook actually needs.
  token: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    62316263373139646462336362343264366436386566653036386233336366393863336437613733
    6235363963393330353237623136353330616432653535320a333063323034653237313131373063
    37633262653961393930356431613730646636656265313638643332366339353037333730353936
    3164303737376131660a386630343465323737613531353438383262396363333461653561623037
    37613663383036353034623964326361373530333361306662373931323938343931376565666239
    3562383531323036343933616466323139626434613435363665
# Telegram bot used for notifications.
telegram:
  # Quoted so the leading '-' and the digits stay a string, not an integer.
  chat: '-568805803'
  # Secret: bot token, vault-encrypted. Whoever holds it can act as the bot.
  token: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    33616664666530373665623065643066306435386363386631396462326664623735653866376338
    3033366363643034376334303637313331633039616236330a373634623636326535326665366664
    38666633323739386238323861393839386136306131666532643932663032653633666166663062
    6637313533663065620a626136366230326538623233393466396139343332333063343335376131
    64323336363963386232383435373430373937316365366332643932333535636634646563376566
    3238303066353866666534623865383462653338623536306437