---
# Privilege escalation goes through doas (community.general collection).
# The become password is a placeholder, not a credential.
# NOTE(review): presumably set so the become plugin does not invoke doas
# non-interactively (-n); confirm against the plugin before changing it.
ansible_become_method: community.general.doas
ansible_become_password: 'unused'

# SSH public keys installed for root.  This is a Jinja template and is
# rendered when the variable is used: on Fedora 34 and newer the
# FIDO-backed keys (sk-ssh-ed25519@openssh.com, require the hardware
# authenticator to be present) are installed; other systems get the plain
# ed25519 keys -- presumably because their OpenSSH lacks sk-* support.
root_authorized_keys: |
  {% if ansible_distribution == "Fedora" and ansible_distribution_version|int >= 34 %}
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyrocufflink.blue
  {% else %}
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsL5fSylmiJmBtW0DH/viAAmtU2E/2M17GPvysiyRs+ dustin@rosalina
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma
  {% endif %}

# Local accounts; both are members of wheel.
managed_users:
  - name: dustin
    comment: 'Dustin C. Hatch'
    uid: 3000016
    groups: ['wheel']
  - name: jenkins
    comment: 'Jenkins'
    uid: 3000018
    groups: ['wheel']

# SSH public keys associated with doas; how they are installed is defined
# by the consuming role.  Two FIDO-backed keys plus a plain ed25519 key
# for the jenkins account.
doas_authorized_ssh_keys: |
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDD3Ebb7dyEyCylgEjmhFxvGqbPkT+0KSpI+xEGXLFnn jenkins

# SSH certificate authority.  The public key below is presumably rendered
# into sshd's TrustedUserCAKeys; whoever holds the matching private key on
# the sshca host can mint login certificates, so that host is the thing to
# protect.
sshca_url: 'https://sshca.pyrocufflink.blue'
ssh_trusted_user_ca_keys: >-
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF
  sshca.pyrocufflink.blue

certbot_account_email: 'dustin@hatch.name'

# Outbound mail is relayed through the internal mail host.
smtp:
  mode: relay
  host: mail.pyrocufflink.blue

# Per-VLAN network definitions.  Keys present vary per network; the
# consuming templates are assumed to tolerate missing ones.
dch_networks:
  jazz:
    description: 'Legacy network'
    vlan_id: 1
    ipv4_address: '172.31.0.0/27'
    router_iface: vlan1
    dns_search: ['pyrocufflink.jazz']
    dns_servers:
      - 'fd99:8cd7:6528:fe1e::4:1'
      - 'fd99:8cd7:6528:fe1e::3:1'
    dns_servers_v4: ['172.30.0.4']
    sla_id: 1
    ntp_servers: ['tyrande.pyrocufflink.jazz']
  mgmt:
    description: 'Management network'
    vlan_id: 10
    router_iface: vlan10
    ipv4_address: '172.30.0.240/28'
    ntp_servers: ['dc0.pyrocufflink.blue']
    dns_servers_v4: ['172.30.0.4']
  blue:
    description: 'pyrocufflink.blue AD domain members only'
    vlan_id: 30
    ipv4_address: '172.30.0.0/26'
    ipv6_address: 'fd99:8cd7:6528:fe1e::/64'
    router_iface: vlan30
    dns_search: ['pyrocufflink.blue']
    dns_servers:
      - 'fd99:8cd7:6528:fe1e::4:1'
      - 'fd99:8cd7:6528:fe1e::3:1'
    dns_servers_v4: ['172.30.0.4']
    sla_id: 30
    ntp_servers: ['dc0.pyrocufflink.blue']
  red:
    description: 'Non-domain member machines'
    vlan_id: 101
    ipv4_address: '172.31.1.0/24'
    router_iface: vlan101
    dns_servers:
      - 'fd99:8cd7:6528:fe1e::4:1'
      - 'fd99:8cd7:6528:fe1e::3:1'
    dns_servers_v4: ['172.30.0.4']
    sla_id: 101
    ntp_servers: ['dc0.pyrocufflink.blue']
  guest:
    description: 'Guest Wi-Fi'
    vlan_id: 100
    ipv4_address: '172.24.100.0/24'
    router_iface: vlan100
  dmz:
    description: 'DMZ'
    vlan_id: 254
    router_iface: vlan254

# Address ranges handed to the firemon role (its meaning for them is
# defined there).
firemon_networks:
  - '192.168.0.0/16'
  - '172.16.0.0/20'
  - '172.24.16.0/20'
  - '172.28.33.0/24'
  - '10.64.11.0/24'

# Promtail ships to Loki over HTTPS; ca_file is the CA used to verify the
# Loki server certificate.  promtail_ca is that CA's PEM (subject, decoded
# from the certificate: "DCH Root CA R2"); the consuming role is expected
# to write it to the ca_file path.
promtail_clients:
  - url: 'https://loki.pyrocufflink.blue/loki/api/v1/push'
    tls_config:
      ca_file: /etc/promtail/ca.crt
promtail_ca: |
  -----BEGIN CERTIFICATE-----
  MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
  QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
  AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
  WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
  VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
  NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
  Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
  oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
  ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
  irIa697nfe4KiXIMwHlAMS1+1QZohFDC
  -----END CERTIFICATE-----

# dnf-automatic: mail reports through the relay; run on a weekday picked
# deterministically per host (random() is seeded with inventory_hostname,
# so each host keeps the same day across runs) at 04:00 Chicago time.
dnf_automatic_email_from: 'dnf@pyrocufflink.net'
dnf_automatic_email_to: 'gyrfalcon@ebonfire.com'
dnf_automatic_email_host: mail.pyrocufflink.blue
dnf_automatic_schedule: >-
  {{ ['Mon', 'Tue', 'Wed', 'Thu'] | random(seed=inventory_hostname) | string }}
  *-*-* 04:00:00 America/Chicago

# Fluent Bit filter chain.
fluent_bit_filters:
  # Avoid log amplification from logging the result of sending logs:
  # drop Fluent Bit's own "HTTP status=200" lines for the victorialogs
  # output before they are shipped again.
  - name: grep
    match: host.fluent-bit.service
    exclude: 'message \[output:http:victorialogs\] .+, HTTP status=200$'
  # Copy kernel-transport records to the ntfy tag (keep=true leaves the
  # original record in place).
  # NOTE(review): Fluent Bit's rewrite_tag rule expects the key as
  # "$transport"; confirm the consuming template adds the "$" prefix,
  # otherwise this rule never matches.
  - name: rewrite_tag
    alias: ntfy
    match: 'host.*'
    rule: 'transport kernel ntfy true'
  # Of those, only messages starting with "md" (presumably Linux software
  # RAID events) go on to ntfy.
  - name: grep
    match: ntfy
    alias: ntfy.filter
    regex: 'message ^md'
  # Add the ntfy publish fields: fixed topic "alerts" and tags
  # [hostname, syslog_identifier].  Returning 1 marks the record modified.
  - name: lua
    alias: ntfy.populate
    match: ntfy
    code: |
      function ntfy_transform(tag, timestamp, record)
        record["topic"] = "alerts"
        record["tags"] = {
          record["hostname"],
          record["syslog_identifier"],
        }
        return 1, timestamp, record
      end
    call: ntfy_transform
  # Strip everything except the fields ntfy's JSON publish API consumes,
  # so no other log content leaves the host on this path.
  - name: record_modifier
    alias: ntfy.clean
    match: ntfy
    allowlist_key:
      - message
      - tags
      - topic

# Fluent Bit outputs.
fluent_bit_outputs:
  # All host logs -> VictoriaLogs.  TLS verification is pinned to the
  # private root CA installed in the system anchors directory.
  - name: http
    alias: victorialogs
    match: 'host.*'
    host: logs.pyrocufflink.blue
    port: 443
    tls: true
    tls.verify: true
    tls.verify_hostname: true
    tls.ca_file: /etc/pki/ca-trust/source/anchors/dch-root-ca-r2.crt
    uri: '/insert/jsonline?_stream_fields=hostname,systemd_unit&_msg_field=message&_time_field=date'
    format: json_lines
    json_date_format: iso8601
    log_response_payload: false
  # Filtered kernel events -> ntfy.  Certificate and hostname verification
  # are on, but unlike the output above no tls.ca_file is given.
  # NOTE(review): presumably the ntfy server presents a certificate that
  # chains to the default trust store -- confirm.  json_date_key false
  # omits the timestamp key so only the allowlisted fields are posted.
  - name: http
    alias: ntfy
    workers: 1
    match: ntfy
    host: ntfy.pyrocufflink.blue
    port: 443
    tls: true
    tls.verify: true
    tls.verify_hostname: true
    uri: '/'
    format: json_lines
    json_date_key: false
    log_response_payload: false