# Privilege escalation goes through doas rather than sudo.
ansible_become_method: community.general.doas
# Placeholder value only. NOTE(review): doas must then be configured to not
# prompt for a password for the connecting user — confirm against doas.conf.
ansible_become_password: unused
# Public keys authorised for the root account. The value is a Jinja template:
# Fedora >= 34 gets FIDO security-key-backed keys (sk-ssh-ed25519), other
# hosts fall back to plain ed25519 keys for the same two workstations
# (presumably because older OpenSSH builds cannot use sk- keys — confirm).
root_authorized_keys: |
  {% if ansible_distribution == "Fedora" and ansible_distribution_version|int >= 34 %}
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyrocufflink.blue
  {% else %}
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsL5fSylmiJmBtW0DH/viAAmtU2E/2M17GPvysiyRs+ dustin@rosalina
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma
  {% endif %}
# Local accounts to create on every host. Both are members of wheel.
# NOTE(review): wheel membership for the jenkins service account gives CI the
# same escalation path as the human admin — what wheel is allowed to do is
# decided in doas.conf, which is not visible here; confirm it is intended.
managed_users:
  - name: dustin
    comment: Dustin C. Hatch
    uid: 3000016
    groups:
      - wheel
  - name: jenkins
    comment: Jenkins
    uid: 3000018
    groups:
      - wheel
# Public keys accepted for doas authentication (a separate key set from
# root_authorized_keys, plus the jenkins CI key). The mechanism that consumes
# these — presumably SSH-agent based authentication — is defined by the
# consuming role, not here.
doas_authorized_ssh_keys: |
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDD3Ebb7dyEyCylgEjmhFxvGqbPkT+0KSpI+xEGXLFnn jenkins
# SSH certificate authority service.
sshca_url: https://sshca.pyrocufflink.blue
# CA public key, presumably rendered into sshd's TrustedUserCAKeys: any user
# certificate signed by this key is accepted for login (subject to the
# certificate's principals), so rotating the CA means updating this value.
ssh_trusted_user_ca_keys: >-
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue
# Contact address registered with the ACME account.
certbot_account_email: dustin@hatch.name

# Outbound mail: hosts relay through the internal mail server instead of
# delivering directly.
smtp:
  mode: relay
  host: mail.pyrocufflink.blue
# Per-VLAN network definitions, keyed by short network name. ipv4_address /
# ipv6_address hold the network prefix in CIDR form, router_iface the
# router-side VLAN interface. sla_id is presumably the IPv6 prefix-delegation
# SLA ID (it equals vlan_id wherever set) — confirm with the consuming role.
dch_networks:
  jazz:
    description: Legacy network
    vlan_id: 1
    ipv4_address: 172.31.0.0/27
    router_iface: vlan1
    dns_search:
      - pyrocufflink.jazz
    dns_servers:
      - fd99:8cd7:6528:fe1e::4:1
      - fd99:8cd7:6528:fe1e::3:1
    dns_servers_v4:
      - 172.30.0.4
    sla_id: 1
    ntp_servers:
      - tyrande.pyrocufflink.jazz

  # No IPv6 prefix or sla_id here, unlike the other addressed networks.
  mgmt:
    description: Management network
    vlan_id: 10
    router_iface: vlan10
    ipv4_address: 172.30.0.240/28
    ntp_servers:
      - dc0.pyrocufflink.blue
    dns_servers_v4:
      - 172.30.0.4

  # The only network with an explicit IPv6 prefix; the DNS servers listed for
  # the other VLANs live inside it.
  blue:
    description: pyrocufflink.blue AD domain members only
    vlan_id: 30
    ipv4_address: 172.30.0.0/26
    ipv6_address: fd99:8cd7:6528:fe1e::/64
    router_iface: vlan30
    dns_search:
      - pyrocufflink.blue
    dns_servers:
      - fd99:8cd7:6528:fe1e::4:1
      - fd99:8cd7:6528:fe1e::3:1
    dns_servers_v4:
      - 172.30.0.4
    sla_id: 30
    ntp_servers:
      - dc0.pyrocufflink.blue

  red:
    description: Non-domain member machines
    vlan_id: 101
    ipv4_address: 172.31.1.0/24
    router_iface: vlan101
    dns_servers:
      - fd99:8cd7:6528:fe1e::4:1
      - fd99:8cd7:6528:fe1e::3:1
    dns_servers_v4:
      - 172.30.0.4
    sla_id: 101
    ntp_servers:
      - dc0.pyrocufflink.blue

  # No DNS/NTP servers defined here; presumably supplied by another mechanism.
  guest:
    description: Guest Wi-Fi
    vlan_id: 100
    ipv4_address: 172.24.100.0/24
    router_iface: vlan100

  # No addressing is defined for the DMZ in this file.
  dmz:
    description: DMZ
    vlan_id: 254
    router_iface: vlan254
# Prefixes handed to the firewall-monitoring role (none of them overlap the
# dch_networks prefixes above). What the role does with them is not visible
# here — check the consumer before editing.
firemon_networks:
  - 192.168.0.0/16
  - 172.16.0.0/20
  - 172.24.16.0/20
  - 172.28.33.0/24
  - 10.64.11.0/24
# Promtail ships logs to Loki over HTTPS and verifies the server against a
# private CA bundle installed at ca_file (contents in promtail_ca below).
promtail_clients:
  - url: https://loki.pyrocufflink.blue/loki/api/v1/push
    tls_config:
      ca_file: /etc/promtail/ca.crt
# Private root CA certificate (public material, safe to keep in VCS). The
# subject appears to be the same "DCH Root CA R2" referenced by tls.ca_file
# in fluent_bit_outputs; if the root is rotated, update both places.
promtail_ca: |
  -----BEGIN CERTIFICATE-----
  MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
  QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
  AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
  WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
  VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
  NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
  Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
  oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
  ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
  irIa697nfe4KiXIMwHlAMS1+1QZohFDC
  -----END CERTIFICATE-----
# Where dnf-automatic sends its reports (via the same relay as smtp.host).
dnf_automatic_email_from: dnf@pyrocufflink.net
dnf_automatic_email_to: gyrfalcon@ebonfire.com
dnf_automatic_email_host: mail.pyrocufflink.blue

# systemd calendar expression for unattended updates. The weekday is chosen
# by `random(seed=inventory_hostname)`, so each host gets a stable day of its
# own and the fleet's update windows are spread Mon–Thu at 04:00 local time.
# Folded scalar: the template renders to a single line.
dnf_automatic_schedule: >-
  {{ ['Mon', 'Tue', 'Wed', 'Thu']
  | random(seed=inventory_hostname)
  | string
  }} *-*-* 04:00:00 America/Chicago
# Fluent Bit filter chain. The first entry drops the shipper's own success
# lines; the remaining four build a separate "ntfy" stream that carries only
# kernel messages starting with "md" (presumably mdraid events) as
# notifications, stripped down to message/tags/topic.
fluent_bit_filters:
  # Avoid log amplification from logging the result of sending logs!
  - name: grep
    match: host.fluent-bit.service
    exclude: message \[output:http:victorialogs\] .+, HTTP status=200$
  # rewrite_tag rule is "KEY REGEX NEW_TAG KEEP": records whose transport
  # field is "kernel" are re-emitted under tag "ntfy"; the original record is
  # kept (true) so it still reaches the victorialogs output.
  - name: rewrite_tag
    alias: ntfy
    match: host.*
    rule: transport kernel ntfy true
  # Only kernel messages beginning with "md" continue down the ntfy stream.
  - name: grep
    match: ntfy
    alias: ntfy.filter
    regex: message ^md
  # Adds the ntfy topic and tags (host + syslog identifier) to each record.
  # Returning 1 tells Fluent Bit the record was modified.
  - name: lua
    alias: ntfy.populate
    match: ntfy
    code: |
      function ntfy_transform(tag, timestamp, record)
          record["topic"] = "alerts"
          record["tags"] = {
              record["hostname"],
              record["syslog_identifier"],
          }
          return 1, timestamp, record
      end
    call: ntfy_transform
  # Data minimisation: every other field is dropped before the notification
  # leaves the host.
  - name: record_modifier
    alias: ntfy.clean
    match: ntfy
    allowlist_key:
      - message
      - tags
      - topic
# Fluent Bit outputs. Both use TLS with certificate and hostname verification.
fluent_bit_outputs:
  # All host logs -> VictoriaLogs. Server cert is checked against the private
  # root CA (the same "DCH Root CA R2" material as promtail_ca).
  - name: http
    alias: victorialogs
    match: host.*
    host: logs.pyrocufflink.blue
    port: 443
    tls: true
    tls.verify: true
    tls.verify_hostname: true
    tls.ca_file: /etc/pki/ca-trust/source/anchors/dch-root-ca-r2.crt
    uri: /insert/jsonline?_stream_fields=hostname,systemd_unit&_msg_field=message&_time_field=date
    format: json_lines
    json_date_format: iso8601
    # Keeps the output from echoing the server response into the log stream
    # (see the grep filter on host.fluent-bit.service).
    log_response_payload: false
  # The filtered "ntfy" stream -> ntfy notifications. No tls.ca_file here, so
  # verification presumably relies on the system trust store — NOTE(review):
  # confirm ntfy's certificate chains to a CA trusted on every host, otherwise
  # this output fails silently once tls.verify is enforced.
  - name: http
    alias: ntfy
    workers: 1
    match: ntfy
    host: ntfy.pyrocufflink.blue
    port: 443
    tls: true
    tls.verify: true
    tls.verify_hostname: true
    uri: /
    format: json_lines
    # false disables the generated date key in the posted JSON.
    json_date_key: false
    log_response_payload: false