configpolicy/group_vars/all.yml

ansible_become_method: community.general.doas
ansible_become_password: unused

root_authorized_keys: |
  {% if ansible_distribution == "Fedora" and ansible_distribution_version|int >= 34 %}
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyrocufflink.blue
  {% else %}
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsL5fSylmiJmBtW0DH/viAAmtU2E/2M17GPvysiyRs+ dustin@rosalina
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma
  {% endif %}


managed_users:
- name: dustin
  comment: Dustin C. Hatch
  uid: 3000016
  groups:
  - wheel
- name: jenkins
  comment: Jenkins
  uid: 3000018
  groups:
  - wheel

doas_authorized_ssh_keys: |
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDD3Ebb7dyEyCylgEjmhFxvGqbPkT+0KSpI+xEGXLFnn jenkins

sshca_url: https://sshca.pyrocufflink.blue
ssh_trusted_user_ca_keys: >-
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue

certbot_account_email: dustin@hatch.name
smtp:
  mode: relay
  host: mail.pyrocufflink.blue

dch_networks:
  jazz:
    description: Legacy network
    vlan_id: 1
    ipv4_address: 172.31.0.0/27
    router_iface: vlan1
    dns_search:
    - pyrocufflink.jazz
    dns_servers:
    - fd99:8cd7:6528:fe1e::4:1
    - fd99:8cd7:6528:fe1e::3:1
    dns_servers_v4:
    - 172.30.0.4
    sla_id: 1
    ntp_servers:
    - tyrande.pyrocufflink.jazz

  mgmt:
    description: Management network
    vlan_id: 10
    router_iface: vlan10
    ipv4_address: 172.30.0.240/28
    ntp_servers:
    - dc0.pyrocufflink.blue
    dns_servers_v4:
    - 172.30.0.4

  blue:
    description: pyrocufflink.blue AD domain members only
    vlan_id: 30
    ipv4_address: 172.30.0.0/26
    ipv6_address: fd99:8cd7:6528:fe1e::/64
    router_iface: vlan30
    dns_search:
    - pyrocufflink.blue
    dns_servers:
    - fd99:8cd7:6528:fe1e::4:1
    - fd99:8cd7:6528:fe1e::3:1
    dns_servers_v4:
    - 172.30.0.4
    sla_id: 30
    ntp_servers:
    - dc0.pyrocufflink.blue

  red:
    description: Non-domain member machines
    vlan_id: 101
    ipv4_address: 172.31.1.0/24
    router_iface: vlan101
    dns_servers:
    - fd99:8cd7:6528:fe1e::4:1
    - fd99:8cd7:6528:fe1e::3:1
    dns_servers_v4:
    - 172.30.0.4
    sla_id: 101
    ntp_servers:
    - dc0.pyrocufflink.blue

  guest:
    description: Guest Wi-Fi
    vlan_id: 100
    ipv4_address: 172.24.100.0/24
    router_iface: vlan100

  dmz:
    description: DMZ
    vlan_id: 254
    router_iface: vlan254


firemon_networks:
- 192.168.0.0/16
- 172.16.0.0/20
- 172.24.16.0/20
- 172.28.33.0/24
- 10.64.11.0/24

promtail_clients:
- url: https://loki.pyrocufflink.blue/loki/api/v1/push
  tls_config:
    ca_file: /etc/promtail/ca.crt
promtail_ca: |
  -----BEGIN CERTIFICATE-----
  MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
  QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
  AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
  WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
  VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
  NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
  Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
  oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
  ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
  irIa697nfe4KiXIMwHlAMS1+1QZohFDC
  -----END CERTIFICATE-----

dnf_automatic_email_from: dnf@pyrocufflink.net
dnf_automatic_email_to: gyrfalcon@ebonfire.com
dnf_automatic_email_host: mail.pyrocufflink.blue

dnf_automatic_schedule: >-
  {{ ['Mon', 'Tue', 'Wed', 'Thu']
     | random(seed=inventory_hostname)
     | string
  }} *-*-* 04:00:00 America/Chicago

fluent_bit_ntfy_common_filters:
- name: lua
  alias: ntfy.populate
  match: ntfy
  code: |
    function ntfy_transform(tag, timestamp, record)
        record["topic"] = "alerts"
        record["tags"] = {
          record["hostname"],
          record["syslog_identifier"],
        }
        return 1, timestamp, record
    end
  call: ntfy_transform
- name: record_modifier
  alias: ntfy.clean
  match: ntfy
  allowlist_key:
  - message
  - tags
  - topic

fluent_bit_common_filters:
- name: record_modifier
  match: '*'
  record:
  - hostname ${HOSTNAME}
# Avoid log amplification from logging the result of sending logs!
- name: grep
  match: host.fluent-bit.service
  exclude: message \[output:http:.+\] .+, HTTP status=200$

fluent_bit_default_filters: '{{ fluent_bit_common_filters }}'

fluent_bit_filters: '{{ fluent_bit_default_filters }}'

fluent_bit_output_template_victorialogs:
  host: logs.pyrocufflink.blue
  port: 443
  tls: true
  tls.verify: true
  tls.verify_hostname: true
  tls.ca_file: /etc/pki/ca-trust/source/anchors/dch-root-ca-r2.crt
  format: json_lines
  json_date_format: iso8601
  log_response_payload: false

_fluent_bit_output_systemd:
  name: http
  alias: victorialogs
  match: host.*
  uri: /insert/jsonline?_stream_fields=hostname,systemd_unit&_msg_field=message&_time_field=date

fluent_bit_output_systemd: >-
  {{ _fluent_bit_output_systemd | combine(fluent_bit_output_template_victorialogs) }}

fluent_bit_output_ntfy:
  name: http
  alias: ntfy
  workers: 1
  match: ntfy
  host: ntfy.pyrocufflink.blue
  port: 443
  tls: true
  tls.verify: true
  tls.verify_hostname: true
  uri: /
  format: json_lines
  json_date_key: false
  log_response_payload: false

fluent_bit_main_outputs:
- '{{ fluent_bit_output_systemd }}'

fluent_bit_outputs: '{{ fluent_bit_main_outputs }}'