diff --git a/TODO.md b/TODO.md index b1a75ed..298ed07 100644 --- a/TODO.md +++ b/TODO.md @@ -1,4 +1,3 @@ # TODO * EasyRSA tasks -* Variables documentation diff --git a/group_vars/README.md b/group_vars/README.md index 18d23c0..36904c3 100644 --- a/group_vars/README.md +++ b/group_vars/README.md @@ -1,3 +1,796 @@ # Variables -Soon. +Senstivie data should be encrypted using +[ansible-vault](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html). + +## bacula_catalog_name + +Name of the Bacula catalog. + +```yaml +bacula_catalog_name: HomeCatalog +``` + +## bacula_clients + +List of Bacula Clients. + +```yaml +bacula_clients: + - name: pilote-fd + address: localhost + catalog: HomeCatalog + password: *** + file_retention: 60 days + job_retention: 6 months + autoprune: 'yes' + - name: vps-fd + address: 192.168.0.1 + catalog: HomeCatalog + password: *** + file_retention: 60 days + job_retention: 6 months + autoprune: 'yes' + - name: storage1-fd + address: 192.168.0.2 + catalog: HomeCatalog + password: *** + file_retention: 60 days + job_retention: 6 months + autoprune: 'yes' +``` + +## bacula_device_archive_device + +Directory of the Device where to store Bacula backups. + +```yaml +bacula_device_archive_device: /storage/bacula/backup +``` + +## bacula_device_name + +Name of the Bacula Device. + +```yaml +bacula_device_name: FileStorage +``` + +## bacula_director_address + +Address of the Bacula director. + +```yaml +bacula_director_address: 127.0.0.1 +``` + +## bacula_director_name + +Name of the Bacula director. + +```yaml +bacula_director_name: pilote-dir +``` + +## bacula_director_password + +Password of the Bacula director. + +```yaml +bacula_director_password: *** +``` + +## bacula_filedaemon_address + +Address of the Bacula Client (File Daemon). + +```yaml +bacula_filedaemon_address: 127.0.0.1 +``` + +## bacula_filedaemon_name + +Name of the Bacula Client (File Daemon). + +```yaml +bacula_filedaemon_name: pilote-fd +``` + +## bacula_filedaemon_password + +Password of the Bacula Client (File Daemon). + +```yaml +bacula_filedaemon_password: *** +``` + +## bacula_filesets + +List of Bacula File Sets. + +```yaml +bacula_filesets: + - name: DebianFileSet + include: + options: + signature: MD5 + compression: GZIP + files: + - /etc + - /var/log + - /root + - /home + exclude: + files: + - '*~' + - name: CatalogFileSet + include: + options: + signature: MD5 + compression: GZIP + files: + - /var/lib/bacula/bacula.sql + - name: InfluxDBFileSet + include: + options: + signature: MD5 + files: + - /var/lib/bacula/influxdb + - name: GrafanaFileSet + include: + options: + signature: MD5 + files: + - /var/lib/bacula/grafana +``` + +## bacula_jobs + +List of Bacula Jobs. + +```yaml +bacula_jobs: + - name: BackupPilote + client: pilote-fd + fileset: DebianFileSet + - name: BackupStorage1 + client: storage1-fd + fileset: DebianFileSet + - name: BackupStorage2 + client: storage2-fd + fileset: DebianFileSet + - name: BackupStorage3 + client: storage3-fd + fileset: DebianFileSet + - name: BackupCatalog + client: pilote-fd + level: Full + fileset: CatalogFileSet + schedule: DefaultScheduleAfterBackup + run_before_job: /etc/bacula/scripts/make_catalog_backup.pl HomeCatalog + run_after_job: /etc/bacula/scripts/delete_catalog_backup + priority: 11 # run after main backup + - name: BackupInfluxDB + client: storage1-fd + fileset: InfluxDBFileSet + schedule: DefaultScheduleAfterBackup + client_run_before_job: /etc/bacula/scripts/influxdb-backup %l + client_run_after_job: /etc/bacula/scripts/influxdb-cleanup + priority: 11 # run after main backup + - name: BackupGrafana + client: storage1-fd + level: Full + fileset: GrafanaFileSet + schedule: DefaultScheduleAfterBackup + client_run_before_job: /etc/bacula/scripts/grafana-backup + client_run_after_job: /etc/bacula/scripts/grafana-cleanup + priority: 11 # run after main backup + - name: RestoreFiles + type: Restore + client: storage1-fd + storage: storage1-sd + fileset: DebianFileSet # required but not used + pool: FullFile # required but not used + messages: Standard + where: /storage/bacula/restore +``` + +## bacula_pools + +List of Bacula Pools. + +```yaml +bacula_pools: + - name: FullFile + pool_type: Backup + recycle: 'yes' + auto_prune: 'yes' + volume_retention: 10 years + storage: storage1-sd + maximum_volume_bytes: 1G + maximum_volumes: 100 + labelformat: Full- + - name: DiffFile + pool_type: Backup + recycle: 'yes' + auto_prune: 'yes' + volume_retention: 6 weeks + storage: storage1-sd + maximum_volume_bytes: 1G + maximum_volumes: 100 + labelformat: Diff- + - name: IncrFile + pool_type: Backup + recycle: 'yes' + auto_prune: 'yes' + volume_retention: 3 weeks + storage: storage1-sd + maximum_volume_bytes: 1G + maximum_volumes: 100 + labelformat: Incr- +``` + +## bacula_schedules + +List of Bacula Schedules. + +```yaml +bacula_schedules: + - name: DefaultSchedule + runs: + - datetime: 1st sun at 0:00 + job_overrides: + level: Full + - datetime: 2nd-5th sun at 0:00 + job_overrides: + level: Differential + - datetime: mon-sat at 0:00 + job_overrides: + level: Incremental + - name: DefaultScheduleAfterBackup + runs: + - datetime: sun-sat at 0:00 + job_overrides: + level: Full +``` + +## bacula_storage_address + +Address of the Bacula Storage. + +```yaml +bacula_storage_address: 127.0.0.1 +``` + +## bacula_storage_name + +Name of the Bacula Storage. + +```yaml +bacula_storage_name: storage1-sd +``` + +## bacula_storage_password + +Password of the Bacula Storage. + +```yaml +bacula_storage_password: *** +``` + +## bacula_storages + +List of Bacula Storages. + +```yaml +bacula_storages: + - name: storage1-sd + address: 192.168.0.2 + password: *** + device: FileStorage + media_type: File +``` + +## hostname + +Name of the remote host. + +```yaml +hostname: pilote +``` + +## local_subnet + +Local subnet where the remote host lives. + +```yaml +local_subnet: 192.168.0.0/24 +``` + +## mosquitto_passwords + +List of usernames and passwords to defined mosquitto users. + +```yaml +mosquitto_passwords: + - user: telegraf + hash: '$***' + - user: nagios + hash: '$***' +``` + +See [mosquitto_passwd](https://mosquitto.org/man/mosquitto_passwd-1.html) +command to generate the hash file. + +## nagios_commands + +List of Nagios commands. + +```yaml +nagios_commands: + - command_name: check_nrpe_nossl + command_line: /usr/lib/nagios/plugins/check_nrpe -2 -H '$HOSTADDRESS$' -c '$ARG1$' -n + - command_name: check_https_vhost_certificate + command_line: /usr/lib/nagios/plugins/check_http --ssl --sni -I '$HOSTADDRESS$' -H '$ARG1$' -C '$ARG2$' +``` + +## nagios_contact_groups + +List of Nagios contact groups. + +```yaml +nagios_contact_groups: + - contactgroup_name: admins + alias: Nagios Administrators + members: + - admin + - telegram +``` + +## nagios_contacts + +List of Nagios contacts. + +```yaml +nagios_contacts: + - contact_name: admin + use: generic-contact + alias: Nagios Admin + email: noreply@nonexistant.com + host_notifications_enabled: 0 + service_notifications_enabled: 0 + - contact_name: telegram + use: generic-contact + alias: Telegram notifications + pager: 000000000 + email: noreply@nonexistant.com + service_notification_commands: notify-service-by-telegram + host_notification_commands: notify-host-by-telegram +``` + +## nagios_hostgroups + +List of Nagios host groups. + +```yaml +nagios_hostgroups: + - hostgroup_name: linux-servers + alias: Linux servers + members: + - pilote + - vps + - storage1 + - storage2 + - storage3 + - hostgroup_name: web-servers + alias: Web servers + members: + - vps +``` + +## nagios_hosts + +List of Nagios hosts. + +```yaml +nagios_hosts: + - use: home-host + host_name: pilote + alias: pilote + address: 127.0.0.1 + - use: home-host + host_name: vps + alias: vps + address: 10.8.0.1 +``` + +## nagios_host_templates + +List of Nagios host templates. + +```yaml +nagios_host_templates: + - name: home-host + use: generic-host + check_command: check-host-alive + contact_groups: admins + notification_options: + - d + - u + - r + check_interval: 5 + retry_interval: 5 # retry every 5 minutes + max_check_attempts: 12 # alert at 1 hour (12x5 minutes) + notification_interval: 720 # resend notifications every 12 hours +``` + +## nagios_htdigest_users + +List of users for basic authentication. + +```yaml +nagios_htdigest_users: + - name: admin + hash: '...' +``` + +## nagios_service_dependencies + +List of Nagios service dependencies. + +```yaml +nagios_service_dependencies: + - host_name: pilote + service_description: ovhcloud_voip + dependent_host_name: pilote + dependent_service_description: ovhcloud_ping + execution_failure_criteria: u + notification_failure_criteria: u +``` + +## nagios_services + +List of Nagios services. + +```yaml +nagios_services: + - use: home-service + hostgroup_name: linux-servers + service_description: load + check_command: check_nrpe_nossl!check_load + - use: home-service + hostgroup_name: web-servers + service_description: https_monitoring_tld_certificate + check_command: check_https_vhost_certificate!monitoring.tld!1 +``` + +## nagios_service_templates + +List of Nagios service templates. + +```yaml +nagios_service_templates: + - name: home-service + use: generic-service + contact_groups: admins + check_interval: 5 + retry_interval: 5 # retry every 5 minutes + max_check_attempts: 12 # alert at 1 hour (12x5 minutes) + notification_interval: 720 # 12 hours + - name: public-service + use: generic-service + contact_groups: admins + check_interval: 1 + retry_interval: 1 # retry every minute + max_check_attempts: 3 # alert after 3 minutes + notification_interval: 60 # 1 hour +``` + +## nagios_telegram_auth_key + +Key used to authenticate to the Telegram API. See [how to create a +bot](https://core.telegram.org/bots#3-how-do-i-create-a-bot). + +```yaml +nagios_telegram_auth_key: '***' +``` + +## nagios_telegram_chat_id + +Unique identifier for the target chat or username of the target channel (in the +format `@channelusername`). See [API +specifications](https://core.telegram.org/bots/api#sendmessage). + +```yaml +nagios_telegram_chat_id: 000000000 +``` + +## nrpe_allowed_hosts + +List of IP addresses or ranges allowed to talk to the NRPE daemon. + +```yaml +nrpe_allowed_hosts: + - 10.8.0.0/24 + - 127.0.0.1 +``` + +## nrpe_commands + +List of NRPE commands. + +```yaml +nrpe_commands: + - name: check_load + line: /usr/lib/nagios/plugins/check_load -r -w 1,1,1 -c 4,4,4 + - name: check_openvpn + line: '/usr/lib/nagios/plugins/check_procs -c 1: -C openvpn' + - name: check_openvpn_cert + line: >- + /opt/check_ssl_cert/check_ssl_cert -f /etc/openvpn/client.crt --ignore-maximum-validity + --ignore-incomplete-chain --allow-empty-san --ignore-sct --warning 15 --critical 1 +``` + +## nrpe_opts + +Options for the NRPE daemon. + +```yaml +nrpe_opts: '-n' # Disable TLS +``` + +## openvpn_ca + +Content of the certificate of the Certificate Authority (CA) used to certify +VPN connections. + +```yaml +openvpn_ca: | + -----BEGIN CERTIFICATE----- +``` + +## openvpn_cert + +Content of the certificate used to authenticate to the VPN server. + +```yaml +openvpn_cert: | + -----BEGIN CERTIFICATE----- +``` + +## openvpn_key + +Content of the private key used to authenticate to the VPN server. + +```yaml +openvpn_key: +``` + +## openvpn_remote_host + +Hostname or IP address of the remote VPN server. + +```yaml +openvpn_remote_host: vpn.fqdn +``` + +## openvpn_subnet + +Subnet used by OpenVPN to group clients. + +```yaml +openvpn_subnet: 10.8.0.0/24 +``` + +## openvpn_ta + +Content of the OpenVPN static key used for TLS authentication. + +```yaml +openvpn_ta: +``` + +## ovh_application_key + +Application key used to authenticate to the OVH API. + +```yaml +ovh_application_key: deadbeef +``` + +See [first steps with the OVHcloud +APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). + +## ovh_application_secret + +Application secret used to authenticate to the OVH API. + +```yaml +ovh_application_secret: deadbeef +``` + +See [first steps with the OVHcloud +APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). + +## ovh_consumer_key + +Consumer key used to authenticate to the OVH API. + +```yaml +ovh_consumer_key: deadbeef +``` + +See [first steps with the OVHcloud +APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). + +## ovh_endpoint + +Endpoint of the OVH API. + +```yaml +ovh_endpoint: ovh-eu +``` + +See [first steps with the OVHcloud +APIs](https://help.ovhcloud.com/csm/en-gb-api-getting-started-ovhcloud-api?id=kb_article_view&sysparm_article=KB0042784). + +## serial2mqtt_host + +Hostname or IP address used by serial2mqtt to send messages to the MQTT broker. + +```yaml +serial2mqtt_host: localhost +``` + +## serial2mqtt_interface + +Name of the serial interface name used by serial2mqtt to gather metrics +produced by the Arduino board. + +```yaml +serial2mqtt_interface: /dev/ttyACM0 +``` + +## serial2mqtt_password + +Password used by serial2mqtt to send messages to the MQTT broker. + +```yaml +serial2mqtt_password: *** +``` +## serial2mqtt_port + +Port used by serial2mqtt to send messages to the MQTT broker. + +```yaml +serial2mqtt_port: 1883 +``` + +## serial2mqtt_topic_prefix + +Add this prefix to topic names on the MQTT broker for serial2mqtt messages. + +```yaml +serial2mqtt_topic_prefix: sensors +``` + +## serial2mqtt_username + +Username used by serial2mqtt to send messages to the MQTT broker. + +```yaml +serial2mqtt_username: telegraf +``` + +## ssh_authorized_keys + +List of SSH authorized keys. + +```yaml +ssh_authorized_keys: + - user: root + key: ssh-ed25519 hash + comment: desktop +``` + +Used by +[ansible.posix.authorized_keys](https://docs.ansible.com/ansible/latest/collections/ansible/posix/authorized_key_module.html) +module. + +## telegraf_influxdb_database + +Name of the InfluxDB database used by telegraf to send metrics. + +```yaml +telegraf_influxdb_database: metrics +``` + +## telegraf_influxdb_password + +Password of the InfluxDB user used by telegraf to send metrics. + +```yaml +telegraf_influxdb_password: *** +``` + +## telegraf_influxdb_urls + +List of InfluxDB endpoints used by telegraf to send metrics. + +```yaml +telegraf_influxdb_urls: + - https://192.168.0.1:8088 +``` + +## telegraf_influxdb_username + +Name of the InfluxDB user used by telegraf to send metrics. + +```yaml +telegraf_influxdb_username: telegraf +``` + +## telegraf_mqtt_consumer_password + +Password used to authenticate to the MQTT broker for telegraf. + +```yaml +telegraf_mqtt_consumer_password: *** +``` + +## telegraf_mqtt_consumer_servers + +List of MQTT brokers for telegraf. + +```yaml +telegraf_mqtt_consumer_servers: + - tcp://localhost:1883 +``` + +## telegraf_mqtt_consumer_topics + +List of MQTT topics to consume for telegraf. + +```yaml +telegraf_mqtt_consumer_topics: + - sensors/humidity + - sensors/temperature +``` + +## telegraf_mqtt_consumer_username + +Name used to authenticate to the MQTT broker for telegraf. + +```yaml +telegraf_mqtt_consumer_username: telegraf +``` + +## telegraf_ping_ip + +IP address of the host to ping for latency metrics. + +```yaml +telegraf_ping_ip: 192.168.0.1 +``` + +## timezone + +Alias of the time zone. + +```yaml +timezone: Europe/Brussels +``` + +## users + +List of users to configure on the remote host. + +```yaml +users: + - name: root + password: hash +``` + +Used by +[ansible.builtin.user](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html) +module.