
Variables

Sensitive data (passwords, password hashes, API keys, private keys, pre-shared keys) should be encrypted using ansible-vault. The `***`, `deadbeef` and `hash` values below are placeholders, not working examples, and secrets should always be quoted so YAML never re-types them.

bacula_catalog_name

Name of the Bacula catalog.

bacula_catalog_name: HomeCatalog

bacula_clients

List of Bacula Clients.

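# One entry per Client resource on the Director. `password` is the shared
# secret the Director presents to that File Daemon: use a distinct value per
# client and keep it vault-encrypted. It is quoted because an unquoted `***`
# is read by YAML as an alias reference (`*` is the alias indicator), not as
# a string.
# `autoprune` is quoted on purpose: Bacula expects the literal text yes/no,
# and a bare yes would be loaded as a YAML boolean.
# NOTE(review): no TLS directives appear in these examples, so Director<->FD
# traffic is protected only by the network path (LAN / VPN) — confirm.
bacula_clients:
  - name: pilote-fd
    address: localhost
    catalog: HomeCatalog
    password: '***'
    file_retention: 60 days
    job_retention: 6 months
    autoprune: 'yes'
  - name: vps-fd
    # NOTE(review): nagios_hosts below reaches vps at 10.8.0.1 (the OpenVPN
    # subnet); confirm 192.168.0.1 is the address the Director should dial.
    address: 192.168.0.1
    catalog: HomeCatalog
    password: '***'
    file_retention: 60 days
    job_retention: 6 months
    autoprune: 'yes'
  - name: storage1-fd
    address: 192.168.0.2
    catalog: HomeCatalog
    password: '***'
    file_retention: 60 days
    job_retention: 6 months
    autoprune: 'yes'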

bacula_device_archive_device

Directory of the Device where to store Bacula backups.

bacula_device_archive_device: /storage/bacula/backup

bacula_device_name

Name of the Bacula Device.

bacula_device_name: FileStorage

bacula_director_address

Address of the Bacula director.

bacula_director_address: 127.0.0.1

bacula_director_name

Name of the Bacula director.

bacula_director_name: pilote-dir

bacula_director_password

Password of the Bacula director.

bacula_director_password: ***

bacula_filedaemon_address

Address of the Bacula Client (File Daemon).

bacula_filedaemon_address: 127.0.0.1

bacula_filedaemon_name

Name of the Bacula Client (File Daemon).

bacula_filedaemon_name: pilote-fd

bacula_filedaemon_password

Password of the Bacula Client (File Daemon).

bacula_filedaemon_password: ***

bacula_filesets

List of Bacula File Sets.

# FileSet resources referenced by bacula_jobs[].fileset.
# `signature` selects the per-file digest Bacula stores in the catalog for
# Verify jobs; it is an integrity check, not authentication. MD5 is no longer
# collision resistant — prefer SHA1 (documented for this directive) or a SHA-2
# variant if the installed Bacula version accepts one.
# DebianFileSet captures /etc, /root and /home, i.e. SSH keys, service
# credentials and possibly vault passwords: the resulting volumes are as
# sensitive as the hosts themselves.
bacula_filesets:
  - name: DebianFileSet
    include:
      options:
        signature: MD5
        compression: GZIP
      files:
        - /etc
        - /var/log
        - /root
        - /home
    exclude:
      files:
        - '*~'  # quoted: an unquoted leading `*` would be parsed as a YAML alias
  - name: CatalogFileSet
    include:
      options:
        signature: MD5
        compression: GZIP
      files:
        # dump produced by make_catalog_backup.pl (see the BackupCatalog job)
        - /var/lib/bacula/bacula.sql
  - name: InfluxDBFileSet
    include:
      options:
        signature: MD5
      files:
        # written by the client-side influxdb-backup script before the job
        - /var/lib/bacula/influxdb
  - name: GrafanaFileSet
    include:
      options:
        signature: MD5
      files:
        # written by the client-side grafana-backup script before the job
        - /var/lib/bacula/grafana

bacula_jobs

List of Bacula Jobs.

# Job resources. `run_before_job`/`run_after_job` execute on the Director host,
# `client_run_before_job`/`client_run_after_job` on the client under the File
# Daemon's privileges: keep these scripts root-owned and not group/world
# writable, since anyone who can edit them runs code on every backup.
# NOTE(review): storage2-fd and storage3-fd are not defined in the
# bacula_clients example above; presumably that list is abbreviated.
bacula_jobs:
  - name: BackupPilote
    client: pilote-fd
    fileset: DebianFileSet
  - name: BackupStorage1
    client: storage1-fd
    fileset: DebianFileSet
  - name: BackupStorage2
    client: storage2-fd
    fileset: DebianFileSet
  - name: BackupStorage3
    client: storage3-fd
    fileset: DebianFileSet
  - name: BackupCatalog
    client: pilote-fd
    level: Full
    fileset: CatalogFileSet
    schedule: DefaultScheduleAfterBackup
    # dumps the HomeCatalog database to /var/lib/bacula/bacula.sql, then removes it
    run_before_job: /etc/bacula/scripts/make_catalog_backup.pl HomeCatalog
    run_after_job: /etc/bacula/scripts/delete_catalog_backup
    priority: 11  # run after main backup
  - name: BackupInfluxDB
    client: storage1-fd
    fileset: InfluxDBFileSet
    schedule: DefaultScheduleAfterBackup
    # %l is expanded by Bacula to the job level (Full/Differential/Incremental)
    client_run_before_job: /etc/bacula/scripts/influxdb-backup %l
    client_run_after_job: /etc/bacula/scripts/influxdb-cleanup
    priority: 11  # run after main backup
  - name: BackupGrafana
    client: storage1-fd
    level: Full
    fileset: GrafanaFileSet
    schedule: DefaultScheduleAfterBackup
    client_run_before_job: /etc/bacula/scripts/grafana-backup
    client_run_after_job: /etc/bacula/scripts/grafana-cleanup
    priority: 11  # run after main backup
  - name: RestoreFiles
    type: Restore
    client: storage1-fd
    storage: storage1-sd
    fileset: DebianFileSet  # required but not used
    pool: FullFile  # required but not used
    messages: Standard
    # restored files land here with their original ownership and modes, so
    # the directory should be as protected as the backed-up hosts
    where: /storage/bacula/restore

bacula_pools

List of Bacula Pools.

# Pool resources, one per backup level. `recycle`/`auto_prune` are quoted so
# Bacula receives the literal yes rather than a YAML boolean. With
# volume_retention of 10 years for Full, expired volumes are only overwritten,
# not wiped, so old data stays readable on disk until a volume is reused.
bacula_pools:
  - name: FullFile
    pool_type: Backup
    recycle: 'yes'
    auto_prune: 'yes'
    volume_retention: 10 years
    storage: storage1-sd
    maximum_volume_bytes: 1G
    maximum_volumes: 100
    labelformat: Full-
  - name: DiffFile
    pool_type: Backup
    recycle: 'yes'
    auto_prune: 'yes'
    volume_retention: 6 weeks
    storage: storage1-sd
    maximum_volume_bytes: 1G
    maximum_volumes: 100
    labelformat: Diff-
  - name: IncrFile
    pool_type: Backup
    recycle: 'yes'
    auto_prune: 'yes'
    volume_retention: 3 weeks
    storage: storage1-sd
    maximum_volume_bytes: 1G
    maximum_volumes: 100
    labelformat: Incr-

bacula_schedules

List of Bacula Schedules.

# Schedule resources. `datetime` uses Bacula's Run directive syntax; the
# job_overrides mapping is rendered as the overrides placed before it
# (here only the backup level).
bacula_schedules:
  - name: DefaultSchedule
    runs:
      - datetime: 1st sun at 0:00
        job_overrides:
          level: Full
      - datetime: 2nd-5th sun at 0:00
        job_overrides:
          level: Differential
      - datetime: mon-sat at 0:00
        job_overrides:
          level: Incremental
  # nightly Full used by the catalog/InfluxDB/Grafana jobs that run at priority 11
  - name: DefaultScheduleAfterBackup
    runs:
      - datetime: sun-sat at 0:00
        job_overrides:
          level: Full

bacula_storage_address

Address of the Bacula Storage.

bacula_storage_address: 127.0.0.1

bacula_storage_name

Name of the Bacula Storage.

bacula_storage_name: storage1-sd

bacula_storage_password

Password of the Bacula Storage.

bacula_storage_password: ***

bacula_storages

List of Bacula Storages.

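# Storage resources known to the Director. `password` is the shared secret
# for the Storage Daemon (same value as bacula_storage_password on that
# host) — vault-encrypt it; it is quoted because an unquoted `***` is read
# as a YAML alias reference.
# NOTE(review): the SD is on the LAN and no TLS directives are shown, so
# backup data between FDs and this SD crosses 192.168.0.0/24 in clear unless
# TLS is configured elsewhere — confirm.
bacula_storages:
  - name: storage1-sd
    address: 192.168.0.2
    password: '***'
    device: FileStorage
    media_type: File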

easyrsa_ca_dir

Path to the CA directory to create.

easyrsa_ca_dir: /var/lib/easyrsa

easyrsa_clients

List of client hostnames that will have RSA certificates.

# Hostnames that get a certificate issued by the EasyRSA CA above. The name
# is used as the certificate's CN, so it must be unique per host; removing a
# host from this list does not revoke its certificate by itself.
easyrsa_clients:
  - pilote
  - storage1
  - storage2
  - storage3
  - vps

hostname

Name of the remote host.

hostname: pilote

local_subnet

Local subnet where the remote host lives.

local_subnet: 192.168.0.0/24

mosquitto_passwords

List of usernames and password hashes used to define mosquitto users.

# Entries written to the mosquitto password file. `hash` is the output of
# mosquitto_passwd, quoted so the `$`-delimited fields are never re-typed by
# YAML. A hash still allows offline guessing, so vault-encrypt this list too.
# The telegraf entry is the account serial2mqtt and telegraf use below.
mosquitto_passwords:
  - user: telegraf
    hash: '$***'
  - user: nagios
    hash: '$***'

See the `mosquitto_passwd` command to generate the hashes for this file.

nagios_commands

List of Nagios commands.

# Command definitions; `$HOSTADDRESS$`/`$ARGn$` are Nagios macros expanded
# at check time, hence the single quotes around them.
nagios_commands:
  # `-n` disables NRPE's TLS and `-2` forces the legacy v2 packet format, so
  # check names and results cross the network in clear. This matches
  # nrpe_opts '-n' below; it is only acceptable because nrpe_allowed_hosts
  # limits the daemon to loopback and the OpenVPN subnet.
  - command_name: check_nrpe_nossl
    command_line: /usr/lib/nagios/plugins/check_nrpe -2 -H '$HOSTADDRESS$' -c '$ARG1$' -n
  # TLS certificate expiry check: $ARG1$ is the SNI/virtual host name,
  # $ARG2$ the minimum remaining validity in days passed to `-C`.
  - command_name: check_https_vhost_certificate
    command_line: /usr/lib/nagios/plugins/check_http --ssl --sni -I '$HOSTADDRESS$' -H '$ARG1$' -C '$ARG2$'

nagios_contact_groups

List of Nagios contact groups.

# Contact groups referenced by the host/service templates below (`admins`).
# Members must exist in nagios_contacts.
nagios_contact_groups:
  - contactgroup_name: admins
    alias: Nagios Administrators
    members:
      - admin
      - telegram

nagios_contacts

List of Nagios contacts.

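# Contact definitions. The `admin` contact has notifications disabled and
# exists only to own the web login; alerts go through the `telegram` contact.
# `pager` is quoted: an unquoted all-digit value with leading zeros is loaded
# as the integer 0 and rendered as such into the Nagios config.
nagios_contacts:
  - contact_name: admin
    use: generic-contact
    alias: Nagios Admin
    email: noreply@nonexistant.com
    host_notifications_enabled: 0
    service_notifications_enabled: 0
  - contact_name: telegram
    use: generic-contact
    alias: Telegram notifications
    pager: '000000000'
    email: noreply@nonexistant.com
    # these commands send to nagios_telegram_chat_id using nagios_telegram_auth_key
    service_notification_commands: notify-service-by-telegram
    host_notification_commands: notify-host-by-telegram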

nagios_hostgroups

List of Nagios host groups.

# Host groups that nagios_services target. Every member must be a defined
# host; the nagios_hosts example below only shows pilote and vps.
nagios_hostgroups:
  - hostgroup_name: linux-servers
    alias: Linux servers
    members:
      - pilote
      - vps
      - storage1
      - storage2
      - storage3
  - hostgroup_name: web-servers
    alias: Web servers
    members:
      - vps

nagios_hosts

List of Nagios hosts.

# Monitored hosts. vps is reached through its OpenVPN address (10.8.0.1, in
# openvpn_subnet), which is also what lets the no-TLS NRPE checks stay inside
# the tunnel.
nagios_hosts:
  - use: home-host
    host_name: pilote
    alias: pilote
    address: 127.0.0.1
  - use: home-host
    host_name: vps
    alias: vps
    address: 10.8.0.1

nagios_host_templates

List of Nagios host templates.

# Host template: alert the admins group on down/unreachable/recovered after
# 12 failed attempts spaced 5 minutes apart.
nagios_host_templates:
  - name: home-host
    use: generic-host
    check_command: check-host-alive
    contact_groups: admins
    notification_options:
      - d
      - u
      - r
    check_interval: 5
    retry_interval: 5  # retry every 5 minutes
    max_check_attempts: 12  # alert at 1 hour (12x5 minutes)
    notification_interval: 720  # resend notifications every 12 hours

nagios_htdigest_users

List of users allowed to log in to the web interface, as htdigest entries (user name plus the digest hash).

# Web UI logins. `hash` is the htdigest value for the user (an MD5 digest of
# user:realm:password), which is enough to authenticate as that user against
# the same realm — vault-encrypt it like a password.
nagios_htdigest_users:
  - name: admin
    hash: '...'

nagios_service_dependencies

List of Nagios service dependencies.

# Suppress the ovhcloud_ping check (and its notifications) while
# ovhcloud_voip on the same host is UNKNOWN (criteria `u`).
nagios_service_dependencies:
  - host_name: pilote
    service_description: ovhcloud_voip
    dependent_host_name: pilote
    dependent_service_description: ovhcloud_ping
    execution_failure_criteria: u
    notification_failure_criteria: u

nagios_services

List of Nagios services.

# Service checks, `command!arg1!arg2` maps onto the $ARGn$ macros of
# nagios_commands.
nagios_services:
  # runs the remote check_load from nrpe_commands over NRPE without TLS
  - use: home-service
    hostgroup_name: linux-servers
    service_description: load
    check_command: check_nrpe_nossl!check_load
  # second argument is the days-of-validity threshold handed to check_http -C;
  # 1 day leaves almost no time to renew before the certificate expires —
  # a larger value (e.g. 14) gives a usable warning window.
  - use: home-service
    hostgroup_name: web-servers
    service_description: https_monitoring_tld_certificate
    check_command: check_https_vhost_certificate!monitoring.tld!1

nagios_service_templates

List of Nagios service templates.

# Service templates: `home-service` tolerates an hour of failures before
# alerting, `public-service` alerts after three minutes.
nagios_service_templates:
  - name: home-service
    use: generic-service
    contact_groups: admins
    check_interval: 5
    retry_interval: 5  # retry every 5 minutes
    max_check_attempts: 12  # alert at 1 hour (12x5 minutes)
    notification_interval: 720  # 12 hours
  - name: public-service
    use: generic-service
    contact_groups: admins
    check_interval: 1
    retry_interval: 1  # retry every minute
    max_check_attempts: 3  # alert after 3 minutes
    notification_interval: 60  # 1 hour

nagios_telegram_auth_key

Key used to authenticate to the Telegram API. See how to create a bot.

nagios_telegram_auth_key: '***'

nagios_telegram_chat_id

Unique identifier for the target chat, or username of the target channel (in the format @channelusername). Always quote the value: a leading `@` is a reserved YAML indicator and an all-digit id would be loaded as an integer (losing any leading zeros). See the Telegram Bot API specification.

nagios_telegram_chat_id: 000000000

nrpe_allowed_hosts

List of IP addresses or ranges allowed to talk to the NRPE daemon.

# Source allow-list of the NRPE daemon. With TLS disabled (nrpe_opts '-n')
# this is the only access control, and it is IP-based, so it is only as
# strong as the network it trusts: 10.8.0.0/24 is openvpn_subnet, i.e. peers
# that authenticated to OpenVPN, plus the local host.
nrpe_allowed_hosts:
  - 10.8.0.0/24
  - 127.0.0.1

nrpe_commands

List of NRPE commands.

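# Commands the NRPE daemon is willing to run. Remote callers can only pick
# one of these names; the `line` is fixed here, so keep argument-less
# definitions and never enable NRPE argument passing for them.
nrpe_commands:
  - name: check_load
    line: /usr/lib/nagios/plugins/check_load -r -w 1,1,1 -c 4,4,4
  # `-c 1:` = at least one openvpn process must be running
  - name: check_openvpn
    line: '/usr/lib/nagios/plugins/check_procs -c 1: -C openvpn'
  # Expiry check of the local VPN client certificate (warn at 15 days,
  # critical at 1). The --ignore-*/--allow-* flags relax chain, SAN, SCT and
  # lifetime validation, which is fine for a certificate issued by the private
  # EasyRSA CA; do not copy this command for public-facing certificates.
  # Folded scalar without trailing whitespace, so the value ends at `1`.
  - name: check_openvpn_cert
    line: >-
      /opt/check_ssl_cert/check_ssl_cert -f /etc/openvpn/client.crt --ignore-maximum-validity
      --ignore-incomplete-chain --allow-empty-san --ignore-sct --warning 15 --critical 1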

nrpe_opts

Options for the NRPE daemon.

nrpe_opts: '-n'  # Disable TLS

openvpn_ca

Content of the certificate of the Certificate Authority (CA) used to certify VPN connections.

# PEM certificate of the EasyRSA CA (public, no need to vault it). A literal
# block scalar keeps the line structure PEM requires; the placeholder below
# shows only the first line.
openvpn_ca: |
  -----BEGIN CERTIFICATE-----  

openvpn_cert

Content of the certificate used to authenticate to the VPN server.

# PEM client certificate issued to this host (its name is in easyrsa_clients).
# Public material; the private half is openvpn_key below.
openvpn_cert: |
  -----BEGIN CERTIFICATE-----  

openvpn_key

Content of the private key used to authenticate to the VPN server.

openvpn_key:

openvpn_remote_host

Hostname or IP address of the remote VPN server.

openvpn_remote_host: vpn.fqdn

openvpn_subnet

Subnet used by OpenVPN to group clients.

openvpn_subnet: 10.8.0.0/24

openvpn_ta

Content of the OpenVPN static key used for TLS authentication.

openvpn_ta:

ovh_application_key

Application key used to authenticate to the OVH API.

ovh_application_key: deadbeef

See first steps with the OVHcloud APIs.

ovh_application_secret

Application secret used to authenticate to the OVH API.

ovh_application_secret: deadbeef

See first steps with the OVHcloud APIs.

ovh_consumer_key

Consumer key used to authenticate to the OVH API.

ovh_consumer_key: deadbeef

See first steps with the OVHcloud APIs.

ovh_endpoint

Endpoint of the OVH API.

ovh_endpoint: ovh-eu

See first steps with the OVHcloud APIs.

serial2mqtt_host

Hostname or IP address used by serial2mqtt to send messages to the MQTT broker.

serial2mqtt_host: localhost

serial2mqtt_interface

Name of the serial interface used by serial2mqtt to gather metrics produced by the Arduino board.

serial2mqtt_interface: /dev/ttyACM0

serial2mqtt_password

Password used by serial2mqtt to send messages to the MQTT broker.

serial2mqtt_password: ***

serial2mqtt_port

Port used by serial2mqtt to send messages to the MQTT broker.

serial2mqtt_port: 1883

serial2mqtt_topic_prefix

Add this prefix to topic names on the MQTT broker for serial2mqtt messages.

serial2mqtt_topic_prefix: sensors

serial2mqtt_username

Username used by serial2mqtt to send messages to the MQTT broker.

serial2mqtt_username: telegraf

ssh_authorized_keys

List of SSH authorized keys.

# Keys installed in ~user/.ssh/authorized_keys. This example authorises a key
# for root directly; `key` is the full public-key line (`ssh-ed25519 <base64>`,
# `hash` is a placeholder). The ansible.posix.authorized_key module can also
# prefix options such as `from="..."` to pin where the key may be used from.
ssh_authorized_keys:
  - user: root
    key: ssh-ed25519 hash
    comment: desktop

Used by the ansible.posix.authorized_key module.

telegraf_influxdb_database

Name of the InfluxDB database used by telegraf to send metrics.

telegraf_influxdb_database: metrics

telegraf_influxdb_password

Password of the InfluxDB user used by telegraf to send metrics.

telegraf_influxdb_password: ***

telegraf_influxdb_urls

List of InfluxDB endpoints used by telegraf to send metrics.

telegraf_influxdb_urls:
  - https://192.168.0.1:8088

telegraf_influxdb_username

Name of the InfluxDB user used by telegraf to send metrics.

telegraf_influxdb_username: telegraf

telegraf_mqtt_consumer_password

Password used to authenticate to the MQTT broker for telegraf.

telegraf_mqtt_consumer_password: ***

telegraf_mqtt_consumer_servers

List of MQTT brokers for telegraf.

telegraf_mqtt_consumer_servers:
  - tcp://localhost:1883

telegraf_mqtt_consumer_topics

List of MQTT topics to consume for telegraf.

telegraf_mqtt_consumer_topics:
  - sensors/humidity
  - sensors/temperature

telegraf_mqtt_consumer_username

Name used to authenticate to the MQTT broker for telegraf.

telegraf_mqtt_consumer_username: telegraf

telegraf_ping_ip

IP address of the host to ping for latency metrics.

telegraf_ping_ip: 192.168.0.1

timezone

Alias of the time zone.

timezone: Europe/Brussels

users

List of users to configure on the remote host.

# Local accounts. `password` is handed to ansible.builtin.user, which expects
# an already-hashed value (crypt(3) format, e.g. from `mkpasswd` or the
# password_hash filter), not a clear-text password; `hash` is a placeholder.
# Vault-encrypt it: a hash is still enough for offline guessing.
users:
  - name: root
    password: hash

Used by ansible.builtin.user module.