authorChristian Pointner <equinox@spreadspace.org>2023-10-15 23:30:44 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-10-15 23:30:44 +0200
commit217364bf5c612ac0ee1818419e47d4631aa42cfe (patch)
tree548e6b1c78c6805aa01eec21b790115825ee42db /inventory/host_vars/ch-apps
parentvirt module now also depends on lxml python library (diff)
initial version for whawty-auth app (WIP)
Diffstat (limited to 'inventory/host_vars/ch-apps')
-rw-r--r--inventory/host_vars/ch-apps/vars.yml118
-rw-r--r--inventory/host_vars/ch-apps/whawty.yml34
2 files changed, 152 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-apps/vars.yml b/inventory/host_vars/ch-apps/vars.yml
new file mode 100644
index 00000000..e0a92644
--- /dev/null
+++ b/inventory/host_vars/ch-apps/vars.yml
@@ -0,0 +1,118 @@
+---
+install_jumphost: ch-jump
+
+system_lvm_volume_size_root: 4G
+install:
+ vm:
+ memory: 12G
+ numcpus: 8
+ autostart: True
+ virtiofs:
+ music:
+ src: /srv/storage/music
+ dest: /srv/music
+ mnt_opts: ro
+ disks:
+ primary: /dev/sda
+ scsi:
+ sda:
+ type: zfs
+ name: root
+ size: 25g
+ sdb:
+ type: zfs
+ name: data
+ size: 100g
+ properties:
+ 'syncoid:sync': 'false'
+ interfaces:
+ - bridge: br-svc
+ name: svc0
+
+network:
+ nameservers: "{{ network_zones.svc.dns }}"
+ domain: "{{ host_domain }}"
+ systemd_link:
+ interfaces: "{{ install.interfaces }}"
+ primary: &_network_primary_
+ name: svc0
+ address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
+ gateway: "{{ network_zones.svc.gateway }}"
+ static_routes:
+ - destination: "{{ network_zones.lan.prefix }}"
+ gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
+ interfaces:
+ - *_network_primary_
+
+
+apt_repo_components:
+- main
+- contrib ## for zfs
+
+spreadspace_apt_repo_components:
+ - container
+ - prometheus
+
+
+ssh_keys_root_extra:
+ - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjZEFZLrl2KIqYl/GU8Vkp7mlhAbFbjwf4Ht9zQRmI8 ZFS Backup syncoid@epimetheus
+
+
+prometheus_exporters_extra:
+ - standalone-kubelet
+
+prometheus_job_multitarget_blackbox__probe:
+ ch-mon:
+ - instance: "ssh-{{ inventory_hostname }}"
+ target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
+ module: ssh_banner
+
+
+zfs_arc_size:
+ min: 512MB
+ max: 2GB
+
+zfs_pools:
+ storage:
+ mountpoint: /srv/storage
+ create_vdevs: /dev/sdb
+ properties:
+ ashift: 12
+ autotrim: "on"
+
+zfs_sanoid_modules:
+ storage:
+ use_template: production
+ recursive: yes
+ process_children_only: yes
+ storage/docker:
+ use_template: ignore
+ recursive: yes
+ storage/kubelet:
+ use_template: ignore
+ recursive: yes
+
+
+docker_pkg_provider: docker-com
+
+docker_storage:
+ type: zfs
+ pool: storage
+ name: docker
+ properties:
+ quota: 10G
+ 'syncoid:sync': 'false'
+
+kubelet_storage:
+ type: zfs
+ pool: storage
+ name: kubelet
+ properties:
+ quota: 10G
+ 'syncoid:sync': 'false'
+
+kubernetes_version: 1.28.2
+kubernetes_cri_tools_pkg_version: 1.26.0-00
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 42
+kubernetes_standalone_cni_variant: with-portmap
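Review bot: The syncoid key added on the `ssh-ed25519 … ZFS Backup syncoid@epimetheus` line goes into root's authorized_keys with no key options, so if the role writes `ssh_keys_root_extra` entries verbatim the backup host gets an unrestricted root login on this VM rather than the narrow zfs send/recv access a pull replication needs. Where the role (or a raw authorized_keys template) permits it, prefix the entry with `restrict,from="<epimetheus svc address>",command="…"` pointing at a forced-command wrapper that only allows the zfs invocations syncoid issues, or use a non-root user with `zfs allow` delegation on the replicated datasets. I cannot see how the role renders this list, so confirm key options survive before changing the line. Separately, `autostart: True` and the `recursive: yes` / `process_children_only: yes` entries are YAML 1.1 truthy spellings; `true` is the canonical form and what ansible-lint's `yaml[truthy]` rule expects.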
diff --git a/inventory/host_vars/ch-apps/whawty.yml b/inventory/host_vars/ch-apps/whawty.yml
new file mode 100644
index 00000000..fe6bcea0
--- /dev/null
+++ b/inventory/host_vars/ch-apps/whawty.yml
@@ -0,0 +1,34 @@
+---
+whawty_auth_instances:
+ test:
+ version: 0.2-rc8
+ port: 3080
+ store:
+ default: 1
+ params:
+ - id: 1
+ argon2id:
+ time: 1
+ memory: 65536
+ threads: 4
+ length: 32
+ hostnames:
+ - passwd.example.com
+ tls:
+ certificate_provider: selfsigned
+ cert:
+ organization_name: "chaos-at-home"
+ organizational_unit_name: "ansible"
+ key_usage:
+ - digitalSignature
+ - keyAgreement
+ key_usage_critical: yes
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +52w
+ renew_margin: +42d
+ sync:
+ port: 3022
+ authorized_keys: "{{ users.equinox.ssh }}"
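Review bot: The argon2id profile at `time: 1` / `memory: 65536` / `threads: 4` runs a single pass over 64 MiB (assuming memory is in KiB, as argon2 libraries conventionally take it); RFC 9106 §4 pairs a 64 MiB memory cost with `time: 3` and `threads: 4` as its second recommended option, and a single pass is the weakest setting the algorithm accepts. Unless measured login latency on the 8-vCPU guest forces it, use `time: 3`, and record the chosen cost and the measured hash time in a comment above the `argon2id:` block so future bumps have a baseline. Also note that `sync.authorized_keys` reuses `users.equinox.ssh`, a personal key, for the store-replication SSH service on port 3022; a dedicated per-instance sync key would keep replication trust separate from interactive access, though this may be intentional for a WIP test instance.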