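---
# Ansible host_vars for the chaos-at-home login/SSO host (whawty auth store +
# whawty nginx-sso).  Indentation was lost in the rendered copy this was
# recovered from; nesting below was reconstructed from the key semantics.
# NOTE(review): verify nesting against the consuming roles (install, network,
# whawty_auth_store, whawty_nginx_sso) before relying on this file.

install_jumphost: ch-jump
install:
  vm:
    memory: 2G
    numcpus: 2
    autostart: true  # canonical boolean (was "True")
    disks:
      primary: /dev/sda
      scsi:
        sda:
          type: zfs
          name: root
          size: 10g
    interfaces:
      - bridge: br-svc
        name: svc0

network:
  nameservers: "{{ network_zones.svc.dns }}"
  domain: "{{ host_domain }}"
  systemd_link:
    interfaces: "{{ install.interfaces }}"
  # Anchored so the same mapping can be listed under `interfaces` below.
  primary: &_network_primary_
    name: svc0
    address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
    gateway: "{{ network_zones.svc.gateway }}"
    static_routes:
      - destination: "{{ network_zones.lan.prefix }}"
        gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
  interfaces:
    - *_network_primary_

ntp_variant: systemd-timesyncd

acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"

spreadspace_apt_repo_components:
  - main
  - prometheus

prometheus_exporters_extra:
  - ssl

# Blackbox probes run from ch-mon against this host: SSH banner on the
# service address, and the HTTPS login endpoint (TLS + 2xx).
prometheus_job_multitarget_blackbox__probe:
  ch-mon:
    - svc_kind: ssh
      svc_name: "{{ inventory_hostname }}"
      target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
      module: ssh_banner
    - svc_kind: https
      svc_name: "login.chaos-at-home.org"
      target: "https://{{ network_services.http.addr }}/login"
      module: "http_tls_2xx"
      hostname: "login.chaos-at-home.org"

# Certificate-expiry probe over the published app certificates on disk.
prometheus_job_multitarget_ssl__probe:
  ch-http-proxy:
    - instance: "sslcert-apps-publish-{{ inventory_hostname }}"
      target: "/etc/ssl/apps-publish-*/*.pem"
      module: file

whawty_auth_store_instances:
  chaos-at-home:
    config: "{{ whawty_auth_store__chaos_at_home | combine({'basedir': '/var/lib/whawty/auth/chaos-at-home'}) }}"
    # Octal modes kept as quoted strings so YAML does not reinterpret them.
    permissions:
      file-mode: "0600"
      dir-mode: "0700"
    # NOTE(review): `sync` placed as a sibling of `config`/`permissions`; confirm
    # against the whawty_auth_store role's expected schema.
    sync:
      type: client
      hostname: 192.168.32.1
      port: 3022
      user: sync
      prometheus: true  # canonical boolean (was "yes")

whawty_nginx_sso_backends:
  chaos-at-home:
    port: 1234
    login_url: https://login.chaos-at-home.org/login

whawty_nginx_sso_logins:
  chaos-at-home:
    hostname: login.chaos-at-home.org
    tls:
      certificate_provider: acmetool
      certificate_config:
        request:
          challenge:
            http-self-test: false
    config:
      cookie:
        domain: ".chaos-at-home.org"
        # The `__Secure-` prefix is only honoured by browsers when the cookie
        # carries the Secure attribute, which `secure: true` provides.
        name: __Secure-chaos-at-home-sso
        secure: true  # canonical boolean (was "yes")
        expire: 167h
        keys:
          # Key name quoted so it always stays a string; the vault lookup
          # below uses the same literal as its key.
          - name: "2023-11"
            ed25519:
              private-key-data: "{{ vault_whawty_nginx_sso_login_keys['chaos-at-home']['2023-11'] }}"
        backend:
          bolt: {}
      auth:
        whawty:
          store: /etc/whawty/auth/store-chaos-at-home.yml
          autoreload: true  # canonical boolean (was "yes")
          # Upgrades go to the local API with an explicit TLS server name
          # so the certificate is checked against the public host name, not
          # the loopback address.
          remote-upgrades:
            url: https://127.0.0.1/api/update
            http-host: passwd.chaos-at-home.org
            tls:
              server-name: passwd.chaos-at-home.org
      web:
        listen: 127.0.0.1:1234
        login:
          title: "chaoSSO login"
      revocations:
        tokens: "{{ vault_whawty_nginx_sso_sync_tokens['chaos-at-home'] | dict2items | map(attribute='value') }}"
      prometheus:
        listen: 127.0.0.1:1235

prometheus_job_multitarget_whawty_nginx_sso:
  ch-http-proxy:
    - instance: "whawty-nginx-sso-{{ inventory_hostname }}-chaos-at-home"
      instance_name: chaos-at-home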