---
# ========================================
# CONNECTIVITY ROLE DEFAULT CONFIGURATION
# ========================================
# Default variables for connectivity device automation.
# Role defaults have the lowest precedence; override them in
# host_vars or group_vars as needed.

# ========================================
# DOCKER FRAMEWORK CONFIGURATION
# ========================================
# Base directory that holds one sub-directory per service, and the
# ownership/mode applied to that tree.
connectivity_docker_base_path: /docker
connectivity_docker_owner: ansible
connectivity_docker_group: users
# Octal mode kept as a string so YAML does not load it as an integer.
connectivity_docker_mode: '0775'
# Set the setgid (sgid) bit so files created below inherit the group.
connectivity_docker_sgid: true

# Service sub-directories created under connectivity_docker_base_path.
connectivity_docker_service_directories:
  - wireguard
  - nginx-proxy
  - pihole
  - unbound

# ========================================
# WIREGUARD VPN CONFIGURATION
# ========================================
connectivity_wireguard_enabled: true
connectivity_wireguard_service_name: wg-easy
connectivity_wireguard_container_name: wg-easy
connectivity_wireguard_image: weejewel/wg-easy
# Floating tag: pin to a release tag or digest in group_vars for
# reproducible, auditable deployments.
connectivity_wireguard_image_tag: latest

# Network configuration
# UDP port of the tunnel itself and TCP port of the web UI.
connectivity_wireguard_port: 51820
connectivity_wireguard_web_port: 51821
# Tunnel address range and the DNS servers handed to clients
# (comma-separated string).
connectivity_wireguard_subnet: '10.8.0.0/24'
connectivity_wireguard_dns: '1.1.1.1,1.0.0.1'

# WireGuard settings (override with vault-encrypted values)
# Placeholder admin password: replace via an ansible-vault encrypted
# variable in host_vars/group_vars.
connectivity_wireguard_password: 'changeme_secure_admin_password'
# Endpoint advertised to clients (external IP or FQDN); defaults to the
# host's primary IPv4 address from gathered facts.
connectivity_wireguard_host: '{{ ansible_default_ipv4.address }}'
connectivity_wireguard_device_name: eth0

# Client configuration
# Full-tunnel default: all IPv4 and IPv6 client traffic goes through the VPN.
connectivity_wireguard_default_allowed_ips: '0.0.0.0/0,::/0'
connectivity_wireguard_default_persistent_keepalive: 25
connectivity_wireguard_max_clients: 10

# ========================================
# NGINX PROXY MANAGER CONFIGURATION
# ========================================
connectivity_nginx_proxy_enabled: true
connectivity_nginx_proxy_service_name: nginx-proxy-manager
connectivity_nginx_proxy_container_name: nginx-proxy-manager
connectivity_nginx_proxy_image: jc21/nginx-proxy-manager
# Floating tag: pin to a release tag or digest in group_vars.
connectivity_nginx_proxy_image_tag: latest

# Port configuration
# Admin UI port plus the public HTTP/HTTPS listeners.
connectivity_nginx_proxy_admin_port: 81
connectivity_nginx_proxy_http_port: 80
connectivity_nginx_proxy_https_port: 443

# Database configuration
# Separate MariaDB container backing Nginx Proxy Manager.
connectivity_nginx_proxy_db_enabled: true
connectivity_nginx_proxy_db_container_name: nginx-proxy-db
connectivity_nginx_proxy_db_image: jc21/mariadb-aria
connectivity_nginx_proxy_db_image_tag: latest
connectivity_nginx_proxy_db_name: npm
connectivity_nginx_proxy_db_user: npm
# Placeholder credentials: override with ansible-vault encrypted values.
connectivity_nginx_proxy_db_password: 'changeme_db_password'
connectivity_nginx_proxy_db_root_password: 'changeme_root_password'

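# ========================================
# DNS STACK CONFIGURATION (Pi-hole + Unbound)
# ========================================
# Master switch for the Pi-hole + Unbound pair.
connectivity_dns_stack_enabled: true

# Pi-hole configuration
connectivity_pihole_enabled: true
connectivity_pihole_service_name: pihole
connectivity_pihole_container_name: pihole
connectivity_pihole_image: pihole/pihole
# Floating tag: pin to a release tag or digest in group_vars.
connectivity_pihole_image_tag: latest

# Pi-hole network settings
connectivity_pihole_web_port: 8080
connectivity_pihole_dns_port: 53
connectivity_pihole_dhcp_port: 67

# Pi-hole admin settings
# Placeholder admin password: override with an ansible-vault encrypted value.
connectivity_pihole_password: "changeme_pihole_admin"
connectivity_pihole_timezone: UTC
# Upstream resolver in Pi-hole's "ip#port" notation, pointing at Unbound.
# Quoted on purpose: a plain "#" only survives while no whitespace precedes
# it, and an edit that inserts a space would silently truncate the value to
# the bare IP.
# NOTE(review): 127.0.0.1 is the Pi-hole container's own loopback unless the
# two containers share a network namespace — confirm against the compose
# template.
connectivity_pihole_dns_servers: "127.0.0.1#5335"

# Pi-hole feature toggles
connectivity_pihole_dhcp_enabled: false
connectivity_pihole_ipv6_enabled: false
connectivity_pihole_conditional_forwarding: false

# Unbound configuration
connectivity_unbound_enabled: true
connectivity_unbound_service_name: unbound
connectivity_unbound_container_name: unbound
connectivity_unbound_image: mvance/unbound
connectivity_unbound_image_tag: latest

# Unbound DNS settings
connectivity_unbound_port: 5335
# Listen on all container interfaces; which clients may query is gated by
# the access_control list below (loopback and RFC 1918 ranges only).
connectivity_unbound_interface: "0.0.0.0"
connectivity_unbound_access_control:
  - "127.0.0.0/8 allow"
  - "10.0.0.0/8 allow"
  - "172.16.0.0/12 allow"
  - "192.168.0.0/16 allow"

# Upstream DNS servers for Unbound
# "ip@port" entries; port 853 is DNS-over-TLS. Quoted for consistency with
# the access_control entries above.
connectivity_unbound_forward_zone_servers:
  - "1.1.1.1@853"
  - "1.0.0.1@853"
  - "8.8.8.8@853"
  - "8.8.4.4@853"
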
# ========================================
# SERVICE ORCHESTRATION
# ========================================
# Service startup order and dependencies
# Seconds to wait between starting consecutive services.
connectivity_service_startup_delay: 10
# Number of health-check attempts and the pause (seconds) between them.
connectivity_service_health_check_retries: 5
connectivity_service_health_check_delay: 10

# Docker Compose configuration
# Kept as a string: an unquoted 3.8 would load as a float.
connectivity_docker_compose_version: '3.8'
connectivity_docker_compose_project_name: connectivity

# Restart policies
# Databases come back even after an explicit stop ("always"); all other
# services use "unless-stopped".
connectivity_default_restart_policy: unless-stopped
connectivity_database_restart_policy: always

# ========================================
# NETWORKING CONFIGURATION
# ========================================
# Host networking settings
# Name and address range of the Docker network shared by the services.
connectivity_network_name: connectivity
connectivity_subnet: '172.20.0.0/24'

# Port mapping for services
# Each value follows Docker's "host_port:container_port/proto" form. No host
# address is given, so the ports bind on every host interface. On a host
# with a public interface, override these in group_vars with an address
# prefix (e.g. "127.0.0.1:" or the LAN IP) for the admin UIs (wireguard_web,
# nginx_admin, pihole_web) and for pihole_dns, which otherwise answers
# queries from any network that can reach the host.
connectivity_exposed_ports:
  wireguard_udp: '{{ connectivity_wireguard_port }}:{{ connectivity_wireguard_port }}/udp'
  wireguard_web: '{{ connectivity_wireguard_web_port }}:51821/tcp'
  nginx_admin: '{{ connectivity_nginx_proxy_admin_port }}:81/tcp'
  nginx_http: '{{ connectivity_nginx_proxy_http_port }}:80/tcp'
  nginx_https: '{{ connectivity_nginx_proxy_https_port }}:443/tcp'
  pihole_web: '{{ connectivity_pihole_web_port }}:80/tcp'
  pihole_dns: '{{ connectivity_pihole_dns_port }}:53/udp'
  pihole_dns_tcp: '{{ connectivity_pihole_dns_port }}:53/tcp'

# ========================================
# LOGGING AND MONITORING
# ========================================
# Container logging configuration
# json-file driver with rotation: at most 3 files of 10m each per container.
connectivity_log_driver: json-file
connectivity_log_max_size: 10m
connectivity_log_max_file: 3

# Volume configuration
# Bind mounts in "host_path:container_path" form, all rooted under the
# Docker base path so ownership and backups are handled in one tree.
connectivity_persistent_volumes:
  wireguard_config: '{{ connectivity_docker_base_path }}/wireguard/config:/etc/wireguard'
  nginx_data: '{{ connectivity_docker_base_path }}/nginx-proxy/data:/data'
  nginx_letsencrypt: '{{ connectivity_docker_base_path }}/nginx-proxy/letsencrypt:/etc/letsencrypt'
  pihole_config: '{{ connectivity_docker_base_path }}/pihole/config:/etc/pihole'
  pihole_dnsmasq: '{{ connectivity_docker_base_path }}/pihole/dnsmasq.d:/etc/dnsmasq.d'
  unbound_config: '{{ connectivity_docker_base_path }}/unbound/config:/opt/unbound/etc/unbound'

# ========================================
# SECURITY CONFIGURATION
# ========================================
# Firewall rules for connectivity services
# One allow rule per exposed port. The rules carry no source restriction,
# so the admin interfaces (WireGuard web UI, Nginx Proxy Manager admin,
# Pi-hole web) are reachable from any network that can reach the host;
# narrow them in group_vars if the consuming firewall module supports a
# source field.
connectivity_firewall_rules:
  - port: '{{ connectivity_wireguard_port }}'
    proto: udp
    rule: allow
    comment: WireGuard VPN
  - port: '{{ connectivity_wireguard_web_port }}'
    proto: tcp
    rule: allow
    comment: WireGuard Web UI
  - port: '{{ connectivity_nginx_proxy_admin_port }}'
    proto: tcp
    rule: allow
    comment: Nginx Proxy Manager Admin
  - port: '{{ connectivity_nginx_proxy_http_port }}'
    proto: tcp
    rule: allow
    comment: HTTP Proxy
  - port: '{{ connectivity_nginx_proxy_https_port }}'
    proto: tcp
    rule: allow
    comment: HTTPS Proxy
  - port: '{{ connectivity_pihole_web_port }}'
    proto: tcp
    rule: allow
    comment: Pi-hole Web Interface
  - port: '{{ connectivity_pihole_dns_port }}'
    proto: udp
    rule: allow
    comment: Pi-hole DNS
  - port: '{{ connectivity_pihole_dns_port }}'
    proto: tcp
    rule: allow
    comment: Pi-hole DNS TCP

# Security headers for Nginx
connectivity_security_headers_enabled: true
# HSTS max-age in seconds (31536000 = one year).
connectivity_hsts_max_age: 31536000

# ========================================
# BACKUP AND MAINTENANCE
# ========================================
# Backup configuration for connectivity services
# Off by default. Schedule is a cron expression: weekly on Sunday at 03:00.
connectivity_backup_enabled: false
connectivity_backup_retention_days: 7
connectivity_backup_schedule: '0 3 * * 0'
connectivity_backup_path: '{{ connectivity_docker_base_path }}/backups'

# Service directories to backup
# NOTE(review): nginx-proxy/letsencrypt (certificates and private keys) is
# mounted as a persistent volume but is not in this list — confirm whether
# that omission is intended.
connectivity_backup_directories:
  - '{{ connectivity_docker_base_path }}/wireguard/config'
  - '{{ connectivity_docker_base_path }}/nginx-proxy/data'
  - '{{ connectivity_docker_base_path }}/pihole/config'
  - '{{ connectivity_docker_base_path }}/unbound/config'

# Update configuration
# Off by default. Schedule is a cron expression: weekly on Monday at 04:00.
connectivity_auto_update_enabled: false
connectivity_auto_update_schedule: '0 4 * * 1'