jack
66b70827df
Syncthing removal (was already decided, now fully removed): - roles/base/tasks/firewall.yml: remove 3 UFW rules (ports 22000/21027) - inventory/group_vars/all/main.yml: remove domain_sync, domain_mon, syncthing_basic_auth_htpasswd - roles/services/templates/env.j2: remove DOMAIN_SYNC - roles/services/templates/authelia/configuration.yml.j2: remove Syncthing 2FA rule - roles/services/tasks/directories.yml: remove syncthing/config and syncthing/data dirs - roles/services/defaults/main.yml: remove syncthing_image - roles/services/tasks/main.yml: remove syncthing image pull Security hardening: - inventory/group_vars/all/main.yml: move cloudflare_zone_id to vault - inventory/group_vars/all/vault.yml: add vault_cloudflare_zone_id .gitignore improvements: - add *.env, acme.json, *.log, editor dirs, venv, temp files Documentation (new): - docs/STATUS.md: all services, servers, known issues - docs/BACKLOG.md: prioritized task list, done/todo - docs/DECISIONS.md: architecture decisions and rationale - CLAUDE.md: rewritten with read-first docs, rules, full arch reference Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
58 lines
2.9 KiB
YAML
58 lines
2.9 KiB
YAML
---
|
|
# Non-secret variables
|
|
domain_base: "csrx.ru"
|
|
|
|
# Derived domains
|
|
domain_vault: "vault.{{ domain_base }}"
|
|
domain_git: "git.{{ domain_base }}"
|
|
domain_plane: "plane.{{ domain_base }}"
|
|
domain_traefik: "traefik.{{ domain_base }}"
|
|
domain_dashboard: "dash.{{ domain_base }}"
|
|
domain_auth: "auth.{{ domain_base }}"
|
|
domain_status: "status.{{ domain_base }}"
|
|
domain_wiki: "wiki.{{ domain_base }}"
|
|
domain_n8n: "n8n.{{ domain_base }}"
|
|
domain_webmail: "webmail.{{ domain_base }}"
|
|
|
|
# Service paths
|
|
services_root: /opt/services
|
|
deploy_user: deploy
|
|
deploy_group: deploy
|
|
|
|
# Secrets (from vault)
|
|
acme_email: "{{ vault_acme_email }}"
|
|
vaultwarden_admin_token: "{{ vault_vaultwarden_admin_token }}"
|
|
forgejo_db_password: "{{ vault_forgejo_db_password }}"
|
|
plane_db_password: "{{ vault_plane_db_password }}"
|
|
plane_secret_key: "{{ vault_plane_secret_key }}"
|
|
plane_minio_password: "{{ vault_plane_minio_password }}"
|
|
traefik_dashboard_htpasswd: "{{ vault_traefik_dashboard_htpasswd }}"
|
|
forgejo_runner_token: "{{ vault_forgejo_runner_token }}"
|
|
grafana_admin_password: "{{ vault_grafana_admin_password }}"
|
|
alertmanager_telegram_token: "{{ vault_alertmanager_telegram_token }}"
|
|
alertmanager_telegram_chat_id: "{{ vault_alertmanager_telegram_chat_id }}"
|
|
authelia_jwt_secret: "{{ vault_authelia_jwt_secret }}"
|
|
authelia_session_secret: "{{ vault_authelia_session_secret }}"
|
|
authelia_storage_key: "{{ vault_authelia_storage_key }}"
|
|
authelia_admin_password_hash: "{{ vault_authelia_admin_password_hash }}"
|
|
crowdsec_bouncer_key: "{{ vault_crowdsec_bouncer_key }}"
|
|
s3_access_key: "{{ vault_s3_access_key }}"
|
|
s3_secret_key: "{{ vault_s3_secret_key }}"
|
|
cloudflare_dns_api_token: "{{ vault_cloudflare_dns_api_token }}"
|
|
cloudflare_zone_id: "{{ vault_cloudflare_zone_id }}"
|
|
outline_secret_key: "{{ vault_outline_secret_key }}"
|
|
outline_utils_secret: "{{ vault_outline_utils_secret }}"
|
|
outline_db_password: "{{ vault_outline_db_password }}"
|
|
n8n_encryption_key: "{{ vault_n8n_encryption_key }}"
|
|
n8n_jwt_secret: "{{ vault_n8n_jwt_secret }}"
|
|
mailserver_noreply_password: "{{ vault_mailserver_noreply_password }}"
|
|
snappymail_admin_password: "{{ vault_snappymail_admin_password }}"
|
|
mailserver_admin_password: "{{ vault_mailserver_admin_password }}"
|
|
mailserver_jack_password: "{{ vault_mailserver_jack_password }}"
|
|
|
|
# Server IPs (used for cross-server Traefik routing)
|
|
ip_main: "87.249.49.32"
|
|
ip_tools: "85.193.83.9"
|
|
|
|
# CI/CD deploy key (public key — not a secret)
|
|
ci_deploy_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdr9mRSSUqt7Ym4wA5RpVyz76wEXSOtVfh2/yCSMIbg ci-deploy@forgejo-runner"
|