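---
####################
# General settings #
####################
# Host-level settings; other sections reference these as "{{ general.<key> }}".
general:
  # Set the hostname of the server
  # (may be a FQDN: the Samba section keeps only the first label as the NetBIOS name)
  hostname: homeserver
  # Web domain name of the server; every routed service is served under a
  # subdomain of this name
  domain: homeserver.example.com
  # Set the timezone
  timezone: Etc/UTC
  # Configure which package updates are installed automatically
  # If set to "security", only security updates will be installed
  # If set to "all", all updates will be installed
  # If set to "none", no updates will be installed
  auto_update_packages: security
  # DNS servers to use for non-local lookups
  # (quoted so no YAML parser reinterprets the dotted/colon-separated literals)
  upstream_dns_servers:
    - '1.1.1.1'
    - '1.0.0.1'
    - '2606:4700:4700::1111'
    - '2606:4700:4700::1001'

# Local system accounts the roles run services as; referenced as "{{ users.<name> }}"
# (the Samba section uses users.nas as the guest account).
users:
  worker: worker
  nas: nas
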
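####################
# Storage settings #
####################
storage:
  # Directory in which application data will be stored
  data_dir: /data
  # Directory in which NAS will be mounted (the Samba share root)
  nas_dir: /nas
  # Directory for Docker images
  docker_dir: /var/lib/docker
  # Define LVM volumes
  # Name of the volume group the logical volumes below are created in
  vg: pool
  # One logical volume per entry; the nas and data mount points must stay in
  # sync with nas_dir and data_dir above.
  volumes:
    root:
      mount: /
      size: 64G
      fs: ext4
    nas:
      mount: /nas
      size: 50G
      fs: ext4
    data:
      mount: /data
      size: 100G
      fs: ext4
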
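################
# DDNS options #
################
# Dynamic DNS through the Cloudflare API, using the zone and token below.
ddns_enabled: false
# Cloudflare zone to which the server's domain belongs
ddns_cloudflare_zone: example.com
# This token requires the Zone/Zone/Read permission for all zones, and
# Zone/DNS/Edit permission for the zone containing the domain for the server.
# It is a credential: keep it encrypted with Ansible Vault rather than in plain
# text. The same scoped token can also serve traefik_acme_dns.env.CF_DNS_API_TOKEN,
# which needs identical permissions.
ddns_cloudflare_api_token: <your_cloudflare_api_token>
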
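######################
# DNS server options #
######################
dnsmasq_enabled: true
# Extra host records served by dnsmasq. Both entries resolve to this host's
# primary IPv4 address; the leading-dot entry presumably covers all subdomains
# of the server domain — confirm against the dnsmasq role's template.
dnsmasq_custom_hosts:
  - name: "{{ general.domain }}"
    ip: "{{ ansible_default_ipv4.address }}"
  - name: ".{{ general.domain }}"
    ip: "{{ ansible_default_ipv4.address }}"
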
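#################
# Samba options #
#################
# See https://github.com/vladgh/ansible-collection-vladgh-samba
samba_guest_account: "{{ users.nas }}"
samba_shares_root: "{{ storage.nas_dir }}"
samba_manage_directories: false
samba_netbios_name: "{{ general.hostname | split('.') | first }}"
samba_server_string: Home NAS
# Just run as a standalone SMB server, not a WINS or AD server
samba_wins_support: false
samba_domain_master: false
samba_preferred_master: false
samba_local_master: true
# Treat unknown users as guests, but treat bad passwords as errors.
# See https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
samba_map_to_guest: Bad User
# Both shares are public (guest access) and writable, i.e. anyone who can reach
# the SMB port can read and modify them; tighten this if the LAN is not trusted.
# NOTE: the per-share key is "writable"; a misspelled key ("writeable") is
# silently ignored and the share falls back to the role's default.
samba_shares:
  - name: Dump
    comment: A place for files to go
    public: true
    writable: true
  - name: Media
    comment: Media to be streamed using Jellyfin
    public: true
    writable: true
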
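############################
# Minecraft server options #
############################
minecraft_server_enabled: true
# Passed to the server container as environment variables, so every value is
# a quoted string (an unquoted "true" or "-1" would be retyped by YAML).
minecraft_server_env:
  # Server properties
  SERVER_PORT: "25565"
  # Chat signing is not enforced; ONLINE_MODE keeps player authentication on.
  ENFORCE_SECURE_PROFILE: "false"
  ONLINE_MODE: "true"
  ENABLE_COMMAND_BLOCK: "true"
  ENABLE_QUERY: "true"
  # Enable automatically pausing when nobody is online
  EXEC_DIRECTLY: "false"
  ENABLE_AUTOPAUSE: "true"
  MAX_TICK_TIME: "-1" # See https://docker-minecraft-server.readthedocs.io/en/latest/misc/autopause-autostop/autopause/
  AUTOPAUSE_TIMEOUT_EST: "600" # Pause 10 minutes after last player disconnects
  AUTOPAUSE_TIMEOUT_INIT: "60" # Pause 1 minute after startup if inactive
  # Server settings
  TYPE: fabric
  VERSION: "1.20.4"
  INIT_MEMORY: "512M"
  MAX_MEMORY: "1G"
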
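######################
# Authentik settings #
######################
# After Authentik is enabled, go to https://<hostname>:9443/if/flow/initial-setup/
authentik_enabled: true
# Traefik routing options for Authentik
authentik_routing:
  enabled: true
  # Authentik is served at https://<subdomain>.<general.domain>; the Homarr and
  # Minio sections derive their OIDC endpoints from this value (falling back to
  # "auth" only if it is undefined).
  subdomain: authentik
# See https://docs.goauthentik.io/docs/installation/configuration for documentation.
# Use Ansible Vault to encrypt the secret_* variables.
authentik_env:
  # PostgreSQL root password
  PG_PASS: "{{ secret_authentik_pg_pass }}"
  # Credentials for the Authentik "akadmin" user during initial setup.
  # Use Ansible Vault to store an encrypted password here.
  AUTHENTIK_BOOTSTRAP_EMAIL: "{{ secret_authentik_bootstrap_email }}"
  AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ secret_authentik_bootstrap_password }}"
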
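####################
# Traefik settings #
####################
traefik_enabled: true
# Ports Traefik listens on. The metrics port is presumably scraped by the
# monitoring stack below; keep it off any public entrypoint.
traefik_ports:
  http: 80
  https: 443
  metrics: 8090
# See https://doc.traefik.io/traefik/https/acme/ for information on how to
# configure the provider and environment variables.
traefik_acme_dns:
  enabled: false
  provider: cloudflare
  # Email for Let's Encrypt, used to receive expiry notifications.
  # This doesn't need to be encrypted, but doing so hides it from bots scraping
  # GitHub for credentials.
  email: <your_email>
  # This is sensitive and must be encrypted, e.g. using Ansible Vault.
  env:
    # This API token needs Zone/Zone/Read permissions for all zones, and
    # Zone/DNS/Edit permissions for the zone containing the domain for the
    # server.
    CF_DNS_API_TOKEN: <your_cloudflare_api_token>
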
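######################
# Tailscale settings #
######################
tailscale_enabled: false
# Subnets to route traffic to (advertised to the tailnet; quoted so the CIDR
# stays a string)
tailscale_routes:
  - "10.0.0.0/24"
# Use Ansible Vault to put your encrypted auth key here.
# undef() leaves the variable undefined, so a run fails loudly instead of
# silently using a placeholder when no real key has been supplied.
tailscale_auth_key: "{{ undef() }}"
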
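###################
# Homarr settings #
###################
homarr_enabled: true
homarr_routing:
  enabled: true
  # Serve Homarr as the landing page of the domain (presumably the apex host
  # rather than a subdomain — confirm against the Traefik role)
  homepage: true
# OIDC settings for Authentik
# Client ID and secret are Ansible Vault secrets; the URIs are derived from the
# Authentik routing subdomain and the server domain.
homarr_env:
  AUTH_PROVIDER: oidc
  AUTH_OIDC_CLIENT_NAME: Authentik
  AUTH_OIDC_CLIENT_ID: "{{ secret_homarr_oidc_client_id }}"
  AUTH_OIDC_CLIENT_SECRET: "{{ secret_homarr_oidc_client_secret }}"
  AUTH_OIDC_SCOPE_OVERWRITE: openid email profile groups
  # Members of this Authentik group get Homarr admin rights
  AUTH_OIDC_ADMIN_GROUP: Administrators
  AUTH_OIDC_URI: >-
    https://{{ authentik_routing.subdomain | default('auth') }}.{{ general.domain }}/application/o/homarr
  AUTH_LOGOUT_REDIRECT_URL: >-
    https://{{ authentik_routing.subdomain | default('auth') }}.{{ general.domain }}/application/o/homarr/end-session/
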
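##################
# Minio settings #
##################
minio_enabled: true
minio_routing:
  enabled: true
  # S3 API and web console are served on separate subdomains of general.domain
  api_subdomain: s3
  ui_subdomain: minio
# Use Ansible Vault to put your encrypted credentials here
minio_root_user: "{{ undef() }}"
minio_root_password: "{{ undef() }}"
# Environment variables to configure integration with Authentik using OpenID Connect.
# Currently, this requires manual setup in the Authentik UI.
# Use Ansible Vault to put your encrypted client ID and secret below.
minio_env:
  # The trailing backslash joins the two lines without inserting a space
  # (a ">-" folded scalar would add one), so the URL stays intact.
  MINIO_IDENTITY_OPENID_CONFIG_URL: "https://{{ authentik_routing.subdomain | default('auth') }}.{{ general.domain }}\
    /application/o/minio/.well-known/openid-configuration"
  MINIO_IDENTITY_OPENID_CLIENT_ID: "{{ secret_minio_openid_client_id }}"
  MINIO_IDENTITY_OPENID_CLIENT_SECRET: "{{ secret_minio_openid_client_secret }}"
  # The ID-token claim Minio reads the policy name from
  MINIO_IDENTITY_OPENID_CLAIM_NAME: policy
  MINIO_IDENTITY_OPENID_DISPLAY_NAME: Log in with Authentik
  MINIO_IDENTITY_OPENID_SCOPES: openid,profile,email,minio
  # Must be a full URL (with scheme), like the other OIDC URLs in this file; it
  # is passed to the container verbatim.
  MINIO_IDENTITY_OPENID_REDIRECT_URI: >-
    https://{{ minio_routing.ui_subdomain | default('minio') }}.{{ general.domain }}/oauth_callback
  MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC: "on"
  MINIO_IDENTITY_OPENID_CLAIM_USERINFO: "on"
  MINIO_IDENTITY_OPENID_COMMENT: "Authentik"
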
######################
# Bitwarden settings #
######################
# No further options are exposed here; the role presumably routes it under
# general.domain like the other services — confirm against the role defaults.
bitwarden_enabled: true
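#####################
# Jellyfin settings #
#####################
jellyfin_enabled: true
# Hardware-accelerated transcoding via VA-API (requires a supported GPU)
jellyfin_enable_vaapi: false
# Initial admin account and the OIDC client used with Authentik; all four are
# secrets and belong in an Ansible Vault file, not in this sample.
jellyfin_admin_username: "{{ secret_jellyfin_admin_username }}"
jellyfin_admin_password: "{{ secret_jellyfin_admin_password }}"
jellyfin_oidc_client_id: "{{ secret_jellyfin_oidc_client_id }}"
jellyfin_oidc_client_secret: "{{ secret_jellyfin_oidc_client_secret }}"
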
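#######################
# Monitoring settings #
#######################
monitoring_enabled: true
# Prometheus is routed privately only; Grafana is not, so it is reachable
# through the public entrypoint and relies on the SSO settings below.
monitoring_prometheus_routing_private: true
monitoring_grafana_routing_private: false
# Grafana SSO settings
# With sso_only enabled, local Grafana logins are disabled and every sign-in
# goes through Authentik; client credentials are Ansible Vault secrets.
monitoring_grafana_sso: true
monitoring_grafana_sso_only: true
monitoring_grafana_client_id: "{{ secret_monitoring_grafana_client_id }}"
monitoring_grafana_client_secret: "{{ secret_monitoring_grafana_client_secret }}"
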
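############################
# Healthchecks.io settings #
############################
# External uptime/cron monitoring; no further options are configured here.
healthchecksio_enabled: false
# vim: ft=yaml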