Files
a13labs.infra/ansible/host_vars/dev-01.lab.alexpires.me.yml
T
alexandre.pires b4f4fe2f07 Refactor SteamOS session management and launcher scripts
- Removed obsolete launch_desktop.sh and launch_session.sh scripts.
- Introduced new steam-launcher script to handle Steam launching and session tracking.
- Added steam-short-session-tracker for monitoring short Steam sessions and triggering repairs.
- Created steamos and steamos-session scripts for managing the SteamOS session.
- Implemented steamos-session-select for switching between Gamescope and Plasma sessions.
- Updated SDDM configuration for autologin and session management.
- Added new systemd services and targets for managing Gamescope and Steam sessions.
- Created desktop entries and icons for ALVR and SteamOS shortcuts.
- Enhanced logging and error handling across scripts.
- Cleaned up unused systemd slice and service files.
- Updated Ansible playbook to reflect new configurations and file structures.
2025-12-01 17:25:18 +01:00

143 lines
4.0 KiB
YAML

hostname: dev-01.lab.alexpires.me
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
# Users
login_users:
- username: "{{ ansible_user }}"
comment: "Managed by Ansible"
sudoer: true
sudoer_root_only: true
sudoer_no_password: true
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
password_disabled: true
- username: operator
comment: "Managed by Ansible"
sudoer: true
pubkey: "{{ lookup('file', 'keys/operator.pub') }}"
# SSH Connection and security
sshd_port: 22
ssh_allowed_networks:
- "10.5.5.5/32" # Wireguard VPN (Laptop)
- "10.19.4.0/24" # local network
sshd_admin_net: "10.19.4.0/24" # local network
sshd_allow_groups: "{{ ansible_user }} users"
sshd_permit_root_login: "no"
sshd_password_authentication: "no"
sshd_allow_tcp_forwarding: "yes"
# Due to an issue increase the number of max auth tries
sshd_max_auth_tries: 10
# Firewall ports
ufw_enable: true
fw_allowed_ports:
- { rule: "allow", port: "22", proto: "tcp", from: "10.5.5.5/32" } # SSH Access (VPN device)
- { rule: "allow", port: "22", proto: "tcp", from: "10.19.4.0/24" } # SSH Access (local network)
- { rule: "allow", port: "16443", proto: "tcp", from: "10.5.5.5/32" } # Kubernetes API (Laptop)
- { rule: "allow", port: "16443", proto: "tcp", from: "10.19.4.0/24" } # Kubernetes API (local network)
- { rule: "allow", port: "139", proto: "tcp", from: "10.19.4.0/24" } # Samba (local network only)
- { rule: "allow", port: "445", proto: "tcp", from: "10.19.4.0/24" } # Samba (local network only)
- { rule: "allow", port: "11434", proto: "tcp", from: "10.19.4.0/24" } # Ollama (local network only)
- { rule: "allow", port: "11434", proto: "tcp", from: "10.5.5.5/32" } # Ollama (Laptop)
- { rule: "allow", port: "11434", proto: "tcp", from: "10.5.5.2/32" } # Ollama (Contabo VPN)
- { rule: "allow", port: "9090", proto: "tcp", from: "10.5.5.2/32" } # Prometheus (Contabo VPN)
- { rule: "allow", port: "443", proto: "tcp", from: "10.5.5.2/32" } # HTTPS (Contabo VPN)
- { rule: "allow", port: "53", proto: "udp", from: "10.19.4.0/24" } # DNS (local network)
- { rule: "allow", port: "53", proto: "udp", from: "10.5.5.2/32" } # DNS (Contabo VPN)
ufw_outgoing_traffic:
- 9 # For Wake-on-LAN
- 22 # SSH
- 53 # DNS
- 80 # HTTP
- 123 # NTP
- 443 # HTTPS
- 465 # SMTPS
- 853 # DNS over TLS
- 10250 # Kubelet
- 8880 # Kokoro-FastAPI
- 11434 # Ollama
- 16443 # Kubernetes API
- 8188 # comfyui
- 4443
- 9443
- 993 # IMAPS
- 9090 # Prometheus
ufw_default_forward_policy: "ACCEPT"
fw_loopback_traffic_deny: false
ipv4_sysctl_settings:
net.ipv4.ip_forward: 1
disable_ipv6: true
# geoip will override hosts_allow and hosts_deny (so it's disabled - CIS hardening)
custom_hosts_acls: true
# fail2ban
fail2ban_jails:
ssh:
enabled: true
port: "{{ sshd_port }}"
filter: "sshd"
logpath: "/var/log/auth.log"
maxretry: 5
findtime: 600
bantime: 3600
# aide
install_aide: true
aide_exclude:
- "!/var/lib/snapd"
- "!/srv"
misc_modules_blocklist:
- bluetooth
- bnep
- btusb
- can
- cpia2
- firewire-core
- floppy
- ksmbd
- n_hdlc
- net-pf-31
- pcspkr
- soundcore
- thunderbolt
- usb-midi
- uvcvideo
- v4l2_common
# Unattended upgrades
unattended_reboot: true
unattended_reboot_time: "04:30"
# Duo Security
duo_users: ["*", "!provision"]
duo_api_hostname: api-7cda1654.duosecurity.com
# Kubernetes specific settings
microk8s_allowed_hosts:
- 10.19.4.0/24
- 10.5.5.5
microk8s_alt_names: "{{ hostname }}"
microk8s_certmgr_letsencrypt_issuer_email: c.alexandre.pires@alexpires.me
# HTTP-01 Let's encrypt issuer is disable in dev
microk8s_certmgr_letsencrypt_http01: false
# DNS-01 issuer is enabled in dev
microk8s_certmgr_letsencrypt_dns01: true
microk8s_cloudns_auth_id: "{{ lookup('env', 'CLOUDNS_AUTH_ID') }}"
microk8s_cloudns_auth_password: "{{ lookup('env', 'CLOUDNS_PASSWORD') }}"
microk8s_encryption_secret: "{{ lookup('env', 'MICROK8S_ENCRYPTION_SECRET') }}"
microk8s_users:
- username: operator
enabled: true
# podman services settings
persistent_data: "/srv"