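---
# Host configuration variables: feature toggles, SSH access, WireGuard, nginx
# sites and the containerised services. The Jinja expressions and vault_*
# names are consistent with an Ansible vars file.
# NOTE(review): the nesting below was reconstructed from key order after the
# file had been collapsed onto a few lines; compare with the repository copy.

timezone: Europe/Amsterdam

base_packages_common:
  - apt-transport-https
  - ca-certificates
  - curl
  - git
  - gnupg
  - python3
  - rsync
  - ssl-cert
  - sudo
  - unzip

# Feature toggles for the components configured further down.
docker_enabled: true
bun_enabled: true
nginx_enabled: true
certbot_enabled: true
wireguard_enabled: true
fail2ban_enabled: true
gitea_enabled: true
mailserver_enabled: true

ssh_admin_groups:
  - sudo

# Every key listed here can log in as an account in the sudo group.
# NOTE(review): the bob@bob key is also authorised for backupagent below, so
# one lost key covers both the admin and the backup account; a dedicated
# backup key would keep the two revocable independently.
ssh_admin_users:
  - name: twirre
    shell: /bin/bash
    groups: "{{ ssh_admin_groups }}"
    authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSmroAJ4SDziZtwg+PCNITuhPim8oseq/sNwW0jTLJc twirre@gwen
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfapo7P0vmwkTdD9kkHaalk9U+JYIZuCp/hFTnPRqTp twirre@ben
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoC9Wp3nOI2a/u6G+7iKdF1WMJYdXr/RRp2uzGXJWio bob@bob
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDTD4O3ABkThFXaUpuKE14eRZYYqCBns1/MY7EAsLmlq iPhone

ssh_packages:
  - openssh-server

backupagent_enabled: true
backupagent:
  name: backupagent
  shell: /bin/sh
  authorized_keys:
    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoC9Wp3nOI2a/u6G+7iKdF1WMJYdXr/RRp2uzGXJWio bob@bob
  # NOTE(review): rsync is listed with no argument restriction. If the role
  # (not shown) turns this into a sudoers entry, the account can read and
  # overwrite any file as root. Constrain it, e.g. a forced rrsync command on
  # the authorised key or a sudoers rule with fixed arguments.
  sudo_commands:
    - /usr/bin/rsync

docker_packages:
  - docker.io
  - docker-compose-v2

# Quoted so the version stays a string.
bun_version: "1.3.10"
# Maps the machine architecture name to the suffix used for the bun build.
bun_arch_map:
  x86_64: x64
  aarch64: aarch64
bun_install_root: "/opt/bun/{{ bun_version }}"
bun_bin_path: /usr/local/bin/bun

certbot_packages:
  - certbot
  - python3-certbot-nginx
certbot_email: admin@twirre.io
# NOTE(review): certificates are declared below while management is switched
# off; presumably they are issued another way. Confirm renewal is covered.
certbot_manage_certificates: false
certbot_certificates:
  - name: twirre.io
    domains:
      - twirre.io
  - name: twirre.me
    domains:
      - twirre.me
  - name: git.twirre.io
    domains:
      - git.twirre.io
  - name: lagrange.meulenbelt.nl
    domains:
      - lagrange.meulenbelt.nl
  - name: map.twirre.io
    domains:
      - map.twirre.io
  - name: chat.twirre.io
    domains:
      - chat.twirre.io
  - name: overleaf.twirre.io
    domains:
      - overleaf.twirre.io
  - name: mail.twirre.io
    domains:
      - mail.twirre.io

# NOTE(review): 10.0.0.0/24 is the WireGuard range used below, so failed
# logins arriving from any VPN peer are never banned. Keep only if every
# peer device is trusted to that degree.
fail2ban_ignoreip:
  - '127.0.0.1/8'
  - '::1'
  - '10.0.0.0/24'
fail2ban_bantime: 15m
fail2ban_findtime: 24h
fail2ban_maxretry: 3

wireguard_interface:
  name: wg0
  address:
    - 10.0.0.1/32
  listen_port: 51820
  # NOTE(review): default('') renders an empty secret when the vault variable
  # is missing instead of failing the run. This applies to every vault_*
  # lookup in this file; confirm the consuming roles reject empty values.
  private_key: "{{ vault_wireguard_private_key | default('') }}"
  # Each peer is limited to a single /32 and has its own preshared key.
  peers:
    - name: bob
      public_key: 4PjCLHHodDBCqRRjc8qvhwiT/oTElL+e5wnbiLN5N1c=
      preshared_key: "{{ vault_wireguard_bob_preshared_key | default('') }}"
      allowed_ips:
        - 10.0.0.2/32
      persistent_keepalive: 25
    - name: ben
      public_key: pqEEPBsVPVsNALuYHC3nggwmAAeAcB+6NXhh/z+MazU=
      preshared_key: "{{ vault_wireguard_ben_preshared_key | default('') }}"
      allowed_ips:
        - 10.0.0.3/32
    - name: iPhone
      public_key: /pZPnxXHBPxfYvJPwtPMmy09cOHIPATamVEloPJj/n0=
      preshared_key: "{{ vault_wireguard_iPhone_preshared_key | default('') }}"
      allowed_ips:
        - 10.0.0.6/32
    - name: iPad
      public_key: GKTAOHRoRTTWayaHYype2QCO1o02UxNCHYrZDfvh1ns=
      preshared_key: "{{ vault_wireguard_iPad_preshared_key | default('') }}"
      allowed_ips:
        - 10.0.0.7/32
    - name: alternate1
      public_key: 8BcmHZgxXJosvbeq/cpb6qYkOZXqmTbryS17j9ZsXTo=
      preshared_key: "{{ vault_wireguard_alternate1_preshared_key | default('') }}"
      allowed_ips:
        - 10.0.0.8/32
    - name: alternate2
      public_key: Dy7zzlR9/oLXElABRlZYH4SifWMq2qHsh7m1XIWS2kU=
      preshared_key: "{{ vault_wireguard_alternate2_preshared_key | default('') }}"
      allowed_ips:
        - 10.0.0.9/32
    - name: alternate3
      public_key: RKgTlbAI0Rp72geRPK9ViReGREGNI097fu8mDQQe1Xo=
      preshared_key: "{{ vault_wireguard_alternate3_preshared_key | default('') }}"
      allowed_ips:
        - 10.0.0.10/32
    - name: alternate4
      public_key: JsI1ldD5f+2cqX6oLUGYt72JELFy4eDTb3N6Q9VFBgU=
      preshared_key: "{{ vault_wireguard_alternate4_preshared_key | default('') }}"
      allowed_ips:
        - 10.0.0.11/32
    - name: alternate5
      public_key: OFvhjnpc9NtBUTrgRDU9Ya8G+WaoiHKHAxWy9v9N5nY=
      preshared_key: "{{ vault_wireguard_alternate5_preshared_key | default('') }}"
      allowed_ips:
        - 10.0.0.12/32
    - name: bill
      public_key: upNSfWXN9pvUGcX5G6xFniClJAmlv6WatpVxIsJ2/lg=
      preshared_key: "{{ vault_wireguard_bill_preshared_key | default('') }}"
      allowed_ips:
        - 10.0.0.13/32

srv_root: /srv

# Directories that nginx serves directly for twirre.io (see nginx_sites).
twirre_io_files:
  visible_dir: /var/lib/twirre-io/files
  hidden_dir: /var/lib/twirre-io/hfiles

# NOTE(review): both apps deploy from the head of main; pinning a tag or
# commit would make each deployed revision reviewable and reproducible.
bun_apps:
  - name: twirre-io
    repo: git@github.com:TwirreM/twirre.io.git
    version: main
    deploy_user: twirre-io
    deploy_group: twirre-io
    path: /srv/twirre/twirre.io
    service_name: twirre_io
    entrypoint: index.ts
    port: 14014
    git_ssh_key: "{{ vault_twirre_io_deploy_key | default('') }}"
    env:
      PORT: "14014"
      ORIGIN: https://twirre.io
      RPNAME: Twirre IO
      RPID: twirre.io
      SQLITE_PATH: /var/lib/twirre-io/app.sqlite3
      VISIBLE_FILE_DIR: "{{ twirre_io_files.visible_dir }}"
      HIDDEN_FILE_DIR: "{{ twirre_io_files.hidden_dir }}"
    non_vault_env_keys:
      - VISIBLE_FILE_DIR
      - HIDDEN_FILE_DIR
    extra_directories:
      - path: "{{ twirre_io_files.visible_dir }}"
      - path: "{{ twirre_io_files.hidden_dir }}"
  - name: twirre-me
    repo: git@github.com:TwirreM/twirre.me.git
    version: main
    deploy_user: twirre-me
    deploy_group: twirre-me
    path: /srv/twirre/twirre.me
    service_name: twirre_me
    entrypoint: index.ts
    port: 13013
    git_ssh_key: "{{ vault_twirre_me_deploy_key | default('') }}"
    env:
      PORT: "13013"

gitea:
  service_user: gitea
  # NOTE(review): if the role adds service_user to this group, that account
  # can control the Docker daemon, which is root-equivalent on the host.
  service_group: docker
  path: /srv/gitea
  compose_project_name: gitea
  domain: git.twirre.io
  # HTTP is bound to loopback, so the web UI is reachable only through nginx.
  http_bind_address: 127.0.0.1
  http_port: 3000
  ssh_port: 2222
  # NOTE(review): pinned by tag, which a registry can repoint; pin by digest
  # (image@sha256:<digest>) if the pulled image must be immutable.
  image: docker.gitea.com/gitea:1.25.4
  data_dir: /srv/gitea/data

mailserver:
  service_user: mailstack
  # NOTE(review): same docker-group consideration as for gitea.service_group.
  service_group: docker
  path: /srv/mail
  compose_project_name: mailserver
  # NOTE(review): tag-pinned, not digest-pinned.
  image: ghcr.io/docker-mailserver/docker-mailserver:15.1.0
  hostname: mail.twirre.io
  env:
    ENABLE_SPAMASSASSIN: "0"
    ENABLE_FAIL2BAN: "1"
    SSL_TYPE: letsencrypt
    # NOTE(review): PERMIT_DOCKER widens the set of networks the mail server
    # treats as trusted beyond the container itself; confirm that nothing
    # untrusted can reach SMTP from that range, or relaying is unauthenticated.
    PERMIT_DOCKER: host
  tls_root_path: /etc/letsencrypt

nginx_sites:
  - name: twirre.me
    server_names:
      - twirre.me
    default_server: true
    acme_managed: true
    upstream_host: 127.0.0.1
    upstream_port: 13013
  - name: twirre.io
    server_names:
      - twirre.io
    acme_managed: true
    upstream_host: 127.0.0.1
    upstream_port: 14014
    static_locations:
      # Directory listing is on: everything under visible_dir is enumerable.
      - path: /files/
        alias: "{{ twirre_io_files.visible_dir }}/"
        autoindex: true
      # NOTE(review): no listing here, but no access control is visible
      # either; a file is served to anyone who knows or guesses its path
      # unless the nginx template (not shown) restricts it.
      - path: /hfiles/
        alias: "{{ twirre_io_files.hidden_dir }}/"
  - name: git.twirre.io
    server_names:
      - git.twirre.io
    acme_managed: true
    upstream_host: 127.0.0.1
    upstream_port: 3000
  - name: lagrange.meulenbelt.nl
    server_names:
      - lagrange.meulenbelt.nl
    acme_managed: true
    static_root: /srv/lagrange
  # The next three sites proxy to 10.0.0.2, the address assigned to WireGuard
  # peer "bob": public traffic is forwarded through the tunnel to that host.
  - name: map.twirre.io
    server_names:
      - map.twirre.io
    acme_managed: true
    upstream_host: 10.0.0.2
    upstream_port: 8123
  - name: chat.twirre.io
    server_names:
      - chat.twirre.io
    acme_managed: true
    websocket: true
    upstream_host: 10.0.0.2
    upstream_port: 14607
  - name: overleaf.twirre.io
    server_names:
      - overleaf.twirre.io
    acme_managed: true
    upstream_host: 10.0.0.2
    upstream_port: 18009
  - name: mail.twirre.io
    server_names:
      - mail.twirre.io
    acme_only: true

static_sites:
  - name: lagrange
    owner: www-data
    group: www-data
    path: /srv/lagrange
    files:
      - path: index.html
        # NOTE(review): the page body looks as if its HTML markup was lost
        # when this file was extracted; restore it from the repository copy.
        content: |
          In aanbouw

          In aanbouw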