sysconfig/group_vars/all.yml

---
# Custom variables ────────────────────────────────────────────────────────────

rootfs: btrfs

username: follie

# See roles/user/defaults/main.yml for a list of accepted shells
usershell: fish

repository: https://mirror.math.princeton.edu/pub/alpinelinux

# Additional kernel command-line parameters (added to the bootloader)
additional_kernel_parameters:
  - init_on_free=1
  - page_alloc.shuffle=1
  - lockdown=integrity

# Disable access to /sys/firmware/efi/efivars
disable_uefi_access: true

# 'seatd' or 'elogind'
seat_manager: seatd

# acpid implementation to use when elogind is not present
# 'busybox' or 'acpid'
acpid_daemon: busybox

# busybox's mdev, skarnet's mdevd or eudev's udev
device_manager: mdevd

# Should polkit be used for stuff
# (have no effect when seat_manager == 'elogind')
polkit: false

# Should be a file name in /usr/share/consolefonts/
console_font: ter-h22b.psf.gz

# 'dnscrypt-proxy' or 'unbound'
dns_resolver: dnscrypt-proxy

dnscrypt:
  adblock: true
  server_names:
    - quad9-doh-ip4-port443-filter-pri
    - quad9-doh-ip6-port443-filter-pri
    - quad9-dnscrypt-ip4-filter-pri
    - cloudflare-security
    - cloudflare-security-ipv6
  ephemeral_keys: true
  tls_disable_session_tickets: true
  tls_cipher_suite: [52392, 49199]
  bootstrap_resolvers:
    - 9.9.9.9:53
    - 1.1.1.1:53
  netprobe_address: 1.1.1.1:53
  local_doh:
    enabled: false
    listen_addresses:
      - 127.0.0.1:3012
    path: '/dns-query'
  anonymized_dns: # not compatible with DoH and ODoH servers
    enabled: false
    routes:
      - server_name: '*'
        via:
          - anon-tiarap
          - anon-tiarap-ipv6
          - anon-cs-tokyo
          - anon-cs-sk

unbound_upstream_nameservers:
  - 9.9.9.9@853#dns.quad9.net
  - 149.112.112.112@853#dns.quad9.net
  - 2620:fe::fe@853#dns.quad9.net
  - 2620:fe::9@853#dns.quad9.net
  - 1.1.1.1@853#cloudflare-dns.com
  - 1.0.0.1@853#cloudflare-dns.com
  - 2606:4700:4700::1111@853#cloudflare-dns.com
  - 2606:4700:4700::1001@853#cloudflare-dns.com

# 'virtlockd' and 'virtlogd' will always be started. Don't list them here
libvirt_daemons:
  - virtinterfaced
  - virtnetworkd
  - virtnodedevd
  - virtqemud
  - virtstoraged

# For libvirt's NAT firewall rules
# IPv6 is optional (https://wiki.gentoo.org/wiki/QEMU/KVM_IPv6_Support)
libvirt_bridges:
  - name: virbr0
    ip4: 192.168.122.0/24

# Public facing network interfaces
# https://wiki.alpinelinux.org/wiki/Configure_Networking
network_interfaces:
  - name: eth0
    ip4_type: dhcp
    ip6_type: auto

# Punching holes on the machine
# 546/UDP (IPv6 link-local client) is hardcoded (opened) so don't specify it here
opened_ports:
  tcp: []
  udp: []

# 'podman' or 'nerdctl'
rootless_container_cli: podman

# earlyoom kills processes on its own so make it optional
earlyoom:
  set_priority: true
  mem_min_percent: 5,2
  swap_min_percent: 10,5

# Configure waydroid base image
waydroid:
  rom_type: lineage # lineage, bliss
  system_type: VANILLA # FOSS, GAPPS, VANILLA

# Secrets encrypted with ansible-vault ────────────────────────────────────────

password: '{{ vault_password }}'
Getting started 2022-01-14 19:46:59 +01:00			`---`
Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00			`# Custom variables ────────────────────────────────────────────────────────────`

Getting started 2022-01-14 19:46:59 +01:00			`rootfs: btrfs`
Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00
Getting started 2022-01-14 19:46:59 +01:00			`username: follie`
Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00
user: make shell configurable, update new realtime config 2022-05-16 11:24:58 +02:00			`# See roles/user/defaults/main.yml for a list of accepted shells`
			`usershell: fish`

Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00			`repository: https://mirror.math.princeton.edu/pub/alpinelinux`

Move hardcoded variable use_polkit to main playbook group_vars/ should be used for changeable variables. Also rename `kernel_parameters` variable to `additional_kernel_parameters` (expect other bootloaders configuration to come :v) 2022-08-18 14:56:44 +02:00			`# Additional kernel command-line parameters (added to the bootloader)`
			`additional_kernel_parameters:`
Tons of cool things - unbound: rename role to 'dns', add dnscrypt-proxy tasks - devd: add sample udev rules - apparmor: move kernel parameters to group_vars 2022-06-19 20:27:32 +02:00			`- init_on_free=1`
			`- page_alloc.shuffle=1`
			`- lockdown=integrity`

fstab: add switch to enable/disable efivarfs mount Don't use noefi kernel parameter here as we want to switch on the fly 2022-08-21 10:47:03 +02:00			`# Disable access to /sys/firmware/efi/efivars`
			`disable_uefi_access: true`

Tons of cool things - unbound: rename role to 'dns', add dnscrypt-proxy tasks - devd: add sample udev rules - apparmor: move kernel parameters to group_vars 2022-06-19 20:27:32 +02:00			`# 'seatd' or 'elogind'`
Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00			`seat_manager: seatd`

acpi: add normal acpid variant Busybox's acpid doesn't support netlink 2022-08-07 11:33:21 +02:00			`# acpid implementation to use when elogind is not present`
			`# 'busybox' or 'acpid'`
			`acpid_daemon: busybox`

roles: add devd role Make device_manager configurable on setup (mdev, mdevd, udev) utilizing the new introduced 'setup-devd' script. 2022-05-20 18:55:40 +02:00			`# busybox's mdev, skarnet's mdevd or eudev's udev`
			`device_manager: mdevd`

Move hardcoded variable use_polkit to main playbook group_vars/ should be used for changeable variables. Also rename `kernel_parameters` variable to `additional_kernel_parameters` (expect other bootloaders configuration to come :v) 2022-08-18 14:56:44 +02:00			`# Should polkit be used for stuff`
			`# (have no effect when seat_manager == 'elogind')`
Tons of cool things - unbound: rename role to 'dns', add dnscrypt-proxy tasks - devd: add sample udev rules - apparmor: move kernel parameters to group_vars 2022-06-19 20:27:32 +02:00			`polkit: false`
Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00
essential: make console font configurable 2022-02-17 17:33:22 +01:00			`# Should be a file name in /usr/share/consolefonts/`
			`console_font: ter-h22b.psf.gz`

Tons of cool things - unbound: rename role to 'dns', add dnscrypt-proxy tasks - devd: add sample udev rules - apparmor: move kernel parameters to group_vars 2022-06-19 20:27:32 +02:00			`# 'dnscrypt-proxy' or 'unbound'`
			`dns_resolver: dnscrypt-proxy`

			`dnscrypt:`
			`adblock: true`
			`server_names:`
			`- quad9-doh-ip4-port443-filter-pri`
			`- quad9-doh-ip6-port443-filter-pri`
			`- quad9-dnscrypt-ip4-filter-pri`
dns: add cloudflare Sometimes cloudflare has better latency than quad9 (for me) 2022-07-19 17:36:13 +02:00			`- cloudflare-security`
			`- cloudflare-security-ipv6`
Tons of cool things - unbound: rename role to 'dns', add dnscrypt-proxy tasks - devd: add sample udev rules - apparmor: move kernel parameters to group_vars 2022-06-19 20:27:32 +02:00			`ephemeral_keys: true`
			`tls_disable_session_tickets: true`
			`tls_cipher_suite: [52392, 49199]`
			`bootstrap_resolvers:`
			`- 9.9.9.9:53`
			`- 1.1.1.1:53`
dns: add cloudflare Sometimes cloudflare has better latency than quad9 (for me) 2022-07-19 17:36:13 +02:00			`netprobe_address: 1.1.1.1:53`
Tons of cool things - unbound: rename role to 'dns', add dnscrypt-proxy tasks - devd: add sample udev rules - apparmor: move kernel parameters to group_vars 2022-06-19 20:27:32 +02:00			`local_doh:`
			`enabled: false`
			`listen_addresses:`
			`- 127.0.0.1:3012`
			`path: '/dns-query'`
			`anonymized_dns: # not compatible with DoH and ODoH servers`
			`enabled: false`
			`routes:`
			`- server_name: '*'`
			`via:`
			`- anon-tiarap`
			`- anon-tiarap-ipv6`
			`- anon-cs-tokyo`
			`- anon-cs-sk`

unbound: make upstream dns servers configurable 2022-01-28 17:43:31 +01:00			`unbound_upstream_nameservers:`
			`- 9.9.9.9@853#dns.quad9.net`
			`- 149.112.112.112@853#dns.quad9.net`
			`- 2620:fe::fe@853#dns.quad9.net`
			`- 2620:fe::9@853#dns.quad9.net`
dns: add cloudflare Sometimes cloudflare has better latency than quad9 (for me) 2022-07-19 17:36:13 +02:00			`- 1.1.1.1@853#cloudflare-dns.com`
			`- 1.0.0.1@853#cloudflare-dns.com`
			`- 2606:4700:4700::1111@853#cloudflare-dns.com`
			`- 2606:4700:4700::1001@853#cloudflare-dns.com`
Getting started 2022-01-14 19:46:59 +01:00
Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00			`# 'virtlockd' and 'virtlogd' will always be started. Don't list them here`
			`libvirt_daemons:`
			`- virtinterfaced`
			`- virtnetworkd`
			`- virtnodedevd`
			`- virtqemud`
			`- virtstoraged`

Convert networking stuff to templates - unbound: add `network_interfaces` variable to control /etc/network/interfaces (check interfaces(5)) - nftables: add `libvirt_bridges` and `opened_ports` to dynamically generate firewall rules 2022-04-04 08:27:06 +02:00			`# For libvirt's NAT firewall rules`
			`# IPv6 is optional (https://wiki.gentoo.org/wiki/QEMU/KVM_IPv6_Support)`
			`libvirt_bridges:`
			`- name: virbr0`
			`ip4: 192.168.122.0/24`

			`# Public facing network interfaces`
			`# https://wiki.alpinelinux.org/wiki/Configure_Networking`
			`network_interfaces:`
			`- name: eth0`
			`ip4_type: dhcp`
			`ip6_type: auto`

roles: add waydroid; nftables: refactor firewall rules 2022-05-10 18:13:35 +02:00			`# Punching holes on the machine`
Convert networking stuff to templates - unbound: add `network_interfaces` variable to control /etc/network/interfaces (check interfaces(5)) - nftables: add `libvirt_bridges` and `opened_ports` to dynamically generate firewall rules 2022-04-04 08:27:06 +02:00			`# 546/UDP (IPv6 link-local client) is hardcoded (opened) so don't specify it here`
			`opened_ports:`
			`tcp: []`
			`udp: []`

roles: add 'container' role with podman/nerdctl option Also enable cgroup v2 explicitly for openrc 2022-03-28 20:15:28 +02:00			`# 'podman' or 'nerdctl'`
			`rootless_container_cli: podman`

roles: add earlyoom role 2022-07-23 13:43:38 +02:00			`# earlyoom kills processes on its own so make it optional`
			`earlyoom:`
			`set_priority: true`
			`mem_min_percent: 5,2`
			`swap_min_percent: 10,5`

roles: add waydroid; nftables: refactor firewall rules 2022-05-10 18:13:35 +02:00			`# Configure waydroid base image`
			`waydroid:`
			`rom_type: lineage # lineage, bliss`
Tons of cool things - unbound: rename role to 'dns', add dnscrypt-proxy tasks - devd: add sample udev rules - apparmor: move kernel parameters to group_vars 2022-06-19 20:27:32 +02:00			`system_type: VANILLA # FOSS, GAPPS, VANILLA`
roles: add waydroid; nftables: refactor firewall rules 2022-05-10 18:13:35 +02:00
Fix some regressions + tasks revision DETAILS: - consolefont: moved to essential role - unbound: copy the config only after everything is set up correctly (or else the validation will complain trusted-key.key and the root hints are not in the chroot) - essential: start dbus service before handling seat management (elogind and seatd services depend on dbus) - use full-path for commands (avoid potential polluted PATH attack) - apk: use '>-' for the package list. See NOTES NOTES: - '\|' (literal) interprets new lines with a line break - '>' (folded) produces a single line with a '\n' at the end - '>-' (folded_strip) creates a single line without a line break in the end - '>' (folded scalars) joins all the lines with a space (doesn't preserve numeric, boolean and other non-string types) Check https://adminswerk.de/multi-line-string-yaml-ansible-II/ for some problems on using multiple lines variables 2022-02-14 06:55:43 +01:00			`# Secrets encrypted with ansible-vault ────────────────────────────────────────`

Big chunk of changes - essential: - make polkit optional - move /etc/hosts file to unbound role - libvirt: - make libvirt daemons configurable - delete the firewall patch. Hardcode the rules by default (for now) so that the playbook is compatible with `ansible-core` - user: add pam_limits file (moved from dotfiles repository) - sysctl: role deleted. The task was moved to essential role - fstab: new role for /run, /tmp, /proc mounts - add seatd as a 'seat_manager' option - cron: use find command to restraint deleted files in /var/tmp 2022-02-11 18:39:35 +01:00			`password: '{{ vault_password }}'`