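---
# Choices of components ──────────────────────────────────────────────────────────
# NOTE: validated against `requirements/accepted_variables.yml`, so keep these top-level
snapshot_tool: btrbk
initramfs_generator: mkinitfs
usershell: fish
seat_manager: seatd
dhcp_client: udhcpc
# acpid implementation to use when elogind is not present
acpid_daemon: busybox
device_manager: udev
crond_provider: cronie
syslog_provider: busybox
ntp_client: ntpsec
dns_resolver: dnscrypt-proxy
sudo_provider: doas

# Configurations ───────────────────────────────────────────────────────────────────
repository: https://ftp.udx.icscoe.jp/Linux/alpine
username: follie
# Don't specify "seat" or "polkitd" group here
# NOTE(review): `libvirt` membership is usually root-equivalent on the host (a guest can
# be given arbitrary host disks/devices), so keep this list as small as possible.
usergroups: [wheel, input, audio, video, libvirt, users, pipewire]
# Commands the wheel group is allowed to run without password
# NOTE(review): doas matches on the command name only; unless the rendered rule also
# carries `args`, any arguments are accepted - verify the generated doas.conf.
nopasswd_commands: [halt, reboot, poweroff, pm-suspend, dhcp_release]

# Public NTP pools: https://www.ntppool.org/en/use.html
# Public NTS-enabled servers: https://github.com/jauderho/nts-servers
ntp_opts:
  # NOTE: the peer option isn't available in ntpsec.
  # Also, we are just an NTP client => no need to exchange time with anyone
  pools: []
  servers:
    - time.cloudflare.com
    - ntpmon.dcs1.biz
    - nts.netnod.se
    - ntp.zeitgitter.net
    - virginia.time.system76.com
    - ntp3.fau.de
    - gps.ntp.br
  # include the 'nts' option on each server directive (common NTP pools don't support NTS yet)
  nts_enabled: true

dnscrypt:
  adblock: true
  server_names:
    - quad9-doh-ip4-port443-filter-pri
    - quad9-doh-ip6-port443-filter-pri
    - quad9-dnscrypt-ip4-filter-pri
    - cloudflare-security
    - cloudflare-security-ipv6
  # Plain port-53 resolvers, used for bootstrapping only (before the encrypted servers are reachable)
  bootstrap_resolvers: ['9.9.9.9:53', '1.1.1.1:53']
  netprobe_address: '1.1.1.1:53'
  local_doh:
    enabled: false
    listen_addresses: ['127.0.0.1:3012']
    path: '/dns-query'
  anonymized_dns:
    # not compatible with DoH and ODoH servers
    enabled: false
    routes:
      - server_name: '*'
        via:
          - anon-tiarap
          - anon-tiarap-ipv6
          - anon-cs-tokyo
          - anon-cs-sk

# Quoted: a stray space before `#` or around `@` would otherwise truncate/retype these plain scalars
unbound_upstream_nameservers:
  - '9.9.9.9@853#dns.quad9.net'
  - '149.112.112.112@853#dns.quad9.net'
  - '2620:fe::fe@853#dns.quad9.net'
  - '2620:fe::9@853#dns.quad9.net'
  - '1.1.1.1@853#cloudflare-dns.com'
  - '1.0.0.1@853#cloudflare-dns.com'
  - '2606:4700:4700::1111@853#cloudflare-dns.com'
  - '2606:4700:4700::1001@853#cloudflare-dns.com'

# Enable/Disable access to /sys/firmware/efi/efivars
# NOTE(review): leaving efivars writable lets root modify firmware variables (bad writes
# can brick some boards); consider `true` unless a tool needs write access.
disable_uefi_access: false

# Should polkit be used
# NOTE: has no effect when seat_manager == 'elogind'
use_polkit: false

# Must be the name of a file that exists inside /usr/share/consolefonts/
console_font: ter-h22b.psf.gz

# 'virtlockd' and 'virtlogd' will always be started, so don't list them here
libvirt_daemons:
  - virtinterfaced
  - virtnetworkd
  - virtnodedevd
  - virtqemud
  - virtstoraged
  - virtproxyd

# Whether to use `iwd` or `eiwd`
iwd_without_dbus: false

# RFC 7217: generate a stable IPv6 link-local address for SLAAC
# NOTE: this is the default for dhcpcd (slaac private), and the `stable-privacy` flag
# doesn't appear in `ip a` in this case
ipv6_stable_privacy_addr: true

# Public-facing network interfaces to configure
# - ip4_addr, ip6_addr should include the netmask (e.g. 192.168.1.10/24)
# - don't include wireless interfaces here as they should use dhcp with iwctl
# - udhcpc: https://wiki.alpinelinux.org/wiki/Configure_Networking
network_interfaces:
  - name: eth0
    ip4_type: dhcp
    ip6_type: auto

# Punching holes in the firewall
# 546/UDP (IPv6 link-local client) is hardcoded (opened), so don't specify it here
opened_ports:
  tcp: []
  udp: []

# earlyoom kills processes on its own, so it is optional
earlyoom:
  set_priority: true
  # "avail,terminate" pairs; quoted so they stay strings
  mem_min_percent: '5,2'
  swap_min_percent: '10,5'

# auditd by default rotates its logfile when reaching the file size limit
auditd_logrotate_daily: false

# Configuration for filesystem snapshot tools ─────────────────────────────────
snapper:
  - name: home
    subvolume: /home
    pre_post_cleanup:
      enabled: true
    number_cleanup:
      enabled: false
    timeline:
      cleanup_enabled: true
      min_age: 1800
      hourly: 8
      daily: 4
      weekly: 2
      monthly: 0
      yearly: 0
  - name: root
    subvolume: /
    pre_post_cleanup:
      enabled: true
      min_age: 900
    number_cleanup:
      enabled: true
      min_age: 1800
      limit: '10-30'
      limit_important: 10
    timeline:
      cleanup_enabled: false

# NOTE: some caveats to reduce config complexity
# - use the same targets for all subvolumes in each volume definition
# - use the same global retention policy for snapshot/backup/archive
# - there's only 1 global ssh config, 1 global crontab
btrbk:
  cron:
    hourly: snapshot
    daily: resume
  options:
    lockfile: /var/lock/btrbk.lock
    logfile: /var/log/btrbk.log
    syslog: cron
    timestamp_format: long
  snapshot:
    min_age: 6h
    policy: '16h 8d 4w 2m'
  volumes:
    - path: /mnt/root
      snapshot_dir: '@snapshots'
      subvolumes: ['@home', '@']
    - path: /mnt/media
      snapshot_dir: '@snapshots'
      subvolumes: ['@']

# See /etc/sanoid/sanoid.defaults.conf file for all config options
sanoid:
  templates:
    production:
      frequent_period: 30
      hourly: 16
      daily: 8
      weekly: 4
      monthly: 2
      # sanoid expects the literal strings 'yes'/'no' here, hence the quotes
      autosnap: 'yes'
      autoprune: 'yes'
  datasets:
    rpool/ALPINE/root:
      use_template: production
    rpool/ALPINE/home:
      use_template: production
      frequent_period: 15

# Intentionally unset (was a bare `zrepl:`); written as an explicit null so the intent is visible.
# NOTE(review): if the playbook expects a mapping, use `{}` instead.
zrepl: null

# Secrets encrypted with ansible-vault ────────────────────────────────────────
password: '{{ vault_password }}'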