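---
# Choices of components ────────────────────────────────────────────────────────────
# NOTE: verified with `requirements/accepted_variables.yml`, so keep them as top-level

# Only the matching section under "filesystem snapshot tools" below is expected to
# be rendered for the chosen tool (snapper/sanoid/zrepl are presumably ignored).
snapshot_tool: btrbk

initramfs_generator: mkinitfs

usershell: fish

# seatd mediates DRM/input device access for the compositor, so the user needs the
# "seat" group (added by the role, see `usergroups`) rather than raw device groups.
seat_manager: seatd

dhcp_client: udhcpc

# acpid implementation to use when elogind is not present
acpid_daemon: busybox

device_manager: udev

crond_provider: cronie

# busybox syslogd: local-only, size-based rotation; auditd logging is configured
# separately (see `auditd_logrotate_daily`).
syslog_provider: busybox

# ntpsec with NTS (see `ntp_opts.nts_enabled`): authenticated time, which also
# matters for TLS certificate validation elsewhere on the host.
ntp_client: ntpsec

# dnscrypt-proxy is the active resolver; the `unbound_upstream_nameservers` list
# further down is presumably only consumed when this is set to unbound -- confirm
# in the role before relying on either list.
dns_resolver: dnscrypt-proxy

# doas has a far smaller code base and config surface than sudo. Its `cmd` rules
# match the command name only: without an `args` clause any arguments are accepted
# (no wildcard/pattern matching as in sudo) -- see the `nopasswd_commands` caveat.
sudo_provider: doas
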
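# Configurations ───────────────────────────────────────────────────────────────────

# HTTPS mirror. apk still verifies package signatures against /etc/apk/keys, so the
# mirror only has to be trusted for availability/freshness, not for integrity.
repository: https://ftp.udx.icscoe.jp/Linux/alpine

username: follie

# Don't specify "seat" or "polkitd" group here
# This is the interactive user, so every process it runs inherits these groups:
# - libvirt: effectively root-equivalent -- a member can talk to the system daemon
#   and define a VM that attaches arbitrary host block devices/paths
# - input: read access to /dev/input/* for every process of the user (a userspace
#   keylogger needs nothing else); with seatd opening devices for the compositor it
#   may be unnecessary -- confirm before keeping it
usergroups: [wheel, input, audio, video, libvirt, users, pipewire]

# Commands the wheel group is allowed to run without password
# NOTE: with doas a `cmd` rule without `args` accepts any arguments. None of these
# yield a shell, but halt/reboot/poweroff are a passwordless DoS for any process
# running as a wheel member, and dhcp_release (dnsmasq) releases whatever
# interface/IP lease it is given on the local dnsmasq. Keep the list minimal.
nopasswd_commands: [halt, reboot, poweroff, pm-suspend, dhcp_release]
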
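# Public NTP pools: https://www.ntppool.org/en/use.html
# Public NTS-enabled servers: https://github.com/jauderho/nts-servers
ntp_opts:
  # NOTE: peer option isn't available in ntpsec.
  # Also, we are just the NTP client => no need to exchange time with anyone
  pools: []
  # Several independent operators so a single bad/compromised source can be
  # outvoted by the clock-selection algorithm (four or more sources is the usual
  # minimum for that to work).
  servers:
    - time.cloudflare.com
    - ntpmon.dcs1.biz
    - nts.netnod.se
    - ntp.zeitgitter.net
    - virginia.time.system76.com
    - ntp3.fau.de
    - gps.ntp.br
  # include 'nts' option on each server directive (common NTP pools don't support NTS yet)
  # With this on, every server above must support NTS-KE or it is unusable.
  # CAVEAT: NTS-KE is a TLS handshake, so server certificates are validated against
  # the local clock. On a host that boots with a wildly wrong time (no or dead
  # RTC) every server is rejected and time never syncs -- make sure hwclock/swclock
  # restores a plausible time before ntpd starts, or verify how the role handles it.
  nts_enabled: true
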
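dnscrypt:
  adblock: true
  # All entries are the filtering ("-filter"/"-security") variants, i.e. the
  # upstream blocks known-malicious domains. The quad9 names say which protocol
  # they use (DoH vs DNSCrypt); the cloudflare-security entries are DoH per the
  # public resolver list -- relevant for the anonymized_dns note below.
  server_names:
    - quad9-doh-ip4-port443-filter-pri
    - quad9-doh-ip6-port443-filter-pri
    - quad9-dnscrypt-ip4-filter-pri
    - cloudflare-security
    - cloudflare-security-ipv6
  # Plaintext UDP/53, but only used to resolve the hostnames of the resolver-list
  # sources / the netprobe before an encrypted resolver is available; application
  # queries never go here. Same operators as the encrypted resolvers above.
  bootstrap_resolvers: [9.9.9.9:53, 1.1.1.1:53]
  netprobe_address: 1.1.1.1:53
  local_doh:
    enabled: false
    listen_addresses: [127.0.0.1:3012]
    path: '/dns-query'
  anonymized_dns:  # not compatible with DoH and ODoH servers
    # If this is ever enabled with the '*' route, the DoH entries above cannot be
    # relayed. Unless the rendered config sets `skip_incompatible = true`,
    # dnscrypt-proxy uses such resolvers directly (unrelayed), so the anonymisation
    # silently does not apply to them -- check the template before enabling.
    enabled: false
    routes:
      - server_name: '*'
        via:
          - anon-tiarap
          - anon-tiarap-ipv6
          - anon-cs-tokyo
          - anon-cs-sk
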
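# Upstream forwarders for unbound, DNS-over-TLS on 853. The `#hostname` suffix is
# the name unbound authenticates the server certificate against; it only takes
# effect when the rendered config also sets `tls-cert-bundle` (otherwise the
# connection is encrypted but unauthenticated). Quoted so that a stray space
# before `#` can never turn the auth name into a YAML comment.
# NOTE: with `dns_resolver: dnscrypt-proxy` above this list is presumably not
# rendered at all -- confirm in the role.
unbound_upstream_nameservers:
  - '9.9.9.9@853#dns.quad9.net'
  - '149.112.112.112@853#dns.quad9.net'
  - '2620:fe::fe@853#dns.quad9.net'
  - '2620:fe::9@853#dns.quad9.net'
  - '1.1.1.1@853#cloudflare-dns.com'
  - '1.0.0.1@853#cloudflare-dns.com'
  - '2606:4700:4700::1111@853#cloudflare-dns.com'
  - '2606:4700:4700::1001@853#cloudflare-dns.com'
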
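# Enable/Disable access to /sys/firmware/efi/efivars
# With efivars left accessible, a root process can write/delete firmware variables
# (the classic `rm -rf /` reaching efivars bricked some boards; newer kernels mark
# most variables immutable, but the write surface for root remains). Only keep this
# false if something on the host really needs to touch NVRAM, e.g. efibootmgr or a
# bootloader install; otherwise consider `true` and do those steps from a live system.
disable_uefi_access: false

# Should polkit be used
# NOTE: have no effect when seat_manager == 'elogind'
# Without polkit, authorisation for libvirt/seatd presumably falls back to socket
# group membership alone -- which is why the `usergroups` list is security-relevant.
use_polkit: false

# Should be a file name existed inside /usr/share/consolefonts/
console_font: ter-h22b.psf.gz
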
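# 'virtlockd' and 'virtlogd' will always be started so don't list them here
# Modular daemons; each one is a separate root service and attack surface, so only
# list what is used. virtproxyd likely only matters for clients that still use the
# legacy libvirtd socket or for remote TCP/TLS access -- drop it if everything
# talks to the per-driver sockets locally.
libvirt_daemons:
  - virtinterfaced
  - virtnetworkd
  - virtnodedevd
  - virtqemud
  - virtstoraged
  - virtproxyd

# Whether to use `iwd` or `eiwd`
# false = regular iwd, controlled over the system D-Bus (access governed by its
# D-Bus policy file); eiwd drops D-Bus entirely.
iwd_without_dbus: false

# RFC 7217: derive stable, per-network IPv6 interface identifiers for SLAAC
# (link-local and global) instead of MAC-based EUI-64 ones, so the MAC is not
# exposed in addresses. This is not RFC 8981 temporary-address privacy: the
# address stays constant within a given network.
# NOTE: this is the default for dhcpcd (slaac private), and `stable-privacy` flag doesn't appear in `ip a` in this case
# NOTE: with udhcpc as `dhcp_client` the role presumably sets the kernel
# addr_gen_mode/stable_secret sysctls instead -- confirm with `ip a` after a reboot
ipv6_stable_privacy_addr: true
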
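# Public facing network interfaces to configure
# - ip4_addr, ip6_addr should include netmask (e.g. 192.168.1.10/24)
# - don't include wireless interfaces here as they should use dhcp with iwctl
# - udhcpc: https://wiki.alpinelinux.org/wiki/Configure_Networking
network_interfaces:
  - name: eth0
    ip4_type: dhcp
    ip6_type: auto

# Punching holes on the machine
# 546/UDP (DHCPv6 client, link-local) is hardcoded (opened) so don't specify it here
# Inbound is default-deny; keep both lists empty unless this host serves
# something. Entries are plain integer ports -- quote them if a "port:proto" or
# range form is ever introduced, so YAML does not re-type them.
opened_ports:
  tcp: []
  udp: []
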
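# earlyoom kills processes on its own so make it optional
earlyoom:
  set_priority: true
  # PERCENT[,KILL_PERCENT]: SIGTERM below the first threshold, SIGKILL below the
  # second. Quoted on purpose -- "5,2" is a string, not a number.
  mem_min_percent: '5,2'
  swap_min_percent: '10,5'

# auditd by default rotates its logfile when reaching file size limit
# Size-based rotation means a noisy burst can rotate evidence out within minutes;
# with daily rotation off, make sure num_logs/max_log_file in auditd.conf keep
# enough history, or forward the audit log off-host.
auditd_logrotate_daily: false
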
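# Configuration for filesystem snapshot tools ─────────────────────────────────

# Presumably only rendered when `snapshot_tool` is snapper.
# Snapshots keep every deleted file (removed keys, tokens in shell history, ...)
# readable for as long as the retention below allows; the .snapshots directory
# must stay root-only for that to be acceptable.
snapper:
  - name: home
    subvolume: /home
    pre_post_cleanup:
      enabled: true
    number_cleanup:
      enabled: false
    timeline:
      cleanup_enabled: true
      min_age: 1800
      hourly: 8
      daily: 4
      weekly: 2
      monthly: 0
      yearly: 0
  - name: root
    subvolume: /
    pre_post_cleanup:
      enabled: true
      min_age: 900
    number_cleanup:
      enabled: true
      min_age: 1800
      # snapper NUMBER_LIMIT range "min-max"; quoted so it is never re-typed
      limit: '10-30'
      limit_important: 10
    timeline:
      cleanup_enabled: false
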
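# NOTE: some caveats to reduce config complexity
# - use the same targets for all subvolumes in each volume definition
# - use the same global retention policy for snapshot/backup/archive
# - there's only 1 global ssh config, 1 global crontab
# Snapshots are not backups: no `target` is defined here, so a disk failure or a
# root-level wipe of the volume takes every snapshot with it. The daily `resume`
# presumably has nothing to send until a target is added -- confirm in the role.
# Deleted secrets stay readable to root inside @snapshots for the whole retention.
btrbk:
  cron:
    hourly: snapshot
    daily: resume
  options:
    # btrbk runs as root; make sure the directory holding the lockfile is not
    # writable by unprivileged users, or anyone can pre-create it and block runs.
    lockfile: /var/lock/btrbk.lock
    logfile: /var/log/btrbk.log
    syslog: cron
    timestamp_format: long
  snapshot:
    # snapshot_preserve_min / snapshot_preserve in btrbk syntax
    min_age: 6h
    policy: 16h 8d 4w 2m
  volumes:
    - path: /mnt/root
      snapshot_dir: '@snapshots'  # quoted: a leading @ is reserved in YAML
      subvolumes: ['@home', '@']
    - path: /mnt/media
      snapshot_dir: '@snapshots'
      subvolumes: ['@']
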
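# See /etc/sanoid/sanoid.defaults.conf file for all config options
# Presumably only rendered when `snapshot_tool` is sanoid.
sanoid:
  templates:
    production:
      frequent_period: 30
      hourly: 16
      daily: 8
      weekly: 4
      monthly: 2
      # sanoid expects the literal words yes/no; keep them quoted or a YAML 1.1
      # loader turns them into booleans
      autosnap: 'yes'
      autoprune: 'yes'
  datasets:
    rpool/ALPINE/root:
      use_template: production
    rpool/ALPINE/home:
      use_template: production
      # frequent_period only matters together with a non-zero `frequently` count;
      # if sanoid.defaults.conf still ships frequently = 0, no frequent snapshots
      # are taken as written -- verify against the defaults file
      frequent_period: 15

# Explicit null (same value as a bare `zrepl:`): nothing is configured for zrepl.
zrepl: null
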
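# Secrets encrypted with ansible-vault ────────────────────────────────────────

# `vault_password` must come from a vault-encrypted vars file; this indirection keeps
# the secret out of the plaintext inventory. Tasks consuming it should set
# `no_log: true`, and it must not be echoed by `debug:` or stored in a cached fact.
# Presumably the login password for `username`: if the role passes it to the user
# module it has to be hashed (password_hash) -- a plaintext value there is written
# verbatim into /etc/shadow.
password: '{{ vault_password }}'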