145 lines
4.2 KiB
YAML
145 lines
4.2 KiB
YAML
---
|
|
# Choices of components ────────────────────────────────────────────────────────────
|
|
# NOTE: verified with `reqirements/accepted_variables.yml`, so keep them as top-level
|
|
|
|
snapshot_tool: btrbk
|
|
|
|
initramfs_generator: mkinitfs
|
|
|
|
usershell: fish
|
|
|
|
seat_manager: seatd
|
|
|
|
dhcp_client: udhcpc
|
|
|
|
# acpid implementation to use when elogind is not present
|
|
acpid_daemon: busybox
|
|
|
|
device_manager: udev
|
|
|
|
crond_provider: cronie
|
|
|
|
syslog_provider: busybox
|
|
|
|
ntp_client: ntpsec
|
|
|
|
dns_resolver: dnscrypt-proxy
|
|
|
|
# Configurations ───────────────────────────────────────────────────────────────────
|
|
|
|
repository: https://ftp.udx.icscoe.jp/Linux/alpine
|
|
|
|
rootfs: btrfs
|
|
|
|
username: follie
|
|
|
|
# Don't specify "seat" or "polkitd" group here
|
|
usergroups: [wheel, input, audio, video, libvirt, users, pipewire]
|
|
|
|
# Public NTP pools: https://www.ntppool.org/en/use.html
|
|
# Public NTS-enabled servers: https://github.com/jauderho/nts-servers
|
|
ntp_opts:
|
|
# NOTE: peer option isn't available in ntpsec.
|
|
# Also, we are just the NTP client => no need to exchange time with anyone
|
|
pools: []
|
|
servers:
|
|
- time.cloudflare.com
|
|
- ntpmon.dcs1.biz
|
|
- nts.netnod.se
|
|
- ntp.zeitgitter.net
|
|
- virginia.time.system76.com
|
|
- ntp3.fau.de
|
|
- gps.ntp.br
|
|
# include 'nts' option on each server directive (common NTP pools don't support NTS yet)
|
|
nts_enabled: true
|
|
|
|
dnscrypt:
|
|
adblock: true
|
|
server_names:
|
|
- quad9-doh-ip4-port443-filter-pri
|
|
- quad9-doh-ip6-port443-filter-pri
|
|
- quad9-dnscrypt-ip4-filter-pri
|
|
- cloudflare-security
|
|
- cloudflare-security-ipv6
|
|
ephemeral_keys: true
|
|
tls_disable_session_tickets: true
|
|
tls_cipher_suite: [52392, 49199]
|
|
bootstrap_resolvers: [9.9.9.9:53, 1.1.1.1:53]
|
|
netprobe_address: 1.1.1.1:53
|
|
local_doh:
|
|
enabled: false
|
|
listen_addresses: [127.0.0.1:3012]
|
|
path: '/dns-query'
|
|
anonymized_dns: # not compatible with DoH and ODoH servers
|
|
enabled: false
|
|
routes:
|
|
- server_name: '*'
|
|
via:
|
|
- anon-tiarap
|
|
- anon-tiarap-ipv6
|
|
- anon-cs-tokyo
|
|
- anon-cs-sk
|
|
|
|
unbound_upstream_nameservers:
|
|
- 9.9.9.9@853#dns.quad9.net
|
|
- 149.112.112.112@853#dns.quad9.net
|
|
- 2620:fe::fe@853#dns.quad9.net
|
|
- 2620:fe::9@853#dns.quad9.net
|
|
- 1.1.1.1@853#cloudflare-dns.com
|
|
- 1.0.0.1@853#cloudflare-dns.com
|
|
- 2606:4700:4700::1111@853#cloudflare-dns.com
|
|
- 2606:4700:4700::1001@853#cloudflare-dns.com
|
|
|
|
# Enable/Disable access to /sys/firmware/efi/efivars
|
|
disable_uefi_access: false
|
|
|
|
# Should polkit be used
|
|
# NOTE: have no effect when seat_manager == 'elogind'
|
|
polkit: false
|
|
|
|
# Should be a file name existed inside /usr/share/consolefonts/
|
|
console_font: ter-h22b.psf.gz
|
|
|
|
# 'virtlockd' and 'virtlogd' will always be started so don't list them here
|
|
libvirt_daemons:
|
|
- virtinterfaced
|
|
- virtnetworkd
|
|
- virtnodedevd
|
|
- virtqemud
|
|
- virtstoraged
|
|
|
|
# Whether to use `iwd` or `eiwd`
|
|
iwd_without_dbus: false
|
|
|
|
# RFC 7217: generate a stable IPv6 link-local address for SLAAC
|
|
# NOTE: this is the default for dhcpcd (slaac private), and `stable-privacy` flag doesn't appear in `ip a` in this case
|
|
ipv6_stable_privacy_addr: true
|
|
|
|
# Public facing network interfaces to configured
|
|
# - ip4_addr, ip6_addr should include netmask (e.g. 192.168.1.10/24)
|
|
# - don't include wireless interfaces here as they should use dhcp with iwctl
|
|
# - udhcpc: https://wiki.alpinelinux.org/wiki/Configure_Networking
|
|
network_interfaces:
|
|
- name: eth0
|
|
ip4_type: dhcp
|
|
ip6_type: auto
|
|
|
|
# Punching holes on the machine
|
|
# 546/UDP (IPv6 link-local client) is hardcoded (opened) so don't specify it here
|
|
opened_ports:
|
|
tcp: []
|
|
udp: []
|
|
|
|
# earlyoom kills processes on its own so make it optional
|
|
earlyoom:
|
|
set_priority: true
|
|
mem_min_percent: 5,2
|
|
swap_min_percent: 10,5
|
|
|
|
# auditd by default rotates its logfile when reaching file size limit
|
|
auditd_logrotate_daily: false
|
|
|
|
# Secrets encrypted with ansible-vault ────────────────────────────────────────
|
|
|
|
password: '{{ vault_password }}'
|