sysconfig/group_vars/all.yml


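---
# Choices of components ────────────────────────────────────────────────────────────
# NOTE: verified with `reqirements/accepted_variables.yml`, so keep them as top-level
snapshot_tool: btrbk
initramfs_generator: mkinitfs
usershell: fish
seat_manager: seatd
dhcp_client: udhcpc
# acpid implementation to use when elogind is not present
acpid_daemon: busybox
device_manager: udev
crond_provider: cronie
syslog_provider: busybox
ntp_client: ntpsec
dns_resolver: dnscrypt-proxy

# Configurations ───────────────────────────────────────────────────────────────────
# Package mirror; keep it on HTTPS so index/package downloads are not tampered with in transit
repository: https://ftp.udx.icscoe.jp/Linux/alpine
rootfs: btrfs
username: follie
# Don't specify "seat" or "polkitd" group here
usergroups: [wheel, input, audio, video, libvirt, users, pipewire]

# Public NTP pools: https://www.ntppool.org/en/use.html
# Public NTS-enabled servers: https://github.com/jauderho/nts-servers
ntp_opts:
  # NOTE: peer option isn't available in ntpsec.
  # Also, we are just the NTP client => no need to exchange time with anyone
  pools: []
  servers:
    - time.cloudflare.com
    - ntpmon.dcs1.biz
    - nts.netnod.se
    - ntp.zeitgitter.net
    - virginia.time.system76.com
    - ntp3.fau.de
    - gps.ntp.br
  # include 'nts' option on each server directive (common NTP pools don't support NTS yet)
  nts_enabled: true

dnscrypt:
  adblock: true
  server_names:
    - quad9-doh-ip4-port443-filter-pri
    - quad9-doh-ip6-port443-filter-pri
    - quad9-dnscrypt-ip4-filter-pri
    - cloudflare-security
    - cloudflare-security-ipv6
  ephemeral_keys: true
  tls_disable_session_tickets: true
  # TLS 1.2 cipher suite IDs: 52392 = 0xCCA8 (ECDHE-RSA-CHACHA20-POLY1305),
  # 49199 = 0xC02F (ECDHE-RSA-AES128-GCM-SHA256); must stay integers
  tls_cipher_suite: [52392, 49199]
  # host:port values are strings — quoted so no YAML parser can retype them
  bootstrap_resolvers: ['9.9.9.9:53', '1.1.1.1:53']
  netprobe_address: '1.1.1.1:53'
  local_doh:
    enabled: false
    listen_addresses: ['127.0.0.1:3012']
    path: '/dns-query'
  anonymized_dns:  # not compatible with DoH and ODoH servers
    enabled: false
    routes:
      - server_name: '*'
        via:
          - anon-tiarap
          - anon-tiarap-ipv6
          - anon-cs-tokyo
          - anon-cs-sk

# Upstream forwarders in `address@port#tls-auth-name` form; quoted because the
# value contains '#' and ':' characters
# NOTE(review): assumed to be read only when the unbound alternative is selected — confirm against the roles
unbound_upstream_nameservers:
  - '9.9.9.9@853#dns.quad9.net'
  - '149.112.112.112@853#dns.quad9.net'
  - '2620:fe::fe@853#dns.quad9.net'
  - '2620:fe::9@853#dns.quad9.net'
  - '1.1.1.1@853#cloudflare-dns.com'
  - '1.0.0.1@853#cloudflare-dns.com'
  - '2606:4700:4700::1111@853#cloudflare-dns.com'
  - '2606:4700:4700::1001@853#cloudflare-dns.com'

# Enable/Disable access to /sys/firmware/efi/efivars
disable_uefi_access: false
# Should polkit be used
# NOTE: has no effect when seat_manager == 'elogind'
polkit: false
# Should be a file name that exists inside /usr/share/consolefonts/
console_font: ter-h22b.psf.gz
# 'virtlockd' and 'virtlogd' will always be started so don't list them here
libvirt_daemons:
  - virtinterfaced
  - virtnetworkd
  - virtnodedevd
  - virtqemud
  - virtstoraged
# Whether to use `iwd` or `eiwd`
iwd_without_dbus: false
# RFC 7217: generate a stable IPv6 link-local address for SLAAC
# NOTE: this is the default for dhcpcd (slaac private), and `stable-privacy` flag doesn't appear in `ip a` in this case
ipv6_stable_privacy_addr: true
# Public facing network interfaces to be configured
# - ip4_addr, ip6_addr should include netmask (e.g. 192.168.1.10/24)
# - don't include wireless interfaces here as they should use dhcp with iwctl
# - udhcpc: https://wiki.alpinelinux.org/wiki/Configure_Networking
network_interfaces:
  - name: eth0
    ip4_type: dhcp
    ip6_type: auto
# Punching holes on the machine
# 546/UDP (IPv6 link-local client) is hardcoded (opened) so don't specify it here
opened_ports:
  tcp: []
  udp: []
# earlyoom kills processes on its own so make it optional
earlyoom:
  set_priority: true
  # earlyoom's "PERCENT,KILL_PERCENT" pairs are strings, so quote them rather
  # than relying on the parser treating "5,2" as plain text
  mem_min_percent: '5,2'
  swap_min_percent: '10,5'
# auditd by default rotates its logfile when reaching file size limit
auditd_logrotate_daily: false

# Secrets encrypted with ansible-vault ────────────────────────────────────────
# Only the vault variable name lives here; the value is decrypted at play time
password: '{{ vault_password }}'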