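---
# Test playbook that applies the roles under ../roles to every host in the
# inventory with a fixed set of variables. Values here are test fixtures
# (example.org hostnames, snakeoil certificates, a throwaway admin password);
# they are not meant for a real deployment.
- name: generic tests for all the roles
  hosts: all
  vars:
    ansible_python_interpreter: /usr/bin/python3

    # hostname role
    hostname: example.org
    hostname_aliases:
      - example

    # nftables role: rules are passed through as nft rule strings
    nftables_output_policy: accept
    nftables_input_rules:
      - tcp dport ssh ct state new limit rate 15/minute accept comment "Accept SSH on port 22 but avoid brute force"
      - tcp dport { http, https } accept comment "Accept HTTP (ports 80, 443)"
      - tcp dport { submission, imaps } accept comment "Accept SSMTP and IMAPS"

    # iptables role: rules are passed through as iptables arguments
    iptables_output_policy: accept
    iptables_rules:
      - -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      - -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      - -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

    # admin role. The password is a test-only placeholder; outside of tests
    # this value should come from a vault/secret store, not from the playbook.
    admin_user: administrator
    admin_password: the_secret_password
    admin_key_file: ~/.ssh/test/id_rsa.pub

    # snake_oil_cert role: self-signed certificates for the nginx/mail tests
    snake_oil_cert_domains:
      - example.org
      - example2.org
      - mail.example.org

    # nginx role: certificate paths point at the snake_oil_cert output
    nginx_vhosts:
      - servername: example.org
        serveralias:
          - www.example.org
          - www2.example.org
        acme_challenges: /tmp/acme
        ssl_certificate: /var/lib/snakeoil/certs/example.org/fullchain.pem
        ssl_certificate_key: /var/lib/snakeoil/certs/example.org/privkey.pem
        ssl_trusted_certificate: /var/lib/snakeoil/certs/example.org/fullchain.pem
      - servername: example2.org
        serveralias:
          - www.example2.org
          - www2.example2.org
        ssl_certificate: /var/lib/snakeoil/certs/example2.org/fullchain.pem
        ssl_certificate_key: /var/lib/snakeoil/certs/example2.org/privkey.pem
        ssl_trusted_certificate: /var/lib/snakeoil/certs/example2.org/fullchain.pem

    # dehydrated role: each entry is one certificate, "main alt ..." per line
    dehydrated_email: test@example.org
    dehydrated_domains:
      - example.org www.example.org
      - example2.org

    # users role
    users_list:
      - username: eriol
        # Quoted: a bare `!` is a YAML tag indicator and parses as an empty
        # string, not as the literal "!" (locked password field on Linux).
        password: '!'
        key: ~/.ssh/test/id_rsa.pub
        # Forced command on the authorized key; presumably written into
        # authorized_keys as-is by the users role.
        key_options: 'command="/usr/bin/date"'
      - username: melchisedec
        state: absent
        remove: true

  roles:
    # - ../roles/apt_dist_upgrade
    # - ../roles/common
    - ../roles/hostname
    # - ../roles/nftables
    # - ../roles/iptables
    # - ../roles/sshd
    # - ../roles/fail2ban
    # - ../roles/snake_oil_cert
    # - ../roles/users
    # - ../roles/dehydrated
    # - ../roles/nginx
    # - ../roles/admin
    # - ../roles/docker
    # - {role: ../roles/mailserver}
    # - {role: ../roles/weechat}
    # Uncomment to test wikijs role: it's commented since the tarball that we
    # have to download is more than 60MB.
    # - {role: ../roles/wikijs, become: true, wikijs_db_type: sqlite}
    # - ../roles/adguardhome
    # - {role: ../roles/n8n, become: true}
    # - {role: ../roles/beehive,
    #    become: true,
    #    beehive_bind: 10.10.10.10:8181,
    #    beehive_canonical_url: http://10.10.10.10:8181}
    # - {role: ../roles/homeassistant, become: true}
    - ../roles/mosquitto
    # - {role: ../roles/generate_ca, become: true}
    # - {role: ../roles/generate_certificate, become: true}
    # - {role: ../roles/gitea, become: true}
    # - ../roles/dokku
    # The easy ports sequence is just for test. Also don't disable strict IP
    # filtering on production.
    # - {role: ../roles/knockd, ports: [3333, 4444, 5555], network_interface: eth1, filter_ip: ""}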