Possible Vars
data/users/
---
first_name: Anton Tobias
last_name: Mustermann
full_name: Anton Tobias Mustermann
mail_address: antontobias.mustermann@perfact.de
mail_virtual:
- amustermann@perfact.de
- mustermann@perfact.de
- amu@perfact.de
- antontobias.mustermann@perfact-innovation.de
- otheradress@perfact.de
# unique user id for all systems with ldap from 2023:
posixuserid: 1546 # must be unique
ssh_keys:
# one pub-key, transferred from pffile, for access to perfact@systems:
pffile: "ssh-rsa AAAA... First.Last@PerFact.DE"
# list of pub-keys stored on the laptop for initial connect_perfact connections;
# these keys are forced to "no-pty"
laptop:
- "ssh-rsa AAAA... username@username.laptop"
# departments of the employee; controls ssh-access to systems
departments:
- project_realization
- internal
- internalit
- internal_prod
- key_account
# for mail signatures
## required parameters:
# a signature for the user will only be generated if
# position or position_eng is set
position: # signature text (German)
position_eng: # signature text (English)
## optional parameters:
signature_name: # if the name in the signature is not
# `first_name` `last_name`, e.g. "i.V. Max Mustermann",
# "Dr. Max Mustermann", or if the name contains umlauts.
telefon_extention: # the extension of the local phone number @ perfact
mobil: # in the form: "Mobile: +49 1nn nnn nnn nn"
evo: true # generates a signature for Perfact Evolution
data/hosts/
All possible variables for hosts
---
phonehome:
# pub-key for phonehome connection:
# all keys are prefixed with no-pty
# if option permitopen is not given, it defaults to permitopen="127.0.0.1:1"
# if option permitlisten is not given, it defaults to permitlisten="localhost:*"
ssh-key: (ssh-rsa|ecdsa-...) ... zop@systemname # (preferred: name of ssh-connection)
port: 10xxx
# allow ssh-access to this host for users not granted by department:
ssh_allow_user_access:
- mmusterfrau
- anotheruser
# list of ssh-pub-keys (keys without users) for ssh perfact@system
extra_ssh_keys:
- "ssh-rsa AAAAB... M.Muserfrau@Perfct.DE"
- ....
# more keys for user pfremote - only on system pf-phonehome-2020-prod
extra_ssh_keys_pfremote:
- 'ssh-rsa ...'
- 'ecdsa-sha2-nistp521 ...'
- 'ssh-ed25519 ...'
# Ansible uses ssh ansible_user@system
ansible_user: perfact # defaults to perfact
# if there is no sshd to connect to (example: nolte-dashboard-01/2)
no_sshd: true # (defaults to false)
# Perfact-Facts:
pfsystemid: xxxxxxxx # used to setup new systems
pfsystemname: pf-phonehome-2020-prod # example, no default
# usage of the phonehome-checker:
perfact_phonehome_checker:
use_checker: true # create config and check phonehome connection for this host (default: false)
alert_cycles: 5 # (defaults to 5)
# postfix
# relay host - defaults to mail.perfact.de
postfix_smtp_relay_host: smtp-dmz.perfact.de # for servers in the perfact-DMZ
postfix_smtp_hostname: pf-phonehome-2020-prod.perfact.de # example, no default
# mailname
postfix_smtp_mailname: pf-phonehome-2020-prod.perfact.de # example, no default
# controlling pffirewall
firewall_int_dev: 'ens18' # example, no default
firewall_int_net: '192.168.51.0/24' # example, no default
firewall_clientRules:
- '$INT_IP 192.168.51.1 "53"' # example, no default
firewall_serverRules:
# allow ssh-server
- '$INT_IP $ANY_NET "22" tcp' # example, no default
firewall_customRules:
# custom-defined rules
- 'iptables -A FORWARD ....' # example, no default
# for Monit
monit_start_delay: 180 # delay the first check by this many seconds - defaults to 180
monit_smtp_server: smtp-dmz.perfact.de # defaults to "mail.perfact.de, mail02.perfact.de, mail01.perfact.de"
monit_root_device: /dev/mapper/ubuntu--vg-ubuntu--lv
monit_boot_device: /dev/vda2
monit_backup_device: /dev/system/backup # defaults to NULL
# either dump or borg, defaults to borg
pfbackup_type: borg
# should the database be backed up? defaults to true
pfbackup_includedb: true
# vars used for BackupPC on pf-backup
quadrant_backup:
# possible vars
# use ip or ssh_hostname if the systemname cannot be resolved by DNS
ssh_hostname: # hostname or IP for the ssh-connection, defaults to the ansible-systemname
ip: # IP address for /etc/hosts if the systemname cannot be resolved by DNS
ssh_port: 22 # defaults to 22
ssh_user: userwithsshaccess # defaults to root
database_backup: true # (defaults to False)
BackupExcludes: # list of dirs or files not to backup
- '/dir1_not_to_backup'
- '/dir2_not_to_backup'
DisableBackupExcludeDefaults: false # true: don't use the default exclude-list
backuppc_client_conf: # additional parameters for BackupPC
param1: value # without a leading "-" it is a dictionary
param2: value
PingMaxMsec: 1
# PingMaxMsec: 45 # alternative example value (a key may only appear once)
BackupFilesOnly: "{ '/vol/backup/pf-gate' => [ '' ] }"
ClientNameAlias: "'hostname'"
# limit io to avoid high system load or traffic, in Bytes/s
# 100 Mbit/s ~ 100000 Byte/s
RsyncArgsExtra: "[ '--bwlimit=20000' ]"
# RsyncArgsExtra: "[ '--bwlimit=5000000' ]" # alternative example value (a key may only appear once)
#
# if host cannot be resolved and you want to disable the check
NmbLookupCmd: "'/usr/bin/true'"
NmbLookupFindHostCmd: "'/usr/bin/true'"
PingCmd: "'/usr/bin/true'"
DumpPreUserCmd: # defaults to '$sshPath -q -x -l root $host /opt/perfact/custom/backuppc-pg_basebackup.sh'
# Attention: the single quotes have to be surrounded by double quotes, e.g.:
# DumpPreUserCmd: "'$sshPath -q -x -l root $host /opt/perfact/custom/backuppc-pg_basebackup-custom.sh'"
DumpPostUserCmd: # defaults to '$sshPath -q -x -l root $host /opt/perfact/custom/backuppc-pg_basebackup-remove.sh'
rear_install: true # install REAR (defaults to false)
# variables to include software that is installed on server
software:
- measure # install measure and config
- database # configure measure for database
- haproxy # configure measure for haproxy
- ema # configure measure for ema
- clamav # configure measure for clamav
# only for ldap servers:
# purge ldap config and deploy ldap schemas - remove afterwards, before going live
init_ldap: true
# put init data on the system - remove afterwards, before going live
init_users: true
# ldap
ldap_basedn: "dc=perfact,dc=de"
# only for perfact-mail-[devel|prod]
# volume /vol/mail
vg_name_mail: system
vol_mail_size: 1G