mash-playbook/roles/mash/playbook_base/defaults/main.yml

83 lines
4.4 KiB
YAML

---
# Controls the identifier for this MASH stack.
# This affects user/groups, systemd service names, container names, container networks, base installation path, etc.
mash_playbook_identifier: mash
mash_playbook_user_username: "{{ mash_playbook_identifier }}"
mash_playbook_user_groupname: "{{ mash_playbook_identifier }}"
mash_playbook_user_home: "{{ mash_playbook_base_path }}"
# By default, the playbook creates the user (`mash_playbook_user_username`)
# and group (`mash_playbook_user_groupname`) with a random id.
# To use a specific user/group id, override these variables.
mash_playbook_uid: ~
mash_playbook_gid: ~
# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
mash_playbook_generic_secret_key: ''
# Controls the prefix used for all service identifiers.
# This affects systemd service names, container names, container networks, etc.
mash_playbook_service_identifier_prefix: "{{ mash_playbook_identifier }}-"
# Controls the prefix of the base directory for all services.
# Example: `/mash/{PREFIX}traefik`.
# If `mash_playbook_identifier` is the default (mash), we intentionally use an empty prefix.
mash_playbook_service_base_directory_name_prefix: "{{ '' if mash_playbook_identifier == 'mash' else (mash_playbook_identifier + '-') }}"
# Controls the base path where all services will be installed
mash_playbook_base_path: "/{{ mash_playbook_identifier }}"
mash_playbook_base_path_mode: "750"
# The architecture that your server runs.
# Recognized values by us are 'amd64', 'arm32' and 'arm64'.
# Not all architectures support all services, so your experience (on non-amd64) may vary.
mash_playbook_architecture: "{{ 'amd64' if ansible_architecture == 'x86_64' else ('arm64' if ansible_architecture == 'aarch64' else ('arm32' if ansible_architecture.startswith('armv') else '')) }}"
# Specifies the type of reverse-proxy used by the playbook.
#
# Changing this has an effect on whether a reverse-proxy is installed at all and what its type is,
# as well as how all other services are configured.
#
# Valid options and a description of their behavior:
#
# - `playbook-managed-traefik`
# - the playbook will run a managed Traefik instance (mash-traefik)
# - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`)
# - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email`
#
# - `other-traefik-container`
# - this playbook will not install Traefik
# - nevertheless, the playbook expects that you would install Traefik yourself via other means
# - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure entrypoints, etc.)
# - you need to set `mash_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
#
# - `none`
# - no reverse-proxy will be installed
# - no port exposure will be done for any of the container services
# - it's up to you to expose the ports you want, etc.
mash_playbook_reverse_proxy_type: none
# Controls whether to install Docker or not
# Also see `devture_docker_sdk_for_python_installation_enabled`.
mash_playbook_docker_installation_enabled: false
# Controls whether to attach Traefik labels to services.
# This is separate from `devture_traefik_enabled`, because you may wish to disable Traefik installation by the playbook,
# yet still use Traefik installed in another way.
mash_playbook_traefik_labels_enabled: "{{ mash_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
# Controls the additional network that reverse-proxyable services will be connected to.
mash_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled | default(false) else '' }}"
# Controls whether various services should expose metrics publicly.
# If Prometheus is operating on the same machine, exposing metrics publicly is not necessary.
mash_playbook_metrics_exposure_enabled: false
mash_playbook_metrics_exposure_hostname: ''
mash_playbook_metrics_exposure_path_prefix: /metrics
mash_playbook_metrics_exposure_http_basic_auth_enabled: false
# See https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
mash_playbook_metrics_exposure_http_basic_auth_users: ''