581 lines
15 KiB
YAML
581 lines
15 KiB
YAML
|
---
|
||
|
# Three hosts are defined but the quickstart script filters using an environment variable
|
||
|
# so only one host is provisioned at a time by quickstart.
|
||
|
all:
|
||
|
vars:
|
||
|
ansible_winrm_transport: credssp
|
||
|
ansible_winrm_server_cert_validation: ignore
|
||
|
children:
|
||
|
desktop:
|
||
|
children:
|
||
|
nix:
|
||
|
hosts:
|
||
|
standard:
|
||
|
ansible_connection: local
|
||
|
vars:
|
||
|
ansible_password: "{{ lookup('env', 'ANSIBLE_PASSWORD') }}"
|
||
|
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
|
||
|
qubes:
|
||
|
vars:
|
||
|
ansible_connection: qubes
|
||
|
ansible_password: "{{ lookup('env', 'ANSIBLE_PASSWORD') | default('') }}"
|
||
|
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') | default('user') }}"
|
||
|
ansible_python_interpreter: /usr/bin/python3
|
||
|
qubes:
|
||
|
dom0_vm: dom0
|
||
|
hosts:
|
||
|
dom0:
|
||
|
blank:
|
||
|
qubes:
|
||
|
vm_type: TemplateVM
|
||
|
children:
|
||
|
qubes-vms:
|
||
|
vars:
|
||
|
install_grub_theme: false
|
||
|
install_plymouth_theme: false
|
||
|
memory: 512
|
||
|
maxmem: 4096
|
||
|
vcpus: 2
|
||
|
children:
|
||
|
system-vms:
|
||
|
template-vms:
|
||
|
net-vms:
|
||
|
proxy-vms:
|
||
|
app-vms:
|
||
|
standalone-vms:
|
||
|
windows:
|
||
|
hosts:
|
||
|
standard:
|
||
|
ansible_connection: winrm
|
||
|
vars:
|
||
|
ansible_password: "{{ lookup('env', 'ANSIBLE_PASSWORD') }}"
|
||
|
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
|
||
|
|
||
|
app-vms:
|
||
|
vars:
|
||
|
qubes:
|
||
|
maxmem: 2048
|
||
|
memory: 512
|
||
|
_netvm: sys-firewall
|
||
|
vm_type: AppVM
|
||
|
children:
|
||
|
app-dvms:
|
||
|
vars:
|
||
|
qubes:
|
||
|
label: gray
|
||
|
template_for_dispvms: true
|
||
|
hosts:
|
||
|
anon-dvm:
|
||
|
qubes:
|
||
|
template: anon-tmpl
|
||
|
template_vm: anon-tmpl
|
||
|
dev-dvm:
|
||
|
qubes:
|
||
|
template: dev-tmpl
|
||
|
template_vm: dev-tmpl
|
||
|
media-dvm:
|
||
|
qubes:
|
||
|
template: media-tmpl
|
||
|
template_vm: media-tmpl
|
||
|
office-dvm:
|
||
|
qubes:
|
||
|
template: office-tmpl
|
||
|
template_vm: office-tmpl
|
||
|
services-dvm:
|
||
|
qubes:
|
||
|
template: services-tmpl
|
||
|
template_vm: services-tmpl
|
||
|
util-dvm:
|
||
|
qubes:
|
||
|
template: util-tmpl
|
||
|
template_vm: util-tmpl
|
||
|
web-dvm:
|
||
|
qubes:
|
||
|
template: web-tmpl
|
||
|
template_vm: web-tmpl
|
||
|
primary-dvm-templates:
|
||
|
vars:
|
||
|
qubes:
|
||
|
label: gray
|
||
|
template_for_dispvms: true
|
||
|
hosts:
|
||
|
debian-11-dvm:
|
||
|
qubes:
|
||
|
template: debian-11
|
||
|
template_vm: debian-11
|
||
|
debian-11-base-dvm:
|
||
|
qubes:
|
||
|
template: debian-11-base
|
||
|
template_vm: debian-11-base
|
||
|
fedora-36-dvm:
|
||
|
qubes:
|
||
|
template: fedora-36
|
||
|
template_vm: fedora-36
|
||
|
fedora-36-base-dvm:
|
||
|
qubes:
|
||
|
template: fedora-36-base
|
||
|
template_vm: fedora-36-base
|
||
|
net-dvm:
|
||
|
randomize_mac_address: true
|
||
|
qubes:
|
||
|
template: net-tmpl
|
||
|
template_vm: net-tmpl
|
||
|
standard-vms:
|
||
|
hosts:
|
||
|
crypto:
|
||
|
qubes:
|
||
|
_netvm: sys-vpn-proton
|
||
|
template: crypto-tmpl
|
||
|
template_vm: crypto-tmpl
|
||
|
dev:
|
||
|
persistent_docker_volumes: true
|
||
|
qubes:
|
||
|
maxmem: 8192
|
||
|
_netvm: sys-vpn-proton
|
||
|
template: dev-tmpl
|
||
|
template_vm: dev-tmpl
|
||
|
vcpus: 4
|
||
|
gpg:
|
||
|
qubes:
|
||
|
label: green
|
||
|
template: gpg-tmpl
|
||
|
template_vm: gpg-tmpl
|
||
|
kubernetes:
|
||
|
persistent_docker_volumes: true
|
||
|
qubes:
|
||
|
autostart: true
|
||
|
maxmem: 8192
|
||
|
_netvm: sys-vpn-pritunl
|
||
|
template: kubernetes-tmpl
|
||
|
template_vm: kubernetes-tmpl
|
||
|
vcpus: 4
|
||
|
vm_type: NetVM
|
||
|
volume:
|
||
|
private: 10
|
||
|
personal:
|
||
|
persistent_docker_volumes: true
|
||
|
qubes:
|
||
|
maxmem: 8192
|
||
|
_netvm: sys-vpn-proton
|
||
|
template: personal-tmpl
|
||
|
template_vm: personal-tmpl
|
||
|
vcpus: 4
|
||
|
# pritunl-server:
|
||
|
# qubes:
|
||
|
# # _netvm: opnsense
|
||
|
# _netvm: sys-firewall
|
||
|
# template_vm: pritunl-server-tmpl
|
||
|
# provision:
|
||
|
# qubes:
|
||
|
# _netvm: sys-vpn-pritunl
|
||
|
# template_vm: provision-tmpl
|
||
|
remote:
|
||
|
qubes:
|
||
|
_netvm: sys-vpn-pritunl
|
||
|
template: remote-tmpl
|
||
|
template_vm: remote-tmpl
|
||
|
swarm:
|
||
|
persistent_docker_volumes: true
|
||
|
qubes:
|
||
|
autostart: true
|
||
|
maxmem: 8192
|
||
|
_netvm: sys-vpn-pritunl
|
||
|
template: swarm-tmpl
|
||
|
template_vm: swarm-tmpl
|
||
|
vcpus: 4
|
||
|
volume:
|
||
|
private: 10
|
||
|
vault:
|
||
|
qubes:
|
||
|
label: green
|
||
|
template: vault-tmpl
|
||
|
template_vm: vault-tmpl
|
||
|
work:
|
||
|
persistent_docker_volumes: true
|
||
|
qubes:
|
||
|
maxmem: 8192
|
||
|
_netvm: sys-vpn-pritunl
|
||
|
template: work-tmpl
|
||
|
template_vm: work-tmpl
|
||
|
vcpus: 4
|
||
|
vars:
|
||
|
qubes:
|
||
|
label: purple
|
||
|
template_vm: fedora-36-base
|
||
|
|
||
|
specialty-vms:
|
||
|
vars:
|
||
|
qubes:
|
||
|
vm_type: AppVM
|
||
|
hosts:
|
||
|
api:
|
||
|
qubes:
|
||
|
label: orange
|
||
|
template: provision-tmpl
|
||
|
template_vm: provision-tmpl
|
||
|
maas:
|
||
|
qubes:
|
||
|
label: orange
|
||
|
# _netvm: opnsense
|
||
|
template: provision-tmpl
|
||
|
template_vm: provision-tmpl
|
||
|
mirror:
|
||
|
qubes:
|
||
|
label: orange
|
||
|
template: docker-tmpl
|
||
|
template_vm: docker-tmpl
|
||
|
pfsense:
|
||
|
pritunl:
|
||
|
qubesos-build:
|
||
|
qubes:
|
||
|
template: fedora-32
|
||
|
template_vm: fedora-32
|
||
|
seconion:
|
||
|
|
||
|
net-vms:
|
||
|
hosts:
|
||
|
# opnsense:
|
||
|
# ansible_password: "{{ lookup('env', 'OPNSENSE_PASSWORD') }}"
|
||
|
# ansible_user: "{{ lookup('env', 'OPNSENSE_USER') }}"
|
||
|
# qubes:
|
||
|
# _netvm: none
|
||
|
# pcidevs: '{{ sys_net_pcidevs | default([]) }}'
|
||
|
# provides_network: true
|
||
|
# template: opnsense-tmpl
|
||
|
# template_vm: opnsense-tmpl
|
||
|
# volume:
|
||
|
# root: 40g
|
||
|
# TODO - Add Security Onion to stack.
|
||
|
# Note - Ideally it should be run on another offline computer passively tapped into the Ethernet but in the spirit of mashing everything into one computer.. leaving this as a note for now -- PRs weldome
|
||
|
# seconion:
|
||
|
# ansible_password: "{{ lookup('env', 'SECONION_PASSWORD') }}"
|
||
|
# ansible_user: "{{ lookup('env', 'SECONION_USER') }}"
|
||
|
# qubes:
|
||
|
# template: seconion-tmpl
|
||
|
# template_vm: seconion-tmpl
|
||
|
# volume:
|
||
|
# root: 400g
|
||
|
vars:
|
||
|
ansible_connection: ssh
|
||
|
qubes:
|
||
|
autostart: true
|
||
|
label: orange
|
||
|
memory: 4096
|
||
|
maxmem: 8192
|
||
|
virt_mode: hvm
|
||
|
vm_type: NetVM
|
||
|
|
||
|
proxy-vms:
|
||
|
children:
|
||
|
vpn-dvms:
|
||
|
hosts:
|
||
|
vpn-pritunl-dvm:
|
||
|
qubes:
|
||
|
template: vpn-pritunl-tmpl
|
||
|
template_vm: vpn-pritunl-tmpl
|
||
|
vpn-proton-dvm:
|
||
|
qubes:
|
||
|
template: vpn-proton-tmpl
|
||
|
template_vm: vpn-proton-tmpl
|
||
|
vpn-nm-dvm:
|
||
|
qubes:
|
||
|
template: vpn-nm-tmpl
|
||
|
template_vm: vpn-nm-tmpl
|
||
|
vpn-tailscale-dvm:
|
||
|
qubes:
|
||
|
template: vpn-tailscale-tmpl
|
||
|
template_vm: vpn-tailscale-tmpl
|
||
|
vpn-warp-dvm:
|
||
|
qubes:
|
||
|
template: vpn-warp-tmpl
|
||
|
template_vm: vpn-warp-tmpl
|
||
|
vars:
|
||
|
qubes:
|
||
|
label: gray
|
||
|
memory: 256
|
||
|
maxmem: 1024
|
||
|
_netvm: sys-firewall
|
||
|
provides_network: true
|
||
|
template_for_dispvms: true
|
||
|
vm_type: AppVM
|
||
|
|
||
|
template-vms:
|
||
|
vars:
|
||
|
qubes:
|
||
|
label: black
|
||
|
_netvm: None
|
||
|
vm_type: TemplateVM
|
||
|
children:
|
||
|
primary-templates:
|
||
|
children:
|
||
|
primary-templates-base:
|
||
|
hosts:
|
||
|
debian-11-base:
|
||
|
qubes:
|
||
|
source: debian-11
|
||
|
fedora-36-base:
|
||
|
qubes:
|
||
|
source: fedora-36
|
||
|
vars:
|
||
|
volume:
|
||
|
root: 20
|
||
|
private: 5
|
||
|
primary-templates-docker:
|
||
|
hosts:
|
||
|
debian-11-docker:
|
||
|
qubes:
|
||
|
source: debian-11-base
|
||
|
fedora-36-docker:
|
||
|
qubes:
|
||
|
source: fedora-36-base
|
||
|
primary-templates-full:
|
||
|
hosts:
|
||
|
debian-11-full:
|
||
|
qubes:
|
||
|
source: debian-11-base
|
||
|
fedora-36-full:
|
||
|
qubes:
|
||
|
source: fedora-36-base
|
||
|
vars:
|
||
|
volume:
|
||
|
root: 24
|
||
|
private: 8
|
||
|
primary-templates-stock:
|
||
|
hosts:
|
||
|
archlinux:
|
||
|
debian-11:
|
||
|
debian-12:
|
||
|
fedora-32:
|
||
|
fedora-36:
|
||
|
fedora-36-xfce:
|
||
|
jammy:
|
||
|
vars:
|
||
|
apply_theme: true
|
||
|
common_software_packages:
|
||
|
- snapd
|
||
|
- qubes-snapd-helper
|
||
|
primary-templates-minimal:
|
||
|
hosts:
|
||
|
debian-11-minimal:
|
||
|
fedora-36-minimal:
|
||
|
whonix-gw-16:
|
||
|
install_updates: false
|
||
|
whonix-ws-16:
|
||
|
install_updates: false
|
||
|
vars:
|
||
|
apply_theme: true
|
||
|
vars:
|
||
|
qubes:
|
||
|
label: red
|
||
|
standard-templates:
|
||
|
hosts:
|
||
|
anon-tmpl:
|
||
|
crypto-tmpl:
|
||
|
qubes:
|
||
|
source: fedora-36-docker
|
||
|
dev-tmpl:
|
||
|
qubes:
|
||
|
source: fedora-36-full
|
||
|
# full_terminal_profile: true
|
||
|
# include_pii_dotfiles: true
|
||
|
docker-tmpl:
|
||
|
qubes:
|
||
|
source: fedora-36-docker
|
||
|
gpg-tmpl:
|
||
|
qubes:
|
||
|
source: fedora-36
|
||
|
net-tmpl:
|
||
|
qubes:
|
||
|
source: fedora-36
|
||
|
kubernetes-tmpl:
|
||
|
qubes:
|
||
|
source: fedora-36-docker
|
||
|
media-tmpl:
|
||
|
personal-tmpl:
|
||
|
qubes:
|
||
|
source: fedora-36-full
|
||
|
# pritunl-server-tmpl:
|
||
|
# qubes:
|
||
|
# source: debian-10
|
||
|
office-tmpl:
|
||
|
provision-tmpl:
|
||
|
qubes:
|
||
|
source: fedora-36-docker
|
||
|
remote-tmpl:
|
||
|
services-tmpl:
|
||
|
swarm-tmpl:
|
||
|
qubes:
|
||
|
source: fedora-36-docker
|
||
|
util-tmpl:
|
||
|
vpn-tmpl:
|
||
|
qubes:
|
||
|
source: debian-11-base
|
||
|
vault-tmpl:
|
||
|
qubes:
|
||
|
source: fedora-36
|
||
|
web-tmpl:
|
||
|
work-tmpl:
|
||
|
qubes:
|
||
|
source: fedora-36-full
|
||
|
vars:
|
||
|
qubes:
|
||
|
source: fedora-36-base
|
||
|
vpn-templates:
|
||
|
hosts:
|
||
|
vpn-pritunl-tmpl:
|
||
|
vpn-proton-tmpl:
|
||
|
vpn-nm-tmpl:
|
||
|
vpn-tailscale-tmpl:
|
||
|
vpn-warp-tmpl:
|
||
|
vars:
|
||
|
qubes:
|
||
|
source: vpn-tmpl
|
||
|
# desktop-hvm-templates:
|
||
|
# hosts:
|
||
|
# # TODO Add version numbers in these template names
|
||
|
# archlinux-desktop-tmpl:
|
||
|
# centos-desktop-tmpl:
|
||
|
# debian-desktop-tmpl:
|
||
|
# debian-server-tmpl:
|
||
|
# fedora-desktop-tmpl:
|
||
|
# macos-desktop-tmpl:
|
||
|
# ubuntu-desktop-tmpl:
|
||
|
# windows-desktop-tmpl:
|
||
|
# ansible_connection: winrm
|
||
|
# vars:
|
||
|
# # SSH connection is unnecessary since templates are loaded from vagrantup.com or via the qubes-packer.yml playbook
|
||
|
# # ansible_connection: ssh
|
||
|
# # ansible_password: "{{ lookup('env', 'VAGRANT_PASSWORD') }}"
|
||
|
# # ansible_user: "{{ lookup('env', 'VAGRANT_USER') }}"
|
||
|
# qubes:
|
||
|
# kernel: ''
|
||
|
# source: blank
|
||
|
# virt_mode: hvm
|
||
|
# volume:
|
||
|
# root: 40g
|
||
|
misc-hvm-templates:
|
||
|
hosts:
|
||
|
# opnsense-tmpl:
|
||
|
# ansible_password: "{{ lookup('env', 'OPNSENSE_PASSWORD') }}"
|
||
|
# ansible_user: "{{ lookup('env', 'OPNSENSE_USER') }}"
|
||
|
# qubes:
|
||
|
# _netvm: None
|
||
|
# provides_network: true
|
||
|
# pcidevs: '{{ sys_net_pcidevs | default([]) }}'
|
||
|
# source: opnsense-22.7
|
||
|
# volume:
|
||
|
# root: 40g
|
||
|
# seconion-tmpl:
|
||
|
# ansible_password: "{{ lookup('env', 'SECONION_PASSWORD') }}"
|
||
|
# ansible_user: "{{ lookup('env', 'SECONION_USER') }}"
|
||
|
# volume:
|
||
|
# root: 10g
|
||
|
vars:
|
||
|
ansible_connection: ssh
|
||
|
qubes:
|
||
|
kernel: ''
|
||
|
virt_mode: hvm
|
||
|
|
||
|
standalone-vms:
|
||
|
vars:
|
||
|
qubes:
|
||
|
label: blue
|
||
|
memory: 2048
|
||
|
maxmem: 8192
|
||
|
kernel: ''
|
||
|
vcpus: 4
|
||
|
virt_mode: hvm
|
||
|
vm_type: StandaloneVM
|
||
|
children:
|
||
|
# desktop-standalone-vms:
|
||
|
# hosts:
|
||
|
# # By default, only initialize standalones for the fully loaded environments
|
||
|
# # If you just want a default ubuntu HVM, for instance, then qvm-clone from the
|
||
|
# # `ubuntu-desktop-base-tmpl` TemplateVM
|
||
|
# archlinux-desktop:
|
||
|
# qubes:
|
||
|
# source: archlinux-desktop-tmpl
|
||
|
# centos-desktop:
|
||
|
# qubes:
|
||
|
# source: centos-desktop-tmpl
|
||
|
# debian-desktop:
|
||
|
# qubes:
|
||
|
# source: debian-desktop-tmpl
|
||
|
# debian-server:
|
||
|
# qubes:
|
||
|
# source: debian-server-tmpl
|
||
|
# fedora-desktop:
|
||
|
# qubes:
|
||
|
# source: fedora-desktop-tmpl
|
||
|
# macos-desktop:
|
||
|
# qubes:
|
||
|
# source: macos-desktop-tmpl
|
||
|
# ubuntu-desktop:
|
||
|
# qubes:
|
||
|
# source: ubuntu-desktop-tmpl
|
||
|
# windows-desktop:
|
||
|
# ansible_connection: winrm
|
||
|
# qubes:
|
||
|
# source: windows-desktop-tmpl
|
||
|
# vars:
|
||
|
# ansible_connection: ssh
|
||
|
# ansible_password: "{{ lookup('env', 'VAGRANT_PASSWORD') }}"
|
||
|
# ansible_user: "{{ lookup('env', 'VAGRANT_USER') }}"
|
||
|
# qubes:
|
||
|
# _netvm: sys-vpn-proton
|
||
|
# volume:
|
||
|
# root: 50g
|
||
|
unikernel-vms:
|
||
|
hosts:
|
||
|
mirage-firewall:
|
||
|
mirage_compile_from_source: false
|
||
|
qubes:
|
||
|
kernel: mirage-firewall
|
||
|
kernelopts: ''
|
||
|
memory: 64
|
||
|
maxmem: 64
|
||
|
provides_network: true
|
||
|
source: blank
|
||
|
vcpus: 1
|
||
|
virt_mode: pvh
|
||
|
label: green
|
||
|
vm_type: StandaloneVM
|
||
|
# TODO qvm-features mirage-firewall qubes-firewall 1
|
||
|
# TODO qvm-features mirage-firewall no-default-kernelopts 1
|
||
|
|
||
|
system-vms:
|
||
|
hosts:
|
||
|
anon-whonix:
|
||
|
qubes:
|
||
|
_netvm: sys-whonix
|
||
|
template_vm: whonix-ws-16
|
||
|
debian-11:
|
||
|
qubes:
|
||
|
vm_type: TemplateVM
|
||
|
debian-11-dvm:
|
||
|
qubes:
|
||
|
_netvm: sys-firewall
|
||
|
template_for_dispvms: true
|
||
|
sys-firewall:
|
||
|
# Next three are where the SwitchHosts program gets installed along with hostctl and default profiles
|
||
|
hostsfile_default_loopback: true
|
||
|
install_hostctl: true
|
||
|
install_switchhosts: true
|
||
|
qubes:
|
||
|
_netvm: sys-net
|
||
|
vm_type: ProxyVM
|
||
|
sys-net:
|
||
|
sys-usb:
|
||
|
sys-whonix:
|
||
|
qubes:
|
||
|
_netvm: sys-firewall
|
||
|
template_vm: whonix-gw-16
|
||
|
whonix-ws-16-dvm:
|
||
|
qubes:
|
||
|
_netvm: sys-firewall
|
||
|
template_vm: whonix-ws-16
|
||
|
vars:
|
||
|
qubes:
|
||
|
label: red
|
||
|
vm_type: AppVM
|