--- # Three hosts are defined but the quickstart script filters using an environment variable # so only one host is provisioned at a time by quickstart. all: vars: ansible_winrm_transport: credssp ansible_winrm_server_cert_validation: ignore children: desktop: children: nix: hosts: standard: ansible_connection: local vars: ansible_password: "{{ lookup('env', 'ANSIBLE_PASSWORD') }}" ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}" qubes: vars: ansible_connection: qubes # ansible_password: "{{ lookup('env', 'ANSIBLE_PASSWORD') | default() }}" # ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}" ansible_python_interpreter: /usr/bin/python3 qubes: dom0_vm: dom0 hosts: dom0: blank: qubes: vm_type: TemplateVM children: vms: vars: install_grub_theme: false install_plymouth_theme: false memory: 512 maxmem: 4096 vcpus: 2 children: system-vms: # template-vms: # net-vms: # proxy-vms: # app-dvms: # app-vms: # standalone-vms: windows: hosts: standard: ansible_connection: winrm vars: ansible_password: "{{ lookup('env', 'ANSIBLE_PASSWORD') }}" ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}" app-vms: vars: qubes: maxmem: 2048 memory: 512 netvm_vm: sys-firewall vm_type: AppVM children: app-dvms: vars: qubes: label: gray template_for_dispvms: true hosts: anon-dvm: qubes: template: anon-tmpl template_vm: anon-tmpl dev-dvm: qubes: template: dev-tmpl template_vm: dev-tmpl media-dvm: qubes: template: media-tmpl template_vm: media-tmpl office-dvm: qubes: template: office-tmpl template_vm: office-tmpl util-dvm: qubes: template: util-tmpl template_vm: util-tmpl web-dvm: qubes: template: web-tmpl template_vm: web-tmpl primary-dvm-templates: vars: qubes: label: gray template_for_dispvms: true hosts: debian-11-dvm: qubes: template_vm: debian-11-base fedora-36-dvm: qubes: template: fedora-36-base template_vm: fedora-36-base net-dvm: randomize_mac_address: true qubes: template: net-tmpl template_vm: net-tmpl standard-vms: hosts: crypto: qubes: _netvm: sys-vpn-proton template: crypto-tmpl template_vm: crypto-tmpl dev: persistent_docker_volumes: true qubes: maxmem: 8192 _netvm: sys-vpn-proton template: dev-tmpl template_vm: dev-tmpl vcpus: 4 volume: private: 30 root: 30 gpg: qubes: label: green template: gpg-tmpl template_vm: gpg-tmpl kubernetes: persistent_docker_volumes: true qubes: autostart: true maxmem: 8192 _netvm: sys-vpn-pritunl template: kubernetes-tmpl template_vm: kubernetes-tmpl vcpus: 4 vm_type: NetVM volume: root: 100 personal: persistent_docker_volumes: true qubes: maxmem: 8192 _netvm: sys-vpn-proton template: personal-tmpl template_vm: personal-tmpl vcpus: 4 volume: private: 20 root: 40 # pritunl-server: # qubes: # # _netvm: opnsense # _netvm: sys-firewall # template_vm: pritunl-server-tmpl # provision: # qubes: # _netvm: sys-vpn-pritunl # template_vm: provision-tmpl remote: qubes: _netvm: sys-vpn-pritunl template: remote-tmpl template_vm: remote-tmpl swarm: persistent_docker_volumes: true qubes: autostart: true maxmem: 8192 _netvm: sys-vpn-pritunl template: swarm-tmpl template_vm: swarm-tmpl vcpus: 4 vault: qubes: label: green template: vault-tmpl template_vm: vault-tmpl work: persistent_docker_volumes: true qubes: maxmem: 8192 _netvm: sys-vpn-pritunl template: work-tmpl template_vm: work-tmpl vcpus: 4 volume: private: 30 root: 30 vars: qubes: label: purple template_vm: fedora-36-base specialty-vms: vars: qubes: vm_type: AppVM hosts: api: qubes: label: orange template: provision-tmpl template_vm: provision-tmpl maas: qubes: label: orange # _netvm: opnsense template: provision-tmpl template_vm: provision-tmpl mirror: qubes: label: orange template: docker-tmpl template_vm: docker-tmpl pritunl: qubesos-build: qubes: template: fedora-32 template_vm: fedora-32 net-vms: hosts: # opnsense: # ansible_password: "{{ lookup('env', 'OPNSENSE_PASSWORD') }}" # ansible_user: "{{ lookup('env', 'OPNSENSE_USER') }}" # qubes: # _netvm: none # pcidevs: '{{ sys_net_pcidevs | default([]) }}' # provides_network: true # template: opnsense-tmpl # template_vm: opnsense-tmpl # volume: # root: 40g # TODO - Add Security Onion to stack. # Note - Ideally it should be run on another offline computer passively tapped into the Ethernet but in the spirit of mashing everything into one computer.. leaving this as a note for now -- PRs weldome # seconion: # ansible_password: "{{ lookup('env', 'SECONION_PASSWORD') }}" # ansible_user: "{{ lookup('env', 'SECONION_USER') }}" # qubes: # template: seconion-tmpl # template_vm: seconion-tmpl # volume: # root: 400g vars: ansible_connection: ssh qubes: autostart: true label: orange memory: 4096 maxmem: 8192 virt_mode: hvm vm_type: NetVM proxy-vms: children: vpn-dvms: hosts: vpn-pritunl-dvm: qubes: template: vpn-pritunl-tmpl template_vm: vpn-pritunl-tmpl vpn-proton-dvm: qubes: template: vpn-proton-tmpl template_vm: vpn-proton-tmpl vpn-nm-dvm: qubes: template: vpn-nm-tmpl template_vm: vpn-nm-tmpl vpn-tailscale-dvm: qubes: template: vpn-tailscale-tmpl template_vm: vpn-tailscale-tmpl vpn-warp-dvm: qubes: template: vpn-warp-tmpl template_vm: vpn-warp-tmpl vars: qubes: label: gray memory: 256 maxmem: 1024 netvm_vm: sys-firewall provides_network: true template_for_dispvms: true vm_type: AppVM template-vms: vars: qubes: label: black netvm_vm: None vm_type: TemplateVM children: primary-templates: children: primary-templates-base: hosts: debian-11-base: qubes: source: debian-11 fedora-36-base: qubes: source: fedora-36 vars: volume: root: 14 private: 5 primary-templates-docker: hosts: debian-11-docker: qubes: source: debian-11-base fedora-36-docker: qubes: source: fedora-36-base primary-templates-full: hosts: debian-11-full: qubes: source: debian-11-base fedora-36-full: qubes: source: fedora-36-base primary-templates-stock: hosts: archlinux: debian-11: debian-11-backup: debian-12: fedora-32: fedora-36: fedora-36-xfce: jammy: vars: apply_theme: true common_software_packages: - snapd - qubes-snapd-helper primary-templates-minimal: hosts: debian-11-minimal: fedora-36-minimal: whonix-gw-16: install_updates: false whonix-ws-16: install_updates: false vars: apply_theme: true vars: qubes: label: red standard-templates: hosts: anon-tmpl: crypto-tmpl: dev-tmpl: qubes: source: fedora-36-full # full_terminal_profile: true # include_pii_dotfiles: true docker-tmpl: qubes: source: fedora-36-docker gpg-tmpl: qubes: source: fedora-36 net-tmpl: qubes: source: fedora-36 kubernetes-tmpl: qubes: source: fedora-36-docker media-tmpl: personal-tmpl: qubes: source: fedora-36-full # pritunl-server-tmpl: # qubes: # source: debian-10 office-tmpl: provision-tmpl: remote-tmpl: swarm-tmpl: qubes: source: fedora-36-docker util-tmpl: vpn-tmpl: qubes: source: debian-11-base vault-tmpl: qubes: source: feodra-36 web-tmpl: work-tmpl: qubes: fedora-36-full vars: qubes: source: fedora-36-base vpn-templates: hosts: vpn-pritunl-tmpl: vpn-proton-tmpl: vpn-nm-tmpl: vpn-tailscale-tmpl: vpn-warp-tmpl: vars: qubes: source: vpn-tmpl # desktop-hvm-templates: # hosts: # # TODO Add version numbers in these template names # archlinux-desktop-tmpl: # centos-desktop-tmpl: # debian-desktop-tmpl: # debian-server-tmpl: # fedora-desktop-tmpl: # macos-desktop-tmpl: # ubuntu-desktop-tmpl: # windows-desktop-tmpl: # ansible_connection: winrm # vars: # # SSH connection is unnecessary since templates are loaded from vagrantup.com or via the qubes-packer.yml playbook # # ansible_connection: ssh # # ansible_password: "{{ lookup('env', 'VAGRANT_PASSWORD') }}" # # ansible_user: "{{ lookup('env', 'VAGRANT_USER') }}" # qubes: # kernel: '' # source: blank # virt_mode: hvm # volume: # root: 40g misc-hvm-templates: hosts: # opnsense-tmpl: # ansible_password: "{{ lookup('env', 'OPNSENSE_PASSWORD') }}" # ansible_user: "{{ lookup('env', 'OPNSENSE_USER') }}" # qubes: # netvm_vm: None # provides_network: true # pcidevs: '{{ sys_net_pcidevs | default([]) }}' # source: opnsense-22.7 # volume: # root: 40g # seconion-tmpl: # ansible_password: "{{ lookup('env', 'SECONION_PASSWORD') }}" # ansible_user: "{{ lookup('env', 'SECONION_USER') }}" # volume: # root: 10g vars: ansible_connection: ssh qubes: kernel: '' virt_mode: hvm standalone-vms: vars: qubes: label: blue memory: 2048 maxmem: 8192 kernel: '' vcpus: 4 virt_mode: hvm vm_type: StandaloneVM children: # desktop-standalone-vms: # hosts: # # By default, only initialize standalones for the fully loaded environments # # If you just want a default ubuntu HVM, for instance, then qvm-clone from the # # `ubuntu-desktop-base-tmpl` TemplateVM # archlinux-desktop: # qubes: # source: archlinux-desktop-tmpl # centos-desktop: # qubes: # source: centos-desktop-tmpl # debian-desktop: # qubes: # source: debian-desktop-tmpl # debian-server: # qubes: # source: debian-server-tmpl # fedora-desktop: # qubes: # source: fedora-desktop-tmpl # macos-desktop: # qubes: # source: macos-desktop-tmpl # ubuntu-desktop: # qubes: # source: ubuntu-desktop-tmpl # windows-desktop: # ansible_connection: winrm # qubes: # source: windows-desktop-tmpl # vars: # ansible_connection: ssh # ansible_password: "{{ lookup('env', 'VAGRANT_PASSWORD') }}" # ansible_user: "{{ lookup('env', 'VAGRANT_USER') }}" # qubes: # _netvm: sys-vpn-proton # volume: # root: 50g unikernel-vms: hosts: mirage-firewall: mirage_compile_from_source: false qubes: kernel: mirage-firewall kernelopts: '' memory: 64 maxmem: 64 provides_network: true source: blank vcpus: 1 virt_mode: pvh label: green vm_type: StandaloneVM # TODO qvm-features mirage-firewall qubes-firewall 1 # TODO qvm-features mirage-firewall no-default-kernelopts 1 system-vms: hosts: anon-whonix: qubes: netvm_vm: sys-whonix template_vm: whonix-ws-16 debian-11: qubes: vm_type: TemplateVM debian-11-dvm: qubes: netvm_vm: sys-firewall template_for_dispvms: true sys-firewall: # Next three are where the SwitchHosts program gets installed along with hostctl and default profiles hostsfile_default_loopback: true install_hostctl: true install_switchhosts: true qubes: netvm_vm: sys-net vm_type: ProxyVM sys-net: sys-usb: sys-whonix: qubes: netvm_vm: sys-firewall template_vm: whonix-gw-16 whonix-ws-16-dvm: qubes: netvm_vm: sys-firewall template_vm: whonix-ws-16 vars: qubes: label: red vm_type: AppVM