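---
# Central YAML Source of Truth for Nathan's Lab (2026)
# Edit and commit this file; Ansible playbooks should read this as canonical.
# Explicit document start (`---`): required by yamllint's document-start rule
# and the usual convention for Ansible group_vars files.

# Human-readable lab identifier; consumed as a plain string.
lab_name: "nathan-lab-2026"

# Repository path at which this document is expected to live.
canonical_source: "ansible/group_vars/all.yml"
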
# Per-VLAN address plan. `vlan` is the VLAN ID, `cidr` the subnet, and the
# `dhcp_pool` / `reserved` values are "start-end" address ranges kept as strings.
# Only `main` declares a `gateway`; templates rendering the other VLANs must
# not assume the key is present.
networks:
  main:
    vlan: 1
    cidr: "10.0.0.0/24"
    dhcp_pool: "10.0.0.100-10.0.0.240"
    gateway: "10.0.0.1"
    purpose: "Family / wired / main SSID"

  infra:
    vlan: 10
    cidr: "10.0.10.0/24"
    # NOTE(review): `reserved` rather than `dhcp_pool` here — presumably the
    # infra VLAN is static-only; confirm the DHCP templates handle both keys.
    reserved: "10.0.10.2-10.0.10.50"
    purpose: "Management / Proxmox / NAS / Heimdall mgmt"

  iot:
    vlan: 50
    cidr: "10.0.50.0/24"
    dhcp_pool: "10.0.50.100-10.0.50.199"
    purpose: "IoT devices (Omada)"

  guest:
    vlan: 30
    cidr: "10.0.30.0/24"
    dhcp_pool: "10.0.30.100-10.0.30.200"
    # "isolated" is descriptive only: client isolation is enforced by the
    # gateway / Omada controller configuration, not by this file.
    purpose: "Guest WiFi (isolated)"

  compute:
    vlan: 200
    cidr: "10.0.200.0/24"
    # No dhcp_pool or gateway listed; the compute hosts in lab_hosts carry
    # static desired_ip values in this subnet — confirm that is intentional.
    purpose: "Swarm / AI grid / ephemeral compute"

# Host inventory for the VLAN migration: `current_ip` is the address a host has
# today (all on the main network), `desired_ip` its target on its VLAN.
# Schema notes for template authors:
#   - `role` is only set on some hosts; templates keying on it must tolerate
#     its absence (swarm-*, ai-lenovo, synology, terramaster, waldorf, watchtower).
#   - `desired_ip` is a string everywhere except `heimdall`, where it is a
#     mapping (mgmt / lan).
lab_hosts:
  er7212pc:
    role: gateway
    current_ip: "10.0.0.2"
    desired_ip: "10.0.0.2"  # unchanged: the gateway stays on the main network
    note: "DHCP + Omada controller"

  # Proxmox nodes move to the infra VLAN, inside networks.infra.reserved.
  pve01:
    role: proxmox
    current_ip: "10.0.0.201"
    desired_ip: "10.0.10.11"

  pve02:
    role: proxmox
    current_ip: "10.0.0.202"
    desired_ip: "10.0.10.12"

  pve03:
    role: proxmox
    current_ip: "10.0.0.203"
    desired_ip: "10.0.10.13"

  pve04:
    role: proxmox
    current_ip: "10.0.0.204"
    desired_ip: "10.0.10.14"

  # Swarm nodes move to the compute VLAN (10.0.200.0/24).
  swarm-manager-1:
    current_ip: "10.0.0.211"
    desired_ip: "10.0.200.11"

  swarm-manager-2:
    current_ip: "10.0.0.212"
    desired_ip: "10.0.200.12"

  swarm-manager-3:
    current_ip: "10.0.0.213"
    desired_ip: "10.0.200.13"

  swarm-worker-1:
    current_ip: "10.0.0.221"
    desired_ip: "10.0.200.21"

  swarm-worker-2:
    current_ip: "10.0.0.222"
    desired_ip: "10.0.200.22"

  swarm-worker-3:
    current_ip: "10.0.0.223"
    desired_ip: "10.0.200.23"

  ai-lenovo:
    current_ip: "10.0.0.220"
    desired_ip: "10.0.200.20"

  # NAS units move to the infra VLAN, inside networks.infra.reserved.
  synology:
    current_ip: "10.0.0.249"
    desired_ip: "10.0.10.40"

  terramaster:
    current_ip: "10.0.0.250"
    desired_ip: "10.0.10.41"

  waldorf:
    current_ip: "10.0.0.251"
    desired_ip: "10.0.200.30"

  watchtower:
    current_ip: "10.0.0.200"
    # NOTE(review): 10.0.10.200 is in the infra VLAN but outside
    # networks.infra.reserved (10.0.10.2-10.0.10.50) — confirm it is intended
    # as a static address. monitoring.watchtower_ip and
    # edge_routing.integration.bind_ip still carry the current_ip.
    desired_ip: "10.0.10.200"

  heimdall:
    role: beelink
    # NOTE(review): current_ip is null here, yet monitoring.heimdall_redis and
    # edge_routing.edge_host.ip address heimdall at 10.0.0.151 — one of these
    # looks stale; confirm which is authoritative.
    current_ip: null
    # Dual-homed target: mgmt on the infra VLAN (first address of
    # networks.infra.reserved, also listed in vlan_defaults.ntp_servers) and a
    # LAN address on main, outside networks.main.dhcp_pool.
    desired_ip:
      mgmt: "10.0.10.2"
      lan: "10.0.0.50"

# === MONITORING INFRASTRUCTURE ===
# Environment-specific configuration for monitoring stack
monitoring:
  # Unix user the stack runs as on the host — presumably; confirm against the role.
  stack_user: "chester"
  # host:port of the Redis on heimdall. Same endpoint as
  # edge_routing.integration.redis_addr — keep the two in sync (or have one
  # reference the other) so a Redis move does not leave one stale.
  heimdall_redis: "10.0.0.151:6379"
  # Duplicates lab_hosts.watchtower.current_ip; must be updated when
  # watchtower moves to its desired_ip (10.0.10.200).
  watchtower_ip: "10.0.0.200"
  grafana_domain: "grafana.castaldifamily.com"
  uptime_domain: "status.castaldifamily.com"
  dozzle_domain: "logs.castaldifamily.com"
  # Authentik base URL (https) — presumably the SSO in front of the domains
  # above; confirm which services use it.
  authentik_host: "https://sso.castaldifamily.com"
  # Keep the admin password out of this plain section: define it as an
  # ansible-vault encrypt_string value like the vault_* entries at the end of
  # this file, and reference that variable from the Grafana deployment.
  # grafana_admin_password: DEFINE IN VAULT

# === EDGE ROUTING TOPOLOGY ===
# Canonical ingress model: Traefik runs on a dedicated edge host outside Swarm.
# Swarm and standalone hosts publish routes through traefik-kop agents.
# NOTE(review): the rendered copy of this file lost its indentation;
# `integration`, `swarm` and `migration_rules` are reconstructed here as
# siblings of `edge_host` — confirm against the committed file.
edge_routing:
  ingress_mode: "external-traefik"
  edge_host:
    name: "heimdall"
    # NOTE(review): lab_hosts.heimdall has current_ip null and a desired LAN
    # address of 10.0.0.50 — confirm which address is authoritative for Traefik.
    ip: "10.0.0.151"
    ssh_port: 22
    http_port: 80
    https_port: 443
  integration:
    # Watchtower-hosted traefik-kop instance (publishes Watchtower container routes)
    # Pinned to :latest. This agent writes routes into the edge Redis, so an
    # unreviewed image update changes what reaches Traefik; prefer a version
    # or digest pin so upgrades are deliberate.
    agent_image: "ghcr.io/jittering/traefik-kop:latest"
    # Redis that traefik-kop publishes routes into (same endpoint as
    # monitoring.heimdall_redis). Whatever can write here can define what
    # Traefik routes, so keep it reachable only by the kop agents
    # (auth / firewall) — confirm the current setup.
    redis_addr: "10.0.0.151:6379"
    bind_ip: "10.0.0.200" # Watchtower IP — correct for routes originating on Watchtower
  swarm:
    # Swarm-hosted traefik-kop instance (publishes Swarm service routes)
    # bind_ip MUST be a Swarm node IP — the Swarm routing mesh makes published
    # ports available on ALL nodes, so Traefik routes inbound requests here.
    bind_ip: "10.0.0.211" # swarm-manager-1; any Swarm node IP is valid via routing mesh
    # NOTE(review): 10.0.0.211 is swarm-manager-1's current_ip; it must change to
    # the desired_ip (10.0.200.11) when the compute VLAN migration happens, and
    # Traefik on the edge host must then be able to reach 10.0.200.0/24.
    proxy_network: "proxy-net" # Swarm overlay network; separate from heimdall's bridge of same name
    stack_deploy_target: "swarm-manager-1"
  migration_rules:
    deploy_traefik_in_swarm: false
    use_external_proxy_network: true
    notes:
      - "Services should attach to swarm overlay proxy-net for east-west traffic."
      - "Ingress is terminated by external Traefik at 10.0.0.151 via traefik-kop updates."

# === SERVICE SECRETS (set via: ansible-vault encrypt_string) ===
# Ciphertext only. The header `$ANSIBLE_VAULT;1.1;AES256` is vault format 1.1,
# which carries no vault-id label, so the default vault password must be able
# to decrypt it. Rotate by re-running encrypt_string and replacing the whole
# block; the `|` block scalar keeps the line breaks the vault format expects.
vault_gitea_db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  62323135663563386162633134616430633034366465376439663133346634616639376431356165
  6361376530363938656235623330396530643631616266330a323962373736383339353064633634
  36636664383530386539366137666632393134366435356634383061643566366335376164656531
  6464333566326261610a306366346638366439333535393161643066643234653165636636623832
  3135

# Defaults applied across VLANs when rendering client configuration.
vlan_defaults:
  dns_domain: "home.lab"
  ntp_servers:
    # Matches lab_hosts.heimdall.desired_ip.mgmt — presumably heimdall serves
    # NTP once it is on the infra VLAN; until that migration this address is
    # not yet live. Confirm.
    - "10.0.10.2"

# Plex bootstrap claim token — used only on first server claim.
# Stored as vault-format-1.1 ciphertext like the secrets above. A claim token
# is consumed when the server is claimed, so a re-bootstrap needs a fresh
# token encrypted into this block — confirm with the Plex role.
vault_plex_claim: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  65626432323737386462666132336161303635633438326432666631383339663835356238343838
  3533306232623437376263353161633530646533343739300a323730643330386633626661353234
  31643631346666666431666534613539333835623562306335376534626463633936643838323666
  6432626262323231660a323965393163366230363838623165643532356438393863346361656162
  63323966386333323236353861623333623339626538396565643965323562383636

# Usage notes:
# - Treat this file as the single source of truth for IPs and VLANs.
# - Ansible playbooks should read `networks` and `lab_hosts` to render configs,
#   update `inventory/hosts.ini`, and generate DHCP reservation templates.