---
# =============================================================================
# SOVEREIGN DEPLOYMENT CONFIGURATION
# All variables for this deployment are defined here.
#
# Conventions used in this file:
#   - Every value containing "changeme" (or "change-me") is a placeholder and
#     has to be replaced before the first deployment. Several are credentials
#     or cryptographic keys (names ending in _password, _secret, _secret_key,
#     _token, _key) and should live in an ansible-vault encrypted file rather
#     than in plaintext under version control.
#   - "{{ base_domain }}" inside a value is a Jinja expression; Ansible
#     resolves it when the variable is used, so only base_domain needs editing
#     to re-point every hostname.
#   - Version strings are quoted so YAML does not parse them as numbers
#     (e.g. "6.0" would otherwise become the float 6.0).
#   - A version of "latest" is an unpinned image tag; pin a specific tag for
#     reproducible, reviewable upgrades.
# =============================================================================

# Base domain - all services are subdomains of this
base_domain: "example.com"

# =============================================================================
# BRANDING
# Applied across all services that support custom branding.
# =============================================================================

# Display name shown in service UIs and email subjects
tenant_name: "Example Corp"

# Path to a logo image on the Ansible control machine (PNG or SVG recommended).
# Leave empty to use each service's default logo.
# Example: "files/logo.png"
tenant_logo_local_path: ""

# Primary brand colour (hex). Used for backgrounds, buttons, and highlights.
# Quoted on purpose: an unquoted leading "#" would start a YAML comment.
tenant_primary_color: "#2563eb"

# Accent / secondary colour (hex). Quoted for the same reason as above.
tenant_accent_color: "#1e40af"

# Base directory for all service data
sovereign_base_dir: /opt/sovereign

# Traefik
traefik_acme_email: "admin@{{ base_domain }}"
traefik_domain: "traefik.{{ base_domain }}"
# htpasswd hash — this value must be the hashed htpasswd entry, not a
# plaintext password; the "changeme" placeholder is not a valid hash.
traefik_dashboard_password: "changeme"

# Authentik
authentik_domain: "auth.{{ base_domain }}"
authentik_version: "2024.10.5"
# 50-character random string; generate with e.g. `openssl rand -base64 36`.
authentik_secret_key: "change-me-to-a-50-char-random-string"
authentik_db_password: "changeme_authentik_db"
authentik_admin_email: "admin@{{ base_domain }}"
authentik_admin_password: "changeme_admin"

# Graylog
graylog_domain: "logs.{{ base_domain }}"
# Quoted so "6.0" stays a string (unquoted it would parse as a float).
graylog_version: "6.0"
graylog_password_secret: "changeme_graylog_secret_min_16_chars"  # min 16 chars
# SHA-256 hex digest of the root password: echo -n yourpassword | sha256sum
# The placeholder is not a valid digest.
graylog_root_password_sha2: "changeme_sha256_of_password"
# host IP reachable from containers
# NOTE(review): 127.0.0.1 inside a bridge-networked container is the
# container's own loopback, not the host — confirm this default works with
# the networking mode the log shippers use.
graylog_host: "127.0.0.1"
# Presumably the port of the Graylog GELF input — verify against the role.
graylog_gelf_port: 12201

# Stalwart Mail
stalwart_domain: "mail.{{ base_domain }}"
stalwart_admin_password: "changeme_mail_admin"
stalwart_version: "latest"

# Roundcube
roundcube_domain: "webmail.{{ base_domain }}"
roundcube_version: "latest"
roundcube_db_password: "changeme_roundcube_db"
# Roundcube's des_key must be exactly 24 characters. The placeholder below is
# 28 characters long, so it is not usable as-is.
roundcube_des_key: "changeme_24_char_des_key____"

# Wazuh
wazuh_domain: "wazuh.{{ base_domain }}"
wazuh_version: "4.9.0"
wazuh_admin_password: "changeme_wazuh_admin"
wazuh_api_password: "changeme_wazuh_api"

# WireGuard / Headscale
wireguard_domain: "vpn.{{ base_domain }}"
headscale_domain: "headscale.{{ base_domain }}"
headscale_version: "0.23.0"
# UDP listen port for WireGuard.
wireguard_port: 51820
headscale_noise_private_key: ""  # generated on first run

# Matrix / Element
matrix_domain: "matrix.{{ base_domain }}"
element_domain: "chat.{{ base_domain }}"
matrix_version: "v1.118.0"
# Shared secret used for registration; treat it like a password.
matrix_registration_secret: "changeme_registration_secret"
matrix_db_password: "changeme_matrix_db"

# Jitsi
jitsi_domain: "meet.{{ base_domain }}"
jitsi_version: "stable-9753"
# Internal XMPP component credentials — each should be a distinct random value.
jitsi_jicofo_auth_password: "changeme_jicofo"
jitsi_jvb_auth_password: "changeme_jvb"
jitsi_jibri_recorder_password: "changeme_jibri_recorder"
jitsi_jibri_xmpp_password: "changeme_jibri_xmpp"
jitsi_turn_secret: "changeme_turn"

# MinIO
minio_domain: "s3.{{ base_domain }}"
minio_console_domain: "minio.{{ base_domain }}"
minio_version: "latest"
# Root credentials for the MinIO instance.
minio_root_user: "minioadmin"
minio_root_password: "changeme_minio"
# Bucket and (presumably) the S3 credentials Nextcloud uses for it —
# confirm against the Nextcloud role.
minio_nextcloud_bucket: "nextcloud"
minio_nextcloud_access_key: "nextcloud"
minio_nextcloud_secret_key: "changeme_nextcloud_s3"

# Nextcloud
nextcloud_domain: "cloud.{{ base_domain }}"
# Quoted so the major version stays a string, not the integer 29.
nextcloud_version: "29"
nextcloud_admin_user: "admin"
nextcloud_admin_password: "changeme_nextcloud"
nextcloud_db_password: "changeme_nextcloud_db"
nextcloud_db_root_password: "changeme_nextcloud_db_root"

# Vaultwarden
vaultwarden_domain: "vault.{{ base_domain }}"
vaultwarden_version: "latest"
# Grants access to the /admin panel.
# NOTE(review): Vaultwarden can take an Argon2 PHC-format hash here instead
# of a plaintext token — prefer that if the deployed version supports it.
vaultwarden_admin_token: "changeme_vaultwarden_admin_token"
vaultwarden_db_password: "changeme_vaultwarden_db"

# Forgejo
forgejo_domain: "git.{{ base_domain }}"
forgejo_version: "latest"
forgejo_db_password: "changeme_forgejo_db"
# The three values below are Forgejo's internal signing/encryption secrets;
# each should be a separate random value.
forgejo_secret_key: "changeme_forgejo_secret"
forgejo_internal_token: "changeme_forgejo_internal_token"
forgejo_lfs_jwt_secret: "changeme_forgejo_lfs_jwt"
forgejo_admin_user: "admin"
forgejo_admin_password: "changeme_forgejo_admin"
forgejo_admin_email: "admin@{{ base_domain }}"
# Host port published for Forgejo's built-in SSH server.
forgejo_ssh_port: 2222

# Uptime Kuma
uptimekuma_domain: "status.{{ base_domain }}"
# Quoted so the tag stays a string, not the integer 1.
uptimekuma_version: "1"

# Automatisch
automatisch_domain: "automate.{{ base_domain }}"
automatisch_version: "latest"
automatisch_db_password: "changeme_automatisch_db"
# Generate each with: openssl rand -base64 36
# WARNING: these keys encrypt stored credentials — changing them after first
# deployment will break all existing integrations.
automatisch_encryption_key: "changeme_automatisch_encryption_key_base64_36"
automatisch_webhook_secret_key: "changeme_automatisch_webhook_secret_base64_36"
automatisch_app_secret_key: "changeme_automatisch_app_secret_base64_36"

# Twenty CRM
twenty_domain: "crm.{{ base_domain }}"
twenty_version: "latest"
# At least 32 random characters.
twenty_app_secret: "changeme_twenty_app_secret_min_32_chars_random"
twenty_db_password: "changeme_twenty_db"
# set in Authentik after creating the OAuth2 app
twenty_oidc_client_secret: "changeme_twenty_oidc_secret"

# Website
website_nginx_version: "alpine"

# SMTP (for services that send email)
# Presumably the container/service name of the Stalwart instance — confirm
# against the mail role.
smtp_host: "stalwart"
# 587 with STARTTLS (see smtp_tls below).
smtp_port: 587
smtp_from: "noreply@{{ base_domain }}"
# NOTE(review): this mailbox/account is assumed to exist in Stalwart with
# smtp_password — verify it is provisioned by the mail role.
smtp_user: "noreply@{{ base_domain }}"
smtp_password: "changeme_smtp"
smtp_tls: "starttls"

# DNS / BIND9 — authoritative nameserver
bind_version: "9.18-22.04_beta"
# dns_server_ip must be the public IPv4 address of this server.
# Register ns1.{{ base_domain }} as a glue record at your domain registrar
# pointing to this IP, then set your domain's nameservers to ns1.{{ base_domain }}.
dns_server_ip: "changeme_server_public_ip"
dns_ns_hostname: "ns1.{{ base_domain }}"
# Record TTL in seconds (3600 = 1 hour).
dns_ttl: 3600

# DKIM — retrieve the public key from the Stalwart admin UI at
# mail.{{ base_domain }} → Settings → DKIM keys after first deployment.
# Leave empty to skip the DKIM TXT record until the key is available.
stalwart_dkim_selector: "default"
stalwart_dkim_public_key: ""  # e.g. "MIGfMA0GCSqGSIb3DQEB..."

# DMARC — email authentication policy
# none | quarantine | reject
# "quarantine"/"reject" only act on mail that fails SPF/DKIM alignment, so make
# sure DKIM is published (stalwart_dkim_public_key above) before tightening.
dmarc_policy: "quarantine"
# Aggregate (rua) and forensic (ruf) report destinations.
dmarc_rua: "mailto:dmarc-reports@{{ base_domain }}"
dmarc_ruf: "mailto:dmarc-forensics@{{ base_domain }}"