Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.allthingslinux.org/llms.txt

Use this file to discover all available pages before exploring further.

All variables are defined in ansible/inventory/group_vars/. Shared defaults live in all/vars.yml, per-environment overrides in <env>/vars.yml, and secrets in all/vault.yml (encrypted).

Global variables (all/vars.yml)

Domain and identity

VariableDefaultDescription
pubnix_domainatl.shPrimary domain for all services
admin_emailadmin@allthingslinux.orgUsed for Let’s Encrypt registration and alerts

System

VariableDefaultDescription
timezoneUTCServer timezone
ntp_servers[0.pool.ntp.org, 1.pool.ntp.org]NTP time sources
pubnix_groupusersPrimary group for pubnix user accounts
default_shell/bin/bashDefault shell for new accounts

Resource limits (PAM)

Set in /etc/security/limits.conf:
VariableDefaultDescription
user_nproc_limit100Max processes per user
user_nofile_limit1024Max open file descriptors
user_as_limit8000000Max address space (KB)
user_rss_limit8000000Max resident set size (KB)

Resource limits (systemd cgroups)

Applied via per-user systemd slices:
VariableDefaultDescription
user_cpu_quota200%CPU quota (200% = 2 cores)
user_memory_max1.5GMemory limit per user
user_tasks_max200Max tasks (processes + threads)

Disk quotas

VariableDefaultDescription
quota_soft5GSoft limit (triggers grace period warning)
quota_hard6GHard limit (writes fail)

Backup

VariableDefaultDescription
backup_retention_daily7Daily backups to keep
backup_retention_weekly4Weekly backups to keep
backup_retention_monthly6Monthly backups to keep
backup_paths/home, /etc, /var/spool/cronDirectories to back up

Monitoring

VariableDefaultDescription
node_exporter_version1.8.2Prometheus Node Exporter version

Role defaults

Each role defines its own defaults in roles/<role>/defaults/main.yml.

Security role

VariableDefaultDescription
ssh_ports[22, 2222]SSH listening ports
ssh_permit_root_loginprohibit-passwordRoot login policy
ssh_password_authenticationnoDisable password auth
ssh_max_auth_tries3Max auth attempts per connection
ssh_login_grace_time30Seconds to complete auth
ssh_client_alive_interval300Keepalive interval (seconds)
ssh_client_alive_count_max2Missed keepalives before disconnect
ssh_allow_groupspubnix root sudoGroups allowed to SSH
fail2ban_bantime3600Ban duration (seconds)
fail2ban_findtime600Detection window (seconds)
fail2ban_maxretry5Failures before ban
firewall_allowed_tcp_portsSee belowOpen TCP ports
firewall_rate_limit_sshtrueRate-limit SSH connections
Firewall ports: 22, 2222, 70, 80, 443, 1965, 21, 40000:40100

Services role

VariableDefaultDescription
tilde_docrootpublic_htmlUser web directory name
nginx_server_tokensoffHide nginx version
nginx_client_max_body_size64mMax upload size
gemini_port1965Molly-brown listening port
gemini_capsule_root/var/geminiGemini DocBase path
gopher_port70Gophernicus listening port
gopher_hostname{{ pubnix_domain }}Hostname in gopher links
gopher_root/var/gopherGopher document root
gopher_user_dirpublic_gopherUser gopher directory name

FTP role

VariableDefaultDescription
ftp_port21FTP control port
pasv_min_port40000Passive range start
pasv_max_port40100Passive range end
ftp_tls_certLet’s Encrypt fullchainTLS certificate path
ftp_tls_keyLet’s Encrypt privkeyTLS private key path

Per-environment overrides

Dev (dev/vars.yml)

ftp_tls_cert: /etc/ssl/certs/molly-brown.crt
ftp_tls_key: /etc/ssl/private/molly-brown.key
Uses the self-signed cert from the Gemini role since Let’s Encrypt isn’t available in the Vagrant VM.

Staging (staging/vars.yml)

No overrides currently — uses all defaults.

Production (prod/vars.yml)

No overrides currently — uses all defaults.

Vault secrets (all/vault.yml)

Encrypted with Ansible Vault. Edit with: 
just vault-edit
Contains Borgmatic repository credentials, Cloudflare API tokens, and other secrets consumed by roles. Never commit this file unencrypted.