dezky/infrastructure/production/host/config.env.example

# ─────────────────────────────────────────────────────────────
# Dezky production host configuration
#
# Copy to `config.env` and fill in real values. `config.env` is
# gitignored — it holds host-specific values, not the repo's source
# of truth. Both bootstrap.sh and firewall/firewall.sh source this.
# ─────────────────────────────────────────────────────────────

# --- Management allowlist -------------------------------------------------
# Source addresses allowed to reach SSH (22) and the k3s API (6443).
# Everything else on those ports is dropped. Accepts a comma-separated
# list of single IPs and/or CIDRs (e.g. home + office, or a /29 block,
# or a v6 /64 prefix) — the firewall treats these as nftables interval sets.
#
# NOTE: residential IPs can change. If yours is dynamic, prefer a small
# prefix here, and remember Hetzner's KVM/LARA console is always reachable
# out-of-band if you ever lock yourself out (see README).
MGMT_ALLOW_V4="203.0.113.10, 203.0.113.11"   # REQUIRED — management IPv4(s)/CIDR(s)
MGMT_ALLOW_V6=""                              # optional — management IPv6(s)/prefix (empty to skip)

# --- Server identity ------------------------------------------------------
SERVER_HOSTNAME="node1.dezky.eu"   # FQDN set on the box
SERVER_PUBLIC_IPV4=""              # AX41 primary IPv4 (fill after provisioning)
SERVER_PUBLIC_IPV6=""              # AX41 primary IPv6 (fill after provisioning)

# --- Admin (non-root) user ------------------------------------------------
ADMIN_USER="dezky"                 # created with sudo; root SSH login is then disabled
ADMIN_SSH_PUBKEY=""                # REQUIRED — your SSH public key (the WHOLE line, e.g. "ssh-ed25519 AAAA... you@home")

# --- SSH ------------------------------------------------------------------
SSH_PORT="22"                      # keep 22 unless you have a reason; obscurity is not security

# --- k3s networking (defaults; change ONLY if you customise k3s CIDRs) ----
K3S_POD_CIDR="10.42.0.0/16"        # flannel pod network — accepted to/from host
K3S_SERVICE_CIDR="10.43.0.0/16"    # cluster service network — accepted to/from host

# --- Rancher Custom-cluster registration (SECRET) -------------------------
# From Rancher → Cluster Management → <cluster> → Registration tab. Create the
# cluster with the **K3s** distribution first. Token + checksum are secrets.
RANCHER_SERVER_URL="https://rancher.example.com"
RANCHER_NODE_TOKEN=""                          # REQUIRED — node registration token
RANCHER_CA_CHECKSUM=""                          # REQUIRED — CA checksum from the same command
RANCHER_NODE_ROLES="--etcd --controlplane --worker"   # single node = all three
RANCHER_INSECURE_FETCH="true"                   # true if Rancher is reached by IP / self-signed cert

# --- Stalwart mail (host service) -----------------------------------------
# SECRETS — platform-api (k3s) must use the SAME admin password + webhook secret.
STALWART_VERSION="latest"          # pin to a release tag after first install
STALWART_ADMIN_PASSWORD=""         # REQUIRED — openssl rand -hex 24
STALWART_WEBHOOK_SECRET=""         # REQUIRED — openssl rand -hex 32

# --- Restic backups (host) ------------------------------------------------
# Storage Box is SSH/SFTP on PORT 23, key auth. STORE RESTIC_PASSWORD OFFLINE.
RESTIC_PASSWORD=""                 # REQUIRED — openssl rand -hex 32 (save offline!)
BACKUP_PRIMARY_REPO=""             # sftp:<user>@<user>.your-storagebox.de:/dezky
BACKUP_DR_REPO=""                  # sftp:<user>@<user>.your-storagebox.de:/dezky  (Helsinki box)
BACKUP_PATHS="/opt/stalwart/data /opt/stalwart/etc /var/lib/rancher/k3s/server/db/snapshots /var/lib/rancher/k3s/storage"
BACKUP_RETENTION="--keep-daily 7 --keep-weekly 4 --keep-monthly 6"
BACKUP_HEALTHCHECK_URL=""          # optional dead-man's-switch base URL