# Variables & Vault
Variables follow standard Ansible precedence: host_vars overrides group_vars.
## group_vars/all/vars.yml
Shared variables applied to every host.
| Variable | Value | Purpose |
|---|---|---|
| timezone | Australia/Adelaide | System timezone |
| locale | en_AU.UTF-8 | System locale |
| dns_servers | 1.1.1.1, 9.9.9.9 | Cloudflare + Quad9 DNS (matches UDM DHCP config) |
| ssh_port | 22 | SSH port |
| ssh_permit_root_login | prohibit-password | Key-only root access |
| ssh_password_authentication | no | Disable password auth |
| zfs_pool | stash | ZFS pool name |
| zfs_dataset | stash/rodneystash | Media dataset |
| nfs_export_path | /stash | NFS export path |
| nfs_allowed_network | 192.168.1.0/24 | NFS permitted subnet |
| docker_compose_dir | /opt/mediaserver | Compose file location |
| common_packages | curl, wget, htop, vim, git, tmux… | Base packages on all hosts |
## host_vars

### proxfold.yml
| Variable | Value | Purpose |
|---|---|---|
| server_model | Dell PowerEdge R430 | Hardware reference |
| proxmox_repo | trixie pve-no-subscription | Community repo URL (PVE 9) |
| proxmox_enterprise_repo_disabled | true | Disable enterprise repo |
| zfs_arc_max_bytes | 15032385536 | ZFS ARC cap (14 GB) |
| zfs_scrub_schedule | monthly | Scrub frequency |
| nfs_server | true | Enable NFS server role |
| nvidia_driver_version | 550.163.01 | Pinned driver version |
| nvidia_nvenc_patch | true | Apply keylase NVENC patch |
| nvidia_persistence_daemon | true | Enable nvidia-persistenced |
| ipmi_fan_fix | true | Apply IPMI fan speed fix |
| ipmi_fan_speed_percent | 20 | Fan speed target (%) |
### arrstack.yml
| Variable | Value | Purpose |
|---|---|---|
| nfs_client | true | Enable NFS client mount |
| nfs_mounts[0].src | 192.168.1.250:/stash | NFS source |
| nfs_mounts[0].path | /stash | Local mount point |
| docker_daemon_config | json-file logging, overlay2 | Docker daemon settings |
| media_stack_containers | sonarr, radarr, prowlarr, qbittorrent, seerr | Health-checked containers |
| mediabot_dir | /opt/mediabot | MediaBot working directory |
| mediabot_repo | github.com/rampantlemming/mediabot | MediaBot source repo |
### plex.yml
| Variable | Value | Purpose |
|---|---|---|
| plex_media_path | /mnt/plex | Symlink destination |
| plex_zfs_mount | /stash/rodneystash | ZFS source mount |
| plex_data_zfs_dataset | stash/plex-data | ZFS dataset for Plex data directory |
| plex_data_zfs_quota | 100G | Quota on the Plex data dataset |
| plex_data_mount | /stash/plex-data | Mount point for Plex data inside LXC |
| nvidia_transcoding | true | Flag GPU passthrough |
### nginx.yml
Intentionally minimal — only common, security, and docker roles apply. Reverse proxy config is managed through the NPM UI. Caddy migration is planned.
## group_vars/all/vault.yml
Encrypted with Ansible Vault. Contains sensitive credentials referenced elsewhere via vault_ prefixed variables.
**Warning**

Never commit unencrypted secrets. The vault password file is excluded via .gitignore. The vault contains API keys, webhook URLs, and VPN credentials — treat the password file with care.
Variables stored in vault:
| Variable | Purpose |
|---|---|
| vault_discord_webhook_url | Discord notification webhook |
| vault_discord_bot_token | MediaBot Discord bot token |
| vault_sonarr_api_key | Sonarr API key |
| vault_radarr_api_key | Radarr API key |
| vault_prowlarr_api_key | Prowlarr API key |
| vault_seerr_api_key | Seerr API key |
| vault_protonvpn_wireguard_key | ProtonVPN WireGuard private key |
| vault_anthropic_api_key | Anthropic API key |
### Working with the vault
```bash
# Edit vault contents
ansible-vault edit group_vars/all/vault.yml

# Re-key (change vault password)
ansible-vault rekey group_vars/all/vault.yml

# Run playbook with vault password file
ansible-playbook playbooks/site.yml --vault-password-file ~/.vault_pass
```
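The warning above says never to commit unencrypted secrets and to keep `vault_`-prefixed values only in the encrypted vault. The following is an added example, not part of this repository, of a pre-commit style guard that enforces those three rules: the vault file must carry the `$ANSIBLE_VAULT` envelope header, no `vault_` variable may be defined (as opposed to referenced) in a plaintext vars file, and `.vault_pass` must be listed in `.gitignore`. The file contents it checks are constructed samples.

```python
"""Pre-commit guard for the vault layout: encrypted vault.yml, no plaintext
vault_ definitions, and the password file ignored by git (added example)."""
import re

# Envelope written by `ansible-vault encrypt`: format 1.1, or 1.2 with a vault-id label.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;[\w@.-]+)?\r?\n")
# A key *definition* such as `vault_x: value`; a `{{ vault_x }}` reference does not match.
VAULT_DEF = re.compile(r"^\s*(vault_\w+)\s*:")


def is_vault_encrypted(content: str) -> bool:
    return VAULT_HEADER.match(content) is not None


def plaintext_vault_definitions(yaml_text: str) -> list[str]:
    return [m.group(1) for line in yaml_text.splitlines() if (m := VAULT_DEF.match(line))]


def password_file_ignored(gitignore: str, name: str = ".vault_pass") -> bool:
    patterns = [p.strip() for p in gitignore.splitlines() if p.strip() and not p.startswith("#")]
    return any(p.lstrip("/") == name for p in patterns)


def check_repo(files: dict[str, str]) -> list[str]:
    """Return findings for a {path: content} map; an empty list means safe to commit."""
    findings = []
    if not is_vault_encrypted(files.get("group_vars/all/vault.yml", "")):
        findings.append("group_vars/all/vault.yml is not ansible-vault encrypted")
    for path, text in files.items():
        if path.endswith("vault.yml"):
            continue  # the vault itself is allowed to define vault_ keys (once encrypted)
        for key in plaintext_vault_definitions(text):
            findings.append(f"{path}: secret {key} defined in plaintext")
    if not password_file_ignored(files.get(".gitignore", "")):
        findings.append(".gitignore does not exclude .vault_pass")
    return findings


# Constructed sample repositories (hypothetical contents, not the project's real files).
GOOD_REPO = {
    "group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n62656433663131\n",  # fake ciphertext
    "group_vars/all/vars.yml": 'timezone: Australia/Adelaide\nsonarr_api_key: "{{ vault_sonarr_api_key }}"\n',
    ".gitignore": "# local\n.vault_pass\n",
}
BAD_REPO = {
    "group_vars/all/vault.yml": "vault_sonarr_api_key: placeholder-not-a-real-key\n",  # left decrypted
    "group_vars/all/vars.yml": "vault_discord_webhook_url: https://example.invalid/hook\n",
    ".gitignore": "*.retry\n",
}

if __name__ == "__main__":
    for label, repo in (("good", GOOD_REPO), ("bad", BAD_REPO)):
        print(label, check_repo(repo) or "ok")
```

Wire `check_repo` into a pre-commit hook over the staged files so a decrypted vault or a stray plaintext `vault_` key is rejected before it reaches history.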