42bb310ca1 Update .drone.yml
Some checks failed
continuous-integration/drone/push Build is failing
2021-07-31 22:46:26 +02:00
f5cc5cea9c Use chrony to lock kvm virtualized vm to host rtc
Some checks failed
continuous-integration/drone/push Build is failing
Chrony uses PHC via VirtIO PTP on KVM to sync the virtual machine's time to
the host's RTC within nanoseconds. Ntpd is still used for anything else
not virtualized on KVM.
2020-09-04 18:36:50 +02:00
153 changed files with 2162 additions and 4782 deletions


@ -1,4 +0,0 @@
skip_list:
- meta-no-info
- package-latest
- risky-file-permissions


@ -8,4 +8,4 @@ steps:
- name: lint
image: cytopia/ansible-lint:latest
commands:
- ansible-lint
- ansible-lint -x305,403,701
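Review bot: The exclusions on the second `ansible-lint` line are bare numeric rule IDs, which tell a reader nothing and, because the linter image is pulled as `cytopia/ansible-lint:latest`, can silently stop matching when the image moves to a release that renames or renumbers rules. The `.ansible-lint` section earlier in this compare expresses the same intent as named rules (`meta-no-info`, `package-latest`, `risky-file-permissions`), which is the more readable form; whichever side of the compare is kept, prefer the named skip list or at least annotate the command, e.g. `# skipped rules: 305, 403 (package-latest), 701 (meta-no-info)`. Pinning the image to a specific tag would make the skip list reproducible across CI runs.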

1
.gitignore vendored

@ -2,4 +2,3 @@
__pycache__
site.retry
*.pyc
ff-ansible.code-workspace


@ -3,11 +3,11 @@ Ansible Freifunk Regensburg
## Requirements
The python packages netaddr and passlib are required on the host running ansible.
The python package netaddr is required on the host running ansible.
The vault password must be stored in `.vault_pass`.
The *only* supported distributions to deploy roles on is debian buster.
The *only* supported distributions to deploy roles on is debian stretch and buster (stretch may be too old for prometheus).
## Running Ansible


@ -1,6 +1,5 @@
[defaults]
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
interpreter_python = auto
inventory = ./hosts
library = ./library
nocows = 1


@ -2,20 +2,6 @@
acertmgr_mode: webdir
dnsdist_targets:
- gw11.regensburg.freifunk.net:8053
- gw21.regensburg.freifunk.net:8053
- gw31.regensburg.freifunk.net:8053
- resolver.regensburg.freifunk.net:8053
dns_slaves:
- 195.201.117.207
- 2a01:4f8:1c0c:7dda::1
- 213.166.224.14
- 2a02:958:0:1::e
- 213.166.225.14
- 2a02:958:0:1::1:e
fastd_targets:
- gw11.regensburg.freifunk.net:9281
- gw21.regensburg.freifunk.net:9281
@ -39,24 +25,21 @@ gre_matrix:
- { id: 26, a: gw21, b: gw31 }
# - { id: 33, a: gw22, b: gw31 }
netbox_domain: netbox.regensburg.freifunk.net
netbox_domain: netbox.ffrgb
netbox_dbname: netbox
netbox_dbuser: netbox
netbox_dbpass: "{{ vault_netbox_dbpass }}"
netbox_secret: "{{ vault_netbox_secret }}"
node_targets:
- ns1.regensburg.freifunk.net:9100
- stats.regensburg.freifunk.net:9100
- tiles.regensburg.freifunk.net:9100
- gw11.regensburg.freifunk.net:9100
- gw21.regensburg.freifunk.net:9100
- gw31.regensburg.freifunk.net:9100
- web.regensburg.freifunk.net:9100
- resolver.regensburg.freifunk.net:9100
- netbox.regensburg.freifunk.net:9100
- stats.ffrgb:9100
- unms.ffrgb:9100
- unifi.ffrgb:9100
- tiles.ffrgb:9100
ntp_servers:
- 0.de.pool.ntp.org
@ -64,10 +47,6 @@ ntp_servers:
- 2.de.pool.ntp.org
- 3.de.pool.ntp.org
prometheus_dnsdist_pass: "{{ vault_prometheus_dnsdist_pass }}"
prometheus_node_pass: "{{ vault_prometheus_node_pass }}"
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@ -75,17 +54,8 @@ pve_targets:
- pve01.ffrgb
- pve02.ffrgb
searxng_domain: sx.regensburg.freifunk.net
searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net
site: ffrgb
site_domain: regensburg.freifunk.net
speedtest_domain: speed.regensburg.freifunk.net
speedtest_domains: speed.ffrgb.net speed.regensburg.freifunk.net
speedtest_secret: "{{ vault_speedtest_secret }}"
tileserver_domain: tiles.regensburg.freifunk.net
web_services:
- { id: uisp, domain: uisp.regensburg.freifunk.net, domains: uisp.ffrgb.net uisp.regensburg.freifunk.net }
- { id: tiles, domain: tiles.regensburg.freifunk.net }
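Review bot: `searxng_domains`, `speedtest_domains` and the `domains:` field inside `web_services` each pack several hostnames into one space-separated scalar; a YAML list (`- sx.ffrgb.net` / `- sx.regensburg.freifunk.net`) would be unambiguous and let templates iterate instead of splitting on whitespace, assuming the consuming templates can be adjusted, which this compare does not show. The flow-style `web_services` entries would also read better in block style now that they carry three keys each. The vaulted references for `netbox_dbpass`, `netbox_secret`, `speedtest_secret` and the prometheus passwords are the right pattern; any new secret added here should follow it rather than appear in plaintext.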


@ -1,137 +1,134 @@
$ANSIBLE_VAULT;1.1;AES256
31633832313136353531623833383865383736333164376632363635333439613763643062663632
3736376165623664376436643138653435393239636333370a643363343061303436613238373237
36653730376133363061333536626436363366393335303932663736316631633630323634353531
3734353134396561660a616339303762313430616234383138326438383432646564356662393536
61376161343965656365646238393261356133326131613730343234336139366461333032396531
38653031363934623231336661363233393562383434323633353139336530383432383736353937
65633935373261653134653839353233643439616266613531373938393231643736333436353234
65646665626531323566326561353333666535666430613961666232646632303662343832643661
35373166323439623137383164663838393766326237336234326635383930323365326431343338
61343434363961633532656466653732626135306334303634383235643531396535326536636264
37343930623235363632623963346637363964666664636266373137363037383036633233643130
30323036653637656131623332613463303937323133653064623333396534336661306432323536
38373534303235323230306139663736663430633463663166393033613435616662336335643137
32366439333661313930636234346265306233393966623832613834623263356337356162396335
34353362613163323936613930666339303839393431303461363565623561363034306538396237
38326263303033376435623037653365636362653831623066653263623236613566623962313266
34336233343530366236313131323962666163383035633361333637343732356338626265613338
36643663336161663636343864623864323735613838373562376431643338346662393731373833
38313839393433626630363635323232373534303437656561316231653536306264386331333666
36323330626164363730643337623262303335333438303432373465343235303836366362383336
39666631363362383338616536666432373738336131653765353635373365623030393365636630
38303033306664356162316262346434343239646230663062643566336132613535393835366236
66306435653364323335623665316264646631383066373837653536316135316130393766356162
33326431643162383539323161626163316532373831386334643761636630616162666236613766
38633738333331616336363736396635306630363561613966656538633432363661313432373731
39303764303362336536396130613637653530376437333336613465643539396330623261356534
64633761643065313038656261326638343032353832376262653135663162353434323936353862
31663738353965303963353962626534303333303037336431373631396635363938326133336330
63353333616664663934636433653434626162323064653430666565613061623239613561643838
66356662303137383639336432633432636235306165306339623632316134306431376163616465
32636132656232303162333238393837383731633931363865356634643736326139313638333230
39316662306432333333333266333234646539646532316536383932666435366136346138626136
64373362366239633964616638363666656564323436636432663937666565653436613465366461
65376562303639363332636532386535386365656636346365333330386132383637636239653730
63333361303037393936653064336439653932373739336564333132303639343835376633666631
66613138343730636563626131623437343232303964626562633332303761626331383662373531
39663463656361303236666661356564373432333062303363313532333938633337363536343930
37376464393438613564653465353037313536626466643131336133336161316437316433663032
62633465613634373238383937643037346336336135353230386538353933616436646534366435
31323363666266373662626362663164653863326239303462363739383730643962333230343733
37393831383666393064626437323861353739363762346330666436356466316464393838366133
34653131653838643063396633346132336439393132353661373063623865643465306238326538
63313366386263623333636636376637383536353663643266653431626365666139393764663633
62366234376231393261646366383733633565303433353631343239313362646161663433653632
61303231616366386435666232353531306331613638633531613364663130643433336232633164
64373131303135316135376339353366313635653466663765323931616232333539333639623033
39626233316430303062336234623966376564386365613265363866666636626435306664336636
39346139316331306333666332393631306433623365303064383831643864336634303737633434
39303364633530343531373964353335333832636433313865303765393665633838316531343035
34666237353834613337353063666333353764666431376235393534613534363163333732373061
36663537363938373235326537326139366562656264393930653630383332383466333435386233
32613737303431333537326264343065306361653562633064393762643161313666663262313236
65386430306432653563623666646439376163383433653561333461383933383835373563396137
62383861393963313534616437663465333834663235356439363735633133623365383839613037
34303465363033313739373631363261313130616663336662346132653239313562386664353432
64373961663563393362303166633630343665663437373562613461343266646332313963653965
39363632313864343437333038623364323161376237386333616636303364373964343464643330
31613431313562353862306236623233636264653635643264333364336533623036356530343465
33366131333365393333373062623666663065316666363736633562363934336534313464353239
30666365303330363962653731626266376433666135333435313236386163653336386134633630
65336335346539666431643036636663643936326635636438636438646230353962646335396461
64623238343632346265376537323462316162633437633463656235626366666235653231303736
34316166363139336536396631663435386434396336346331663333353338353466346433393062
31343662316464356663356539303934633336613335373732353165366266303837303364616537
31356135313732633232343362663932656363633162623539323938643239383333306638346236
36666564323336346234313239656463626138313364656637353434303266613232353334666539
34666437356531393933656338373834303130663132303433376338643833643236333639663530
32653536643035303536353431623463353762393539363634636566396134353362633038333831
33633632666331666665373664633138323536633264653339663463326236343862656563323835
66633038346237356638646133626239336233633261626464626238636363666431646661366337
32396137303664363734666238346636653531666461306335343636303861653533356266643833
39633939666534663033336462336633636264336133633630366166356163306539613830636432
66326661646430366332363530333338373136656234613030616338383531313138666435313562
33346262353934636564613730396536333731653036303333343039393534643837663234346234
30303032623565316234343834303061303333346539636138343334663131646463363863663062
31343432383238623733346563323533636466346538616334646338366465356165613434623730
37323930623539353764643939643963353238646230396337633362363664613431303032656639
38613961633439613837636531653163383633373263343235303766613736616636613066316463
63346337383864363562373562643636343764626433383634643064313831373833356132393737
39356534623536373066663933356535356532636332343661333166663433666433363661343861
63393734656534363761313862613364616161303735323563656265323362313061343332346238
35353534663137653466396432353437333739363631373332316165663964653335363034636131
33363933333764306265306161336165306234616161313466393233363431363061633730653437
65313636366162303763663530386239343833626139643439306161623066313638323361353831
63323531353939356337613865663737373661343362353362326637666666383535633030626163
36386464326134333965623262356532353161316533626331623266623630383331313037376365
37353164306433633563386436653235616661366639343035306533643732326232366537633635
33306338386561353564643537353736663434663931343263333764633961666464373461346335
65323462313761653361343236326632393835613538616436666534363366626637376262326462
32366530383439646137383737303634613136396135633136316233326230323466383932616630
66316561333961346130306531623936376636646330373237623034633135303630353566333037
34656233316663656661623731633034643332336631356436653134366162396336643331623135
65646466633236393036383639623066663963653431343836626664383431363663653535383565
64333432343561623633316232623864386161376163333238623066636533353330336566313835
66653265346331393238343862353162383234303334626261643065656637386434636564663665
63616339663261616534376661393837343335373638366264323732353032363731376332653936
64393262346230636366336133616366646533373530356235316561643232333664343462386539
38396665626131646234613466396334346431316638333436633637353836313933656134383031
38633838323163383536323735626132323565643136663030643436303363333264373061663430
65613836313531636264633333346331343038373466653231613830383435386364636237303965
65663635633732663636333764623133373864356363313535333136613039313035663633386338
61343930323665616464643235396232393134373537616635663231343763346434626665393966
31613835666563333261373533316364346538393438636636633862353431333030623933663130
31626337303733373034666562363064373936656435636637356365386363346664306134376339
37383335646339636265656134383432396438383732303066396636373834373037663062336335
61346438636134333763346265653766396165626365633237373466346438363330633562353731
61313630373137303131326134613264356462333363643463643861666239623937636535336536
30313234623936316439643164316139386366336630616266653338383337653561656337343837
66613234363738306235316632316666376231306561653865353636373835646263393932316134
30313433613664306533386133376232323737633934396135626532323830346336353631383539
38666264343962646237313332396535643863393535303437346262613861646663303037333736
63326534313964613663376635306162653639623735633139326161323232653462343063383036
39616233613664626161663131383366663435626432626663623638646163666535316461383531
39663130646564373563323965386331353036366230343635363266323864623633663333656561
33353131623065623839396634653735396262656261323963363261643761373137616232666665
39643835383034383439393638363438633931323437613365643935383766333535643537633633
63633133303166326432613932396331356263626166343436386463376537656231656438313563
30653664383935383161303865363338393933363334653631616432643037626433356561636634
34316436383462386331393231633161383362666532363561326631613137656464306262313034
35636334623861323836326265396664373461313034343231316261616330313938333263666665
39616163346632623764666337313561626233636363343036363331663932616530346230653663
62373661306566373638383962356563323430613262326534663663383162396263306335613462
39326162663161663264626437353064306238646664376666336534326263313061393133373636
33346161376136636536393264363332633561373037326566313137366265383635376366343036
30613763633264303536396535303236353138393032336461666131356464343930656665326535
64393130376166383538353866323265303562326239626233636237626664346631646264386439
65383730333534656361366438316536613138303334343665396438336164663064373838323534
64626631363131663462303131333735633337653335623939383264363163633765326438313965
32623662383464316133623538616139623433336435316166346336663761343536393662393733
35333938383137383863653966363837366639303634616239643235653932643132323033373238
38323734353563383133333538316236393162636237313061363663303764343533626466373137
32656561383633633166386437653361313363666334636639353833323461663030313736613831
30613832306137323637653330306637323530613935333263373338346430393265333839636566
39336662326637363038653734323230626234346433313830656264633732666430663265383031
65313864386637303563636239646633393335616231613531633762326430633231343264363236
32346662623562356432
33336336363031356335646231313439663164663337323062393465653638346538613762323532
3130356238303530316134623963616261663162393061300a653332613538633462353265353965
63653131386233643635343732346336653164303236626666613963353963616634653939623135
3231653165646661300a326563353632613937663137323562663364623133306338346633643832
38613536373436643539623064386566653738316532666166333538656664623966376639363962
63636332636331633762326539653863313233633032663063633136356562353737383365316238
62633432363661613162616230313437306439376265623563343564343532366266616536346432
38376465626236316434613631336465626363663263613232313662336133396434336437656464
34323863643366326633613632636662353232323563616138356537613762666561393133383265
65313162396434396662613131333261643966313366326435373831393338656361643733343837
64316462393361336630623563386336323138653833636464623163343134393033303865326161
33323461333334616333336466636436383764303362396561333830626137333462333564316364
38393437666662346630663137643132626133383965353030663632636237663433383462326165
30376436643137333361383839306537613535653564306164643363643330613031363630633964
62396238396530306431633362343739633230383934373364303733366136633136363761303762
33373165323939343063633965623733363934363330353662623134653438303337636161343132
66393361363838323731303564653834316265333363303662376630333930346534363133363861
62396533666365303065333330363066343238386438636661633233363831343838316131353633
38643764386166656632313938386133366233366130626636323330326466376566613563383561
62383038336566356533643336393430353365623932376161393438653465653962383130363433
34393437343238383634323432633134353664386136633533383463616235326239383966633431
36363532623932326432366330343332376264666537333234333234616638653830363633313465
38343038666336353634633238356662666338646661646265306564633861333461336231313834
64663166356432376564633163303636643963323032393737383537323639616333373133626264
32303466316562666338356235376133653833623936373131373237393334393665306561366636
66623437663334326631353132303030663236393762336639313861663962353363653831373563
62386633306463306634633862326632313063393362353438623437376138363433623934666162
37373662393437363965623162303934333230343962626233366630396531326665383065386161
65663666356431366335633339366637303137353765656638316535613933343237656563663863
65313230616338653030343034663937666134653336383732393538396337326238343761323137
30626138666262666465393036363133356563653437376666376366613635306162653739396531
64613664626663626462343737626266636132313366393861313436383137313765623165333734
35333036633234303733373161626331363333393062613933623931356234363735663165386338
61333961666638326134396431393335633435666135383738376335623135663934356437623062
66323833353065653866613264663262653731373865656363666466303330356563356434343161
34363564363564393132326264626134383630653437626536623166363965306363653539336461
36366538383134376564376665336231663532656464393832346166653462306235666139633265
34663235353765316633333865313439663736323462653232633362633333663539613934346136
31363536303338633333393064366234643762396364356539363966623936663764353161383136
34383432386537646566653964313731623761316161663136386532663332333262313861613932
35356566303364326436306235323463623331613663383031343335323537346530653637663939
34613333323738303731636362323735346561343332376137616339386163346134646566353231
65656264626131306130663761663763336464306563313835633432333761623633666433613830
63356265343839396162363333646630346364643661303331663236306535306465626435326662
62313963663636363366356132616239323632623733656137316663303031356631323235353634
64613035346633313366633138353737303565303434363139616466636163323137346238623562
61333066633833303232333934373039623762323435333261633835356466303564666132656362
62613939323735343163376165653634333834353334663532383866313232663533643138663766
31353138356562386135366130373063306538633465323363313361316438366631366463323730
62393637353931653930303230626665303066646539663338363133613431306532623865343531
64366263653062643334336132336466383563636630323539373336343330616531323962326537
64306535623135396537363735633039636335623561343435613864656330376631613434613866
31393166633361633063323538623361653135306539346366383264336634353633626136663731
35383332373338333935376438346232326236613430306533316561333438383238306666346465
36356235373466303536346363393661393838336331313536383662353438333662366563353038
66383237613132613636356461653037373437336264626539333763643261326239313065336463
34323361613565663336343131613530616462633331653134613431393839303364363831303337
39393732646234383936316637343066633761636231326639663239306231303834306631393933
32323335666262666232363638306562353866353338646234353631323533316532383235336632
33643934343836366631336666643730656137626466666232396535356664313132383838363832
39613664643761653461326234643539643831616537363836656561303562633064613238383233
33616336666462333461343766383063353361313032643230636132343631613636666636666639
38386136656565653439323162363035623665623139326366326431343861393664636664363934
61353761326136346636393261663335383664646531616366363436306461313063646264356561
63393931313266633734616362376630616535396635343363326361653434353631303836326433
64313533646331336338353533643031316638386330626362313938623736316134633062393930
31306332623364393839313761353564313563326462313637663635663661396638373130363866
30326263383730356135663433623138663239363765363664636133653462653262393766363966
37303862363131646236333134366664653061343735303035383663383539353732313935313933
37323461343530306632626631373238333636303135653535626631343862663639306136323363
30343731356434333030303332636637363364643363666136353266383138613066353732326665
32366234373864663333323035306334613937656666396437646335383839663336633364613338
63306635663762373331646535373638343436376431646564666239633631376465623730353935
66383262623838376339373735396131303434616132373832633061616132393931643830633864
37663931613633656339383062336462383661363463323632396636633965373439383938626635
38336330383139653365653664383934663838306531373164626136613338343861353262663431
30653265333065663664646564376466303838373961626436396631356366363832613930346664
34643962363862643732653631333665366134343332313863316164323465383138386262336336
32343365386362346237656361386163323062376232346137336365363731396639346137343735
62633436643265636262376639383635336536353131666661326238653339626666383562323763
63373636636530306461633035616163643962633033363565323164343034633666346133343638
37613463333461373663336630313834316333366466336539333135356338343731636231663530
38623738636534333762376434336336326166373363643864316233343735386234616663636534
32393838623939343536346634633339613837373735353565313138333864383632383533396264
36363430356237636235316631313664336265633333313137373861666333663865393065393531
30386335613531353837363738366232313036343731343566306166646466353164336136393330
65323933613266363739363231663563656437396231316666303437633564613465313937383038
32643465346130323738336364356331663163323236333764653566306664623164626437363465
34333165343034633135336234633765336333623333643632353335656238393863623062623665
39393434643538373633653630353963346132663366656532303764333838336562663735613737
39363865353736663263303565336263643333613238336462313839323738373063393639303531
34633739366531326666633634366230363431303663383432323463643665316136643434343839
66313030623561366431353863633666636262336637636235326434366536393830343433336462
34666631343862346239346434666462613836343161663234646439643562316564666632316665
66376137313231376433333163396564343435303434326235626239336237653332316232343361
30666531393863616132323837333931323534633561626263333534646530623433613633383061
36393361613736393333633166346465363762336232303530393262666366303763303862383632
30336437313339643861663635623334323330653030396432623932613433343836626238373530
35353535366237663865333832356661613635353138356438386333323734386237626532343665
31373061616234633336386661323164663934336464316364343036633336376234656263346530
64333336383861396261316436636638653934643463666263346430366238663663383834313266
65396434313161333532323036336538653830303232343364656365353339623165346164393039
62356561366461643831656466316266616335646163303438353735393830636434386335623632
32623835613262653566306561333835316334613633613138643235343265376238343932363264
65666334633663366338306566346433626431656131393233393661396361366365333733303130
38353435396462636633336238373131386562333063386235366233633030663861316161653362
36306431663639663137313762396338323933663036343130633438326435383934633861343262
39623431326362643833353532336233653664643733323432326466666165373333313266626565
38656465623362323966333238336262323563353038666635666137303064663333363730633335
31306139323831366363346331383834646635316166393334326535323339363038353365353538
31356164656235373536323830333135333931373764636439363135316532613530333734613964
66393233383132623536643664643862336162396630383932383731626233643966636437393461
30356262393661623737653439633336656635323134613336626336343666363138303931323064
36366333393330333365663965646664333561646434306463333135653130646337623035393434
66636261346534653263356230633838633033373566623138626264656236336630373634636430
39633136666565343332663330323937393565643338663433656466323535613064326233626637
63393064363434393634333863363761643433326438336634306438376235393632643332346339
63306437336431613535356138336666613862343437306330393566346332666534646230313265
66663839333730636538343630363933353039343064316330666631646565386438613232383031
63393963333063343437383130356331356162616266383231383535313530393264323232623934
30363861373261303966613361336335356233306530343435313730393166383536323937373666
33613033633530393933333265306265626632663266383834666334336364623864333735343735
35316132636333323566666339333039653862666264353638336336356334393030663733306264
61613661613166366238646264343239393735653437383539343731373266386238323532643739
38643262343666656661356338623035343934383765313939363537393434623965623437363239
61653034656535313937316639663166386432623034383864356465623032353636643737326336
38376436343133643263336435636638356465396566623037633334643863643165663765383161
33653530643836343334643734346335653131366439336139646131396237323862323132616339
35383739633133643864646163616661633032666532663861393638343232323437363263663435
65626561303137353330646162326464666236653633346636333864333366323336613638393365
36396262306266396638613736626637633163343938366130363133303535613131383562393333
63643830666437663931633231336432303561326231366639376130303564663564363766343834
3934


@ -3,22 +3,13 @@
batman_ipv4: 10.90.32.11/19
batman_ipv6: fdef:f10f:1337:cafe::11/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:11::11/64
global_ipv6: 2a00:9d80:6000:0101::11/64
nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010
gateway_id: 11
site_code: ffrgb_cty
nat_pool: 194.156.22.12-194.156.22.13
ntp_server: true
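Review bot: `mesh_wg_privkey` references the same vault variable (`vault_mesh_wg_privkey_cty`) on this host and on gw12 in the next section, and gw21/gw22 likewise share `vault_mesh_wg_privkey_uml`; if these are distinct WireGuard peers, each host should hold its own private key, because a shared key means one compromised gateway exposes the other's identity and the remote side cannot tell the two apart. The per-site values (`mtu`, `vx_wg_vni`, `mesh_wg_port`, `fastd_port`, `site_code`) are duplicated across each gateway pair as well and would drift less in a per-site group_vars file. The same applies to the gw12, gw21, gw22 and gw31 sections below; which side of this compare retains these keys cannot be determined from the page.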


@ -8,15 +8,8 @@ nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010
gateway_id: 12
site_code: ffrgb_cty
ntp_server: true


@ -3,22 +3,13 @@
batman_ipv4: 10.90.64.21/19
batman_ipv6: fdef:f20f:1337:cafe::21/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:21::21/64
global_ipv6: 2a00:9d80:6000:0102::21/64
nextnode4: 10.90.64.1
nextnode6: fdef:f20f:1337:cafe::1
mtu: 1312
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
fastd_port: 10020
gateway_id: 21
site_code: ffrgb_uml
nat_pool: 194.156.22.22-194.156.22.23
ntp_server: true


@ -10,13 +10,6 @@ mtu: 1312
fastd_port: 10020
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
gateway_id: 22
site_code: ffrgb_uml
ntp_server: true


@ -3,22 +3,13 @@
batman_ipv4: 10.90.96.31/19
batman_ipv6: fdef:f30f:1337:cafe::31/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:31::31/64
global_ipv6: 2a00:9d80:6000:0103::31/64
nextnode4: 10.90.96.1
nextnode6: fdef:f30f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3120917
mesh_wg_port: 20030
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_tst }}"
fastd_port: 10030
gateway_id: 31
site_code: ffrgb_tst
nat_pool: 194.156.22.32-194.156.22.33
ntp_server: true


@ -1,3 +0,0 @@
---
acertmgr_mode: standalone


@ -1,31 +0,0 @@
---
grafana_rendering: True
# yanic needs this
site_code: ffrgb_cty
yanic_publisher: true
yanic_repondd_enable: false
yanic_respondd_interface: ens18
yanic_respondd_ip: true
yanic_nodes_prune_after: 60d
yanic_nodes_offline_after: 5m
yanic_meshviewer_enable: false
yanic_nodelist_enable: true
yanic_database_delete_after: 720d
yanic_dbc_repondd_enable: false
yanic_influxdb:
- enable: true
host: http://127.0.0.1:8086
database: ffrgb
username: "admin"
password: "{{ vault_yanic_influx_pw }}"

9
hosts

@ -2,12 +2,9 @@
gw11.regensburg.freifunk.net
gw21.regensburg.freifunk.net
gw31.regensburg.freifunk.net
netbox.regensburg.freifunk.net
ns1.regensburg.freifunk.net
resolver.regensburg.freifunk.net
stats.regensburg.freifunk.net
sx.regensburg.freifunk.net
tiles.regensburg.freifunk.net
web.regensburg.freifunk.net
stats.ffrgb ansible_host=10.90.224.100
unms.ffrgb ansible_host=10.90.224.101
unifi.ffrgb ansible_host=10.90.224.102
tiles.ffrgb ansible_host=10.90.224.103
netbox.ffrgb ansible_host=10.90.224.104


@ -1,4 +1,4 @@
#!/usr/bin/env python3
#!/usr/bin/env python
EXAMPLES = '''
# Generates a fastd key
@ -23,7 +23,7 @@ if __name__ == '__main__':
# create file with restrictive permissions
with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
# generate fastd secret
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode()
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
handle.write('secret "%s";\n' % secret)
changed = True
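Review bot: The `check_output` line without `.decode()` leaves `secret` as bytes, so under Python 3 the `%s` formatting writes the literal `b'...'` repr into the fastd secret file and produces an unusable key; the variant that keeps `.decode()` together with the `#!/usr/bin/env python3` shebang is the correct one. Judging from the README and `.ansible-lint` sections, this compare appears to run from the newer commit back to the older, so the `.decode()` side is likely the one to keep — confirm the direction before acting on it. The `os.open(..., 0o600)` mode on the line above is the right choice for key material. The enclosing `if __name__ == '__main__':` block starts before this hunk.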


@ -1,7 +1,7 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format "keyword=value,...". A
// Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
@ -19,73 +19,50 @@
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "buster")
// ${distro_codename} Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// Software will be the latest available for the named release,
// but the Debian release itself will not be automatically upgraded.
"origin=Debian,codename=${distro_codename}-updates";
// "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
// "o=Debian,n=jessie";
// "o=Debian,n=jessie-updates";
// "o=Debian,n=jessie-proposed-updates";
// "o=Debian,n=jessie,l=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
"origin=Debian,codename=${distro_codename}";
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
// Python regular expressions, matching packages to exclude from upgrading
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux-
// "linux-";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::MinimalSteps "true";
// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
@ -93,29 +70,19 @@ Unattended-Upgrade::Package-Blacklist {
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
// Automatically reboot even if there are users currently logged in.
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
@ -125,40 +92,10 @@ Unattended-Upgrade::Automatic-Reboot "false";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
Acquire::http::Dl-Limit "200";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";


@ -8,7 +8,6 @@
name:
- apt-transport-https
- debian-goodies
- gnupg2
- lsof
- unattended-upgrades


@ -8,4 +8,4 @@
- { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
- { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
- { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 32768 }
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 8192 }



@ -1,13 +1,7 @@
---
- name: Restart chrony
service: name=chrony state=restarted
- name: Restart journald
service: name=systemd-journald state=restarted
- name: update-grub
command: update-grub
- name: update-initramfs
command: update-initramfs -u -k all


@ -1,79 +0,0 @@
---
- name: Install misc software
apt:
name:
- ca-certificates
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- wget
- zsh
- fail2ban
- name: Install software on KVM VMs
apt:
name:
- acpid
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- name: Set shell for root user
user: name=root shell=/bin/zsh
- name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
notify: update-initramfs
- name: Enable serial console on KVM VMs
lineinfile:
path: "/etc/default/grub"
state: "present"
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
notify: update-grub
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
- name: Configure journald retention
lineinfile:
path: "/etc/systemd/journald.conf"
state: "present"
regexp: "^#?MaxRetentionSec=.*"
line: "MaxRetentionSec=7day"
notify: Restart journald
- name: Set logrotate.conf to daily
replace:
path: "/etc/logrotate.conf"
regexp: "(?:weekly|monthly)"
replace: "daily"
- name: Set logrotate.conf rotation to 7
replace:
path: "/etc/logrotate.conf"
regexp: "rotate [0-9]+"
replace: "rotate 7"


@ -1,25 +0,0 @@
---
- name: Install misc software
apt:
name:
- dnsutils
- htop
- ipmitool
- less
- rsync
- vim-nox
- wget
- zsh
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- name: Set shell for root user
user: name=root shell=/bin/zsh


@ -1,11 +0,0 @@
---
- name: Install chrony
apt: name=chrony
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony
- name: Start chrony
service: name=chrony state=started enabled=yes


@ -1,21 +1,75 @@
---
- name: Cleanup
apt: autoclean=yes
when: ansible_os_family == "Debian"
- name: Install misc software
apt: name={{ item }}
with_items:
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- zsh
- fail2ban
- name: Gather package facts
package_facts:
manager: apt
when: ansible_os_family == "Debian"
- name: Install software on KVM VMs
apt: name={{ item }}
with_items:
- acpid
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Proxmox
include: Proxmox.yml
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Debian
include: Debian.yml
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
- name: Set shell for root user
user: name=root shell=/bin/zsh
- name: Setup chrony
include: chrony.yml
- name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
notify: update-initramfs
- name: use new-style network interface names
file: path=/etc/systemd/network/{{ item }} state=absent
with_items:
- 50-virtio-kernel-names.link
- 99-default.link
notify: update-initramfs
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: '^.*auth\s+required\s+pam_wheel.so$'
line: 'auth required pam_wheel.so'
- name: Configure journald retention
lineinfile:
path: "/etc/systemd/journald.conf"
state: "present"
regexp: "^#?MaxRetentionSec=.*"
line: "MaxRetentionSec=7day"
notify: Restart journald
- name: Set logrotate.conf to daily
replace:
path: "/etc/logrotate.conf"
regexp: "(?:weekly|monthly)"
replace: "daily"
- name: Set logrotate.conf rotation to 7
replace:
path: "/etc/logrotate.conf"
regexp: "rotate [0-9]+"
replace: "rotate 7"
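Review bot: The `Prevent normal users from running su` task writes `auth required pam_wheel.so` with no `group=` option; Debian ships no wheel group, and in that case pam_wheel falls back to the group with gid 0, so only members of group `root` may su afterwards. That is probably the intent, but it is not visible from the task, so a comment above it would help: `# no group= given: Debian has no wheel group, so pam_wheel falls back to gid 0 (group root)`. The regexp appears written to match the commented-out pam_wheel line Debian ships in /etc/pam.d/su, so lineinfile replaces it in place rather than appending a second entry; worth a second short comment so nobody "fixes" the leading `^.*`.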


@ -1,53 +0,0 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
{% if ntp_server is defined and ntp_server is true %}
allow 10.90.0.0/16
allow 2001:678:ddc::/48
{% endif -%}
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys
# This directive specify the file into which chronyd will store the rate
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Log files location.
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC


@ -2,5 +2,5 @@
dhcpd_interfaces: br-{{ site_code }}
dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
name_server: "{{ batman_ipv4 | ipaddr('address') }}"


@ -2,7 +2,7 @@
# option definitions common to all supported networks...
option domain-name "{{ site_domain }}";
option domain-name-servers {{ nextnode4 }}, {{ name_server }};
option domain-name-servers {{nextnode4}}, {{ name_server }};
local-address {{ batman_ipv4 | ipaddr('address') }};


@ -1,13 +1,7 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns
service: name={{ item }} state=restarted
with_items:
- pdns
- pdns-recursor
- name: Restart dnsdist
service: name=dnsdist state=restarted

roles/dns/tasks/main.yml Normal file

@ -0,0 +1,28 @@
---
- name: Install powerdns
apt: name={{ item }}
with_items:
- pdns-backend-bind
- pdns-recursor
- pdns-server
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
- name: Configure powerdns
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
tags: dns
notify: Restart powerdns
with_items:
- bind/ffrgb.zone
- bind/90.10.in-addr.arpa.zone
- bindbackend.conf
- pdns.conf
- recursor.conf
- name: Start the powerdns services
service: name={{ item }} state=started enabled=yes
with_items:
- pdns
- pdns-recursor
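Review bot: `tags: dns` is set only on the `Configure powerdns` task, so a run limited to `--tags dns` re-renders the templates and fires the restart handler but skips the install, zone-directory and service-start tasks on a fresh host; either tag every task in this file or drop the tag from the one. Style-wise, `apt: name={{ item }}` under `with_items` in `Install powerdns` runs one apt transaction per package; passing the three names as a list under `name:` installs them in a single transaction and reads the same.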


@ -12,6 +12,12 @@ launch=bind
# local-address=0.0.0.0
local-address=127.0.0.1
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
#


@ -25,17 +25,19 @@ forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1
local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}
#################################
# local-port port to listen on
#
local-port=5353
local-port=53
#################################
# query-local-address Source IP address for sending queries
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
#
query-local-address=::,0.0.0.0
{% if global_ipv6 is defined %}
query-local-address6={{ global_ipv6 | ipaddr('address') }}
{% endif %}
#################################
# quiet Suppress logging of questions and answers
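Review bot: With `local-address` now listing the batman IPv4/IPv6 addresses and `local-port=53`, the recursor answers mesh clients directly, with no dnsdist in front to rate-limit per source. The `allow-from` directive that bounds who may recurse is outside this hunk; please confirm it is restricted to the mesh prefixes (constructed example using prefixes that appear elsewhere on this page: `allow-from=127.0.0.0/8,10.90.0.0/16,2001:678:ddc::/48`), since a recursor that answers anyone on a routable address is an amplification source. The `{% if global_ipv6 is defined %}` guard around `query-local-address6` means a host without `global_ipv6` sends no outgoing IPv6 queries at all (the comment above it says the option is disabled by default); a one-line comment stating that this is intended would help.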


@ -1,4 +0,0 @@
---
- name: Restart powerdns
service: name=pdns state=restarted


@ -1,22 +0,0 @@
---
- name: Install powerdns
apt:
name:
- pdns-server
- pdns-backend-sqlite3
- sqlite3
- name: Configure powerdns
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
notify: Restart powerdns
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/powerdns.sqlite3
creates: /var/lib/powerdns/powerdns.sqlite3
- name: Start the powerdns services
service: name=pdns state=started enabled=yes


@ -1,35 +0,0 @@
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
# allow-axfr-ips=127.0.0.0/8,::1
allow-axfr-ips=127.0.0.1,::1,{{ dns_slaves | join(',') }}
#################################
# dname-processing If we should support DNAME records
#
# dname-processing=no
dname-processing=yes
#################################
# launch Which backends to launch and order to query them in
#
# launch=
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
#################################
# master Act as a master
#
# master=no
master=yes
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
only-notify=
# security-poll-suffix Domain name from which to query security update notifications
#
security-poll-suffix=


@ -1,10 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns
service: name=pdns-recursor state=restarted
- name: Restart dnsdist
service: name=dnsdist state=restarted


@ -1,4 +0,0 @@
---
dependencies:
- { role: acertmgr }


@ -1,35 +0,0 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-recursor
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Configure powerdns
template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
notify: Restart powerdns
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns-recursor


@ -1,15 +0,0 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'


@ -1,24 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')
addLocal('{{ ansible_default_ipv6.address }}')
setACL({'0.0.0.0/0', '::/0'})
addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')


@ -1,53 +0,0 @@
# {{ ansible_managed }}
#################################
# allow-from If set, only allow these comma separated netmasks to recurse
#
#allow-from=127.0.0.0/8
#################################
# config-dir Location of configuration directory (recursor.conf)
#
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
#
# dnssec=process-no-validate
dnssec=off
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1
#################################
# local-port port to listen on
#
local-port=5353
#################################
# query-local-address Source IP address for sending queries
#
query-local-address=::,0.0.0.0
#################################
# quiet Suppress logging of questions and answers
#
quiet=yes
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns


@ -1,47 +0,0 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-backend-bind
- pdns-recursor
- pdns-server
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
- name: Configure powerdns
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
notify: Restart powerdns
with_items:
- bind/ffrgb.zone
- bind/90.10.in-addr.arpa.zone
- bindbackend.conf
- pdns.conf
- recursor.conf
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns
- pdns-recursor


@ -1,15 +0,0 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'


@ -1,20 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ batman_ipv4 | ipaddr('address') }}')
addLocal('{{ batman_ipv6 | ipaddr('address') }}')
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')


@ -1,10 +1,17 @@
---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian buster stable'
filename: docker
- name: Install docker
apt:
name:
- docker.io
- python3-docker
- name: Enable docker
service: name=docker state=started enabled=yes
- docker-ce
- docker-ce-cli
- containerd.io
- python-docker
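Review bot: `apt_key: url='https://download.docker.com/linux/debian/gpg'` imports the Docker key into the global apt trust store, where it can sign packages from every configured repository, and nothing pins the key's fingerprint. Scoping it to its own keyring and the repository limits what a compromise of that one upstream can sign: `apt_key: url='https://download.docker.com/linux/debian/gpg' keyring=/usr/share/keyrings/docker.gpg` and `repo: 'deb [signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'`; the fact also replaces the hard-coded `buster`, and adding `id=` with the fingerprint published by Docker would pin the key. The grafana section further down (`apt_key: url='https://packages.grafana.com/gpg.key'` followed by an unscoped `repo=` line) has the same shape.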


@ -0,0 +1,4 @@
---
conntrack_max: 131072
fastd_instances: 3


@ -4,14 +4,12 @@
:INPUT ACCEPT [1:136]
:OUTPUT ACCEPT [2:472]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }}
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [1124:131621]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [1151:175226]


@ -1,13 +1,9 @@
# {{ ansible_managed }}
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -m limit --limit 200/sec -j ACCEPT
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -j DROP
COMMIT


@ -1,5 +0,0 @@
---
conntrack_max: 131072
fastd_instances: 3
nat_pool: "{{ ansible_default_ipv4.address }}"


@ -11,6 +11,7 @@ interface "vpn-{{ site_code }}{{ item }}";
method "null";
method "salsa2012+umac";
method "xsalsa20-poly1305";
secure handshakes yes;
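Review bot: `secure handshakes yes;` hardens the handshake, but the method list right above it still offers `method "null";`, a tunnel with no encryption and no authentication of the data path, so a peer that negotiates it gains nothing from the secure handshake beyond peer identity. If unencrypted tunnels are deliberately offered so that nodes can trade confidentiality for throughput, say so next to the methods: `# "null" is an unencrypted, unauthenticated data path kept for node-side throughput; remove it to force encryption`; otherwise drop the line. The enclosing interface stanza begins before this hunk, so whether anything else constrains method selection is not visible here.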

roles/git/tasks/main.yml Normal file

@ -0,0 +1,7 @@
---
- name: Install git
apt: name=git
- name: Install ca-certificates
apt: name=ca-certificates


@ -1,3 +0,0 @@
---
grafana_rendering: False


@ -1,38 +1,10 @@
---
- name: Retrieve Grafana Key and avoid apt_key
block:
- name: grafana |no apt key
ansible.builtin.get_url:
url: https://apt.grafana.com/gpg.key
dest: /usr/share/keyrings/grafana.key
- name: Enable grafana apt-key
apt_key: url='https://packages.grafana.com/gpg.key'
- name: Enable grafana repository
apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
- name: Install grafana
apt: name=grafana
- name: Install grafana rendering dependencies
apt:
name:
- libxdamage1
- libxext6
- libxi6
- libxtst6
- libnss3
- libnss3
- libcups2
- libxss1
- libxrandr2
- libasound2
- libatk1.0-0
- libatk-bridge2.0-0
- libpangocairo-1.0-0
- libpango-1.0-0
- libcairo2
- libatspi2.0-0
- libgtk3.0-cil
- libgdk3.0-cil
- libx11-xcb-dev
when: grafana_rendering


@ -1,23 +0,0 @@
---
- name: Import Influxdb GPG siging key with store
ansible.builtin.get_url:
url: "https://repos.influxdata.com/influxdata-archive_compat.key"
dest: /etc/apt/trusted.gpg.d/influxdb.key
checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
- name: Convert key
ansible.builtin.command:
argv:
- gpg
- --dearmor
- /etc/apt/trusted.gpg.d/influxdb.key
creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
- name: Enable InfluxDB repository
ansible.builtin.apt_repository:
repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
state: present
- name: Install influxdb
apt: name=influxdb


@ -1,9 +1,8 @@
[Unit]
Description=Network initialization
Description=ifupdown2 networking initialization
Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
DefaultDependencies=no
After=local-fs.target network-pre.target
Before=shutdown.target network.target network-online.target
Before=network.target shutdown.target network-online.target
Conflicts=shutdown.target
[Service]
@ -11,7 +10,6 @@ Type=oneshot
RemainAfterExit=yes
SyslogIdentifier=networking
TimeoutStopSec=30s
EnvironmentFile=/etc/default/networking
ExecStart=/usr/share/ifupdown2/sbin/start-networking start
ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
ExecReload=/usr/share/ifupdown2/sbin/start-networking reload


@ -1,13 +1,10 @@
---
- name: Install dependencies
apt:
name:
- bridge-utils
apt: name=python-pkg-resources
# work-around to get a version new enough not to screw up forwarding setting on all interfaces
- name: Install ifupdown2
apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb
apt: name=ifupdown2 state=latest
- name: Uninstall ifupdown
apt: name=ifupdown state=absent
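Review bot: `apt: name=ifupdown2 state=latest` upgrades the package on every run, so a new upstream release changes the tool that brings up the gateway's mesh interfaces without anyone deciding to deploy it, and the work-around comment above it does not record which version fixed the forwarding problem. Once that version is known, pin it, e.g. `apt: name=ifupdown2=<fixed version>`, and let the comment say why: `# needs ifupdown2 >= <fixed version>: older releases reset the forwarding sysctl on every interface`. The `Install dependencies` task only installs `python-pkg-resources`, the Python 2 package; if the ifupdown2 build that `state=latest` pulls in is Python 3 based, that dependency will need revisiting too.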


@ -14,8 +14,6 @@ iface br-{{ site_code }}
{% if global_ipv6 is defined %}
address {{ global_ipv6 }}
{% endif %}
#
post-up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
# bat-{{ site_code }}
auto bat-{{ site_code }}
@ -23,14 +21,18 @@ iface bat-{{ site_code }}
hwaddress f2:00:90:00:{{ gateway_id }}:20
mtu 1500
#
batman-hop-penalty 5
batman-ifaces dmy-{{ site_code }}
batman-ifaces-ignore-regex .*_.*
batman-routing-algo {{ batman_algo }}
#
post-up /usr/sbin/batctl meshif bat-{{ site_code }} gw server
post-up /usr/sbin/batctl meshif bat-{{ site_code }} hp 5
post-up /usr/sbin/batctl meshif bat-{{ site_code }} it 5000
post-up /usr/sbin/batctl meshif bat-{{ site_code }} mff 1
# TODO use batman-xyz instead of batctl
# see /usr/share/ifupdown2/addons/batman_adv.py
#
up /usr/sbin/batctl -m bat-{{ site_code }} gw_mode server 100000 100000
up /usr/sbin/batctl -m bat-{{ site_code }} it 5000
up /usr/sbin/batctl -m bat-{{ site_code }} multicast_mode 0
up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}
up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
# dmy-{{ site_code }}
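Review bot: `up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}` runs after the interface exists; as far as I know batman-adv fixes the routing algorithm when a mesh interface is created and `batctl ra` only sets the default for interfaces created afterwards, so this line would not change bat-{{ site_code }} at all. If that holds, the algorithm has to be chosen before creation, which is what the TODO above about the `batman-*` ifupdown2 options points at; until then a comment on the line, `# NOTE: batctl ra only affects meshifs created later — verify the algo with batctl ra`, stops it from reading as an applied setting. The `gw_mode server 100000 100000` line would also benefit from a comment naming what the two numbers are and their unit; the batctl man page as I recall it takes a single `down/up` bandwidth argument, so please confirm the installed batctl accepts the two-argument form.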


@ -1 +0,0 @@
OK


@ -1,4 +0,0 @@
---
- name: Reload interfaces
command: /sbin/ifreload -a


@ -1,25 +0,0 @@
---
- name: Install wireguard
apt: name=wireguard-tools
- name: Create wireguard config directory
file:
path: /etc/wireguard
state: directory
mode: 0700
- name: Configure wireguard options
template: src=wg.conf.j2 dest=/etc/wireguard/wg-{{ site_code }}.conf mode=0600
notify: Reload interfaces
- name: Configure mesh interfaces
template: src=mesh_wg.conf.j2 dest=/etc/network/interfaces.d/mesh_wg.conf
notify: Reload interfaces
- name: Install wgskex
apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
- name: Install ping endpoint
copy: src=ping dest=/var/www/html/ping


@ -1,21 +0,0 @@
# {{ ansible_managed }}
# vx-{{ site_code }}
auto vx-{{ site_code }}
iface vx-{{ site_code }}
mtu 1350
vxlan-physdev wg-{{ site_code }}
pre-up ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
up ip link set vx-{{ site_code }} up
post-up batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
down ip link set vx-{{ site_code }} down
post-down ip -6 link del vx-{{ site_code }}
# wg-{{ site_code }}
auto wg-{{ site_code }}
iface wg-{{ site_code }}
address fe80::{{ gateway_id }}/128
ipv6-addrgen no
pre-up ip link add dev wg-{{ site_code }} type wireguard
pre-up wg setconf wg-{{ site_code }} /etc/wireguard/wg-{{ site_code }}.conf
post-up ip link set wg-{{ site_code }} mtu 1420


@ -1,3 +0,0 @@
[Interface]
PrivateKey = {{ mesh_wg_privkey }}
ListenPort = {{ mesh_wg_port }}


@ -2,4 +2,4 @@
netbox_group: netbox
netbox_user: netbox
netbox_version: 4.1.8
netbox_version: 2.8.7


@ -1,13 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart netbox
service: name=netbox state=restarted
- name: Restart netbox-rq
service: name=netbox-rq state=restarted


@ -15,7 +15,7 @@
- libssl-dev
- libxml2-dev
- libxslt1-dev
- python3-setuptools
- python-setuptools
- python3-dev
- python3-pip
- python3-venv
@ -25,128 +25,52 @@
apt:
name:
- postgresql
- python3-psycopg2
- python-psycopg2
- name: Configure PostgreSQL user
postgresql_user:
name: "{{ netbox_dbuser }}"
password: "{{ netbox_dbpass }}"
- name: Configure PostgreSQL database
postgresql_db: name={{ netbox_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL database
postgresql_db:
name: "{{ netbox_dbname }}"
owner: "{{ netbox_dbuser }}"
- name: Configure PostgreSQL user
postgresql_user: db={{ netbox_dbname }} name={{ netbox_dbuser }} password={{ netbox_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Install redis
apt: name=redis-server
# TODO configure redis?
- name: Unpack netbox
unarchive:
src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
dest: /opt
remote_src: yes
creates: "/opt/netbox-{{ netbox_version }}"
register: netbox_unarchive
unarchive: src=https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz dest=/opt remote_src=yes creates=/opt/netbox-{{ netbox_version }}
# TODO user/group/chown?
- name: Configure netbox
template:
src: configuration.py.j2
dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
notify: Restart netbox
template: src=configuration.py.j2 dest=/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py owner={{ netbox_user }} group={{ netbox_group }}
- name: Configure gunicorn
template:
src: gunicorn.py.j2
dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
- name: Netbox file permissions
file:
path: "/opt/netbox-{{ netbox_version }}"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
recurse: yes
- name: Fix psycopg variant
lineinfile:
path: "/opt/netbox-{{ netbox_version }}/requirements.txt"
regexp: '^psycopg\[.*,pool\]==(.*)$'
line: 'psycopg[binary,pool]==\1'
backrefs: yes
register: netbox_psycopg_fix
- name: Run upgrade script
command:
cmd: ./upgrade.sh
chdir: "/opt/netbox-{{ netbox_version }}"
become: true
become_user: "{{ netbox_user }}"
when: netbox_unarchive.changed or netbox_psycopg_fix.changed
- name: Install venv
pip: requirements=/opt/netbox-{{ netbox_version }}/requirements.txt virtualenv=/opt/netbox-{{ netbox_version }}/venv virtualenv_command="/usr/bin/python3 -m venv"
# TODO - still manual work
# * Create a super user
# * Migrate media files
- name: Install netbox housekeeping cronjob
template:
src: netbox-housekeeping.sh.j2
dest: /etc/cron.daily/netbox-housekeeping.sh
mode: 0755
# * Run Database Migrations
# * Create a Super User
# * Collect Static Files
# * Gunicorn Configuration
# * systemd Configuration
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
-days 730 -subj "/CN={{ netbox_domain }}"
creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt -days 730 -subj "/CN={{ netbox_domain }}" creates=/etc/nginx/ssl/{{ netbox_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ netbox_domain }}"
when: "'kitchen' in group_names"
- name: Configure certificate manager for netbox
template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
notify: Run acertmgr
#- name: Configure certificate manager for netbox
# template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
# notify: Run acertmgr
- name: Configure vhost
template:
src: vhost.j2
dest: /etc/nginx/sites-available/netbox
owner: root
mode: "0644"
template: src=vhost.j2 dest=/etc/nginx/sites-available/netbox
notify: Restart nginx
- name: Enable vhost
file:
src: /etc/nginx/sites-available/netbox
dest: /etc/nginx/sites-enabled/netbox
state: link
file: src=/etc/nginx/sites-available/netbox dest=/etc/nginx/sites-enabled/netbox state=link
notify: Restart nginx
- name: Install systemd units
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
with_items:
- netbox
- netbox-rq
notify:
- Reload systemd
- Restart netbox
- Restart netbox-rq
- name: Enable services
service: name={{ item }} state=started enabled=yes
with_items:
- netbox
- netbox-rq
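Review bot: The `Configure netbox` task (`template: src=configuration.py.j2 dest=... owner=... group=...`) sets no `mode`, so the rendered configuration.py, which carries `SECRET_KEY` and presumably the `netbox_dbpass` credential, ends up with whatever the remote umask yields, typically world-readable 0644. Add `mode=0640` to that task; owner and group are already the account the service is expected to run as, so nothing else needs read access. The `openssl req` one-liner that writes the self-signed key into /etc/nginx/ssl has the same gap, so follow it with `file: path=/etc/nginx/ssl/{{ netbox_domain }}.key mode=0600`. The GitHub tarball is also unpacked without any checksum, so the install trusts whatever that URL serves at run time; if that matters, fetch it with `get_url ... checksum=sha256:<pinned digest>` first and unarchive the local copy.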


@ -33,10 +33,8 @@ REDIS = {
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 0,
'DEFAULT_TIMEOUT': 300,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
},
'caching': {
'HOST': 'localhost',
@ -46,10 +44,8 @@ REDIS = {
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 1,
'DEFAULT_TIMEOUT': 300,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
}
}
@ -69,13 +65,32 @@ SECRET_KEY = '{{ netbox_secret }}'
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
# application errors (assuming correct email settings are provided).
ADMINS = [
# ('John Doe', 'jdoe@example.com'),
# ['John Doe', 'jdoe@example.com'],
]
# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
# URL schemes that are allowed within links in NetBox
ALLOWED_URL_SCHEMES = (
'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
)
# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
BANNER_TOP = ''
BANNER_BOTTOM = ''
# Text to include on the login page above the login form. HTML is allowed.
BANNER_LOGIN = ''
# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
# BASE_PATH = 'netbox/'
BASE_PATH = ''
# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
CACHE_TIMEOUT = 900
# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
CHANGELOG_RETENTION = 90
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
@ -104,6 +119,10 @@ EMAIL = {
'FROM_EMAIL': '',
}
# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
ENFORCE_GLOBAL_UNIQUE = False
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
EXEMPT_VIEW_PERMISSIONS = [
@ -126,18 +145,22 @@ INTERNAL_IPS = ('127.0.0.1', '::1')
# https://docs.djangoproject.com/en/stable/topics/logging/
LOGGING = {}
# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
# authenticated to NetBox indefinitely.
LOGIN_PERSISTENCE = False
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
# are permitted to access most data in NetBox but not make any changes.
# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
LOGIN_REQUIRED = True
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
# re-authenticate. (Default: 1209600 [14 days])
LOGIN_TIMEOUT = None
# Setting this to True will display a "maintenance mode" banner at the top of every page.
MAINTENANCE_MODE = False
# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
# all objects by specifying "?limit=0".
MAX_PAGE_SIZE = 1000
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
# the default value of this setting is derived from the installed location.
# MEDIA_ROOT = '/opt/netbox/netbox/media'
@ -155,6 +178,20 @@ LOGIN_TIMEOUT = None
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
METRICS_ENABLED = False
# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
NAPALM_USERNAME = ''
NAPALM_PASSWORD = ''
# NAPALM timeout (in seconds). (Default: 30)
NAPALM_TIMEOUT = 30
# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
# be provided as a dictionary.
NAPALM_ARGS = {}
# Determine how many objects to display per page within a list. (Default: 50)
PAGINATE_COUNT = 50
# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = []
@ -167,13 +204,24 @@ PLUGINS = []
# }
# }
# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
# prefer IPv4 instead.
PREFER_IPV4 = False
# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
# Remote authentication support
REMOTE_AUTH_ENABLED = False
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
REMOTE_AUTH_DEFAULT_PERMISSIONS = []
# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
RELEASE_CHECK_TIMEOUT = 24 * 3600
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
# version check or use the URL below to check for release in the official NetBox repository.
@ -184,16 +232,10 @@ RELEASE_CHECK_URL = None
# this setting is derived from the installed location.
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
# Maximum execution time for background tasks, in seconds.
RQ_DEFAULT_TIMEOUT = 300
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
# this setting is derived from the installed location.
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
# The name to use for the session cookie.
SESSION_COOKIE_NAME = 'sessionid'
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
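Review bot: `ALLOWED_URL_SCHEMES` on the new side admits `file`, `ftp`, `ftps`, `telnet`, `tftp` and `vnc` in user-entered links; this looks like the upstream default for this NetBox version, but with `LOGIN_REQUIRED = True` and a small operator audience nothing here seems to need more than `'http', 'https', 'mailto', 'ssh', 'tel'`. Trimming the tuple to those leaves less room for link-based tricks against the other operators who follow links in the UI. Separately, both Redis connections keep `'PASSWORD': ''` and `'SSL': False`, and the tasks file still says `# TODO configure redis?`; as far as I know RQ pickles its jobs, so any local process that can reach 127.0.0.1:6379 can have code run by the rq worker. Setting `requirepass` in redis.conf and filling `'PASSWORD'` for both entries closes that for other local users.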


@ -1,16 +0,0 @@
# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
bind = '127.0.0.1:8001'
# Number of gunicorn workers to spawn. This should typically be 2n+1, where
# n is the number of CPU cores present.
workers = 5
# Number of threads per worker process
threads = 3
# Timeout (in seconds) for a request to complete
timeout = 120
# The maximum number of requests a worker can handle before being respawned
max_requests = 5000
max_requests_jitter = 500


@ -1,9 +0,0 @@
#!/bin/sh
# This shell script invokes NetBox's housekeeping management command, which
# intended to be run nightly. This script can be copied into your system's
# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
# within the cron configuration file.
#
# If NetBox has been installed into a nonstandard location, update the paths
# below.
/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping


@ -1,21 +0,0 @@
[Unit]
Description=NetBox Request Queue Worker
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -1,22 +0,0 @@
[Unit]
Description=NetBox WSGI Service
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
PIDFile=/var/tmp/netbox.pid
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -10,7 +10,7 @@ server {
}
location / {
return 301 https://$host$request_uri;
return 301 https://{{ netbox_domain }}$request_uri;
}
}
@ -30,9 +30,9 @@ server {
location / {
client_max_body_size 32M;
proxy_pass http://localhost:8001;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8001;
}
}


@ -1,3 +0,0 @@
---
nginx_anonymize: False


@ -47,32 +47,7 @@ http {
# Logging Settings
##
{% if nginx_anonymize %}
map $remote_addr $ip_anonym1 {
default 0.0.0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
"~(?P<ip>[^:]+:[^:]+):" $ip;
}
map $remote_addr $ip_anonym2 {
default .0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
"~(?P<ip>[^:]+:[^:]+):" ::;
}
map $ip_anonym1$ip_anonym2 $ip_anonymized {
default 0.0.0.0;
"~(?P<ip>.*)" $ip;
}
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log anonymized;
{% else %}
access_log /var/log/nginx/access.log;
{% endif %}
error_log /var/log/nginx/error.log;
##


@ -30,7 +30,7 @@
- /etc/nginx/dhparam.pem
- name: Configure nginx
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
notify: Restart nginx
- name: Configure default vhost
@ -41,7 +41,7 @@
- name: Ensure network and dns are available before nginx
lineinfile:
dest: /lib/systemd/system/nginx.service
line: "After=network-online.target remote-fs.target nss-lookup.target"
line: "After=network-online.target nss-lookup.target"
regexp: "^After="
- name: Start nginx
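Review bot: The `Ensure network and dns are available before nginx` task rewrites `After=` inside `/lib/systemd/system/nginx.service`, a file owned by the nginx package; the next package upgrade replaces it and silently reverts the ordering, and dpkg then reports the unit as locally modified. A drop-in under `/etc/systemd/system/nginx.service.d/` survives upgrades and states what it is for. `After=` on its own also only orders against network-online.target if something else pulls that target in, so the drop-in should carry `Wants=network-online.target` too. The `Start nginx` task at the end continues outside the hunk, and the `Reload systemd` handler used below is assumed to exist in this role's handlers.

```yaml
- name: Create nginx unit drop-in directory
  file: path=/etc/systemd/system/nginx.service.d state=directory owner=root mode=0755
- name: Ensure network and dns are available before nginx
  copy:
    dest: /etc/systemd/system/nginx.service.d/override.conf
    owner: root
    mode: "0644"
    content: |
      [Unit]
      After=network-online.target nss-lookup.target
      Wants=network-online.target
  notify: Reload systemd
# … unchanged: Start nginx …
```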


@ -1,4 +1,4 @@
---
node_exporter_version: 1.2.0
node_exporter_version: 1.0.1
node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz


@ -1 +1 @@
OPTIONS="--web.config=/etc/node_exporter/web-config.yml"
OPTIONS=""


@ -9,27 +9,6 @@
- name: Configure node_exporter
copy: src=node_exporter dest=/etc/default/node_exporter
- name: Create configuration directory
file: path=/etc/node_exporter state=directory
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/node_exporter/{{ ansible_fqdn }}.key
-out /etc/node_exporter/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/node_exporter/{{ ansible_fqdn }}.crt
notify: Restart node_exporter
- name: Ensure correct certificate permissions
file: path=/etc/node_exporter/{{ ansible_fqdn }}.key owner=node_exporter mode=0400
notify: Restart node_exporter
- name: Configure node_exporter TLS
template: src=web-config.yml.j2 dest=/etc/node_exporter/web-config.yml
notify: Restart node_exporter
- name: Install systemd unit
template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
notify:
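Review bot: With `--web.config` gone from /etc/default/node_exporter (`OPTIONS=""` in the previous section) the exporter answers on its default `:9100` over plain HTTP with no authentication, on every interface of the host. Its default collectors hand out kernel version, mount points, interface names and addresses and uptime, which is free reconnaissance for anyone who can reach that port, and nothing in this role restricts it. Unless 9100 is filtered to the prometheus host elsewhere, bind it to the address prometheus actually scrapes, e.g. `OPTIONS="--web.listen-address=<internal-address>:9100"`, or firewall the port. The `Install systemd unit` task's `notify:` list continues outside the hunk.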


@ -1,6 +0,0 @@
tls_server_config:
cert_file: /etc/node_exporter/{{ ansible_fqdn }}.crt
key_file: /etc/node_exporter/{{ ansible_fqdn }}.key
basic_auth_users:
prometheus: {{ prometheus_node_pass | password_hash('bcrypt', 'supersecret1salt1value') }}


@ -0,0 +1,10 @@
---
- name: Restart ntp
service: name=ntp state=restarted
- name: Restart ntpd
service: name=ntpd state=restarted
- name: Restart chrony
service: name=chrony state=restarted


@ -0,0 +1,34 @@
---
# Use chronyd to lock time via PHC to hosts RTC
- name: Install chrony
apt:
name: chrony
state: latest
install_recommends: no
- name: Load kmod ptp_kvm at boot time
blockinfile:
path: /etc/modules-load.d/ptp_kvm.conf
create: yes
owner: root
mode: '0400'
block: |
# Load VirtIO PTP driver for chrony
ptp_kvm
register: load_ptp_kvm
when:
- ansible_virtualization_role == 'guest'
- ansible_virtualization_type == 'kvm'
- name: Load kmod ptp_kvm
modprobe:
name: ptp_kvm
state: present
when: not (load_ptp_kvm is skipped)
- name: Configure chronyd
template:
src: chrony.conf.j2
dest: /etc/chrony/chrony.conf
notify: Restart chrony
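Review bot: `state: latest` on the `Install chrony` task upgrades the package on every run rather than just ensuring it is there, which turns an ordinary configuration run into an unscheduled package upgrade; `state: present` is the usual choice. The file also never starts or enables chronyd, while ntp.yml ends with `service: name=ntp state=started enabled=yes`, so a chronyd that was stopped or disabled before this role runs stays that way and the `Restart chrony` handler only fires when the template changes. Add the matching `service: name=chrony state=started enabled=yes` after the `Configure chronyd` task.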

roles/ntp/tasks/main.yml Normal file

@ -0,0 +1,16 @@
---
# Select best time source
# * on kvm sync to hypervisor rtc within nanoseconds accuracy
# * on anything else use ntpd wich supports only milliseconds accuracy
- name: Setup chrony
include_tasks: chrony.yml
register: ntp_use_chrony
when:
- ansible_virtualization_role == 'guest'
- ansible_virtualization_type == 'kvm'
- name: Setup ntpd
include_tasks: ntp.yml
when:
- ntp_use_chrony is skipped
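Review bot: `register: ntp_use_chrony` on an `include_tasks` is not a reliable switch: when the include is skipped the variable holds a skip result, but when it runs the include is not a module execution and, as far as I know, Ansible does not promise what (if anything) gets registered, so `ntp_use_chrony is skipped` on the `Setup ntpd` include may error on an undefined variable or misfire. The condition is plain facts, so negate it directly, `when: not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm')`, on the ntpd include and drop the `register`.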

roles/ntp/tasks/ntp.yml Normal file

@ -0,0 +1,11 @@
---
- name: Install ntp
apt: name=ntp
- name: Configure ntp
template: src=ntp.conf.j2 dest=/etc/ntp.conf
notify: Restart ntp
- name: Start the ntp service
service: name=ntp state=started enabled=yes


@ -0,0 +1,27 @@
# {{ ansible_managed }}
{% if not (load_ptp_kvm is skipped) %}
refclock PHC /dev/ptp0 poll 2
{% elif ntp_servers is defined %}
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% else %}
pool 2.debian.pool.ntp.org iburst
{% endif %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
logdir /var/log/chrony
maxupdateskew 100.0
rtcsync
makestep 1 3
# Do not allow chronyc for security reasons
cmdport 0
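Review bot: On KVM guests the PHC refclock is the only configured source, because the `{% elif %}`/`{% else %}` structure drops every `server`/`pool` line; if `/dev/ptp0` is absent (host kernel or QEMU without kvm-ptp, or the module failed to load) chronyd has nothing to sync to and the clock free-runs. A lone refclock also cannot tell when the hypervisor's own clock is wrong, which matters for certificate validity and log correlation. Keep the NTP sources unconditionally and prefer the PHC while it is healthy: close the refclock branch with `{% endif %}`, change `{% elif ntp_servers is defined %}` to `{% if ntp_servers is defined %}`, and use `refclock PHC /dev/ptp0 poll 2 prefer`. Note also that `cmdport 0` only disables the UDP command port and chronyc still works for root over the Unix socket, so a more accurate comment would be `# Disable the UDP command port; chronyc remains usable by root via the Unix socket`.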


@ -0,0 +1,17 @@
# {{ ansible_managed }}
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
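Review bot: `{% for srv in ntp_servers %}` has no `is defined` guard, so the template fails to render on any host without `ntp_servers`, whereas chrony.conf.j2 in the same role falls back to `pool 2.debian.pool.ntp.org iburst`; the two paths should degrade the same way. Wrap the loop in `{% if ntp_servers is defined %}` … `{% else %}` with `pool 2.debian.pool.ntp.org iburst` … `{% endif %}` as chrony.conf.j2 does. There is also no `driftfile` line, so ntpd cannot persist its frequency estimate across restarts and takes longer to converge after each one; add `driftfile /var/lib/ntp/ntp.drift`, which is what Debian's stock ntp.conf uses.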


@ -6,7 +6,7 @@
- name: Install dependencies
apt:
name:
- python3-pip
- python-setuptools
- python3-setuptools
- virtualenv
@ -22,13 +22,6 @@
- Reload systemd
- Restart prometheus-pve-exporter
- name: Configure prometheus retention
lineinfile:
path: /etc/default/prometheus
regexp: '^ARGS=.*$'
line: 'ARGS="--storage.tsdb.retention.time=365d"'
notify: Restart prometheus
- name: Configure prometheus
template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml
notify: Restart prometheus


@ -27,29 +27,12 @@ rule_files:
scrape_configs:
{% if node_targets is defined %}
- job_name: node
scheme: https
basic_auth:
username: prometheus
password: {{ prometheus_node_pass }}
tls_config:
insecure_skip_verify: true
static_configs:
- targets:
{% for target in node_targets %}
- {{ target }}
{% endfor %}
{% endif %}
{% if dnsdist_targets is defined %}
- job_name: dnsdist
basic_auth:
username: prometheus
password: {{ prometheus_dnsdist_pass }}
static_configs:
- targets:
{% for target in dnsdist_targets %}
- {{ target }}
{% endfor %}
{% endif %}
{% if fastd_targets is defined %}
- job_name: fastd
static_configs:
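Review bot: The `node` and `dnsdist` jobs now scrape over plain HTTP with no credentials, since `scheme`, `basic_auth` and `tls_config` are gone from both; whatever network lies between prometheus and the `node_targets`/`dnsdist_targets` hosts can read the metrics and, from an on-path position, feed fabricated samples into the TSDB and the alert rules built on it. If those targets are reached over a public address rather than an internal link, restore `scheme: https` with `basic_auth` on the node job (the exporter side must be configured to match) or move the scrape onto a private interface. If the dnsdist webserver on port 8053 still requires a password, this config cannot supply one and the job fails with 401; that shows on /targets after deploy. The `fastd` job at the bottom continues outside the hunk.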


@ -19,6 +19,6 @@ interface br-{{ site_code }} {
AdvRouterAddr on;
};
{% endif %}
RDNSS {{ batman_ipv6 | ipaddr('address') }} {
RDNSS {{ batman_ipv6 | ipaddr('address')}} {
};
};
