


Jan 42bb310ca1 Update .drone.yml
2021-07-31 22:46:26 +02:00
Jan f5cc5cea9c Use chrony to lock kvm virtualized vm to host rtc
Chrony uses PHC via VirtIO PTP on KVM to sync the virtual machine's time to
the host's RTC within nanoseconds. Ntpd is still used for anything else
not virtualized on KVM.
2020-09-04 18:36:50 +02:00
122 changed files with 2053 additions and 4051 deletions


@ -1,4 +0,0 @@
skip_list:
- meta-no-info
- package-latest
- risky-file-permissions


@ -8,4 +8,4 @@ steps:
- name: lint
image: cytopia/ansible-lint:latest
commands:
- ansible-lint
- ansible-lint -x305,403,701
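Review bot: The lint step runs `image: cytopia/ansible-lint:latest`, so the rule set the pipeline enforces — and the meaning of the numeric ids on the `ansible-lint -x305,403,701` line — can change underneath the build without any change to this repository; both commits in the list above are already shown as failing. Pin the image to a specific tag or digest, e.g. `image: cytopia/ansible-lint:<pinned-version>`, and put a comment above the command naming the rules behind the excluded ids so a reader can tell what is being waived. Which of the two `ansible-lint` lines is the surviving one cannot be read from this rendering; whichever it is, keeping the exclusions in one place (the repository-level `skip_list` shown in the first section, or the `-x` flag, not both) avoids the two drifting apart. The `steps:` sequence this step belongs to starts before the hunk.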

.gitignore vendored

@ -2,4 +2,3 @@
__pycache__
site.retry
*.pyc
ff-ansible.code-workspace


@ -3,11 +3,11 @@ Ansible Freifunk Regensburg
## Requirements
The python packages netaddr and passlib are required on the host running ansible.
The python package netaddr is required on the host running ansible.
The vault password must be stored in `.vault_pass`.
The *only* supported distributions to deploy roles on is debian buster.
The *only* supported distributions to deploy roles on is debian stretch and buster (stretch may be too old for prometheus).
## Running Ansible


@ -1,6 +1,5 @@
[defaults]
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
interpreter_python = auto
inventory = ./hosts
library = ./library
nocows = 1


@ -2,20 +2,6 @@
acertmgr_mode: webdir
dnsdist_targets:
- gw11.regensburg.freifunk.net:8053
- gw21.regensburg.freifunk.net:8053
- gw31.regensburg.freifunk.net:8053
- resolver.regensburg.freifunk.net:8053
dns_slaves:
- 195.201.117.207
- 2a01:4f8:1c0c:7dda::1
- 213.166.224.14
- 2a02:958:0:1::e
- 213.166.225.14
- 2a02:958:0:1::1:e
fastd_targets:
- gw11.regensburg.freifunk.net:9281
- gw21.regensburg.freifunk.net:9281
@ -49,14 +35,11 @@ node_targets:
- gw11.regensburg.freifunk.net:9100
- gw21.regensburg.freifunk.net:9100
- gw31.regensburg.freifunk.net:9100
- ns1.regensburg.freifunk.net:9100
- resolver.regensburg.freifunk.net:9100
- stats.regensburg.freifunk.net:9100
- web.regensburg.freifunk.net:9100
- stats.ffrgb:9100
- unms.ffrgb:9100
- unifi.ffrgb:9100
- tiles.ffrgb:9100
- netbox.ffrgb:9100
ntp_servers:
- 0.de.pool.ntp.org
@ -64,10 +47,6 @@ ntp_servers:
- 2.de.pool.ntp.org
- 3.de.pool.ntp.org
prometheus_dnsdist_pass: "{{ vault_prometheus_dnsdist_pass }}"
prometheus_node_pass: "{{ vault_prometheus_node_pass }}"
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"


@ -1,151 +1,134 @@
$ANSIBLE_VAULT;1.1;AES256
36396532616163303161303134326565316637343336613531663031376439303930306532373063
3765313339353437393633373035663661623461343132380a373536646632346364663662626665
37373532633937623030393735383164376233383838613635353565333763626430616630636536
6635373636383462610a326662393234333166373834323834353537363239616639343531616339
63383939313735653364383137346166306639633637636137353832666333633963633363663265
39356136613639643135633534636264393838376431336462363030363463643232663534313261
64373861313135623264316135646234376230653863633863366538353736653964363137303533
63623730396338643738313432343962666461653136333361383033623161376662346165626338
33356162376536303363343363343830383365323737636334323632306261336538356639306632
39333166353830386537383033396465343461396330386238653961386237336234376533633931
64653331326263343063306230653265643731323732353437643161383238376664636562383561
31376561373130636561366333306139636533363933313566363537363238343462323539313439
30393035643138666435393237383039623735353963353039323966666130393638306565333631
64653432623664346637656134643963323233376535333731653466633064306365306164643337
61306661356531623737386439373465636339643435343838393863333034383437343832383134
64666332613865306438643830376665623435376632373362356363343339363533303433313939
33623636616334646536663333383031396666376562366335656666363233636265643435383334
39656432383035323334373639326535306237643336663232633566663837663466383331336261
32383238353137333731386331623264633338373964653261643865353162623232393930333432
38323065343865643135653535623934613634636465333865353465326139613130376134396132
62366539396432633935663930663063363536393331393666616438396231643938306139313033
31623237646135633237343566646436363864303334373861306430626131366430666634303862
34663163373263366561306336336535656465326633613535343665343361373936346431363538
34303565336132646461656135623463373832396533316132313139303133303565616434663138
62663561663530363834623130313464623465653139343033313132366665636535666639323162
62316666643532353166373430633832643434356664346337633738623739353835313539666130
66633931306330363532363630626162353066316565643235636162393532393234646230363131
37666166393666313661663863643866656236313935356131313230313861636631643034643662
64393866633064383164643365363038626536663831393432363661383736306663356563313734
63363363363531623634363835363364303137646335373662313764323263306539386435663631
39396234623064636531653063326562383235333865393935376265393932633763613838343733
34353663313462313437316534663239353535313434646431663862393561613264626634643864
31633734633963346634376165343435666538313932343230343237363839323764633835623337
62653466376265343639343064366461653964303337363561306138363534613036376338373266
65376432396234383661653330613465623735373834393836646439616634613865323236666264
31336363373063346231376164663930336539633363306633393938643234373065343164613738
30343831383432343931336633633830653736303061383634666337613930396262393334663561
38343232613361333564653362306139346130643530373938366332396535636630353536646336
37623962353933326561346636303338333934356230356363303938613566343365626431633134
35636432396166653835643234396662663463313063636564663835326366613739313531356431
36353664316461396366356233623236373230616534393136626231376436343538326163623764
66306264643562316563323062323637383131363062373362613061363736353430363137623161
32356630363866383064626538313739663335633235646435663134396537316165383334333464
33626430303630663565396665383265313663643264616566646639376134646233336332373264
33613462663539666432646666303533343837636438373261303232663864626566373732316339
64646564633930653437646137656466343135326562626531353265666134656665396163636534
33343135393237363234336363656263666530396635386132663530386631363066663234363265
66343264343837396165626138373835656237626236626130316134303131353539313732666463
30373661666232646438393662653535373433353762376264666536306130613531616462313830
35626461633538343261623636373236333336636436343438626338316236373039303737386438
39316433353739633264336535653561383039313734646139393961653537313562633266363338
38336236363166393964336461323430393639393866653337366564636538396338656339626136
35396566616634656137653438306136663831326166663338323531336364646332646162323430
38383234653565623062636135333136613039663362623230366364343635356234386631373664
33373965393033336235356266336331306366613065396139316363316133616265646232623762
32346331616236663231326631366364393735303163626335643730656233353236636633303939
63383965353137363062313265623733313338613966643563363466396333356262643065363666
66346333366566376336366662363632623536356564313334343135633136663632656262323334
64336135373163383339336664346632646535386536386361386336363138373130316438663062
37353231663130303838333932323532653365323238333737643866356163383032393934346530
33636565326138613963396432323838663037366463343633613730613339343266373233393063
38656264613530373262333937313037373431326665356339313638323334346464623936643035
33616630336464396531396365366462333265313239323966633563656332373164623536303963
31633437343130613039303131363264623232633232656332653138333161666233376233316639
33386636336263333463636438383231666466373934323235326366356263633563393664383939
35326562656166616264313937636432643265636565623335326237333432343238383536303735
38643333383834343633366366373639323738613433326665633362316563306161386230653363
33386463323765663838326331666433313563343266623063363962373961333064343964393439
38633036376138383936663031343835353865333635653861653131383535343939356631656532
62656464623263626464613365386234353632303734643631633435626133383538376136643335
31333430643839666238373561643966633334653361373336306266383631663537303265316564
37633633363933353931653830306663393766303363333535313737346239613366326536653530
34643166663333663066373735376266306635306132383134653161646337333161356234366533
34323461653763386636653665353362323565396535326366663639313437616663376332616630
33323531623935383639623635323662636239386631623361613066616134396565306565393161
62313235316264663261306461623032373938336661653534383835303638333831613232316564
65333135383761373937626534663633633936396532313263396338393462623830396538313464
61333966373930626135663839633766383332656564366639386130323061363137333065653433
36313434326234386466643730663939376461633334646133363763303561373862633565663634
65646237346636636230313136633136623236646239323937373163616230636264326534373263
36333035643663626239306363636635336237373761333239363937633932363936663832396438
34346662633265326365383866383864356563393431363137333564326466613832666663633539
33666638393337336633613032623739633836663831353762653437323733336230396333643733
65663462346166653534323533376431356535316238363639613636383663306635343836376365
64363765393863363038363739353239633934343138636564343562316131313933616363356237
66306230613863633038313161613861653138656433623031313534666139393535383163366339
36393138323838656139653163393965356131633961623930623637663839383564633534336565
30643334353537306637636263633331306162316565633630303636323833636234336264316361
36613833653565613562363763336633323236393836653466356638646166333661653431376463
32363638616433643264323938616262383663653334323931346639633836333462333663376364
32663838663534626565376661656663643162626137363431363461313864623732613764333664
39626232333534326364613838376434666635313731646533363635386230333036336533633034
31323132343230646631626131663436356263626563323934643765666462343234653038383564
64393739663035636266663539326661303262383966323634333234363233656465396665613636
38623063336337383931343931333565623261313638613235633230623638623863616238316662
33376135646535656434323732656362343834663530316437333630373230303136303137306637
31343266386535346362383032376635386132636138333765616361653463316239303536316262
35623062316533656661356462643864383536303835346235353339663238386532343064636233
66363566623663353265616434336163396336336263613030623134653361363732323738313363
61343232656233363433626334306433626566616537376537663930613738386663393035373533
64656639326165666138343361613637653166316330393665643533333466613861653232333138
66316464336465653062376261643238323761383161623933353433613266646537623639396666
32343735323833383365313539333138656230306134343631666232653965663264656635343061
38353162383364323538366666666365316432393939333663366664356364633939653837346431
35383063393664656539393763313735663638343863616431306566356332343935653631646536
66643130613266636331663762303962643434653532336531396165303638303831393561376633
36613537333163633837666530356163343733313631633962326365363063663261333061376135
39363532366638343430643664663863653666663064386562616434313831633032316238393963
38346564306438653865663937633037373961636630653530643936326333316433636334333935
65326434316435313364666364613138306630356234393839313031373536336539623132653634
30336332323932323863353139303835643865313466356637303032393437636531313330666536
34333565376635633863303066376330313362303836366666313530336430343939313466633135
32373238363031396665656536646236393133376435633638303238636663313738353532393236
38633831633039616430343932343066303837303161653166623761343033386437303231393931
65353334666164343337363035616162383635623838343662323430326639633834366666393663
31356138366666333563653738653032646633316537326333306133333435623132306236373963
37326435373064386131383938353465373239323434366339343364646565393131643335366530
35346465616330346232656239643165663438386339663136336362356437653334326335666564
38326436623239393833393838656335336565666536386164356535633363363836323966343663
66323563616564623165373730353238353063393362653964316338333932636333353064333761
61626432383233323630626465393461393130363232383565646631343464363138323763656637
35653964386434653335666335373932646133653966626430656636626461646263383464643666
61396265333465343039653333646661383165356335633532623165323364363630386335373935
34363739636432366565366265373038643633613739363266653531623032333030303437346665
63333666623536353238616636633065393562623566376461336262363665323866376666303930
66393533353766373732326231373732663766393034326538643063393037316239653838333738
35636539393966343866613932663230663638653862643934616539393436383639356339633133
32643836356136353436623738613133353631313936643165376265373638343838396665356166
39303661646265653436396131613536386236613938323739363863633766303365636466376637
38353837633239643166383931323961383362343831633835643930613465346335656566326434
63303565366161373062343162616536653165373537363331353639303230663265643335356330
30333263623431666135393931626431626362366562626431623434613633643062373961663361
65343135353536643863316161326635333038643634396230353465646238356234653034323638
39353365306230313031336337313637336233623865666439653861643637663732386461333432
61333831306539303439373634376566363861393830333665366238666364653637343364313865
30643564363739346566636565636363386533663434653761386565316266333436623031333134
33616464323165393331326665633235326231623365373236303335353837663739373165346139
65633066343530303335336362343838356565343638313133646339353235633661636361303934
65636332383130333036316138393235353363623061613130383431323735626136636334343439
39363764386639626432366534363839613366336139363439343066333933366537373333336465
32363334326463323261303562633034383233653438643764633231373761326334336561623832
37663763343933386165313665646234626263616136343366663834323739343934343833616336
38616636396438386539303637646134393865363235616465613665616439653730613039306265
36366433356362363537653838626133656430333132666635306137663134333139323565363531
33656433393031386537353766366638393433363031616632323962353933666232653563313830
38656565376630396235656533313731656666363762386339613534613236656533366161653866
61633965366135376264316264393964343035306330623739643338306362633838373434306335
34313636373930623663666362633736653363353461616639323261646235653266383837393036
34626466623666643465326465343833336338343964666537623431313639656136373339643834
6531336131373761336363393133626166376263663037666231
33336336363031356335646231313439663164663337323062393465653638346538613762323532
3130356238303530316134623963616261663162393061300a653332613538633462353265353965
63653131386233643635343732346336653164303236626666613963353963616634653939623135
3231653165646661300a326563353632613937663137323562663364623133306338346633643832
38613536373436643539623064386566653738316532666166333538656664623966376639363962
63636332636331633762326539653863313233633032663063633136356562353737383365316238
62633432363661613162616230313437306439376265623563343564343532366266616536346432
38376465626236316434613631336465626363663263613232313662336133396434336437656464
34323863643366326633613632636662353232323563616138356537613762666561393133383265
65313162396434396662613131333261643966313366326435373831393338656361643733343837
64316462393361336630623563386336323138653833636464623163343134393033303865326161
33323461333334616333336466636436383764303362396561333830626137333462333564316364
38393437666662346630663137643132626133383965353030663632636237663433383462326165
30376436643137333361383839306537613535653564306164643363643330613031363630633964
62396238396530306431633362343739633230383934373364303733366136633136363761303762
33373165323939343063633965623733363934363330353662623134653438303337636161343132
66393361363838323731303564653834316265333363303662376630333930346534363133363861
62396533666365303065333330363066343238386438636661633233363831343838316131353633
38643764386166656632313938386133366233366130626636323330326466376566613563383561
62383038336566356533643336393430353365623932376161393438653465653962383130363433
34393437343238383634323432633134353664386136633533383463616235326239383966633431
36363532623932326432366330343332376264666537333234333234616638653830363633313465
38343038666336353634633238356662666338646661646265306564633861333461336231313834
64663166356432376564633163303636643963323032393737383537323639616333373133626264
32303466316562666338356235376133653833623936373131373237393334393665306561366636
66623437663334326631353132303030663236393762336639313861663962353363653831373563
62386633306463306634633862326632313063393362353438623437376138363433623934666162
37373662393437363965623162303934333230343962626233366630396531326665383065386161
65663666356431366335633339366637303137353765656638316535613933343237656563663863
65313230616338653030343034663937666134653336383732393538396337326238343761323137
30626138666262666465393036363133356563653437376666376366613635306162653739396531
64613664626663626462343737626266636132313366393861313436383137313765623165333734
35333036633234303733373161626331363333393062613933623931356234363735663165386338
61333961666638326134396431393335633435666135383738376335623135663934356437623062
66323833353065653866613264663262653731373865656363666466303330356563356434343161
34363564363564393132326264626134383630653437626536623166363965306363653539336461
36366538383134376564376665336231663532656464393832346166653462306235666139633265
34663235353765316633333865313439663736323462653232633362633333663539613934346136
31363536303338633333393064366234643762396364356539363966623936663764353161383136
34383432386537646566653964313731623761316161663136386532663332333262313861613932
35356566303364326436306235323463623331613663383031343335323537346530653637663939
34613333323738303731636362323735346561343332376137616339386163346134646566353231
65656264626131306130663761663763336464306563313835633432333761623633666433613830
63356265343839396162363333646630346364643661303331663236306535306465626435326662
62313963663636363366356132616239323632623733656137316663303031356631323235353634
64613035346633313366633138353737303565303434363139616466636163323137346238623562
61333066633833303232333934373039623762323435333261633835356466303564666132656362
62613939323735343163376165653634333834353334663532383866313232663533643138663766
31353138356562386135366130373063306538633465323363313361316438366631366463323730
62393637353931653930303230626665303066646539663338363133613431306532623865343531
64366263653062643334336132336466383563636630323539373336343330616531323962326537
64306535623135396537363735633039636335623561343435613864656330376631613434613866
31393166633361633063323538623361653135306539346366383264336634353633626136663731
35383332373338333935376438346232326236613430306533316561333438383238306666346465
36356235373466303536346363393661393838336331313536383662353438333662366563353038
66383237613132613636356461653037373437336264626539333763643261326239313065336463
34323361613565663336343131613530616462633331653134613431393839303364363831303337
39393732646234383936316637343066633761636231326639663239306231303834306631393933
32323335666262666232363638306562353866353338646234353631323533316532383235336632
33643934343836366631336666643730656137626466666232396535356664313132383838363832
39613664643761653461326234643539643831616537363836656561303562633064613238383233
33616336666462333461343766383063353361313032643230636132343631613636666636666639
38386136656565653439323162363035623665623139326366326431343861393664636664363934
61353761326136346636393261663335383664646531616366363436306461313063646264356561
63393931313266633734616362376630616535396635343363326361653434353631303836326433
64313533646331336338353533643031316638386330626362313938623736316134633062393930
31306332623364393839313761353564313563326462313637663635663661396638373130363866
30326263383730356135663433623138663239363765363664636133653462653262393766363966
37303862363131646236333134366664653061343735303035383663383539353732313935313933
37323461343530306632626631373238333636303135653535626631343862663639306136323363
30343731356434333030303332636637363364643363666136353266383138613066353732326665
32366234373864663333323035306334613937656666396437646335383839663336633364613338
63306635663762373331646535373638343436376431646564666239633631376465623730353935
66383262623838376339373735396131303434616132373832633061616132393931643830633864
37663931613633656339383062336462383661363463323632396636633965373439383938626635
38336330383139653365653664383934663838306531373164626136613338343861353262663431
30653265333065663664646564376466303838373961626436396631356366363832613930346664
34643962363862643732653631333665366134343332313863316164323465383138386262336336
32343365386362346237656361386163323062376232346137336365363731396639346137343735
62633436643265636262376639383635336536353131666661326238653339626666383562323763
63373636636530306461633035616163643962633033363565323164343034633666346133343638
37613463333461373663336630313834316333366466336539333135356338343731636231663530
38623738636534333762376434336336326166373363643864316233343735386234616663636534
32393838623939343536346634633339613837373735353565313138333864383632383533396264
36363430356237636235316631313664336265633333313137373861666333663865393065393531
30386335613531353837363738366232313036343731343566306166646466353164336136393330
65323933613266363739363231663563656437396231316666303437633564613465313937383038
32643465346130323738336364356331663163323236333764653566306664623164626437363465
34333165343034633135336234633765336333623333643632353335656238393863623062623665
39393434643538373633653630353963346132663366656532303764333838336562663735613737
39363865353736663263303565336263643333613238336462313839323738373063393639303531
34633739366531326666633634366230363431303663383432323463643665316136643434343839
66313030623561366431353863633666636262336637636235326434366536393830343433336462
34666631343862346239346434666462613836343161663234646439643562316564666632316665
66376137313231376433333163396564343435303434326235626239336237653332316232343361
30666531393863616132323837333931323534633561626263333534646530623433613633383061
36393361613736393333633166346465363762336232303530393262666366303763303862383632
30336437313339643861663635623334323330653030396432623932613433343836626238373530
35353535366237663865333832356661613635353138356438386333323734386237626532343665
31373061616234633336386661323164663934336464316364343036633336376234656263346530
64333336383861396261316436636638653934643463666263346430366238663663383834313266
65396434313161333532323036336538653830303232343364656365353339623165346164393039
62356561366461643831656466316266616335646163303438353735393830636434386335623632
32623835613262653566306561333835316334613633613138643235343265376238343932363264
65666334633663366338306566346433626431656131393233393661396361366365333733303130
38353435396462636633336238373131386562333063386235366233633030663861316161653362
36306431663639663137313762396338323933663036343130633438326435383934633861343262
39623431326362643833353532336233653664643733323432326466666165373333313266626565
38656465623362323966333238336262323563353038666635666137303064663333363730633335
31306139323831366363346331383834646635316166393334326535323339363038353365353538
31356164656235373536323830333135333931373764636439363135316532613530333734613964
66393233383132623536643664643862336162396630383932383731626233643966636437393461
30356262393661623737653439633336656635323134613336626336343666363138303931323064
36366333393330333365663965646664333561646434306463333135653130646337623035393434
66636261346534653263356230633838633033373566623138626264656236336630373634636430
39633136666565343332663330323937393565643338663433656466323535613064326233626637
63393064363434393634333863363761643433326438336634306438376235393632643332346339
63306437336431613535356138336666613862343437306330393566346332666534646230313265
66663839333730636538343630363933353039343064316330666631646565386438613232383031
63393963333063343437383130356331356162616266383231383535313530393264323232623934
30363861373261303966613361336335356233306530343435313730393166383536323937373666
33613033633530393933333265306265626632663266383834666334336364623864333735343735
35316132636333323566666339333039653862666264353638336336356334393030663733306264
61613661613166366238646264343239393735653437383539343731373266386238323532643739
38643262343666656661356338623035343934383765313939363537393434623965623437363239
61653034656535313937316639663166386432623034383864356465623032353636643737326336
38376436343133643263336435636638356465396566623037633334643863643165663765383161
33653530643836343334643734346335653131366439336139646131396237323862323132616339
35383739633133643864646163616661633032666532663861393638343232323437363263663435
65626561303137353330646162326464666236653633346636333864333366323336613638393365
36396262306266396638613736626637633163343938366130363133303535613131383562393333
63643830666437663931633231336432303561326231366639376130303564663564363766343834
3934


@ -3,20 +3,13 @@
batman_ipv4: 10.90.32.11/19
batman_ipv6: fdef:f10f:1337:cafe::11/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:11::11/64
global_ipv6: 2a00:9d80:6000:0101::11/64
nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010
gateway_id: 11
site_code: ffrgb_cty
ntp_server: true
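Review bot: `mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"` here resolves to the same vault variable the gw12 host_vars section below references (and gw21/gw22 likewise share `vault_mesh_wg_privkey_uml`), so the two gateways of a site present one WireGuard identity and cannot be distinguished or revoked individually by their peers. Which side of the diff these lines sit on is not recoverable from this rendering; if they are retained, give each host its own key, `mesh_wg_privkey: "{{ vault_mesh_wg_privkey_gw11 }}"` with a per-host vault entry, or state in a comment that the shared key is intentional (e.g. for failover). The `global_ipv6` change between `2001:678:ddc:11::11/64` and `2a00:9d80:6000:0101::11/64` would also benefit from a comment naming which prefix is the current allocation, since nothing else in the file records it.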


@ -8,15 +8,8 @@ nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010
gateway_id: 12
site_code: ffrgb_cty
ntp_server: true


@ -3,20 +3,13 @@
batman_ipv4: 10.90.64.21/19
batman_ipv6: fdef:f20f:1337:cafe::21/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:21::21/64
global_ipv6: 2a00:9d80:6000:0102::21/64
nextnode4: 10.90.64.1
nextnode6: fdef:f20f:1337:cafe::1
mtu: 1312
fastd_port: 10020
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
gateway_id: 21
site_code: ffrgb_uml
ntp_server: true


@ -10,13 +10,6 @@ mtu: 1312
fastd_port: 10020
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
gateway_id: 22
site_code: ffrgb_uml
ntp_server: true


@ -3,22 +3,13 @@
batman_ipv4: 10.90.96.31/19
batman_ipv6: fdef:f30f:1337:cafe::31/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:31::31/64
global_ipv6: 2a00:9d80:6000:0103::31/64
nextnode4: 10.90.96.1
nextnode6: fdef:f30f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3120917
mesh_wg_port: 20030
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_tst }}"
fastd_port: 10030
gateway_id: 31
site_code: ffrgb_tst
nat_pool: 194.156.22.32-194.156.22.33
ntp_server: true


@ -1,3 +0,0 @@
---
acertmgr_mode: standalone


@ -1,31 +0,0 @@
---
grafana_rendering: True
# yanic needs this
site_code: ffrgb_cty
yanic_publisher: true
yanic_repondd_enable: false
yanic_respondd_interface: ens18
yanic_respondd_ip: true
yanic_nodes_prune_after: 60d
yanic_nodes_offline_after: 5m
yanic_meshviewer_enable: false
yanic_nodelist_enable: true
yanic_database_delete_after: 720d
yanic_dbc_repondd_enable: false
yanic_influxdb:
- enable: true
host: http://127.0.0.1:8086
database: ffrgb
username: "admin"
password: "{{ vault_yanic_influx_pw }}"

hosts

@ -2,10 +2,8 @@
gw11.regensburg.freifunk.net
gw21.regensburg.freifunk.net
gw31.regensburg.freifunk.net
ns1.regensburg.freifunk.net
resolver.regensburg.freifunk.net
stats.regensburg.freifunk.net
web.regensburg.freifunk.net
stats.ffrgb ansible_host=10.90.224.100
unms.ffrgb ansible_host=10.90.224.101
unifi.ffrgb ansible_host=10.90.224.102
tiles.ffrgb ansible_host=10.90.224.103


@ -1,4 +1,4 @@
#!/usr/bin/env python3
#!/usr/bin/env python
EXAMPLES = '''
# Generates a fastd key
@ -23,7 +23,7 @@ if __name__ == '__main__':
# create file with restrictive permissions
with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
# generate fastd secret
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode()
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
handle.write('secret "%s";\n' % secret)
changed = True
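Review bot: The shebang and the `secret = subprocess.check_output(...)` line have to agree on the interpreter: under Python 3 `check_output` returns `bytes`, so the variant without `.decode()` formats as `secret "b'...'";` and writes an unusable fastd secret, whereas under `#!/usr/bin/env python` (typically Python 2) there is no bytes/str distinction; which pairing is the new side cannot be read from this rendering, but `#!/usr/bin/env python3` together with `.strip().decode()` is the only combination that works on both interpreters. Independently, the context line `os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)` applies the 0600 mode only when it creates the file and does not truncate an existing one, so a pre-existing file would keep its current mode and any trailing bytes beyond the new write; `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` makes the create atomic and fails loudly instead, assuming the existence check implied by `changed = True` lives outside the hunk. The enclosing `if __name__ == '__main__':` block starts before the hunk.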


@ -1,7 +1,7 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format "keyword=value,...". A
// Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
@ -19,73 +19,50 @@
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "buster")
// ${distro_codename} Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// Software will be the latest available for the named release,
// but the Debian release itself will not be automatically upgraded.
"origin=Debian,codename=${distro_codename}-updates";
// "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
// "o=Debian,n=jessie";
// "o=Debian,n=jessie-updates";
// "o=Debian,n=jessie-proposed-updates";
// "o=Debian,n=jessie,l=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
"origin=Debian,codename=${distro_codename}";
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
// Python regular expressions, matching packages to exclude from upgrading
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux-
// "linux-";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::MinimalSteps "true";
// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
@ -93,29 +70,19 @@ Unattended-Upgrade::Package-Blacklist {
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
// Automatically reboot even if there are users currently logged in.
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
@ -125,40 +92,10 @@ Unattended-Upgrade::Automatic-Reboot "false";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
Acquire::http::Dl-Limit "200";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";


@ -8,7 +8,6 @@
name:
- apt-transport-https
- debian-goodies
- gnupg2
- lsof
- unattended-upgrades


@ -8,4 +8,4 @@
- { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
- { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
- { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 32768 }
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 8192 }



@ -1,39 +1,38 @@
---
- name: Install misc software
apt:
name:
- ca-certificates
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- zsh
- fail2ban
apt: name={{ item }}
with_items:
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- zsh
- fail2ban
- name: Install software on KVM VMs
apt:
name:
- acpid
- qemu-guest-agent
apt: name={{ item }}
with_items:
- acpid
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user
user: name=root shell=/bin/zsh
@ -52,8 +51,8 @@
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
regexp: '^.*auth\s+required\s+pam_wheel.so$'
line: 'auth required pam_wheel.so'
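Review bot: The `Prevent normal users from running su` task depends on `^.*auth\s+required\s+pam_wheel.so$` matching and uncommenting Debian's stock `# auth required pam_wheel.so` line, but nothing in the task says so; a stock line carrying extra options (`group=`, `trust`) would not match the `$`-anchored pattern and a second line would be appended at the end of /etc/pam.d/su. A comment above the task would make the mechanism and its effect explicit, e.g. `# Uncomments the pam_wheel line shipped in Debian's /etc/pam.d/su; without group= pam_wheel falls back to GID 0 (root) when no wheel group exists`, so an operator knows which group membership actually permits su. The task list continues past the end of the hunk.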
- name: Configure journald retention
lineinfile:


@ -2,5 +2,5 @@
dhcpd_interfaces: br-{{ site_code }}
dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
name_server: "{{ batman_ipv4 | ipaddr('address') }}"


@ -2,7 +2,7 @@
# option definitions common to all supported networks...
option domain-name "{{ site_domain }}";
option domain-name-servers {{ nextnode4 }}, {{ name_server }};
option domain-name-servers {{nextnode4}}, {{ name_server }};
local-address {{ batman_ipv4 | ipaddr('address') }};


@ -1,13 +1,7 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns
service: name={{ item }} state=restarted
with_items:
- pdns
- pdns-recursor
- name: Restart dnsdist
service: name=dnsdist state=restarted

roles/dns/tasks/main.yml Normal file

@ -0,0 +1,28 @@
---
- name: Install powerdns
apt: name={{ item }}
with_items:
- pdns-backend-bind
- pdns-recursor
- pdns-server
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
- name: Configure powerdns
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
tags: dns
notify: Restart powerdns
with_items:
- bind/ffrgb.zone
- bind/90.10.in-addr.arpa.zone
- bindbackend.conf
- pdns.conf
- recursor.conf
- name: Start the powerdns services
service: name={{ item }} state=started enabled=yes
with_items:
- pdns
- pdns-recursor
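Review bot: `Install powerdns` installs pdns-backend-bind, pdns-recursor and pdns-server one apt transaction at a time through `with_items`, and on Debian each daemon is started with its package default config as soon as it is installed, before `Configure powerdns` has rendered the templates; if both stock configs try to bind 127.0.0.1:53 the second daemon fails to start until the notified restart, which shows up as a flaky first run. Passing the list to the module (`apt: {name: [pdns-backend-bind, pdns-recursor, pdns-server]}`) makes it a single transaction, and a comment such as `# recursor owns :53; the authoritative server only answers the recursor's forward-zones on loopback` would document the intended split. The port split itself is inferred from the forward-zones entry in recursor.conf elsewhere in this compare; confirm it against pdns.conf.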


@ -12,6 +12,12 @@ launch=bind
# local-address=0.0.0.0
local-address=127.0.0.1
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
#
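Review bot: The added `local-ipv6=` leaves the value empty, which turns the IPv6 listener off rather than binding `::`, and the stanza does not say whether that is the intent; a comment like `# no IPv6 listener on purpose: only the local recursor talks to this server` (if that is the reason) keeps a later operator from "fixing" it. `local-ipv6` is also deprecated in later PowerDNS Authoritative 4.x releases, where v6 addresses are listed in `local-address` instead, so folding it in there now avoids a warning at the next upgrade. The file continues on both sides of the hunk.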


@ -16,15 +16,21 @@ config-dir=/etc/powerdns
# dnssec=process-no-validate
dnssec=off
#################################
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
#
# forward-zones=
forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1
local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}
#################################
# local-port port to listen on
#
local-port=5353
local-port=53
#################################
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
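Review bot: With `local-address` now also binding the batman IPv4/IPv6 addresses on port 53, the recursor is reachable from the whole mesh, and whether that is restricted depends on `allow-from`, which is outside this hunk; the recursor's built-in default allow-from covers loopback, RFC1918, link-local and ULA ranges only, so a global IPv6 mesh prefix would be refused while a 10/8 mesh is served. Either way the intended scope deserves a line next to `local-address`, e.g. `# Listens on the mesh addresses: allow-from must cover exactly the mesh prefixes`, so the resolver is neither closed to v6 clients by accident nor open to non-mesh sources. The old/new assignment of the paired `local-address` and `local-port` lines is inferred from the hunk counts, not from explicit markers.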


@ -1,4 +0,0 @@
---
- name: Restart powerdns
service: name=pdns state=restarted


@ -1,22 +0,0 @@
---
- name: Install powerdns
apt:
name:
- pdns-server
- pdns-backend-sqlite3
- sqlite3
- name: Configure powerdns
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
notify: Restart powerdns
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/powerdns.sqlite3
creates: /var/lib/powerdns/powerdns.sqlite3
- name: Start the powerdns services
service: name=pdns state=started enabled=yes


@ -1,35 +0,0 @@
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
# allow-axfr-ips=127.0.0.0/8,::1
allow-axfr-ips=127.0.0.1,::1,{{ dns_slaves | join(',') }}
#################################
# dname-processing If we should support DNAME records
#
# dname-processing=no
dname-processing=yes
#################################
# launch Which backends to launch and order to query them in
#
# launch=
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
#################################
# master Act as a master
#
# master=no
master=yes
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
only-notify=
# security-poll-suffix Domain name from which to query security update notifications
#
security-poll-suffix=


@ -1,10 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns
service: name=pdns-recursor state=restarted
- name: Restart dnsdist
service: name=dnsdist state=restarted


@ -1,4 +0,0 @@
---
dependencies:
- { role: acertmgr }


@ -1,35 +0,0 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-recursor
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Configure powerdns
template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
notify: Restart powerdns
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns-recursor


@ -1,15 +0,0 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'


@ -1,24 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')
addLocal('{{ ansible_default_ipv6.address }}')
setACL({'0.0.0.0/0', '::/0'})
addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')


@ -1,47 +0,0 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-backend-bind
- pdns-recursor
- pdns-server
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
- name: Configure powerdns
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
notify: Restart powerdns
with_items:
- bind/ffrgb.zone
- bind/90.10.in-addr.arpa.zone
- bindbackend.conf
- pdns.conf
- recursor.conf
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns
- pdns-recursor


@ -1,15 +0,0 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'


@ -1,20 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ batman_ipv4 | ipaddr('address') }}')
addLocal('{{ batman_ipv6 | ipaddr('address') }}')
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')


@ -1,54 +0,0 @@
# {{ ansible_managed }}
#################################
# allow-from If set, only allow these comma separated netmasks to recurse
#
#allow-from=127.0.0.0/8
#################################
# config-dir Location of configuration directory (recursor.conf)
#
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
#
# dnssec=process-no-validate
dnssec=off
#################################
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
#
# forward-zones=
forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1
#################################
# local-port port to listen on
#
local-port=5353
#################################
# quiet Suppress logging of questions and answers
#
quiet=yes
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns


@ -1,10 +1,17 @@
---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian buster stable'
filename: docker
- name: Install docker
apt:
name:
- docker.io
- python3-docker
- name: Enable docker
service: name=docker state=started enabled=yes
- docker-ce
- docker-ce-cli
- containerd.io
- python-docker
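Review bot: `Enable docker apt-key` imports the Docker signing key with `apt_key`, which places it in the global trusted keyring, so that key can then sign packages for every configured repository rather than only download.docker.com; the grafana tasks later in this compare (`Enable grafana apt-key` with `apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'`) have the same shape. Scope the trust instead by fetching the key into `/usr/share/keyrings/` with `get_url` and referencing it with `[signed-by=/usr/share/keyrings/docker.key]` in the `repo:` line, which is the pattern the other side of this compare uses for grafana. The repository line also hard-codes `buster`; `{{ ansible_distribution_release }}` keeps it from silently serving buster packages after the next Debian upgrade. Which lines form the new side is inferred from the hunk counts, not from explicit markers.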


@ -0,0 +1,4 @@
---
conntrack_max: 131072
fastd_instances: 3


@ -4,14 +4,12 @@
:INPUT ACCEPT [1:136]
:OUTPUT ACCEPT [2:472]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }}
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [1124:131621]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [1151:175226]
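Review bot: The chain policy lines `:INPUT ACCEPT [1124:131621]` and `:OUTPUT ACCEPT [1151:175226]` carry packet/byte counters pasted from a live `iptables-save`; `iptables-restore` ignores them unless run with `-c`, and they are noise next to the `[0:0]` used for POSTROUTING and FORWARD here and throughout the ip6tables template below, so zero them in the template. In the two INPUT rules `-m limit --limit 5/min` comes after `-j LOG --log-prefix ...`; iptables accepts that order, but putting all matches before the target is the conventional form and stops the rule from reading as if it ended at the log prefix (the ip6tables template has the same ordering). The `*nat` header of this template is above the hunk.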


@ -1,13 +1,9 @@
# {{ ansible_managed }}
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -m limit --limit 200/sec -j ACCEPT
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -j DROP
COMMIT


@ -1,5 +0,0 @@
---
conntrack_max: 131072
fastd_instances: 3
nat_pool: "{{ ansible_default_ipv4.address }}"


@ -11,6 +11,7 @@ interface "vpn-{{ site_code }}{{ item }}";
method "null";
method "salsa2012+umac";
method "xsalsa20-poly1305";
secure handshakes yes;
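Review bot: `method "null"` heads the method list, so an unauthenticated, unencrypted transport is offered to every peer of this instance and nothing in the file records why that is acceptable here; a one-line comment above the method list, e.g. `# null is offered deliberately for the mesh tunnel: peers are authenticated by the handshake, payload confidentiality is not a goal` (adjusted to the actual reasoning), would keep the next reader from treating it as an oversight. Which of the four visible lines this hunk adds cannot be told apart in this rendering, and the peer block continues outside the hunk.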

roles/git/tasks/main.yml Normal file

@ -0,0 +1,7 @@
---
- name: Install git
apt: name=git
- name: Install ca-certificates
apt: name=ca-certificates


@ -1,3 +0,0 @@
---
grafana_rendering: False


@ -1,38 +1,10 @@
---
- name: Retrieve Grafana Key and avoid apt_key
block:
- name: grafana |no apt key
ansible.builtin.get_url:
url: https://apt.grafana.com/gpg.key
dest: /usr/share/keyrings/grafana.key
- name: Enable grafana apt-key
apt_key: url='https://packages.grafana.com/gpg.key'
- name: Enable grafana repository
apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
- name: Install grafana
apt: name=grafana
- name: Install grafana rendering dependencies
apt:
name:
- libxdamage1
- libxext6
- libxi6
- libxtst6
- libnss3
- libnss3
- libcups2
- libxss1
- libxrandr2
- libasound2
- libatk1.0-0
- libatk-bridge2.0-0
- libpangocairo-1.0-0
- libpango-1.0-0
- libcairo2
- libatspi2.0-0
- libgtk3.0-cil
- libgdk3.0-cil
- libx11-xcb-dev
when: grafana_rendering


@ -1,23 +0,0 @@
---
- name: Import Influxdb GPG siging key with store
ansible.builtin.get_url:
url: "https://repos.influxdata.com/influxdata-archive_compat.key"
dest: /etc/apt/trusted.gpg.d/influxdb.key
checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
- name: Convert key
ansible.builtin.command:
argv:
- gpg
- --dearmor
- /etc/apt/trusted.gpg.d/influxdb.key
creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
- name: Enable InfluxDB repository
ansible.builtin.apt_repository:
repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
state: present
- name: Install influxdb
apt: name=influxdb


@ -1,9 +1,8 @@
[Unit]
Description=Network initialization
Description=ifupdown2 networking initialization
Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
DefaultDependencies=no
After=local-fs.target network-pre.target
Before=shutdown.target network.target network-online.target
Before=network.target shutdown.target network-online.target
Conflicts=shutdown.target
[Service]
@ -11,7 +10,6 @@ Type=oneshot
RemainAfterExit=yes
SyslogIdentifier=networking
TimeoutStopSec=30s
EnvironmentFile=/etc/default/networking
ExecStart=/usr/share/ifupdown2/sbin/start-networking start
ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
ExecReload=/usr/share/ifupdown2/sbin/start-networking reload


@ -1,13 +1,10 @@
---
- name: Install dependencies
apt:
name:
- bridge-utils
apt: name=python-pkg-resources
# work-around to get a version new enough not to screw up forwarding setting on all interfaces
- name: Install ifupdown2
apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb
apt: name=ifupdown2 state=latest
- name: Uninstall ifupdown
apt: name=ifupdown state=absent
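Review bot: `Install ifupdown2` uses `state=latest`, so every playbook run may upgrade the package that owns the host's network configuration, with no record of which version was actually validated; the comment above explains the motive (a version new enough to leave forwarding alone) but not a ceiling. Pin the validated version (`apt: name=ifupdown2=<VALIDATED_VERSION>`, placeholder to be filled in) or switch to `state=present` once the repository carries the needed release, and extend the comment with the minimum version required. Whether `bridge-utils` or `python-pkg-resources` is the dependency line on the new side is not recoverable from this rendering.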


@ -14,8 +14,6 @@ iface br-{{ site_code }}
{% if global_ipv6 is defined %}
address {{ global_ipv6 }}
{% endif %}
#
post-up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
# bat-{{ site_code }}
auto bat-{{ site_code }}
@ -23,14 +21,18 @@ iface bat-{{ site_code }}
hwaddress f2:00:90:00:{{ gateway_id }}:20
mtu 1500
#
batman-hop-penalty 5
batman-ifaces dmy-{{ site_code }}
batman-ifaces-ignore-regex .*_.*
batman-routing-algo {{ batman_algo }}
#
post-up /usr/sbin/batctl meshif bat-{{ site_code }} gw server
post-up /usr/sbin/batctl meshif bat-{{ site_code }} hp 5
post-up /usr/sbin/batctl meshif bat-{{ site_code }} it 5000
post-up /usr/sbin/batctl meshif bat-{{ site_code }} mff 1
# TODO use batman-xyz instead of batctl
# see /usr/share/ifupdown2/addons/batman_adv.py
#
up /usr/sbin/batctl -m bat-{{ site_code }} gw_mode server 100000 100000
up /usr/sbin/batctl -m bat-{{ site_code }} it 5000
up /usr/sbin/batctl -m bat-{{ site_code }} multicast_mode 0
up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}
up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
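Review bot: `up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}` runs once the interface is already up, but `batctl ra` only selects the routing algorithm for mesh interfaces created afterwards, so bat-{{ site_code }} most likely keeps the kernel default regardless of `batman_algo` unless it is in fact created by a later stanza. The algorithm has to be chosen before creation, which is what the ifupdown2 batman_adv addon's `batman-routing-algo` attribute named in the TODO does; until the addon is used, run the `batctl ra` as a `pre-up` ahead of whatever creates the interface and say so in the TODO. `-m` is the legacy spelling of `meshif` and works on buster, but is worth a mention in the same TODO. The stanza continues outside the hunk.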
# dmy-{{ site_code }}


@ -1 +0,0 @@
OK


@ -1,4 +0,0 @@
---
- name: Reload interfaces
command: /sbin/ifreload -a


@ -1,25 +0,0 @@
---
- name: Install wireguard
apt: name=wireguard-tools
- name: Create wireguard config directory
file:
path: /etc/wireguard
state: directory
mode: 0700
- name: Configure wireguard options
template: src=wg.conf.j2 dest=/etc/wireguard/wg-{{ site_code }}.conf mode=0600
notify: Reload interfaces
- name: Configure mesh interfaces
template: src=mesh_wg.conf.j2 dest=/etc/network/interfaces.d/mesh_wg.conf
notify: Reload interfaces
- name: Install wgskex
apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
- name: Install ping endpoint
copy: src=ping dest=/var/www/html/ping


@ -1,21 +0,0 @@
# {{ ansible_managed }}
# vx-{{ site_code }}
auto vx-{{ site_code }}
iface vx-{{ site_code }}
mtu 1350
vxlan-physdev wg-{{ site_code }}
pre-up ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
up ip link set vx-{{ site_code }} up
post-up batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
down ip link set vx-{{ site_code }} down
post-down ip -6 link del vx-{{ site_code }}
# wg-{{ site_code }}
auto wg-{{ site_code }}
iface wg-{{ site_code }}
address fe80::{{ gateway_id }}/128
ipv6-addrgen no
pre-up ip link add dev wg-{{ site_code }} type wireguard
pre-up wg setconf wg-{{ site_code }} /etc/wireguard/wg-{{ site_code }}.conf
post-up ip link set wg-{{ site_code }} mtu 1420


@ -1,3 +0,0 @@
[Interface]
PrivateKey = {{ mesh_wg_privkey }}
ListenPort = {{ mesh_wg_port }}


@ -2,4 +2,4 @@
netbox_group: netbox
netbox_user: netbox
netbox_version: 3.7.8
netbox_version: 2.8.7


@ -1,13 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart netbox
service: name=netbox state=restarted
- name: Restart netbox-rq
service: name=netbox-rq state=restarted


@ -15,7 +15,7 @@
- libssl-dev
- libxml2-dev
- libxslt1-dev
- python3-setuptools
- python-setuptools
- python3-dev
- python3-pip
- python3-venv
@ -25,120 +25,52 @@
apt:
name:
- postgresql
- python3-psycopg2
- python-psycopg2
- name: Configure PostgreSQL user
postgresql_user:
name: "{{ netbox_dbuser }}"
password: "{{ netbox_dbpass }}"
- name: Configure PostgreSQL database
postgresql_db: name={{ netbox_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL database
postgresql_db:
name: "{{ netbox_dbname }}"
owner: "{{ netbox_dbuser }}"
- name: Configure PostgreSQL user
postgresql_user: db={{ netbox_dbname }} name={{ netbox_dbuser }} password={{ netbox_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Install redis
apt: name=redis-server
# TODO configure redis?
- name: Unpack netbox
unarchive:
src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
dest: /opt
remote_src: yes
creates: "/opt/netbox-{{ netbox_version }}"
register: netbox_unarchive
unarchive: src=https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz dest=/opt remote_src=yes creates=/opt/netbox-{{ netbox_version }}
# TODO user/group/chown?
- name: Configure netbox
template:
src: configuration.py.j2
dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
notify: Restart netbox
template: src=configuration.py.j2 dest=/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py owner={{ netbox_user }} group={{ netbox_group }}
- name: Configure gunicorn
template:
src: gunicorn.py.j2
dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
- name: Netbox file permissions
file:
path: "/opt/netbox-{{ netbox_version }}"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
recurse: yes
- name: Run upgrade script
command:
cmd: ./upgrade.sh
chdir: "/opt/netbox-{{ netbox_version }}"
become: true
become_user: "{{ netbox_user }}"
when: netbox_unarchive.changed
- name: Install venv
pip: requirements=/opt/netbox-{{ netbox_version }}/requirements.txt virtualenv=/opt/netbox-{{ netbox_version }}/venv virtualenv_command="/usr/bin/python3 -m venv"
# TODO - still manual work
# * Create a super user
# * Migrate media files
- name: Install netbox housekeeping cronjob
template:
src: netbox-housekeeping.sh.j2
dest: /etc/cron.daily/netbox-housekeeping.sh
mode: 0755
# * Run Database Migrations
# * Create a Super User
# * Collect Static Files
# * Gunicorn Configuration
# * systemd Configuration
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
-days 730 -subj "/CN={{ netbox_domain }}"
creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt -days 730 -subj "/CN={{ netbox_domain }}" creates=/etc/nginx/ssl/{{ netbox_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ netbox_domain }}"
when: "'kitchen' in group_names"
- name: Configure certificate manager for netbox
template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
notify: Run acertmgr
#- name: Configure certificate manager for netbox
# template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
# notify: Run acertmgr
- name: Configure vhost
template:
src: vhost.j2
dest: /etc/nginx/sites-available/netbox
owner: root
mode: "0644"
template: src=vhost.j2 dest=/etc/nginx/sites-available/netbox
notify: Restart nginx
- name: Enable vhost
file:
src: /etc/nginx/sites-available/netbox
dest: /etc/nginx/sites-enabled/netbox
state: link
file: src=/etc/nginx/sites-available/netbox dest=/etc/nginx/sites-enabled/netbox state=link
notify: Restart nginx
- name: Install systemd units
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
with_items:
- netbox
- netbox-rq
notify:
- Reload systemd
- Restart netbox
- Restart netbox-rq
- name: Enable services
service: name={{ item }} state=started enabled=yes
with_items:
- netbox
- netbox-rq
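Review bot: `Configure netbox` renders configuration.py, which carries `SECRET_KEY` and the database password, with `owner`/`group` but no `mode`, so the file keeps whatever the connection's umask yields (commonly 0644) and every local account can read the secrets; append `mode=0640` to that template line. `Unpack netbox` fetches the release tarball straight into /opt with `remote_src=yes` and no integrity check, and `unarchive` cannot verify one; download it first with `get_url` using `checksum: "sha256:<CHECKSUM_FOR_NETBOX_VERSION>"` (placeholder, pinned per `netbox_version`), then unarchive the local file. The commented-out `Configure certificate manager` task leaves the self-signed bootstrap certificate in place indefinitely; if that is intentional, add it to the `# TODO - still manual work` list. The task list continues past the end of the hunk.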


@ -33,10 +33,8 @@ REDIS = {
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 0,
'DEFAULT_TIMEOUT': 300,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
},
'caching': {
'HOST': 'localhost',
@ -46,10 +44,8 @@ REDIS = {
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 1,
'DEFAULT_TIMEOUT': 300,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
}
}
@ -69,13 +65,32 @@ SECRET_KEY = '{{ netbox_secret }}'
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
# application errors (assuming correct email settings are provided).
ADMINS = [
# ('John Doe', 'jdoe@example.com'),
# ['John Doe', 'jdoe@example.com'],
]
# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
# URL schemes that are allowed within links in NetBox
ALLOWED_URL_SCHEMES = (
'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
)
# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
BANNER_TOP = ''
BANNER_BOTTOM = ''
# Text to include on the login page above the login form. HTML is allowed.
BANNER_LOGIN = ''
# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
# BASE_PATH = 'netbox/'
BASE_PATH = ''
# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
CACHE_TIMEOUT = 900
# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
CHANGELOG_RETENTION = 90
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
@ -104,6 +119,10 @@ EMAIL = {
'FROM_EMAIL': '',
}
# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
ENFORCE_GLOBAL_UNIQUE = False
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
EXEMPT_VIEW_PERMISSIONS = [
@ -126,18 +145,22 @@ INTERNAL_IPS = ('127.0.0.1', '::1')
# https://docs.djangoproject.com/en/stable/topics/logging/
LOGGING = {}
# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
# authenticated to NetBox indefinitely.
LOGIN_PERSISTENCE = False
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
# are permitted to access most data in NetBox but not make any changes.
# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
LOGIN_REQUIRED = True
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
# re-authenticate. (Default: 1209600 [14 days])
LOGIN_TIMEOUT = None
# Setting this to True will display a "maintenance mode" banner at the top of every page.
MAINTENANCE_MODE = False
# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
# all objects by specifying "?limit=0".
MAX_PAGE_SIZE = 1000
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
# the default value of this setting is derived from the installed location.
# MEDIA_ROOT = '/opt/netbox/netbox/media'
@ -155,6 +178,20 @@ LOGIN_TIMEOUT = None
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
METRICS_ENABLED = False
# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
NAPALM_USERNAME = ''
NAPALM_PASSWORD = ''
# NAPALM timeout (in seconds). (Default: 30)
NAPALM_TIMEOUT = 30
# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
# be provided as a dictionary.
NAPALM_ARGS = {}
# Determine how many objects to display per page within a list. (Default: 50)
PAGINATE_COUNT = 50
# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = []
@ -167,13 +204,24 @@ PLUGINS = []
# }
# }
# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
# prefer IPv4 instead.
PREFER_IPV4 = False
# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
# Remote authentication support
REMOTE_AUTH_ENABLED = False
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
REMOTE_AUTH_DEFAULT_PERMISSIONS = []
# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
RELEASE_CHECK_TIMEOUT = 24 * 3600
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
# version check or use the URL below to check for release in the official NetBox repository.
@ -184,16 +232,10 @@ RELEASE_CHECK_URL = None
# this setting is derived from the installed location.
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
# Maximum execution time for background tasks, in seconds.
RQ_DEFAULT_TIMEOUT = 300
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
# this setting is derived from the installed location.
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
# The name to use for the session cookie.
SESSION_COOKIE_NAME = 'sessionid'
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.

@ -1,16 +0,0 @@
# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
bind = '127.0.0.1:8001'
# Number of gunicorn workers to spawn. This should typically be 2n+1, where
# n is the number of CPU cores present.
workers = 5
# Number of threads per worker process
threads = 3
# Timeout (in seconds) for a request to complete
timeout = 120
# The maximum number of requests a worker can handle before being respawned
max_requests = 5000
max_requests_jitter = 500

@ -1,9 +0,0 @@
#!/bin/sh
# This shell script invokes NetBox's housekeeping management command, which
# intended to be run nightly. This script can be copied into your system's
# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
# within the cron configuration file.
#
# If NetBox has been installed into a nonstandard location, update the paths
# below.
/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping

@ -1,21 +0,0 @@
[Unit]
Description=NetBox Request Queue Worker
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target

@ -1,22 +0,0 @@
[Unit]
Description=NetBox WSGI Service
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
PIDFile=/var/tmp/netbox.pid
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target

@ -30,9 +30,9 @@ server {
location / {
client_max_body_size 32M;
proxy_pass http://localhost:8001;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8001;
}
}

@ -1,3 +0,0 @@
---
nginx_anonymize: False

@ -47,32 +47,7 @@ http {
# Logging Settings
##
{% if nginx_anonymize %}
map $remote_addr $ip_anonym1 {
default 0.0.0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
"~(?P<ip>[^:]+:[^:]+):" $ip;
}
map $remote_addr $ip_anonym2 {
default .0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
"~(?P<ip>[^:]+:[^:]+):" ::;
}
map $ip_anonym1$ip_anonym2 $ip_anonymized {
default 0.0.0.0;
"~(?P<ip>.*)" $ip;
}
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log anonymized;
{% else %}
access_log /var/log/nginx/access.log;
{% endif %}
error_log /var/log/nginx/error.log;
##
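Review bot: The new side logs unmasked client addresses through the bare `access_log /var/log/nginx/access.log;` line, where the removed configuration zeroed the last IPv4 octet and truncated IPv6 to its first two groups before writing. For a community network whose users are identifiable by address this is a data-minimization regression, and nothing in the hunk bounds how long those logs are kept. If the Jinja branch was dropped only to ship a static file, the masking does not need a template: keep the three `map` blocks, the `log_format anonymized` definition and `access_log /var/log/nginx/access.log anonymized;` unconditionally. If full addresses are wanted on purpose, say so next to the directive, e.g. `# full client IPs are logged; retention is governed by the nginx logrotate policy (check it)`.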

@ -30,7 +30,7 @@
- /etc/nginx/dhparam.pem
- name: Configure nginx
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
notify: Restart nginx
- name: Configure default vhost
@ -41,7 +41,7 @@
- name: Ensure network and dns are available before nginx
lineinfile:
dest: /lib/systemd/system/nginx.service
line: "After=network-online.target remote-fs.target nss-lookup.target"
line: "After=network-online.target nss-lookup.target"
regexp: "^After="
- name: Start nginx
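Review bot: The `lineinfile` task edits `After=` inside `/lib/systemd/system/nginx.service`, which is the package-owned unit and is silently reverted by the next nginx package upgrade; the edit also only takes effect after a daemon-reload, which nothing in this hunk triggers. A drop-in under `/etc/systemd/system/nginx.service.d/` survives upgrades and replaces the regex edit; the handler name below assumes the role has a daemon-reload handler like the `Reload systemd` one used elsewhere in this repository, so adjust it if not. The nginx.conf copy/template task just above also sets no `owner`/`mode`; `mode=0644` keeps the file's permissions independent of the controller's umask.
```yaml
- name: Create nginx unit drop-in directory
  file:
    path: /etc/systemd/system/nginx.service.d
    state: directory
    mode: '0755'

- name: Ensure network and dns are available before nginx
  copy:
    dest: /etc/systemd/system/nginx.service.d/override.conf
    mode: '0644'
    content: |
      [Unit]
      After=network-online.target nss-lookup.target
      Wants=network-online.target
  notify: Reload systemd
# … unchanged: Start nginx task …
```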

@ -1,4 +1,4 @@
---
node_exporter_version: 1.2.0
node_exporter_version: 1.0.1
node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz

@ -1 +1 @@
OPTIONS="--web.config=/etc/node_exporter/web-config.yml"
OPTIONS=""
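Review bot: With `OPTIONS=""` node_exporter falls back to its built-in listen address, which — unless the systemd unit, not shown here, overrides it — is port 9100 on every interface, and with the `--web.config` flag gone the metrics endpoint has neither TLS nor authentication. Host metrics (kernel version, mounts, interface names, process and socket counts) are useful reconnaissance on a gateway reachable from the mesh, so at minimum pin the listener to the address Prometheus actually scrapes over: `OPTIONS="--web.listen-address=127.0.0.1:9100"` for a local-only scrape, or the management/VPN address otherwise. Independently, confirm the host firewall drops 9100 from the mesh bridge and the internet; I cannot see any firewall role in this change.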

@ -9,27 +9,6 @@
- name: Configure node_exporter
copy: src=node_exporter dest=/etc/default/node_exporter
- name: Create configuration directory
file: path=/etc/node_exporter state=directory
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/node_exporter/{{ ansible_fqdn }}.key
-out /etc/node_exporter/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/node_exporter/{{ ansible_fqdn }}.crt
notify: Restart node_exporter
- name: Ensure correct certificate permissions
file: path=/etc/node_exporter/{{ ansible_fqdn }}.key owner=node_exporter mode=0400
notify: Restart node_exporter
- name: Configure node_exporter TLS
template: src=web-config.yml.j2 dest=/etc/node_exporter/web-config.yml
notify: Restart node_exporter
- name: Install systemd unit
template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
notify:
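Review bot: `Install systemd unit` templates the unit into `/lib/systemd/system/node_exporter.service`, the directory reserved for package-shipped units; for a binary this role installs by hand the unit belongs in `/etc/systemd/system/node_exporter.service`, which is also where drop-ins and `systemctl edit` expect to find locally managed services. The `Configure node_exporter` copy task above it sets no `owner`/`mode`, so the permissions of the defaults file depend on the controller's umask; `copy: src=node_exporter dest=/etc/default/node_exporter owner=root group=root mode=0644` makes them explicit. Note that on the new side nothing replaces the removed web-config, so the exporter now answers in cleartext without credentials — that decision deserves a comment on the `Configure node_exporter` task.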

@ -1,6 +0,0 @@
tls_server_config:
cert_file: /etc/node_exporter/{{ ansible_fqdn }}.crt
key_file: /etc/node_exporter/{{ ansible_fqdn }}.key
basic_auth_users:
prometheus: {{ prometheus_node_pass | password_hash('bcrypt', 'supersecret1salt1value') }}

@ -1,4 +1,10 @@
---
- name: Restart ntp
service: name=ntp state=restarted
- name: Restart ntpd
service: name=ntpd state=restarted
- name: Restart chrony
service: name=chrony state=restarted
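Review bot: The `Restart ntpd` handler restarts a service named `ntpd`, but the Debian `ntp` package installs `ntp.service`, so this handler would fail with an unknown-service error if anything ever notified it. As far as this change shows, `roles/ntp/tasks/ntp.yml` notifies `Restart ntp` and `chrony.yml` notifies `Restart chrony`, so `Restart ntpd` is dead code that only invites a typo in a future `notify:`. Drop the `Restart ntpd` pair, or if it was meant for a non-Debian target, gate it with a comment saying so.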

@ -0,0 +1,34 @@
---
# Use chronyd to lock time via PHC to hosts RTC
- name: Install chrony
apt:
name: chrony
state: latest
install_recommends: no
- name: Load kmod ptp_kvm at boot time
blockinfile:
path: /etc/modules-load.d/ptp_kvm.conf
create: yes
owner: root
mode: '0400'
block: |
# Load VirtIO PTP driver for chrony
ptp_kvm
register: load_ptp_kvm
when:
- ansible_virtualization_role == 'guest'
- ansible_virtualization_type == 'kvm'
- name: Load kmod ptp_kvm
modprobe:
name: ptp_kvm
state: present
when: not (load_ptp_kvm is skipped)
- name: Configure chronyd
template:
src: chrony.conf.j2
dest: /etc/chrony/chrony.conf
notify: Restart chrony
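Review bot: `state: latest` on the `Install chrony` task upgrades chrony on every run of the role, so an ordinary playbook run can pull a new daemon version onto a time server unplanned; `state: present` plus a deliberate upgrade path is the usual choice. Nothing in the file starts or enables `chrony` either, which works on Debian only because the package does so at install time; an explicit `service: name=chrony state=started enabled=yes` after `Configure chronyd` makes the role self-describing and repairs a host where the unit was stopped. The modules-load fragment is written with `mode: '0400'`, which is harmless for root-run systemd-modules-load but unusual for a config fragment, and the `Configure chronyd` template task sets no mode at all — `mode: '0644'` on both is the conventional choice.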

@ -1,11 +1,16 @@
---
# Select best time source
# * on kvm sync to hypervisor rtc within nanoseconds accuracy
# * on anything else use ntpd wich supports only milliseconds accuracy
- name: Install chrony
apt: name=chrony
- name: Setup chrony
include_tasks: chrony.yml
register: ntp_use_chrony
when:
- ansible_virtualization_role == 'guest'
- ansible_virtualization_type == 'kvm'
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony
- name: Start chrony
service: name=chrony state=started enabled=yes
- name: Setup ntpd
include_tasks: ntp.yml
when:
- ntp_use_chrony is skipped
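Review bot: `register: ntp_use_chrony` on an `include_tasks` task is not something Ansible documents as supported: when the include is skipped the skip result is registered, but when it actually runs the variable may never be set, and the `Setup ntpd` condition `ntp_use_chrony is skipped` then either fails on an undefined variable or installs ntpd on top of chrony on the KVM guests. I cannot confirm the exact behaviour from here, but the role should not depend on it. Repeat the fact check on the ntp include instead: `when: not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm')`. If the duplication bothers you, set it once with `set_fact: ntp_on_kvm: "{{ ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm' }}"` and gate both includes on `ntp_on_kvm` / `not ntp_on_kvm`.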

11
roles/ntp/tasks/ntp.yml Normal file
@ -0,0 +1,11 @@
---
- name: Install ntp
apt: name=ntp
- name: Configure ntp
template: src=ntp.conf.j2 dest=/etc/ntp.conf
notify: Restart ntp
- name: Start the ntp service
service: name=ntp state=started enabled=yes
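Review bot: `apt: name=ntp` is fine with the implicit `state=present`, but on Debian `ntp` and `chrony` both provide and conflict on `time-daemon`, so as far as I know running this task on a host that previously ran the chrony branch makes apt remove chrony (its files under `/etc/chrony` stay behind) without any log line or handler making that visible. If switching a host between the two branches is expected, make it explicit with a preceding `apt: name=chrony state=absent` or at least a comment stating that installing ntp removes chrony. The `Configure ntp` template task should also carry `mode=0644`, matching the package-shipped `/etc/ntp.conf`.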

@ -1,53 +1,27 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
# {{ ansible_managed }}
{% if not (load_ptp_kvm is skipped) %}
refclock PHC /dev/ptp0 poll 2
{% elif ntp_servers is defined %}
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% else %}
pool 2.debian.pool.ntp.org iburst
{% endif %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
{% if ntp_server is defined and ntp_server is true %}
allow 10.90.0.0/16
allow 2001:678:ddc::/48
{% endif -%}
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys
# This directive specify the file into which chronyd will store the rate
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Log files location.
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC
# Do not allow chronyc for security reasons
cmdport 0
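Review bot: On KVM guests the template makes `refclock PHC /dev/ptp0 poll 2` the only time source, because the `{% elif ntp_servers is defined %}` branch is never reached there; chrony then cannot cross-check the host clock, and a hypervisor with a wrong or stepped clock propagates straight into every guest and, where `ntp_server` is true, on to mesh clients through the `allow` lines. Keep the NTP servers as a sanity reference next to the refclock: close the PHC block with `{% endif %}`, make the server/pool block its own `{% if ntp_servers is defined %} … {% endif %}`, and mark the PHC `refclock PHC /dev/ptp0 poll 2 prefer` so it still wins when the sources agree. `/dev/ptp0` is also only the KVM clock when no other PTP-capable device (e.g. a NIC PHC) registered first; a comment stating that assumption, or a check of `/sys/class/ptp/ptp*/clock_name` for `KVM virtual PTP` in the task that loads the module, would make the dependency explicit. Finally, `load_ptp_kvm is skipped` assumes the template is only rendered after `chrony.yml` registered that variable — worth a one-line comment at the top of the file.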

@ -0,0 +1,17 @@
# {{ ansible_managed }}
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
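Review bot: The `restrict default … nopeer` lines also apply to the hosts configured via `peer {{ peer }}`: if I read ntpd's restrict semantics correctly, `nopeer` refuses unauthenticated symmetric-active packets from any address without a more specific `restrict`, so the inbound side of each peer association is dropped unless every peer gets its own line — emit `restrict {{ peer }} nomodify notrap` inside the peer loop (and the equivalent for each `server` entry). The file also has no `driftfile /var/lib/ntp/ntp.drift`, so ntpd starts from zero frequency after every restart instead of the value the Debian default config persists. `ntp_servers` is iterated without an `is defined` guard, unlike the chrony template, so rendering fails on a host without that variable rather than falling back to a pool.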

@ -6,7 +6,7 @@
- name: Install dependencies
apt:
name:
- python3-pip
- python-setuptools
- python3-setuptools
- virtualenv
@ -22,13 +22,6 @@
- Reload systemd
- Restart prometheus-pve-exporter
- name: Configure prometheus retention
lineinfile:
path: /etc/default/prometheus
regexp: '^ARGS=.*$'
line: 'ARGS="--storage.tsdb.retention.time=365d"'
notify: Restart prometheus
- name: Configure prometheus
template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml
notify: Restart prometheus
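Review bot: With the `Configure prometheus retention` task gone nothing sets `--storage.tsdb.retention.time`, so Prometheus falls back to its built-in default (15 days in current releases), which is a large reduction in how far back an incident can be investigated and should be either stated in the commit message or kept as a role variable, e.g. `line: 'ARGS="--storage.tsdb.retention.time={{ prometheus_retention | default(''365d'') }}"'`. Whichever side of the dependency hunk keeps `python-setuptools` (Python 2) next to `python3-setuptools` and `virtualenv`: on a Debian release without Python 2 that task fails, so drop it unless the pve-exporter venv is still built with Python 2.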

@ -27,29 +27,12 @@ rule_files:
scrape_configs:
{% if node_targets is defined %}
- job_name: node
scheme: https
basic_auth:
username: prometheus
password: {{ prometheus_node_pass }}
tls_config:
insecure_skip_verify: true
static_configs:
- targets:
{% for target in node_targets %}
- {{ target }}
{% endfor %}
{% endif %}
{% if dnsdist_targets is defined %}
- job_name: dnsdist
basic_auth:
username: prometheus
password: {{ prometheus_dnsdist_pass }}
static_configs:
- targets:
{% for target in dnsdist_targets %}
- {{ target }}
{% endfor %}
{% endif %}
{% if fastd_targets is defined %}
- job_name: fastd
static_configs:
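Review bot: The `node` and `dnsdist` jobs now scrape over plain HTTP with no credentials, so the metrics and whatever the exporters reveal about the hosts travel in cleartext and anyone who can reach the exporter ports reads them as well. If the TLS-plus-`insecure_skip_verify` setup was dropped as not worth its complexity, the cheap replacement is to reach the exporters only over an internal/VPN address and firewall the ports, and to record that decision in the template: `# exporters are scraped in cleartext; they must only be reachable via the management network`. If TLS comes back later, prefer `tls_config: { ca_file: /etc/prometheus/exporter-ca.crt }` with a role-issued CA over `insecure_skip_verify: true`, which encrypts but does not authenticate the target.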

@ -19,6 +19,6 @@ interface br-{{ site_code }} {
AdvRouterAddr on;
};
{% endif %}
RDNSS {{ batman_ipv6 | ipaddr('address') }} {
RDNSS {{ batman_ipv6 | ipaddr('address')}} {
};
};

@ -4,4 +4,4 @@ batman_interface: bat-{{ site_code }}
main_bridge: br-{{ site_code }}
respondd_announce_git_root: https://github.com/ffnord/mesh-announce/
respondd_announce_git_version: 4fd2e3e6eb15c2a52b7401c88a105ff483934689
respondd_announce_git_version: fc2d8d78d53d1908ad16b79b66f79557ccd9a83a

@ -1,4 +1,4 @@
---
dependencies:
- { role: go }
- { role: git }

@ -7,10 +7,6 @@
git: repo={{ respondd_announce_git_root }} dest=/opt/{{ site_code }}/respondd-announce/ version={{ respondd_announce_git_version }}
notify: Restart respondd
- name: Configure respondd
template: src=respondd.conf.j2 dest=/opt/{{ site_code }}/respondd.conf
notify: Restart respondd
- name: Install systemd unit
template: src=respondd.service.j2 dest=/lib/systemd/system/respondd.service
notify:

@ -1,20 +0,0 @@
# Default settings
[Defaults]
# Listen port, defaults to 1001
Port: 1001
# Default multicast listen addresses
MulticastLinkAddress: ff02::2:1001
MulticastSiteAddress: ff05::2:1001
# Default domain to use
DefaultDomain: {{ site_code }}
# Default domain type
DomainType: batadv
# A domain
[{{ site_code }}]
# Batman interface, mandatory
BatmanInterface: {{ batman_interface }}
# Other listen interfaces
Interfaces: {{ main_bridge }}
# IPv4 gateway option for ddhcpd
IPv4Gateway: {{ batman_ipv4 | ipaddr('address') }}

@ -5,7 +5,7 @@ Description=Respondd
After=network-online.target
[Service]
ExecStart=/opt/{{ site_code }}/respondd-announce/respondd.py -d /opt/{{ site_code }}/respondd-announce/providers -f /opt/{{ site_code }}/respondd.conf
ExecStart=/opt/{{ site_code }}/respondd-announce/respondd.py -d /opt/{{ site_code }}/respondd-announce/providers -i {{ main_bridge }} -b {{ batman_interface }} -m {{ batman_ipv4 | ipaddr('address') }}
Restart=always
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
WorkingDirectory=/opt/{{ site_code }}/respondd-announce
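Review bot: The unit still runs `respondd.py` as root with no sandboxing while it listens on the mesh bridge (`-i {{ main_bridge }}`) for unauthenticated requests from every client node; the NetBox units in this same change set `User=`, `Group=` and `PrivateTmp=true`, so this one stands out. I cannot tell from here which privileges respondd.py needs (reading batman state presumably requires CAP_NET_ADMIN via `batctl`), so a full `User=` switch needs testing, but the hardening directives below limit the blast radius of a bug in a Python script reachable from the mesh and can be added now; `ProtectSystem=strict` should be verified against whatever the providers write, if anything.
```ini
Restart=always
# … unchanged: Environment=PATH, WorkingDirectory …
# Hardening: respondd only needs to read network state and answer on the mesh.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
```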
