Update .drone.yml

Chrony uses PHC via VirtIO PTP on KVM to sync the virtial mashines time to
the hosts RTC within nanoseconds. Ntpd is still used for anything else
not virtualized on kvm.

.ansible-lint

@@ -1,4 +0,0 @@
-skip_list:
- - meta-no-info
- - package-latest
- - risky-file-permissions

.drone.yml

@@ -8,4 +8,4 @@ steps:
 - name: lint
   image: cytopia/ansible-lint:latest
   commands:
-  - ansible-lint
+  - ansible-lint -x305,403,701

.gitignore

@@ -2,4 +2,3 @@
 __pycache__
 site.retry
 *.pyc
-ff-ansible.code-workspace

README.md

@@ -3,11 +3,11 @@ Ansible Freifunk Regensburg
 
 ## Requirements
 
-The python packages netaddr and passlib are required on the host running ansible.
+The python package netaddr is required on the host running ansible.
 
 The vault password must be stored in `.vault_pass`.
 
-The *only* supported distributions to deploy roles on is debian buster.
+The *only* supported distributions to deploy roles on is debian stretch and buster (stretch may be too old for prometheus).
 
 
 ## Running Ansible

ansible.cfg

@@ -1,6 +1,5 @@
 [defaults]
 ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
-interpreter_python = auto
 inventory       = ./hosts
 library         = ./library
 nocows          = 1

group_vars/all/vars.yml

@@ -2,20 +2,6 @@
 
 acertmgr_mode: webdir
 
-dnsdist_targets:
-- gw11.regensburg.freifunk.net:8053
-- gw21.regensburg.freifunk.net:8053
-- gw31.regensburg.freifunk.net:8053
-- resolver.regensburg.freifunk.net:8053
-
-dns_slaves:
-- 195.201.117.207
-- 2a01:4f8:1c0c:7dda::1
-- 213.166.224.14
-- 2a02:958:0:1::e
-- 213.166.225.14
-- 2a02:958:0:1::1:e
-
 fastd_targets:
 - gw11.regensburg.freifunk.net:9281
 - gw21.regensburg.freifunk.net:9281
@@ -39,24 +25,21 @@ gre_matrix:
  - { id: 26, a: gw21, b: gw31 }
 # - { id: 33, a: gw22, b: gw31 }
 
-netbox_domain: netbox.regensburg.freifunk.net
+netbox_domain: netbox.ffrgb
 netbox_dbname: netbox
 netbox_dbuser: netbox
 netbox_dbpass: "{{ vault_netbox_dbpass }}"
 netbox_secret: "{{ vault_netbox_secret }}"
 
 node_targets:
-- ns1.regensburg.freifunk.net:9100
-- stats.regensburg.freifunk.net:9100
-- tiles.regensburg.freifunk.net:9100
 - gw11.regensburg.freifunk.net:9100
 - gw21.regensburg.freifunk.net:9100
 - gw31.regensburg.freifunk.net:9100
 - web.regensburg.freifunk.net:9100
-- resolver.regensburg.freifunk.net:9100
+- stats.ffrgb:9100
-- netbox.regensburg.freifunk.net:9100
 - unms.ffrgb:9100
 - unifi.ffrgb:9100
+- tiles.ffrgb:9100
 
 ntp_servers:
 - 0.de.pool.ntp.org
@@ -64,10 +47,6 @@ ntp_servers:
 - 2.de.pool.ntp.org
 - 3.de.pool.ntp.org
 
-prometheus_dnsdist_pass: "{{ vault_prometheus_dnsdist_pass }}"
-
-prometheus_node_pass: "{{ vault_prometheus_node_pass }}"
-
 prometheus_pve_user: prometheus@pve
 prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
 
@@ -75,17 +54,8 @@ pve_targets:
 - pve01.ffrgb
 - pve02.ffrgb
 
-searxng_domain: sx.regensburg.freifunk.net
-searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net
-
 site: ffrgb
 site_domain: regensburg.freifunk.net
 
-speedtest_domain: speed.regensburg.freifunk.net
-speedtest_domains: speed.ffrgb.net speed.regensburg.freifunk.net
-speedtest_secret: "{{ vault_speedtest_secret }}"
-
-tileserver_domain: tiles.regensburg.freifunk.net
-
 web_services:
-- { id: uisp, domain: uisp.regensburg.freifunk.net, domains: uisp.ffrgb.net uisp.regensburg.freifunk.net }
+- { id: tiles, domain: tiles.regensburg.freifunk.net }

group_vars/all/vault.yml

@@ -1,137 +1,134 @@
 $ANSIBLE_VAULT;1.1;AES256
-31633832313136353531623833383865383736333164376632363635333439613763643062663632
+33336336363031356335646231313439663164663337323062393465653638346538613762323532
-3736376165623664376436643138653435393239636333370a643363343061303436613238373237
+3130356238303530316134623963616261663162393061300a653332613538633462353265353965
-36653730376133363061333536626436363366393335303932663736316631633630323634353531
+63653131386233643635343732346336653164303236626666613963353963616634653939623135
-3734353134396561660a616339303762313430616234383138326438383432646564356662393536
+3231653165646661300a326563353632613937663137323562663364623133306338346633643832
-61376161343965656365646238393261356133326131613730343234336139366461333032396531
+38613536373436643539623064386566653738316532666166333538656664623966376639363962
-38653031363934623231336661363233393562383434323633353139336530383432383736353937
+63636332636331633762326539653863313233633032663063633136356562353737383365316238
-65633935373261653134653839353233643439616266613531373938393231643736333436353234
+62633432363661613162616230313437306439376265623563343564343532366266616536346432
-65646665626531323566326561353333666535666430613961666232646632303662343832643661
+38376465626236316434613631336465626363663263613232313662336133396434336437656464
-35373166323439623137383164663838393766326237336234326635383930323365326431343338
+34323863643366326633613632636662353232323563616138356537613762666561393133383265
-61343434363961633532656466653732626135306334303634383235643531396535326536636264
+65313162396434396662613131333261643966313366326435373831393338656361643733343837
-37343930623235363632623963346637363964666664636266373137363037383036633233643130
+64316462393361336630623563386336323138653833636464623163343134393033303865326161
-30323036653637656131623332613463303937323133653064623333396534336661306432323536
+33323461333334616333336466636436383764303362396561333830626137333462333564316364
-38373534303235323230306139663736663430633463663166393033613435616662336335643137
+38393437666662346630663137643132626133383965353030663632636237663433383462326165
-32366439333661313930636234346265306233393966623832613834623263356337356162396335
+30376436643137333361383839306537613535653564306164643363643330613031363630633964
-34353362613163323936613930666339303839393431303461363565623561363034306538396237
+62396238396530306431633362343739633230383934373364303733366136633136363761303762
-38326263303033376435623037653365636362653831623066653263623236613566623962313266
+33373165323939343063633965623733363934363330353662623134653438303337636161343132
-34336233343530366236313131323962666163383035633361333637343732356338626265613338
+66393361363838323731303564653834316265333363303662376630333930346534363133363861
-36643663336161663636343864623864323735613838373562376431643338346662393731373833
+62396533666365303065333330363066343238386438636661633233363831343838316131353633
-38313839393433626630363635323232373534303437656561316231653536306264386331333666
+38643764386166656632313938386133366233366130626636323330326466376566613563383561
-36323330626164363730643337623262303335333438303432373465343235303836366362383336
+62383038336566356533643336393430353365623932376161393438653465653962383130363433
-39666631363362383338616536666432373738336131653765353635373365623030393365636630
+34393437343238383634323432633134353664386136633533383463616235326239383966633431
-38303033306664356162316262346434343239646230663062643566336132613535393835366236
+36363532623932326432366330343332376264666537333234333234616638653830363633313465
-66306435653364323335623665316264646631383066373837653536316135316130393766356162
+38343038666336353634633238356662666338646661646265306564633861333461336231313834
-33326431643162383539323161626163316532373831386334643761636630616162666236613766
+64663166356432376564633163303636643963323032393737383537323639616333373133626264
-38633738333331616336363736396635306630363561613966656538633432363661313432373731
+32303466316562666338356235376133653833623936373131373237393334393665306561366636
-39303764303362336536396130613637653530376437333336613465643539396330623261356534
+66623437663334326631353132303030663236393762336639313861663962353363653831373563
-64633761643065313038656261326638343032353832376262653135663162353434323936353862
+62386633306463306634633862326632313063393362353438623437376138363433623934666162
-31663738353965303963353962626534303333303037336431373631396635363938326133336330
+37373662393437363965623162303934333230343962626233366630396531326665383065386161
-63353333616664663934636433653434626162323064653430666565613061623239613561643838
+65663666356431366335633339366637303137353765656638316535613933343237656563663863
-66356662303137383639336432633432636235306165306339623632316134306431376163616465
+65313230616338653030343034663937666134653336383732393538396337326238343761323137
-32636132656232303162333238393837383731633931363865356634643736326139313638333230
+30626138666262666465393036363133356563653437376666376366613635306162653739396531
-39316662306432333333333266333234646539646532316536383932666435366136346138626136
+64613664626663626462343737626266636132313366393861313436383137313765623165333734
-64373362366239633964616638363666656564323436636432663937666565653436613465366461
+35333036633234303733373161626331363333393062613933623931356234363735663165386338
-65376562303639363332636532386535386365656636346365333330386132383637636239653730
+61333961666638326134396431393335633435666135383738376335623135663934356437623062
-63333361303037393936653064336439653932373739336564333132303639343835376633666631
+66323833353065653866613264663262653731373865656363666466303330356563356434343161
-66613138343730636563626131623437343232303964626562633332303761626331383662373531
+34363564363564393132326264626134383630653437626536623166363965306363653539336461
-39663463656361303236666661356564373432333062303363313532333938633337363536343930
+36366538383134376564376665336231663532656464393832346166653462306235666139633265
-37376464393438613564653465353037313536626466643131336133336161316437316433663032
+34663235353765316633333865313439663736323462653232633362633333663539613934346136
-62633465613634373238383937643037346336336135353230386538353933616436646534366435
+31363536303338633333393064366234643762396364356539363966623936663764353161383136
-31323363666266373662626362663164653863326239303462363739383730643962333230343733
+34383432386537646566653964313731623761316161663136386532663332333262313861613932
-37393831383666393064626437323861353739363762346330666436356466316464393838366133
+35356566303364326436306235323463623331613663383031343335323537346530653637663939
-34653131653838643063396633346132336439393132353661373063623865643465306238326538
+34613333323738303731636362323735346561343332376137616339386163346134646566353231
-63313366386263623333636636376637383536353663643266653431626365666139393764663633
+65656264626131306130663761663763336464306563313835633432333761623633666433613830
-62366234376231393261646366383733633565303433353631343239313362646161663433653632
+63356265343839396162363333646630346364643661303331663236306535306465626435326662
-61303231616366386435666232353531306331613638633531613364663130643433336232633164
+62313963663636363366356132616239323632623733656137316663303031356631323235353634
-64373131303135316135376339353366313635653466663765323931616232333539333639623033
+64613035346633313366633138353737303565303434363139616466636163323137346238623562
-39626233316430303062336234623966376564386365613265363866666636626435306664336636
+61333066633833303232333934373039623762323435333261633835356466303564666132656362
-39346139316331306333666332393631306433623365303064383831643864336634303737633434
+62613939323735343163376165653634333834353334663532383866313232663533643138663766
-39303364633530343531373964353335333832636433313865303765393665633838316531343035
+31353138356562386135366130373063306538633465323363313361316438366631366463323730
-34666237353834613337353063666333353764666431376235393534613534363163333732373061
+62393637353931653930303230626665303066646539663338363133613431306532623865343531
-36663537363938373235326537326139366562656264393930653630383332383466333435386233
+64366263653062643334336132336466383563636630323539373336343330616531323962326537
-32613737303431333537326264343065306361653562633064393762643161313666663262313236
+64306535623135396537363735633039636335623561343435613864656330376631613434613866
-65386430306432653563623666646439376163383433653561333461383933383835373563396137
+31393166633361633063323538623361653135306539346366383264336634353633626136663731
-62383861393963313534616437663465333834663235356439363735633133623365383839613037
+35383332373338333935376438346232326236613430306533316561333438383238306666346465
-34303465363033313739373631363261313130616663336662346132653239313562386664353432
+36356235373466303536346363393661393838336331313536383662353438333662366563353038
-64373961663563393362303166633630343665663437373562613461343266646332313963653965
+66383237613132613636356461653037373437336264626539333763643261326239313065336463
-39363632313864343437333038623364323161376237386333616636303364373964343464643330
+34323361613565663336343131613530616462633331653134613431393839303364363831303337
-31613431313562353862306236623233636264653635643264333364336533623036356530343465
+39393732646234383936316637343066633761636231326639663239306231303834306631393933
-33366131333365393333373062623666663065316666363736633562363934336534313464353239
+32323335666262666232363638306562353866353338646234353631323533316532383235336632
-30666365303330363962653731626266376433666135333435313236386163653336386134633630
+33643934343836366631336666643730656137626466666232396535356664313132383838363832
-65336335346539666431643036636663643936326635636438636438646230353962646335396461
+39613664643761653461326234643539643831616537363836656561303562633064613238383233
-64623238343632346265376537323462316162633437633463656235626366666235653231303736
+33616336666462333461343766383063353361313032643230636132343631613636666636666639
-34316166363139336536396631663435386434396336346331663333353338353466346433393062
+38386136656565653439323162363035623665623139326366326431343861393664636664363934
-31343662316464356663356539303934633336613335373732353165366266303837303364616537
+61353761326136346636393261663335383664646531616366363436306461313063646264356561
-31356135313732633232343362663932656363633162623539323938643239383333306638346236
+63393931313266633734616362376630616535396635343363326361653434353631303836326433
-36666564323336346234313239656463626138313364656637353434303266613232353334666539
+64313533646331336338353533643031316638386330626362313938623736316134633062393930
-34666437356531393933656338373834303130663132303433376338643833643236333639663530
+31306332623364393839313761353564313563326462313637663635663661396638373130363866
-32653536643035303536353431623463353762393539363634636566396134353362633038333831
+30326263383730356135663433623138663239363765363664636133653462653262393766363966
-33633632666331666665373664633138323536633264653339663463326236343862656563323835
+37303862363131646236333134366664653061343735303035383663383539353732313935313933
-66633038346237356638646133626239336233633261626464626238636363666431646661366337
+37323461343530306632626631373238333636303135653535626631343862663639306136323363
-32396137303664363734666238346636653531666461306335343636303861653533356266643833
+30343731356434333030303332636637363364643363666136353266383138613066353732326665
-39633939666534663033336462336633636264336133633630366166356163306539613830636432
+32366234373864663333323035306334613937656666396437646335383839663336633364613338
-66326661646430366332363530333338373136656234613030616338383531313138666435313562
+63306635663762373331646535373638343436376431646564666239633631376465623730353935
-33346262353934636564613730396536333731653036303333343039393534643837663234346234
+66383262623838376339373735396131303434616132373832633061616132393931643830633864
-30303032623565316234343834303061303333346539636138343334663131646463363863663062
+37663931613633656339383062336462383661363463323632396636633965373439383938626635
-31343432383238623733346563323533636466346538616334646338366465356165613434623730
+38336330383139653365653664383934663838306531373164626136613338343861353262663431
-37323930623539353764643939643963353238646230396337633362363664613431303032656639
+30653265333065663664646564376466303838373961626436396631356366363832613930346664
-38613961633439613837636531653163383633373263343235303766613736616636613066316463
+34643962363862643732653631333665366134343332313863316164323465383138386262336336
-63346337383864363562373562643636343764626433383634643064313831373833356132393737
+32343365386362346237656361386163323062376232346137336365363731396639346137343735
-39356534623536373066663933356535356532636332343661333166663433666433363661343861
+62633436643265636262376639383635336536353131666661326238653339626666383562323763
-63393734656534363761313862613364616161303735323563656265323362313061343332346238
+63373636636530306461633035616163643962633033363565323164343034633666346133343638
-35353534663137653466396432353437333739363631373332316165663964653335363034636131
+37613463333461373663336630313834316333366466336539333135356338343731636231663530
-33363933333764306265306161336165306234616161313466393233363431363061633730653437
+38623738636534333762376434336336326166373363643864316233343735386234616663636534
-65313636366162303763663530386239343833626139643439306161623066313638323361353831
+32393838623939343536346634633339613837373735353565313138333864383632383533396264
-63323531353939356337613865663737373661343362353362326637666666383535633030626163
+36363430356237636235316631313664336265633333313137373861666333663865393065393531
-36386464326134333965623262356532353161316533626331623266623630383331313037376365
+30386335613531353837363738366232313036343731343566306166646466353164336136393330
-37353164306433633563386436653235616661366639343035306533643732326232366537633635
+65323933613266363739363231663563656437396231316666303437633564613465313937383038
-33306338386561353564643537353736663434663931343263333764633961666464373461346335
+32643465346130323738336364356331663163323236333764653566306664623164626437363465
-65323462313761653361343236326632393835613538616436666534363366626637376262326462
+34333165343034633135336234633765336333623333643632353335656238393863623062623665
-32366530383439646137383737303634613136396135633136316233326230323466383932616630
+39393434643538373633653630353963346132663366656532303764333838336562663735613737
-66316561333961346130306531623936376636646330373237623034633135303630353566333037
+39363865353736663263303565336263643333613238336462313839323738373063393639303531
-34656233316663656661623731633034643332336631356436653134366162396336643331623135
+34633739366531326666633634366230363431303663383432323463643665316136643434343839
-65646466633236393036383639623066663963653431343836626664383431363663653535383565
+66313030623561366431353863633666636262336637636235326434366536393830343433336462
-64333432343561623633316232623864386161376163333238623066636533353330336566313835
+34666631343862346239346434666462613836343161663234646439643562316564666632316665
-66653265346331393238343862353162383234303334626261643065656637386434636564663665
+66376137313231376433333163396564343435303434326235626239336237653332316232343361
-63616339663261616534376661393837343335373638366264323732353032363731376332653936
+30666531393863616132323837333931323534633561626263333534646530623433613633383061
-64393262346230636366336133616366646533373530356235316561643232333664343462386539
+36393361613736393333633166346465363762336232303530393262666366303763303862383632
-38396665626131646234613466396334346431316638333436633637353836313933656134383031
+30336437313339643861663635623334323330653030396432623932613433343836626238373530
-38633838323163383536323735626132323565643136663030643436303363333264373061663430
+35353535366237663865333832356661613635353138356438386333323734386237626532343665
-65613836313531636264633333346331343038373466653231613830383435386364636237303965
+31373061616234633336386661323164663934336464316364343036633336376234656263346530
-65663635633732663636333764623133373864356363313535333136613039313035663633386338
+64333336383861396261316436636638653934643463666263346430366238663663383834313266
-61343930323665616464643235396232393134373537616635663231343763346434626665393966
+65396434313161333532323036336538653830303232343364656365353339623165346164393039
-31613835666563333261373533316364346538393438636636633862353431333030623933663130
+62356561366461643831656466316266616335646163303438353735393830636434386335623632
-31626337303733373034666562363064373936656435636637356365386363346664306134376339
+32623835613262653566306561333835316334613633613138643235343265376238343932363264
-37383335646339636265656134383432396438383732303066396636373834373037663062336335
+65666334633663366338306566346433626431656131393233393661396361366365333733303130
-61346438636134333763346265653766396165626365633237373466346438363330633562353731
+38353435396462636633336238373131386562333063386235366233633030663861316161653362
-61313630373137303131326134613264356462333363643463643861666239623937636535336536
+36306431663639663137313762396338323933663036343130633438326435383934633861343262
-30313234623936316439643164316139386366336630616266653338383337653561656337343837
+39623431326362643833353532336233653664643733323432326466666165373333313266626565
-66613234363738306235316632316666376231306561653865353636373835646263393932316134
+38656465623362323966333238336262323563353038666635666137303064663333363730633335
-30313433613664306533386133376232323737633934396135626532323830346336353631383539
+31306139323831366363346331383834646635316166393334326535323339363038353365353538
-38666264343962646237313332396535643863393535303437346262613861646663303037333736
+31356164656235373536323830333135333931373764636439363135316532613530333734613964
-63326534313964613663376635306162653639623735633139326161323232653462343063383036
+66393233383132623536643664643862336162396630383932383731626233643966636437393461
-39616233613664626161663131383366663435626432626663623638646163666535316461383531
+30356262393661623737653439633336656635323134613336626336343666363138303931323064
-39663130646564373563323965386331353036366230343635363266323864623633663333656561
+36366333393330333365663965646664333561646434306463333135653130646337623035393434
-33353131623065623839396634653735396262656261323963363261643761373137616232666665
+66636261346534653263356230633838633033373566623138626264656236336630373634636430
-39643835383034383439393638363438633931323437613365643935383766333535643537633633
+39633136666565343332663330323937393565643338663433656466323535613064326233626637
-63633133303166326432613932396331356263626166343436386463376537656231656438313563
+63393064363434393634333863363761643433326438336634306438376235393632643332346339
-30653664383935383161303865363338393933363334653631616432643037626433356561636634
+63306437336431613535356138336666613862343437306330393566346332666534646230313265
-34316436383462386331393231633161383362666532363561326631613137656464306262313034
+66663839333730636538343630363933353039343064316330666631646565386438613232383031
-35636334623861323836326265396664373461313034343231316261616330313938333263666665
+63393963333063343437383130356331356162616266383231383535313530393264323232623934
-39616163346632623764666337313561626233636363343036363331663932616530346230653663
+30363861373261303966613361336335356233306530343435313730393166383536323937373666
-62373661306566373638383962356563323430613262326534663663383162396263306335613462
+33613033633530393933333265306265626632663266383834666334336364623864333735343735
-39326162663161663264626437353064306238646664376666336534326263313061393133373636
+35316132636333323566666339333039653862666264353638336336356334393030663733306264
-33346161376136636536393264363332633561373037326566313137366265383635376366343036
+61613661613166366238646264343239393735653437383539343731373266386238323532643739
-30613763633264303536396535303236353138393032336461666131356464343930656665326535
+38643262343666656661356338623035343934383765313939363537393434623965623437363239
-64393130376166383538353866323265303562326239626233636237626664346631646264386439
+61653034656535313937316639663166386432623034383864356465623032353636643737326336
-65383730333534656361366438316536613138303334343665396438336164663064373838323534
+38376436343133643263336435636638356465396566623037633334643863643165663765383161
-64626631363131663462303131333735633337653335623939383264363163633765326438313965
+33653530643836343334643734346335653131366439336139646131396237323862323132616339
-32623662383464316133623538616139623433336435316166346336663761343536393662393733
+35383739633133643864646163616661633032666532663861393638343232323437363263663435
-35333938383137383863653966363837366639303634616239643235653932643132323033373238
+65626561303137353330646162326464666236653633346636333864333366323336613638393365
-38323734353563383133333538316236393162636237313061363663303764343533626466373137
+36396262306266396638613736626637633163343938366130363133303535613131383562393333
-32656561383633633166386437653361313363666334636639353833323461663030313736613831
+63643830666437663931633231336432303561326231366639376130303564663564363766343834
-30613832306137323637653330306637323530613935333263373338346430393265333839636566
+3934
-39336662326637363038653734323230626234346433313830656264633732666430663265383031
-65313864386637303563636239646633393335616231613531633762326430633231343264363236
-32346662623562356432

host_vars/gw11.regensburg.freifunk.net

@@ -3,22 +3,13 @@
 batman_ipv4: 10.90.32.11/19
 batman_ipv6: fdef:f10f:1337:cafe::11/64
 batman_algo: BATMAN_IV
-global_ipv6: 2001:678:ddc:11::11/64
+global_ipv6: 2a00:9d80:6000:0101::11/64
 nextnode4: 10.90.32.1
 nextnode6: fdef:f10f:1337:cafe::1
 mtu: 1312
 
-vx_wg_vni: 3665730
-
-mesh_wg_port: 20010
-mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
-
 fastd_port: 10010
 
 gateway_id: 11
 
 site_code: ffrgb_cty
-
-nat_pool: 194.156.22.12-194.156.22.13
-
-ntp_server: true

host_vars/gw12.regensburg.freifunk.net

@@ -8,15 +8,8 @@ nextnode4: 10.90.32.1
 nextnode6: fdef:f10f:1337:cafe::1
 mtu: 1312
 
-vx_wg_vni: 3665730
-
-mesh_wg_port: 20010
-mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
-
 fastd_port: 10010
 
 gateway_id: 12
 
 site_code: ffrgb_cty
-
-ntp_server: true

host_vars/gw21.regensburg.freifunk.net

@@ -3,22 +3,13 @@
 batman_ipv4: 10.90.64.21/19
 batman_ipv6: fdef:f20f:1337:cafe::21/64
 batman_algo: BATMAN_IV
-global_ipv6: 2001:678:ddc:21::21/64
+global_ipv6: 2a00:9d80:6000:0102::21/64
 nextnode4: 10.90.64.1
 nextnode6: fdef:f20f:1337:cafe::1
 mtu: 1312
 
-vx_wg_vni: 11781694
-
-mesh_wg_port: 20020
-mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
-
 fastd_port: 10020
 
 gateway_id: 21
 
 site_code: ffrgb_uml
-
-nat_pool: 194.156.22.22-194.156.22.23
-
-ntp_server: true

host_vars/gw22.regensburg.freifunk.net

@@ -10,13 +10,6 @@ mtu: 1312
 
 fastd_port: 10020
 
-vx_wg_vni: 11781694
-
-mesh_wg_port: 20020
-mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
-
 gateway_id: 22
 
 site_code: ffrgb_uml
-
-ntp_server: true

host_vars/gw31.regensburg.freifunk.net

@@ -3,22 +3,13 @@
 batman_ipv4: 10.90.96.31/19
 batman_ipv6: fdef:f30f:1337:cafe::31/64
 batman_algo: BATMAN_IV
-global_ipv6: 2001:678:ddc:31::31/64
+global_ipv6: 2a00:9d80:6000:0103::31/64
 nextnode4: 10.90.96.1
 nextnode6: fdef:f30f:1337:cafe::1
 mtu: 1312
 
-vx_wg_vni: 3120917
-
-mesh_wg_port: 20030
-mesh_wg_privkey: "{{ vault_mesh_wg_privkey_tst }}"
-
 fastd_port: 10030
 
 gateway_id: 31
 
 site_code: ffrgb_tst
-
-nat_pool: 194.156.22.32-194.156.22.33
-
-ntp_server: true

host_vars/resolver.regensburg.freifunk.net

@@ -1,3 +0,0 @@
----
-
-acertmgr_mode: standalone

host_vars/stats.regensburg.freifunk.net

@@ -1,31 +0,0 @@
----
-
-grafana_rendering: True
-
-# yanic needs this
-site_code: ffrgb_cty
-
-yanic_publisher: true
-
-yanic_repondd_enable: false
-
-yanic_respondd_interface: ens18
-yanic_respondd_ip: true
-
-yanic_nodes_prune_after: 60d
-yanic_nodes_offline_after: 5m
-
-yanic_meshviewer_enable: false
-
-yanic_nodelist_enable: true
-
-yanic_database_delete_after: 720d
-
-yanic_dbc_repondd_enable: false
-
-yanic_influxdb:
-- enable: true
-  host: http://127.0.0.1:8086
-  database: ffrgb
-  username: "admin"
-  password: "{{ vault_yanic_influx_pw }}"

hosts

@@ -2,12 +2,9 @@
 gw11.regensburg.freifunk.net
 gw21.regensburg.freifunk.net
 gw31.regensburg.freifunk.net
-netbox.regensburg.freifunk.net
-ns1.regensburg.freifunk.net
-resolver.regensburg.freifunk.net
-stats.regensburg.freifunk.net
-sx.regensburg.freifunk.net
-tiles.regensburg.freifunk.net
 web.regensburg.freifunk.net
+stats.ffrgb ansible_host=10.90.224.100
 unms.ffrgb ansible_host=10.90.224.101
 unifi.ffrgb ansible_host=10.90.224.102
+tiles.ffrgb ansible_host=10.90.224.103
+netbox.ffrgb ansible_host=10.90.224.104

library/fastd_key

@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/env python
 
 EXAMPLES = '''
 # Generates a fastd key
@@ -23,7 +23,7 @@ if __name__ == '__main__':
     # create file with restrictive permissions
     with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
       # generate fastd secret
-      secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode()
+      secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
       handle.write('secret "%s";\n' % secret)
 
     changed = True

roles/apt/files/unattended-upgrades.conf

@@ -1,7 +1,7 @@
 // Unattended-Upgrade::Origins-Pattern controls which packages are
 // upgraded.
 //
-// Lines below have the format "keyword=value,...".  A
+// Lines below have the format format is "keyword=value,...".  A
 // package will be upgraded only if the values in its metadata match
 // all the supplied keywords in a line.  (In other words, omitted
 // keywords are wild cards.) The keywords originate from the Release
@@ -19,73 +19,50 @@
 // Within lines unattended-upgrades allows 2 macros whose values are
 // derived from /etc/debian_version:
 //   ${distro_id}            Installed origin.
-//   ${distro_codename}      Installed codename (eg, "buster")
+//   ${distro_codename}      Installed codename (eg, "jessie")
 Unattended-Upgrade::Origins-Pattern {
         // Codename based matching:
         // This will follow the migration of a release through different
         // archives (e.g. from testing to stable and later oldstable).
-        // Software will be the latest available for the named release,
+//      "o=Debian,n=jessie";
-        // but the Debian release itself will not be automatically upgraded.
+//      "o=Debian,n=jessie-updates";
-        "origin=Debian,codename=${distro_codename}-updates";
+//      "o=Debian,n=jessie-proposed-updates";
-//      "origin=Debian,codename=${distro_codename}-proposed-updates";
+//      "o=Debian,n=jessie,l=Debian-Security";
-        "origin=Debian,codename=${distro_codename},label=Debian";
-        "origin=Debian,codename=${distro_codename},label=Debian-Security";
-        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
 
         // Archive or Suite based matching:
         // Note that this will silently match a different release after
         // migration to the specified archive (e.g. testing becomes the
         // new stable).
-//      "o=Debian,a=stable";
+        "origin=Debian,codename=${distro_codename}";
-//      "o=Debian,a=stable-updates";
+        "origin=Debian,codename=${distro_codename}-updates";
-//      "o=Debian,a=proposed-updates";
+        "origin=Debian,codename=${distro_codename}-proposed-updates";
-//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
+        "origin=Debian,codename=${distro_codename},label=Debian-Security";
 };
 
-// Python regular expressions, matching packages to exclude from upgrading
+// List of packages to not update (regexp are supported)
 Unattended-Upgrade::Package-Blacklist {
-    // The following matches all packages starting with linux-
+//	"vim";
-//  "linux-";
+//	"libc6";
-
+//	"libc6-dev";
-    // Use $ to explicitely define the end of a package name. Without
+//	"libc6-i686";
-    // the $, "libc6" would match all of them.
-//  "libc6$";
-//  "libc6-dev$";
-//  "libc6-i686$";
-
-    // Special characters need escaping
-//  "libstdc\+\+6$";
-
-    // The following matches packages like xen-system-amd64, xen-utils-4.1,
-    // xenstore-utils and libxenstore3.0
-//  "(lib)?xen(store)?";
-
-    // For more information about Python regular expressions, see
-    // https://docs.python.org/3/howto/regex.html
 };
 
 // This option allows you to control if on a unclean dpkg exit
 // unattended-upgrades will automatically run 
 //   dpkg --force-confold --configure -a
 // The default is true, to ensure updates keep getting installed
-//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
 
 // Split the upgrade into the smallest possible chunks so that
-// they can be interrupted with SIGTERM. This makes the upgrade
+// they can be interrupted with SIGUSR1. This makes the upgrade
 // a bit slower but it has the benefit that shutdown while a upgrade
 // is running is possible (with a small delay)
-//Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::MinimalSteps "true";
 
-// Install all updates when the machine is shutting down
+// Install all unattended-upgrades when the machine is shuting down
-// instead of doing it in the background while the machine is running.
+// instead of doing it in the background while the machine is running
-// This will (obviously) make shutdown slower.
+// This will (obviously) make shutdown slower
-// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+Unattended-Upgrade::InstallOnShutdown "false";
-// This allows more time for unattended-upgrades to shut down gracefully
-// or even install a few packages in InstallOnShutdown mode, but is still a
-// big step back from the 30 minutes allowed for InstallOnShutdown previously.
-// Users enabling InstallOnShutdown mode are advised to increase
-// InhibitDelayMaxSec even further, possibly to 30 minutes.
-//Unattended-Upgrade::InstallOnShutdown "false";
 
 // Send email to this address for problems or packages upgrades
 // If empty or unset then no email is sent, make sure that you
@@ -93,20 +70,11 @@ Unattended-Upgrade::Package-Blacklist {
 // 'mailx' must be installed. E.g. "user@example.com"
 Unattended-Upgrade::Mail "root";
 
-// Set this value to one of:
+// Set this value to "true" to get emails only on errors. Default
-//    "always", "only-on-error" or "on-change"
+// is to always send a mail if Unattended-Upgrade::Mail is set
-// If this is not set, then any legacy MailOnlyOnError (boolean) value
+Unattended-Upgrade::MailOnlyOnError "true";
-// is used to chose between "only-on-error" and "on-change"
-Unattended-Upgrade::MailReport "only-on-error";
 
-// Remove unused automatically installed kernel-related packages
+// Do automatic removal of new unused dependencies after the upgrade
-// (kernel images, kernel headers and kernel version locked tools).
-Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
-
-// Do automatic removal of newly unused dependencies after the upgrade
-Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
-
-// Do automatic removal of unused packages after the upgrade
 // (equivalent to apt-get autoremove)
 Unattended-Upgrade::Remove-Unused-Dependencies "true";
 
@@ -114,8 +82,7 @@ Unattended-Upgrade::Remove-Unused-Dependencies "true";
 //  the file /var/run/reboot-required is found after the upgrade 
 Unattended-Upgrade::Automatic-Reboot "false";
 
-// Automatically reboot even if there are users currently logged in
+// Automatically reboot even if there are users currently logged in.
-// when Unattended-Upgrade::Automatic-Reboot is set to true
 //Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
 
 // If automatic reboot is enabled and needed, reboot at the specific
@@ -125,40 +92,10 @@ Unattended-Upgrade::Automatic-Reboot "false";
 
 // Use apt bandwidth limit feature, this example limits the download
 // speed to 70kb/sec
-//Acquire::http::Dl-Limit "70";
+Acquire::http::Dl-Limit "200";
 
 // Enable logging to syslog. Default is False
 // Unattended-Upgrade::SyslogEnable "false";
 
 // Specify syslog facility. Default is daemon
 // Unattended-Upgrade::SyslogFacility "daemon";
-
-// Download and install upgrades only on AC power
-// (i.e. skip or gracefully stop updates on battery)
-// Unattended-Upgrade::OnlyOnACPower "true";
-
-// Download and install upgrades only on non-metered connection
-// (i.e. skip or gracefully stop updates on a metered connection)
-// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
-
-// Verbose logging
-// Unattended-Upgrade::Verbose "false";
-
-// Print debugging information both in unattended-upgrades and
-// in unattended-upgrade-shutdown
-// Unattended-Upgrade::Debug "false";
-
-// Allow package downgrade if Pin-Priority exceeds 1000
-// Unattended-Upgrade::Allow-downgrade "false";
-
-// When APT fails to mark a package to be upgraded or installed try adjusting
-// candidates of related packages to help APT's resolver in finding a solution
-// where the package can be upgraded or installed.
-// This is a workaround until APT's resolver is fixed to always find a
-// solution if it exists. (See Debian bug #711128.)
-// The fallback is enabled by default, except on Debian's sid release because
-// uninstallable packages are frequent there.
-// Disabling the fallback speeds up unattended-upgrades when there are
-// uninstallable packages at the expense of rarely keeping back packages which
-// could be upgraded or installed.
-// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

roles/apt/tasks/main.yml

@@ -8,7 +8,6 @@
     name:
     - apt-transport-https
     - debian-goodies
-    - gnupg2
     - lsof
     - unattended-upgrades
 

roles/arp-cache/tasks/main.yml

@@ -8,4 +8,4 @@
   - { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
   - { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
   - { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
-  - { key: 'net.ipv6.neigh.default.gc_thresh3', value: 32768 }
+  - { key: 'net.ipv6.neigh.default.gc_thresh3', value: 8192 }

roles/common/handlers/main.yml

@@ -1,13 +1,7 @@
 ---
 
-- name: Restart chrony
-  service: name=chrony state=restarted
-
 - name: Restart journald
   service: name=systemd-journald state=restarted
 
-- name: update-grub
-  command: update-grub
-
 - name: update-initramfs
   command: update-initramfs -u -k all

roles/common/tasks/Debian.yml

@@ -1,79 +0,0 @@
----
-
-- name: Install misc software
-  apt:
-    name:
-    - ca-certificates
-    - dnsutils
-    - git
-    - htop
-    - less
-    - mtr-tiny
-    - net-tools
-    - openssl
-    - psmisc
-    - pydf
-    - rsync
-    - sudo
-    - vim-nox
-    - wget
-    - zsh
-    - fail2ban
-
-- name: Install software on KVM VMs
-  apt:
-    name:
-    - acpid
-    - qemu-guest-agent
-  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
-
-- name: Configure misc software
-  copy: src={{ item.src }} dest={{ item.dest }}
-  diff: no
-  with_items:
-  - { src: ".zshrc", dest: "/root/.zshrc" }
-  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
-  - { src: "motd", dest: "/etc/motd" }
-  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
-
-- name: Set shell for root user
-  user: name=root shell=/bin/zsh
-
-- name: Disable hibernation/resume
-  copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
-  notify: update-initramfs
-
-- name: Enable serial console on KVM VMs
-  lineinfile:
-    path: "/etc/default/grub"
-    state: "present"
-    regexp: "^#?GRUB_CMDLINE_LINUX=.*"
-    line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
-  notify: update-grub
-  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
-
-- name: Prevent normal users from running su
-  lineinfile:
-    path: /etc/pam.d/su
-    regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
-    line: "auth       required   pam_wheel.so"
-
-- name: Configure journald retention
-  lineinfile:
-    path: "/etc/systemd/journald.conf"
-    state: "present"
-    regexp: "^#?MaxRetentionSec=.*"
-    line: "MaxRetentionSec=7day"
-  notify: Restart journald
-
-- name: Set logrotate.conf to daily
-  replace:
-    path: "/etc/logrotate.conf"
-    regexp: "(?:weekly|monthly)"
-    replace: "daily"
-
-- name: Set logrotate.conf rotation to 7
-  replace:
-    path: "/etc/logrotate.conf"
-    regexp: "rotate [0-9]+"
-    replace: "rotate 7"

roles/common/tasks/Proxmox.yml

@@ -1,25 +0,0 @@
----
-
-- name: Install misc software
-  apt:
-    name:
-    - dnsutils
-    - htop
-    - ipmitool
-    - less
-    - rsync
-    - vim-nox
-    - wget
-    - zsh
-
-- name: Configure misc software
-  copy: src={{ item.src }} dest={{ item.dest }}
-  diff: no
-  with_items:
-  - { src: ".zshrc", dest: "/root/.zshrc" }
-  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
-  - { src: "motd", dest: "/etc/motd" }
-  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
-
-- name: Set shell for root user
-  user: name=root shell=/bin/zsh

roles/common/tasks/chrony.yml

@@ -1,11 +0,0 @@
----
-
-- name: Install chrony
-  apt: name=chrony
-
-- name: Configure chrony
-  template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
-  notify: Restart chrony
-
-- name: Start chrony
-  service: name=chrony state=started enabled=yes

roles/common/tasks/main.yml

@@ -1,21 +1,75 @@
 ---
 
-- name: Cleanup
+- name: Install misc software
-  apt: autoclean=yes
+  apt: name={{ item }}
-  when: ansible_os_family == "Debian"
+  with_items:
+  - dnsutils
+  - git
+  - htop
+  - less
+  - mtr-tiny
+  - net-tools
+  - openssl
+  - psmisc
+  - pydf
+  - rsync
+  - sudo
+  - vim-nox
+  - zsh
+  - fail2ban
 
-- name: Gather package facts
+- name: Install software on KVM VMs
-  package_facts:
+  apt: name={{ item }}
-    manager: apt
+  with_items:
-  when: ansible_os_family == "Debian"
+  - acpid
+  - qemu-guest-agent
+  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
 
-- name: Proxmox
+- name: Configure misc software
-  include: Proxmox.yml
+  copy: src={{ item.src }} dest={{ item.dest }}
-  when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
+  diff: no
+  with_items:
+  - { src: '.zshrc', dest: '/root/.zshrc' }
+  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
+  - { src: 'motd', dest: '/etc/motd' }
+  - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
 
-- name: Debian
+- name: Set shell for root user
-  include: Debian.yml
+  user: name=root shell=/bin/zsh
-  when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
 
-- name: Setup chrony
+- name: Disable hibernation/resume
-  include: chrony.yml
+  copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
+  notify: update-initramfs
+
+- name: use new-style network interface names
+  file: path=/etc/systemd/network/{{ item }} state=absent
+  with_items:
+  - 50-virtio-kernel-names.link
+  - 99-default.link
+  notify: update-initramfs
+
+- name: Prevent normal users from running su
+  lineinfile:
+    path: /etc/pam.d/su
+    regexp: '^.*auth\s+required\s+pam_wheel.so$'
+    line: 'auth       required   pam_wheel.so'
+
+- name: Configure journald retention
+  lineinfile:
+    path: "/etc/systemd/journald.conf"
+    state: "present"
+    regexp: "^#?MaxRetentionSec=.*"
+    line: "MaxRetentionSec=7day"
+  notify: Restart journald
+
+- name: Set logrotate.conf to daily
+  replace:
+    path: "/etc/logrotate.conf"
+    regexp: "(?:weekly|monthly)"
+    replace: "daily"
+
+- name: Set logrotate.conf rotation to 7
+  replace:
+    path: "/etc/logrotate.conf"
+    regexp: "rotate [0-9]+"
+    replace: "rotate 7"

roles/common/templates/chrony.conf.j2

@@ -1,53 +0,0 @@
-# Welcome to the chrony configuration file. See chrony.conf(5) for more
-# information about usable directives.
-
-# Include configuration files found in /etc/chrony/conf.d.
-confdir /etc/chrony/conf.d
-
-{% for srv in ntp_servers %}
-server {{ srv }} iburst
-{% endfor %}
-{% if ntp_peers is defined %}
-
-{% for peer in ntp_peers %}
-peer {{ peer }}
-{% endfor %}
-{% endif %}
-
-{% if ntp_server is defined and ntp_server is true %}
-allow 10.90.0.0/16
-allow 2001:678:ddc::/48
-{% endif -%}
-
-# This directive specify the location of the file containing ID/key pairs for
-# NTP authentication.
-keyfile /etc/chrony/chrony.keys
-
-# This directive specify the file into which chronyd will store the rate
-# information.
-driftfile /var/lib/chrony/chrony.drift
-
-# Save NTS keys and cookies.
-ntsdumpdir /var/lib/chrony
-
-# Uncomment the following line to turn logging on.
-#log tracking measurements statistics
-
-# Log files location.
-logdir /var/log/chrony
-
-# Stop bad estimates upsetting machine clock.
-maxupdateskew 100.0
-
-# This directive enables kernel synchronisation (every 11 minutes) of the
-# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
-rtcsync
-
-# Step the system clock instead of slewing it if the adjustment is larger than
-# one second, but only in the first three clock updates.
-makestep 1 3
-
-# Get TAI-UTC offset and leap seconds from the system tz database.
-# This directive must be commented out when using time sources serving
-# leap-smeared time.
-leapsectz right/UTC

roles/dhcpd/defaults/main.yml

@@ -2,5 +2,5 @@
 
 dhcpd_interfaces: br-{{ site_code }}
 dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
-dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
+dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
 name_server: "{{ batman_ipv4 | ipaddr('address') }}"

roles/dhcpd/templates/dhcpd.conf.j2

@@ -2,7 +2,7 @@
 
 # option definitions common to all supported networks...
 option domain-name "{{ site_domain }}";
-option domain-name-servers {{ nextnode4 }}, {{ name_server }};
+option domain-name-servers {{nextnode4}}, {{ name_server }};
 
 local-address {{ batman_ipv4 | ipaddr('address') }};
 

roles/dns/handlers/main.yml

@@ -1,13 +1,7 @@
 ---
 
-- name: Run acertmgr
-  command: /usr/bin/acertmgr
-
 - name: Restart powerdns
   service: name={{ item }} state=restarted
   with_items:
    - pdns
    - pdns-recursor
-
-- name: Restart dnsdist
-  service: name=dnsdist state=restarted

roles/dns/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Install powerdns
+  apt: name={{ item }}
+  with_items:
+  - pdns-backend-bind
+  - pdns-recursor
+  - pdns-server
+
+- name: Create zone directory
+  file: path=/etc/powerdns/bind/ state=directory
+
+- name: Configure powerdns
+  template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
+  tags: dns
+  notify: Restart powerdns
+  with_items:
+  - bind/ffrgb.zone
+  - bind/90.10.in-addr.arpa.zone
+  - bindbackend.conf
+  - pdns.conf
+  - recursor.conf
+
+- name: Start the powerdns services
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+  - pdns
+  - pdns-recursor

roles/dns/templates/pdns.conf.j2

@@ -12,6 +12,12 @@ launch=bind
 # local-address=0.0.0.0
 local-address=127.0.0.1
 
+#################################
+# local-ipv6    Local IP address to which we bind
+#
+# local-ipv6=::
+local-ipv6=
+
 #################################
 # local-port    The port on which we listen
 #

roles/dns/templates/recursor.conf.j2

@@ -25,17 +25,19 @@ forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
 #################################
 # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
 #
-local-address=127.0.0.1
+local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}
 
 #################################
 # local-port    port to listen on
 #
-local-port=5353
+local-port=53
 
 #################################
-# query-local-address   Source IP address for sending queries
+# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
 #
-query-local-address=::,0.0.0.0
+{% if global_ipv6 is defined %}
+query-local-address6={{ global_ipv6 | ipaddr('address') }}
+{% endif %}
 
 #################################
 # quiet Suppress logging of questions and answers

roles/dns_auth/handlers/main.yml

@@ -1,4 +0,0 @@
----
-
-- name: Restart powerdns
-  service: name=pdns state=restarted

roles/dns_auth/tasks/main.yml

@@ -1,22 +0,0 @@
----
-
-- name: Install powerdns
-  apt:
-    name:
-    - pdns-server
-    - pdns-backend-sqlite3
-    - sqlite3
-
-- name: Configure powerdns
-  template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
-  notify: Restart powerdns
-
-- name: Initialize database
-  command:
-    cmd: >
-      sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
-      /var/lib/powerdns/powerdns.sqlite3
-    creates: /var/lib/powerdns/powerdns.sqlite3
-
-- name: Start the powerdns services
-  service: name=pdns state=started enabled=yes

roles/dns_auth/templates/pdns.conf.j2

@@ -1,35 +0,0 @@
-#################################
-# allow-axfr-ips	Allow zonetransfers only to these subnets
-#
-# allow-axfr-ips=127.0.0.0/8,::1
-allow-axfr-ips=127.0.0.1,::1,{{ dns_slaves | join(',') }}
-
-#################################
-# dname-processing	If we should support DNAME records
-#
-# dname-processing=no
-dname-processing=yes
-
-#################################
-# launch	Which backends to launch and order to query them in
-#
-# launch=
-launch=gsqlite3
-
-gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
-
-#################################
-# master	Act as a master
-#
-# master=no
-master=yes
-
-#################################
-# only-notify	Only send AXFR NOTIFY to these IP addresses or netmasks
-#
-# only-notify=0.0.0.0/0,::/0
-only-notify=
-
-# security-poll-suffix  Domain name from which to query security update notifications
-#
-security-poll-suffix=

roles/dns_resolver/handlers/main.yml

@@ -1,10 +0,0 @@
----
-
-- name: Run acertmgr
-  command: /usr/bin/acertmgr
-
-- name: Restart powerdns
-  service: name=pdns-recursor state=restarted
-
-- name: Restart dnsdist
-  service: name=dnsdist state=restarted

roles/dns_resolver/meta/main.yml

@@ -1,4 +0,0 @@
----
-
-dependencies:
-- { role: acertmgr }

roles/dns_resolver/tasks/main.yml

@@ -1,35 +0,0 @@
----
-
-- name: Install powerdns
-  apt:
-    name:
-    - dnsdist
-    - pdns-recursor
-
-- name: Ensure certificates are available
-  command:
-    cmd: >
-      openssl req -x509 -nodes -newkey rsa:2048
-      -keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-      -out /etc/dnsdist/{{ ansible_fqdn }}.crt
-      -days 730 -subj "/CN={{ ansible_fqdn }}"
-    creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
-  notify: Restart dnsdist
-
-- name: Configure certificate manager
-  template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
-  notify: Run acertmgr
-
-- name: Configure powerdns
-  template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
-  notify: Restart powerdns
-
-- name: Configure dnsdist
-  template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
-  notify: Restart dnsdist
-
-- name: Start the dns services
-  service: name={{ item }} state=started enabled=yes
-  with_items:
-  - dnsdist
-  - pdns-recursor

roles/dns_resolver/templates/certs.j2

@@ -1,15 +0,0 @@
----
-
-{{ ansible_fqdn }}:
-- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
-  user: _dnsdist
-  group: _dnsdist
-  perm: '400'
-  format: crt,ca
-  action: '/usr/sbin/service dnsdist restart'
-- path: /etc/dnsdist/{{ ansible_fqdn }}.key
-  user: _dnsdist
-  group: _dnsdist
-  perm: '400'
-  format: key
-  action: '/usr/sbin/service dnsdist restart'

roles/dns_resolver/templates/dnsdist.conf.j2

@@ -1,24 +0,0 @@
--- {{ ansible_managed }}
-
-setLocal('127.0.0.1')
-addLocal('::1')
-addLocal('{{ ansible_default_ipv4.address }}')
-addLocal('{{ ansible_default_ipv6.address }}')
-
-setACL({'0.0.0.0/0', '::/0'})
-
-addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
-
-newServer({address='127.0.0.1:5353', name='localhost'})
-
-addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-
--- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
-addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-
--- HTTP Endpoint for Prometheus
-webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-
--- disable security status polling via DNS
-setSecurityPollSuffix('')

roles/dns_resolver/templates/recursor.conf.j2

@@ -1,53 +0,0 @@
-# {{ ansible_managed }}
-
-#################################
-# allow-from    If set, only allow these comma separated netmasks to recurse
-#
-#allow-from=127.0.0.0/8
-
-#################################
-# config-dir    Location of configuration directory (recursor.conf)
-#
-config-dir=/etc/powerdns
-
-#################################
-# dnssec        DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
-#
-# dnssec=process-no-validate
-dnssec=off
-
-#################################
-# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
-#
-local-address=127.0.0.1
-
-#################################
-# local-port    port to listen on
-#
-local-port=5353
-
-#################################
-# query-local-address   Source IP address for sending queries
-#
-query-local-address=::,0.0.0.0
-
-#################################
-# quiet Suppress logging of questions and answers
-#
-quiet=yes
-
-#################################
-# security-poll-suffix  Domain name from which to query security update notifications
-#
-# security-poll-suffix=secpoll.powerdns.com.
-security-poll-suffix=
-
-#################################
-# setgid        If set, change group id to this gid for more security
-#
-setgid=pdns
-
-#################################
-# setuid        If set, change user id to this uid for more security
-#
-setuid=pdns

roles/dns_split/tasks/main.yml

@@ -1,47 +0,0 @@
----
-
-- name: Install powerdns
-  apt:
-    name:
-    - dnsdist
-    - pdns-backend-bind
-    - pdns-recursor
-    - pdns-server
-
-- name: Ensure certificates are available
-  command:
-    cmd: >
-      openssl req -x509 -nodes -newkey rsa:2048
-      -keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-      -out /etc/dnsdist/{{ ansible_fqdn }}.crt
-      -days 730 -subj "/CN={{ ansible_fqdn }}"
-    creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
-  notify: Restart dnsdist
-
-- name: Configure certificate manager
-  template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
-  notify: Run acertmgr
-
-- name: Create zone directory
-  file: path=/etc/powerdns/bind/ state=directory
-
-- name: Configure powerdns
-  template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
-  notify: Restart powerdns
-  with_items:
-  - bind/ffrgb.zone
-  - bind/90.10.in-addr.arpa.zone
-  - bindbackend.conf
-  - pdns.conf
-  - recursor.conf
-
-- name: Configure dnsdist
-  template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
-  notify: Restart dnsdist
-
-- name: Start the dns services
-  service: name={{ item }} state=started enabled=yes
-  with_items:
-  - dnsdist
-  - pdns
-  - pdns-recursor

roles/dns_split/templates/certs.j2

@@ -1,15 +0,0 @@
----
-
-{{ ansible_fqdn }}:
-- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
-  user: _dnsdist
-  group: _dnsdist
-  perm: '400'
-  format: crt,ca
-  action: '/usr/sbin/service dnsdist restart'
-- path: /etc/dnsdist/{{ ansible_fqdn }}.key
-  user: _dnsdist
-  group: _dnsdist
-  perm: '400'
-  format: key
-  action: '/usr/sbin/service dnsdist restart'

roles/dns_split/templates/dnsdist.conf.j2

@@ -1,20 +0,0 @@
--- {{ ansible_managed }}
-
-setLocal('127.0.0.1')
-addLocal('::1')
-addLocal('{{ batman_ipv4 | ipaddr('address') }}')
-addLocal('{{ batman_ipv6 | ipaddr('address') }}')
-
-newServer({address='127.0.0.1:5353', name='localhost'})
-
-addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-
--- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
-addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-
--- HTTP Endpoint for Prometheus
-webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-
--- disable security status polling via DNS
-setSecurityPollSuffix('')

roles/docker/tasks/main.yml

@@ -1,10 +1,17 @@
 ---
 
+- name: Enable docker apt-key
+  apt_key: url='https://download.docker.com/linux/debian/gpg'
+
+- name: Enable docker repository
+  apt_repository:
+    repo: 'deb https://download.docker.com/linux/debian buster stable'
+    filename: docker
+
 - name: Install docker
   apt:
     name:
-    - docker.io
+    - docker-ce
-    - python3-docker
+    - docker-ce-cli
-
+    - containerd.io
-- name: Enable docker
+    - python-docker
-  service: name=docker state=started enabled=yes

roles/exit-ip/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+
+conntrack_max: 131072
+fastd_instances: 3

roles/exit-ip/templates/rules.v4.j2

@@ -4,14 +4,12 @@
 :INPUT ACCEPT [1:136]
 :OUTPUT ACCEPT [2:472]
 :POSTROUTING ACCEPT [0:0]
--A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }}
+-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
 COMMIT
 *filter
 :INPUT ACCEPT [1124:131621]
--A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
 -A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
--A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
--A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
 :FORWARD ACCEPT [0:0]
 -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 :OUTPUT ACCEPT [1151:175226]

roles/exit-ip/templates/rules.v6.j2

@@ -1,13 +1,9 @@
 # {{ ansible_managed }}
 *filter
 :INPUT ACCEPT [0:0]
--A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
 -A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
--A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
--A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
 :FORWARD ACCEPT [0:0]
 -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 :OUTPUT ACCEPT [0:0]
--A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -m limit --limit 200/sec -j ACCEPT
--A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -j DROP
 COMMIT

roles/exit_ip/defaults/main.yml

@@ -1,5 +0,0 @@
----
-
-conntrack_max: 131072
-fastd_instances: 3
-nat_pool: "{{ ansible_default_ipv4.address }}"

roles/fastd/templates/fastd.conf.j2

@@ -11,6 +11,7 @@ interface "vpn-{{ site_code }}{{ item }}";
 
 method "null";
 method "salsa2012+umac";
+method "xsalsa20-poly1305";
 
 secure handshakes yes;
 

roles/git/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Install git
+  apt: name=git
+
+- name: Install ca-certificates
+  apt: name=ca-certificates

roles/grafana/defaults/main.yml

@@ -1,3 +0,0 @@
----
-
-grafana_rendering: False

roles/grafana/tasks/main.yml

@@ -1,38 +1,10 @@
 ---
 
-- name: Retrieve Grafana Key and avoid apt_key
+- name: Enable grafana apt-key
-  block:
+  apt_key: url='https://packages.grafana.com/gpg.key'
-    - name: grafana |no apt key
-      ansible.builtin.get_url:
-        url: https://apt.grafana.com/gpg.key
-        dest: /usr/share/keyrings/grafana.key
 
 - name: Enable grafana repository
-  apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
+  apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
 
 - name: Install grafana
   apt: name=grafana
-
-- name: Install grafana rendering dependencies
-  apt:
-    name:
-    - libxdamage1
-    - libxext6
-    - libxi6
-    - libxtst6
-    - libnss3
-    - libnss3
-    - libcups2
-    - libxss1
-    - libxrandr2
-    - libasound2
-    - libatk1.0-0
-    - libatk-bridge2.0-0
-    - libpangocairo-1.0-0
-    - libpango-1.0-0
-    - libcairo2
-    - libatspi2.0-0
-    - libgtk3.0-cil
-    - libgdk3.0-cil
-    - libx11-xcb-dev
-  when: grafana_rendering

roles/influxdb/tasks/main.yml

@@ -1,23 +0,0 @@
----
-
-- name: Import Influxdb GPG siging key with store
-  ansible.builtin.get_url:
-    url: "https://repos.influxdata.com/influxdata-archive_compat.key"
-    dest: /etc/apt/trusted.gpg.d/influxdb.key
-    checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
-
-- name: Convert key
-  ansible.builtin.command:
-    argv:
-      - gpg
-      - --dearmor
-      - /etc/apt/trusted.gpg.d/influxdb.key
-    creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
-
-- name: Enable InfluxDB repository
-  ansible.builtin.apt_repository:
-    repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
-    state: present
-
-- name: Install influxdb
-  apt: name=influxdb

roles/mesh-interfaces/files/networking.service

@@ -1,9 +1,8 @@
 [Unit]
-Description=Network initialization
+Description=ifupdown2 networking initialization
 Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
 DefaultDependencies=no
-After=local-fs.target network-pre.target
+Before=network.target shutdown.target network-online.target
-Before=shutdown.target network.target network-online.target
 Conflicts=shutdown.target
 
 [Service]
@@ -11,7 +10,6 @@ Type=oneshot
 RemainAfterExit=yes
 SyslogIdentifier=networking
 TimeoutStopSec=30s
-EnvironmentFile=/etc/default/networking
 ExecStart=/usr/share/ifupdown2/sbin/start-networking start
 ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
 ExecReload=/usr/share/ifupdown2/sbin/start-networking reload

roles/mesh-interfaces/tasks/main.yml

@@ -1,13 +1,10 @@
 ---
 
 - name: Install dependencies
-  apt:
+  apt: name=python-pkg-resources
-    name:
-    - bridge-utils
 
-# work-around to get a version new enough not to screw up forwarding setting on all interfaces
 - name: Install ifupdown2
-  apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb
+  apt: name=ifupdown2 state=latest
 
 - name: Uninstall ifupdown
   apt: name=ifupdown state=absent

roles/mesh-interfaces/templates/mesh.conf.j2

@@ -14,8 +14,6 @@ iface br-{{ site_code }}
 {% if global_ipv6 is defined %}
 	address		{{ global_ipv6 }}
 {% endif %}
-	#
-	post-up		echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
 
 # bat-{{ site_code }}
 auto bat-{{ site_code }}
@@ -23,14 +21,18 @@ iface bat-{{ site_code }}
 	hwaddress	f2:00:90:00:{{ gateway_id }}:20
 	mtu		1500
 	#
+	batman-hop-penalty	5
 	batman-ifaces		dmy-{{ site_code }}
 	batman-ifaces-ignore-regex	.*_.*
-	batman-routing-algo	{{ batman_algo }}
 	#
-	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} gw server
+	# TODO use batman-xyz instead of batctl
-	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} hp 5
+	# see /usr/share/ifupdown2/addons/batman_adv.py
-	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} it 5000
+	#
-	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} mff 1
+	up /usr/sbin/batctl -m bat-{{ site_code }} gw_mode server 100000 100000
+	up /usr/sbin/batctl -m bat-{{ site_code }} it 5000
+	up /usr/sbin/batctl -m bat-{{ site_code }} multicast_mode 0
+	up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}
+	up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
 
 
 # dmy-{{ site_code }}

roles/mesh_wg/files/ping

@@ -1 +0,0 @@
-OK

roles/mesh_wg/handlers/main.yml

@@ -1,4 +0,0 @@
----
-
-- name: Reload interfaces
-  command: /sbin/ifreload -a

roles/mesh_wg/tasks/main.yml

@@ -1,25 +0,0 @@
----
-
-- name: Install wireguard
-  apt: name=wireguard-tools
-
-- name: Create wireguard config directory
-  file:
-    path: /etc/wireguard
-    state: directory
-    mode: 0700
-
-- name: Configure wireguard options
-  template: src=wg.conf.j2 dest=/etc/wireguard/wg-{{ site_code }}.conf mode=0600
-  notify: Reload interfaces
-
-- name: Configure mesh interfaces
-  template: src=mesh_wg.conf.j2 dest=/etc/network/interfaces.d/mesh_wg.conf
-  notify: Reload interfaces
-
-- name: Install wgskex
-  apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
-
-
-- name: Install ping endpoint
-  copy: src=ping dest=/var/www/html/ping

roles/mesh_wg/templates/mesh_wg.conf.j2

@@ -1,21 +0,0 @@
-# {{ ansible_managed }}
-
-# vx-{{ site_code }}
-auto vx-{{ site_code }}
-iface vx-{{ site_code }}
-	mtu		1350
-	vxlan-physdev	wg-{{ site_code }}
-	pre-up		ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
-	up		ip link set vx-{{ site_code }} up
-	post-up		batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
-	down		ip link set vx-{{ site_code }} down
-	post-down	ip -6 link del vx-{{ site_code }}
-
-# wg-{{ site_code }}
-auto wg-{{ site_code }}
-iface wg-{{ site_code }}
-	address		fe80::{{ gateway_id }}/128
-	ipv6-addrgen	no
-	pre-up		ip link add dev wg-{{ site_code }} type wireguard
-	pre-up		wg setconf wg-{{ site_code }} /etc/wireguard/wg-{{ site_code }}.conf
-	post-up		ip link set wg-{{ site_code }} mtu 1420

roles/mesh_wg/templates/wg.conf.j2

@@ -1,3 +0,0 @@
-[Interface]
-PrivateKey = {{ mesh_wg_privkey }}
-ListenPort = {{ mesh_wg_port }}

roles/netbox/defaults/main.yml

@@ -2,4 +2,4 @@
 
 netbox_group: netbox
 netbox_user: netbox
-netbox_version: 4.1.8
+netbox_version: 2.8.7

roles/netbox/handlers/main.yml

@@ -1,13 +0,0 @@
----
-
-- name: Run acertmgr
-  command: /usr/bin/acertmgr
-
-- name: Reload systemd
-  systemd: daemon_reload=yes
-
-- name: Restart netbox
-  service: name=netbox state=restarted
-
-- name: Restart netbox-rq
-  service: name=netbox-rq state=restarted

roles/netbox/tasks/main.yml

@@ -15,7 +15,7 @@
     - libssl-dev
     - libxml2-dev
     - libxslt1-dev
-    - python3-setuptools
+    - python-setuptools
     - python3-dev
     - python3-pip
     - python3-venv
@@ -25,128 +25,52 @@
   apt:
     name:
     - postgresql
-    - python3-psycopg2
+    - python-psycopg2
 
-- name: Configure PostgreSQL user
+- name: Configure PostgreSQL database
-  postgresql_user:
+  postgresql_db: name={{ netbox_dbname }}
-    name: "{{ netbox_dbuser }}"
-    password: "{{ netbox_dbpass }}"
   become: true
   become_user: postgres
 
-- name: Configure PostgreSQL database
+- name: Configure PostgreSQL user
-  postgresql_db:
+  postgresql_user: db={{ netbox_dbname }} name={{ netbox_dbuser }} password={{ netbox_dbpass }} priv=ALL state=present
-    name: "{{ netbox_dbname }}"
-    owner: "{{ netbox_dbuser }}"
   become: true
   become_user: postgres
 
 - name: Install redis
   apt: name=redis-server
 
+# TODO configure redis?
+
 - name: Unpack netbox
-  unarchive:
+  unarchive: src=https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz dest=/opt remote_src=yes creates=/opt/netbox-{{ netbox_version }}
-    src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
+  # TODO user/group/chown?
-    dest: /opt
-    remote_src: yes
-    creates: "/opt/netbox-{{ netbox_version }}"
-  register: netbox_unarchive
 
 - name: Configure netbox
-  template:
+  template: src=configuration.py.j2 dest=/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py owner={{ netbox_user }} group={{ netbox_group }}
-    src: configuration.py.j2
-    dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
-    owner: "{{ netbox_user }}"
-    group: "{{ netbox_group }}"
-  notify: Restart netbox
 
-- name: Configure gunicorn
+- name: Install venv
-  template:
+  pip: requirements=/opt/netbox-{{ netbox_version }}/requirements.txt virtualenv=/opt/netbox-{{ netbox_version }}/venv virtualenv_command="/usr/bin/python3 -m venv"
-    src: gunicorn.py.j2
-    dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
-    owner: "{{ netbox_user }}"
-    group: "{{ netbox_group }}"
-
-- name: Netbox file permissions
-  file:
-    path: "/opt/netbox-{{ netbox_version }}"
-    owner: "{{ netbox_user }}"
-    group: "{{ netbox_group }}"
-    recurse: yes
-
-- name: Fix psycopg variant
-  lineinfile:
-    path: "/opt/netbox-{{ netbox_version }}/requirements.txt"
-    regexp: '^psycopg\[.*,pool\]==(.*)$'
-    line: 'psycopg[binary,pool]==\1'
-    backrefs: yes
-  register: netbox_psycopg_fix
-
-- name: Run upgrade script
-  command:
-    cmd: ./upgrade.sh
-    chdir: "/opt/netbox-{{ netbox_version }}"
-  become: true
-  become_user: "{{ netbox_user }}"
-  when: netbox_unarchive.changed or netbox_psycopg_fix.changed
 
 # TODO - still manual work
-# * Create a super user
+# * Run Database Migrations
-# * Migrate media files
+# * Create a Super User
-
+# * Collect Static Files
-- name: Install netbox housekeeping cronjob
+# * Gunicorn Configuration
-  template:
+# * systemd Configuration
-    src: netbox-housekeeping.sh.j2
-    dest: /etc/cron.daily/netbox-housekeeping.sh
-    mode: 0755
 
 - name: Ensure certificates are available
-  command:
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt -days 730 -subj "/CN={{ netbox_domain }}" creates=/etc/nginx/ssl/{{ netbox_domain }}.crt
-    cmd: >
-      openssl req -x509 -nodes -newkey rsa:2048
-      -keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
-      -days 730 -subj "/CN={{ netbox_domain }}"
-    creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
   notify: Restart nginx
 
-- name: Request nsupdate key for certificate
+#- name: Configure certificate manager for netbox
-  include_role: name=acme-dnskey-generate
+#  template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
-  vars:
+#  notify: Run acertmgr
-    acme_dnskey_san_domains:
-    - "{{ netbox_domain }}"
-  when: "'kitchen' in group_names"
-
-- name: Configure certificate manager for netbox
-  template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
-  notify: Run acertmgr
 
 - name: Configure vhost
-  template:
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/netbox
-    src: vhost.j2
-    dest: /etc/nginx/sites-available/netbox
-    owner: root
-    mode: "0644"
   notify: Restart nginx
 
 - name: Enable vhost
-  file:
+  file: src=/etc/nginx/sites-available/netbox dest=/etc/nginx/sites-enabled/netbox state=link
-    src: /etc/nginx/sites-available/netbox
-    dest: /etc/nginx/sites-enabled/netbox
-    state: link
   notify: Restart nginx
-
-- name: Install systemd units
-  template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
-  with_items:
-  - netbox
-  - netbox-rq
-  notify:
-  - Reload systemd
-  - Restart netbox
-  - Restart netbox-rq
-
-- name: Enable services
-  service: name={{ item }} state=started enabled=yes
-  with_items:
-  - netbox
-  - netbox-rq

roles/netbox/templates/configuration.py.j2

@@ -33,10 +33,8 @@ REDIS = {
         # 'SENTINEL_SERVICE': 'netbox',
         'PASSWORD': '',
         'DATABASE': 0,
+        'DEFAULT_TIMEOUT': 300,
         'SSL': False,
-        # Set this to True to skip TLS certificate verification
-        # This can expose the connection to attacks, be careful
-        # 'INSECURE_SKIP_TLS_VERIFY': False,
     },
     'caching': {
         'HOST': 'localhost',
@@ -46,10 +44,8 @@ REDIS = {
         # 'SENTINEL_SERVICE': 'netbox',
         'PASSWORD': '',
         'DATABASE': 1,
+        'DEFAULT_TIMEOUT': 300,
         'SSL': False,
-        # Set this to True to skip TLS certificate verification
-        # This can expose the connection to attacks, be careful
-        # 'INSECURE_SKIP_TLS_VERIFY': False,
     }
 }
 
@@ -69,13 +65,32 @@ SECRET_KEY = '{{ netbox_secret }}'
 # Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
 # application errors (assuming correct email settings are provided).
 ADMINS = [
-    # ('John Doe', 'jdoe@example.com'),
+    # ['John Doe', 'jdoe@example.com'],
 ]
 
-# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
+# URL schemes that are allowed within links in NetBox
+ALLOWED_URL_SCHEMES = (
+    'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
+)
+
+# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
+# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
+BANNER_TOP = ''
+BANNER_BOTTOM = ''
+
+# Text to include on the login page above the login form. HTML is allowed.
+BANNER_LOGIN = ''
+
+# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
 # BASE_PATH = 'netbox/'
 BASE_PATH = ''
 
+# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
+CACHE_TIMEOUT = 900
+
+# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
+CHANGELOG_RETENTION = 90
+
 # API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
 # allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
 # CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
@@ -104,6 +119,10 @@ EMAIL = {
     'FROM_EMAIL': '',
 }
 
+# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
+# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
+ENFORCE_GLOBAL_UNIQUE = False
+
 # Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
 # by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
 EXEMPT_VIEW_PERMISSIONS = [
@@ -126,18 +145,22 @@ INTERNAL_IPS = ('127.0.0.1', '::1')
 #   https://docs.djangoproject.com/en/stable/topics/logging/
 LOGGING = {}
 
-# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
-# authenticated to NetBox indefinitely.
-LOGIN_PERSISTENCE = False
-
 # Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
-# are permitted to access most data in NetBox but not make any changes.
+# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
 LOGIN_REQUIRED = True
 
 # The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
 # re-authenticate. (Default: 1209600 [14 days])
 LOGIN_TIMEOUT = None
 
+# Setting this to True will display a "maintenance mode" banner at the top of every page.
+MAINTENANCE_MODE = False
+
+# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
+# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
+# all objects by specifying "?limit=0".
+MAX_PAGE_SIZE = 1000
+
 # The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
 # the default value of this setting is derived from the installed location.
 # MEDIA_ROOT = '/opt/netbox/netbox/media'
@@ -155,6 +178,20 @@ LOGIN_TIMEOUT = None
 # Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
 METRICS_ENABLED = False
 
+# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
+NAPALM_USERNAME = ''
+NAPALM_PASSWORD = ''
+
+# NAPALM timeout (in seconds). (Default: 30)
+NAPALM_TIMEOUT = 30
+
+# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
+# be provided as a dictionary.
+NAPALM_ARGS = {}
+
+# Determine how many objects to display per page within a list. (Default: 50)
+PAGINATE_COUNT = 50
+
 # Enable installed plugins. Add the name of each plugin to the list.
 PLUGINS = []
 
@@ -167,13 +204,24 @@ PLUGINS = []
 #     }
 # }
 
+# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
+# prefer IPv4 instead.
+PREFER_IPV4 = False
+
+# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
+RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
+RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
+
 # Remote authentication support
 REMOTE_AUTH_ENABLED = False
-REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
+REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
 REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
 REMOTE_AUTH_AUTO_CREATE_USER = True
 REMOTE_AUTH_DEFAULT_GROUPS = []
-REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+REMOTE_AUTH_DEFAULT_PERMISSIONS = []
+
+# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
+RELEASE_CHECK_TIMEOUT = 24 * 3600
 
 # This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
 # version check or use the URL below to check for release in the official NetBox repository.
@@ -184,16 +232,10 @@ RELEASE_CHECK_URL = None
 # this setting is derived from the installed location.
 # REPORTS_ROOT = '/opt/netbox/netbox/reports'
 
-# Maximum execution time for background tasks, in seconds.
-RQ_DEFAULT_TIMEOUT = 300
-
 # The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
 # this setting is derived from the installed location.
 # SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
 
-# The name to use for the session cookie.
-SESSION_COOKIE_NAME = 'sessionid'
-
 # By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
 # local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
 # database access.) Note that the user as which NetBox runs must have read and write permissions to this path.

roles/netbox/templates/gunicorn.py.j2

@@ -1,16 +0,0 @@
-# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
-bind = '127.0.0.1:8001'
-
-# Number of gunicorn workers to spawn. This should typically be 2n+1, where
-# n is the number of CPU cores present.
-workers = 5
-
-# Number of threads per worker process
-threads = 3
-
-# Timeout (in seconds) for a request to complete
-timeout = 120
-
-# The maximum number of requests a worker can handle before being respawned
-max_requests = 5000
-max_requests_jitter = 500

roles/netbox/templates/netbox-housekeeping.sh.j2

@@ -1,9 +0,0 @@
-#!/bin/sh
-# This shell script invokes NetBox's housekeeping management command, which
-# intended to be run nightly. This script can be copied into your system's
-# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
-# within the cron configuration file.
-#
-# If NetBox has been installed into a nonstandard location, update the paths
-# below.
-/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping

roles/netbox/templates/netbox-rq.service.j2

@@ -1,21 +0,0 @@
-[Unit]
-Description=NetBox Request Queue Worker
-Documentation=https://netbox.readthedocs.io/en/stable/
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-
-User={{ netbox_user }}
-Group={{ netbox_group }}
-WorkingDirectory=/opt/netbox-{{ netbox_version }}
-
-ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
-
-Restart=on-failure
-RestartSec=30
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target

roles/netbox/templates/netbox.service.j2

@@ -1,22 +0,0 @@
-[Unit]
-Description=NetBox WSGI Service
-Documentation=https://netbox.readthedocs.io/en/stable/
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-
-User={{ netbox_user }}
-Group={{ netbox_group }}
-PIDFile=/var/tmp/netbox.pid
-WorkingDirectory=/opt/netbox-{{ netbox_version }}
-
-ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
-
-Restart=on-failure
-RestartSec=30
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target

roles/netbox/templates/vhost.j2

@@ -10,7 +10,7 @@ server {
 	}
 
 	location / {
-		return 301 https://$host$request_uri;
+		return 301 https://{{ netbox_domain }}$request_uri;
 	}
 }
 
@@ -30,9 +30,9 @@ server {
 	location / {
 		client_max_body_size 32M;
 
-		proxy_pass http://localhost:8001;
 		proxy_set_header X-Forwarded-Host $http_host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_pass http://localhost:8001;
 	}
 }

roles/nginx/defaults/main.yml

@@ -1,3 +0,0 @@
----
-
-nginx_anonymize: False

roles/nginx/files/nginx.conf

@@ -47,32 +47,7 @@ http {
 	# Logging Settings
 	##
 
-{% if nginx_anonymize %}
-	map $remote_addr $ip_anonym1 {
-		default 0.0.0;
-		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
-		"~(?P<ip>[^:]+:[^:]+):" $ip;
-	}
-
-	map $remote_addr $ip_anonym2 {
-		default .0;
-		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
-		"~(?P<ip>[^:]+:[^:]+):" ::;
-	}
-
-	map $ip_anonym1$ip_anonym2 $ip_anonymized {
-		default 0.0.0.0;
-		"~(?P<ip>.*)" $ip;
-	}
-
-	log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
-		'"$request" $status $body_bytes_sent '
-		'"$http_referer" "$http_user_agent"';
-
-	access_log /var/log/nginx/access.log anonymized;
-{% else %}
 	access_log /var/log/nginx/access.log;
-{% endif %}
 	error_log /var/log/nginx/error.log;
 
 	##

roles/nginx/tasks/main.yml

@@ -30,7 +30,7 @@
   - /etc/nginx/dhparam.pem
 
 - name: Configure nginx
-  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
+  copy: src=nginx.conf dest=/etc/nginx/nginx.conf
   notify: Restart nginx
 
 - name: Configure default vhost
@@ -41,7 +41,7 @@
 - name: Ensure network and dns are available before nginx
   lineinfile:
     dest: /lib/systemd/system/nginx.service
-    line: "After=network-online.target remote-fs.target nss-lookup.target"
+    line: "After=network-online.target nss-lookup.target"
     regexp: "^After="
 
 - name: Start nginx

roles/node_exporter/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 
-node_exporter_version: 1.2.0
+node_exporter_version: 1.0.1
 node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz

roles/node_exporter/files/node_exporter

@@ -1 +1 @@
-OPTIONS="--web.config=/etc/node_exporter/web-config.yml"
+OPTIONS=""

roles/node_exporter/tasks/main.yml

@@ -9,27 +9,6 @@
 - name: Configure node_exporter
   copy: src=node_exporter dest=/etc/default/node_exporter
 
-- name: Create configuration directory
-  file: path=/etc/node_exporter state=directory
-
-- name: Ensure certificates are available
-  command:
-    cmd: >
-      openssl req -x509 -nodes -newkey rsa:2048
-      -keyout /etc/node_exporter/{{ ansible_fqdn }}.key
-      -out /etc/node_exporter/{{ ansible_fqdn }}.crt
-      -days 730 -subj "/CN={{ ansible_fqdn }}"
-    creates: /etc/node_exporter/{{ ansible_fqdn }}.crt
-  notify: Restart node_exporter
-
-- name: Ensure correct certificate permissions
-  file: path=/etc/node_exporter/{{ ansible_fqdn }}.key owner=node_exporter mode=0400
-  notify: Restart node_exporter
-
-- name: Configure node_exporter TLS
-  template: src=web-config.yml.j2 dest=/etc/node_exporter/web-config.yml
-  notify: Restart node_exporter
-
 - name: Install systemd unit
   template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
   notify:

roles/node_exporter/templates/web-config.yml.j2

@@ -1,6 +0,0 @@
-tls_server_config:
-  cert_file: /etc/node_exporter/{{ ansible_fqdn }}.crt
-  key_file: /etc/node_exporter/{{ ansible_fqdn }}.key
-
-basic_auth_users:
-  prometheus: {{ prometheus_node_pass | password_hash('bcrypt', 'supersecret1salt1value') }}

roles/ntp/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Restart ntp
+  service: name=ntp state=restarted
+
+- name: Restart ntpd
+  service: name=ntpd state=restarted
+
+- name: Restart chrony
+  service: name=chrony state=restarted

roles/ntp/tasks/chrony.yml

@@ -0,0 +1,34 @@
+---
+# Use chronyd to lock time via PHC to hosts RTC
+
+- name: Install chrony
+  apt:
+    name: chrony
+    state: latest
+    install_recommends: no
+
+- name: Load kmod ptp_kvm at boot time
+  blockinfile:
+    path: /etc/modules-load.d/ptp_kvm.conf
+    create: yes
+    owner: root
+    mode: '0400'
+    block: |
+      # Load VirtIO PTP driver for chrony
+      ptp_kvm
+  register: load_ptp_kvm
+  when:
+  - ansible_virtualization_role == 'guest'
+  - ansible_virtualization_type == 'kvm'
+
+- name: Load kmod ptp_kvm
+  modprobe:
+    name: ptp_kvm
+    state: present
+  when: not (load_ptp_kvm is skipped)
+
+- name: Configure chronyd
+  template:
+    src: chrony.conf.j2
+    dest: /etc/chrony/chrony.conf
+  notify: Restart chrony

roles/ntp/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+# Select best time source
+# * on kvm sync to hypervisor rtc within nanoseconds accuracy
+# * on anything else use ntpd wich supports only milliseconds accuracy
+
+- name: Setup chrony
+  include_tasks: chrony.yml
+  register: ntp_use_chrony
+  when:
+  - ansible_virtualization_role == 'guest'
+  - ansible_virtualization_type == 'kvm'
+
+- name: Setup ntpd
+  include_tasks: ntp.yml
+  when:
+  - ntp_use_chrony is skipped

roles/ntp/tasks/ntp.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Install ntp
+  apt: name=ntp
+
+- name: Configure ntp
+  template: src=ntp.conf.j2 dest=/etc/ntp.conf
+  notify: Restart ntp
+
+- name: Start the ntp service
+  service: name=ntp state=started enabled=yes

roles/ntp/templates/chrony.conf.j2

@@ -0,0 +1,27 @@
+# {{ ansible_managed }}
+
+{% if not (load_ptp_kvm is skipped) %}
+refclock PHC /dev/ptp0 poll 2
+{% elif ntp_servers is defined %}
+{% for srv in ntp_servers %}
+server {{ srv }} iburst
+{% endfor %}
+{% else %}
+pool 2.debian.pool.ntp.org iburst
+{% endif %}
+
+{% if ntp_peers is defined %}
+{% for peer in ntp_peers %}
+peer {{ peer }}
+{% endfor %}
+{% endif %}
+
+keyfile /etc/chrony/chrony.keys
+driftfile /var/lib/chrony/chrony.drift
+logdir /var/log/chrony
+maxupdateskew 100.0
+rtcsync
+makestep 1 3
+
+# Do not allow chronyc for security reasons
+cmdport 0

roles/ntp/templates/ntp.conf.j2

@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+{% for srv in ntp_servers %}
+server {{ srv }} iburst
+{% endfor %}
+{% if ntp_peers is defined %}
+
+{% for peer in ntp_peers %}
+peer {{ peer }}
+{% endfor %}
+{% endif %}
+
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+restrict 127.0.0.1
+restrict -6 ::1

roles/prometheus/tasks/main.yml

@@ -6,7 +6,7 @@
 - name: Install dependencies
   apt:
     name:
-    - python3-pip
+    - python-setuptools
     - python3-setuptools
     - virtualenv
 
@@ -22,13 +22,6 @@
   - Reload systemd
   - Restart prometheus-pve-exporter
 
-- name: Configure prometheus retention
-  lineinfile:
-    path: /etc/default/prometheus
-    regexp: '^ARGS=.*$'
-    line: 'ARGS="--storage.tsdb.retention.time=365d"'
-  notify: Restart prometheus
-
 - name: Configure prometheus
   template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml
   notify: Restart prometheus

roles/prometheus/templates/prometheus.yml.j2

@@ -27,29 +27,12 @@ rule_files:
 scrape_configs:
 {% if node_targets is defined %}
   - job_name: node
-    scheme: https
-    basic_auth:
-      username: prometheus
-      password: {{ prometheus_node_pass }}
-    tls_config:
-      insecure_skip_verify: true
     static_configs:
       - targets:
 {% for target in node_targets %}
         - {{ target }}
 {% endfor %}
 {% endif %}
-{% if dnsdist_targets is defined %}
-  - job_name: dnsdist
-    basic_auth:
-      username: prometheus
-      password: {{ prometheus_dnsdist_pass }}
-    static_configs:
-      - targets:
-{% for target in dnsdist_targets %}
-        - {{ target }}
-{% endfor %}
-{% endif %}
 {% if fastd_targets is defined %}
   - job_name: fastd
     static_configs:

roles/radvd/templates/radvd.conf.j2

@@ -19,6 +19,6 @@ interface br-{{ site_code }} {
     AdvRouterAddr on;
   };
   {% endif %}
-  RDNSS {{ batman_ipv6 | ipaddr('address') }} {
+  RDNSS {{ batman_ipv6 | ipaddr('address')}} {
   };
 };