2 Commits
master
...
ntp-chrony
Author | SHA1 | Date | |
---|---|---|---|
42bb310ca1 | |||
f5cc5cea9c |
@ -1,4 +0,0 @@
|
|||||||
skip_list:
|
|
||||||
- meta-no-info
|
|
||||||
- package-latest
|
|
||||||
- risky-file-permissions
|
|
@ -8,4 +8,4 @@ steps:
|
|||||||
- name: lint
|
- name: lint
|
||||||
image: cytopia/ansible-lint:latest
|
image: cytopia/ansible-lint:latest
|
||||||
commands:
|
commands:
|
||||||
- ansible-lint
|
- ansible-lint -x305,403,701
|
||||||
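Review bot: The new lint command `- ansible-lint -x305,403,701` suppresses rules by bare number, so the reason for each exclusion is recorded nowhere, and the numbers only mean something for whichever ansible-lint release the `cytopia/ansible-lint:latest` image ships on a given day; pin that image to a version or digest so the exclusions keep pointing at the rules you mean. If the v4 numbering is what is intended, 305 is the shell-vs-command rule, which the `.ansible-lint` skip_list deleted at the top of this compare did not exclude; silencing it hides the tasks most likely to interpolate variables into a shell line, so I would keep 305 enabled and fix the offending tasks instead. Prefer moving the exclusions back into a checked-in `.ansible-lint` with named rules and a one-line reason per entry, e.g. `skip_list:` / `- package-latest  # <reason>`. The `steps:` list that holds this entry begins outside the hunk.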
|
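--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,3 @@
 __pycache__
 site.retry
 *.pyc
-ff-ansible.code-workspace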
@ -3,11 +3,11 @@ Ansible Freifunk Regensburg
|
|||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
The python packages netaddr and passlib are required on the host running ansible.
|
The python package netaddr is required on the host running ansible.
|
||||||
|
|
||||||
The vault password must be stored in `.vault_pass`.
|
The vault password must be stored in `.vault_pass`.
|
||||||
|
|
||||||
The *only* supported distributions to deploy roles on is debian buster.
|
The *only* supported distributions to deploy roles on is debian stretch and buster (stretch may be too old for prometheus).
|
||||||
|
|
||||||
|
|
||||||
## Running Ansible
|
## Running Ansible
|
||||||
|
@ -1,6 +1,5 @@
|
|||||||
[defaults]
|
[defaults]
|
||||||
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
|
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
|
||||||
interpreter_python = auto
|
|
||||||
inventory = ./hosts
|
inventory = ./hosts
|
||||||
library = ./library
|
library = ./library
|
||||||
nocows = 1
|
nocows = 1
|
||||||
|
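Review bot: Dropping `interpreter_python = auto` from `[defaults]` hands interpreter selection back to Ansible's built-in default, which has been `auto_legacy` since 2.8 and on Debian prefers `/usr/bin/python` when it exists, so modules on the stretch/buster targets the README lists may silently run under Python 2; the same compare also switches the library module's shebang to `#!/usr/bin/env python` in a later section, which points the same way. If Python 3 is the intent, keep the setting explicit, `interpreter_python = auto` or `interpreter_python = /usr/bin/python3`, and add a `; ` comment line above it naming the targets it was chosen for, so the choice does not depend on the controller's Ansible version.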
@ -2,20 +2,6 @@
|
|||||||
|
|
||||||
acertmgr_mode: webdir
|
acertmgr_mode: webdir
|
||||||
|
|
||||||
dnsdist_targets:
|
|
||||||
- gw11.regensburg.freifunk.net:8053
|
|
||||||
- gw21.regensburg.freifunk.net:8053
|
|
||||||
- gw31.regensburg.freifunk.net:8053
|
|
||||||
- resolver.regensburg.freifunk.net:8053
|
|
||||||
|
|
||||||
dns_slaves:
|
|
||||||
- 195.201.117.207
|
|
||||||
- 2a01:4f8:1c0c:7dda::1
|
|
||||||
- 213.166.224.14
|
|
||||||
- 2a02:958:0:1::e
|
|
||||||
- 213.166.225.14
|
|
||||||
- 2a02:958:0:1::1:e
|
|
||||||
|
|
||||||
fastd_targets:
|
fastd_targets:
|
||||||
- gw11.regensburg.freifunk.net:9281
|
- gw11.regensburg.freifunk.net:9281
|
||||||
- gw21.regensburg.freifunk.net:9281
|
- gw21.regensburg.freifunk.net:9281
|
||||||
@ -49,14 +35,11 @@ node_targets:
|
|||||||
- gw11.regensburg.freifunk.net:9100
|
- gw11.regensburg.freifunk.net:9100
|
||||||
- gw21.regensburg.freifunk.net:9100
|
- gw21.regensburg.freifunk.net:9100
|
||||||
- gw31.regensburg.freifunk.net:9100
|
- gw31.regensburg.freifunk.net:9100
|
||||||
- ns1.regensburg.freifunk.net:9100
|
|
||||||
- resolver.regensburg.freifunk.net:9100
|
|
||||||
- stats.regensburg.freifunk.net:9100
|
|
||||||
- web.regensburg.freifunk.net:9100
|
- web.regensburg.freifunk.net:9100
|
||||||
|
- stats.ffrgb:9100
|
||||||
- unms.ffrgb:9100
|
- unms.ffrgb:9100
|
||||||
- unifi.ffrgb:9100
|
- unifi.ffrgb:9100
|
||||||
- tiles.ffrgb:9100
|
- tiles.ffrgb:9100
|
||||||
- netbox.ffrgb:9100
|
|
||||||
|
|
||||||
ntp_servers:
|
ntp_servers:
|
||||||
- 0.de.pool.ntp.org
|
- 0.de.pool.ntp.org
|
||||||
@ -64,10 +47,6 @@ ntp_servers:
|
|||||||
- 2.de.pool.ntp.org
|
- 2.de.pool.ntp.org
|
||||||
- 3.de.pool.ntp.org
|
- 3.de.pool.ntp.org
|
||||||
|
|
||||||
prometheus_dnsdist_pass: "{{ vault_prometheus_dnsdist_pass }}"
|
|
||||||
|
|
||||||
prometheus_node_pass: "{{ vault_prometheus_node_pass }}"
|
|
||||||
|
|
||||||
prometheus_pve_user: prometheus@pve
|
prometheus_pve_user: prometheus@pve
|
||||||
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
||||||
|
|
||||||
|
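Review bot: `prometheus_node_pass: "{{ vault_prometheus_node_pass }}"` is removed in the last hunk while `node_targets` in the middle hunk still lists the :9100 node-exporter endpoints, so whatever template consumed that variable now either fails on an undefined variable or renders the scrape job without credentials; the role and its templates are not in this compare, so please confirm which. The same question applies to `prometheus_dnsdist_pass`, removed together with `dnsdist_targets` in the first hunk. If the node scrape is meant to run without authentication now, a comment above `node_targets:` saying so would spare the next reader the search.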
@ -1,151 +1,134 @@
|
|||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
36396532616163303161303134326565316637343336613531663031376439303930306532373063
|
33336336363031356335646231313439663164663337323062393465653638346538613762323532
|
||||||
3765313339353437393633373035663661623461343132380a373536646632346364663662626665
|
3130356238303530316134623963616261663162393061300a653332613538633462353265353965
|
||||||
37373532633937623030393735383164376233383838613635353565333763626430616630636536
|
63653131386233643635343732346336653164303236626666613963353963616634653939623135
|
||||||
6635373636383462610a326662393234333166373834323834353537363239616639343531616339
|
3231653165646661300a326563353632613937663137323562663364623133306338346633643832
|
||||||
63383939313735653364383137346166306639633637636137353832666333633963633363663265
|
38613536373436643539623064386566653738316532666166333538656664623966376639363962
|
||||||
39356136613639643135633534636264393838376431336462363030363463643232663534313261
|
63636332636331633762326539653863313233633032663063633136356562353737383365316238
|
||||||
64373861313135623264316135646234376230653863633863366538353736653964363137303533
|
62633432363661613162616230313437306439376265623563343564343532366266616536346432
|
||||||
63623730396338643738313432343962666461653136333361383033623161376662346165626338
|
38376465626236316434613631336465626363663263613232313662336133396434336437656464
|
||||||
33356162376536303363343363343830383365323737636334323632306261336538356639306632
|
34323863643366326633613632636662353232323563616138356537613762666561393133383265
|
||||||
39333166353830386537383033396465343461396330386238653961386237336234376533633931
|
65313162396434396662613131333261643966313366326435373831393338656361643733343837
|
||||||
64653331326263343063306230653265643731323732353437643161383238376664636562383561
|
64316462393361336630623563386336323138653833636464623163343134393033303865326161
|
||||||
31376561373130636561366333306139636533363933313566363537363238343462323539313439
|
33323461333334616333336466636436383764303362396561333830626137333462333564316364
|
||||||
30393035643138666435393237383039623735353963353039323966666130393638306565333631
|
38393437666662346630663137643132626133383965353030663632636237663433383462326165
|
||||||
64653432623664346637656134643963323233376535333731653466633064306365306164643337
|
30376436643137333361383839306537613535653564306164643363643330613031363630633964
|
||||||
61306661356531623737386439373465636339643435343838393863333034383437343832383134
|
62396238396530306431633362343739633230383934373364303733366136633136363761303762
|
||||||
64666332613865306438643830376665623435376632373362356363343339363533303433313939
|
33373165323939343063633965623733363934363330353662623134653438303337636161343132
|
||||||
33623636616334646536663333383031396666376562366335656666363233636265643435383334
|
66393361363838323731303564653834316265333363303662376630333930346534363133363861
|
||||||
39656432383035323334373639326535306237643336663232633566663837663466383331336261
|
62396533666365303065333330363066343238386438636661633233363831343838316131353633
|
||||||
32383238353137333731386331623264633338373964653261643865353162623232393930333432
|
38643764386166656632313938386133366233366130626636323330326466376566613563383561
|
||||||
38323065343865643135653535623934613634636465333865353465326139613130376134396132
|
62383038336566356533643336393430353365623932376161393438653465653962383130363433
|
||||||
62366539396432633935663930663063363536393331393666616438396231643938306139313033
|
34393437343238383634323432633134353664386136633533383463616235326239383966633431
|
||||||
31623237646135633237343566646436363864303334373861306430626131366430666634303862
|
36363532623932326432366330343332376264666537333234333234616638653830363633313465
|
||||||
34663163373263366561306336336535656465326633613535343665343361373936346431363538
|
38343038666336353634633238356662666338646661646265306564633861333461336231313834
|
||||||
34303565336132646461656135623463373832396533316132313139303133303565616434663138
|
64663166356432376564633163303636643963323032393737383537323639616333373133626264
|
||||||
62663561663530363834623130313464623465653139343033313132366665636535666639323162
|
32303466316562666338356235376133653833623936373131373237393334393665306561366636
|
||||||
62316666643532353166373430633832643434356664346337633738623739353835313539666130
|
66623437663334326631353132303030663236393762336639313861663962353363653831373563
|
||||||
66633931306330363532363630626162353066316565643235636162393532393234646230363131
|
62386633306463306634633862326632313063393362353438623437376138363433623934666162
|
||||||
37666166393666313661663863643866656236313935356131313230313861636631643034643662
|
37373662393437363965623162303934333230343962626233366630396531326665383065386161
|
||||||
64393866633064383164643365363038626536663831393432363661383736306663356563313734
|
65663666356431366335633339366637303137353765656638316535613933343237656563663863
|
||||||
63363363363531623634363835363364303137646335373662313764323263306539386435663631
|
65313230616338653030343034663937666134653336383732393538396337326238343761323137
|
||||||
39396234623064636531653063326562383235333865393935376265393932633763613838343733
|
30626138666262666465393036363133356563653437376666376366613635306162653739396531
|
||||||
34353663313462313437316534663239353535313434646431663862393561613264626634643864
|
64613664626663626462343737626266636132313366393861313436383137313765623165333734
|
||||||
31633734633963346634376165343435666538313932343230343237363839323764633835623337
|
35333036633234303733373161626331363333393062613933623931356234363735663165386338
|
||||||
62653466376265343639343064366461653964303337363561306138363534613036376338373266
|
61333961666638326134396431393335633435666135383738376335623135663934356437623062
|
||||||
65376432396234383661653330613465623735373834393836646439616634613865323236666264
|
66323833353065653866613264663262653731373865656363666466303330356563356434343161
|
||||||
31336363373063346231376164663930336539633363306633393938643234373065343164613738
|
34363564363564393132326264626134383630653437626536623166363965306363653539336461
|
||||||
30343831383432343931336633633830653736303061383634666337613930396262393334663561
|
36366538383134376564376665336231663532656464393832346166653462306235666139633265
|
||||||
38343232613361333564653362306139346130643530373938366332396535636630353536646336
|
34663235353765316633333865313439663736323462653232633362633333663539613934346136
|
||||||
37623962353933326561346636303338333934356230356363303938613566343365626431633134
|
31363536303338633333393064366234643762396364356539363966623936663764353161383136
|
||||||
35636432396166653835643234396662663463313063636564663835326366613739313531356431
|
34383432386537646566653964313731623761316161663136386532663332333262313861613932
|
||||||
36353664316461396366356233623236373230616534393136626231376436343538326163623764
|
35356566303364326436306235323463623331613663383031343335323537346530653637663939
|
||||||
66306264643562316563323062323637383131363062373362613061363736353430363137623161
|
34613333323738303731636362323735346561343332376137616339386163346134646566353231
|
||||||
32356630363866383064626538313739663335633235646435663134396537316165383334333464
|
65656264626131306130663761663763336464306563313835633432333761623633666433613830
|
||||||
33626430303630663565396665383265313663643264616566646639376134646233336332373264
|
63356265343839396162363333646630346364643661303331663236306535306465626435326662
|
||||||
33613462663539666432646666303533343837636438373261303232663864626566373732316339
|
62313963663636363366356132616239323632623733656137316663303031356631323235353634
|
||||||
64646564633930653437646137656466343135326562626531353265666134656665396163636534
|
64613035346633313366633138353737303565303434363139616466636163323137346238623562
|
||||||
33343135393237363234336363656263666530396635386132663530386631363066663234363265
|
61333066633833303232333934373039623762323435333261633835356466303564666132656362
|
||||||
66343264343837396165626138373835656237626236626130316134303131353539313732666463
|
62613939323735343163376165653634333834353334663532383866313232663533643138663766
|
||||||
30373661666232646438393662653535373433353762376264666536306130613531616462313830
|
31353138356562386135366130373063306538633465323363313361316438366631366463323730
|
||||||
35626461633538343261623636373236333336636436343438626338316236373039303737386438
|
62393637353931653930303230626665303066646539663338363133613431306532623865343531
|
||||||
39316433353739633264336535653561383039313734646139393961653537313562633266363338
|
64366263653062643334336132336466383563636630323539373336343330616531323962326537
|
||||||
38336236363166393964336461323430393639393866653337366564636538396338656339626136
|
64306535623135396537363735633039636335623561343435613864656330376631613434613866
|
||||||
35396566616634656137653438306136663831326166663338323531336364646332646162323430
|
31393166633361633063323538623361653135306539346366383264336634353633626136663731
|
||||||
38383234653565623062636135333136613039663362623230366364343635356234386631373664
|
35383332373338333935376438346232326236613430306533316561333438383238306666346465
|
||||||
33373965393033336235356266336331306366613065396139316363316133616265646232623762
|
36356235373466303536346363393661393838336331313536383662353438333662366563353038
|
||||||
32346331616236663231326631366364393735303163626335643730656233353236636633303939
|
66383237613132613636356461653037373437336264626539333763643261326239313065336463
|
||||||
63383965353137363062313265623733313338613966643563363466396333356262643065363666
|
34323361613565663336343131613530616462633331653134613431393839303364363831303337
|
||||||
66346333366566376336366662363632623536356564313334343135633136663632656262323334
|
39393732646234383936316637343066633761636231326639663239306231303834306631393933
|
||||||
64336135373163383339336664346632646535386536386361386336363138373130316438663062
|
32323335666262666232363638306562353866353338646234353631323533316532383235336632
|
||||||
37353231663130303838333932323532653365323238333737643866356163383032393934346530
|
33643934343836366631336666643730656137626466666232396535356664313132383838363832
|
||||||
33636565326138613963396432323838663037366463343633613730613339343266373233393063
|
39613664643761653461326234643539643831616537363836656561303562633064613238383233
|
||||||
38656264613530373262333937313037373431326665356339313638323334346464623936643035
|
33616336666462333461343766383063353361313032643230636132343631613636666636666639
|
||||||
33616630336464396531396365366462333265313239323966633563656332373164623536303963
|
38386136656565653439323162363035623665623139326366326431343861393664636664363934
|
||||||
31633437343130613039303131363264623232633232656332653138333161666233376233316639
|
61353761326136346636393261663335383664646531616366363436306461313063646264356561
|
||||||
33386636336263333463636438383231666466373934323235326366356263633563393664383939
|
63393931313266633734616362376630616535396635343363326361653434353631303836326433
|
||||||
35326562656166616264313937636432643265636565623335326237333432343238383536303735
|
64313533646331336338353533643031316638386330626362313938623736316134633062393930
|
||||||
38643333383834343633366366373639323738613433326665633362316563306161386230653363
|
31306332623364393839313761353564313563326462313637663635663661396638373130363866
|
||||||
33386463323765663838326331666433313563343266623063363962373961333064343964393439
|
30326263383730356135663433623138663239363765363664636133653462653262393766363966
|
||||||
38633036376138383936663031343835353865333635653861653131383535343939356631656532
|
37303862363131646236333134366664653061343735303035383663383539353732313935313933
|
||||||
62656464623263626464613365386234353632303734643631633435626133383538376136643335
|
37323461343530306632626631373238333636303135653535626631343862663639306136323363
|
||||||
31333430643839666238373561643966633334653361373336306266383631663537303265316564
|
30343731356434333030303332636637363364643363666136353266383138613066353732326665
|
||||||
37633633363933353931653830306663393766303363333535313737346239613366326536653530
|
32366234373864663333323035306334613937656666396437646335383839663336633364613338
|
||||||
34643166663333663066373735376266306635306132383134653161646337333161356234366533
|
63306635663762373331646535373638343436376431646564666239633631376465623730353935
|
||||||
34323461653763386636653665353362323565396535326366663639313437616663376332616630
|
66383262623838376339373735396131303434616132373832633061616132393931643830633864
|
||||||
33323531623935383639623635323662636239386631623361613066616134396565306565393161
|
37663931613633656339383062336462383661363463323632396636633965373439383938626635
|
||||||
62313235316264663261306461623032373938336661653534383835303638333831613232316564
|
38336330383139653365653664383934663838306531373164626136613338343861353262663431
|
||||||
65333135383761373937626534663633633936396532313263396338393462623830396538313464
|
30653265333065663664646564376466303838373961626436396631356366363832613930346664
|
||||||
61333966373930626135663839633766383332656564366639386130323061363137333065653433
|
34643962363862643732653631333665366134343332313863316164323465383138386262336336
|
||||||
36313434326234386466643730663939376461633334646133363763303561373862633565663634
|
32343365386362346237656361386163323062376232346137336365363731396639346137343735
|
||||||
65646237346636636230313136633136623236646239323937373163616230636264326534373263
|
62633436643265636262376639383635336536353131666661326238653339626666383562323763
|
||||||
36333035643663626239306363636635336237373761333239363937633932363936663832396438
|
63373636636530306461633035616163643962633033363565323164343034633666346133343638
|
||||||
34346662633265326365383866383864356563393431363137333564326466613832666663633539
|
37613463333461373663336630313834316333366466336539333135356338343731636231663530
|
||||||
33666638393337336633613032623739633836663831353762653437323733336230396333643733
|
38623738636534333762376434336336326166373363643864316233343735386234616663636534
|
||||||
65663462346166653534323533376431356535316238363639613636383663306635343836376365
|
32393838623939343536346634633339613837373735353565313138333864383632383533396264
|
||||||
64363765393863363038363739353239633934343138636564343562316131313933616363356237
|
36363430356237636235316631313664336265633333313137373861666333663865393065393531
|
||||||
66306230613863633038313161613861653138656433623031313534666139393535383163366339
|
30386335613531353837363738366232313036343731343566306166646466353164336136393330
|
||||||
36393138323838656139653163393965356131633961623930623637663839383564633534336565
|
65323933613266363739363231663563656437396231316666303437633564613465313937383038
|
||||||
30643334353537306637636263633331306162316565633630303636323833636234336264316361
|
32643465346130323738336364356331663163323236333764653566306664623164626437363465
|
||||||
36613833653565613562363763336633323236393836653466356638646166333661653431376463
|
34333165343034633135336234633765336333623333643632353335656238393863623062623665
|
||||||
32363638616433643264323938616262383663653334323931346639633836333462333663376364
|
39393434643538373633653630353963346132663366656532303764333838336562663735613737
|
||||||
32663838663534626565376661656663643162626137363431363461313864623732613764333664
|
39363865353736663263303565336263643333613238336462313839323738373063393639303531
|
||||||
39626232333534326364613838376434666635313731646533363635386230333036336533633034
|
34633739366531326666633634366230363431303663383432323463643665316136643434343839
|
||||||
31323132343230646631626131663436356263626563323934643765666462343234653038383564
|
66313030623561366431353863633666636262336637636235326434366536393830343433336462
|
||||||
64393739663035636266663539326661303262383966323634333234363233656465396665613636
|
34666631343862346239346434666462613836343161663234646439643562316564666632316665
|
||||||
38623063336337383931343931333565623261313638613235633230623638623863616238316662
|
66376137313231376433333163396564343435303434326235626239336237653332316232343361
|
||||||
33376135646535656434323732656362343834663530316437333630373230303136303137306637
|
30666531393863616132323837333931323534633561626263333534646530623433613633383061
|
||||||
31343266386535346362383032376635386132636138333765616361653463316239303536316262
|
36393361613736393333633166346465363762336232303530393262666366303763303862383632
|
||||||
35623062316533656661356462643864383536303835346235353339663238386532343064636233
|
30336437313339643861663635623334323330653030396432623932613433343836626238373530
|
||||||
66363566623663353265616434336163396336336263613030623134653361363732323738313363
|
35353535366237663865333832356661613635353138356438386333323734386237626532343665
|
||||||
61343232656233363433626334306433626566616537376537663930613738386663393035373533
|
31373061616234633336386661323164663934336464316364343036633336376234656263346530
|
||||||
64656639326165666138343361613637653166316330393665643533333466613861653232333138
|
64333336383861396261316436636638653934643463666263346430366238663663383834313266
|
||||||
66316464336465653062376261643238323761383161623933353433613266646537623639396666
|
65396434313161333532323036336538653830303232343364656365353339623165346164393039
|
||||||
32343735323833383365313539333138656230306134343631666232653965663264656635343061
|
62356561366461643831656466316266616335646163303438353735393830636434386335623632
|
||||||
38353162383364323538366666666365316432393939333663366664356364633939653837346431
|
32623835613262653566306561333835316334613633613138643235343265376238343932363264
|
||||||
35383063393664656539393763313735663638343863616431306566356332343935653631646536
|
65666334633663366338306566346433626431656131393233393661396361366365333733303130
|
||||||
66643130613266636331663762303962643434653532336531396165303638303831393561376633
|
38353435396462636633336238373131386562333063386235366233633030663861316161653362
|
||||||
36613537333163633837666530356163343733313631633962326365363063663261333061376135
|
36306431663639663137313762396338323933663036343130633438326435383934633861343262
|
||||||
39363532366638343430643664663863653666663064386562616434313831633032316238393963
|
39623431326362643833353532336233653664643733323432326466666165373333313266626565
|
||||||
38346564306438653865663937633037373961636630653530643936326333316433636334333935
|
38656465623362323966333238336262323563353038666635666137303064663333363730633335
|
||||||
65326434316435313364666364613138306630356234393839313031373536336539623132653634
|
31306139323831366363346331383834646635316166393334326535323339363038353365353538
|
||||||
30336332323932323863353139303835643865313466356637303032393437636531313330666536
|
31356164656235373536323830333135333931373764636439363135316532613530333734613964
|
||||||
34333565376635633863303066376330313362303836366666313530336430343939313466633135
|
66393233383132623536643664643862336162396630383932383731626233643966636437393461
|
||||||
32373238363031396665656536646236393133376435633638303238636663313738353532393236
|
30356262393661623737653439633336656635323134613336626336343666363138303931323064
|
||||||
38633831633039616430343932343066303837303161653166623761343033386437303231393931
|
36366333393330333365663965646664333561646434306463333135653130646337623035393434
|
||||||
65353334666164343337363035616162383635623838343662323430326639633834366666393663
|
66636261346534653263356230633838633033373566623138626264656236336630373634636430
|
||||||
31356138366666333563653738653032646633316537326333306133333435623132306236373963
|
39633136666565343332663330323937393565643338663433656466323535613064326233626637
|
||||||
37326435373064386131383938353465373239323434366339343364646565393131643335366530
|
63393064363434393634333863363761643433326438336634306438376235393632643332346339
|
||||||
35346465616330346232656239643165663438386339663136336362356437653334326335666564
|
63306437336431613535356138336666613862343437306330393566346332666534646230313265
|
||||||
38326436623239393833393838656335336565666536386164356535633363363836323966343663
|
66663839333730636538343630363933353039343064316330666631646565386438613232383031
|
||||||
66323563616564623165373730353238353063393362653964316338333932636333353064333761
|
63393963333063343437383130356331356162616266383231383535313530393264323232623934
|
||||||
61626432383233323630626465393461393130363232383565646631343464363138323763656637
|
30363861373261303966613361336335356233306530343435313730393166383536323937373666
|
||||||
35653964386434653335666335373932646133653966626430656636626461646263383464643666
|
33613033633530393933333265306265626632663266383834666334336364623864333735343735
|
||||||
61396265333465343039653333646661383165356335633532623165323364363630386335373935
|
35316132636333323566666339333039653862666264353638336336356334393030663733306264
|
||||||
34363739636432366565366265373038643633613739363266653531623032333030303437346665
|
61613661613166366238646264343239393735653437383539343731373266386238323532643739
|
||||||
63333666623536353238616636633065393562623566376461336262363665323866376666303930
|
38643262343666656661356338623035343934383765313939363537393434623965623437363239
|
||||||
66393533353766373732326231373732663766393034326538643063393037316239653838333738
|
61653034656535313937316639663166386432623034383864356465623032353636643737326336
|
||||||
35636539393966343866613932663230663638653862643934616539393436383639356339633133
|
38376436343133643263336435636638356465396566623037633334643863643165663765383161
|
||||||
32643836356136353436623738613133353631313936643165376265373638343838396665356166
|
33653530643836343334643734346335653131366439336139646131396237323862323132616339
|
||||||
39303661646265653436396131613536386236613938323739363863633766303365636466376637
|
35383739633133643864646163616661633032666532663861393638343232323437363263663435
|
||||||
38353837633239643166383931323961383362343831633835643930613465346335656566326434
|
65626561303137353330646162326464666236653633346636333864333366323336613638393365
|
||||||
63303565366161373062343162616536653165373537363331353639303230663265643335356330
|
36396262306266396638613736626637633163343938366130363133303535613131383562393333
|
||||||
30333263623431666135393931626431626362366562626431623434613633643062373961663361
|
63643830666437663931633231336432303561326231366639376130303564663564363766343834
|
||||||
65343135353536643863316161326635333038643634396230353465646238356234653034323638
|
3934
|
||||||
39353365306230313031336337313637336233623865666439653861643637663732386461333432
|
|
||||||
61333831306539303439373634376566363861393830333665366238666364653637343364313865
|
|
||||||
30643564363739346566636565636363386533663434653761386565316266333436623031333134
|
|
||||||
33616464323165393331326665633235326231623365373236303335353837663739373165346139
|
|
||||||
65633066343530303335336362343838356565343638313133646339353235633661636361303934
|
|
||||||
65636332383130333036316138393235353363623061613130383431323735626136636334343439
|
|
||||||
39363764386639626432366534363839613366336139363439343066333933366537373333336465
|
|
||||||
32363334326463323261303562633034383233653438643764633231373761326334336561623832
|
|
||||||
37663763343933386165313665646234626263616136343366663834323739343934343833616336
|
|
||||||
38616636396438386539303637646134393865363235616465613665616439653730613039306265
|
|
||||||
36366433356362363537653838626133656430333132666635306137663134333139323565363531
|
|
||||||
33656433393031386537353766366638393433363031616632323962353933666232653563313830
|
|
||||||
38656565376630396235656533313731656666363762386339613534613236656533366161653866
|
|
||||||
61633965366135376264316264393964343035306330623739643338306362633838373434306335
|
|
||||||
34313636373930623663666362633736653363353461616639323261646235653266383837393036
|
|
||||||
34626466623666643465326465343833336338343964666537623431313639656136373339643834
|
|
||||||
6531336131373761336363393133626166376263663037666231
|
|
||||||
|
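Review bot: The vault ciphertext shrinks from 151 to 134 lines, consistent with the secrets removed elsewhere in this compare, but encrypted content cannot be reviewed here, so I cannot check that `vault_prometheus_pve_pass`, which the new side of the group_vars section still references, is defined in it. A run of `ansible-playbook --check` against this branch would surface an undefined vault variable before it reaches a host.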
@ -3,20 +3,13 @@
|
|||||||
batman_ipv4: 10.90.32.11/19
|
batman_ipv4: 10.90.32.11/19
|
||||||
batman_ipv6: fdef:f10f:1337:cafe::11/64
|
batman_ipv6: fdef:f10f:1337:cafe::11/64
|
||||||
batman_algo: BATMAN_IV
|
batman_algo: BATMAN_IV
|
||||||
global_ipv6: 2001:678:ddc:11::11/64
|
global_ipv6: 2a00:9d80:6000:0101::11/64
|
||||||
nextnode4: 10.90.32.1
|
nextnode4: 10.90.32.1
|
||||||
nextnode6: fdef:f10f:1337:cafe::1
|
nextnode6: fdef:f10f:1337:cafe::1
|
||||||
mtu: 1312
|
mtu: 1312
|
||||||
|
|
||||||
vx_wg_vni: 3665730
|
|
||||||
|
|
||||||
mesh_wg_port: 20010
|
|
||||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
|
|
||||||
|
|
||||||
fastd_port: 10010
|
fastd_port: 10010
|
||||||
|
|
||||||
gateway_id: 11
|
gateway_id: 11
|
||||||
|
|
||||||
site_code: ffrgb_cty
|
site_code: ffrgb_cty
|
||||||
|
|
||||||
ntp_server: true
|
|
||||||
|
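Review bot: `global_ipv6` moves from the `2001:678:ddc:11::/64` prefix to `2a00:9d80:6000:0101::/64` here and likewise in the sections for gateways 21 and 31, but the gateway 12 and 22 sections start at file line 8 and touch no `global_ipv6` line, so if those hosts carry a global address it stays on the old prefix; confirm the split is intended. `ntp_server: true` is also dropped at the end of this hunk and in all four other gateway sections with no replacement, so NTP service on the gateways now depends on the role default, which is not visible here; if they are meant to stop serving NTP, `ntp_server: false` states that explicitly, and gateway 31 additionally loses `nat_pool` the same way. The hunk starts at file line 3, so the first two lines of this file are not shown.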
@ -8,15 +8,8 @@ nextnode4: 10.90.32.1
|
|||||||
nextnode6: fdef:f10f:1337:cafe::1
|
nextnode6: fdef:f10f:1337:cafe::1
|
||||||
mtu: 1312
|
mtu: 1312
|
||||||
|
|
||||||
vx_wg_vni: 3665730
|
|
||||||
|
|
||||||
mesh_wg_port: 20010
|
|
||||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
|
|
||||||
|
|
||||||
fastd_port: 10010
|
fastd_port: 10010
|
||||||
|
|
||||||
gateway_id: 12
|
gateway_id: 12
|
||||||
|
|
||||||
site_code: ffrgb_cty
|
site_code: ffrgb_cty
|
||||||
|
|
||||||
ntp_server: true
|
|
||||||
|
@ -3,20 +3,13 @@
|
|||||||
batman_ipv4: 10.90.64.21/19
|
batman_ipv4: 10.90.64.21/19
|
||||||
batman_ipv6: fdef:f20f:1337:cafe::21/64
|
batman_ipv6: fdef:f20f:1337:cafe::21/64
|
||||||
batman_algo: BATMAN_IV
|
batman_algo: BATMAN_IV
|
||||||
global_ipv6: 2001:678:ddc:21::21/64
|
global_ipv6: 2a00:9d80:6000:0102::21/64
|
||||||
nextnode4: 10.90.64.1
|
nextnode4: 10.90.64.1
|
||||||
nextnode6: fdef:f20f:1337:cafe::1
|
nextnode6: fdef:f20f:1337:cafe::1
|
||||||
mtu: 1312
|
mtu: 1312
|
||||||
|
|
||||||
fastd_port: 10020
|
fastd_port: 10020
|
||||||
|
|
||||||
vx_wg_vni: 11781694
|
|
||||||
|
|
||||||
mesh_wg_port: 20020
|
|
||||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
|
|
||||||
|
|
||||||
gateway_id: 21
|
gateway_id: 21
|
||||||
|
|
||||||
site_code: ffrgb_uml
|
site_code: ffrgb_uml
|
||||||
|
|
||||||
ntp_server: true
|
|
||||||
|
@ -10,13 +10,6 @@ mtu: 1312
|
|||||||
|
|
||||||
fastd_port: 10020
|
fastd_port: 10020
|
||||||
|
|
||||||
vx_wg_vni: 11781694
|
|
||||||
|
|
||||||
mesh_wg_port: 20020
|
|
||||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
|
|
||||||
|
|
||||||
gateway_id: 22
|
gateway_id: 22
|
||||||
|
|
||||||
site_code: ffrgb_uml
|
site_code: ffrgb_uml
|
||||||
|
|
||||||
ntp_server: true
|
|
||||||
|
@ -3,22 +3,13 @@
|
|||||||
batman_ipv4: 10.90.96.31/19
|
batman_ipv4: 10.90.96.31/19
|
||||||
batman_ipv6: fdef:f30f:1337:cafe::31/64
|
batman_ipv6: fdef:f30f:1337:cafe::31/64
|
||||||
batman_algo: BATMAN_IV
|
batman_algo: BATMAN_IV
|
||||||
global_ipv6: 2001:678:ddc:31::31/64
|
global_ipv6: 2a00:9d80:6000:0103::31/64
|
||||||
nextnode4: 10.90.96.1
|
nextnode4: 10.90.96.1
|
||||||
nextnode6: fdef:f30f:1337:cafe::1
|
nextnode6: fdef:f30f:1337:cafe::1
|
||||||
mtu: 1312
|
mtu: 1312
|
||||||
|
|
||||||
vx_wg_vni: 3120917
|
|
||||||
|
|
||||||
mesh_wg_port: 20030
|
|
||||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_tst }}"
|
|
||||||
|
|
||||||
fastd_port: 10030
|
fastd_port: 10030
|
||||||
|
|
||||||
gateway_id: 31
|
gateway_id: 31
|
||||||
|
|
||||||
site_code: ffrgb_tst
|
site_code: ffrgb_tst
|
||||||
|
|
||||||
nat_pool: 194.156.22.32-194.156.22.33
|
|
||||||
|
|
||||||
ntp_server: true
|
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
acertmgr_mode: standalone
|
|
@ -1,31 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
grafana_rendering: True
|
|
||||||
|
|
||||||
# yanic needs this
|
|
||||||
site_code: ffrgb_cty
|
|
||||||
|
|
||||||
yanic_publisher: true
|
|
||||||
|
|
||||||
yanic_repondd_enable: false
|
|
||||||
|
|
||||||
yanic_respondd_interface: ens18
|
|
||||||
yanic_respondd_ip: true
|
|
||||||
|
|
||||||
yanic_nodes_prune_after: 60d
|
|
||||||
yanic_nodes_offline_after: 5m
|
|
||||||
|
|
||||||
yanic_meshviewer_enable: false
|
|
||||||
|
|
||||||
yanic_nodelist_enable: true
|
|
||||||
|
|
||||||
yanic_database_delete_after: 720d
|
|
||||||
|
|
||||||
yanic_dbc_repondd_enable: false
|
|
||||||
|
|
||||||
yanic_influxdb:
|
|
||||||
- enable: true
|
|
||||||
host: http://127.0.0.1:8086
|
|
||||||
database: ffrgb
|
|
||||||
username: "admin"
|
|
||||||
password: "{{ vault_yanic_influx_pw }}"
|
|
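--- a/hosts
+++ b/hosts
@@ -2,10 +2,8 @@
 gw11.regensburg.freifunk.net
 gw21.regensburg.freifunk.net
 gw31.regensburg.freifunk.net
-ns1.regensburg.freifunk.net
-resolver.regensburg.freifunk.net
-stats.regensburg.freifunk.net
 web.regensburg.freifunk.net
+stats.ffrgb ansible_host=10.90.224.100
 unms.ffrgb ansible_host=10.90.224.101
 unifi.ffrgb ansible_host=10.90.224.102
 tiles.ffrgb ansible_host=10.90.224.103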
@ -1,4 +1,4 @@
|
|||||||
#!/usr/bin/env python3
|
#!/usr/bin/env python
|
||||||
|
|
||||||
EXAMPLES = '''
|
EXAMPLES = '''
|
||||||
# Generates a fastd key
|
# Generates a fastd key
|
||||||
@ -23,7 +23,7 @@ if __name__ == '__main__':
|
|||||||
# create file with restrictive permissions
|
# create file with restrictive permissions
|
||||||
with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
|
with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
|
||||||
# generate fastd secret
|
# generate fastd secret
|
||||||
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode()
|
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
|
||||||
handle.write('secret "%s";\n' % secret)
|
handle.write('secret "%s";\n' % secret)
|
||||||
|
|
||||||
changed = True
|
changed = True
|
||||||
|
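Review bot: Dropping `.decode()` on the `secret = subprocess.check_output(...)` line while changing the shebang to an unversioned `python` makes the module's output depend on which interpreter `python` resolves to: under Python 3, `check_output` returns bytes, `.strip()` keeps them bytes, and the `handle.write('secret "%s";\n' % secret)` line writes the literal `b'...'` wrapper into the fastd config, silently producing an unusable key file while still reporting `changed = True`. A form that behaves the same on both interpreters is `secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"], universal_newlines=True).strip()`, which yields `str` on 2.7 and 3.x alike; if Python 2 is the intended target, an explicit `python2` shebang would at least make the assumption visible. The enclosing `__main__` block starts outside the hunk.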
@ -1,7 +1,7 @@
|
|||||||
// Unattended-Upgrade::Origins-Pattern controls which packages are
|
// Unattended-Upgrade::Origins-Pattern controls which packages are
|
||||||
// upgraded.
|
// upgraded.
|
||||||
//
|
//
|
||||||
// Lines below have the format "keyword=value,...". A
|
// Lines below have the format format is "keyword=value,...". A
|
||||||
// package will be upgraded only if the values in its metadata match
|
// package will be upgraded only if the values in its metadata match
|
||||||
// all the supplied keywords in a line. (In other words, omitted
|
// all the supplied keywords in a line. (In other words, omitted
|
||||||
// keywords are wild cards.) The keywords originate from the Release
|
// keywords are wild cards.) The keywords originate from the Release
|
||||||
@ -19,73 +19,50 @@
|
|||||||
// Within lines unattended-upgrades allows 2 macros whose values are
|
// Within lines unattended-upgrades allows 2 macros whose values are
|
||||||
// derived from /etc/debian_version:
|
// derived from /etc/debian_version:
|
||||||
// ${distro_id} Installed origin.
|
// ${distro_id} Installed origin.
|
||||||
// ${distro_codename} Installed codename (eg, "buster")
|
// ${distro_codename} Installed codename (eg, "jessie")
|
||||||
Unattended-Upgrade::Origins-Pattern {
|
Unattended-Upgrade::Origins-Pattern {
|
||||||
// Codename based matching:
|
// Codename based matching:
|
||||||
// This will follow the migration of a release through different
|
// This will follow the migration of a release through different
|
||||||
// archives (e.g. from testing to stable and later oldstable).
|
// archives (e.g. from testing to stable and later oldstable).
|
||||||
// Software will be the latest available for the named release,
|
// "o=Debian,n=jessie";
|
||||||
// but the Debian release itself will not be automatically upgraded.
|
// "o=Debian,n=jessie-updates";
|
||||||
"origin=Debian,codename=${distro_codename}-updates";
|
// "o=Debian,n=jessie-proposed-updates";
|
||||||
// "origin=Debian,codename=${distro_codename}-proposed-updates";
|
// "o=Debian,n=jessie,l=Debian-Security";
|
||||||
"origin=Debian,codename=${distro_codename},label=Debian";
|
|
||||||
"origin=Debian,codename=${distro_codename},label=Debian-Security";
|
|
||||||
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
|
|
||||||
|
|
||||||
// Archive or Suite based matching:
|
// Archive or Suite based matching:
|
||||||
// Note that this will silently match a different release after
|
// Note that this will silently match a different release after
|
||||||
// migration to the specified archive (e.g. testing becomes the
|
// migration to the specified archive (e.g. testing becomes the
|
||||||
// new stable).
|
// new stable).
|
||||||
// "o=Debian,a=stable";
|
"origin=Debian,codename=${distro_codename}";
|
||||||
// "o=Debian,a=stable-updates";
|
"origin=Debian,codename=${distro_codename}-updates";
|
||||||
// "o=Debian,a=proposed-updates";
|
"origin=Debian,codename=${distro_codename}-proposed-updates";
|
||||||
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
|
"origin=Debian,codename=${distro_codename},label=Debian-Security";
|
||||||
};
|
};
|
||||||
|
|
||||||
// Python regular expressions, matching packages to exclude from upgrading
|
// List of packages to not update (regexp are supported)
|
||||||
Unattended-Upgrade::Package-Blacklist {
|
Unattended-Upgrade::Package-Blacklist {
|
||||||
// The following matches all packages starting with linux-
|
// "vim";
|
||||||
// "linux-";
|
// "libc6";
|
||||||
|
// "libc6-dev";
|
||||||
// Use $ to explicitely define the end of a package name. Without
|
// "libc6-i686";
|
||||||
// the $, "libc6" would match all of them.
|
|
||||||
// "libc6$";
|
|
||||||
// "libc6-dev$";
|
|
||||||
// "libc6-i686$";
|
|
||||||
|
|
||||||
// Special characters need escaping
|
|
||||||
// "libstdc\+\+6$";
|
|
||||||
|
|
||||||
// The following matches packages like xen-system-amd64, xen-utils-4.1,
|
|
||||||
// xenstore-utils and libxenstore3.0
|
|
||||||
// "(lib)?xen(store)?";
|
|
||||||
|
|
||||||
// For more information about Python regular expressions, see
|
|
||||||
// https://docs.python.org/3/howto/regex.html
|
|
||||||
};
|
};
|
||||||
|
|
||||||
// This option allows you to control if on a unclean dpkg exit
|
// This option allows you to control if on a unclean dpkg exit
|
||||||
// unattended-upgrades will automatically run
|
// unattended-upgrades will automatically run
|
||||||
// dpkg --force-confold --configure -a
|
// dpkg --force-confold --configure -a
|
||||||
// The default is true, to ensure updates keep getting installed
|
// The default is true, to ensure updates keep getting installed
|
||||||
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
||||||
|
|
||||||
// Split the upgrade into the smallest possible chunks so that
|
// Split the upgrade into the smallest possible chunks so that
|
||||||
// they can be interrupted with SIGTERM. This makes the upgrade
|
// they can be interrupted with SIGUSR1. This makes the upgrade
|
||||||
// a bit slower but it has the benefit that shutdown while a upgrade
|
// a bit slower but it has the benefit that shutdown while a upgrade
|
||||||
// is running is possible (with a small delay)
|
// is running is possible (with a small delay)
|
||||||
//Unattended-Upgrade::MinimalSteps "true";
|
Unattended-Upgrade::MinimalSteps "true";
|
||||||
|
|
||||||
// Install all updates when the machine is shutting down
|
// Install all unattended-upgrades when the machine is shuting down
|
||||||
// instead of doing it in the background while the machine is running.
|
// instead of doing it in the background while the machine is running
|
||||||
// This will (obviously) make shutdown slower.
|
// This will (obviously) make shutdown slower
|
||||||
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
|
Unattended-Upgrade::InstallOnShutdown "false";
|
||||||
// This allows more time for unattended-upgrades to shut down gracefully
|
|
||||||
// or even install a few packages in InstallOnShutdown mode, but is still a
|
|
||||||
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
|
|
||||||
// Users enabling InstallOnShutdown mode are advised to increase
|
|
||||||
// InhibitDelayMaxSec even further, possibly to 30 minutes.
|
|
||||||
//Unattended-Upgrade::InstallOnShutdown "false";
|
|
||||||
|
|
||||||
// Send email to this address for problems or packages upgrades
|
// Send email to this address for problems or packages upgrades
|
||||||
// If empty or unset then no email is sent, make sure that you
|
// If empty or unset then no email is sent, make sure that you
|
||||||
@ -93,20 +70,11 @@ Unattended-Upgrade::Package-Blacklist {
|
|||||||
// 'mailx' must be installed. E.g. "user@example.com"
|
// 'mailx' must be installed. E.g. "user@example.com"
|
||||||
Unattended-Upgrade::Mail "root";
|
Unattended-Upgrade::Mail "root";
|
||||||
|
|
||||||
// Set this value to one of:
|
// Set this value to "true" to get emails only on errors. Default
|
||||||
// "always", "only-on-error" or "on-change"
|
// is to always send a mail if Unattended-Upgrade::Mail is set
|
||||||
// If this is not set, then any legacy MailOnlyOnError (boolean) value
|
Unattended-Upgrade::MailOnlyOnError "true";
|
||||||
// is used to chose between "only-on-error" and "on-change"
|
|
||||||
Unattended-Upgrade::MailReport "only-on-error";
|
|
||||||
|
|
||||||
// Remove unused automatically installed kernel-related packages
|
// Do automatic removal of new unused dependencies after the upgrade
|
||||||
// (kernel images, kernel headers and kernel version locked tools).
|
|
||||||
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
|
||||||
|
|
||||||
// Do automatic removal of newly unused dependencies after the upgrade
|
|
||||||
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
|
|
||||||
|
|
||||||
// Do automatic removal of unused packages after the upgrade
|
|
||||||
// (equivalent to apt-get autoremove)
|
// (equivalent to apt-get autoremove)
|
||||||
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
||||||
|
|
||||||
@ -114,8 +82,7 @@ Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
|||||||
// the file /var/run/reboot-required is found after the upgrade
|
// the file /var/run/reboot-required is found after the upgrade
|
||||||
Unattended-Upgrade::Automatic-Reboot "false";
|
Unattended-Upgrade::Automatic-Reboot "false";
|
||||||
|
|
||||||
// Automatically reboot even if there are users currently logged in
|
// Automatically reboot even if there are users currently logged in.
|
||||||
// when Unattended-Upgrade::Automatic-Reboot is set to true
|
|
||||||
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
|
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
|
||||||
|
|
||||||
// If automatic reboot is enabled and needed, reboot at the specific
|
// If automatic reboot is enabled and needed, reboot at the specific
|
||||||
@ -125,40 +92,10 @@ Unattended-Upgrade::Automatic-Reboot "false";
|
|||||||
|
|
||||||
// Use apt bandwidth limit feature, this example limits the download
|
// Use apt bandwidth limit feature, this example limits the download
|
||||||
// speed to 70kb/sec
|
// speed to 70kb/sec
|
||||||
//Acquire::http::Dl-Limit "70";
|
Acquire::http::Dl-Limit "200";
|
||||||
|
|
||||||
// Enable logging to syslog. Default is False
|
// Enable logging to syslog. Default is False
|
||||||
// Unattended-Upgrade::SyslogEnable "false";
|
// Unattended-Upgrade::SyslogEnable "false";
|
||||||
|
|
||||||
// Specify syslog facility. Default is daemon
|
// Specify syslog facility. Default is daemon
|
||||||
// Unattended-Upgrade::SyslogFacility "daemon";
|
// Unattended-Upgrade::SyslogFacility "daemon";
|
||||||
|
|
||||||
// Download and install upgrades only on AC power
|
|
||||||
// (i.e. skip or gracefully stop updates on battery)
|
|
||||||
// Unattended-Upgrade::OnlyOnACPower "true";
|
|
||||||
|
|
||||||
// Download and install upgrades only on non-metered connection
|
|
||||||
// (i.e. skip or gracefully stop updates on a metered connection)
|
|
||||||
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
|
|
||||||
|
|
||||||
// Verbose logging
|
|
||||||
// Unattended-Upgrade::Verbose "false";
|
|
||||||
|
|
||||||
// Print debugging information both in unattended-upgrades and
|
|
||||||
// in unattended-upgrade-shutdown
|
|
||||||
// Unattended-Upgrade::Debug "false";
|
|
||||||
|
|
||||||
// Allow package downgrade if Pin-Priority exceeds 1000
|
|
||||||
// Unattended-Upgrade::Allow-downgrade "false";
|
|
||||||
|
|
||||||
// When APT fails to mark a package to be upgraded or installed try adjusting
|
|
||||||
// candidates of related packages to help APT's resolver in finding a solution
|
|
||||||
// where the package can be upgraded or installed.
|
|
||||||
// This is a workaround until APT's resolver is fixed to always find a
|
|
||||||
// solution if it exists. (See Debian bug #711128.)
|
|
||||||
// The fallback is enabled by default, except on Debian's sid release because
|
|
||||||
// uninstallable packages are frequent there.
|
|
||||||
// Disabling the fallback speeds up unattended-upgrades when there are
|
|
||||||
// uninstallable packages at the expense of rarely keeping back packages which
|
|
||||||
// could be upgraded or installed.
|
|
||||||
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
|
|
||||||
|
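Review bot: The Origins-Pattern block on the new side enables automatic installation from `"origin=Debian,codename=${distro_codename}-proposed-updates";`, which pulls packages that have not yet been accepted into a point release onto production gateways without review; the old side keeps that pattern commented out, and I would keep it commented here too or justify it with a comment above the line. The new side also drops the `"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";` pattern, so if these hosts ever run a release whose security suite is published under the `<codename>-security` codename rather than the plain codename, security fixes would no longer be auto-installed; keeping both variants costs nothing. Further down, the commented blacklist examples (`// "libc6";`) lack the `$` anchoring the old side shows, so if one is ever uncommented it matches every package whose name starts with that prefix — carry the `// "libc6$";` form instead.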
@ -8,7 +8,6 @@
|
|||||||
name:
|
name:
|
||||||
- apt-transport-https
|
- apt-transport-https
|
||||||
- debian-goodies
|
- debian-goodies
|
||||||
- gnupg2
|
|
||||||
- lsof
|
- lsof
|
||||||
- unattended-upgrades
|
- unattended-upgrades
|
||||||
|
|
||||||
|
@ -8,4 +8,4 @@
|
|||||||
- { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
|
- { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
|
||||||
- { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
|
- { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
|
||||||
- { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
|
- { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
|
||||||
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 32768 }
|
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 8192 }
|
File diff suppressed because it is too large
@ -1,39 +1,38 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: Install misc software
|
- name: Install misc software
|
||||||
apt:
|
apt: name={{ item }}
|
||||||
name:
|
with_items:
|
||||||
- ca-certificates
|
- dnsutils
|
||||||
- dnsutils
|
- git
|
||||||
- git
|
- htop
|
||||||
- htop
|
- less
|
||||||
- less
|
- mtr-tiny
|
||||||
- mtr-tiny
|
- net-tools
|
||||||
- net-tools
|
- openssl
|
||||||
- openssl
|
- psmisc
|
||||||
- psmisc
|
- pydf
|
||||||
- pydf
|
- rsync
|
||||||
- rsync
|
- sudo
|
||||||
- sudo
|
- vim-nox
|
||||||
- vim-nox
|
- zsh
|
||||||
- zsh
|
- fail2ban
|
||||||
- fail2ban
|
|
||||||
|
|
||||||
- name: Install software on KVM VMs
|
- name: Install software on KVM VMs
|
||||||
apt:
|
apt: name={{ item }}
|
||||||
name:
|
with_items:
|
||||||
- acpid
|
- acpid
|
||||||
- qemu-guest-agent
|
- qemu-guest-agent
|
||||||
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
|
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
|
||||||
|
|
||||||
- name: Configure misc software
|
- name: Configure misc software
|
||||||
copy: src={{ item.src }} dest={{ item.dest }}
|
copy: src={{ item.src }} dest={{ item.dest }}
|
||||||
diff: no
|
diff: no
|
||||||
with_items:
|
with_items:
|
||||||
- { src: ".zshrc", dest: "/root/.zshrc" }
|
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||||
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||||
- { src: "motd", dest: "/etc/motd" }
|
- { src: 'motd', dest: '/etc/motd' }
|
||||||
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
|
||||||
|
|
||||||
- name: Set shell for root user
|
- name: Set shell for root user
|
||||||
user: name=root shell=/bin/zsh
|
user: name=root shell=/bin/zsh
|
||||||
@ -52,8 +51,8 @@
|
|||||||
- name: Prevent normal users from running su
|
- name: Prevent normal users from running su
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/pam.d/su
|
path: /etc/pam.d/su
|
||||||
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
|
regexp: '^.*auth\s+required\s+pam_wheel.so$'
|
||||||
line: "auth required pam_wheel.so"
|
line: 'auth required pam_wheel.so'
|
||||||
|
|
||||||
- name: Configure journald retention
|
- name: Configure journald retention
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
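Review bot: `apt: name={{ item }}` with `with_items:` (both install tasks at the top of the file) runs one apt transaction per package, so a failure part-way leaves the host with an unpredictable subset of the list that later tasks in this role presumably rely on (`sudo`, `fail2ban`), and it is also the form current Ansible warns about; the old side's `apt:` with `name:` taking the list installs everything in a single transaction and is the recommended style. The same applies to the KVM guest task below it. The `copy`, `user` and `lineinfile` tasks further down differ only in quoting.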
@ -2,5 +2,5 @@
|
|||||||
|
|
||||||
dhcpd_interfaces: br-{{ site_code }}
|
dhcpd_interfaces: br-{{ site_code }}
|
||||||
dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
|
dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
|
||||||
dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
|
dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
|
||||||
name_server: "{{ batman_ipv4 | ipaddr('address') }}"
|
name_server: "{{ batman_ipv4 | ipaddr('address') }}"
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
# option definitions common to all supported networks...
|
# option definitions common to all supported networks...
|
||||||
option domain-name "{{ site_domain }}";
|
option domain-name "{{ site_domain }}";
|
||||||
option domain-name-servers {{ nextnode4 }}, {{ name_server }};
|
option domain-name-servers {{nextnode4}}, {{ name_server }};
|
||||||
|
|
||||||
local-address {{ batman_ipv4 | ipaddr('address') }};
|
local-address {{ batman_ipv4 | ipaddr('address') }};
|
||||||
|
|
||||||
|
@ -1,13 +1,7 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: Run acertmgr
|
|
||||||
command: /usr/bin/acertmgr
|
|
||||||
|
|
||||||
- name: Restart powerdns
|
- name: Restart powerdns
|
||||||
service: name={{ item }} state=restarted
|
service: name={{ item }} state=restarted
|
||||||
with_items:
|
with_items:
|
||||||
- pdns
|
- pdns
|
||||||
- pdns-recursor
|
- pdns-recursor
|
||||||
|
|
||||||
- name: Restart dnsdist
|
|
||||||
service: name=dnsdist state=restarted
|
|
28
roles/dns/tasks/main.yml
Normal file
28
roles/dns/tasks/main.yml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Install powerdns
|
||||||
|
apt: name={{ item }}
|
||||||
|
with_items:
|
||||||
|
- pdns-backend-bind
|
||||||
|
- pdns-recursor
|
||||||
|
- pdns-server
|
||||||
|
|
||||||
|
- name: Create zone directory
|
||||||
|
file: path=/etc/powerdns/bind/ state=directory
|
||||||
|
|
||||||
|
- name: Configure powerdns
|
||||||
|
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
|
||||||
|
tags: dns
|
||||||
|
notify: Restart powerdns
|
||||||
|
with_items:
|
||||||
|
- bind/ffrgb.zone
|
||||||
|
- bind/90.10.in-addr.arpa.zone
|
||||||
|
- bindbackend.conf
|
||||||
|
- pdns.conf
|
||||||
|
- recursor.conf
|
||||||
|
|
||||||
|
- name: Start the powerdns services
|
||||||
|
service: name={{ item }} state=started enabled=yes
|
||||||
|
with_items:
|
||||||
|
- pdns
|
||||||
|
- pdns-recursor
|
@ -12,6 +12,12 @@ launch=bind
|
|||||||
# local-address=0.0.0.0
|
# local-address=0.0.0.0
|
||||||
local-address=127.0.0.1
|
local-address=127.0.0.1
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# local-ipv6 Local IP address to which we bind
|
||||||
|
#
|
||||||
|
# local-ipv6=::
|
||||||
|
local-ipv6=
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-port The port on which we listen
|
# local-port The port on which we listen
|
||||||
#
|
#
|
@ -16,15 +16,21 @@ config-dir=/etc/powerdns
|
|||||||
# dnssec=process-no-validate
|
# dnssec=process-no-validate
|
||||||
dnssec=off
|
dnssec=off
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
|
||||||
|
#
|
||||||
|
# forward-zones=
|
||||||
|
forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||||
#
|
#
|
||||||
local-address=127.0.0.1
|
local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-port port to listen on
|
# local-port port to listen on
|
||||||
#
|
#
|
||||||
local-port=5353
|
local-port=53
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
|
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
|
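Review bot: The recursor now listens on the mesh-facing addresses on port 53 (`local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}` and `local-port=53`), but nothing in this hunk restricts which clients may recurse; `allow-from` lives earlier in the file, outside the hunk, and should be checked to cover exactly the mesh prefixes (the batman_ipv4/batman_ipv6 networks) rather than the default loopback-only value or an open range, since a recursor reachable from the mesh without that limit is an amplification and abuse vector. The `forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300` line assumes the authoritative server listens on 5300; the pdns.conf hunk in this compare shows only `local-address=127.0.0.1` and an empty `local-ipv6=`, not its `local-port`, so confirm that port or the site zone resolves to SERVFAIL. `dnssec=off` is unchanged context, but it disables validation entirely; `process-no-validate` keeps the upstream default, and `validate` would actually protect mesh clients from spoofed answers.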
@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: Restart powerdns
|
|
||||||
service: name=pdns state=restarted
|
|
@ -1,22 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: Install powerdns
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- pdns-server
|
|
||||||
- pdns-backend-sqlite3
|
|
||||||
- sqlite3
|
|
||||||
|
|
||||||
- name: Configure powerdns
|
|
||||||
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
|
|
||||||
notify: Restart powerdns
|
|
||||||
|
|
||||||
- name: Initialize database
|
|
||||||
command:
|
|
||||||
cmd: >
|
|
||||||
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
|
||||||
/var/lib/powerdns/powerdns.sqlite3
|
|
||||||
creates: /var/lib/powerdns/powerdns.sqlite3
|
|
||||||
|
|
||||||
- name: Start the powerdns services
|
|
||||||
service: name=pdns state=started enabled=yes
|
|
@ -1,35 +0,0 @@
|
|||||||
#################################
|
|
||||||
# allow-axfr-ips Allow zonetransfers only to these subnets
|
|
||||||
#
|
|
||||||
# allow-axfr-ips=127.0.0.0/8,::1
|
|
||||||
allow-axfr-ips=127.0.0.1,::1,{{ dns_slaves | join(',') }}
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# dname-processing If we should support DNAME records
|
|
||||||
#
|
|
||||||
# dname-processing=no
|
|
||||||
dname-processing=yes
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# launch Which backends to launch and order to query them in
|
|
||||||
#
|
|
||||||
# launch=
|
|
||||||
launch=gsqlite3
|
|
||||||
|
|
||||||
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# master Act as a master
|
|
||||||
#
|
|
||||||
# master=no
|
|
||||||
master=yes
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
|
|
||||||
#
|
|
||||||
# only-notify=0.0.0.0/0,::/0
|
|
||||||
only-notify=
|
|
||||||
|
|
||||||
# security-poll-suffix Domain name from which to query security update notifications
|
|
||||||
#
|
|
||||||
security-poll-suffix=
|
|
@ -1,10 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: Run acertmgr
|
|
||||||
command: /usr/bin/acertmgr
|
|
||||||
|
|
||||||
- name: Restart powerdns
|
|
||||||
service: name=pdns-recursor state=restarted
|
|
||||||
|
|
||||||
- name: Restart dnsdist
|
|
||||||
service: name=dnsdist state=restarted
|
|
@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
dependencies:
|
|
||||||
- { role: acertmgr }
|
|
@ -1,35 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: Install powerdns
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- dnsdist
|
|
||||||
- pdns-recursor
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command:
|
|
||||||
cmd: >
|
|
||||||
openssl req -x509 -nodes -newkey rsa:2048
|
|
||||||
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
|
|
||||||
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
|
|
||||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
|
||||||
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
|
||||||
notify: Restart dnsdist
|
|
||||||
|
|
||||||
- name: Configure certificate manager
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Configure powerdns
|
|
||||||
template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
|
|
||||||
notify: Restart powerdns
|
|
||||||
|
|
||||||
- name: Configure dnsdist
|
|
||||||
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
|
||||||
notify: Restart dnsdist
|
|
||||||
|
|
||||||
- name: Start the dns services
|
|
||||||
service: name={{ item }} state=started enabled=yes
|
|
||||||
with_items:
|
|
||||||
- dnsdist
|
|
||||||
- pdns-recursor
|
|
@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
{{ ansible_fqdn }}:
|
|
||||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
|
||||||
user: _dnsdist
|
|
||||||
group: _dnsdist
|
|
||||||
perm: '400'
|
|
||||||
format: crt,ca
|
|
||||||
action: '/usr/sbin/service dnsdist restart'
|
|
||||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
|
|
||||||
user: _dnsdist
|
|
||||||
group: _dnsdist
|
|
||||||
perm: '400'
|
|
||||||
format: key
|
|
||||||
action: '/usr/sbin/service dnsdist restart'
|
|
@ -1,24 +0,0 @@
|
|||||||
-- {{ ansible_managed }}
|
|
||||||
|
|
||||||
setLocal('127.0.0.1')
|
|
||||||
addLocal('::1')
|
|
||||||
addLocal('{{ ansible_default_ipv4.address }}')
|
|
||||||
addLocal('{{ ansible_default_ipv6.address }}')
|
|
||||||
|
|
||||||
setACL({'0.0.0.0/0', '::/0'})
|
|
||||||
|
|
||||||
addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
|
|
||||||
|
|
||||||
newServer({address='127.0.0.1:5353', name='localhost'})
|
|
||||||
|
|
||||||
addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
|
||||||
addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
|
||||||
|
|
||||||
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
|
|
||||||
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
|
|
||||||
|
|
||||||
-- HTTP Endpoint for Prometheus
|
|
||||||
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
|
|
||||||
|
|
||||||
-- disable security status polling via DNS
|
|
||||||
setSecurityPollSuffix('')
|
|
@ -1,47 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: Install powerdns
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- dnsdist
|
|
||||||
- pdns-backend-bind
|
|
||||||
- pdns-recursor
|
|
||||||
- pdns-server
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command:
|
|
||||||
cmd: >
|
|
||||||
openssl req -x509 -nodes -newkey rsa:2048
|
|
||||||
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
|
|
||||||
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
|
|
||||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
|
||||||
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
|
||||||
notify: Restart dnsdist
|
|
||||||
|
|
||||||
- name: Configure certificate manager
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Create zone directory
|
|
||||||
file: path=/etc/powerdns/bind/ state=directory
|
|
||||||
|
|
||||||
- name: Configure powerdns
|
|
||||||
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
|
|
||||||
notify: Restart powerdns
|
|
||||||
with_items:
|
|
||||||
- bind/ffrgb.zone
|
|
||||||
- bind/90.10.in-addr.arpa.zone
|
|
||||||
- bindbackend.conf
|
|
||||||
- pdns.conf
|
|
||||||
- recursor.conf
|
|
||||||
|
|
||||||
- name: Configure dnsdist
|
|
||||||
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
|
||||||
notify: Restart dnsdist
|
|
||||||
|
|
||||||
- name: Start the dns services
|
|
||||||
service: name={{ item }} state=started enabled=yes
|
|
||||||
with_items:
|
|
||||||
- dnsdist
|
|
||||||
- pdns
|
|
||||||
- pdns-recursor
|
|
@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
{{ ansible_fqdn }}:
|
|
||||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
|
||||||
user: _dnsdist
|
|
||||||
group: _dnsdist
|
|
||||||
perm: '400'
|
|
||||||
format: crt,ca
|
|
||||||
action: '/usr/sbin/service dnsdist restart'
|
|
||||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
|
|
||||||
user: _dnsdist
|
|
||||||
group: _dnsdist
|
|
||||||
perm: '400'
|
|
||||||
format: key
|
|
||||||
action: '/usr/sbin/service dnsdist restart'
|
|
@ -1,20 +0,0 @@
|
|||||||
-- {{ ansible_managed }}
|
|
||||||
|
|
||||||
setLocal('127.0.0.1')
|
|
||||||
addLocal('::1')
|
|
||||||
addLocal('{{ batman_ipv4 | ipaddr('address') }}')
|
|
||||||
addLocal('{{ batman_ipv6 | ipaddr('address') }}')
|
|
||||||
|
|
||||||
newServer({address='127.0.0.1:5353', name='localhost'})
|
|
||||||
|
|
||||||
addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
|
||||||
addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
|
||||||
|
|
||||||
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
|
|
||||||
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
|
|
||||||
|
|
||||||
-- HTTP Endpoint for Prometheus
|
|
||||||
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
|
|
||||||
|
|
||||||
-- disable security status polling via DNS
|
|
||||||
setSecurityPollSuffix('')
|
|
@ -1,54 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# allow-from If set, only allow these comma separated netmasks to recurse
|
|
||||||
#
|
|
||||||
#allow-from=127.0.0.0/8
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# config-dir Location of configuration directory (recursor.conf)
|
|
||||||
#
|
|
||||||
config-dir=/etc/powerdns
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
|
||||||
#
|
|
||||||
# dnssec=process-no-validate
|
|
||||||
dnssec=off
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
|
|
||||||
#
|
|
||||||
# forward-zones=
|
|
||||||
forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
|
||||||
#
|
|
||||||
local-address=127.0.0.1
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# local-port port to listen on
|
|
||||||
#
|
|
||||||
local-port=5353
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# quiet Suppress logging of questions and answers
|
|
||||||
#
|
|
||||||
quiet=yes
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# security-poll-suffix Domain name from which to query security update notifications
|
|
||||||
#
|
|
||||||
# security-poll-suffix=secpoll.powerdns.com.
|
|
||||||
security-poll-suffix=
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# setgid If set, change group id to this gid for more security
|
|
||||||
#
|
|
||||||
setgid=pdns
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# setuid If set, change user id to this uid for more security
|
|
||||||
#
|
|
||||||
setuid=pdns
|
|
@ -1,10 +1,17 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Enable docker apt-key
|
||||||
|
apt_key: url='https://download.docker.com/linux/debian/gpg'
|
||||||
|
|
||||||
|
- name: Enable docker repository
|
||||||
|
apt_repository:
|
||||||
|
repo: 'deb https://download.docker.com/linux/debian buster stable'
|
||||||
|
filename: docker
|
||||||
|
|
||||||
- name: Install docker
|
- name: Install docker
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- docker.io
|
- docker-ce
|
||||||
- python3-docker
|
- docker-ce-cli
|
||||||
|
- containerd.io
|
||||||
- name: Enable docker
|
- python-docker
|
||||||
service: name=docker state=started enabled=yes
|
|
||||||
|
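Review bot: The new `apt_key: url='https://download.docker.com/linux/debian/gpg'` task imports the key into the system-wide apt keyring without pinning its fingerprint, so whatever key is served at that URL becomes trusted for every repository on the host; the grafana section's `apt_key: url='https://packages.grafana.com/gpg.key'` has the same gap. Passing the expected fingerprint, `apt_key: url='https://download.docker.com/linux/debian/gpg' id=<DOCKER_GPG_FINGERPRINT>` (placeholder), makes the task fail on a mismatch, or download the key into a dedicated keyring and reference it from the repository line with `[signed-by=...]` as the left-hand side does. Separately, the `- name: Enable docker` / `service: name=docker state=started enabled=yes` task exists only on the old side, so nothing in the role now guarantees the daemon is running and enabled at boot; if that is meant to rely on the package's postinst, a comment saying so would help.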
4
roles/exit-ip/defaults/main.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
conntrack_max: 131072
|
||||||
|
fastd_instances: 3
|
@ -4,14 +4,12 @@
|
|||||||
:INPUT ACCEPT [1:136]
|
:INPUT ACCEPT [1:136]
|
||||||
:OUTPUT ACCEPT [2:472]
|
:OUTPUT ACCEPT [2:472]
|
||||||
:POSTROUTING ACCEPT [0:0]
|
:POSTROUTING ACCEPT [0:0]
|
||||||
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }}
|
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
|
||||||
COMMIT
|
COMMIT
|
||||||
*filter
|
*filter
|
||||||
:INPUT ACCEPT [1124:131621]
|
:INPUT ACCEPT [1124:131621]
|
||||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
|
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
|
||||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
|
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
|
||||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
|
|
||||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
|
|
||||||
:FORWARD ACCEPT [0:0]
|
:FORWARD ACCEPT [0:0]
|
||||||
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||||
:OUTPUT ACCEPT [1151:175226]
|
:OUTPUT ACCEPT [1151:175226]
|
@ -1,13 +1,9 @@
|
|||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
*filter
|
*filter
|
||||||
:INPUT ACCEPT [0:0]
|
:INPUT ACCEPT [0:0]
|
||||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
|
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
|
||||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
|
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
|
||||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
|
|
||||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
|
|
||||||
:FORWARD ACCEPT [0:0]
|
:FORWARD ACCEPT [0:0]
|
||||||
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||||
:OUTPUT ACCEPT [0:0]
|
:OUTPUT ACCEPT [0:0]
|
||||||
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -m limit --limit 200/sec -j ACCEPT
|
|
||||||
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -j DROP
|
|
||||||
COMMIT
|
COMMIT
|
@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
conntrack_max: 131072
|
|
||||||
fastd_instances: 3
|
|
||||||
nat_pool: "{{ ansible_default_ipv4.address }}"
|
|
@ -11,6 +11,7 @@ interface "vpn-{{ site_code }}{{ item }}";
|
|||||||
|
|
||||||
method "null";
|
method "null";
|
||||||
method "salsa2012+umac";
|
method "salsa2012+umac";
|
||||||
|
method "xsalsa20-poly1305";
|
||||||
|
|
||||||
secure handshakes yes;
|
secure handshakes yes;
|
||||||
|
|
||||||
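Review bot: The added `method "xsalsa20-poly1305";` comes after `method "null";` and `method "salsa2012+umac";`; if fastd picks the first mutually supported method in list order as its documentation describes, the unencrypted null method remains the preferred one and the new line only matters for peers that offer neither of the first two. That reads like a deliberate compatibility fallback for older clients, but nothing on the page records it; a comment above the line such as `# legacy fallback for clients without salsa2012+umac; null stays preferred` would capture the intent. The interface stanza this belongs to begins before the hunk.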
|
7
roles/git/tasks/main.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Install git
|
||||||
|
apt: name=git
|
||||||
|
|
||||||
|
- name: Install ca-certificates
|
||||||
|
apt: name=ca-certificates
|
@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
grafana_rendering: False
|
|
@ -1,38 +1,10 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: Retrieve Grafana Key and avoid apt_key
|
- name: Enable grafana apt-key
|
||||||
block:
|
apt_key: url='https://packages.grafana.com/gpg.key'
|
||||||
- name: grafana |no apt key
|
|
||||||
ansible.builtin.get_url:
|
|
||||||
url: https://apt.grafana.com/gpg.key
|
|
||||||
dest: /usr/share/keyrings/grafana.key
|
|
||||||
|
|
||||||
- name: Enable grafana repository
|
- name: Enable grafana repository
|
||||||
apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
|
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
|
||||||
|
|
||||||
- name: Install grafana
|
- name: Install grafana
|
||||||
apt: name=grafana
|
apt: name=grafana
|
||||||
|
|
||||||
- name: Install grafana rendering dependencies
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- libxdamage1
|
|
||||||
- libxext6
|
|
||||||
- libxi6
|
|
||||||
- libxtst6
|
|
||||||
- libnss3
|
|
||||||
- libnss3
|
|
||||||
- libcups2
|
|
||||||
- libxss1
|
|
||||||
- libxrandr2
|
|
||||||
- libasound2
|
|
||||||
- libatk1.0-0
|
|
||||||
- libatk-bridge2.0-0
|
|
||||||
- libpangocairo-1.0-0
|
|
||||||
- libpango-1.0-0
|
|
||||||
- libcairo2
|
|
||||||
- libatspi2.0-0
|
|
||||||
- libgtk3.0-cil
|
|
||||||
- libgdk3.0-cil
|
|
||||||
- libx11-xcb-dev
|
|
||||||
when: grafana_rendering
|
|
||||||
|
@ -1,23 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: Import Influxdb GPG siging key with store
|
|
||||||
ansible.builtin.get_url:
|
|
||||||
url: "https://repos.influxdata.com/influxdata-archive_compat.key"
|
|
||||||
dest: /etc/apt/trusted.gpg.d/influxdb.key
|
|
||||||
checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
|
|
||||||
|
|
||||||
- name: Convert key
|
|
||||||
ansible.builtin.command:
|
|
||||||
argv:
|
|
||||||
- gpg
|
|
||||||
- --dearmor
|
|
||||||
- /etc/apt/trusted.gpg.d/influxdb.key
|
|
||||||
creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
|
|
||||||
|
|
||||||
- name: Enable InfluxDB repository
|
|
||||||
ansible.builtin.apt_repository:
|
|
||||||
repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Install influxdb
|
|
||||||
apt: name=influxdb
|
|
@ -1,9 +1,8 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Network initialization
|
Description=ifupdown2 networking initialization
|
||||||
Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
|
Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
|
||||||
DefaultDependencies=no
|
DefaultDependencies=no
|
||||||
After=local-fs.target network-pre.target
|
Before=network.target shutdown.target network-online.target
|
||||||
Before=shutdown.target network.target network-online.target
|
|
||||||
Conflicts=shutdown.target
|
Conflicts=shutdown.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
@ -11,7 +10,6 @@ Type=oneshot
|
|||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
SyslogIdentifier=networking
|
SyslogIdentifier=networking
|
||||||
TimeoutStopSec=30s
|
TimeoutStopSec=30s
|
||||||
EnvironmentFile=/etc/default/networking
|
|
||||||
ExecStart=/usr/share/ifupdown2/sbin/start-networking start
|
ExecStart=/usr/share/ifupdown2/sbin/start-networking start
|
||||||
ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
|
ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
|
||||||
ExecReload=/usr/share/ifupdown2/sbin/start-networking reload
|
ExecReload=/usr/share/ifupdown2/sbin/start-networking reload
|
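Review bot: The new `[Unit]` section drops `After=local-fs.target network-pre.target` while keeping `DefaultDependencies=no`; with default dependencies disabled there is no implicit ordering, so the unit may now start before local filesystems holding the interface configuration are guaranteed available and before units that order themselves `Before=network-pre.target` (firewall rule loaders commonly do) have finished, meaning interfaces can come up ahead of the filter rules. Keep `After=local-fs.target network-pre.target` next to the `Before=` line. In the second hunk `EnvironmentFile=/etc/default/networking` is also removed; if `start-networking` reads settings from that file they are now silently ignored, which is worth confirming.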
@ -1,13 +1,10 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
apt:
|
apt: name=python-pkg-resources
|
||||||
name:
|
|
||||||
- bridge-utils
|
|
||||||
|
|
||||||
# work-around to get a version new enough not to screw up forwarding setting on all interfaces
|
|
||||||
- name: Install ifupdown2
|
- name: Install ifupdown2
|
||||||
apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb
|
apt: name=ifupdown2 state=latest
|
||||||
|
|
||||||
- name: Uninstall ifupdown
|
- name: Uninstall ifupdown
|
||||||
apt: name=ifupdown state=absent
|
apt: name=ifupdown state=absent
|
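Review bot: `apt: name=ifupdown2 state=latest` upgrades the package on every run in which a newer version is available, so a routine playbook run can replace the networking stack on a live gateway without a review step; `apt: name=ifupdown2 state=present` keeps upgrades deliberate, or pin the version explicitly. The old side carried a comment explaining why a specific version was needed (forwarding settings on all interfaces); a one-line `# requires ifupdown2 >= <MIN_VERSION> (forwarding handling)` comment with the actual minimum would preserve that rationale on the new side.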
@ -14,8 +14,6 @@ iface br-{{ site_code }}
|
|||||||
{% if global_ipv6 is defined %}
|
{% if global_ipv6 is defined %}
|
||||||
address {{ global_ipv6 }}
|
address {{ global_ipv6 }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
#
|
|
||||||
post-up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
|
|
||||||
|
|
||||||
# bat-{{ site_code }}
|
# bat-{{ site_code }}
|
||||||
auto bat-{{ site_code }}
|
auto bat-{{ site_code }}
|
||||||
@ -23,14 +21,18 @@ iface bat-{{ site_code }}
|
|||||||
hwaddress f2:00:90:00:{{ gateway_id }}:20
|
hwaddress f2:00:90:00:{{ gateway_id }}:20
|
||||||
mtu 1500
|
mtu 1500
|
||||||
#
|
#
|
||||||
|
batman-hop-penalty 5
|
||||||
batman-ifaces dmy-{{ site_code }}
|
batman-ifaces dmy-{{ site_code }}
|
||||||
batman-ifaces-ignore-regex .*_.*
|
batman-ifaces-ignore-regex .*_.*
|
||||||
batman-routing-algo {{ batman_algo }}
|
|
||||||
#
|
#
|
||||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} gw server
|
# TODO use batman-xyz instead of batctl
|
||||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} hp 5
|
# see /usr/share/ifupdown2/addons/batman_adv.py
|
||||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} it 5000
|
#
|
||||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} mff 1
|
up /usr/sbin/batctl -m bat-{{ site_code }} gw_mode server 100000 100000
|
||||||
|
up /usr/sbin/batctl -m bat-{{ site_code }} it 5000
|
||||||
|
up /usr/sbin/batctl -m bat-{{ site_code }} multicast_mode 0
|
||||||
|
up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}
|
||||||
|
up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
|
||||||
|
|
||||||
|
|
||||||
# dmy-{{ site_code }}
|
# dmy-{{ site_code }}
|
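Review bot: `up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}` runs after the interface already exists; batctl's routing-algorithm command selects the algorithm for interfaces created afterwards, so it does not change bat-{{ site_code }} itself, and the left side's `batman-routing-algo {{ batman_algo }}` addon option, applied at creation, is the effective way to set it. If `batman_algo` differs from the kernel default the mesh will silently run on the wrong algorithm. Also, `up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router` now sits in the bat-{{ site_code }} stanza; the `brport` directory only exists once the interface is enslaved to br-{{ site_code }}, so whether this line succeeds depends on the order ifupdown2 brings the two interfaces up — confirm, or keep it in the bridge stanza as before. The stanza begins before this hunk.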
@ -1 +0,0 @@
|
|||||||
OK
|
|
@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: Reload interfaces
|
|
||||||
command: /sbin/ifreload -a
|
|
@ -1,25 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: Install wireguard
|
|
||||||
apt: name=wireguard-tools
|
|
||||||
|
|
||||||
- name: Create wireguard config directory
|
|
||||||
file:
|
|
||||||
path: /etc/wireguard
|
|
||||||
state: directory
|
|
||||||
mode: 0700
|
|
||||||
|
|
||||||
- name: Configure wireguard options
|
|
||||||
template: src=wg.conf.j2 dest=/etc/wireguard/wg-{{ site_code }}.conf mode=0600
|
|
||||||
notify: Reload interfaces
|
|
||||||
|
|
||||||
- name: Configure mesh interfaces
|
|
||||||
template: src=mesh_wg.conf.j2 dest=/etc/network/interfaces.d/mesh_wg.conf
|
|
||||||
notify: Reload interfaces
|
|
||||||
|
|
||||||
- name: Install wgskex
|
|
||||||
apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
|
|
||||||
|
|
||||||
|
|
||||||
- name: Install ping endpoint
|
|
||||||
copy: src=ping dest=/var/www/html/ping
|
|
@ -1,21 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
# vx-{{ site_code }}
|
|
||||||
auto vx-{{ site_code }}
|
|
||||||
iface vx-{{ site_code }}
|
|
||||||
mtu 1350
|
|
||||||
vxlan-physdev wg-{{ site_code }}
|
|
||||||
pre-up ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
|
|
||||||
up ip link set vx-{{ site_code }} up
|
|
||||||
post-up batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
|
|
||||||
down ip link set vx-{{ site_code }} down
|
|
||||||
post-down ip -6 link del vx-{{ site_code }}
|
|
||||||
|
|
||||||
# wg-{{ site_code }}
|
|
||||||
auto wg-{{ site_code }}
|
|
||||||
iface wg-{{ site_code }}
|
|
||||||
address fe80::{{ gateway_id }}/128
|
|
||||||
ipv6-addrgen no
|
|
||||||
pre-up ip link add dev wg-{{ site_code }} type wireguard
|
|
||||||
pre-up wg setconf wg-{{ site_code }} /etc/wireguard/wg-{{ site_code }}.conf
|
|
||||||
post-up ip link set wg-{{ site_code }} mtu 1420
|
|
@ -1,3 +0,0 @@
|
|||||||
[Interface]
|
|
||||||
PrivateKey = {{ mesh_wg_privkey }}
|
|
||||||
ListenPort = {{ mesh_wg_port }}
|
|
@ -2,4 +2,4 @@
|
|||||||
|
|
||||||
netbox_group: netbox
|
netbox_group: netbox
|
||||||
netbox_user: netbox
|
netbox_user: netbox
|
||||||
netbox_version: 4.1.2
|
netbox_version: 2.8.7
|
||||||
|
@ -1,13 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: Run acertmgr
|
|
||||||
command: /usr/bin/acertmgr
|
|
||||||
|
|
||||||
- name: Reload systemd
|
|
||||||
systemd: daemon_reload=yes
|
|
||||||
|
|
||||||
- name: Restart netbox
|
|
||||||
service: name=netbox state=restarted
|
|
||||||
|
|
||||||
- name: Restart netbox-rq
|
|
||||||
service: name=netbox-rq state=restarted
|
|
@ -15,7 +15,7 @@
|
|||||||
- libssl-dev
|
- libssl-dev
|
||||||
- libxml2-dev
|
- libxml2-dev
|
||||||
- libxslt1-dev
|
- libxslt1-dev
|
||||||
- python3-setuptools
|
- python-setuptools
|
||||||
- python3-dev
|
- python3-dev
|
||||||
- python3-pip
|
- python3-pip
|
||||||
- python3-venv
|
- python3-venv
|
||||||
@ -25,128 +25,52 @@
|
|||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- postgresql
|
- postgresql
|
||||||
- python3-psycopg2
|
- python-psycopg2
|
||||||
|
|
||||||
- name: Configure PostgreSQL user
|
- name: Configure PostgreSQL database
|
||||||
postgresql_user:
|
postgresql_db: name={{ netbox_dbname }}
|
||||||
name: "{{ netbox_dbuser }}"
|
|
||||||
password: "{{ netbox_dbpass }}"
|
|
||||||
become: true
|
become: true
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
|
|
||||||
- name: Configure PostgreSQL database
|
- name: Configure PostgreSQL user
|
||||||
postgresql_db:
|
postgresql_user: db={{ netbox_dbname }} name={{ netbox_dbuser }} password={{ netbox_dbpass }} priv=ALL state=present
|
||||||
name: "{{ netbox_dbname }}"
|
|
||||||
owner: "{{ netbox_dbuser }}"
|
|
||||||
become: true
|
become: true
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
|
|
||||||
- name: Install redis
|
- name: Install redis
|
||||||
apt: name=redis-server
|
apt: name=redis-server
|
||||||
|
|
||||||
|
# TODO configure redis?
|
||||||
|
|
||||||
- name: Unpack netbox
|
- name: Unpack netbox
|
||||||
unarchive:
|
unarchive: src=https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz dest=/opt remote_src=yes creates=/opt/netbox-{{ netbox_version }}
|
||||||
src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
|
# TODO user/group/chown?
|
||||||
dest: /opt
|
|
||||||
remote_src: yes
|
|
||||||
creates: "/opt/netbox-{{ netbox_version }}"
|
|
||||||
register: netbox_unarchive
|
|
||||||
|
|
||||||
- name: Configure netbox
|
- name: Configure netbox
|
||||||
template:
|
template: src=configuration.py.j2 dest=/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py owner={{ netbox_user }} group={{ netbox_group }}
|
||||||
src: configuration.py.j2
|
|
||||||
dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
|
|
||||||
owner: "{{ netbox_user }}"
|
|
||||||
group: "{{ netbox_group }}"
|
|
||||||
notify: Restart netbox
|
|
||||||
|
|
||||||
- name: Configure gunicorn
|
- name: Install venv
|
||||||
template:
|
pip: requirements=/opt/netbox-{{ netbox_version }}/requirements.txt virtualenv=/opt/netbox-{{ netbox_version }}/venv virtualenv_command="/usr/bin/python3 -m venv"
|
||||||
src: gunicorn.py.j2
|
|
||||||
dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
|
|
||||||
owner: "{{ netbox_user }}"
|
|
||||||
group: "{{ netbox_group }}"
|
|
||||||
|
|
||||||
- name: Netbox file permissions
|
|
||||||
file:
|
|
||||||
path: "/opt/netbox-{{ netbox_version }}"
|
|
||||||
owner: "{{ netbox_user }}"
|
|
||||||
group: "{{ netbox_group }}"
|
|
||||||
recurse: yes
|
|
||||||
|
|
||||||
- name: Fix psycopg variant
|
|
||||||
lineinfile:
|
|
||||||
path: "/opt/netbox-{{ netbox_version }}/requirements.txt"
|
|
||||||
regexp: '^psycopg\[.*,pool\]==(.*)$'
|
|
||||||
line: 'psycopg[binary,pool]==\1'
|
|
||||||
backrefs: yes
|
|
||||||
register: netbox_psycopg_fix
|
|
||||||
|
|
||||||
- name: Run upgrade script
|
|
||||||
command:
|
|
||||||
cmd: ./upgrade.sh
|
|
||||||
chdir: "/opt/netbox-{{ netbox_version }}"
|
|
||||||
become: true
|
|
||||||
become_user: "{{ netbox_user }}"
|
|
||||||
when: netbox_unarchive.changed or netbox_psycopg_fix.changed
|
|
||||||
|
|
||||||
# TODO - still manual work
|
# TODO - still manual work
|
||||||
# * Create a super user
|
# * Run Database Migrations
|
||||||
# * Migrate media files
|
# * Create a Super User
|
||||||
|
# * Collect Static Files
|
||||||
- name: Install netbox housekeeping cronjob
|
# * Gunicorn Configuration
|
||||||
template:
|
# * systemd Configuration
|
||||||
src: netbox-housekeeping.sh.j2
|
|
||||||
dest: /etc/cron.daily/netbox-housekeeping.sh
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
- name: Ensure certificates are available
|
||||||
command:
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt -days 730 -subj "/CN={{ netbox_domain }}" creates=/etc/nginx/ssl/{{ netbox_domain }}.crt
|
||||||
cmd: >
|
|
||||||
openssl req -x509 -nodes -newkey rsa:2048
|
|
||||||
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
|
|
||||||
-days 730 -subj "/CN={{ netbox_domain }}"
|
|
||||||
creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
|
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Request nsupdate key for certificate
|
#- name: Configure certificate manager for netbox
|
||||||
include_role: name=acme-dnskey-generate
|
# template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
|
||||||
vars:
|
# notify: Run acertmgr
|
||||||
acme_dnskey_san_domains:
|
|
||||||
- "{{ netbox_domain }}"
|
|
||||||
when: "'kitchen' in group_names"
|
|
||||||
|
|
||||||
- name: Configure certificate manager for netbox
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Configure vhost
|
- name: Configure vhost
|
||||||
template:
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/netbox
|
||||||
src: vhost.j2
|
|
||||||
dest: /etc/nginx/sites-available/netbox
|
|
||||||
owner: root
|
|
||||||
mode: "0644"
|
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Enable vhost
|
- name: Enable vhost
|
||||||
file:
|
file: src=/etc/nginx/sites-available/netbox dest=/etc/nginx/sites-enabled/netbox state=link
|
||||||
src: /etc/nginx/sites-available/netbox
|
|
||||||
dest: /etc/nginx/sites-enabled/netbox
|
|
||||||
state: link
|
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Install systemd units
|
|
||||||
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
|
|
||||||
with_items:
|
|
||||||
- netbox
|
|
||||||
- netbox-rq
|
|
||||||
notify:
|
|
||||||
- Reload systemd
|
|
||||||
- Restart netbox
|
|
||||||
- Restart netbox-rq
|
|
||||||
|
|
||||||
- name: Enable services
|
|
||||||
service: name={{ item }} state=started enabled=yes
|
|
||||||
with_items:
|
|
||||||
- netbox
|
|
||||||
- netbox-rq
|
|
||||||
|
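Review bot: `unarchive: src=https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz ... remote_src=yes` fetches and unpacks the release with no integrity check, and the following `pip: requirements=/opt/netbox-{{ netbox_version }}/requirements.txt ...` then installs whatever that archive lists, so a tampered or redirected download goes straight into the venv; `unarchive` has no checksum option, so fetch the tarball with `get_url` and a pinned `checksum` first and unpack the local file. The `creates=/opt/netbox-{{ netbox_version }}` guard also means a changed `netbox_version` leaves the previous tree untouched, which the `# TODO - still manual work` list does not mention. The hunk ends before the end of the file.
```yaml
- name: Download netbox
  get_url:
    url: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
    dest: "/opt/netbox-{{ netbox_version }}.tar.gz"
    checksum: "sha256:<NETBOX_RELEASE_SHA256>"

- name: Unpack netbox
  unarchive:
    src: "/opt/netbox-{{ netbox_version }}.tar.gz"
    dest: /opt
    remote_src: yes
    creates: "/opt/netbox-{{ netbox_version }}"
# … unchanged: Configure netbox, Install venv …
```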
@ -33,10 +33,8 @@ REDIS = {
|
|||||||
# 'SENTINEL_SERVICE': 'netbox',
|
# 'SENTINEL_SERVICE': 'netbox',
|
||||||
'PASSWORD': '',
|
'PASSWORD': '',
|
||||||
'DATABASE': 0,
|
'DATABASE': 0,
|
||||||
|
'DEFAULT_TIMEOUT': 300,
|
||||||
'SSL': False,
|
'SSL': False,
|
||||||
# Set this to True to skip TLS certificate verification
|
|
||||||
# This can expose the connection to attacks, be careful
|
|
||||||
# 'INSECURE_SKIP_TLS_VERIFY': False,
|
|
||||||
},
|
},
|
||||||
'caching': {
|
'caching': {
|
||||||
'HOST': 'localhost',
|
'HOST': 'localhost',
|
||||||
@ -46,10 +44,8 @@ REDIS = {
|
|||||||
# 'SENTINEL_SERVICE': 'netbox',
|
# 'SENTINEL_SERVICE': 'netbox',
|
||||||
'PASSWORD': '',
|
'PASSWORD': '',
|
||||||
'DATABASE': 1,
|
'DATABASE': 1,
|
||||||
|
'DEFAULT_TIMEOUT': 300,
|
||||||
'SSL': False,
|
'SSL': False,
|
||||||
# Set this to True to skip TLS certificate verification
|
|
||||||
# This can expose the connection to attacks, be careful
|
|
||||||
# 'INSECURE_SKIP_TLS_VERIFY': False,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -69,13 +65,32 @@ SECRET_KEY = '{{ netbox_secret }}'
|
|||||||
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
|
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
|
||||||
# application errors (assuming correct email settings are provided).
|
# application errors (assuming correct email settings are provided).
|
||||||
ADMINS = [
|
ADMINS = [
|
||||||
# ('John Doe', 'jdoe@example.com'),
|
# ['John Doe', 'jdoe@example.com'],
|
||||||
]
|
]
|
||||||
|
|
||||||
# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
|
# URL schemes that are allowed within links in NetBox
|
||||||
|
ALLOWED_URL_SCHEMES = (
|
||||||
|
'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
|
||||||
|
)
|
||||||
|
|
||||||
|
# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
|
||||||
|
# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
|
||||||
|
BANNER_TOP = ''
|
||||||
|
BANNER_BOTTOM = ''
|
||||||
|
|
||||||
|
# Text to include on the login page above the login form. HTML is allowed.
|
||||||
|
BANNER_LOGIN = ''
|
||||||
|
|
||||||
|
# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
|
||||||
# BASE_PATH = 'netbox/'
|
# BASE_PATH = 'netbox/'
|
||||||
BASE_PATH = ''
|
BASE_PATH = ''
|
||||||
|
|
||||||
|
# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
|
||||||
|
CACHE_TIMEOUT = 900
|
||||||
|
|
||||||
|
# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
|
||||||
|
CHANGELOG_RETENTION = 90
|
||||||
|
|
||||||
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
|
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
|
||||||
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
|
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
|
||||||
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
|
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
|
||||||
@ -104,6 +119,10 @@ EMAIL = {
|
|||||||
'FROM_EMAIL': '',
|
'FROM_EMAIL': '',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
|
||||||
|
# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
|
||||||
|
ENFORCE_GLOBAL_UNIQUE = False
|
||||||
|
|
||||||
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
|
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
|
||||||
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
|
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
|
||||||
EXEMPT_VIEW_PERMISSIONS = [
|
EXEMPT_VIEW_PERMISSIONS = [
|
||||||
@ -126,18 +145,22 @@ INTERNAL_IPS = ('127.0.0.1', '::1')
|
|||||||
# https://docs.djangoproject.com/en/stable/topics/logging/
|
# https://docs.djangoproject.com/en/stable/topics/logging/
|
||||||
LOGGING = {}
|
LOGGING = {}
|
||||||
|
|
||||||
# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
|
|
||||||
# authenticated to NetBox indefinitely.
|
|
||||||
LOGIN_PERSISTENCE = False
|
|
||||||
|
|
||||||
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
|
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
|
||||||
# are permitted to access most data in NetBox but not make any changes.
|
# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
|
||||||
LOGIN_REQUIRED = True
|
LOGIN_REQUIRED = True
|
||||||
|
|
||||||
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
|
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
|
||||||
# re-authenticate. (Default: 1209600 [14 days])
|
# re-authenticate. (Default: 1209600 [14 days])
|
||||||
LOGIN_TIMEOUT = None
|
LOGIN_TIMEOUT = None
|
||||||
|
|
||||||
|
# Setting this to True will display a "maintenance mode" banner at the top of every page.
|
||||||
|
MAINTENANCE_MODE = False
|
||||||
|
|
||||||
|
# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
|
||||||
|
# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
|
||||||
|
# all objects by specifying "?limit=0".
|
||||||
|
MAX_PAGE_SIZE = 1000
|
||||||
|
|
||||||
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
|
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
|
||||||
# the default value of this setting is derived from the installed location.
|
# the default value of this setting is derived from the installed location.
|
||||||
# MEDIA_ROOT = '/opt/netbox/netbox/media'
|
# MEDIA_ROOT = '/opt/netbox/netbox/media'
|
||||||
@ -155,6 +178,20 @@ LOGIN_TIMEOUT = None
|
|||||||
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
|
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
|
||||||
METRICS_ENABLED = False
|
METRICS_ENABLED = False
|
||||||
|
|
||||||
|
# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
|
||||||
|
NAPALM_USERNAME = ''
|
||||||
|
NAPALM_PASSWORD = ''
|
||||||
|
|
||||||
|
# NAPALM timeout (in seconds). (Default: 30)
|
||||||
|
NAPALM_TIMEOUT = 30
|
||||||
|
|
||||||
|
# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
|
||||||
|
# be provided as a dictionary.
|
||||||
|
NAPALM_ARGS = {}
|
||||||
|
|
||||||
|
# Determine how many objects to display per page within a list. (Default: 50)
|
||||||
|
PAGINATE_COUNT = 50
|
||||||
|
|
||||||
# Enable installed plugins. Add the name of each plugin to the list.
|
# Enable installed plugins. Add the name of each plugin to the list.
|
||||||
PLUGINS = []
|
PLUGINS = []
|
||||||
|
|
||||||
@ -167,13 +204,24 @@ PLUGINS = []
|
|||||||
# }
|
# }
|
||||||
# }
|
# }
|
||||||
|
|
||||||
|
# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
|
||||||
|
# prefer IPv4 instead.
|
||||||
|
PREFER_IPV4 = False
|
||||||
|
|
||||||
|
# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
|
||||||
|
RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
|
||||||
|
RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
|
||||||
|
|
||||||
# Remote authentication support
|
# Remote authentication support
|
||||||
REMOTE_AUTH_ENABLED = False
|
REMOTE_AUTH_ENABLED = False
|
||||||
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
|
REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
|
||||||
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
|
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
|
||||||
REMOTE_AUTH_AUTO_CREATE_USER = True
|
REMOTE_AUTH_AUTO_CREATE_USER = True
|
||||||
REMOTE_AUTH_DEFAULT_GROUPS = []
|
REMOTE_AUTH_DEFAULT_GROUPS = []
|
||||||
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
|
REMOTE_AUTH_DEFAULT_PERMISSIONS = []
|
||||||
|
|
||||||
|
# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
|
||||||
|
RELEASE_CHECK_TIMEOUT = 24 * 3600
|
||||||
|
|
||||||
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
|
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
|
||||||
# version check or use the URL below to check for release in the official NetBox repository.
|
# version check or use the URL below to check for release in the official NetBox repository.
|
||||||
@ -184,16 +232,10 @@ RELEASE_CHECK_URL = None
|
|||||||
# this setting is derived from the installed location.
|
# this setting is derived from the installed location.
|
||||||
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
|
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
|
||||||
|
|
||||||
# Maximum execution time for background tasks, in seconds.
|
|
||||||
RQ_DEFAULT_TIMEOUT = 300
|
|
||||||
|
|
||||||
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
|
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
|
||||||
# this setting is derived from the installed location.
|
# this setting is derived from the installed location.
|
||||||
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
|
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
|
||||||
|
|
||||||
# The name to use for the session cookie.
|
|
||||||
SESSION_COOKIE_NAME = 'sessionid'
|
|
||||||
|
|
||||||
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
|
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
|
||||||
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
|
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
|
||||||
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
|
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
|
||||||
|
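Review bot: The added `ALLOWED_URL_SCHEMES` tuple lists `file`, `ftp`, `telnet`, `tftp` and `vnc` among others; per the comment above it this governs which schemes are allowed in links rendered by NetBox, so keeping schemes the deployment does not use widens what a stored link in a user-entered field can point at. It appears to be the upstream default copied verbatim; trimming it to what operators actually need, e.g. `ALLOWED_URL_SCHEMES = ('http', 'https', 'mailto', 'ssh')`, is a one-line change. Minor: the later hunk's comment `# An API consumer can request an arbitrary number of objects =by appending` carries a stray `=`.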
@ -1,16 +0,0 @@
|
|||||||
# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
|
|
||||||
bind = '127.0.0.1:8001'
|
|
||||||
|
|
||||||
# Number of gunicorn workers to spawn. This should typically be 2n+1, where
|
|
||||||
# n is the number of CPU cores present.
|
|
||||||
workers = 5
|
|
||||||
|
|
||||||
# Number of threads per worker process
|
|
||||||
threads = 3
|
|
||||||
|
|
||||||
# Timeout (in seconds) for a request to complete
|
|
||||||
timeout = 120
|
|
||||||
|
|
||||||
# The maximum number of requests a worker can handle before being respawned
|
|
||||||
max_requests = 5000
|
|
||||||
max_requests_jitter = 500
|
|
@ -1,9 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# This shell script invokes NetBox's housekeeping management command, which
|
|
||||||
# intended to be run nightly. This script can be copied into your system's
|
|
||||||
# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
|
|
||||||
# within the cron configuration file.
|
|
||||||
#
|
|
||||||
# If NetBox has been installed into a nonstandard location, update the paths
|
|
||||||
# below.
|
|
||||||
/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping
|
|
@ -1,21 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=NetBox Request Queue Worker
|
|
||||||
Documentation=https://netbox.readthedocs.io/en/stable/
|
|
||||||
After=network-online.target
|
|
||||||
Wants=network-online.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
|
|
||||||
User={{ netbox_user }}
|
|
||||||
Group={{ netbox_group }}
|
|
||||||
WorkingDirectory=/opt/netbox-{{ netbox_version }}
|
|
||||||
|
|
||||||
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
|
|
||||||
|
|
||||||
Restart=on-failure
|
|
||||||
RestartSec=30
|
|
||||||
PrivateTmp=true
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
@ -1,22 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=NetBox WSGI Service
|
|
||||||
Documentation=https://netbox.readthedocs.io/en/stable/
|
|
||||||
After=network-online.target
|
|
||||||
Wants=network-online.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
|
|
||||||
User={{ netbox_user }}
|
|
||||||
Group={{ netbox_group }}
|
|
||||||
PIDFile=/var/tmp/netbox.pid
|
|
||||||
WorkingDirectory=/opt/netbox-{{ netbox_version }}
|
|
||||||
|
|
||||||
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
|
|
||||||
|
|
||||||
Restart=on-failure
|
|
||||||
RestartSec=30
|
|
||||||
PrivateTmp=true
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
@ -30,9 +30,9 @@ server {
|
|||||||
location / {
|
location / {
|
||||||
client_max_body_size 32M;
|
client_max_body_size 32M;
|
||||||
|
|
||||||
proxy_pass http://localhost:8001;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
proxy_set_header X-Forwarded-Host $http_host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_pass http://localhost:8001;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
nginx_anonymize: False
|
|
@ -47,32 +47,7 @@ http {
|
|||||||
# Logging Settings
|
# Logging Settings
|
||||||
##
|
##
|
||||||
|
|
||||||
{% if nginx_anonymize %}
|
|
||||||
map $remote_addr $ip_anonym1 {
|
|
||||||
default 0.0.0;
|
|
||||||
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
|
|
||||||
"~(?P<ip>[^:]+:[^:]+):" $ip;
|
|
||||||
}
|
|
||||||
|
|
||||||
map $remote_addr $ip_anonym2 {
|
|
||||||
default .0;
|
|
||||||
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
|
|
||||||
"~(?P<ip>[^:]+:[^:]+):" ::;
|
|
||||||
}
|
|
||||||
|
|
||||||
map $ip_anonym1$ip_anonym2 $ip_anonymized {
|
|
||||||
default 0.0.0.0;
|
|
||||||
"~(?P<ip>.*)" $ip;
|
|
||||||
}
|
|
||||||
|
|
||||||
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
|
|
||||||
'"$request" $status $body_bytes_sent '
|
|
||||||
'"$http_referer" "$http_user_agent"';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log anonymized;
|
|
||||||
{% else %}
|
|
||||||
access_log /var/log/nginx/access.log;
|
access_log /var/log/nginx/access.log;
|
||||||
{% endif %}
|
|
||||||
error_log /var/log/nginx/error.log;
|
error_log /var/log/nginx/error.log;
|
||||||
|
|
||||||
##
|
##
|
@ -30,7 +30,7 @@
|
|||||||
- /etc/nginx/dhparam.pem
|
- /etc/nginx/dhparam.pem
|
||||||
|
|
||||||
- name: Configure nginx
|
- name: Configure nginx
|
||||||
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
|
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Configure default vhost
|
- name: Configure default vhost
|
||||||
@ -41,7 +41,7 @@
|
|||||||
- name: Ensure network and dns are available before nginx
|
- name: Ensure network and dns are available before nginx
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /lib/systemd/system/nginx.service
|
dest: /lib/systemd/system/nginx.service
|
||||||
line: "After=network-online.target remote-fs.target nss-lookup.target"
|
line: "After=network-online.target nss-lookup.target"
|
||||||
regexp: "^After="
|
regexp: "^After="
|
||||||
|
|
||||||
- name: Start nginx
|
- name: Start nginx
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
node_exporter_version: 1.2.0
|
node_exporter_version: 1.0.1
|
||||||
node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz
|
node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
OPTIONS="--web.config=/etc/node_exporter/web-config.yml"
|
OPTIONS=""
|
||||||
|
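Review bot: With `OPTIONS=""` node_exporter starts without `--web.config`, so on the new side it serves host metrics over plain HTTP with no authentication; the node_exporter task hunk (`Ensure certificates are available` through `Configure node_exporter TLS`), the deleted `tls_server_config`/`basic_auth_users` template and the prometheus.yml.j2 node job (which loses `scheme: https` and `basic_auth`) undo the same TLS/basic-auth setup. Since other files also move backwards here (node_exporter 1.2.0 to 1.0.1, the nginx anonymization, netbox, respondd and prometheus retention hunks), this looks like the ntp-chrony branch being compared against a newer master rather than an intentional downgrade; if so, rebase onto master before merging so these hardening changes are not reverted. If dropping TLS is intended, the exporter port should be restricted to the Prometheus host by firewall or bind address, as it would otherwise expose host metrics to anything that can reach it.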
@ -9,27 +9,6 @@
|
|||||||
- name: Configure node_exporter
|
- name: Configure node_exporter
|
||||||
copy: src=node_exporter dest=/etc/default/node_exporter
|
copy: src=node_exporter dest=/etc/default/node_exporter
|
||||||
|
|
||||||
- name: Create configuration directory
|
|
||||||
file: path=/etc/node_exporter state=directory
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command:
|
|
||||||
cmd: >
|
|
||||||
openssl req -x509 -nodes -newkey rsa:2048
|
|
||||||
-keyout /etc/node_exporter/{{ ansible_fqdn }}.key
|
|
||||||
-out /etc/node_exporter/{{ ansible_fqdn }}.crt
|
|
||||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
|
||||||
creates: /etc/node_exporter/{{ ansible_fqdn }}.crt
|
|
||||||
notify: Restart node_exporter
|
|
||||||
|
|
||||||
- name: Ensure correct certificate permissions
|
|
||||||
file: path=/etc/node_exporter/{{ ansible_fqdn }}.key owner=node_exporter mode=0400
|
|
||||||
notify: Restart node_exporter
|
|
||||||
|
|
||||||
- name: Configure node_exporter TLS
|
|
||||||
template: src=web-config.yml.j2 dest=/etc/node_exporter/web-config.yml
|
|
||||||
notify: Restart node_exporter
|
|
||||||
|
|
||||||
- name: Install systemd unit
|
- name: Install systemd unit
|
||||||
template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
|
template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
|
||||||
notify:
|
notify:
|
||||||
|
@ -1,6 +0,0 @@
|
|||||||
tls_server_config:
|
|
||||||
cert_file: /etc/node_exporter/{{ ansible_fqdn }}.crt
|
|
||||||
key_file: /etc/node_exporter/{{ ansible_fqdn }}.key
|
|
||||||
|
|
||||||
basic_auth_users:
|
|
||||||
prometheus: {{ prometheus_node_pass | password_hash('bcrypt', 'supersecret1salt1value') }}
|
|
@ -1,4 +1,10 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Restart ntp
|
||||||
|
service: name=ntp state=restarted
|
||||||
|
|
||||||
|
- name: Restart ntpd
|
||||||
|
service: name=ntpd state=restarted
|
||||||
|
|
||||||
- name: Restart chrony
|
- name: Restart chrony
|
||||||
service: name=chrony state=restarted
|
service: name=chrony state=restarted
|
||||||
|
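Review bot: The new `Restart ntpd` handler (`service: name=ntpd state=restarted`) is not notified by anything in this change — ntp.yml notifies `Restart ntp` — and Debian's ntp package ships its unit as `ntp`, so a `ntpd` handler would fail if it ever fired. Unless another role references it, drop the `Restart ntpd` handler so there are not two near-identical handler names for the same daemon.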
34
roles/ntp/tasks/chrony.yml
Normal file
34
roles/ntp/tasks/chrony.yml
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
---
|
||||||
|
# Use chronyd to lock time via PHC to hosts RTC
|
||||||
|
|
||||||
|
- name: Install chrony
|
||||||
|
apt:
|
||||||
|
name: chrony
|
||||||
|
state: latest
|
||||||
|
install_recommends: no
|
||||||
|
|
||||||
|
- name: Load kmod ptp_kvm at boot time
|
||||||
|
blockinfile:
|
||||||
|
path: /etc/modules-load.d/ptp_kvm.conf
|
||||||
|
create: yes
|
||||||
|
owner: root
|
||||||
|
mode: '0400'
|
||||||
|
block: |
|
||||||
|
# Load VirtIO PTP driver for chrony
|
||||||
|
ptp_kvm
|
||||||
|
register: load_ptp_kvm
|
||||||
|
when:
|
||||||
|
- ansible_virtualization_role == 'guest'
|
||||||
|
- ansible_virtualization_type == 'kvm'
|
||||||
|
|
||||||
|
- name: Load kmod ptp_kvm
|
||||||
|
modprobe:
|
||||||
|
name: ptp_kvm
|
||||||
|
state: present
|
||||||
|
when: not (load_ptp_kvm is skipped)
|
||||||
|
|
||||||
|
- name: Configure chronyd
|
||||||
|
template:
|
||||||
|
src: chrony.conf.j2
|
||||||
|
dest: /etc/chrony/chrony.conf
|
||||||
|
notify: Restart chrony
|
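Review bot: chrony.yml installs and configures chrony but never ensures the service is enabled and running; the `Start chrony` task with `service: name=chrony state=started enabled=yes` that the old main.yml had is removed in this change, while the new ntp.yml keeps its equivalent `Start the ntp service` task, so the chrony path now depends on the package postinst having started the daemon. Add `- name: Start chrony` / `service: name=chrony state=started enabled=yes` after the Configure chronyd task. Two smaller points: `state: latest` upgrades chrony on every run where `state: present` is normally what a role wants, and `mode: '0400'` on /etc/modules-load.d/ptp_kvm.conf is unusually tight for a non-secret file with no `group:` set; `0644` owned by root is the conventional mode there. The `when:` on the blockinfile task repeats the KVM condition main.yml already applies to the include, so as far as this diff shows `load_ptp_kvm` can never be skipped and the `is skipped` checks in the next task and in chrony.conf.j2 are dead.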
@ -1,11 +1,16 @@
|
|||||||
---
|
---
|
||||||
|
# Select best time source
|
||||||
|
# * on kvm sync to hypervisor rtc within nanoseconds accuracy
|
||||||
|
# * on anything else use ntpd wich supports only milliseconds accuracy
|
||||||
|
|
||||||
- name: Install chrony
|
- name: Setup chrony
|
||||||
apt: name=chrony
|
include_tasks: chrony.yml
|
||||||
|
register: ntp_use_chrony
|
||||||
|
when:
|
||||||
|
- ansible_virtualization_role == 'guest'
|
||||||
|
- ansible_virtualization_type == 'kvm'
|
||||||
|
|
||||||
- name: Configure chrony
|
- name: Setup ntpd
|
||||||
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
|
include_tasks: ntp.yml
|
||||||
notify: Restart chrony
|
when:
|
||||||
|
- ntp_use_chrony is skipped
|
||||||
- name: Start chrony
|
|
||||||
service: name=chrony state=started enabled=yes
|
|
||||||
|
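Review bot: `register: ntp_use_chrony` on the `include_tasks` and the `when: ntp_use_chrony is skipped` on Setup ntpd tie the ntpd path to the registered result of a dynamic include; I am not certain that result carries `skipped` consistently across Ansible versions, and it is an indirect way to express "not a KVM guest" either way. Deriving both tasks from the same condition avoids the dependency, e.g. `when: not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'kvm')` on Setup ntpd, or a `set_fact` for `ntp_use_chrony` evaluated once at the top. Also `wich` in the header comment should read `which`.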
11
roles/ntp/tasks/ntp.yml
Normal file
11
roles/ntp/tasks/ntp.yml
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Install ntp
|
||||||
|
apt: name=ntp
|
||||||
|
|
||||||
|
- name: Configure ntp
|
||||||
|
template: src=ntp.conf.j2 dest=/etc/ntp.conf
|
||||||
|
notify: Restart ntp
|
||||||
|
|
||||||
|
- name: Start the ntp service
|
||||||
|
service: name=ntp state=started enabled=yes
|
@ -1,53 +1,27 @@
|
|||||||
# Welcome to the chrony configuration file. See chrony.conf(5) for more
|
# {{ ansible_managed }}
|
||||||
# information about usable directives.
|
|
||||||
|
|
||||||
# Include configuration files found in /etc/chrony/conf.d.
|
|
||||||
confdir /etc/chrony/conf.d
|
|
||||||
|
|
||||||
|
{% if not (load_ptp_kvm is skipped) %}
|
||||||
|
refclock PHC /dev/ptp0 poll 2
|
||||||
|
{% elif ntp_servers is defined %}
|
||||||
{% for srv in ntp_servers %}
|
{% for srv in ntp_servers %}
|
||||||
server {{ srv }} iburst
|
server {{ srv }} iburst
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if ntp_peers is defined %}
|
{% else %}
|
||||||
|
pool 2.debian.pool.ntp.org iburst
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if ntp_peers is defined %}
|
||||||
{% for peer in ntp_peers %}
|
{% for peer in ntp_peers %}
|
||||||
peer {{ peer }}
|
peer {{ peer }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if ntp_server is defined and ntp_server is true %}
|
|
||||||
allow 10.90.0.0/16
|
|
||||||
allow 2001:678:ddc::/48
|
|
||||||
{% endif -%}
|
|
||||||
|
|
||||||
# This directive specify the location of the file containing ID/key pairs for
|
|
||||||
# NTP authentication.
|
|
||||||
keyfile /etc/chrony/chrony.keys
|
keyfile /etc/chrony/chrony.keys
|
||||||
|
|
||||||
# This directive specify the file into which chronyd will store the rate
|
|
||||||
# information.
|
|
||||||
driftfile /var/lib/chrony/chrony.drift
|
driftfile /var/lib/chrony/chrony.drift
|
||||||
|
|
||||||
# Save NTS keys and cookies.
|
|
||||||
ntsdumpdir /var/lib/chrony
|
|
||||||
|
|
||||||
# Uncomment the following line to turn logging on.
|
|
||||||
#log tracking measurements statistics
|
|
||||||
|
|
||||||
# Log files location.
|
|
||||||
logdir /var/log/chrony
|
logdir /var/log/chrony
|
||||||
|
|
||||||
# Stop bad estimates upsetting machine clock.
|
|
||||||
maxupdateskew 100.0
|
maxupdateskew 100.0
|
||||||
|
|
||||||
# This directive enables kernel synchronisation (every 11 minutes) of the
|
|
||||||
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
|
|
||||||
rtcsync
|
rtcsync
|
||||||
|
|
||||||
# Step the system clock instead of slewing it if the adjustment is larger than
|
|
||||||
# one second, but only in the first three clock updates.
|
|
||||||
makestep 1 3
|
makestep 1 3
|
||||||
|
|
||||||
# Get TAI-UTC offset and leap seconds from the system tz database.
|
# Do not allow chronyc for security reasons
|
||||||
# This directive must be commented out when using time sources serving
|
cmdport 0
|
||||||
# leap-smeared time.
|
|
||||||
leapsectz right/UTC
|
|
||||||
|
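Review bot: The comment `# Do not allow chronyc for security reasons` overstates `cmdport 0`: it only stops chronyd from opening the UDP command port (323), while chronyc still works for root over the Unix domain socket, so local monitoring is unaffected and what is removed is the network-reachable port. Suggest `# Disable the UDP command port (323); chronyc still works locally as root via the Unix socket`. When the ptp_kvm branch is taken the PHC becomes the only time source and chrony cannot detect a wrong hypervisor clock without a second opinion, so consider emitting the `server`/`pool` lines alongside the `refclock` rather than instead of it, since chrony selects among refclocks and NTP sources together. The `allow` block for `ntp_server` hosts is also gone on the new side, so hosts that served NTP to 10.90.0.0/16 and 2001:678:ddc::/48 will stop answering clients once this template is deployed; confirm that is intended, or keep the block in the new template.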
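--- /dev/null
+++ b/roles/ntp/templates/ntp.conf.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+{% for srv in ntp_servers %}
+server {{ srv }} iburst
+{% endfor %}
+{% if ntp_peers is defined %}
+
+{% for peer in ntp_peers %}
+peer {{ peer }}
+{% endfor %}
+{% endif %}
+
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+restrict 127.0.0.1
+restrict -6 ::1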
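Review bot: The template has no `driftfile` directive, so ntpd cannot persist its measured frequency error and re-converges from scratch after every restart; add `driftfile /var/lib/ntp/ntp.drift`, the path Debian's ntp package uses. `{% for srv in ntp_servers %}` is also unguarded, whereas chrony.conf.j2 checks `ntp_servers is defined` and falls back to `pool 2.debian.pool.ntp.org iburst`; a host without `ntp_servers` fails the template task here instead of getting a fallback, so wrapping the loop the same way keeps the two paths consistent. The `restrict default … nomodify notrap nopeer noquery` lines are a sound default, as they stop the daemon answering mode 6/7 control queries, which is the usual NTP amplification vector, while still serving time.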
@ -6,7 +6,7 @@
|
|||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- python3-pip
|
- python-setuptools
|
||||||
- python3-setuptools
|
- python3-setuptools
|
||||||
- virtualenv
|
- virtualenv
|
||||||
|
|
||||||
@ -22,13 +22,6 @@
|
|||||||
- Reload systemd
|
- Reload systemd
|
||||||
- Restart prometheus-pve-exporter
|
- Restart prometheus-pve-exporter
|
||||||
|
|
||||||
- name: Configure prometheus retention
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/default/prometheus
|
|
||||||
regexp: '^ARGS=.*$'
|
|
||||||
line: 'ARGS="--storage.tsdb.retention.time=365d"'
|
|
||||||
notify: Restart prometheus
|
|
||||||
|
|
||||||
- name: Configure prometheus
|
- name: Configure prometheus
|
||||||
template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml
|
template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml
|
||||||
notify: Restart prometheus
|
notify: Restart prometheus
|
||||||
|
@ -27,29 +27,12 @@ rule_files:
|
|||||||
scrape_configs:
|
scrape_configs:
|
||||||
{% if node_targets is defined %}
|
{% if node_targets is defined %}
|
||||||
- job_name: node
|
- job_name: node
|
||||||
scheme: https
|
|
||||||
basic_auth:
|
|
||||||
username: prometheus
|
|
||||||
password: {{ prometheus_node_pass }}
|
|
||||||
tls_config:
|
|
||||||
insecure_skip_verify: true
|
|
||||||
static_configs:
|
static_configs:
|
||||||
- targets:
|
- targets:
|
||||||
{% for target in node_targets %}
|
{% for target in node_targets %}
|
||||||
- {{ target }}
|
- {{ target }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if dnsdist_targets is defined %}
|
|
||||||
- job_name: dnsdist
|
|
||||||
basic_auth:
|
|
||||||
username: prometheus
|
|
||||||
password: {{ prometheus_dnsdist_pass }}
|
|
||||||
static_configs:
|
|
||||||
- targets:
|
|
||||||
{% for target in dnsdist_targets %}
|
|
||||||
- {{ target }}
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
{% if fastd_targets is defined %}
|
{% if fastd_targets is defined %}
|
||||||
- job_name: fastd
|
- job_name: fastd
|
||||||
static_configs:
|
static_configs:
|
||||||
|
@ -19,6 +19,6 @@ interface br-{{ site_code }} {
|
|||||||
AdvRouterAddr on;
|
AdvRouterAddr on;
|
||||||
};
|
};
|
||||||
{% endif %}
|
{% endif %}
|
||||||
RDNSS {{ batman_ipv6 | ipaddr('address') }} {
|
RDNSS {{ batman_ipv6 | ipaddr('address')}} {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -4,4 +4,4 @@ batman_interface: bat-{{ site_code }}
|
|||||||
main_bridge: br-{{ site_code }}
|
main_bridge: br-{{ site_code }}
|
||||||
|
|
||||||
respondd_announce_git_root: https://github.com/ffnord/mesh-announce/
|
respondd_announce_git_root: https://github.com/ffnord/mesh-announce/
|
||||||
respondd_announce_git_version: 4fd2e3e6eb15c2a52b7401c88a105ff483934689
|
respondd_announce_git_version: fc2d8d78d53d1908ad16b79b66f79557ccd9a83a
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- { role: go }
|
- { role: git }
|
@ -7,10 +7,6 @@
|
|||||||
git: repo={{ respondd_announce_git_root }} dest=/opt/{{ site_code }}/respondd-announce/ version={{ respondd_announce_git_version }}
|
git: repo={{ respondd_announce_git_root }} dest=/opt/{{ site_code }}/respondd-announce/ version={{ respondd_announce_git_version }}
|
||||||
notify: Restart respondd
|
notify: Restart respondd
|
||||||
|
|
||||||
- name: Configure respondd
|
|
||||||
template: src=respondd.conf.j2 dest=/opt/{{ site_code }}/respondd.conf
|
|
||||||
notify: Restart respondd
|
|
||||||
|
|
||||||
- name: Install systemd unit
|
- name: Install systemd unit
|
||||||
template: src=respondd.service.j2 dest=/lib/systemd/system/respondd.service
|
template: src=respondd.service.j2 dest=/lib/systemd/system/respondd.service
|
||||||
notify:
|
notify:
|
||||||
|
@ -1,20 +0,0 @@
|
|||||||
# Default settings
|
|
||||||
[Defaults]
|
|
||||||
# Listen port, defaults to 1001
|
|
||||||
Port: 1001
|
|
||||||
# Default multicast listen addresses
|
|
||||||
MulticastLinkAddress: ff02::2:1001
|
|
||||||
MulticastSiteAddress: ff05::2:1001
|
|
||||||
# Default domain to use
|
|
||||||
DefaultDomain: {{ site_code }}
|
|
||||||
# Default domain type
|
|
||||||
DomainType: batadv
|
|
||||||
|
|
||||||
# A domain
|
|
||||||
[{{ site_code }}]
|
|
||||||
# Batman interface, mandatory
|
|
||||||
BatmanInterface: {{ batman_interface }}
|
|
||||||
# Other listen interfaces
|
|
||||||
Interfaces: {{ main_bridge }}
|
|
||||||
# IPv4 gateway option for ddhcpd
|
|
||||||
IPv4Gateway: {{ batman_ipv4 | ipaddr('address') }}
|
|
@ -5,7 +5,7 @@ Description=Respondd
|
|||||||
After=network-online.target
|
After=network-online.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=/opt/{{ site_code }}/respondd-announce/respondd.py -d /opt/{{ site_code }}/respondd-announce/providers -f /opt/{{ site_code }}/respondd.conf
|
ExecStart=/opt/{{ site_code }}/respondd-announce/respondd.py -d /opt/{{ site_code }}/respondd-announce/providers -i {{ main_bridge }} -b {{ batman_interface }} -m {{ batman_ipv4 | ipaddr('address') }}
|
||||||
Restart=always
|
Restart=always
|
||||||
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||||
WorkingDirectory=/opt/{{ site_code }}/respondd-announce
|
WorkingDirectory=/opt/{{ site_code }}/respondd-announce
|
||||||
|