


f90f251763 Add linter pipeline
2020-06-20 22:49:42 +02:00
8c6dd29da3 Update role acertmgr add var acertmgr_version
Defining the variable acertmgr_version in role defaults allows the version
string to be overridden. Role defaults are set in connection: local scope.
This also shortens a long line to make this role linter-compliant.
2020-06-20 22:36:29 +02:00
9cd6777a7c Mitigate lint E204 in roles nginx, web-gw and web-svc 2020-06-20 22:12:05 +02:00
33d86b9ebb Add role common-handlers fixes linter E303
Commonly used handlers can be loaded as a dependency. This also replaces the
systemctl daemon-reload invocation with its Ansible module equivalent.
2020-06-20 21:44:09 +02:00
165 changed files with 2021 additions and 5122 deletions


@ -1,4 +0,0 @@
skip_list:
- meta-no-info
- package-latest
- risky-file-permissions


@ -6,6 +6,7 @@ type: docker
steps: steps:
- name: lint - name: lint
image: cytopia/ansible-lint:latest image: alpine:latest
commands: commands:
- ansible-lint - apk add git ansible ansible-lint
- ansible-lint -x305,403,701
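Review bot: The lint step on the new side runs on an unpinned `alpine:latest` image and installs `git ansible ansible-lint` with `apk add` at whatever version the package index serves that day, so the job's outcome, and the rule set that `-x305,403,701` is suppressing against, can change without any commit to this repository. Pin both, and skip the index cache so it is not left in the layer: `image: alpine:<pinned-tag>` and `- apk add --no-cache git ansible ansible-lint=<pinned-version>` (placeholders to be filled with the versions the project validates against). The excluded rule ids are bare numbers; a comment above the command naming why each one is suppressed keeps the suppression reviewable. The pipeline definition starts before the hunk.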

.gitignore vendored

@ -2,4 +2,3 @@
__pycache__ __pycache__
site.retry site.retry
*.pyc *.pyc
ff-ansible.code-workspace


@ -3,11 +3,11 @@ Ansible Freifunk Regensburg
## Requirements ## Requirements
The python packages netaddr and passlib are required on the host running ansible. The python package netaddr is required on the host running ansible.
The vault password must be stored in `.vault_pass`. The vault password must be stored in `.vault_pass`.
The *only* supported distributions to deploy roles on is debian buster. The *only* supported distributions to deploy roles on is debian stretch and buster (stretch may be too old for prometheus).
## Running Ansible ## Running Ansible


@ -1,6 +1,5 @@
[defaults] [defaults]
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time. ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
interpreter_python = auto
inventory = ./hosts inventory = ./hosts
library = ./library library = ./library
nocows = 1 nocows = 1
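Review bot: The new side no longer sets `interpreter_python`, so the interpreter used on managed hosts is left to Ansible's discovery default, which on the releases current at this commit's date may pick a different Python on stretch than on buster and warn per host about it. If Python 2 is the intended target, as the `#!/usr/bin/env python` shebang in the library module suggests, state it explicitly with `interpreter_python = /usr/bin/python` under `[defaults]`; otherwise keep `interpreter_python = auto` so the choice is recorded in the repository rather than in the tool default.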


@ -2,20 +2,6 @@
acertmgr_mode: webdir acertmgr_mode: webdir
dnsdist_targets:
- gw11.regensburg.freifunk.net:8053
- gw21.regensburg.freifunk.net:8053
- gw31.regensburg.freifunk.net:8053
- resolver.regensburg.freifunk.net:8053
dns_slaves:
- 195.201.117.207
- 2a01:4f8:1c0c:7dda::1
- 213.166.224.14
- 2a02:958:0:1::e
- 213.166.225.14
- 2a02:958:0:1::1:e
fastd_targets: fastd_targets:
- gw11.regensburg.freifunk.net:9281 - gw11.regensburg.freifunk.net:9281
- gw21.regensburg.freifunk.net:9281 - gw21.regensburg.freifunk.net:9281
@ -39,24 +25,15 @@ gre_matrix:
- { id: 26, a: gw21, b: gw31 } - { id: 26, a: gw21, b: gw31 }
# - { id: 33, a: gw22, b: gw31 } # - { id: 33, a: gw22, b: gw31 }
netbox_domain: netbox.regensburg.freifunk.net
netbox_dbname: netbox
netbox_dbuser: netbox
netbox_dbpass: "{{ vault_netbox_dbpass }}"
netbox_secret: "{{ vault_netbox_secret }}"
node_targets: node_targets:
- ns1.regensburg.freifunk.net:9100
- stats.regensburg.freifunk.net:9100
- tiles.regensburg.freifunk.net:9100
- gw11.regensburg.freifunk.net:9100 - gw11.regensburg.freifunk.net:9100
- gw21.regensburg.freifunk.net:9100 - gw21.regensburg.freifunk.net:9100
- gw31.regensburg.freifunk.net:9100 - gw31.regensburg.freifunk.net:9100
- web.regensburg.freifunk.net:9100 - web.regensburg.freifunk.net:9100
- resolver.regensburg.freifunk.net:9100 - stats.ffrgb:9100
- netbox.regensburg.freifunk.net:9100
- unms.ffrgb:9100 - unms.ffrgb:9100
- unifi.ffrgb:9100 - unifi.ffrgb:9100
- tiles.ffrgb:9100
ntp_servers: ntp_servers:
- 0.de.pool.ntp.org - 0.de.pool.ntp.org
@ -64,10 +41,6 @@ ntp_servers:
- 2.de.pool.ntp.org - 2.de.pool.ntp.org
- 3.de.pool.ntp.org - 3.de.pool.ntp.org
prometheus_dnsdist_pass: "{{ vault_prometheus_dnsdist_pass }}"
prometheus_node_pass: "{{ vault_prometheus_node_pass }}"
prometheus_pve_user: prometheus@pve prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}" prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@ -75,17 +48,8 @@ pve_targets:
- pve01.ffrgb - pve01.ffrgb
- pve02.ffrgb - pve02.ffrgb
searxng_domain: sx.regensburg.freifunk.net
searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net
site: ffrgb site: ffrgb
site_domain: regensburg.freifunk.net site_domain: regensburg.freifunk.net
speedtest_domain: speed.regensburg.freifunk.net
speedtest_domains: speed.ffrgb.net speed.regensburg.freifunk.net
speedtest_secret: "{{ vault_speedtest_secret }}"
tileserver_domain: tiles.regensburg.freifunk.net
web_services: web_services:
- { id: uisp, domain: uisp.regensburg.freifunk.net, domains: uisp.ffrgb.net uisp.regensburg.freifunk.net } - { id: tiles, domain: tiles.regensburg.freifunk.net }


@ -1,137 +1,128 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
31633832313136353531623833383865383736333164376632363635333439613763643062663632 36303531356238623563383536313866333234626534333764393330613338323437633133333933
3736376165623664376436643138653435393239636333370a643363343061303436613238373237 6664636362396636366362363236383763653561366236370a336538353466333830326166353833
36653730376133363061333536626436363366393335303932663736316631633630323634353531 38616339376634616533376262623839653063666633306537353065303436636130376335336631
3734353134396561660a616339303762313430616234383138326438383432646564356662393536 3432623039316431330a656664386662633362356137666661323438386333386632343864336663
61376161343965656365646238393261356133326131613730343234336139366461333032396531 36623430663333393434393464633633376431333736396165343964663137373366343262373262
38653031363934623231336661363233393562383434323633353139336530383432383736353937 62343237623763363961313666333364386364353732383061623937663731653037386562383339
65633935373261653134653839353233643439616266613531373938393231643736333436353234 39623633666336356666626134333935356265303035616135303532396632323861366233373936
65646665626531323566326561353333666535666430613961666232646632303662343832643661 61356363613161653263323737343866323538623039643230373765353337376631643362633639
35373166323439623137383164663838393766326237336234326635383930323365326431343338 32346239353462363239393862643665373663646530343837313132616166346662326339316635
61343434363961633532656466653732626135306334303634383235643531396535326536636264 35313465343631333939376165313661616133363565666439336163326132633137363166383831
37343930623235363632623963346637363964666664636266373137363037383036633233643130 62613832373839383234356463323761613036666331306434353165653639616336633638396633
30323036653637656131623332613463303937323133653064623333396534336661306432323536 61363333376239623738386262653165643335343436303634366536363338386138313235313562
38373534303235323230306139663736663430633463663166393033613435616662336335643137 34303332626239323235613532396435646632353132613962363961383536666131306533306566
32366439333661313930636234346265306233393966623832613834623263356337356162396335 64306364393266633635363162323133656363633862326231366161633138343765343564646236
34353362613163323936613930666339303839393431303461363565623561363034306538396237 66666535613764613964633164333063306263353931646532346136663839646533643230666362
38326263303033376435623037653365636362653831623066653263623236613566623962313266 65343432353838383832306331333832386363613566373461323033643963616237663165366636
34336233343530366236313131323962666163383035633361333637343732356338626265613338 36336266353664353136323237383237663363613035653664303634633266333565303833356238
36643663336161663636343864623864323735613838373562376431643338346662393731373833 62623538623861653135633666613034363766306263323262663631383961333932313837333339
38313839393433626630363635323232373534303437656561316231653536306264386331333666 38313439636262313563326232323937323163373532306464333662363362613064313638353338
36323330626164363730643337623262303335333438303432373465343235303836366362383336 34633766623962326464393564316563663764326462316232653935383463343163613532623931
39666631363362383338616536666432373738336131653765353635373365623030393365636630 33653136636634373939386439623661383432616534333061626232303266343666383335346666
38303033306664356162316262346434343239646230663062643566336132613535393835366236 34323336366232363563626139316666353433343236626334366138656334646338623338316439
66306435653364323335623665316264646631383066373837653536316135316130393766356162 32323833656430373831616661613662353465376664633233333666373766356666373839336232
33326431643162383539323161626163316532373831386334643761636630616162666236613766 65346637616539616330356138323865646433346339363130343366363731343262393538336466
38633738333331616336363736396635306630363561613966656538633432363661313432373731 30316565303133343762666165626533343135633937323162653964626535343962653636636163
39303764303362336536396130613637653530376437333336613465643539396330623261356534 36323066393039333531626434383830666665326563376638656238393439373033653763386131
64633761643065313038656261326638343032353832376262653135663162353434323936353862 65316265626130643335333362363232613733633835633234316565303532623766653032303332
31663738353965303963353962626534303333303037336431373631396635363938326133336330 33386661326362626538393033396430303564653737346339643966623337653661376633623166
63353333616664663934636433653434626162323064653430666565613061623239613561643838 66313162316131326364393731346336626663626564343662343334616533616537633765376463
66356662303137383639336432633432636235306165306339623632316134306431376163616465 64303939313639613665353035336536373436646436373038633233313330663965386665326234
32636132656232303162333238393837383731633931363865356634643736326139313638333230 37326338333262313461373765306163646233303930633838636563313138646461656130666234
39316662306432333333333266333234646539646532316536383932666435366136346138626136 33383232336333373965666630386131326137666633623231633739646435363532393432323330
64373362366239633964616638363666656564323436636432663937666565653436613465366461 33393431616630336139393236636533383537623162376636393365663733626565306661386665
65376562303639363332636532386535386365656636346365333330386132383637636239653730 65613536313032646636623334656266336531383733306361363536616661336236353735343535
63333361303037393936653064336439653932373739336564333132303639343835376633666631 31353738346332643465383735636666326532623166373962376563633861376361663663393030
66613138343730636563626131623437343232303964626562633332303761626331383662373531 31316366346531376635386335366564373530303664323934383930356530356265623530356461
39663463656361303236666661356564373432333062303363313532333938633337363536343930 31656461663637373238303737383263353065326333383564346532376261316130346461373230
37376464393438613564653465353037313536626466643131336133336161316437316433663032 31633939313061663235326331613061383033313131633330303238363135303637363133663637
62633465613634373238383937643037346336336135353230386538353933616436646534366435 61653439633534633234366164313665356265323931346234646163333463366466613934333536
31323363666266373662626362663164653863326239303462363739383730643962333230343733 36336662306531643537333437363032643433323564643736336539393634333139633631376238
37393831383666393064626437323861353739363762346330666436356466316464393838366133 63633031646163613161626139666334623961646230366561343839653638303465323632653438
34653131653838643063396633346132336439393132353661373063623865643465306238326538 39613364326264333131636231303031643336353663386238636561373839393834376636646534
63313366386263623333636636376637383536353663643266653431626365666139393764663633 31383764623664363065626331363762623232336162383164396435613330303432616632306336
62366234376231393261646366383733633565303433353631343239313362646161663433653632 64313564636433643430336333613339666536383062383932366137636432373038333134313263
61303231616366386435666232353531306331613638633531613364663130643433336232633164 61636635613534663662353732333563366230636332326337303433356536373563663639326438
64373131303135316135376339353366313635653466663765323931616232333539333639623033 31393664643765653365363834653936336138336261313337636363323063616261336137306662
39626233316430303062336234623966376564386365613265363866666636626435306664336636 66663632663864366262363566393437313136373531313264323663373866663865396335666431
39346139316331306333666332393631306433623365303064383831643864336634303737633434 33383665346634383039393334373166396230393432623934326665663931636431646330643033
39303364633530343531373964353335333832636433313865303765393665633838316531343035 65613339623863323537626631343935333966326263323836373163633531373662393561633731
34666237353834613337353063666333353764666431376235393534613534363163333732373061 64613237363562643164613338396436303334346234343739323137616364626433666464663133
36663537363938373235326537326139366562656264393930653630383332383466333435386233 61306630626261376465636234613263366334626161353338323739643938323137633835653032
32613737303431333537326264343065306361653562633064393762643161313666663262313236 66323964663965616666626138636433323736323630303832366365663436396265333033666662
65386430306432653563623666646439376163383433653561333461383933383835373563396137 65343730336233323637356435363931346638666239363964646538343665396466646238363531
62383861393963313534616437663465333834663235356439363735633133623365383839613037 31343535393931633830326561323437643834393430646431393765336433326236313537616532
34303465363033313739373631363261313130616663336662346132653239313562386664353432 37363739373838383361616663633963373032646663333735663533356630626537326165666530
64373961663563393362303166633630343665663437373562613461343266646332313963653965 61633537336437366266303463336438373137303037383761393365366365323263643239323736
39363632313864343437333038623364323161376237386333616636303364373964343464643330 33316637643735363531643965383530643333636437363936303133373261386237386630616232
31613431313562353862306236623233636264653635643264333364336533623036356530343465 30373861313638663639653932333532306166653462616136326365616465363436363663313430
33366131333365393333373062623666663065316666363736633562363934336534313464353239 30306664626566643431353362383364633961306536663136396538313364656231363538363964
30666365303330363962653731626266376433666135333435313236386163653336386134633630 37613761326365656632323034376634316430326666306330383937393963656333666437336639
65336335346539666431643036636663643936326635636438636438646230353962646335396461 61343365343463303161336366386161363662646138316536653635383034616431356265613032
64623238343632346265376537323462316162633437633463656235626366666235653231303736 66643937333933633932376133306465373031386334373032373261643762396637396139616638
34316166363139336536396631663435386434396336346331663333353338353466346433393062 64313966393732383830646566306266663734356531336564393362613937646565663337353038
31343662316464356663356539303934633336613335373732353165366266303837303364616537 31663734616536343938393638663636653532383538313137336166633632653235323833643665
31356135313732633232343362663932656363633162623539323938643239383333306638346236 35393234633364666561653934346139353761643536313438366231646564323138393133333662
36666564323336346234313239656463626138313364656637353434303266613232353334666539 36656164333831393061653632633830383766613638353863306663356164393665373965373237
34666437356531393933656338373834303130663132303433376338643833643236333639663530 32363065326231393231343839633463326235316533636163356434313832343064396532613832
32653536643035303536353431623463353762393539363634636566396134353362633038333831 33306331623364363566663463316139336134396636653264343563623339373566656134636364
33633632666331666665373664633138323536633264653339663463326236343862656563323835 38653435333061333966396131376564386134363433643134616338343535353132633465616364
66633038346237356638646133626239336233633261626464626238636363666431646661366337 31393266313339383233363364303731653933613632363231333965653237393962646132373761
32396137303664363734666238346636653531666461306335343636303861653533356266643833 30643865626130343263656562653765343561636235333966363935333038383734363136633339
39633939666534663033336462336633636264336133633630366166356163306539613830636432 65383232313633363761303063343936613765636633663866633833303938366339373635343733
66326661646430366332363530333338373136656234613030616338383531313138666435313562 32616432343338376139313663656535373064353063643661663732633130383932373138666133
33346262353934636564613730396536333731653036303333343039393534643837663234346234 33336262316664613936633032656234353262333633626237376636383261626331346464363261
30303032623565316234343834303061303333346539636138343334663131646463363863663062 65396138653264636537346436636230613435376532383130666138373334643834303064303161
31343432383238623733346563323533636466346538616334646338366465356165613434623730 38393563336564343530373362613166636639393963383539333234613734353834306135643363
37323930623539353764643939643963353238646230396337633362363664613431303032656639 65613732376661373137353262626565613164343631336531393132333137326531353439333731
38613961633439613837636531653163383633373263343235303766613736616636613066316463 37396434626365646565613766653930613632316632363764353330313836326436313438653836
63346337383864363562373562643636343764626433383634643064313831373833356132393737 64613337626236323435393363626332383235326635323561633261396466623462623536306361
39356534623536373066663933356535356532636332343661333166663433666433363661343861 65393331343664343533356462656638636638666464353037633334323363613936353266363530
63393734656534363761313862613364616161303735323563656265323362313061343332346238 39663264356132363836343765336163653731373035653332303462383933333734363537366233
35353534663137653466396432353437333739363631373332316165663964653335363034636131 33646333653762656534663635636634663835643730386264333738323962636266653734303239
33363933333764306265306161336165306234616161313466393233363431363061633730653437 30336261323039386461303933633366316537303230336238636662396133353735653936313232
65313636366162303763663530386239343833626139643439306161623066313638323361353831 63373335313162643562393131653930383566363239613063633931376536373366346331623337
63323531353939356337613865663737373661343362353362326637666666383535633030626163 64343734333565316232356634376438306536373662316632313066336364383062653765643165
36386464326134333965623262356532353161316533626331623266623630383331313037376365 66626465636365613064323664393163636230303664666632653938633364343136343464653735
37353164306433633563386436653235616661366639343035306533643732326232366537633635 38376637646232333735633861356238646235616536336662353466346163616631613062303837
33306338386561353564643537353736663434663931343263333764633961666464373461346335 32363638383838663833633532323365663531323632313534613133306336383262306530613337
65323462313761653361343236326632393835613538616436666534363366626637376262326462 39653732323430643334366131313137653265353632643136643662626361636666326364303831
32366530383439646137383737303634613136396135633136316233326230323466383932616630 39666166623564373133323332353337623038623737303935383036613236666339306235316166
66316561333961346130306531623936376636646330373237623034633135303630353566333037 37643737386438623261653064643339663865366433376162373466653461313961383166663830
34656233316663656661623731633034643332336631356436653134366162396336643331623135 35396661396664623866346661396563363564306136333137663166323362386431663835323365
65646466633236393036383639623066663963653431343836626664383431363663653535383565 35656361353162666638626130343833303165333964613161396132613939313738396563333336
64333432343561623633316232623864386161376163333238623066636533353330336566313835 64366533646137633166383431666366643937666139653637386535363135656432363136373134
66653265346331393238343862353162383234303334626261643065656637386434636564663665 62396433316339366534303064636436646365373138376162333032383539373939376337643663
63616339663261616534376661393837343335373638366264323732353032363731376332653936 62613966646361366435366361633864373066303933633039623530336236346261323335633130
64393262346230636366336133616366646533373530356235316561643232333664343462386539 65323838323235653839656530626661343731383966623732663430313137643566343566643932
38396665626131646234613466396334346431316638333436633637353836313933656134383031 62353936666632336532326266376438346339343030666530666261386335343566336237616639
38633838323163383536323735626132323565643136663030643436303363333264373061663430 33353932326435393266336263363466633035653161363162376630343132383436336164643337
65613836313531636264633333346331343038373466653231613830383435386364636237303965 66323436376265353062373166343162353334313365313462616139393430333164323539636235
65663635633732663636333764623133373864356363313535333136613039313035663633386338 38613531393030663831663361333437313333643264353131356163313630636264313130663363
61343930323665616464643235396232393134373537616635663231343763346434626665393966 62383166396131386133626131303163323865393832663262666434623833653861353064663062
31613835666563333261373533316364346538393438636636633862353431333030623933663130 65623239356163656433363339386632303562333064613631383933323563663761343465306133
31626337303733373034666562363064373936656435636637356365386363346664306134376339 32336233303461666366336466643936396366343735363934363136393738303031386339623532
37383335646339636265656134383432396438383732303066396636373834373037663062336335 30326131383636356535343462313338303235343739623039353066653661313431333461333030
61346438636134333763346265653766396165626365633237373466346438363330633562353731 65336166623732353432633236393233313964306435633231336534643134643834626534626131
61313630373137303131326134613264356462333363643463643861666239623937636535336536 39303239366439303230316565373235616261633362633737646365316133616366643333343138
30313234623936316439643164316139386366336630616266653338383337653561656337343837 31323138343838363735663835633361663036613461336135356639396334633765643764346365
66613234363738306235316632316666376231306561653865353636373835646263393932316134 33353332326330366434313662383765653561663238653137383339626539633364336336363634
30313433613664306533386133376232323737633934396135626532323830346336353631383539 65626465666435326566363863643064363365623361633266316137643637656537663934396663
38666264343962646237313332396535643863393535303437346262613861646663303037333736 65633738613231326461373761626135373866326130356335653739636130366135363137646362
63326534313964613663376635306162653639623735633139326161323232653462343063383036 37393839346634373132316434313966653730623035633933636230643765366261373839373333
39616233613664626161663131383366663435626432626663623638646163666535316461383531 39363263376533326533663365363538383434663830646630323562333235356335373363383831
39663130646564373563323965386331353036366230343635363266323864623633663333656561 66393361663865653238643035353138623730396363333633336261363739303264336136663638
33353131623065623839396634653735396262656261323963363261643761373137616232666665 61646366323238373861386266353135333835353665333965306665613331393438313064303435
39643835383034383439393638363438633931323437613365643935383766333535643537633633 36633333366637616666386531396539303630653735373163623437396161393633636435356631
63633133303166326432613932396331356263626166343436386463376537656231656438313563 30393530323234373631393630383564306132616135646534316466336335366131663465336231
30653664383935383161303865363338393933363334653631616432643037626433356561636634 64353136663436653637613765636234343836393262323535666232326265303333646436636531
34316436383462386331393231633161383362666532363561326631613137656464306262313034 38313063373133383062333439363036663562623639333932386131353666373037623539316335
35636334623861323836326265396664373461313034343231316261616330313938333263666665 39613766383631643661353238643534646464663231663166386634636330373332653963616330
39616163346632623764666337313561626233636363343036363331663932616530346230653663 39383238386135646330336565323762326463313939386236366161356463343566376231396465
62373661306566373638383962356563323430613262326534663663383162396263306335613462 64376661633465643864663236323961653535386362656238323730326663383138613831613633
39326162663161663264626437353064306238646664376666336534326263313061393133373636 38373661666363666661313065356364353232333466386263383761323264363535643034326563
33346161376136636536393264363332633561373037326566313137366265383635376366343036 61353638646463383063616365376535366232653135653430336231353633323665373438613437
30613763633264303536396535303236353138393032336461666131356464343930656665326535 32316164643438626236613839353333316536313439306334666566623465323366633036326466
64393130376166383538353866323265303562326239626233636237626664346631646264386439 61646263396333373063383861313033393335323263393261636265613736376361393735636130
65383730333534656361366438316536613138303334343665396438336164663064373838323534 643939373434306635633963666533396439
64626631363131663462303131333735633337653335623939383264363163633765326438313965
32623662383464316133623538616139623433336435316166346336663761343536393662393733
35333938383137383863653966363837366639303634616239643235653932643132323033373238
38323734353563383133333538316236393162636237313061363663303764343533626466373137
32656561383633633166386437653361313363666334636639353833323461663030313736613831
30613832306137323637653330306637323530613935333263373338346430393265333839636566
39336662326637363038653734323230626234346433313830656264633732666430663265383031
65313864386637303563636239646633393335616231613531633762326430633231343264363236
32346662623562356432


@ -3,22 +3,13 @@
batman_ipv4: 10.90.32.11/19 batman_ipv4: 10.90.32.11/19
batman_ipv6: fdef:f10f:1337:cafe::11/64 batman_ipv6: fdef:f10f:1337:cafe::11/64
batman_algo: BATMAN_IV batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:11::11/64 global_ipv6: 2a00:9d80:6000:0101::11/64
nextnode4: 10.90.32.1 nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1 nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312 mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010 fastd_port: 10010
gateway_id: 11 gateway_id: 11
site_code: ffrgb_cty site_code: ffrgb_cty
nat_pool: 194.156.22.12-194.156.22.13
ntp_server: true


@ -8,15 +8,8 @@ nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1 nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312 mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010 fastd_port: 10010
gateway_id: 12 gateway_id: 12
site_code: ffrgb_cty site_code: ffrgb_cty
ntp_server: true


@ -3,22 +3,13 @@
batman_ipv4: 10.90.64.21/19 batman_ipv4: 10.90.64.21/19
batman_ipv6: fdef:f20f:1337:cafe::21/64 batman_ipv6: fdef:f20f:1337:cafe::21/64
batman_algo: BATMAN_IV batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:21::21/64 global_ipv6: 2a00:9d80:6000:0102::21/64
nextnode4: 10.90.64.1 nextnode4: 10.90.64.1
nextnode6: fdef:f20f:1337:cafe::1 nextnode6: fdef:f20f:1337:cafe::1
mtu: 1312 mtu: 1312
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
fastd_port: 10020 fastd_port: 10020
gateway_id: 21 gateway_id: 21
site_code: ffrgb_uml site_code: ffrgb_uml
nat_pool: 194.156.22.22-194.156.22.23
ntp_server: true


@ -10,13 +10,6 @@ mtu: 1312
fastd_port: 10020 fastd_port: 10020
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
gateway_id: 22 gateway_id: 22
site_code: ffrgb_uml site_code: ffrgb_uml
ntp_server: true


@ -3,22 +3,13 @@
batman_ipv4: 10.90.96.31/19 batman_ipv4: 10.90.96.31/19
batman_ipv6: fdef:f30f:1337:cafe::31/64 batman_ipv6: fdef:f30f:1337:cafe::31/64
batman_algo: BATMAN_IV batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:31::31/64 global_ipv6: 2a00:9d80:6000:0103::31/64
nextnode4: 10.90.96.1 nextnode4: 10.90.96.1
nextnode6: fdef:f30f:1337:cafe::1 nextnode6: fdef:f30f:1337:cafe::1
mtu: 1312 mtu: 1312
vx_wg_vni: 3120917
mesh_wg_port: 20030
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_tst }}"
fastd_port: 10030 fastd_port: 10030
gateway_id: 31 gateway_id: 31
site_code: ffrgb_tst site_code: ffrgb_tst
nat_pool: 194.156.22.32-194.156.22.33
ntp_server: true


@ -1,3 +0,0 @@
---
acertmgr_mode: standalone


@ -1,31 +0,0 @@
---
grafana_rendering: True
# yanic needs this
site_code: ffrgb_cty
yanic_publisher: true
yanic_repondd_enable: false
yanic_respondd_interface: ens18
yanic_respondd_ip: true
yanic_nodes_prune_after: 60d
yanic_nodes_offline_after: 5m
yanic_meshviewer_enable: false
yanic_nodelist_enable: true
yanic_database_delete_after: 720d
yanic_dbc_repondd_enable: false
yanic_influxdb:
- enable: true
host: http://127.0.0.1:8086
database: ffrgb
username: "admin"
password: "{{ vault_yanic_influx_pw }}"

hosts

@ -2,12 +2,8 @@
gw11.regensburg.freifunk.net gw11.regensburg.freifunk.net
gw21.regensburg.freifunk.net gw21.regensburg.freifunk.net
gw31.regensburg.freifunk.net gw31.regensburg.freifunk.net
netbox.regensburg.freifunk.net
ns1.regensburg.freifunk.net
resolver.regensburg.freifunk.net
stats.regensburg.freifunk.net
sx.regensburg.freifunk.net
tiles.regensburg.freifunk.net
web.regensburg.freifunk.net web.regensburg.freifunk.net
stats.ffrgb ansible_host=10.90.224.100
unms.ffrgb ansible_host=10.90.224.101 unms.ffrgb ansible_host=10.90.224.101
unifi.ffrgb ansible_host=10.90.224.102 unifi.ffrgb ansible_host=10.90.224.102
tiles.ffrgb ansible_host=10.90.224.103


@ -1,4 +1,4 @@
#!/usr/bin/env python3 #!/usr/bin/env python
EXAMPLES = ''' EXAMPLES = '''
# Generates a fastd key # Generates a fastd key
@ -23,7 +23,7 @@ if __name__ == '__main__':
# create file with restrictive permissions # create file with restrictive permissions
with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle: with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
# generate fastd secret # generate fastd secret
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode() secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
handle.write('secret "%s";\n' % secret) handle.write('secret "%s";\n' % secret)
changed = True changed = True
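Review bot: On the new side `secret = subprocess.check_output([...]).strip()` keeps the bytes object that check_output returns under Python 3, so the following `handle.write('secret "%s";\n' % secret)` writes the `b'...'` repr into the key file and fastd is handed an unparseable secret; the shebang change to `#!/usr/bin/env python` only avoids this while that name resolves to Python 2. Keep the decode so the module is correct under either interpreter: `secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode()`. Creating the file via `os.open(..., 0o600)` before writing the secret is the right order and should stay. The enclosing `if __name__ == '__main__':` block starts before the hunk.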


@ -1,7 +1,7 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are // Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded. // upgraded.
// //
// Lines below have the format "keyword=value,...". A // Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match // package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted // all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release // keywords are wild cards.) The keywords originate from the Release
@ -19,73 +19,50 @@
// Within lines unattended-upgrades allows 2 macros whose values are // Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version: // derived from /etc/debian_version:
// ${distro_id} Installed origin. // ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "buster") // ${distro_codename} Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern { Unattended-Upgrade::Origins-Pattern {
// Codename based matching: // Codename based matching:
// This will follow the migration of a release through different // This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable). // archives (e.g. from testing to stable and later oldstable).
// Software will be the latest available for the named release, // "o=Debian,n=jessie";
// but the Debian release itself will not be automatically upgraded. // "o=Debian,n=jessie-updates";
"origin=Debian,codename=${distro_codename}-updates"; // "o=Debian,n=jessie-proposed-updates";
// "origin=Debian,codename=${distro_codename}-proposed-updates"; // "o=Debian,n=jessie,l=Debian-Security";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
// Archive or Suite based matching: // Archive or Suite based matching:
// Note that this will silently match a different release after // Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the // migration to the specified archive (e.g. testing becomes the
// new stable). // new stable).
// "o=Debian,a=stable"; "origin=Debian,codename=${distro_codename}";
// "o=Debian,a=stable-updates"; "origin=Debian,codename=${distro_codename}-updates";
// "o=Debian,a=proposed-updates"; "origin=Debian,codename=${distro_codename}-proposed-updates";
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports"; "origin=Debian,codename=${distro_codename},label=Debian-Security";
}; };
// Python regular expressions, matching packages to exclude from upgrading // List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist { Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux- // "vim";
// "linux-"; // "libc6";
// "libc6-dev";
// Use $ to explicitely define the end of a package name. Without // "libc6-i686";
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
}; };
// This option allows you to control if on a unclean dpkg exit // This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run // unattended-upgrades will automatically run
// dpkg --force-confold --configure -a // dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed // The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true"; Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that // Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade // they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade // a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay) // is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true"; Unattended-Upgrade::MinimalSteps "true";
// Install all updates when the machine is shutting down // Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running. // instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower. // This will (obviously) make shutdown slower
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s. Unattended-Upgrade::InstallOnShutdown "false";
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades // Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you // If empty or unset then no email is sent, make sure that you
@ -93,20 +70,11 @@ Unattended-Upgrade::Package-Blacklist {
// 'mailx' must be installed. E.g. "user@example.com" // 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root"; Unattended-Upgrade::Mail "root";
// Set this value to one of: // Set this value to "true" to get emails only on errors. Default
// "always", "only-on-error" or "on-change" // is to always send a mail if Unattended-Upgrade::Mail is set
// If this is not set, then any legacy MailOnlyOnError (boolean) value Unattended-Upgrade::MailOnlyOnError "true";
// is used to chose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";
// Remove unused automatically installed kernel-related packages // Do automatic removal of new unused dependencies after the upgrade
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove) // (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true"; Unattended-Upgrade::Remove-Unused-Dependencies "true";
@ -114,8 +82,7 @@ Unattended-Upgrade::Remove-Unused-Dependencies "true";
// the file /var/run/reboot-required is found after the upgrade // the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false"; Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in // Automatically reboot even if there are users currently logged in.
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; //Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific // If automatic reboot is enabled and needed, reboot at the specific
@ -125,40 +92,10 @@ Unattended-Upgrade::Automatic-Reboot "false";
// Use apt bandwidth limit feature, this example limits the download // Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec // speed to 70kb/sec
//Acquire::http::Dl-Limit "70"; Acquire::http::Dl-Limit "200";
// Enable logging to syslog. Default is False // Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false"; // Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon // Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon"; // Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
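Review bot: `"origin=Debian,codename=${distro_codename}-proposed-updates";` in the Origins-Pattern block is active rather than commented, so if proposed-updates is enabled in sources.list, unattended-upgrades will install packages that have not yet been accepted into a point release; on a production gateway that is a stability risk the file does not call out. Unless proposed-updates is deliberately wanted, comment it like the other optional patterns: `// "origin=Debian,codename=${distro_codename}-proposed-updates";`. Note also that `Unattended-Upgrade::Mail "root"` combined with `MailOnlyOnError "true"` means such an install produces no mail at all, so the log is the only trace; if proposed-updates stays, a comment stating that trade-off above the line would help.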


@ -3,18 +3,21 @@
- name: Configure apt not to install recommends packages - name: Configure apt not to install recommends packages
copy: src=apt-recommends.conf dest=/etc/apt/apt.conf.d/40recommends copy: src=apt-recommends.conf dest=/etc/apt/apt.conf.d/40recommends
- name: Install apt related tools - name: Install apt https transport plugin
apt: apt: name=apt-transport-https
name:
- apt-transport-https - name: Install debian-goodies for checkrestart
apt: name={{ item }}
with_items:
- debian-goodies - debian-goodies
- gnupg2
- lsof - lsof
- unattended-upgrades
- name: Configure periodic apt updates - name: Configure periodic apt updates
copy: src=apt-periodic.conf dest=/etc/apt/apt.conf.d/10periodic copy: src=apt-periodic.conf dest=/etc/apt/apt.conf.d/10periodic
- name: Install unattended-upgrades
apt: name=unattended-upgrades
- name: Configure unattended-upgrades - name: Configure unattended-upgrades
copy: src=unattended-upgrades.conf dest=/etc/apt/apt.conf.d/50unattended-upgrades copy: src=unattended-upgrades.conf dest=/etc/apt/apt.conf.d/50unattended-upgrades
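Review bot: The `Install debian-goodies for checkrestart` task passes `name={{ item }}` with `with_items`, so apt is driven one package per iteration; Ansible squashes this into a single call only with a deprecation warning, and ansible-lint flags the pattern. Passing the list to `name:` is one transaction and also lets `unattended-upgrades` (installed separately two tasks later, still before its config is copied) join the same call. Only the package-install part is shown; the two config copies stay as they are.
```yaml
- name: Install apt tooling
  apt:
    name:
      - apt-transport-https
      - debian-goodies
      - lsof
      - unattended-upgrades
# … unchanged: periodic and unattended-upgrades config copies …
```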


@ -8,4 +8,4 @@
- { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 } - { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
- { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 } - { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
- { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 } - { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 32768 } - { key: 'net.ipv6.neigh.default.gc_thresh3', value: 8192 }


@ -0,0 +1,4 @@
---
- name: 'Reload systemd'
systemd: daemon_reload=yes



@ -1,13 +1,7 @@
--- ---
- name: Restart chrony
service: name=chrony state=restarted
- name: Restart journald - name: Restart journald
service: name=systemd-journald state=restarted service: name=systemd-journald state=restarted
- name: update-grub
command: update-grub
- name: update-initramfs - name: update-initramfs
command: update-initramfs -u -k all command: update-initramfs -u -k all


@ -1,79 +0,0 @@
---
- name: Install misc software
apt:
name:
- ca-certificates
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- wget
- zsh
- fail2ban
- name: Install software on KVM VMs
apt:
name:
- acpid
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- name: Set shell for root user
user: name=root shell=/bin/zsh
- name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
notify: update-initramfs
- name: Enable serial console on KVM VMs
lineinfile:
path: "/etc/default/grub"
state: "present"
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
notify: update-grub
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
- name: Configure journald retention
lineinfile:
path: "/etc/systemd/journald.conf"
state: "present"
regexp: "^#?MaxRetentionSec=.*"
line: "MaxRetentionSec=7day"
notify: Restart journald
- name: Set logrotate.conf to daily
replace:
path: "/etc/logrotate.conf"
regexp: "(?:weekly|monthly)"
replace: "daily"
- name: Set logrotate.conf rotation to 7
replace:
path: "/etc/logrotate.conf"
regexp: "rotate [0-9]+"
replace: "rotate 7"


@ -1,25 +0,0 @@
---
- name: Install misc software
apt:
name:
- dnsutils
- htop
- ipmitool
- less
- rsync
- vim-nox
- wget
- zsh
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- name: Set shell for root user
user: name=root shell=/bin/zsh


@ -1,11 +0,0 @@
---
- name: Install chrony
apt: name=chrony
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony
- name: Start chrony
service: name=chrony state=started enabled=yes


@ -1,21 +1,75 @@
--- ---
- name: Cleanup - name: Install misc software
apt: autoclean=yes apt: name={{ item }}
when: ansible_os_family == "Debian" with_items:
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- zsh
- fail2ban
- name: Gather package facts - name: Install software on KVM VMs
package_facts: apt: name={{ item }}
manager: apt with_items:
when: ansible_os_family == "Debian" - acpid
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Proxmox - name: Configure misc software
include: Proxmox.yml copy: src={{ item.src }} dest={{ item.dest }}
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages diff: no
with_items:
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Debian - name: Set shell for root user
include: Debian.yml user: name=root shell=/bin/zsh
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
- name: Setup chrony - name: Disable hibernation/resume
include: chrony.yml copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
notify: update-initramfs
- name: use new-style network interface names
file: path=/etc/systemd/network/{{ item }} state=absent
with_items:
- 50-virtio-kernel-names.link
- 99-default.link
notify: update-initramfs
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: '^.*auth\s+required\s+pam_wheel.so$'
line: 'auth required pam_wheel.so'
- name: Configure journald retention
lineinfile:
path: "/etc/systemd/journald.conf"
state: "present"
regexp: "^#?MaxRetentionSec=.*"
line: "MaxRetentionSec=7day"
notify: Restart journald
- name: Set logrotate.conf to daily
replace:
path: "/etc/logrotate.conf"
regexp: "(?:weekly|monthly)"
replace: "daily"
- name: Set logrotate.conf rotation to 7
replace:
path: "/etc/logrotate.conf"
regexp: "rotate [0-9]+"
replace: "rotate 7"
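Review bot: `use new-style network interface names` deletes `50-virtio-kernel-names.link` and `99-default.link` and only notifies `update-initramfs`, so on the next reboot interfaces move from kernel names (`eth0`) to predictable names; anything that still references the old name outside this role (`/etc/network/interfaces`, firewall rules, the batman/fastd bridge) loses its interface and nothing here checks for that. At minimum document the expectation, e.g. `# interfaces are renamed on next boot: network config must already use predictable names (ens*/enp*)`, or gate the task behind a per-host variable that is set once the host's network config has been converted. The `Prevent normal users from running su` task depends on pam_wheel falling back to gid 0 because Debian ships no `wheel` group (see pam_wheel(8)); a one-line comment, `# no wheel group on Debian: pam_wheel falls back to group root`, would spare the next reader the lookup.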


@ -1,53 +0,0 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
{% if ntp_server is defined and ntp_server is true %}
allow 10.90.0.0/16
allow 2001:678:ddc::/48
{% endif -%}
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys
# This directive specify the file into which chronyd will store the rate
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Log files location.
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC


@ -2,5 +2,5 @@
dhcpd_interfaces: br-{{ site_code }} dhcpd_interfaces: br-{{ site_code }}
dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}" dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}" dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
name_server: "{{ batman_ipv4 | ipaddr('address') }}" name_server: "{{ batman_ipv4 | ipaddr('address') }}"


@ -2,7 +2,7 @@
# option definitions common to all supported networks... # option definitions common to all supported networks...
option domain-name "{{ site_domain }}"; option domain-name "{{ site_domain }}";
option domain-name-servers {{ nextnode4 }}, {{ name_server }}; option domain-name-servers {{nextnode4}}, {{ name_server }};
local-address {{ batman_ipv4 | ipaddr('address') }}; local-address {{ batman_ipv4 | ipaddr('address') }};


@ -1,13 +1,7 @@
--- ---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns - name: Restart powerdns
service: name={{ item }} state=restarted service: name={{ item }} state=restarted
with_items: with_items:
- pdns - pdns
- pdns-recursor - pdns-recursor
- name: Restart dnsdist
service: name=dnsdist state=restarted

28
roles/dns/tasks/main.yml Normal file

@ -0,0 +1,28 @@
---
- name: Install powerdns
apt: name={{ item }}
with_items:
- pdns-backend-bind
- pdns-recursor
- pdns-server
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
- name: Configure powerdns
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
tags: dns
notify: Restart powerdns
with_items:
- bind/ffrgb.zone
- bind/90.10.in-addr.arpa.zone
- bindbackend.conf
- pdns.conf
- recursor.conf
- name: Start the powerdns services
service: name={{ item }} state=started enabled=yes
with_items:
- pdns
- pdns-recursor
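Review bot: `Configure powerdns` notifies `Restart powerdns` for every templated item, including the two zone files, so a single record change restarts both `pdns` and `pdns-recursor` and briefly breaks resolution for mesh clients even though the recursor's configuration is untouched. Split the loop so the zone files and `bindbackend.conf` notify a `pdns`-only handler (or a `pdns_control reload`), and let only `recursor.conf` trigger the recursor restart; the handler itself lives in the role's handlers file, not in this hunk. `file: path=/etc/powerdns/bind/ state=directory` takes the default mode; an explicit `mode: '0755'` documents that the zone directory is intentionally world-readable.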


@ -12,6 +12,12 @@ launch=bind
# local-address=0.0.0.0 # local-address=0.0.0.0
local-address=127.0.0.1 local-address=127.0.0.1
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
################################# #################################
# local-port The port on which we listen # local-port The port on which we listen
# #


@ -25,17 +25,19 @@ forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
################################# #################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports. # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
# #
local-address=127.0.0.1 local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}
################################# #################################
# local-port port to listen on # local-port port to listen on
# #
local-port=5353 local-port=53
################################# #################################
# query-local-address Source IP address for sending queries # query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
# #
query-local-address=::,0.0.0.0 {% if global_ipv6 is defined %}
query-local-address6={{ global_ipv6 | ipaddr('address') }}
{% endif %}
################################# #################################
# quiet Suppress logging of questions and answers # quiet Suppress logging of questions and answers
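Review bot: `local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}` with `local-port=53` exposes the recursor on the mesh addresses, but no `allow-from` is set in this hunk; pdns-recursor's default `allow-from` covers loopback, RFC1918 and ULA/link-local only, so IPv6 mesh clients using the site's global prefix would be REFUSED, while widening it to `0.0.0.0/0,::/0` would make the box an open resolver usable for reflection if the batman addresses are reachable from outside the mesh. Set it explicitly to the mesh prefixes, e.g. `allow-from=127.0.0.0/8,::1/128,10.90.0.0/16,2001:678:ddc::/48` (the ranges the chrony template allows elsewhere in this compare; confirm against the site vars), unless an `allow-from` line exists further up the file outside this hunk.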


@ -1,4 +0,0 @@
---
- name: Restart powerdns
service: name=pdns state=restarted


@ -1,22 +0,0 @@
---
- name: Install powerdns
apt:
name:
- pdns-server
- pdns-backend-sqlite3
- sqlite3
- name: Configure powerdns
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
notify: Restart powerdns
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/powerdns.sqlite3
creates: /var/lib/powerdns/powerdns.sqlite3
- name: Start the powerdns services
service: name=pdns state=started enabled=yes


@ -1,35 +0,0 @@
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
# allow-axfr-ips=127.0.0.0/8,::1
allow-axfr-ips=127.0.0.1,::1,{{ dns_slaves | join(',') }}
#################################
# dname-processing If we should support DNAME records
#
# dname-processing=no
dname-processing=yes
#################################
# launch Which backends to launch and order to query them in
#
# launch=
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
#################################
# master Act as a master
#
# master=no
master=yes
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
only-notify=
# security-poll-suffix Domain name from which to query security update notifications
#
security-poll-suffix=


@ -1,10 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns
service: name=pdns-recursor state=restarted
- name: Restart dnsdist
service: name=dnsdist state=restarted


@ -1,4 +0,0 @@
---
dependencies:
- { role: acertmgr }


@ -1,35 +0,0 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-recursor
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Configure powerdns
template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
notify: Restart powerdns
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns-recursor


@ -1,15 +0,0 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'


@ -1,24 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')
addLocal('{{ ansible_default_ipv6.address }}')
setACL({'0.0.0.0/0', '::/0'})
addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')


@ -1,53 +0,0 @@
# {{ ansible_managed }}
#################################
# allow-from If set, only allow these comma separated netmasks to recurse
#
#allow-from=127.0.0.0/8
#################################
# config-dir Location of configuration directory (recursor.conf)
#
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
#
# dnssec=process-no-validate
dnssec=off
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1
#################################
# local-port port to listen on
#
local-port=5353
#################################
# query-local-address Source IP address for sending queries
#
query-local-address=::,0.0.0.0
#################################
# quiet Suppress logging of questions and answers
#
quiet=yes
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns


@ -1,47 +0,0 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-backend-bind
- pdns-recursor
- pdns-server
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
- name: Configure powerdns
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
notify: Restart powerdns
with_items:
- bind/ffrgb.zone
- bind/90.10.in-addr.arpa.zone
- bindbackend.conf
- pdns.conf
- recursor.conf
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns
- pdns-recursor


@ -1,15 +0,0 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'


@ -1,20 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ batman_ipv4 | ipaddr('address') }}')
addLocal('{{ batman_ipv6 | ipaddr('address') }}')
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')


@ -1,10 +1,17 @@
--- ---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian buster stable'
filename: docker
- name: Install docker - name: Install docker
apt: apt:
name: name:
- docker.io - docker-ce
- python3-docker - docker-ce-cli
- containerd.io
- name: Enable docker - python-docker
service: name=docker state=started enabled=yes
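Review bot: `apt_key: url='https://download.docker.com/linux/debian/gpg'` imports whatever key that URL serves into the host-wide apt keyring with no `id:` fingerprint pin, so the key is trusted for every repository on the host and a compromised download path would be accepted silently. Pin `id:` to the fingerprint Docker publishes in its install documentation and, better, fetch the key to `/usr/share/keyrings/docker.gpg` and reference it with `[signed-by=/usr/share/keyrings/docker.gpg]` in the `repo:` string so its trust is scoped to that one repository. `repo: 'deb https://download.docker.com/linux/debian buster stable'` also hard-codes the suite; `{{ ansible_distribution_release }}` keeps it correct when a host runs another release. Unlike the older task list, nothing here ensures the docker service is started and enabled; Debian's package presumably does that on install, but an explicit `service` task would make it a checked invariant rather than an assumption.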


@ -0,0 +1,4 @@
---
conntrack_max: 131072
fastd_instances: 3


@ -4,14 +4,12 @@
:INPUT ACCEPT [1:136] :INPUT ACCEPT [1:136]
:OUTPUT ACCEPT [2:472] :OUTPUT ACCEPT [2:472]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }} -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
COMMIT COMMIT
*filter *filter
:INPUT ACCEPT [1124:131621] :INPUT ACCEPT [1124:131621]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min -A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT -A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [1151:175226] :OUTPUT ACCEPT [1151:175226]


@ -1,13 +1,9 @@
# {{ ansible_managed }} # {{ ansible_managed }}
*filter *filter
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min -A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT -A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -m limit --limit 200/sec -j ACCEPT
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -j DROP
COMMIT COMMIT


@ -1,5 +0,0 @@
---
conntrack_max: 131072
fastd_instances: 3
nat_pool: "{{ ansible_default_ipv4.address }}"


@ -1,7 +1,4 @@
--- ---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart fastd-exporter - name: Restart fastd-exporter
service: name=fastd-exporter state=restarted service: name=fastd-exporter state=restarted


@ -0,0 +1,4 @@
---
dependencies:
- { role: common-handlers }


@ -1,8 +1,5 @@
--- ---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart fastd - name: Restart fastd
service: name=fastd@{{ site_code }}{{ item }} state=restarted service: name=fastd@{{ site_code }}{{ item }} state=restarted
with_sequence: start=0 count={{ fastd_instances }} with_sequence: start=0 count={{ fastd_instances }}


@ -0,0 +1,4 @@
---
dependencies:
- { role: common-handlers }


@ -11,6 +11,7 @@ interface "vpn-{{ site_code }}{{ item }}";
method "null"; method "null";
method "salsa2012+umac"; method "salsa2012+umac";
method "xsalsa20-poly1305";
secure handshakes yes; secure handshakes yes;
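Review bot: The method list starts with `method "null";` ahead of the two authenticated ciphers, and nothing in the template says that offering unencrypted, unauthenticated payload is intentional. As I read fastd's negotiation the first mutually supported method wins, so any peer that also lists null gets plaintext mesh traffic through this gateway; if that is the deliberate Freifunk throughput trade-off it deserves a comment above the first method line, e.g. `# null first on purpose: mesh payload is not treated as confidential and nodes prefer it for throughput; as far as I can tell the key-based peer check in the handshake is unaffected. The authenticated methods stay for peers that refuse null.` The new `method "xsalsa20-poly1305";` line should likewise say which node firmware it is kept for. The enclosing interface block begins before this hunk.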


@ -1,4 +0,0 @@
---
dependencies:
- { role: go }

7
roles/git/tasks/main.yml Normal file

@ -0,0 +1,7 @@
---
- name: Install git
apt: name=git
- name: Install ca-certificates
apt: name=ca-certificates
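Review bot: Style: the two apt tasks in this new role each install a single package via the old `key=value` argument string; one task with a package list in block YAML is what ansible-lint's rules generally push toward and halves the apt invocations. I would collapse them into `- name: Install git and CA bundle`, `apt:`, `name: [git, ca-certificates]`. A one-line header comment stating why the role exists (presumably so other roles can clone over https, given the ca-certificates pairing) would also help, since that dependency is otherwise not obvious.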


@ -1,3 +0,0 @@
---
grafana_rendering: False


@ -1,38 +1,10 @@
--- ---
- name: Retrieve Grafana Key and avoid apt_key - name: Enable grafana apt-key
block: apt_key: url='https://packages.grafana.com/gpg.key'
- name: grafana |no apt key
ansible.builtin.get_url:
url: https://apt.grafana.com/gpg.key
dest: /usr/share/keyrings/grafana.key
- name: Enable grafana repository - name: Enable grafana repository
apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main" apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
- name: Install grafana - name: Install grafana
apt: name=grafana apt: name=grafana
- name: Install grafana rendering dependencies
apt:
name:
- libxdamage1
- libxext6
- libxi6
- libxtst6
- libnss3
- libnss3
- libcups2
- libxss1
- libxrandr2
- libasound2
- libatk1.0-0
- libatk-bridge2.0-0
- libpangocairo-1.0-0
- libpango-1.0-0
- libcairo2
- libatspi2.0-0
- libgtk3.0-cil
- libgdk3.0-cil
- libx11-xcb-dev
when: grafana_rendering
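Review bot: `apt_key: url='https://packages.grafana.com/gpg.key'` trusts whatever key the URL serves and imports it into apt's global keyring, so that key can then sign packages for every configured repository, not only Grafana's, and nothing pins the fingerprint. The smallest fix is to supply the published key ID so the module checks what it fetched, `apt_key: url='https://packages.grafana.com/gpg.key' id=<fingerprint from Grafana's docs>`; the better fix is to store the key under /usr/share/keyrings and reference it with `[signed-by=...]` in the `apt_repository` line so its trust is scoped to that one repository. TLS on the download URL protects transport only; apt's signature verification is what protects package contents, so the fingerprint pin is the part that matters.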


@ -1,23 +0,0 @@
---
- name: Import Influxdb GPG siging key with store
ansible.builtin.get_url:
url: "https://repos.influxdata.com/influxdata-archive_compat.key"
dest: /etc/apt/trusted.gpg.d/influxdb.key
checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
- name: Convert key
ansible.builtin.command:
argv:
- gpg
- --dearmor
- /etc/apt/trusted.gpg.d/influxdb.key
creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
- name: Enable InfluxDB repository
ansible.builtin.apt_repository:
repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
state: present
- name: Install influxdb
apt: name=influxdb


@ -1,7 +0,0 @@
---
- name: Reload interfaces
command: /sbin/ifreload -a
- name: Reload systemd
systemd: daemon_reload=yes


@ -1,9 +1,8 @@
[Unit] [Unit]
Description=Network initialization Description=ifupdown2 networking initialization
Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8) Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
DefaultDependencies=no DefaultDependencies=no
After=local-fs.target network-pre.target Before=network.target shutdown.target network-online.target
Before=shutdown.target network.target network-online.target
Conflicts=shutdown.target Conflicts=shutdown.target
[Service] [Service]
@ -11,7 +10,6 @@ Type=oneshot
RemainAfterExit=yes RemainAfterExit=yes
SyslogIdentifier=networking SyslogIdentifier=networking
TimeoutStopSec=30s TimeoutStopSec=30s
EnvironmentFile=/etc/default/networking
ExecStart=/usr/share/ifupdown2/sbin/start-networking start ExecStart=/usr/share/ifupdown2/sbin/start-networking start
ExecStop=/usr/share/ifupdown2/sbin/start-networking stop ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
ExecReload=/usr/share/ifupdown2/sbin/start-networking reload ExecReload=/usr/share/ifupdown2/sbin/start-networking reload
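Review bot: The unit now carries only `Before=` ordering together with `DefaultDependencies=no`, so nothing orders ifupdown2 after local filesystems or after `network-pre.target`; a firewall unit that hooks `network-pre.target` (the systemd convention for loading netfilter rules before interfaces come up — I cannot see from here whether this repo's iptables templates are loaded that way) may then run after the mesh bridge is already forwarding. I would add to [Unit]: `Wants=network-pre.target` and `After=local-fs.target network-pre.target`. Dropping `EnvironmentFile=/etc/default/networking` also means that file is no longer read, which is fine only if nothing in it was relied on; a line in the commit message would settle that.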


@ -0,0 +1,4 @@
---
dependencies:
- { role: common-handlers }


@ -1,13 +1,10 @@
--- ---
- name: Install dependencies - name: Install dependencies
apt: apt: name=python-pkg-resources
name:
- bridge-utils
# work-around to get a version new enough not to screw up forwarding setting on all interfaces
- name: Install ifupdown2 - name: Install ifupdown2
apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb apt: name=ifupdown2 state=latest
- name: Uninstall ifupdown - name: Uninstall ifupdown
apt: name=ifupdown state=absent apt: name=ifupdown state=absent
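Review bot: `apt: name=ifupdown2 state=latest` upgrades the package that rewrites every interface on the gateway whenever the playbook runs, so a routine run can change interface behaviour without anyone having asked for it, and the `403` skip added to the lint pipeline in this compare merely silences the warning about that. Prefer `apt: name=ifupdown2` (state present by default) with the tested version pinned in a role variable, e.g. `name=ifupdown2={{ ifupdown2_version }}`, so an upgrade is an explicit, reviewable change. If latest is really wanted, a comment above the task saying why would at least document the risk.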


@ -14,8 +14,6 @@ iface br-{{ site_code }}
{% if global_ipv6 is defined %} {% if global_ipv6 is defined %}
address {{ global_ipv6 }} address {{ global_ipv6 }}
{% endif %} {% endif %}
#
post-up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
# bat-{{ site_code }} # bat-{{ site_code }}
auto bat-{{ site_code }} auto bat-{{ site_code }}
@ -23,14 +21,18 @@ iface bat-{{ site_code }}
hwaddress f2:00:90:00:{{ gateway_id }}:20 hwaddress f2:00:90:00:{{ gateway_id }}:20
mtu 1500 mtu 1500
# #
batman-hop-penalty 5
batman-ifaces dmy-{{ site_code }} batman-ifaces dmy-{{ site_code }}
batman-ifaces-ignore-regex .*_.* batman-ifaces-ignore-regex .*_.*
batman-routing-algo {{ batman_algo }}
# #
post-up /usr/sbin/batctl meshif bat-{{ site_code }} gw server # TODO use batman-xyz instead of batctl
post-up /usr/sbin/batctl meshif bat-{{ site_code }} hp 5 # see /usr/share/ifupdown2/addons/batman_adv.py
post-up /usr/sbin/batctl meshif bat-{{ site_code }} it 5000 #
post-up /usr/sbin/batctl meshif bat-{{ site_code }} mff 1 up /usr/sbin/batctl -m bat-{{ site_code }} gw_mode server 100000 100000
up /usr/sbin/batctl -m bat-{{ site_code }} it 5000
up /usr/sbin/batctl -m bat-{{ site_code }} multicast_mode 0
up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}
up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
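Review bot: `up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}` runs after the interface already exists, and as far as I recall `batctl ra` only sets the default algorithm for interfaces created afterwards (it writes the module's routing_algo parameter), so bat-{{ site_code }} keeps whatever algorithm it was created with and the variable is silently ignored. Set it before creation instead — either the ifupdown2 batman addon's `batman-routing-algo {{ batman_algo }}` option the TODO already points at, or an `options batman_adv routing_algo={{ batman_algo }}` line under /etc/modprobe.d deployed before the interface comes up. The `up echo 2 > .../brport/multicast_router` line also assumes bat-{{ site_code }} is already enslaved to the bridge when this stanza's up commands run; if the bridge stanza above is what adds the port, that ordering should be checked on a cold boot. The interface stanza continues past the end of this hunk.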
# dmy-{{ site_code }} # dmy-{{ site_code }}


@ -1 +0,0 @@
OK


@ -1,25 +0,0 @@
---
- name: Install wireguard
apt: name=wireguard-tools
- name: Create wireguard config directory
file:
path: /etc/wireguard
state: directory
mode: 0700
- name: Configure wireguard options
template: src=wg.conf.j2 dest=/etc/wireguard/wg-{{ site_code }}.conf mode=0600
notify: Reload interfaces
- name: Configure mesh interfaces
template: src=mesh_wg.conf.j2 dest=/etc/network/interfaces.d/mesh_wg.conf
notify: Reload interfaces
- name: Install wgskex
apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
- name: Install ping endpoint
copy: src=ping dest=/var/www/html/ping


@ -1,21 +0,0 @@
# {{ ansible_managed }}
# vx-{{ site_code }}
auto vx-{{ site_code }}
iface vx-{{ site_code }}
mtu 1350
vxlan-physdev wg-{{ site_code }}
pre-up ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
up ip link set vx-{{ site_code }} up
post-up batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
down ip link set vx-{{ site_code }} down
post-down ip -6 link del vx-{{ site_code }}
# wg-{{ site_code }}
auto wg-{{ site_code }}
iface wg-{{ site_code }}
address fe80::{{ gateway_id }}/128
ipv6-addrgen no
pre-up ip link add dev wg-{{ site_code }} type wireguard
pre-up wg setconf wg-{{ site_code }} /etc/wireguard/wg-{{ site_code }}.conf
post-up ip link set wg-{{ site_code }} mtu 1420


@ -1,3 +0,0 @@
[Interface]
PrivateKey = {{ mesh_wg_privkey }}
ListenPort = {{ mesh_wg_port }}


@ -1,5 +0,0 @@
---
netbox_group: netbox
netbox_user: netbox
netbox_version: 4.1.8


@ -1,13 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart netbox
service: name=netbox state=restarted
- name: Restart netbox-rq
service: name=netbox-rq state=restarted


@ -1,152 +0,0 @@
---
- name: Create group
group: name={{ netbox_group }}
- name: Create user
user: name={{ netbox_user }} home=/home/{{ netbox_user }} group={{ netbox_group }}
- name: Install dependencies
apt:
name:
- build-essential
- libffi-dev
- libpq-dev
- libssl-dev
- libxml2-dev
- libxslt1-dev
- python3-setuptools
- python3-dev
- python3-pip
- python3-venv
- zlib1g-dev
- name: Install PostgreSQL
apt:
name:
- postgresql
- python3-psycopg2
- name: Configure PostgreSQL user
postgresql_user:
name: "{{ netbox_dbuser }}"
password: "{{ netbox_dbpass }}"
become: true
become_user: postgres
- name: Configure PostgreSQL database
postgresql_db:
name: "{{ netbox_dbname }}"
owner: "{{ netbox_dbuser }}"
become: true
become_user: postgres
- name: Install redis
apt: name=redis-server
- name: Unpack netbox
unarchive:
src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
dest: /opt
remote_src: yes
creates: "/opt/netbox-{{ netbox_version }}"
register: netbox_unarchive
- name: Configure netbox
template:
src: configuration.py.j2
dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
notify: Restart netbox
- name: Configure gunicorn
template:
src: gunicorn.py.j2
dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
- name: Netbox file permissions
file:
path: "/opt/netbox-{{ netbox_version }}"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
recurse: yes
- name: Fix psycopg variant
lineinfile:
path: "/opt/netbox-{{ netbox_version }}/requirements.txt"
regexp: '^psycopg\[.*,pool\]==(.*)$'
line: 'psycopg[binary,pool]==\1'
backrefs: yes
register: netbox_psycopg_fix
- name: Run upgrade script
command:
cmd: ./upgrade.sh
chdir: "/opt/netbox-{{ netbox_version }}"
become: true
become_user: "{{ netbox_user }}"
when: netbox_unarchive.changed or netbox_psycopg_fix.changed
# TODO - still manual work
# * Create a super user
# * Migrate media files
- name: Install netbox housekeeping cronjob
template:
src: netbox-housekeeping.sh.j2
dest: /etc/cron.daily/netbox-housekeeping.sh
mode: 0755
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
-days 730 -subj "/CN={{ netbox_domain }}"
creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ netbox_domain }}"
when: "'kitchen' in group_names"
- name: Configure certificate manager for netbox
template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template:
src: vhost.j2
dest: /etc/nginx/sites-available/netbox
owner: root
mode: "0644"
notify: Restart nginx
- name: Enable vhost
file:
src: /etc/nginx/sites-available/netbox
dest: /etc/nginx/sites-enabled/netbox
state: link
notify: Restart nginx
- name: Install systemd units
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
with_items:
- netbox
- netbox-rq
notify:
- Reload systemd
- Restart netbox
- Restart netbox-rq
- name: Enable services
service: name={{ item }} state=started enabled=yes
with_items:
- netbox
- netbox-rq


@ -1,15 +0,0 @@
---
{{ netbox_domain }}:
- path: /etc/nginx/ssl/{{ netbox_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ netbox_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'


@ -1,212 +0,0 @@
#########################
# #
# Required settings #
# #
#########################
# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
#
# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
ALLOWED_HOSTS = ['{{ netbox_domain }}']
# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
# https://docs.djangoproject.com/en/stable/ref/settings/#databases
DATABASE = {
'NAME': '{{ netbox_dbname }}', # Database name
'USER': '{{ netbox_dbuser }}', # PostgreSQL username
'PASSWORD': '{{ netbox_dbpass }}', # PostgreSQL password
'HOST': 'localhost', # Database server
'PORT': '', # Database port (leave blank for default)
'CONN_MAX_AGE': 300, # Max database connection age
}
# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
# to use two separate database IDs.
REDIS = {
'tasks': {
'HOST': 'localhost',
'PORT': 6379,
# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 0,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
},
'caching': {
'HOST': 'localhost',
'PORT': 6379,
# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 1,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
}
}
# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
# symbols. NetBox will not run without this defined. For more information, see
# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
SECRET_KEY = '{{ netbox_secret }}'
#########################
# #
# Optional settings #
# #
#########################
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
# application errors (assuming correct email settings are provided).
ADMINS = [
# ('John Doe', 'jdoe@example.com'),
]
# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
# BASE_PATH = 'netbox/'
BASE_PATH = ''
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
CORS_ORIGIN_ALLOW_ALL = False
CORS_ORIGIN_WHITELIST = [
# 'https://hostname.example.com',
]
CORS_ORIGIN_REGEX_WHITELIST = [
# r'^(https?://)?(\w+\.)?example\.com$',
]
# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
# on a production system.
DEBUG = False
# Email settings
EMAIL = {
'SERVER': 'localhost',
'PORT': 25,
'USERNAME': '',
'PASSWORD': '',
'USE_SSL': False,
'USE_TLS': False,
'TIMEOUT': 10, # seconds
'FROM_EMAIL': '',
}
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
EXEMPT_VIEW_PERMISSIONS = [
# 'dcim.site',
# 'dcim.region',
# 'ipam.prefix',
]
# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
# HTTP_PROXIES = {
# 'http': 'http://10.10.1.10:3128',
# 'https': 'http://10.10.1.10:1080',
# }
# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
# NetBox from an internal IP.
INTERNAL_IPS = ('127.0.0.1', '::1')
# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
# https://docs.djangoproject.com/en/stable/topics/logging/
LOGGING = {}
# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
# authenticated to NetBox indefinitely.
LOGIN_PERSISTENCE = False
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
# are permitted to access most data in NetBox but not make any changes.
LOGIN_REQUIRED = True
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
# re-authenticate. (Default: 1209600 [14 days])
LOGIN_TIMEOUT = None
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
# the default value of this setting is derived from the installed location.
# MEDIA_ROOT = '/opt/netbox/netbox/media'
# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
# STORAGE_CONFIG = {
# 'AWS_ACCESS_KEY_ID': 'Key ID',
# 'AWS_SECRET_ACCESS_KEY': 'Secret',
# 'AWS_STORAGE_BUCKET_NAME': 'netbox',
# 'AWS_S3_REGION_NAME': 'eu-west-1',
# }
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
METRICS_ENABLED = False
# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = []
# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
# PLUGINS_CONFIG = {
# 'my_plugin': {
# 'foo': 'bar',
# 'buzz': 'bazz'
# }
# }
# Remote authentication support
REMOTE_AUTH_ENABLED = False
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
# version check or use the URL below to check for release in the official NetBox repository.
RELEASE_CHECK_URL = None
# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
# this setting is derived from the installed location.
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
# Maximum execution time for background tasks, in seconds.
RQ_DEFAULT_TIMEOUT = 300
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
# this setting is derived from the installed location.
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
# The name to use for the session cookie.
SESSION_COOKIE_NAME = 'sessionid'
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
SESSION_FILE_PATH = None
# Time zone (default: UTC)
TIME_ZONE = 'Europe/Berlin'
# Date/time formatting. See the following link for supported formats:
# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
DATE_FORMAT = 'N j, Y'
SHORT_DATE_FORMAT = 'Y-m-d'
TIME_FORMAT = 'g:i a'
SHORT_TIME_FORMAT = 'H:i:s'
DATETIME_FORMAT = 'N j, Y g:i a'
SHORT_DATETIME_FORMAT = 'Y-m-d H:i'


@ -1,16 +0,0 @@
# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
bind = '127.0.0.1:8001'
# Number of gunicorn workers to spawn. This should typically be 2n+1, where
# n is the number of CPU cores present.
workers = 5
# Number of threads per worker process
threads = 3
# Timeout (in seconds) for a request to complete
timeout = 120
# The maximum number of requests a worker can handle before being respawned
max_requests = 5000
max_requests_jitter = 500


@ -1,9 +0,0 @@
#!/bin/sh
# This shell script invokes NetBox's housekeeping management command, which
# intended to be run nightly. This script can be copied into your system's
# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
# within the cron configuration file.
#
# If NetBox has been installed into a nonstandard location, update the paths
# below.
/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping


@ -1,21 +0,0 @@
[Unit]
Description=NetBox Request Queue Worker
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -1,22 +0,0 @@
[Unit]
Description=NetBox WSGI Service
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
PIDFile=/var/tmp/netbox.pid
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -1,38 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ netbox_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ netbox_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ netbox_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ netbox_domain }}.crt;
location /static/ {
alias /opt/netbox-{{ netbox_version }}/netbox/static/;
}
location / {
client_max_body_size 32M;
proxy_pass http://localhost:8001;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
}


@ -1,3 +0,0 @@
---
nginx_anonymize: False


@ -47,32 +47,7 @@ http {
# Logging Settings # Logging Settings
## ##
{% if nginx_anonymize %}
map $remote_addr $ip_anonym1 {
default 0.0.0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
"~(?P<ip>[^:]+:[^:]+):" $ip;
}
map $remote_addr $ip_anonym2 {
default .0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
"~(?P<ip>[^:]+:[^:]+):" ::;
}
map $ip_anonym1$ip_anonym2 $ip_anonymized {
default 0.0.0.0;
"~(?P<ip>.*)" $ip;
}
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log anonymized;
{% else %}
access_log /var/log/nginx/access.log; access_log /var/log/nginx/access.log;
{% endif %}
error_log /var/log/nginx/error.log; error_log /var/log/nginx/error.log;
## ##


@ -30,7 +30,7 @@
- /etc/nginx/dhparam.pem - /etc/nginx/dhparam.pem
- name: Configure nginx - name: Configure nginx
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf copy: src=nginx.conf dest=/etc/nginx/nginx.conf
notify: Restart nginx notify: Restart nginx
- name: Configure default vhost - name: Configure default vhost
@ -41,7 +41,7 @@
- name: Ensure network and dns are available before nginx - name: Ensure network and dns are available before nginx
lineinfile: lineinfile:
dest: /lib/systemd/system/nginx.service dest: /lib/systemd/system/nginx.service
line: "After=network-online.target remote-fs.target nss-lookup.target" line: "After=network-online.target nss-lookup.target"
regexp: "^After=" regexp: "^After="
- name: Start nginx - name: Start nginx
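Review bot: The lineinfile task edits the packaged unit at /lib/systemd/system/nginx.service, which the next nginx package upgrade overwrites, and the new `After=network-online.target nss-lookup.target` value is ordering only: without `Wants=network-online.target` that target is not pulled into the boot transaction, so nginx can still start before the network is up. A drop-in under /etc/systemd/system/nginx.service.d survives upgrades and lets you add the Wants as well; it needs the directory created and a daemon-reload (the common-handlers role added in this compare provides `Reload systemd`, assuming the nginx role depends on it). Sketch below; the `Start nginx` task that follows is unchanged.
```yaml
- name: Create nginx systemd drop-in directory
  file:
    path: /etc/systemd/system/nginx.service.d
    state: directory
    mode: "0755"
- name: Ensure network and dns are available before nginx
  copy:
    dest: /etc/systemd/system/nginx.service.d/override.conf
    content: |
      [Unit]
      Wants=network-online.target
      After=network-online.target nss-lookup.target
  notify: Reload systemd
# … unchanged: Start nginx task …
```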


@ -1,4 +1,4 @@
--- ---
node_exporter_version: 1.2.0 node_exporter_version: 1.0.1
node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz


@ -1 +1 @@
OPTIONS="--web.config=/etc/node_exporter/web-config.yml" OPTIONS=""


@ -1,7 +1,4 @@
--- ---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart node_exporter - name: Restart node_exporter
service: name=node_exporter state=restarted service: name=node_exporter state=restarted


@ -0,0 +1,4 @@
---
dependencies:
- { role: common-handlers }


@ -9,27 +9,6 @@
- name: Configure node_exporter - name: Configure node_exporter
copy: src=node_exporter dest=/etc/default/node_exporter copy: src=node_exporter dest=/etc/default/node_exporter
- name: Create configuration directory
file: path=/etc/node_exporter state=directory
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/node_exporter/{{ ansible_fqdn }}.key
-out /etc/node_exporter/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/node_exporter/{{ ansible_fqdn }}.crt
notify: Restart node_exporter
- name: Ensure correct certificate permissions
file: path=/etc/node_exporter/{{ ansible_fqdn }}.key owner=node_exporter mode=0400
notify: Restart node_exporter
- name: Configure node_exporter TLS
template: src=web-config.yml.j2 dest=/etc/node_exporter/web-config.yml
notify: Restart node_exporter
- name: Install systemd unit - name: Install systemd unit
template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
notify: notify:
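Review bot: With the certificate and web-config tasks gone, the `/etc/default/node_exporter` file this section copies holds `OPTIONS=""` on the new side, so node_exporter serves plaintext metrics with no authentication on its default listen address, and the filter template in this same compare leaves the INPUT policy at ACCEPT — unless a rule outside my view restricts port 9100, host metrics are readable from the mesh and from the public side. At minimum bind it to the address Prometheus scrapes from, `OPTIONS="--web.listen-address=<scrape address>:9100"`, or add an INPUT rule that accepts 9100 only from the Prometheus host and rejects it otherwise. A comment in the defaults file stating which of the two protections is in place would keep the next change from quietly removing it. The task list continues past the end of this hunk.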


@ -1,6 +0,0 @@
tls_server_config:
cert_file: /etc/node_exporter/{{ ansible_fqdn }}.crt
key_file: /etc/node_exporter/{{ ansible_fqdn }}.key
basic_auth_users:
prometheus: {{ prometheus_node_pass | password_hash('bcrypt', 'supersecret1salt1value') }}
