

No commits in common. "master" and "master" have entirely different histories.

129 changed files with 1926 additions and 4436 deletions


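--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,4 +0,0 @@
-skip_list:
-- meta-no-info
-- package-latest
-- risky-file-permissions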


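--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,11 +0,0 @@
----
-name: playbook
-kind: pipeline
-type: docker
-steps:
-- name: lint
-image: cytopia/ansible-lint:latest
-commands:
-- ansible-lint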

.gitignore vendored

@ -2,4 +2,3 @@
__pycache__
site.retry
*.pyc
ff-ansible.code-workspace


@ -3,11 +3,11 @@ Ansible Freifunk Regensburg
## Requirements
The python packages netaddr and passlib are required on the host running ansible.
The python package netaddr is required on the host running ansible.
The vault password must be stored in `.vault_pass`.
The *only* supported distributions to deploy roles on is debian buster.
The *only* supported distributions to deploy roles on is debian stretch and buster (stretch may be too old for prometheus).
## Running Ansible


@ -1,6 +1,5 @@
[defaults]
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
interpreter_python = auto
inventory = ./hosts
library = ./library
nocows = 1


@ -2,20 +2,6 @@
acertmgr_mode: webdir
dnsdist_targets:
- gw11.regensburg.freifunk.net:8053
- gw21.regensburg.freifunk.net:8053
- gw31.regensburg.freifunk.net:8053
- resolver.regensburg.freifunk.net:8053
dns_slaves:
- 195.201.117.207
- 2a01:4f8:1c0c:7dda::1
- 213.166.224.14
- 2a02:958:0:1::e
- 213.166.225.14
- 2a02:958:0:1::1:e
fastd_targets:
- gw11.regensburg.freifunk.net:9281
- gw21.regensburg.freifunk.net:9281
@ -39,24 +25,15 @@ gre_matrix:
- { id: 26, a: gw21, b: gw31 }
# - { id: 33, a: gw22, b: gw31 }
netbox_domain: netbox.ffrgb
netbox_dbname: netbox
netbox_dbuser: netbox
netbox_dbpass: "{{ vault_netbox_dbpass }}"
netbox_secret: "{{ vault_netbox_secret }}"
node_targets:
- gw11.regensburg.freifunk.net:9100
- gw21.regensburg.freifunk.net:9100
- gw31.regensburg.freifunk.net:9100
- ns1.regensburg.freifunk.net:9100
- resolver.regensburg.freifunk.net:9100
- stats.regensburg.freifunk.net:9100
- web.regensburg.freifunk.net:9100
- stats.ffrgb:9100
- unms.ffrgb:9100
- unifi.ffrgb:9100
- tiles.ffrgb:9100
- netbox.ffrgb:9100
ntp_servers:
- 0.de.pool.ntp.org
@ -64,10 +41,6 @@ ntp_servers:
- 2.de.pool.ntp.org
- 3.de.pool.ntp.org
prometheus_dnsdist_pass: "{{ vault_prometheus_dnsdist_pass }}"
prometheus_node_pass: "{{ vault_prometheus_node_pass }}"
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"


@ -1,151 +1,128 @@
$ANSIBLE_VAULT;1.1;AES256
36396532616163303161303134326565316637343336613531663031376439303930306532373063
3765313339353437393633373035663661623461343132380a373536646632346364663662626665
37373532633937623030393735383164376233383838613635353565333763626430616630636536
6635373636383462610a326662393234333166373834323834353537363239616639343531616339
63383939313735653364383137346166306639633637636137353832666333633963633363663265
39356136613639643135633534636264393838376431336462363030363463643232663534313261
64373861313135623264316135646234376230653863633863366538353736653964363137303533
63623730396338643738313432343962666461653136333361383033623161376662346165626338
33356162376536303363343363343830383365323737636334323632306261336538356639306632
39333166353830386537383033396465343461396330386238653961386237336234376533633931
64653331326263343063306230653265643731323732353437643161383238376664636562383561
31376561373130636561366333306139636533363933313566363537363238343462323539313439
30393035643138666435393237383039623735353963353039323966666130393638306565333631
64653432623664346637656134643963323233376535333731653466633064306365306164643337
61306661356531623737386439373465636339643435343838393863333034383437343832383134
64666332613865306438643830376665623435376632373362356363343339363533303433313939
33623636616334646536663333383031396666376562366335656666363233636265643435383334
39656432383035323334373639326535306237643336663232633566663837663466383331336261
32383238353137333731386331623264633338373964653261643865353162623232393930333432
38323065343865643135653535623934613634636465333865353465326139613130376134396132
62366539396432633935663930663063363536393331393666616438396231643938306139313033
31623237646135633237343566646436363864303334373861306430626131366430666634303862
34663163373263366561306336336535656465326633613535343665343361373936346431363538
34303565336132646461656135623463373832396533316132313139303133303565616434663138
62663561663530363834623130313464623465653139343033313132366665636535666639323162
62316666643532353166373430633832643434356664346337633738623739353835313539666130
66633931306330363532363630626162353066316565643235636162393532393234646230363131
37666166393666313661663863643866656236313935356131313230313861636631643034643662
64393866633064383164643365363038626536663831393432363661383736306663356563313734
63363363363531623634363835363364303137646335373662313764323263306539386435663631
39396234623064636531653063326562383235333865393935376265393932633763613838343733
34353663313462313437316534663239353535313434646431663862393561613264626634643864
31633734633963346634376165343435666538313932343230343237363839323764633835623337
62653466376265343639343064366461653964303337363561306138363534613036376338373266
65376432396234383661653330613465623735373834393836646439616634613865323236666264
31336363373063346231376164663930336539633363306633393938643234373065343164613738
30343831383432343931336633633830653736303061383634666337613930396262393334663561
38343232613361333564653362306139346130643530373938366332396535636630353536646336
37623962353933326561346636303338333934356230356363303938613566343365626431633134
35636432396166653835643234396662663463313063636564663835326366613739313531356431
36353664316461396366356233623236373230616534393136626231376436343538326163623764
66306264643562316563323062323637383131363062373362613061363736353430363137623161
32356630363866383064626538313739663335633235646435663134396537316165383334333464
33626430303630663565396665383265313663643264616566646639376134646233336332373264
33613462663539666432646666303533343837636438373261303232663864626566373732316339
64646564633930653437646137656466343135326562626531353265666134656665396163636534
33343135393237363234336363656263666530396635386132663530386631363066663234363265
66343264343837396165626138373835656237626236626130316134303131353539313732666463
30373661666232646438393662653535373433353762376264666536306130613531616462313830
35626461633538343261623636373236333336636436343438626338316236373039303737386438
39316433353739633264336535653561383039313734646139393961653537313562633266363338
38336236363166393964336461323430393639393866653337366564636538396338656339626136
35396566616634656137653438306136663831326166663338323531336364646332646162323430
38383234653565623062636135333136613039663362623230366364343635356234386631373664
33373965393033336235356266336331306366613065396139316363316133616265646232623762
32346331616236663231326631366364393735303163626335643730656233353236636633303939
63383965353137363062313265623733313338613966643563363466396333356262643065363666
66346333366566376336366662363632623536356564313334343135633136663632656262323334
64336135373163383339336664346632646535386536386361386336363138373130316438663062
37353231663130303838333932323532653365323238333737643866356163383032393934346530
33636565326138613963396432323838663037366463343633613730613339343266373233393063
38656264613530373262333937313037373431326665356339313638323334346464623936643035
33616630336464396531396365366462333265313239323966633563656332373164623536303963
31633437343130613039303131363264623232633232656332653138333161666233376233316639
33386636336263333463636438383231666466373934323235326366356263633563393664383939
35326562656166616264313937636432643265636565623335326237333432343238383536303735
38643333383834343633366366373639323738613433326665633362316563306161386230653363
33386463323765663838326331666433313563343266623063363962373961333064343964393439
38633036376138383936663031343835353865333635653861653131383535343939356631656532
62656464623263626464613365386234353632303734643631633435626133383538376136643335
31333430643839666238373561643966633334653361373336306266383631663537303265316564
37633633363933353931653830306663393766303363333535313737346239613366326536653530
34643166663333663066373735376266306635306132383134653161646337333161356234366533
34323461653763386636653665353362323565396535326366663639313437616663376332616630
33323531623935383639623635323662636239386631623361613066616134396565306565393161
62313235316264663261306461623032373938336661653534383835303638333831613232316564
65333135383761373937626534663633633936396532313263396338393462623830396538313464
61333966373930626135663839633766383332656564366639386130323061363137333065653433
36313434326234386466643730663939376461633334646133363763303561373862633565663634
65646237346636636230313136633136623236646239323937373163616230636264326534373263
36333035643663626239306363636635336237373761333239363937633932363936663832396438
34346662633265326365383866383864356563393431363137333564326466613832666663633539
33666638393337336633613032623739633836663831353762653437323733336230396333643733
65663462346166653534323533376431356535316238363639613636383663306635343836376365
64363765393863363038363739353239633934343138636564343562316131313933616363356237
66306230613863633038313161613861653138656433623031313534666139393535383163366339
36393138323838656139653163393965356131633961623930623637663839383564633534336565
30643334353537306637636263633331306162316565633630303636323833636234336264316361
36613833653565613562363763336633323236393836653466356638646166333661653431376463
32363638616433643264323938616262383663653334323931346639633836333462333663376364
32663838663534626565376661656663643162626137363431363461313864623732613764333664
39626232333534326364613838376434666635313731646533363635386230333036336533633034
31323132343230646631626131663436356263626563323934643765666462343234653038383564
64393739663035636266663539326661303262383966323634333234363233656465396665613636
38623063336337383931343931333565623261313638613235633230623638623863616238316662
33376135646535656434323732656362343834663530316437333630373230303136303137306637
31343266386535346362383032376635386132636138333765616361653463316239303536316262
35623062316533656661356462643864383536303835346235353339663238386532343064636233
66363566623663353265616434336163396336336263613030623134653361363732323738313363
61343232656233363433626334306433626566616537376537663930613738386663393035373533
64656639326165666138343361613637653166316330393665643533333466613861653232333138
66316464336465653062376261643238323761383161623933353433613266646537623639396666
32343735323833383365313539333138656230306134343631666232653965663264656635343061
38353162383364323538366666666365316432393939333663366664356364633939653837346431
35383063393664656539393763313735663638343863616431306566356332343935653631646536
66643130613266636331663762303962643434653532336531396165303638303831393561376633
36613537333163633837666530356163343733313631633962326365363063663261333061376135
39363532366638343430643664663863653666663064386562616434313831633032316238393963
38346564306438653865663937633037373961636630653530643936326333316433636334333935
65326434316435313364666364613138306630356234393839313031373536336539623132653634
30336332323932323863353139303835643865313466356637303032393437636531313330666536
34333565376635633863303066376330313362303836366666313530336430343939313466633135
32373238363031396665656536646236393133376435633638303238636663313738353532393236
38633831633039616430343932343066303837303161653166623761343033386437303231393931
65353334666164343337363035616162383635623838343662323430326639633834366666393663
31356138366666333563653738653032646633316537326333306133333435623132306236373963
37326435373064386131383938353465373239323434366339343364646565393131643335366530
35346465616330346232656239643165663438386339663136336362356437653334326335666564
38326436623239393833393838656335336565666536386164356535633363363836323966343663
66323563616564623165373730353238353063393362653964316338333932636333353064333761
61626432383233323630626465393461393130363232383565646631343464363138323763656637
35653964386434653335666335373932646133653966626430656636626461646263383464643666
61396265333465343039653333646661383165356335633532623165323364363630386335373935
34363739636432366565366265373038643633613739363266653531623032333030303437346665
63333666623536353238616636633065393562623566376461336262363665323866376666303930
66393533353766373732326231373732663766393034326538643063393037316239653838333738
35636539393966343866613932663230663638653862643934616539393436383639356339633133
32643836356136353436623738613133353631313936643165376265373638343838396665356166
39303661646265653436396131613536386236613938323739363863633766303365636466376637
38353837633239643166383931323961383362343831633835643930613465346335656566326434
63303565366161373062343162616536653165373537363331353639303230663265643335356330
30333263623431666135393931626431626362366562626431623434613633643062373961663361
65343135353536643863316161326635333038643634396230353465646238356234653034323638
39353365306230313031336337313637336233623865666439653861643637663732386461333432
61333831306539303439373634376566363861393830333665366238666364653637343364313865
30643564363739346566636565636363386533663434653761386565316266333436623031333134
33616464323165393331326665633235326231623365373236303335353837663739373165346139
65633066343530303335336362343838356565343638313133646339353235633661636361303934
65636332383130333036316138393235353363623061613130383431323735626136636334343439
39363764386639626432366534363839613366336139363439343066333933366537373333336465
32363334326463323261303562633034383233653438643764633231373761326334336561623832
37663763343933386165313665646234626263616136343366663834323739343934343833616336
38616636396438386539303637646134393865363235616465613665616439653730613039306265
36366433356362363537653838626133656430333132666635306137663134333139323565363531
33656433393031386537353766366638393433363031616632323962353933666232653563313830
38656565376630396235656533313731656666363762386339613534613236656533366161653866
61633965366135376264316264393964343035306330623739643338306362633838373434306335
34313636373930623663666362633736653363353461616639323261646235653266383837393036
34626466623666643465326465343833336338343964666537623431313639656136373339643834
6531336131373761336363393133626166376263663037666231
36303531356238623563383536313866333234626534333764393330613338323437633133333933
6664636362396636366362363236383763653561366236370a336538353466333830326166353833
38616339376634616533376262623839653063666633306537353065303436636130376335336631
3432623039316431330a656664386662633362356137666661323438386333386632343864336663
36623430663333393434393464633633376431333736396165343964663137373366343262373262
62343237623763363961313666333364386364353732383061623937663731653037386562383339
39623633666336356666626134333935356265303035616135303532396632323861366233373936
61356363613161653263323737343866323538623039643230373765353337376631643362633639
32346239353462363239393862643665373663646530343837313132616166346662326339316635
35313465343631333939376165313661616133363565666439336163326132633137363166383831
62613832373839383234356463323761613036666331306434353165653639616336633638396633
61363333376239623738386262653165643335343436303634366536363338386138313235313562
34303332626239323235613532396435646632353132613962363961383536666131306533306566
64306364393266633635363162323133656363633862326231366161633138343765343564646236
66666535613764613964633164333063306263353931646532346136663839646533643230666362
65343432353838383832306331333832386363613566373461323033643963616237663165366636
36336266353664353136323237383237663363613035653664303634633266333565303833356238
62623538623861653135633666613034363766306263323262663631383961333932313837333339
38313439636262313563326232323937323163373532306464333662363362613064313638353338
34633766623962326464393564316563663764326462316232653935383463343163613532623931
33653136636634373939386439623661383432616534333061626232303266343666383335346666
34323336366232363563626139316666353433343236626334366138656334646338623338316439
32323833656430373831616661613662353465376664633233333666373766356666373839336232
65346637616539616330356138323865646433346339363130343366363731343262393538336466
30316565303133343762666165626533343135633937323162653964626535343962653636636163
36323066393039333531626434383830666665326563376638656238393439373033653763386131
65316265626130643335333362363232613733633835633234316565303532623766653032303332
33386661326362626538393033396430303564653737346339643966623337653661376633623166
66313162316131326364393731346336626663626564343662343334616533616537633765376463
64303939313639613665353035336536373436646436373038633233313330663965386665326234
37326338333262313461373765306163646233303930633838636563313138646461656130666234
33383232336333373965666630386131326137666633623231633739646435363532393432323330
33393431616630336139393236636533383537623162376636393365663733626565306661386665
65613536313032646636623334656266336531383733306361363536616661336236353735343535
31353738346332643465383735636666326532623166373962376563633861376361663663393030
31316366346531376635386335366564373530303664323934383930356530356265623530356461
31656461663637373238303737383263353065326333383564346532376261316130346461373230
31633939313061663235326331613061383033313131633330303238363135303637363133663637
61653439633534633234366164313665356265323931346234646163333463366466613934333536
36336662306531643537333437363032643433323564643736336539393634333139633631376238
63633031646163613161626139666334623961646230366561343839653638303465323632653438
39613364326264333131636231303031643336353663386238636561373839393834376636646534
31383764623664363065626331363762623232336162383164396435613330303432616632306336
64313564636433643430336333613339666536383062383932366137636432373038333134313263
61636635613534663662353732333563366230636332326337303433356536373563663639326438
31393664643765653365363834653936336138336261313337636363323063616261336137306662
66663632663864366262363566393437313136373531313264323663373866663865396335666431
33383665346634383039393334373166396230393432623934326665663931636431646330643033
65613339623863323537626631343935333966326263323836373163633531373662393561633731
64613237363562643164613338396436303334346234343739323137616364626433666464663133
61306630626261376465636234613263366334626161353338323739643938323137633835653032
66323964663965616666626138636433323736323630303832366365663436396265333033666662
65343730336233323637356435363931346638666239363964646538343665396466646238363531
31343535393931633830326561323437643834393430646431393765336433326236313537616532
37363739373838383361616663633963373032646663333735663533356630626537326165666530
61633537336437366266303463336438373137303037383761393365366365323263643239323736
33316637643735363531643965383530643333636437363936303133373261386237386630616232
30373861313638663639653932333532306166653462616136326365616465363436363663313430
30306664626566643431353362383364633961306536663136396538313364656231363538363964
37613761326365656632323034376634316430326666306330383937393963656333666437336639
61343365343463303161336366386161363662646138316536653635383034616431356265613032
66643937333933633932376133306465373031386334373032373261643762396637396139616638
64313966393732383830646566306266663734356531336564393362613937646565663337353038
31663734616536343938393638663636653532383538313137336166633632653235323833643665
35393234633364666561653934346139353761643536313438366231646564323138393133333662
36656164333831393061653632633830383766613638353863306663356164393665373965373237
32363065326231393231343839633463326235316533636163356434313832343064396532613832
33306331623364363566663463316139336134396636653264343563623339373566656134636364
38653435333061333966396131376564386134363433643134616338343535353132633465616364
31393266313339383233363364303731653933613632363231333965653237393962646132373761
30643865626130343263656562653765343561636235333966363935333038383734363136633339
65383232313633363761303063343936613765636633663866633833303938366339373635343733
32616432343338376139313663656535373064353063643661663732633130383932373138666133
33336262316664613936633032656234353262333633626237376636383261626331346464363261
65396138653264636537346436636230613435376532383130666138373334643834303064303161
38393563336564343530373362613166636639393963383539333234613734353834306135643363
65613732376661373137353262626565613164343631336531393132333137326531353439333731
37396434626365646565613766653930613632316632363764353330313836326436313438653836
64613337626236323435393363626332383235326635323561633261396466623462623536306361
65393331343664343533356462656638636638666464353037633334323363613936353266363530
39663264356132363836343765336163653731373035653332303462383933333734363537366233
33646333653762656534663635636634663835643730386264333738323962636266653734303239
30336261323039386461303933633366316537303230336238636662396133353735653936313232
63373335313162643562393131653930383566363239613063633931376536373366346331623337
64343734333565316232356634376438306536373662316632313066336364383062653765643165
66626465636365613064323664393163636230303664666632653938633364343136343464653735
38376637646232333735633861356238646235616536336662353466346163616631613062303837
32363638383838663833633532323365663531323632313534613133306336383262306530613337
39653732323430643334366131313137653265353632643136643662626361636666326364303831
39666166623564373133323332353337623038623737303935383036613236666339306235316166
37643737386438623261653064643339663865366433376162373466653461313961383166663830
35396661396664623866346661396563363564306136333137663166323362386431663835323365
35656361353162666638626130343833303165333964613161396132613939313738396563333336
64366533646137633166383431666366643937666139653637386535363135656432363136373134
62396433316339366534303064636436646365373138376162333032383539373939376337643663
62613966646361366435366361633864373066303933633039623530336236346261323335633130
65323838323235653839656530626661343731383966623732663430313137643566343566643932
62353936666632336532326266376438346339343030666530666261386335343566336237616639
33353932326435393266336263363466633035653161363162376630343132383436336164643337
66323436376265353062373166343162353334313365313462616139393430333164323539636235
38613531393030663831663361333437313333643264353131356163313630636264313130663363
62383166396131386133626131303163323865393832663262666434623833653861353064663062
65623239356163656433363339386632303562333064613631383933323563663761343465306133
32336233303461666366336466643936396366343735363934363136393738303031386339623532
30326131383636356535343462313338303235343739623039353066653661313431333461333030
65336166623732353432633236393233313964306435633231336534643134643834626534626131
39303239366439303230316565373235616261633362633737646365316133616366643333343138
31323138343838363735663835633361663036613461336135356639396334633765643764346365
33353332326330366434313662383765653561663238653137383339626539633364336336363634
65626465666435326566363863643064363365623361633266316137643637656537663934396663
65633738613231326461373761626135373866326130356335653739636130366135363137646362
37393839346634373132316434313966653730623035633933636230643765366261373839373333
39363263376533326533663365363538383434663830646630323562333235356335373363383831
66393361663865653238643035353138623730396363333633336261363739303264336136663638
61646366323238373861386266353135333835353665333965306665613331393438313064303435
36633333366637616666386531396539303630653735373163623437396161393633636435356631
30393530323234373631393630383564306132616135646534316466336335366131663465336231
64353136663436653637613765636234343836393262323535666232326265303333646436636531
38313063373133383062333439363036663562623639333932386131353666373037623539316335
39613766383631643661353238643534646464663231663166386634636330373332653963616330
39383238386135646330336565323762326463313939386236366161356463343566376231396465
64376661633465643864663236323961653535386362656238323730326663383138613831613633
38373661666363666661313065356364353232333466386263383761323264363535643034326563
61353638646463383063616365376535366232653135653430336231353633323665373438613437
32316164643438626236613839353333316536313439306334666566623465323366633036326466
61646263396333373063383861313033393335323263393261636265613736376361393735636130
643939373434306635633963666533396439


@ -3,20 +3,13 @@
batman_ipv4: 10.90.32.11/19
batman_ipv6: fdef:f10f:1337:cafe::11/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:11::11/64
global_ipv6: 2a00:9d80:6000:0101::11/64
nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010
gateway_id: 11
site_code: ffrgb_cty
ntp_server: true


@ -8,15 +8,8 @@ nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010
gateway_id: 12
site_code: ffrgb_cty
ntp_server: true


@ -3,20 +3,13 @@
batman_ipv4: 10.90.64.21/19
batman_ipv6: fdef:f20f:1337:cafe::21/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:21::21/64
global_ipv6: 2a00:9d80:6000:0102::21/64
nextnode4: 10.90.64.1
nextnode6: fdef:f20f:1337:cafe::1
mtu: 1312
fastd_port: 10020
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
gateway_id: 21
site_code: ffrgb_uml
ntp_server: true


@ -10,13 +10,6 @@ mtu: 1312
fastd_port: 10020
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
gateway_id: 22
site_code: ffrgb_uml
ntp_server: true


@ -3,22 +3,13 @@
batman_ipv4: 10.90.96.31/19
batman_ipv6: fdef:f30f:1337:cafe::31/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:31::31/64
global_ipv6: 2a00:9d80:6000:0103::31/64
nextnode4: 10.90.96.1
nextnode6: fdef:f30f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3120917
mesh_wg_port: 20030
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_tst }}"
fastd_port: 10030
gateway_id: 31
site_code: ffrgb_tst
nat_pool: 194.156.22.32-194.156.22.33
ntp_server: true


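--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,3 +0,0 @@
----
-acertmgr_mode: standalone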


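--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,31 +0,0 @@
----
-grafana_rendering: True
-# yanic needs this
-site_code: ffrgb_cty
-yanic_publisher: true
-yanic_repondd_enable: false
-yanic_respondd_interface: ens18
-yanic_respondd_ip: true
-yanic_nodes_prune_after: 60d
-yanic_nodes_offline_after: 5m
-yanic_meshviewer_enable: false
-yanic_nodelist_enable: true
-yanic_database_delete_after: 720d
-yanic_dbc_repondd_enable: false
-yanic_influxdb:
-- enable: true
-host: http://127.0.0.1:8086
-database: ffrgb
-username: "admin"
-password: "{{ vault_yanic_influx_pw }}"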

hosts

@ -2,11 +2,8 @@
gw11.regensburg.freifunk.net
gw21.regensburg.freifunk.net
gw31.regensburg.freifunk.net
ns1.regensburg.freifunk.net
resolver.regensburg.freifunk.net
stats.regensburg.freifunk.net
web.regensburg.freifunk.net
stats.ffrgb ansible_host=10.90.224.100
unms.ffrgb ansible_host=10.90.224.101
unifi.ffrgb ansible_host=10.90.224.102
tiles.ffrgb ansible_host=10.90.224.103
netbox.ffrgb ansible_host=10.90.224.104


@ -1,4 +1,4 @@
#!/usr/bin/env python3
#!/usr/bin/env python
EXAMPLES = '''
# Generates a fastd key
@ -23,7 +23,7 @@ if __name__ == '__main__':
# create file with restrictive permissions
with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
# generate fastd secret
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode()
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
handle.write('secret "%s";\n' % secret)
changed = True
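Review bot: With the `.decode()` dropped, `secret` is the raw bytes returned by `check_output(...).strip()`, so under Python 3 `handle.write('secret "%s";\n' % secret)` writes `secret "b'...'";` and fastd cannot load the resulting key file; keep `.decode()` (or pass `universal_newlines=True` to `check_output`), and since the first hunk also changes the shebang to `#!/usr/bin/env python`, which interpreter runs is left to each target host, so `#!/usr/bin/env python3` should stay. This page prints old then new, so the hunk appears to remove the decode; if the compare direction is the reverse, the same point applies to the other history. Separately, `os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)` applies the 0600 mode only when it creates the file and does not truncate an existing one, so if the existence check that presumably lives outside the hunk is ever bypassed, a pre-existing file keeps its old mode and any trailing bytes; `os.O_WRONLY | os.O_CREAT | os.O_EXCL` fails closed instead. The `if __name__ == '__main__':` block begins outside the hunk.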


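--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,3 +0,0 @@
----
-acertmgr_version: "{{ lookup('url', 'https://raw.githubusercontent.com/moepman/acertmgr/master/version.txt') | trim }}"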


@ -8,9 +8,16 @@
- python3-yaml
- python3-pkg-resources
- name: Find current acertmgr version
get_url:
url: "https://raw.githubusercontent.com/moepman/acertmgr/master/version.txt"
dest: /tmp/acertmgr.version
vars:
ansible_connection: local
- name: Install acertmgr
apt:
deb: "https://github.com/moepman/acertmgr/releases/download/{{ acertmgr_version }}/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
deb: "https://github.com/moepman/acertmgr/releases/download/{{ lookup('file', '/tmp/acertmgr.version') }}/python3-acertmgr_{{ lookup('file', '/tmp/acertmgr.version') }}-1_all.deb"
- name: Create config directories
file:
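Review bot: The `Install acertmgr` task hands `apt: deb:` a URL built from whatever `version.txt` on the upstream `master` branch says at run time, so the package that lands on every gateway is selected by an unpinned remote file and is never checksum-verified (the `lookup('url') | trim` form it replaces had the same gap; only the intermediate file is new). Pin `acertmgr_version` in the role defaults, fetch the `.deb` with `get_url` and a `checksum:` value, and point `apt: deb:` at the downloaded path; that also removes `/tmp/acertmgr.version`, which is written on the controller into a shared, predictable path once per host and then re-read through `lookup('file', ...)`. If the version must stay dynamic, at least create the file under a `tempfile`-generated path with `run_once: true` rather than a fixed name in `/tmp`. The `Create config directories` task continues outside the hunk.
```yaml
# … unchanged: apt package list above …
- name: Download acertmgr package
  get_url:
    url: "https://github.com/moepman/acertmgr/releases/download/{{ acertmgr_version }}/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
    dest: "/var/cache/apt/archives/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
- name: Install acertmgr
  apt:
    deb: "/var/cache/apt/archives/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
```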


@ -1,7 +1,7 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format "keyword=value,...". A
// Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
@ -19,73 +19,50 @@
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "buster")
// ${distro_codename} Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// Software will be the latest available for the named release,
// but the Debian release itself will not be automatically upgraded.
"origin=Debian,codename=${distro_codename}-updates";
// "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
// "o=Debian,n=jessie";
// "o=Debian,n=jessie-updates";
// "o=Debian,n=jessie-proposed-updates";
// "o=Debian,n=jessie,l=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
"origin=Debian,codename=${distro_codename}";
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
// Python regular expressions, matching packages to exclude from upgrading
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux-
// "linux-";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::MinimalSteps "true";
// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
@ -93,29 +70,19 @@ Unattended-Upgrade::Package-Blacklist {
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
// Automatically reboot even if there are users currently logged in.
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
@ -125,40 +92,10 @@ Unattended-Upgrade::Automatic-Reboot "false";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
Acquire::http::Dl-Limit "200";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";


@ -3,18 +3,21 @@
- name: Configure apt not to install recommends packages
copy: src=apt-recommends.conf dest=/etc/apt/apt.conf.d/40recommends
- name: Install apt related tools
apt:
name:
- apt-transport-https
- debian-goodies
- gnupg2
- lsof
- unattended-upgrades
- name: Install apt https transport plugin
apt: name=apt-transport-https
- name: Install debian-goodies for checkrestart
apt: name={{ item }}
with_items:
- debian-goodies
- lsof
- name: Configure periodic apt updates
copy: src=apt-periodic.conf dest=/etc/apt/apt.conf.d/10periodic
- name: Install unattended-upgrades
apt: name=unattended-upgrades
- name: Configure unattended-upgrades
copy: src=unattended-upgrades.conf dest=/etc/apt/apt.conf.d/50unattended-upgrades
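Review bot: `apt: name={{ item }}` with `with_items` in the debian-goodies/lsof task runs one apt transaction per package (newer Ansible no longer squashes apt loops), so the list should be handed to the module directly: `apt:` / `name:` / `- debian-goodies` / `- lsof`. The same loop shape appears in the misc software tasks (`Install misc software`, `Install software on KVM VMs`) and in roles/dns/tasks/main.yml (`Install powerdns`, `Start the powerdns services`). Also worth checking on this side: `gnupg2` is no longer installed here, while the docker and grafana tasks use `apt_key: url=`, which needs a gpg binary on the target if nothing else provides one.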


@ -8,4 +8,4 @@
- { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
- { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
- { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 32768 }
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 8192 }
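Review bot: Lowering `net.ipv6.neigh.default.gc_thresh3` to 8192 gives IPv6 the same hard neighbour-cache ceiling as IPv4 although mesh clients typically hold several IPv6 addresses each (link-local plus global), so on a bridge with many clients the kernel's neighbour-table-overflow condition is reached earlier and reachability degrades for everyone, a state a single misbehaving client can also bring about. If the reduction is intentional, record the sizing assumption next to the value, e.g. `# sized for expected mesh clients x IPv6 addresses per client; revisit as the bridge grows`; otherwise keep the larger value. The sysctl list starts outside this hunk, so the matching gc_thresh1/2 values for IPv6 (2048/4096) are context and unchanged.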



@ -1,39 +1,38 @@
---
- name: Install misc software
apt:
name:
- ca-certificates
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- zsh
- fail2ban
apt: name={{ item }}
with_items:
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- zsh
- fail2ban
- name: Install software on KVM VMs
apt:
name:
- acpid
- qemu-guest-agent
apt: name={{ item }}
with_items:
- acpid
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user
user: name=root shell=/bin/zsh
@ -52,8 +51,8 @@
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
regexp: '^.*auth\s+required\s+pam_wheel.so$'
line: 'auth required pam_wheel.so'
- name: Configure journald retention
lineinfile:


@ -2,5 +2,5 @@
dhcpd_interfaces: br-{{ site_code }}
dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
name_server: "{{ batman_ipv4 | ipaddr('address') }}"


@ -2,7 +2,7 @@
# option definitions common to all supported networks...
option domain-name "{{ site_domain }}";
option domain-name-servers {{ nextnode4 }}, {{ name_server }};
option domain-name-servers {{nextnode4}}, {{ name_server }};
local-address {{ batman_ipv4 | ipaddr('address') }};


@ -1,13 +1,7 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns
service: name={{ item }} state=restarted
with_items:
- pdns
- pdns-recursor
- name: Restart dnsdist
service: name=dnsdist state=restarted

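--- /dev/null
+++ b/roles/dns/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: Install powerdns
+  apt: name={{ item }}
+  with_items:
+    - pdns-backend-bind
+    - pdns-recursor
+    - pdns-server
+- name: Create zone directory
+  file: path=/etc/powerdns/bind/ state=directory
+- name: Configure powerdns
+  template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
+  tags: dns
+  notify: Restart powerdns
+  with_items:
+    - bind/ffrgb.zone
+    - bind/90.10.in-addr.arpa.zone
+    - bindbackend.conf
+    - pdns.conf
+    - recursor.conf
+- name: Start the powerdns services
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+    - pdns
+    - pdns-recursor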


@ -12,6 +12,12 @@ launch=bind
# local-address=0.0.0.0
local-address=127.0.0.1
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
#


@ -16,15 +16,21 @@ config-dir=/etc/powerdns
# dnssec=process-no-validate
dnssec=off
#################################
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
#
# forward-zones=
forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1
local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}
#################################
# local-port port to listen on
#
local-port=5353
local-port=53
#################################
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
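Review bot: With `local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}` and `local-port=53` the recursor now answers directly on the mesh-facing addresses, so the `allow-from` setting — outside this hunk — is what decides whether it serves mesh clients only or anything that can route to these addresses; confirm it is set explicitly to the mesh prefixes rather than left at the built-in default, and say so next to the listener, e.g. `# listens on the mesh addresses; client access is limited by allow-from`. `dnssec=off` a few lines up is unchanged context, but with the recursor now exposed to clients it means they receive unvalidated answers; if that is a deliberate trade-off, a one-line comment stating it prevents a later well-meant "fix".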


@ -1,4 +0,0 @@
---
- name: Restart powerdns
service: name=pdns state=restarted


@ -1,22 +0,0 @@
---
- name: Install powerdns
apt:
name:
- pdns-server
- pdns-backend-sqlite3
- sqlite3
- name: Configure powerdns
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
notify: Restart powerdns
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/powerdns.sqlite3
creates: /var/lib/powerdns/powerdns.sqlite3
- name: Start the powerdns services
service: name=pdns state=started enabled=yes


@ -1,35 +0,0 @@
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
# allow-axfr-ips=127.0.0.0/8,::1
allow-axfr-ips=127.0.0.1,::1,{{ dns_slaves | join(',') }}
#################################
# dname-processing If we should support DNAME records
#
# dname-processing=no
dname-processing=yes
#################################
# launch Which backends to launch and order to query them in
#
# launch=
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
#################################
# master Act as a master
#
# master=no
master=yes
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
only-notify=
# security-poll-suffix Domain name from which to query security update notifications
#
security-poll-suffix=


@ -1,10 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns
service: name=pdns-recursor state=restarted
- name: Restart dnsdist
service: name=dnsdist state=restarted


@ -1,4 +0,0 @@
---
dependencies:
- { role: acertmgr }


@ -1,35 +0,0 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-recursor
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Configure powerdns
template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
notify: Restart powerdns
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns-recursor


@ -1,15 +0,0 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'


@ -1,24 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')
addLocal('{{ ansible_default_ipv6.address }}')
setACL({'0.0.0.0/0', '::/0'})
addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')


@ -1,47 +0,0 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-backend-bind
- pdns-recursor
- pdns-server
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
- name: Configure powerdns
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
notify: Restart powerdns
with_items:
- bind/ffrgb.zone
- bind/90.10.in-addr.arpa.zone
- bindbackend.conf
- pdns.conf
- recursor.conf
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns
- pdns-recursor


@ -1,15 +0,0 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'


@ -1,20 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ batman_ipv4 | ipaddr('address') }}')
addLocal('{{ batman_ipv6 | ipaddr('address') }}')
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')


@ -1,54 +0,0 @@
# {{ ansible_managed }}
#################################
# allow-from If set, only allow these comma separated netmasks to recurse
#
#allow-from=127.0.0.0/8
#################################
# config-dir Location of configuration directory (recursor.conf)
#
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
#
# dnssec=process-no-validate
dnssec=off
#################################
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
#
# forward-zones=
forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1
#################################
# local-port port to listen on
#
local-port=5353
#################################
# quiet Suppress logging of questions and answers
#
quiet=yes
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns


@ -1,10 +1,17 @@
---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian buster stable'
filename: docker
- name: Install docker
apt:
name:
- docker.io
- python3-docker
- name: Enable docker
service: name=docker state=started enabled=yes
- docker-ce
- docker-ce-cli
- containerd.io
- python-docker
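Review bot: `apt_key: url='https://download.docker.com/linux/debian/gpg'` puts the vendor key into apt's global trusted keyring, where it is accepted as a signer for every configured repository rather than only Docker's, and nothing pins which key is expected (no `id:` fingerprint). Fetching the key into `/usr/share/keyrings/` and scoping it with `signed-by=` in the repository line confines the trust to that one source; the grafana tasks use the same `apt_key: url=` pattern and would benefit from the same treatment. The repository line also hardcodes `buster`; `{{ ansible_distribution_release }}` keeps it correct across a release upgrade. `python-docker` is the Python 2 binding — worth confirming it is still what the consumers of this role expect.
```yaml
- name: Fetch docker repository signing key
  get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /usr/share/keyrings/docker.asc   # constructed example path; use the project's keyring location
    mode: "0644"

- name: Enable docker repository
  apt_repository:
    repo: 'deb [signed-by=/usr/share/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
    filename: docker
# … unchanged: Install docker …
```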


@ -0,0 +1,4 @@
---
conntrack_max: 131072
fastd_instances: 3


@ -4,14 +4,12 @@
:INPUT ACCEPT [1:136]
:OUTPUT ACCEPT [2:472]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }}
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [1124:131621]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [1151:175226]


@ -1,13 +1,9 @@
# {{ ansible_managed }}
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -m limit --limit 200/sec -j ACCEPT
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -j DROP
COMMIT


@ -1,5 +0,0 @@
---
conntrack_max: 131072
fastd_instances: 3
nat_pool: "{{ ansible_default_ipv4.address }}"


@ -1,7 +1,7 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
command: systemctl daemon-reload
- name: Restart fastd-exporter
service: name=fastd-exporter state=restarted
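Review bot: `command: systemctl daemon-reload` in the `Reload systemd` handler reports changed on every invocation and bypasses the module that wraps exactly this call; `systemd: daemon_reload=yes` is the idiomatic, idempotent form. The same `command:` form is used in the fastd handlers and the ifupdown2 handlers in this compare, so the change applies to all three files.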


@ -1,8 +1,8 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart fastd
service: name=fastd@{{ site_code }}{{ item }} state=restarted
with_sequence: start=0 count={{ fastd_instances }}
- name: Reload systemd
command: systemctl daemon-reload
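Review bot: Handlers execute in the order they are defined in this file, not in the order a task notifies them, so with `Reload systemd` now placed after `Restart fastd` a task that changes the unit template and notifies both will restart `fastd@{{ site_code }}{{ item }}` against the stale unit definition and only then reload systemd. Move the `Reload systemd` handler above `Restart fastd` so the reload always precedes the restart.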


@ -11,6 +11,7 @@ interface "vpn-{{ site_code }}{{ item }}";
method "null";
method "salsa2012+umac";
method "xsalsa20-poly1305";
secure handshakes yes;

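--- /dev/null
+++ b/roles/git/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Install git
+  apt: name=git
+- name: Install ca-certificates
+  apt: name=ca-certificates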


@ -1,3 +0,0 @@
---
grafana_rendering: False


@ -1,38 +1,10 @@
---
- name: Retrieve Grafana Key and avoid apt_key
block:
- name: grafana |no apt key
ansible.builtin.get_url:
url: https://apt.grafana.com/gpg.key
dest: /usr/share/keyrings/grafana.key
- name: Enable grafana apt-key
apt_key: url='https://packages.grafana.com/gpg.key'
- name: Enable grafana repository
apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
- name: Install grafana
apt: name=grafana
- name: Install grafana rendering dependencies
apt:
name:
- libxdamage1
- libxext6
- libxi6
- libxtst6
- libnss3
- libnss3
- libcups2
- libxss1
- libxrandr2
- libasound2
- libatk1.0-0
- libatk-bridge2.0-0
- libpangocairo-1.0-0
- libpango-1.0-0
- libcairo2
- libatspi2.0-0
- libgtk3.0-cil
- libgdk3.0-cil
- libx11-xcb-dev
when: grafana_rendering


@ -1,23 +0,0 @@
---
- name: Import Influxdb GPG siging key with store
ansible.builtin.get_url:
url: "https://repos.influxdata.com/influxdata-archive_compat.key"
dest: /etc/apt/trusted.gpg.d/influxdb.key
checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
- name: Convert key
ansible.builtin.command:
argv:
- gpg
- --dearmor
- /etc/apt/trusted.gpg.d/influxdb.key
creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
- name: Enable InfluxDB repository
ansible.builtin.apt_repository:
repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
state: present
- name: Install influxdb
apt: name=influxdb


@ -1,9 +1,8 @@
[Unit]
Description=Network initialization
Description=ifupdown2 networking initialization
Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
DefaultDependencies=no
After=local-fs.target network-pre.target
Before=shutdown.target network.target network-online.target
Before=network.target shutdown.target network-online.target
Conflicts=shutdown.target
[Service]
@ -11,7 +10,6 @@ Type=oneshot
RemainAfterExit=yes
SyslogIdentifier=networking
TimeoutStopSec=30s
EnvironmentFile=/etc/default/networking
ExecStart=/usr/share/ifupdown2/sbin/start-networking start
ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
ExecReload=/usr/share/ifupdown2/sbin/start-networking reload


@ -4,4 +4,4 @@
command: /sbin/ifreload -a
- name: Reload systemd
systemd: daemon_reload=yes
command: systemctl daemon-reload


@ -1,13 +1,10 @@
---
- name: Install dependencies
apt:
name:
- bridge-utils
apt: name=python-pkg-resources
# work-around to get a version new enough not to screw up forwarding setting on all interfaces
- name: Install ifupdown2
apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb
apt: name=ifupdown2 state=latest
- name: Uninstall ifupdown
apt: name=ifupdown state=absent


@ -14,8 +14,6 @@ iface br-{{ site_code }}
{% if global_ipv6 is defined %}
address {{ global_ipv6 }}
{% endif %}
#
post-up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
# bat-{{ site_code }}
auto bat-{{ site_code }}
@ -23,14 +21,18 @@ iface bat-{{ site_code }}
hwaddress f2:00:90:00:{{ gateway_id }}:20
mtu 1500
#
batman-hop-penalty 5
batman-ifaces dmy-{{ site_code }}
batman-ifaces-ignore-regex .*_.*
batman-routing-algo {{ batman_algo }}
#
post-up /usr/sbin/batctl meshif bat-{{ site_code }} gw server
post-up /usr/sbin/batctl meshif bat-{{ site_code }} hp 5
post-up /usr/sbin/batctl meshif bat-{{ site_code }} it 5000
post-up /usr/sbin/batctl meshif bat-{{ site_code }} mff 1
# TODO use batman-xyz instead of batctl
# see /usr/share/ifupdown2/addons/batman_adv.py
#
up /usr/sbin/batctl -m bat-{{ site_code }} gw_mode server 100000 100000
up /usr/sbin/batctl -m bat-{{ site_code }} it 5000
up /usr/sbin/batctl -m bat-{{ site_code }} multicast_mode 0
up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}
up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
# dmy-{{ site_code }}


@ -1 +0,0 @@
OK


@ -1,4 +0,0 @@
---
- name: Reload interfaces
command: /sbin/ifreload -a


@ -1,25 +0,0 @@
---
- name: Install wireguard
apt: name=wireguard-tools
- name: Create wireguard config directory
file:
path: /etc/wireguard
state: directory
mode: 0700
- name: Configure wireguard options
template: src=wg.conf.j2 dest=/etc/wireguard/wg-{{ site_code }}.conf mode=0600
notify: Reload interfaces
- name: Configure mesh interfaces
template: src=mesh_wg.conf.j2 dest=/etc/network/interfaces.d/mesh_wg.conf
notify: Reload interfaces
- name: Install wgskex
apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
- name: Install ping endpoint
copy: src=ping dest=/var/www/html/ping


@ -1,21 +0,0 @@
# {{ ansible_managed }}
# vx-{{ site_code }}
auto vx-{{ site_code }}
iface vx-{{ site_code }}
mtu 1350
vxlan-physdev wg-{{ site_code }}
pre-up ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
up ip link set vx-{{ site_code }} up
post-up batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
down ip link set vx-{{ site_code }} down
post-down ip -6 link del vx-{{ site_code }}
# wg-{{ site_code }}
auto wg-{{ site_code }}
iface wg-{{ site_code }}
address fe80::{{ gateway_id }}/128
ipv6-addrgen no
pre-up ip link add dev wg-{{ site_code }} type wireguard
pre-up wg setconf wg-{{ site_code }} /etc/wireguard/wg-{{ site_code }}.conf
post-up ip link set wg-{{ site_code }} mtu 1420


@ -1,3 +0,0 @@
[Interface]
PrivateKey = {{ mesh_wg_privkey }}
ListenPort = {{ mesh_wg_port }}


@ -1,5 +0,0 @@
---
netbox_group: netbox
netbox_user: netbox
netbox_version: 3.7.8


@ -1,13 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart netbox
service: name=netbox state=restarted
- name: Restart netbox-rq
service: name=netbox-rq state=restarted


@ -1,144 +0,0 @@
---
- name: Create group
group: name={{ netbox_group }}
- name: Create user
user: name={{ netbox_user }} home=/home/{{ netbox_user }} group={{ netbox_group }}
- name: Install dependencies
apt:
name:
- build-essential
- libffi-dev
- libpq-dev
- libssl-dev
- libxml2-dev
- libxslt1-dev
- python3-setuptools
- python3-dev
- python3-pip
- python3-venv
- zlib1g-dev
- name: Install PostgreSQL
apt:
name:
- postgresql
- python3-psycopg2
- name: Configure PostgreSQL user
postgresql_user:
name: "{{ netbox_dbuser }}"
password: "{{ netbox_dbpass }}"
become: true
become_user: postgres
- name: Configure PostgreSQL database
postgresql_db:
name: "{{ netbox_dbname }}"
owner: "{{ netbox_dbuser }}"
become: true
become_user: postgres
- name: Install redis
apt: name=redis-server
- name: Unpack netbox
unarchive:
src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
dest: /opt
remote_src: yes
creates: "/opt/netbox-{{ netbox_version }}"
register: netbox_unarchive
- name: Configure netbox
template:
src: configuration.py.j2
dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
notify: Restart netbox
- name: Configure gunicorn
template:
src: gunicorn.py.j2
dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
- name: Netbox file permissions
file:
path: "/opt/netbox-{{ netbox_version }}"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
recurse: yes
- name: Run upgrade script
command:
cmd: ./upgrade.sh
chdir: "/opt/netbox-{{ netbox_version }}"
become: true
become_user: "{{ netbox_user }}"
when: netbox_unarchive.changed
# TODO - still manual work
# * Create a super user
# * Migrate media files
- name: Install netbox housekeeping cronjob
template:
src: netbox-housekeeping.sh.j2
dest: /etc/cron.daily/netbox-housekeeping.sh
mode: 0755
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
-days 730 -subj "/CN={{ netbox_domain }}"
creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ netbox_domain }}"
when: "'kitchen' in group_names"
- name: Configure certificate manager for netbox
template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template:
src: vhost.j2
dest: /etc/nginx/sites-available/netbox
owner: root
mode: "0644"
notify: Restart nginx
- name: Enable vhost
file:
src: /etc/nginx/sites-available/netbox
dest: /etc/nginx/sites-enabled/netbox
state: link
notify: Restart nginx
- name: Install systemd units
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
with_items:
- netbox
- netbox-rq
notify:
- Reload systemd
- Restart netbox
- Restart netbox-rq
- name: Enable services
service: name={{ item }} state=started enabled=yes
with_items:
- netbox
- netbox-rq


@ -1,15 +0,0 @@
---
{{ netbox_domain }}:
- path: /etc/nginx/ssl/{{ netbox_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ netbox_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'


@ -1,212 +0,0 @@
#########################
# #
# Required settings #
# #
#########################
# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
#
# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
ALLOWED_HOSTS = ['{{ netbox_domain }}']
# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
# https://docs.djangoproject.com/en/stable/ref/settings/#databases
DATABASE = {
'NAME': '{{ netbox_dbname }}', # Database name
'USER': '{{ netbox_dbuser }}', # PostgreSQL username
'PASSWORD': '{{ netbox_dbpass }}', # PostgreSQL password
'HOST': 'localhost', # Database server
'PORT': '', # Database port (leave blank for default)
'CONN_MAX_AGE': 300, # Max database connection age
}
# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
# to use two separate database IDs.
REDIS = {
'tasks': {
'HOST': 'localhost',
'PORT': 6379,
# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 0,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
},
'caching': {
'HOST': 'localhost',
'PORT': 6379,
# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 1,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
}
}
# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
# symbols. NetBox will not run without this defined. For more information, see
# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
SECRET_KEY = '{{ netbox_secret }}'
#########################
# #
# Optional settings #
# #
#########################
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
# application errors (assuming correct email settings are provided).
ADMINS = [
# ('John Doe', 'jdoe@example.com'),
]
# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
# BASE_PATH = 'netbox/'
BASE_PATH = ''
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
CORS_ORIGIN_ALLOW_ALL = False
CORS_ORIGIN_WHITELIST = [
# 'https://hostname.example.com',
]
CORS_ORIGIN_REGEX_WHITELIST = [
# r'^(https?://)?(\w+\.)?example\.com$',
]
# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
# on a production system.
DEBUG = False
# Email settings
EMAIL = {
'SERVER': 'localhost',
'PORT': 25,
'USERNAME': '',
'PASSWORD': '',
'USE_SSL': False,
'USE_TLS': False,
'TIMEOUT': 10, # seconds
'FROM_EMAIL': '',
}
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
EXEMPT_VIEW_PERMISSIONS = [
# 'dcim.site',
# 'dcim.region',
# 'ipam.prefix',
]
# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
# HTTP_PROXIES = {
# 'http': 'http://10.10.1.10:3128',
# 'https': 'http://10.10.1.10:1080',
# }
# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
# NetBox from an internal IP.
INTERNAL_IPS = ('127.0.0.1', '::1')
# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
# https://docs.djangoproject.com/en/stable/topics/logging/
LOGGING = {}
# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
# authenticated to NetBox indefinitely.
LOGIN_PERSISTENCE = False
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
# are permitted to access most data in NetBox but not make any changes.
LOGIN_REQUIRED = True
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
# re-authenticate. (Default: 1209600 [14 days])
LOGIN_TIMEOUT = None
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
# the default value of this setting is derived from the installed location.
# MEDIA_ROOT = '/opt/netbox/netbox/media'
# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
# STORAGE_CONFIG = {
# 'AWS_ACCESS_KEY_ID': 'Key ID',
# 'AWS_SECRET_ACCESS_KEY': 'Secret',
# 'AWS_STORAGE_BUCKET_NAME': 'netbox',
# 'AWS_S3_REGION_NAME': 'eu-west-1',
# }
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
METRICS_ENABLED = False
# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = []
# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
# PLUGINS_CONFIG = {
# 'my_plugin': {
# 'foo': 'bar',
# 'buzz': 'bazz'
# }
# }
# Remote authentication support
REMOTE_AUTH_ENABLED = False
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
# version check or use the URL below to check for release in the official NetBox repository.
RELEASE_CHECK_URL = None
# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
# this setting is derived from the installed location.
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
# Maximum execution time for background tasks, in seconds.
RQ_DEFAULT_TIMEOUT = 300
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
# this setting is derived from the installed location.
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
# The name to use for the session cookie.
SESSION_COOKIE_NAME = 'sessionid'
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
SESSION_FILE_PATH = None
# Time zone (default: UTC)
TIME_ZONE = 'Europe/Berlin'
# Date/time formatting. See the following link for supported formats:
# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
DATE_FORMAT = 'N j, Y'
SHORT_DATE_FORMAT = 'Y-m-d'
TIME_FORMAT = 'g:i a'
SHORT_TIME_FORMAT = 'H:i:s'
DATETIME_FORMAT = 'N j, Y g:i a'
SHORT_DATETIME_FORMAT = 'Y-m-d H:i'


@ -1,16 +0,0 @@
# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
bind = '127.0.0.1:8001'
# Number of gunicorn workers to spawn. This should typically be 2n+1, where
# n is the number of CPU cores present.
workers = 5
# Number of threads per worker process
threads = 3
# Timeout (in seconds) for a request to complete
timeout = 120
# The maximum number of requests a worker can handle before being respawned
max_requests = 5000
max_requests_jitter = 500


@ -1,9 +0,0 @@
#!/bin/sh
# This shell script invokes NetBox's housekeeping management command, which
# intended to be run nightly. This script can be copied into your system's
# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
# within the cron configuration file.
#
# If NetBox has been installed into a nonstandard location, update the paths
# below.
/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping


@ -1,21 +0,0 @@
[Unit]
Description=NetBox Request Queue Worker
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -1,22 +0,0 @@
[Unit]
Description=NetBox WSGI Service
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
PIDFile=/var/tmp/netbox.pid
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -1,38 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ netbox_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ netbox_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ netbox_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ netbox_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ netbox_domain }}.crt;
location /static/ {
alias /opt/netbox-{{ netbox_version }}/netbox/static/;
}
location / {
client_max_body_size 32M;
proxy_pass http://localhost:8001;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
}


@ -1,3 +0,0 @@
---
nginx_anonymize: False


@ -47,32 +47,7 @@ http {
# Logging Settings
##
{% if nginx_anonymize %}
map $remote_addr $ip_anonym1 {
default 0.0.0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
"~(?P<ip>[^:]+:[^:]+):" $ip;
}
map $remote_addr $ip_anonym2 {
default .0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
"~(?P<ip>[^:]+:[^:]+):" ::;
}
map $ip_anonym1$ip_anonym2 $ip_anonymized {
default 0.0.0.0;
"~(?P<ip>.*)" $ip;
}
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log anonymized;
{% else %}
access_log /var/log/nginx/access.log;
{% endif %}
error_log /var/log/nginx/error.log;
##
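Review bot: The unconditional `access_log /var/log/nginx/access.log;` now records every client's full IPv4/IPv6 address for each request to this host, and nothing in the hunk bounds how long those entries are kept. On a public community network that is personal data, so the decision to log unmasked addresses should be visible in the file itself; if full addresses are needed for abuse handling, a comment above the directive naming the purpose and how retention is bounded would do, e.g. `# Full client addresses are logged for abuse handling; retention is governed by logrotate`. I presume logrotate is what limits retention, but that is not visible in this compare. The enclosing http block starts outside the hunk.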


@ -8,13 +8,7 @@
when: nginx_ssl
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
-out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
when: nginx_ssl
notify: Restart nginx
@ -30,7 +24,7 @@
- /etc/nginx/dhparam.pem
- name: Configure nginx
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
notify: Restart nginx
- name: Configure default vhost
@ -41,7 +35,7 @@
- name: Ensure network and dns are available before nginx
lineinfile:
dest: /lib/systemd/system/nginx.service
line: "After=network-online.target remote-fs.target nss-lookup.target"
line: "After=network-online.target nss-lookup.target"
regexp: "^After="
- name: Start nginx
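Review bot: The replacement openssl task at the `command: openssl req ...` line packs the whole invocation plus `creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt` into one free-form string, the legacy key=value form that ansible-lint flags and that is hard to read in a diff; the block form with `command:`, `cmd: >` and a separate `creates:` keeps the same behaviour and is the form the neighbouring `lineinfile:` task in the third hunk already uses for its arguments. `copy: src=nginx.conf dest=/etc/nginx/nginx.conf` has the same inline-argument style issue. The `After=network-online.target nss-lookup.target` line no longer waits for `remote-fs.target`; that is harmless unless /etc/nginx/ssl or a served document root is a remote mount on some host, which this hunk cannot tell.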


@ -1,4 +1,4 @@
---
node_exporter_version: 1.2.0
node_exporter_version: 1.0.1
node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz


@ -1 +1 @@
OPTIONS="--web.config=/etc/node_exporter/web-config.yml"
OPTIONS=""
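Review bot: With `OPTIONS=""` node_exporter no longer loads a web-config, so /metrics on port 9100 is served over plain HTTP with no basic auth, and the same compare removes the certificate and web-config tasks in the node_exporter tasks hunk and the `scheme: https` / `basic_auth` stanzas for the node and dnsdist jobs in prometheus.yml.j2, so the whole scrape path ends up unauthenticated end to end. The node targets are remote gateways, so the exporter cannot simply bind to loopback, and nothing in this compare restricts who may reach 9100 or the dnsdist 8053 endpoint; unless a host firewall does, host metrics are readable by anyone on the network. If dropping TLS is intentional, record where access control lives so the next reader does not have to guess, e.g. `# Plain HTTP: access to 9100 must be restricted to the prometheus host by the host firewall`.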


@ -1,7 +1,7 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
command: systemctl daemon-reload
- name: Restart node_exporter
service: name=node_exporter state=restarted
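Review bot: `command: systemctl daemon-reload` replaces a module call with a shell command, which ansible-lint's command-instead-of-module rule flags and which always reports a change because `command` cannot detect idempotence; the `systemd` module's `daemon_reload: true` does the same work through the supported interface. The identical substitution appears in the prometheus handlers hunk further down. If the command form is kept for a specific reason, adding `changed_when: false` under it at least stops the spurious change report.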


@ -9,27 +9,6 @@
- name: Configure node_exporter
copy: src=node_exporter dest=/etc/default/node_exporter
- name: Create configuration directory
file: path=/etc/node_exporter state=directory
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/node_exporter/{{ ansible_fqdn }}.key
-out /etc/node_exporter/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/node_exporter/{{ ansible_fqdn }}.crt
notify: Restart node_exporter
- name: Ensure correct certificate permissions
file: path=/etc/node_exporter/{{ ansible_fqdn }}.key owner=node_exporter mode=0400
notify: Restart node_exporter
- name: Configure node_exporter TLS
template: src=web-config.yml.j2 dest=/etc/node_exporter/web-config.yml
notify: Restart node_exporter
- name: Install systemd unit
template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
notify:


@ -1,6 +0,0 @@
tls_server_config:
cert_file: /etc/node_exporter/{{ ansible_fqdn }}.crt
key_file: /etc/node_exporter/{{ ansible_fqdn }}.key
basic_auth_users:
prometheus: {{ prometheus_node_pass | password_hash('bcrypt', 'supersecret1salt1value') }}


@ -1,4 +1,7 @@
---
- name: Restart chrony
service: name=chrony state=restarted
- name: Restart ntp
service: name=ntp state=restarted
- name: Restart ntpd
service: name=ntpd state=restarted


@ -1,11 +1,11 @@
---
- name: Install chrony
apt: name=chrony
- name: Install ntp
apt: name=ntp
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony
- name: Configure ntp
template: src=ntp.conf.j2 dest=/etc/ntp.conf
notify: Restart ntp
- name: Start chrony
service: name=chrony state=started enabled=yes
- name: Start the ntp service
service: name=ntp state=started enabled=yes


@ -1,53 +0,0 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
{% if ntp_server is defined and ntp_server is true %}
allow 10.90.0.0/16
allow 2001:678:ddc::/48
{% endif -%}
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys
# This directive specify the file into which chronyd will store the rate
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Log files location.
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC


@ -0,0 +1,17 @@
# {{ ansible_managed }}
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
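Review bot: The rendered ntp.conf has no `driftfile` directive, so ntpd cannot persist the measured clock frequency error and has to re-estimate it from scratch after every restart; add `driftfile /var/lib/ntp/ntp.drift`, the path the Debian ntp package provides, above the server lines. The `restrict default kod nomodify notrap nopeer noquery` pair is the right default for a gateway: it still serves time to clients while refusing remote ntpq/monlist queries and configuration changes. Note that the `ntp_server` variable the role previously honoured is not consulted in this template, so there is no per-network restriction difference between server and client hosts.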


@ -1,7 +1,7 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
command: systemctl daemon-reload
- name: Restart prometheus
service: name=prometheus state=restarted


@ -6,7 +6,7 @@
- name: Install dependencies
apt:
name:
- python3-pip
- python-setuptools
- python3-setuptools
- virtualenv
@ -22,13 +22,6 @@
- Reload systemd
- Restart prometheus-pve-exporter
- name: Configure prometheus retention
lineinfile:
path: /etc/default/prometheus
regexp: '^ARGS=.*$'
line: 'ARGS="--storage.tsdb.retention.time=365d"'
notify: Restart prometheus
- name: Configure prometheus
template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml
notify: Restart prometheus


@ -27,29 +27,12 @@ rule_files:
scrape_configs:
{% if node_targets is defined %}
- job_name: node
scheme: https
basic_auth:
username: prometheus
password: {{ prometheus_node_pass }}
tls_config:
insecure_skip_verify: true
static_configs:
- targets:
{% for target in node_targets %}
- {{ target }}
{% endfor %}
{% endif %}
{% if dnsdist_targets is defined %}
- job_name: dnsdist
basic_auth:
username: prometheus
password: {{ prometheus_dnsdist_pass }}
static_configs:
- targets:
{% for target in dnsdist_targets %}
- {{ target }}
{% endfor %}
{% endif %}
{% if fastd_targets is defined %}
- job_name: fastd
static_configs:


@ -19,6 +19,6 @@ interface br-{{ site_code }} {
AdvRouterAddr on;
};
{% endif %}
RDNSS {{ batman_ipv6 | ipaddr('address') }} {
RDNSS {{ batman_ipv6 | ipaddr('address')}} {
};
};


@ -4,4 +4,4 @@ batman_interface: bat-{{ site_code }}
main_bridge: br-{{ site_code }}
respondd_announce_git_root: https://github.com/ffnord/mesh-announce/
respondd_announce_git_version: 4fd2e3e6eb15c2a52b7401c88a105ff483934689
respondd_announce_git_version: fc2d8d78d53d1908ad16b79b66f79557ccd9a83a
