Compare commits
No commits in common. "master" and "master" have entirely different histories.
|
@ -1,4 +0,0 @@
|
|||
skip_list:
|
||||
- meta-no-info
|
||||
- package-latest
|
||||
- risky-file-permissions
|
11
.drone.yml
11
.drone.yml
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
|
||||
name: playbook
|
||||
kind: pipeline
|
||||
type: docker
|
||||
|
||||
steps:
|
||||
- name: lint
|
||||
image: cytopia/ansible-lint:latest
|
||||
commands:
|
||||
- ansible-lint
|
|
@ -2,4 +2,3 @@
|
|||
__pycache__
|
||||
site.retry
|
||||
*.pyc
|
||||
ff-ansible.code-workspace
|
||||
|
|
|
@ -3,11 +3,11 @@ Ansible Freifunk Regensburg
|
|||
|
||||
## Requirements
|
||||
|
||||
The python packages netaddr and passlib are required on the host running ansible.
|
||||
The python package netaddr is required on the host running ansible.
|
||||
|
||||
The vault password must be stored in `.vault_pass`.
|
||||
|
||||
The *only* supported distributions to deploy roles on is debian buster.
|
||||
The *only* supported distributions to deploy roles on is debian stretch and buster (stretch may be too old for prometheus).
|
||||
|
||||
|
||||
## Running Ansible
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
[defaults]
|
||||
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
|
||||
interpreter_python = auto
|
||||
inventory = ./hosts
|
||||
library = ./library
|
||||
nocows = 1
|
||||
|
|
|
@ -2,20 +2,6 @@
|
|||
|
||||
acertmgr_mode: webdir
|
||||
|
||||
dnsdist_targets:
|
||||
- gw11.regensburg.freifunk.net:8053
|
||||
- gw21.regensburg.freifunk.net:8053
|
||||
- gw31.regensburg.freifunk.net:8053
|
||||
- resolver.regensburg.freifunk.net:8053
|
||||
|
||||
dns_slaves:
|
||||
- 195.201.117.207
|
||||
- 2a01:4f8:1c0c:7dda::1
|
||||
- 213.166.224.14
|
||||
- 2a02:958:0:1::e
|
||||
- 213.166.225.14
|
||||
- 2a02:958:0:1::1:e
|
||||
|
||||
fastd_targets:
|
||||
- gw11.regensburg.freifunk.net:9281
|
||||
- gw21.regensburg.freifunk.net:9281
|
||||
|
@ -39,24 +25,15 @@ gre_matrix:
|
|||
- { id: 26, a: gw21, b: gw31 }
|
||||
# - { id: 33, a: gw22, b: gw31 }
|
||||
|
||||
netbox_domain: netbox.ffrgb
|
||||
netbox_dbname: netbox
|
||||
netbox_dbuser: netbox
|
||||
netbox_dbpass: "{{ vault_netbox_dbpass }}"
|
||||
netbox_secret: "{{ vault_netbox_secret }}"
|
||||
|
||||
node_targets:
|
||||
- gw11.regensburg.freifunk.net:9100
|
||||
- gw21.regensburg.freifunk.net:9100
|
||||
- gw31.regensburg.freifunk.net:9100
|
||||
- ns1.regensburg.freifunk.net:9100
|
||||
- resolver.regensburg.freifunk.net:9100
|
||||
- stats.regensburg.freifunk.net:9100
|
||||
- web.regensburg.freifunk.net:9100
|
||||
- stats.ffrgb:9100
|
||||
- unms.ffrgb:9100
|
||||
- unifi.ffrgb:9100
|
||||
- tiles.ffrgb:9100
|
||||
- netbox.ffrgb:9100
|
||||
|
||||
ntp_servers:
|
||||
- 0.de.pool.ntp.org
|
||||
|
@ -64,10 +41,6 @@ ntp_servers:
|
|||
- 2.de.pool.ntp.org
|
||||
- 3.de.pool.ntp.org
|
||||
|
||||
prometheus_dnsdist_pass: "{{ vault_prometheus_dnsdist_pass }}"
|
||||
|
||||
prometheus_node_pass: "{{ vault_prometheus_node_pass }}"
|
||||
|
||||
prometheus_pve_user: prometheus@pve
|
||||
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
||||
|
||||
|
|
|
@ -1,151 +1,128 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
36396532616163303161303134326565316637343336613531663031376439303930306532373063
|
||||
3765313339353437393633373035663661623461343132380a373536646632346364663662626665
|
||||
37373532633937623030393735383164376233383838613635353565333763626430616630636536
|
||||
6635373636383462610a326662393234333166373834323834353537363239616639343531616339
|
||||
63383939313735653364383137346166306639633637636137353832666333633963633363663265
|
||||
39356136613639643135633534636264393838376431336462363030363463643232663534313261
|
||||
64373861313135623264316135646234376230653863633863366538353736653964363137303533
|
||||
63623730396338643738313432343962666461653136333361383033623161376662346165626338
|
||||
33356162376536303363343363343830383365323737636334323632306261336538356639306632
|
||||
39333166353830386537383033396465343461396330386238653961386237336234376533633931
|
||||
64653331326263343063306230653265643731323732353437643161383238376664636562383561
|
||||
31376561373130636561366333306139636533363933313566363537363238343462323539313439
|
||||
30393035643138666435393237383039623735353963353039323966666130393638306565333631
|
||||
64653432623664346637656134643963323233376535333731653466633064306365306164643337
|
||||
61306661356531623737386439373465636339643435343838393863333034383437343832383134
|
||||
64666332613865306438643830376665623435376632373362356363343339363533303433313939
|
||||
33623636616334646536663333383031396666376562366335656666363233636265643435383334
|
||||
39656432383035323334373639326535306237643336663232633566663837663466383331336261
|
||||
32383238353137333731386331623264633338373964653261643865353162623232393930333432
|
||||
38323065343865643135653535623934613634636465333865353465326139613130376134396132
|
||||
62366539396432633935663930663063363536393331393666616438396231643938306139313033
|
||||
31623237646135633237343566646436363864303334373861306430626131366430666634303862
|
||||
34663163373263366561306336336535656465326633613535343665343361373936346431363538
|
||||
34303565336132646461656135623463373832396533316132313139303133303565616434663138
|
||||
62663561663530363834623130313464623465653139343033313132366665636535666639323162
|
||||
62316666643532353166373430633832643434356664346337633738623739353835313539666130
|
||||
66633931306330363532363630626162353066316565643235636162393532393234646230363131
|
||||
37666166393666313661663863643866656236313935356131313230313861636631643034643662
|
||||
64393866633064383164643365363038626536663831393432363661383736306663356563313734
|
||||
63363363363531623634363835363364303137646335373662313764323263306539386435663631
|
||||
39396234623064636531653063326562383235333865393935376265393932633763613838343733
|
||||
34353663313462313437316534663239353535313434646431663862393561613264626634643864
|
||||
31633734633963346634376165343435666538313932343230343237363839323764633835623337
|
||||
62653466376265343639343064366461653964303337363561306138363534613036376338373266
|
||||
65376432396234383661653330613465623735373834393836646439616634613865323236666264
|
||||
31336363373063346231376164663930336539633363306633393938643234373065343164613738
|
||||
30343831383432343931336633633830653736303061383634666337613930396262393334663561
|
||||
38343232613361333564653362306139346130643530373938366332396535636630353536646336
|
||||
37623962353933326561346636303338333934356230356363303938613566343365626431633134
|
||||
35636432396166653835643234396662663463313063636564663835326366613739313531356431
|
||||
36353664316461396366356233623236373230616534393136626231376436343538326163623764
|
||||
66306264643562316563323062323637383131363062373362613061363736353430363137623161
|
||||
32356630363866383064626538313739663335633235646435663134396537316165383334333464
|
||||
33626430303630663565396665383265313663643264616566646639376134646233336332373264
|
||||
33613462663539666432646666303533343837636438373261303232663864626566373732316339
|
||||
64646564633930653437646137656466343135326562626531353265666134656665396163636534
|
||||
33343135393237363234336363656263666530396635386132663530386631363066663234363265
|
||||
66343264343837396165626138373835656237626236626130316134303131353539313732666463
|
||||
30373661666232646438393662653535373433353762376264666536306130613531616462313830
|
||||
35626461633538343261623636373236333336636436343438626338316236373039303737386438
|
||||
39316433353739633264336535653561383039313734646139393961653537313562633266363338
|
||||
38336236363166393964336461323430393639393866653337366564636538396338656339626136
|
||||
35396566616634656137653438306136663831326166663338323531336364646332646162323430
|
||||
38383234653565623062636135333136613039663362623230366364343635356234386631373664
|
||||
33373965393033336235356266336331306366613065396139316363316133616265646232623762
|
||||
32346331616236663231326631366364393735303163626335643730656233353236636633303939
|
||||
63383965353137363062313265623733313338613966643563363466396333356262643065363666
|
||||
66346333366566376336366662363632623536356564313334343135633136663632656262323334
|
||||
64336135373163383339336664346632646535386536386361386336363138373130316438663062
|
||||
37353231663130303838333932323532653365323238333737643866356163383032393934346530
|
||||
33636565326138613963396432323838663037366463343633613730613339343266373233393063
|
||||
38656264613530373262333937313037373431326665356339313638323334346464623936643035
|
||||
33616630336464396531396365366462333265313239323966633563656332373164623536303963
|
||||
31633437343130613039303131363264623232633232656332653138333161666233376233316639
|
||||
33386636336263333463636438383231666466373934323235326366356263633563393664383939
|
||||
35326562656166616264313937636432643265636565623335326237333432343238383536303735
|
||||
38643333383834343633366366373639323738613433326665633362316563306161386230653363
|
||||
33386463323765663838326331666433313563343266623063363962373961333064343964393439
|
||||
38633036376138383936663031343835353865333635653861653131383535343939356631656532
|
||||
62656464623263626464613365386234353632303734643631633435626133383538376136643335
|
||||
31333430643839666238373561643966633334653361373336306266383631663537303265316564
|
||||
37633633363933353931653830306663393766303363333535313737346239613366326536653530
|
||||
34643166663333663066373735376266306635306132383134653161646337333161356234366533
|
||||
34323461653763386636653665353362323565396535326366663639313437616663376332616630
|
||||
33323531623935383639623635323662636239386631623361613066616134396565306565393161
|
||||
62313235316264663261306461623032373938336661653534383835303638333831613232316564
|
||||
65333135383761373937626534663633633936396532313263396338393462623830396538313464
|
||||
61333966373930626135663839633766383332656564366639386130323061363137333065653433
|
||||
36313434326234386466643730663939376461633334646133363763303561373862633565663634
|
||||
65646237346636636230313136633136623236646239323937373163616230636264326534373263
|
||||
36333035643663626239306363636635336237373761333239363937633932363936663832396438
|
||||
34346662633265326365383866383864356563393431363137333564326466613832666663633539
|
||||
33666638393337336633613032623739633836663831353762653437323733336230396333643733
|
||||
65663462346166653534323533376431356535316238363639613636383663306635343836376365
|
||||
64363765393863363038363739353239633934343138636564343562316131313933616363356237
|
||||
66306230613863633038313161613861653138656433623031313534666139393535383163366339
|
||||
36393138323838656139653163393965356131633961623930623637663839383564633534336565
|
||||
30643334353537306637636263633331306162316565633630303636323833636234336264316361
|
||||
36613833653565613562363763336633323236393836653466356638646166333661653431376463
|
||||
32363638616433643264323938616262383663653334323931346639633836333462333663376364
|
||||
32663838663534626565376661656663643162626137363431363461313864623732613764333664
|
||||
39626232333534326364613838376434666635313731646533363635386230333036336533633034
|
||||
31323132343230646631626131663436356263626563323934643765666462343234653038383564
|
||||
64393739663035636266663539326661303262383966323634333234363233656465396665613636
|
||||
38623063336337383931343931333565623261313638613235633230623638623863616238316662
|
||||
33376135646535656434323732656362343834663530316437333630373230303136303137306637
|
||||
31343266386535346362383032376635386132636138333765616361653463316239303536316262
|
||||
35623062316533656661356462643864383536303835346235353339663238386532343064636233
|
||||
66363566623663353265616434336163396336336263613030623134653361363732323738313363
|
||||
61343232656233363433626334306433626566616537376537663930613738386663393035373533
|
||||
64656639326165666138343361613637653166316330393665643533333466613861653232333138
|
||||
66316464336465653062376261643238323761383161623933353433613266646537623639396666
|
||||
32343735323833383365313539333138656230306134343631666232653965663264656635343061
|
||||
38353162383364323538366666666365316432393939333663366664356364633939653837346431
|
||||
35383063393664656539393763313735663638343863616431306566356332343935653631646536
|
||||
66643130613266636331663762303962643434653532336531396165303638303831393561376633
|
||||
36613537333163633837666530356163343733313631633962326365363063663261333061376135
|
||||
39363532366638343430643664663863653666663064386562616434313831633032316238393963
|
||||
38346564306438653865663937633037373961636630653530643936326333316433636334333935
|
||||
65326434316435313364666364613138306630356234393839313031373536336539623132653634
|
||||
30336332323932323863353139303835643865313466356637303032393437636531313330666536
|
||||
34333565376635633863303066376330313362303836366666313530336430343939313466633135
|
||||
32373238363031396665656536646236393133376435633638303238636663313738353532393236
|
||||
38633831633039616430343932343066303837303161653166623761343033386437303231393931
|
||||
65353334666164343337363035616162383635623838343662323430326639633834366666393663
|
||||
31356138366666333563653738653032646633316537326333306133333435623132306236373963
|
||||
37326435373064386131383938353465373239323434366339343364646565393131643335366530
|
||||
35346465616330346232656239643165663438386339663136336362356437653334326335666564
|
||||
38326436623239393833393838656335336565666536386164356535633363363836323966343663
|
||||
66323563616564623165373730353238353063393362653964316338333932636333353064333761
|
||||
61626432383233323630626465393461393130363232383565646631343464363138323763656637
|
||||
35653964386434653335666335373932646133653966626430656636626461646263383464643666
|
||||
61396265333465343039653333646661383165356335633532623165323364363630386335373935
|
||||
34363739636432366565366265373038643633613739363266653531623032333030303437346665
|
||||
63333666623536353238616636633065393562623566376461336262363665323866376666303930
|
||||
66393533353766373732326231373732663766393034326538643063393037316239653838333738
|
||||
35636539393966343866613932663230663638653862643934616539393436383639356339633133
|
||||
32643836356136353436623738613133353631313936643165376265373638343838396665356166
|
||||
39303661646265653436396131613536386236613938323739363863633766303365636466376637
|
||||
38353837633239643166383931323961383362343831633835643930613465346335656566326434
|
||||
63303565366161373062343162616536653165373537363331353639303230663265643335356330
|
||||
30333263623431666135393931626431626362366562626431623434613633643062373961663361
|
||||
65343135353536643863316161326635333038643634396230353465646238356234653034323638
|
||||
39353365306230313031336337313637336233623865666439653861643637663732386461333432
|
||||
61333831306539303439373634376566363861393830333665366238666364653637343364313865
|
||||
30643564363739346566636565636363386533663434653761386565316266333436623031333134
|
||||
33616464323165393331326665633235326231623365373236303335353837663739373165346139
|
||||
65633066343530303335336362343838356565343638313133646339353235633661636361303934
|
||||
65636332383130333036316138393235353363623061613130383431323735626136636334343439
|
||||
39363764386639626432366534363839613366336139363439343066333933366537373333336465
|
||||
32363334326463323261303562633034383233653438643764633231373761326334336561623832
|
||||
37663763343933386165313665646234626263616136343366663834323739343934343833616336
|
||||
38616636396438386539303637646134393865363235616465613665616439653730613039306265
|
||||
36366433356362363537653838626133656430333132666635306137663134333139323565363531
|
||||
33656433393031386537353766366638393433363031616632323962353933666232653563313830
|
||||
38656565376630396235656533313731656666363762386339613534613236656533366161653866
|
||||
61633965366135376264316264393964343035306330623739643338306362633838373434306335
|
||||
34313636373930623663666362633736653363353461616639323261646235653266383837393036
|
||||
34626466623666643465326465343833336338343964666537623431313639656136373339643834
|
||||
6531336131373761336363393133626166376263663037666231
|
||||
36303531356238623563383536313866333234626534333764393330613338323437633133333933
|
||||
6664636362396636366362363236383763653561366236370a336538353466333830326166353833
|
||||
38616339376634616533376262623839653063666633306537353065303436636130376335336631
|
||||
3432623039316431330a656664386662633362356137666661323438386333386632343864336663
|
||||
36623430663333393434393464633633376431333736396165343964663137373366343262373262
|
||||
62343237623763363961313666333364386364353732383061623937663731653037386562383339
|
||||
39623633666336356666626134333935356265303035616135303532396632323861366233373936
|
||||
61356363613161653263323737343866323538623039643230373765353337376631643362633639
|
||||
32346239353462363239393862643665373663646530343837313132616166346662326339316635
|
||||
35313465343631333939376165313661616133363565666439336163326132633137363166383831
|
||||
62613832373839383234356463323761613036666331306434353165653639616336633638396633
|
||||
61363333376239623738386262653165643335343436303634366536363338386138313235313562
|
||||
34303332626239323235613532396435646632353132613962363961383536666131306533306566
|
||||
64306364393266633635363162323133656363633862326231366161633138343765343564646236
|
||||
66666535613764613964633164333063306263353931646532346136663839646533643230666362
|
||||
65343432353838383832306331333832386363613566373461323033643963616237663165366636
|
||||
36336266353664353136323237383237663363613035653664303634633266333565303833356238
|
||||
62623538623861653135633666613034363766306263323262663631383961333932313837333339
|
||||
38313439636262313563326232323937323163373532306464333662363362613064313638353338
|
||||
34633766623962326464393564316563663764326462316232653935383463343163613532623931
|
||||
33653136636634373939386439623661383432616534333061626232303266343666383335346666
|
||||
34323336366232363563626139316666353433343236626334366138656334646338623338316439
|
||||
32323833656430373831616661613662353465376664633233333666373766356666373839336232
|
||||
65346637616539616330356138323865646433346339363130343366363731343262393538336466
|
||||
30316565303133343762666165626533343135633937323162653964626535343962653636636163
|
||||
36323066393039333531626434383830666665326563376638656238393439373033653763386131
|
||||
65316265626130643335333362363232613733633835633234316565303532623766653032303332
|
||||
33386661326362626538393033396430303564653737346339643966623337653661376633623166
|
||||
66313162316131326364393731346336626663626564343662343334616533616537633765376463
|
||||
64303939313639613665353035336536373436646436373038633233313330663965386665326234
|
||||
37326338333262313461373765306163646233303930633838636563313138646461656130666234
|
||||
33383232336333373965666630386131326137666633623231633739646435363532393432323330
|
||||
33393431616630336139393236636533383537623162376636393365663733626565306661386665
|
||||
65613536313032646636623334656266336531383733306361363536616661336236353735343535
|
||||
31353738346332643465383735636666326532623166373962376563633861376361663663393030
|
||||
31316366346531376635386335366564373530303664323934383930356530356265623530356461
|
||||
31656461663637373238303737383263353065326333383564346532376261316130346461373230
|
||||
31633939313061663235326331613061383033313131633330303238363135303637363133663637
|
||||
61653439633534633234366164313665356265323931346234646163333463366466613934333536
|
||||
36336662306531643537333437363032643433323564643736336539393634333139633631376238
|
||||
63633031646163613161626139666334623961646230366561343839653638303465323632653438
|
||||
39613364326264333131636231303031643336353663386238636561373839393834376636646534
|
||||
31383764623664363065626331363762623232336162383164396435613330303432616632306336
|
||||
64313564636433643430336333613339666536383062383932366137636432373038333134313263
|
||||
61636635613534663662353732333563366230636332326337303433356536373563663639326438
|
||||
31393664643765653365363834653936336138336261313337636363323063616261336137306662
|
||||
66663632663864366262363566393437313136373531313264323663373866663865396335666431
|
||||
33383665346634383039393334373166396230393432623934326665663931636431646330643033
|
||||
65613339623863323537626631343935333966326263323836373163633531373662393561633731
|
||||
64613237363562643164613338396436303334346234343739323137616364626433666464663133
|
||||
61306630626261376465636234613263366334626161353338323739643938323137633835653032
|
||||
66323964663965616666626138636433323736323630303832366365663436396265333033666662
|
||||
65343730336233323637356435363931346638666239363964646538343665396466646238363531
|
||||
31343535393931633830326561323437643834393430646431393765336433326236313537616532
|
||||
37363739373838383361616663633963373032646663333735663533356630626537326165666530
|
||||
61633537336437366266303463336438373137303037383761393365366365323263643239323736
|
||||
33316637643735363531643965383530643333636437363936303133373261386237386630616232
|
||||
30373861313638663639653932333532306166653462616136326365616465363436363663313430
|
||||
30306664626566643431353362383364633961306536663136396538313364656231363538363964
|
||||
37613761326365656632323034376634316430326666306330383937393963656333666437336639
|
||||
61343365343463303161336366386161363662646138316536653635383034616431356265613032
|
||||
66643937333933633932376133306465373031386334373032373261643762396637396139616638
|
||||
64313966393732383830646566306266663734356531336564393362613937646565663337353038
|
||||
31663734616536343938393638663636653532383538313137336166633632653235323833643665
|
||||
35393234633364666561653934346139353761643536313438366231646564323138393133333662
|
||||
36656164333831393061653632633830383766613638353863306663356164393665373965373237
|
||||
32363065326231393231343839633463326235316533636163356434313832343064396532613832
|
||||
33306331623364363566663463316139336134396636653264343563623339373566656134636364
|
||||
38653435333061333966396131376564386134363433643134616338343535353132633465616364
|
||||
31393266313339383233363364303731653933613632363231333965653237393962646132373761
|
||||
30643865626130343263656562653765343561636235333966363935333038383734363136633339
|
||||
65383232313633363761303063343936613765636633663866633833303938366339373635343733
|
||||
32616432343338376139313663656535373064353063643661663732633130383932373138666133
|
||||
33336262316664613936633032656234353262333633626237376636383261626331346464363261
|
||||
65396138653264636537346436636230613435376532383130666138373334643834303064303161
|
||||
38393563336564343530373362613166636639393963383539333234613734353834306135643363
|
||||
65613732376661373137353262626565613164343631336531393132333137326531353439333731
|
||||
37396434626365646565613766653930613632316632363764353330313836326436313438653836
|
||||
64613337626236323435393363626332383235326635323561633261396466623462623536306361
|
||||
65393331343664343533356462656638636638666464353037633334323363613936353266363530
|
||||
39663264356132363836343765336163653731373035653332303462383933333734363537366233
|
||||
33646333653762656534663635636634663835643730386264333738323962636266653734303239
|
||||
30336261323039386461303933633366316537303230336238636662396133353735653936313232
|
||||
63373335313162643562393131653930383566363239613063633931376536373366346331623337
|
||||
64343734333565316232356634376438306536373662316632313066336364383062653765643165
|
||||
66626465636365613064323664393163636230303664666632653938633364343136343464653735
|
||||
38376637646232333735633861356238646235616536336662353466346163616631613062303837
|
||||
32363638383838663833633532323365663531323632313534613133306336383262306530613337
|
||||
39653732323430643334366131313137653265353632643136643662626361636666326364303831
|
||||
39666166623564373133323332353337623038623737303935383036613236666339306235316166
|
||||
37643737386438623261653064643339663865366433376162373466653461313961383166663830
|
||||
35396661396664623866346661396563363564306136333137663166323362386431663835323365
|
||||
35656361353162666638626130343833303165333964613161396132613939313738396563333336
|
||||
64366533646137633166383431666366643937666139653637386535363135656432363136373134
|
||||
62396433316339366534303064636436646365373138376162333032383539373939376337643663
|
||||
62613966646361366435366361633864373066303933633039623530336236346261323335633130
|
||||
65323838323235653839656530626661343731383966623732663430313137643566343566643932
|
||||
62353936666632336532326266376438346339343030666530666261386335343566336237616639
|
||||
33353932326435393266336263363466633035653161363162376630343132383436336164643337
|
||||
66323436376265353062373166343162353334313365313462616139393430333164323539636235
|
||||
38613531393030663831663361333437313333643264353131356163313630636264313130663363
|
||||
62383166396131386133626131303163323865393832663262666434623833653861353064663062
|
||||
65623239356163656433363339386632303562333064613631383933323563663761343465306133
|
||||
32336233303461666366336466643936396366343735363934363136393738303031386339623532
|
||||
30326131383636356535343462313338303235343739623039353066653661313431333461333030
|
||||
65336166623732353432633236393233313964306435633231336534643134643834626534626131
|
||||
39303239366439303230316565373235616261633362633737646365316133616366643333343138
|
||||
31323138343838363735663835633361663036613461336135356639396334633765643764346365
|
||||
33353332326330366434313662383765653561663238653137383339626539633364336336363634
|
||||
65626465666435326566363863643064363365623361633266316137643637656537663934396663
|
||||
65633738613231326461373761626135373866326130356335653739636130366135363137646362
|
||||
37393839346634373132316434313966653730623035633933636230643765366261373839373333
|
||||
39363263376533326533663365363538383434663830646630323562333235356335373363383831
|
||||
66393361663865653238643035353138623730396363333633336261363739303264336136663638
|
||||
61646366323238373861386266353135333835353665333965306665613331393438313064303435
|
||||
36633333366637616666386531396539303630653735373163623437396161393633636435356631
|
||||
30393530323234373631393630383564306132616135646534316466336335366131663465336231
|
||||
64353136663436653637613765636234343836393262323535666232326265303333646436636531
|
||||
38313063373133383062333439363036663562623639333932386131353666373037623539316335
|
||||
39613766383631643661353238643534646464663231663166386634636330373332653963616330
|
||||
39383238386135646330336565323762326463313939386236366161356463343566376231396465
|
||||
64376661633465643864663236323961653535386362656238323730326663383138613831613633
|
||||
38373661666363666661313065356364353232333466386263383761323264363535643034326563
|
||||
61353638646463383063616365376535366232653135653430336231353633323665373438613437
|
||||
32316164643438626236613839353333316536313439306334666566623465323366633036326466
|
||||
61646263396333373063383861313033393335323263393261636265613736376361393735636130
|
||||
643939373434306635633963666533396439
|
||||
|
|
|
@ -3,20 +3,13 @@
|
|||
batman_ipv4: 10.90.32.11/19
|
||||
batman_ipv6: fdef:f10f:1337:cafe::11/64
|
||||
batman_algo: BATMAN_IV
|
||||
global_ipv6: 2001:678:ddc:11::11/64
|
||||
global_ipv6: 2a00:9d80:6000:0101::11/64
|
||||
nextnode4: 10.90.32.1
|
||||
nextnode6: fdef:f10f:1337:cafe::1
|
||||
mtu: 1312
|
||||
|
||||
vx_wg_vni: 3665730
|
||||
|
||||
mesh_wg_port: 20010
|
||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
|
||||
|
||||
fastd_port: 10010
|
||||
|
||||
gateway_id: 11
|
||||
|
||||
site_code: ffrgb_cty
|
||||
|
||||
ntp_server: true
|
||||
|
|
|
@ -8,15 +8,8 @@ nextnode4: 10.90.32.1
|
|||
nextnode6: fdef:f10f:1337:cafe::1
|
||||
mtu: 1312
|
||||
|
||||
vx_wg_vni: 3665730
|
||||
|
||||
mesh_wg_port: 20010
|
||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
|
||||
|
||||
fastd_port: 10010
|
||||
|
||||
gateway_id: 12
|
||||
|
||||
site_code: ffrgb_cty
|
||||
|
||||
ntp_server: true
|
||||
|
|
|
@ -3,20 +3,13 @@
|
|||
batman_ipv4: 10.90.64.21/19
|
||||
batman_ipv6: fdef:f20f:1337:cafe::21/64
|
||||
batman_algo: BATMAN_IV
|
||||
global_ipv6: 2001:678:ddc:21::21/64
|
||||
global_ipv6: 2a00:9d80:6000:0102::21/64
|
||||
nextnode4: 10.90.64.1
|
||||
nextnode6: fdef:f20f:1337:cafe::1
|
||||
mtu: 1312
|
||||
|
||||
fastd_port: 10020
|
||||
|
||||
vx_wg_vni: 11781694
|
||||
|
||||
mesh_wg_port: 20020
|
||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
|
||||
|
||||
gateway_id: 21
|
||||
|
||||
site_code: ffrgb_uml
|
||||
|
||||
ntp_server: true
|
||||
|
|
|
@ -10,13 +10,6 @@ mtu: 1312
|
|||
|
||||
fastd_port: 10020
|
||||
|
||||
vx_wg_vni: 11781694
|
||||
|
||||
mesh_wg_port: 20020
|
||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
|
||||
|
||||
gateway_id: 22
|
||||
|
||||
site_code: ffrgb_uml
|
||||
|
||||
ntp_server: true
|
||||
|
|
|
@ -3,22 +3,13 @@
|
|||
batman_ipv4: 10.90.96.31/19
|
||||
batman_ipv6: fdef:f30f:1337:cafe::31/64
|
||||
batman_algo: BATMAN_IV
|
||||
global_ipv6: 2001:678:ddc:31::31/64
|
||||
global_ipv6: 2a00:9d80:6000:0103::31/64
|
||||
nextnode4: 10.90.96.1
|
||||
nextnode6: fdef:f30f:1337:cafe::1
|
||||
mtu: 1312
|
||||
|
||||
vx_wg_vni: 3120917
|
||||
|
||||
mesh_wg_port: 20030
|
||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_tst }}"
|
||||
|
||||
fastd_port: 10030
|
||||
|
||||
gateway_id: 31
|
||||
|
||||
site_code: ffrgb_tst
|
||||
|
||||
nat_pool: 194.156.22.32-194.156.22.33
|
||||
|
||||
ntp_server: true
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
|
||||
acertmgr_mode: standalone
|
|
@ -1,31 +0,0 @@
|
|||
---
|
||||
|
||||
grafana_rendering: True
|
||||
|
||||
# yanic needs this
|
||||
site_code: ffrgb_cty
|
||||
|
||||
yanic_publisher: true
|
||||
|
||||
yanic_repondd_enable: false
|
||||
|
||||
yanic_respondd_interface: ens18
|
||||
yanic_respondd_ip: true
|
||||
|
||||
yanic_nodes_prune_after: 60d
|
||||
yanic_nodes_offline_after: 5m
|
||||
|
||||
yanic_meshviewer_enable: false
|
||||
|
||||
yanic_nodelist_enable: true
|
||||
|
||||
yanic_database_delete_after: 720d
|
||||
|
||||
yanic_dbc_repondd_enable: false
|
||||
|
||||
yanic_influxdb:
|
||||
- enable: true
|
||||
host: http://127.0.0.1:8086
|
||||
database: ffrgb
|
||||
username: "admin"
|
||||
password: "{{ vault_yanic_influx_pw }}"
|
5
hosts
5
hosts
|
@ -2,11 +2,8 @@
|
|||
gw11.regensburg.freifunk.net
|
||||
gw21.regensburg.freifunk.net
|
||||
gw31.regensburg.freifunk.net
|
||||
ns1.regensburg.freifunk.net
|
||||
resolver.regensburg.freifunk.net
|
||||
stats.regensburg.freifunk.net
|
||||
web.regensburg.freifunk.net
|
||||
stats.ffrgb ansible_host=10.90.224.100
|
||||
unms.ffrgb ansible_host=10.90.224.101
|
||||
unifi.ffrgb ansible_host=10.90.224.102
|
||||
tiles.ffrgb ansible_host=10.90.224.103
|
||||
netbox.ffrgb ansible_host=10.90.224.104
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/usr/bin/env python3
|
||||
#!/usr/bin/env python
|
||||
|
||||
EXAMPLES = '''
|
||||
# Generates a fastd key
|
||||
|
@ -23,7 +23,7 @@ if __name__ == '__main__':
|
|||
# create file with restrictive permissions
|
||||
with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
|
||||
# generate fastd secret
|
||||
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode()
|
||||
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
|
||||
handle.write('secret "%s";\n' % secret)
|
||||
|
||||
changed = True
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
|
||||
acertmgr_version: "{{ lookup('url', 'https://raw.githubusercontent.com/moepman/acertmgr/master/version.txt') | trim }}"
|
|
@ -8,9 +8,16 @@
|
|||
- python3-yaml
|
||||
- python3-pkg-resources
|
||||
|
||||
- name: Find current acertmgr version
|
||||
get_url:
|
||||
url: "https://raw.githubusercontent.com/moepman/acertmgr/master/version.txt"
|
||||
dest: /tmp/acertmgr.version
|
||||
vars:
|
||||
ansible_connection: local
|
||||
|
||||
- name: Install acertmgr
|
||||
apt:
|
||||
deb: "https://github.com/moepman/acertmgr/releases/download/{{ acertmgr_version }}/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
|
||||
deb: "https://github.com/moepman/acertmgr/releases/download/{{ lookup('file', '/tmp/acertmgr.version') }}/python3-acertmgr_{{ lookup('file', '/tmp/acertmgr.version') }}-1_all.deb"
|
||||
|
||||
- name: Create config directories
|
||||
file:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
// Unattended-Upgrade::Origins-Pattern controls which packages are
|
||||
// upgraded.
|
||||
//
|
||||
// Lines below have the format "keyword=value,...". A
|
||||
// Lines below have the format format is "keyword=value,...". A
|
||||
// package will be upgraded only if the values in its metadata match
|
||||
// all the supplied keywords in a line. (In other words, omitted
|
||||
// keywords are wild cards.) The keywords originate from the Release
|
||||
|
@ -19,73 +19,50 @@
|
|||
// Within lines unattended-upgrades allows 2 macros whose values are
|
||||
// derived from /etc/debian_version:
|
||||
// ${distro_id} Installed origin.
|
||||
// ${distro_codename} Installed codename (eg, "buster")
|
||||
// ${distro_codename} Installed codename (eg, "jessie")
|
||||
Unattended-Upgrade::Origins-Pattern {
|
||||
// Codename based matching:
|
||||
// This will follow the migration of a release through different
|
||||
// archives (e.g. from testing to stable and later oldstable).
|
||||
// Software will be the latest available for the named release,
|
||||
// but the Debian release itself will not be automatically upgraded.
|
||||
"origin=Debian,codename=${distro_codename}-updates";
|
||||
// "origin=Debian,codename=${distro_codename}-proposed-updates";
|
||||
"origin=Debian,codename=${distro_codename},label=Debian";
|
||||
"origin=Debian,codename=${distro_codename},label=Debian-Security";
|
||||
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
|
||||
// "o=Debian,n=jessie";
|
||||
// "o=Debian,n=jessie-updates";
|
||||
// "o=Debian,n=jessie-proposed-updates";
|
||||
// "o=Debian,n=jessie,l=Debian-Security";
|
||||
|
||||
// Archive or Suite based matching:
|
||||
// Note that this will silently match a different release after
|
||||
// migration to the specified archive (e.g. testing becomes the
|
||||
// new stable).
|
||||
// "o=Debian,a=stable";
|
||||
// "o=Debian,a=stable-updates";
|
||||
// "o=Debian,a=proposed-updates";
|
||||
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
|
||||
"origin=Debian,codename=${distro_codename}";
|
||||
"origin=Debian,codename=${distro_codename}-updates";
|
||||
"origin=Debian,codename=${distro_codename}-proposed-updates";
|
||||
"origin=Debian,codename=${distro_codename},label=Debian-Security";
|
||||
};
|
||||
|
||||
// Python regular expressions, matching packages to exclude from upgrading
|
||||
// List of packages to not update (regexp are supported)
|
||||
Unattended-Upgrade::Package-Blacklist {
|
||||
// The following matches all packages starting with linux-
|
||||
// "linux-";
|
||||
|
||||
// Use $ to explicitely define the end of a package name. Without
|
||||
// the $, "libc6" would match all of them.
|
||||
// "libc6$";
|
||||
// "libc6-dev$";
|
||||
// "libc6-i686$";
|
||||
|
||||
// Special characters need escaping
|
||||
// "libstdc\+\+6$";
|
||||
|
||||
// The following matches packages like xen-system-amd64, xen-utils-4.1,
|
||||
// xenstore-utils and libxenstore3.0
|
||||
// "(lib)?xen(store)?";
|
||||
|
||||
// For more information about Python regular expressions, see
|
||||
// https://docs.python.org/3/howto/regex.html
|
||||
// "vim";
|
||||
// "libc6";
|
||||
// "libc6-dev";
|
||||
// "libc6-i686";
|
||||
};
|
||||
|
||||
// This option allows you to control if on a unclean dpkg exit
|
||||
// unattended-upgrades will automatically run
|
||||
// dpkg --force-confold --configure -a
|
||||
// The default is true, to ensure updates keep getting installed
|
||||
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
||||
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
||||
|
||||
// Split the upgrade into the smallest possible chunks so that
|
||||
// they can be interrupted with SIGTERM. This makes the upgrade
|
||||
// they can be interrupted with SIGUSR1. This makes the upgrade
|
||||
// a bit slower but it has the benefit that shutdown while a upgrade
|
||||
// is running is possible (with a small delay)
|
||||
//Unattended-Upgrade::MinimalSteps "true";
|
||||
Unattended-Upgrade::MinimalSteps "true";
|
||||
|
||||
// Install all updates when the machine is shutting down
|
||||
// instead of doing it in the background while the machine is running.
|
||||
// This will (obviously) make shutdown slower.
|
||||
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
|
||||
// This allows more time for unattended-upgrades to shut down gracefully
|
||||
// or even install a few packages in InstallOnShutdown mode, but is still a
|
||||
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
|
||||
// Users enabling InstallOnShutdown mode are advised to increase
|
||||
// InhibitDelayMaxSec even further, possibly to 30 minutes.
|
||||
//Unattended-Upgrade::InstallOnShutdown "false";
|
||||
// Install all unattended-upgrades when the machine is shuting down
|
||||
// instead of doing it in the background while the machine is running
|
||||
// This will (obviously) make shutdown slower
|
||||
Unattended-Upgrade::InstallOnShutdown "false";
|
||||
|
||||
// Send email to this address for problems or packages upgrades
|
||||
// If empty or unset then no email is sent, make sure that you
|
||||
|
@ -93,29 +70,19 @@ Unattended-Upgrade::Package-Blacklist {
|
|||
// 'mailx' must be installed. E.g. "user@example.com"
|
||||
Unattended-Upgrade::Mail "root";
|
||||
|
||||
// Set this value to one of:
|
||||
// "always", "only-on-error" or "on-change"
|
||||
// If this is not set, then any legacy MailOnlyOnError (boolean) value
|
||||
// is used to chose between "only-on-error" and "on-change"
|
||||
Unattended-Upgrade::MailReport "only-on-error";
|
||||
// Set this value to "true" to get emails only on errors. Default
|
||||
// is to always send a mail if Unattended-Upgrade::Mail is set
|
||||
Unattended-Upgrade::MailOnlyOnError "true";
|
||||
|
||||
// Remove unused automatically installed kernel-related packages
|
||||
// (kernel images, kernel headers and kernel version locked tools).
|
||||
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
||||
|
||||
// Do automatic removal of newly unused dependencies after the upgrade
|
||||
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
|
||||
|
||||
// Do automatic removal of unused packages after the upgrade
|
||||
// Do automatic removal of new unused dependencies after the upgrade
|
||||
// (equivalent to apt-get autoremove)
|
||||
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
||||
|
||||
// Automatically reboot *WITHOUT CONFIRMATION* if
|
||||
// the file /var/run/reboot-required is found after the upgrade
|
||||
// the file /var/run/reboot-required is found after the upgrade
|
||||
Unattended-Upgrade::Automatic-Reboot "false";
|
||||
|
||||
// Automatically reboot even if there are users currently logged in
|
||||
// when Unattended-Upgrade::Automatic-Reboot is set to true
|
||||
// Automatically reboot even if there are users currently logged in.
|
||||
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
|
||||
|
||||
// If automatic reboot is enabled and needed, reboot at the specific
|
||||
|
@ -125,40 +92,10 @@ Unattended-Upgrade::Automatic-Reboot "false";
|
|||
|
||||
// Use apt bandwidth limit feature, this example limits the download
|
||||
// speed to 70kb/sec
|
||||
//Acquire::http::Dl-Limit "70";
|
||||
Acquire::http::Dl-Limit "200";
|
||||
|
||||
// Enable logging to syslog. Default is False
|
||||
// Unattended-Upgrade::SyslogEnable "false";
|
||||
|
||||
// Specify syslog facility. Default is daemon
|
||||
// Unattended-Upgrade::SyslogFacility "daemon";
|
||||
|
||||
// Download and install upgrades only on AC power
|
||||
// (i.e. skip or gracefully stop updates on battery)
|
||||
// Unattended-Upgrade::OnlyOnACPower "true";
|
||||
|
||||
// Download and install upgrades only on non-metered connection
|
||||
// (i.e. skip or gracefully stop updates on a metered connection)
|
||||
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
|
||||
|
||||
// Verbose logging
|
||||
// Unattended-Upgrade::Verbose "false";
|
||||
|
||||
// Print debugging information both in unattended-upgrades and
|
||||
// in unattended-upgrade-shutdown
|
||||
// Unattended-Upgrade::Debug "false";
|
||||
|
||||
// Allow package downgrade if Pin-Priority exceeds 1000
|
||||
// Unattended-Upgrade::Allow-downgrade "false";
|
||||
|
||||
// When APT fails to mark a package to be upgraded or installed try adjusting
|
||||
// candidates of related packages to help APT's resolver in finding a solution
|
||||
// where the package can be upgraded or installed.
|
||||
// This is a workaround until APT's resolver is fixed to always find a
|
||||
// solution if it exists. (See Debian bug #711128.)
|
||||
// The fallback is enabled by default, except on Debian's sid release because
|
||||
// uninstallable packages are frequent there.
|
||||
// Disabling the fallback speeds up unattended-upgrades when there are
|
||||
// uninstallable packages at the expense of rarely keeping back packages which
|
||||
// could be upgraded or installed.
|
||||
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
|
||||
|
|
|
@ -3,18 +3,21 @@
|
|||
- name: Configure apt not to install recommends packages
|
||||
copy: src=apt-recommends.conf dest=/etc/apt/apt.conf.d/40recommends
|
||||
|
||||
- name: Install apt related tools
|
||||
apt:
|
||||
name:
|
||||
- apt-transport-https
|
||||
- debian-goodies
|
||||
- gnupg2
|
||||
- lsof
|
||||
- unattended-upgrades
|
||||
- name: Install apt https transport plugin
|
||||
apt: name=apt-transport-https
|
||||
|
||||
- name: Install debian-goodies for checkrestart
|
||||
apt: name={{ item }}
|
||||
with_items:
|
||||
- debian-goodies
|
||||
- lsof
|
||||
|
||||
- name: Configure periodic apt updates
|
||||
copy: src=apt-periodic.conf dest=/etc/apt/apt.conf.d/10periodic
|
||||
|
||||
- name: Install unattended-upgrades
|
||||
apt: name=unattended-upgrades
|
||||
|
||||
- name: Configure unattended-upgrades
|
||||
copy: src=unattended-upgrades.conf dest=/etc/apt/apt.conf.d/50unattended-upgrades
|
||||
|
||||
|
|
|
@ -8,4 +8,4 @@
|
|||
- { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
|
||||
- { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
|
||||
- { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
|
||||
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 32768 }
|
||||
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 8192 }
|
File diff suppressed because it is too large
Load Diff
|
@ -1,39 +1,38 @@
|
|||
---
|
||||
|
||||
- name: Install misc software
|
||||
apt:
|
||||
name:
|
||||
- ca-certificates
|
||||
- dnsutils
|
||||
- git
|
||||
- htop
|
||||
- less
|
||||
- mtr-tiny
|
||||
- net-tools
|
||||
- openssl
|
||||
- psmisc
|
||||
- pydf
|
||||
- rsync
|
||||
- sudo
|
||||
- vim-nox
|
||||
- zsh
|
||||
- fail2ban
|
||||
apt: name={{ item }}
|
||||
with_items:
|
||||
- dnsutils
|
||||
- git
|
||||
- htop
|
||||
- less
|
||||
- mtr-tiny
|
||||
- net-tools
|
||||
- openssl
|
||||
- psmisc
|
||||
- pydf
|
||||
- rsync
|
||||
- sudo
|
||||
- vim-nox
|
||||
- zsh
|
||||
- fail2ban
|
||||
|
||||
- name: Install software on KVM VMs
|
||||
apt:
|
||||
name:
|
||||
- acpid
|
||||
- qemu-guest-agent
|
||||
apt: name={{ item }}
|
||||
with_items:
|
||||
- acpid
|
||||
- qemu-guest-agent
|
||||
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
|
||||
|
||||
- name: Configure misc software
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
diff: no
|
||||
with_items:
|
||||
- { src: ".zshrc", dest: "/root/.zshrc" }
|
||||
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
||||
- { src: "motd", dest: "/etc/motd" }
|
||||
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||
- { src: 'motd', dest: '/etc/motd' }
|
||||
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
|
||||
|
||||
- name: Set shell for root user
|
||||
user: name=root shell=/bin/zsh
|
||||
|
@ -52,8 +51,8 @@
|
|||
- name: Prevent normal users from running su
|
||||
lineinfile:
|
||||
path: /etc/pam.d/su
|
||||
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
|
||||
line: "auth required pam_wheel.so"
|
||||
regexp: '^.*auth\s+required\s+pam_wheel.so$'
|
||||
line: 'auth required pam_wheel.so'
|
||||
|
||||
- name: Configure journald retention
|
||||
lineinfile:
|
||||
|
|
|
@ -2,5 +2,5 @@
|
|||
|
||||
dhcpd_interfaces: br-{{ site_code }}
|
||||
dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
|
||||
dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
|
||||
dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
|
||||
name_server: "{{ batman_ipv4 | ipaddr('address') }}"
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
# option definitions common to all supported networks...
|
||||
option domain-name "{{ site_domain }}";
|
||||
option domain-name-servers {{ nextnode4 }}, {{ name_server }};
|
||||
option domain-name-servers {{nextnode4}}, {{ name_server }};
|
||||
|
||||
local-address {{ batman_ipv4 | ipaddr('address') }};
|
||||
|
||||
|
|
|
@ -1,13 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
||||
- name: Restart powerdns
|
||||
service: name={{ item }} state=restarted
|
||||
with_items:
|
||||
- pdns
|
||||
- pdns-recursor
|
||||
|
||||
- name: Restart dnsdist
|
||||
service: name=dnsdist state=restarted
|
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
|
||||
- name: Install powerdns
|
||||
apt: name={{ item }}
|
||||
with_items:
|
||||
- pdns-backend-bind
|
||||
- pdns-recursor
|
||||
- pdns-server
|
||||
|
||||
- name: Create zone directory
|
||||
file: path=/etc/powerdns/bind/ state=directory
|
||||
|
||||
- name: Configure powerdns
|
||||
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
|
||||
tags: dns
|
||||
notify: Restart powerdns
|
||||
with_items:
|
||||
- bind/ffrgb.zone
|
||||
- bind/90.10.in-addr.arpa.zone
|
||||
- bindbackend.conf
|
||||
- pdns.conf
|
||||
- recursor.conf
|
||||
|
||||
- name: Start the powerdns services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- pdns
|
||||
- pdns-recursor
|
|
@ -12,6 +12,12 @@ launch=bind
|
|||
# local-address=0.0.0.0
|
||||
local-address=127.0.0.1
|
||||
|
||||
#################################
|
||||
# local-ipv6 Local IP address to which we bind
|
||||
#
|
||||
# local-ipv6=::
|
||||
local-ipv6=
|
||||
|
||||
#################################
|
||||
# local-port The port on which we listen
|
||||
#
|
|
@ -16,15 +16,21 @@ config-dir=/etc/powerdns
|
|||
# dnssec=process-no-validate
|
||||
dnssec=off
|
||||
|
||||
#################################
|
||||
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
|
||||
#
|
||||
# forward-zones=
|
||||
forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
|
||||
|
||||
#################################
|
||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||
#
|
||||
local-address=127.0.0.1
|
||||
local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}
|
||||
|
||||
#################################
|
||||
# local-port port to listen on
|
||||
#
|
||||
local-port=5353
|
||||
local-port=53
|
||||
|
||||
#################################
|
||||
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Restart powerdns
|
||||
service: name=pdns state=restarted
|
|
@ -1,22 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Install powerdns
|
||||
apt:
|
||||
name:
|
||||
- pdns-server
|
||||
- pdns-backend-sqlite3
|
||||
- sqlite3
|
||||
|
||||
- name: Configure powerdns
|
||||
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
|
||||
notify: Restart powerdns
|
||||
|
||||
- name: Initialize database
|
||||
command:
|
||||
cmd: >
|
||||
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
||||
/var/lib/powerdns/powerdns.sqlite3
|
||||
creates: /var/lib/powerdns/powerdns.sqlite3
|
||||
|
||||
- name: Start the powerdns services
|
||||
service: name=pdns state=started enabled=yes
|
|
@ -1,35 +0,0 @@
|
|||
#################################
|
||||
# allow-axfr-ips Allow zonetransfers only to these subnets
|
||||
#
|
||||
# allow-axfr-ips=127.0.0.0/8,::1
|
||||
allow-axfr-ips=127.0.0.1,::1,{{ dns_slaves | join(',') }}
|
||||
|
||||
#################################
|
||||
# dname-processing If we should support DNAME records
|
||||
#
|
||||
# dname-processing=no
|
||||
dname-processing=yes
|
||||
|
||||
#################################
|
||||
# launch Which backends to launch and order to query them in
|
||||
#
|
||||
# launch=
|
||||
launch=gsqlite3
|
||||
|
||||
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
|
||||
|
||||
#################################
|
||||
# master Act as a master
|
||||
#
|
||||
# master=no
|
||||
master=yes
|
||||
|
||||
#################################
|
||||
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
|
||||
#
|
||||
# only-notify=0.0.0.0/0,::/0
|
||||
only-notify=
|
||||
|
||||
# security-poll-suffix Domain name from which to query security update notifications
|
||||
#
|
||||
security-poll-suffix=
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
||||
- name: Restart powerdns
|
||||
service: name=pdns-recursor state=restarted
|
||||
|
||||
- name: Restart dnsdist
|
||||
service: name=dnsdist state=restarted
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
|
||||
dependencies:
|
||||
- { role: acertmgr }
|
|
@ -1,35 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Install powerdns
|
||||
apt:
|
||||
name:
|
||||
- dnsdist
|
||||
- pdns-recursor
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command:
|
||||
cmd: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
|
||||
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
||||
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
notify: Restart dnsdist
|
||||
|
||||
- name: Configure certificate manager
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure powerdns
|
||||
template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
|
||||
notify: Restart powerdns
|
||||
|
||||
- name: Configure dnsdist
|
||||
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
||||
notify: Restart dnsdist
|
||||
|
||||
- name: Start the dns services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- dnsdist
|
||||
- pdns-recursor
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
|
||||
{{ ansible_fqdn }}:
|
||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
user: _dnsdist
|
||||
group: _dnsdist
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service dnsdist restart'
|
||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
|
||||
user: _dnsdist
|
||||
group: _dnsdist
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service dnsdist restart'
|
|
@ -1,24 +0,0 @@
|
|||
-- {{ ansible_managed }}
|
||||
|
||||
setLocal('127.0.0.1')
|
||||
addLocal('::1')
|
||||
addLocal('{{ ansible_default_ipv4.address }}')
|
||||
addLocal('{{ ansible_default_ipv6.address }}')
|
||||
|
||||
setACL({'0.0.0.0/0', '::/0'})
|
||||
|
||||
addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
|
||||
|
||||
newServer({address='127.0.0.1:5353', name='localhost'})
|
||||
|
||||
addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
||||
addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
||||
|
||||
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
|
||||
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
|
||||
|
||||
-- HTTP Endpoint for Prometheus
|
||||
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
|
||||
|
||||
-- disable security status polling via DNS
|
||||
setSecurityPollSuffix('')
|
|
@ -1,47 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Install powerdns
|
||||
apt:
|
||||
name:
|
||||
- dnsdist
|
||||
- pdns-backend-bind
|
||||
- pdns-recursor
|
||||
- pdns-server
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command:
|
||||
cmd: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
|
||||
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
||||
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
notify: Restart dnsdist
|
||||
|
||||
- name: Configure certificate manager
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Create zone directory
|
||||
file: path=/etc/powerdns/bind/ state=directory
|
||||
|
||||
- name: Configure powerdns
|
||||
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
|
||||
notify: Restart powerdns
|
||||
with_items:
|
||||
- bind/ffrgb.zone
|
||||
- bind/90.10.in-addr.arpa.zone
|
||||
- bindbackend.conf
|
||||
- pdns.conf
|
||||
- recursor.conf
|
||||
|
||||
- name: Configure dnsdist
|
||||
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
||||
notify: Restart dnsdist
|
||||
|
||||
- name: Start the dns services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- dnsdist
|
||||
- pdns
|
||||
- pdns-recursor
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
|
||||
{{ ansible_fqdn }}:
|
||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
user: _dnsdist
|
||||
group: _dnsdist
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service dnsdist restart'
|
||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
|
||||
user: _dnsdist
|
||||
group: _dnsdist
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service dnsdist restart'
|
|
@ -1,20 +0,0 @@
|
|||
-- {{ ansible_managed }}
|
||||
|
||||
setLocal('127.0.0.1')
|
||||
addLocal('::1')
|
||||
addLocal('{{ batman_ipv4 | ipaddr('address') }}')
|
||||
addLocal('{{ batman_ipv6 | ipaddr('address') }}')
|
||||
|
||||
newServer({address='127.0.0.1:5353', name='localhost'})
|
||||
|
||||
addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
||||
addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
||||
|
||||
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
|
||||
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
|
||||
|
||||
-- HTTP Endpoint for Prometheus
|
||||
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
|
||||
|
||||
-- disable security status polling via DNS
|
||||
setSecurityPollSuffix('')
|
|
@ -1,54 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
#################################
|
||||
# allow-from If set, only allow these comma separated netmasks to recurse
|
||||
#
|
||||
#allow-from=127.0.0.0/8
|
||||
|
||||
#################################
|
||||
# config-dir Location of configuration directory (recursor.conf)
|
||||
#
|
||||
config-dir=/etc/powerdns
|
||||
|
||||
#################################
|
||||
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
||||
#
|
||||
# dnssec=process-no-validate
|
||||
dnssec=off
|
||||
|
||||
#################################
|
||||
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
|
||||
#
|
||||
# forward-zones=
|
||||
forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
|
||||
|
||||
#################################
|
||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||
#
|
||||
local-address=127.0.0.1
|
||||
|
||||
#################################
|
||||
# local-port port to listen on
|
||||
#
|
||||
local-port=5353
|
||||
|
||||
#################################
|
||||
# quiet Suppress logging of questions and answers
|
||||
#
|
||||
quiet=yes
|
||||
|
||||
#################################
|
||||
# security-poll-suffix Domain name from which to query security update notifications
|
||||
#
|
||||
# security-poll-suffix=secpoll.powerdns.com.
|
||||
security-poll-suffix=
|
||||
|
||||
#################################
|
||||
# setgid If set, change group id to this gid for more security
|
||||
#
|
||||
setgid=pdns
|
||||
|
||||
#################################
|
||||
# setuid If set, change user id to this uid for more security
|
||||
#
|
||||
setuid=pdns
|
|
@ -1,10 +1,17 @@
|
|||
---
|
||||
|
||||
- name: Enable docker apt-key
|
||||
apt_key: url='https://download.docker.com/linux/debian/gpg'
|
||||
|
||||
- name: Enable docker repository
|
||||
apt_repository:
|
||||
repo: 'deb https://download.docker.com/linux/debian buster stable'
|
||||
filename: docker
|
||||
|
||||
- name: Install docker
|
||||
apt:
|
||||
name:
|
||||
- docker.io
|
||||
- python3-docker
|
||||
|
||||
- name: Enable docker
|
||||
service: name=docker state=started enabled=yes
|
||||
- docker-ce
|
||||
- docker-ce-cli
|
||||
- containerd.io
|
||||
- python-docker
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
conntrack_max: 131072
|
||||
fastd_instances: 3
|
|
@ -4,14 +4,12 @@
|
|||
:INPUT ACCEPT [1:136]
|
||||
:OUTPUT ACCEPT [2:472]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }}
|
||||
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
|
||||
COMMIT
|
||||
*filter
|
||||
:INPUT ACCEPT [1124:131621]
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
|
||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
|
||||
:FORWARD ACCEPT [0:0]
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
:OUTPUT ACCEPT [1151:175226]
|
|
@ -1,13 +1,9 @@
|
|||
# {{ ansible_managed }}
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
|
||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
|
||||
:FORWARD ACCEPT [0:0]
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -m limit --limit 200/sec -j ACCEPT
|
||||
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -j DROP
|
||||
COMMIT
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
|
||||
conntrack_max: 131072
|
||||
fastd_instances: 3
|
||||
nat_pool: "{{ ansible_default_ipv4.address }}"
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
command: systemctl daemon-reload
|
||||
|
||||
- name: Restart fastd-exporter
|
||||
service: name=fastd-exporter state=restarted
|
|
@ -1,8 +1,8 @@
|
|||
---
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart fastd
|
||||
service: name=fastd@{{ site_code }}{{ item }} state=restarted
|
||||
with_sequence: start=0 count={{ fastd_instances }}
|
||||
|
||||
- name: Reload systemd
|
||||
command: systemctl daemon-reload
|
||||
|
|
|
@ -11,6 +11,7 @@ interface "vpn-{{ site_code }}{{ item }}";
|
|||
|
||||
method "null";
|
||||
method "salsa2012+umac";
|
||||
method "xsalsa20-poly1305";
|
||||
|
||||
secure handshakes yes;
|
||||
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Install git
|
||||
apt: name=git
|
||||
|
||||
- name: Install ca-certificates
|
||||
apt: name=ca-certificates
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
|
||||
grafana_rendering: False
|
|
@ -1,38 +1,10 @@
|
|||
---
|
||||
|
||||
- name: Retrieve Grafana Key and avoid apt_key
|
||||
block:
|
||||
- name: grafana |no apt key
|
||||
ansible.builtin.get_url:
|
||||
url: https://apt.grafana.com/gpg.key
|
||||
dest: /usr/share/keyrings/grafana.key
|
||||
- name: Enable grafana apt-key
|
||||
apt_key: url='https://packages.grafana.com/gpg.key'
|
||||
|
||||
- name: Enable grafana repository
|
||||
apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
|
||||
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
|
||||
|
||||
- name: Install grafana
|
||||
apt: name=grafana
|
||||
|
||||
- name: Install grafana rendering dependencies
|
||||
apt:
|
||||
name:
|
||||
- libxdamage1
|
||||
- libxext6
|
||||
- libxi6
|
||||
- libxtst6
|
||||
- libnss3
|
||||
- libnss3
|
||||
- libcups2
|
||||
- libxss1
|
||||
- libxrandr2
|
||||
- libasound2
|
||||
- libatk1.0-0
|
||||
- libatk-bridge2.0-0
|
||||
- libpangocairo-1.0-0
|
||||
- libpango-1.0-0
|
||||
- libcairo2
|
||||
- libatspi2.0-0
|
||||
- libgtk3.0-cil
|
||||
- libgdk3.0-cil
|
||||
- libx11-xcb-dev
|
||||
when: grafana_rendering
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Import Influxdb GPG siging key with store
|
||||
ansible.builtin.get_url:
|
||||
url: "https://repos.influxdata.com/influxdata-archive_compat.key"
|
||||
dest: /etc/apt/trusted.gpg.d/influxdb.key
|
||||
checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
|
||||
|
||||
- name: Convert key
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- gpg
|
||||
- --dearmor
|
||||
- /etc/apt/trusted.gpg.d/influxdb.key
|
||||
creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
|
||||
|
||||
- name: Enable InfluxDB repository
|
||||
ansible.builtin.apt_repository:
|
||||
repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
|
||||
state: present
|
||||
|
||||
- name: Install influxdb
|
||||
apt: name=influxdb
|
|
@ -1,9 +1,8 @@
|
|||
[Unit]
|
||||
Description=Network initialization
|
||||
Description=ifupdown2 networking initialization
|
||||
Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
|
||||
DefaultDependencies=no
|
||||
After=local-fs.target network-pre.target
|
||||
Before=shutdown.target network.target network-online.target
|
||||
Before=network.target shutdown.target network-online.target
|
||||
Conflicts=shutdown.target
|
||||
|
||||
[Service]
|
||||
|
@ -11,7 +10,6 @@ Type=oneshot
|
|||
RemainAfterExit=yes
|
||||
SyslogIdentifier=networking
|
||||
TimeoutStopSec=30s
|
||||
EnvironmentFile=/etc/default/networking
|
||||
ExecStart=/usr/share/ifupdown2/sbin/start-networking start
|
||||
ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
|
||||
ExecReload=/usr/share/ifupdown2/sbin/start-networking reload
|
|
@ -4,4 +4,4 @@
|
|||
command: /sbin/ifreload -a
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
command: systemctl daemon-reload
|
|
@ -1,13 +1,10 @@
|
|||
---
|
||||
|
||||
- name: Install dependencies
|
||||
apt:
|
||||
name:
|
||||
- bridge-utils
|
||||
apt: name=python-pkg-resources
|
||||
|
||||
# work-around to get a version new enough not to screw up forwarding setting on all interfaces
|
||||
- name: Install ifupdown2
|
||||
apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb
|
||||
apt: name=ifupdown2 state=latest
|
||||
|
||||
- name: Uninstall ifupdown
|
||||
apt: name=ifupdown state=absent
|
|
@ -14,8 +14,6 @@ iface br-{{ site_code }}
|
|||
{% if global_ipv6 is defined %}
|
||||
address {{ global_ipv6 }}
|
||||
{% endif %}
|
||||
#
|
||||
post-up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
|
||||
|
||||
# bat-{{ site_code }}
|
||||
auto bat-{{ site_code }}
|
||||
|
@ -23,14 +21,18 @@ iface bat-{{ site_code }}
|
|||
hwaddress f2:00:90:00:{{ gateway_id }}:20
|
||||
mtu 1500
|
||||
#
|
||||
batman-hop-penalty 5
|
||||
batman-ifaces dmy-{{ site_code }}
|
||||
batman-ifaces-ignore-regex .*_.*
|
||||
batman-routing-algo {{ batman_algo }}
|
||||
#
|
||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} gw server
|
||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} hp 5
|
||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} it 5000
|
||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} mff 1
|
||||
# TODO use batman-xyz instead of batctl
|
||||
# see /usr/share/ifupdown2/addons/batman_adv.py
|
||||
#
|
||||
up /usr/sbin/batctl -m bat-{{ site_code }} gw_mode server 100000 100000
|
||||
up /usr/sbin/batctl -m bat-{{ site_code }} it 5000
|
||||
up /usr/sbin/batctl -m bat-{{ site_code }} multicast_mode 0
|
||||
up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}
|
||||
up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
|
||||
|
||||
|
||||
# dmy-{{ site_code }}
|
|
@ -1 +0,0 @@
|
|||
OK
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Reload interfaces
|
||||
command: /sbin/ifreload -a
|
|
@ -1,25 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Install wireguard
|
||||
apt: name=wireguard-tools
|
||||
|
||||
- name: Create wireguard config directory
|
||||
file:
|
||||
path: /etc/wireguard
|
||||
state: directory
|
||||
mode: 0700
|
||||
|
||||
- name: Configure wireguard options
|
||||
template: src=wg.conf.j2 dest=/etc/wireguard/wg-{{ site_code }}.conf mode=0600
|
||||
notify: Reload interfaces
|
||||
|
||||
- name: Configure mesh interfaces
|
||||
template: src=mesh_wg.conf.j2 dest=/etc/network/interfaces.d/mesh_wg.conf
|
||||
notify: Reload interfaces
|
||||
|
||||
- name: Install wgskex
|
||||
apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
|
||||
|
||||
|
||||
- name: Install ping endpoint
|
||||
copy: src=ping dest=/var/www/html/ping
|
|
@ -1,21 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
# vx-{{ site_code }}
|
||||
auto vx-{{ site_code }}
|
||||
iface vx-{{ site_code }}
|
||||
mtu 1350
|
||||
vxlan-physdev wg-{{ site_code }}
|
||||
pre-up ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
|
||||
up ip link set vx-{{ site_code }} up
|
||||
post-up batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
|
||||
down ip link set vx-{{ site_code }} down
|
||||
post-down ip -6 link del vx-{{ site_code }}
|
||||
|
||||
# wg-{{ site_code }}
|
||||
auto wg-{{ site_code }}
|
||||
iface wg-{{ site_code }}
|
||||
address fe80::{{ gateway_id }}/128
|
||||
ipv6-addrgen no
|
||||
pre-up ip link add dev wg-{{ site_code }} type wireguard
|
||||
pre-up wg setconf wg-{{ site_code }} /etc/wireguard/wg-{{ site_code }}.conf
|
||||
post-up ip link set wg-{{ site_code }} mtu 1420
|
|
@ -1,3 +0,0 @@
|
|||
[Interface]
|
||||
PrivateKey = {{ mesh_wg_privkey }}
|
||||
ListenPort = {{ mesh_wg_port }}
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
|
||||
netbox_group: netbox
|
||||
netbox_user: netbox
|
||||
netbox_version: 3.7.8
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart netbox
|
||||
service: name=netbox state=restarted
|
||||
|
||||
- name: Restart netbox-rq
|
||||
service: name=netbox-rq state=restarted
|
|
@ -1,144 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Create group
|
||||
group: name={{ netbox_group }}
|
||||
|
||||
- name: Create user
|
||||
user: name={{ netbox_user }} home=/home/{{ netbox_user }} group={{ netbox_group }}
|
||||
|
||||
- name: Install dependencies
|
||||
apt:
|
||||
name:
|
||||
- build-essential
|
||||
- libffi-dev
|
||||
- libpq-dev
|
||||
- libssl-dev
|
||||
- libxml2-dev
|
||||
- libxslt1-dev
|
||||
- python3-setuptools
|
||||
- python3-dev
|
||||
- python3-pip
|
||||
- python3-venv
|
||||
- zlib1g-dev
|
||||
|
||||
- name: Install PostgreSQL
|
||||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- python3-psycopg2
|
||||
|
||||
- name: Configure PostgreSQL user
|
||||
postgresql_user:
|
||||
name: "{{ netbox_dbuser }}"
|
||||
password: "{{ netbox_dbpass }}"
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db:
|
||||
name: "{{ netbox_dbname }}"
|
||||
owner: "{{ netbox_dbuser }}"
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Install redis
|
||||
apt: name=redis-server
|
||||
|
||||
- name: Unpack netbox
|
||||
unarchive:
|
||||
src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
|
||||
dest: /opt
|
||||
remote_src: yes
|
||||
creates: "/opt/netbox-{{ netbox_version }}"
|
||||
register: netbox_unarchive
|
||||
|
||||
- name: Configure netbox
|
||||
template:
|
||||
src: configuration.py.j2
|
||||
dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
|
||||
owner: "{{ netbox_user }}"
|
||||
group: "{{ netbox_group }}"
|
||||
notify: Restart netbox
|
||||
|
||||
- name: Configure gunicorn
|
||||
template:
|
||||
src: gunicorn.py.j2
|
||||
dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
|
||||
owner: "{{ netbox_user }}"
|
||||
group: "{{ netbox_group }}"
|
||||
|
||||
- name: Netbox file permissions
|
||||
file:
|
||||
path: "/opt/netbox-{{ netbox_version }}"
|
||||
owner: "{{ netbox_user }}"
|
||||
group: "{{ netbox_group }}"
|
||||
recurse: yes
|
||||
|
||||
- name: Run upgrade script
|
||||
command:
|
||||
cmd: ./upgrade.sh
|
||||
chdir: "/opt/netbox-{{ netbox_version }}"
|
||||
become: true
|
||||
become_user: "{{ netbox_user }}"
|
||||
when: netbox_unarchive.changed
|
||||
|
||||
# TODO - still manual work
|
||||
# * Create a super user
|
||||
# * Migrate media files
|
||||
|
||||
- name: Install netbox housekeeping cronjob
|
||||
template:
|
||||
src: netbox-housekeeping.sh.j2
|
||||
dest: /etc/cron.daily/netbox-housekeeping.sh
|
||||
mode: 0755
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command:
|
||||
cmd: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
|
||||
-days 730 -subj "/CN={{ netbox_domain }}"
|
||||
creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Request nsupdate key for certificate
|
||||
include_role: name=acme-dnskey-generate
|
||||
vars:
|
||||
acme_dnskey_san_domains:
|
||||
- "{{ netbox_domain }}"
|
||||
when: "'kitchen' in group_names"
|
||||
|
||||
- name: Configure certificate manager for netbox
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure vhost
|
||||
template:
|
||||
src: vhost.j2
|
||||
dest: /etc/nginx/sites-available/netbox
|
||||
owner: root
|
||||
mode: "0644"
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable vhost
|
||||
file:
|
||||
src: /etc/nginx/sites-available/netbox
|
||||
dest: /etc/nginx/sites-enabled/netbox
|
||||
state: link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Install systemd units
|
||||
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
|
||||
with_items:
|
||||
- netbox
|
||||
- netbox-rq
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart netbox
|
||||
- Restart netbox-rq
|
||||
|
||||
- name: Enable services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- netbox
|
||||
- netbox-rq
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
|
||||
{{ netbox_domain }}:
|
||||
- path: /etc/nginx/ssl/{{ netbox_domain }}.key
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service nginx restart'
|
||||
- path: /etc/nginx/ssl/{{ netbox_domain }}.crt
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service nginx restart'
|
|
@ -1,212 +0,0 @@
|
|||
#########################
|
||||
# #
|
||||
# Required settings #
|
||||
# #
|
||||
#########################
|
||||
|
||||
# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
|
||||
# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
|
||||
#
|
||||
# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
|
||||
ALLOWED_HOSTS = ['{{ netbox_domain }}']
|
||||
|
||||
# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
|
||||
# https://docs.djangoproject.com/en/stable/ref/settings/#databases
|
||||
DATABASE = {
|
||||
'NAME': '{{ netbox_dbname }}', # Database name
|
||||
'USER': '{{ netbox_dbuser }}', # PostgreSQL username
|
||||
'PASSWORD': '{{ netbox_dbpass }}', # PostgreSQL password
|
||||
'HOST': 'localhost', # Database server
|
||||
'PORT': '', # Database port (leave blank for default)
|
||||
'CONN_MAX_AGE': 300, # Max database connection age
|
||||
}
|
||||
|
||||
# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
|
||||
# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
|
||||
# to use two separate database IDs.
|
||||
REDIS = {
|
||||
'tasks': {
|
||||
'HOST': 'localhost',
|
||||
'PORT': 6379,
|
||||
# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
|
||||
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
|
||||
# 'SENTINEL_SERVICE': 'netbox',
|
||||
'PASSWORD': '',
|
||||
'DATABASE': 0,
|
||||
'SSL': False,
|
||||
# Set this to True to skip TLS certificate verification
|
||||
# This can expose the connection to attacks, be careful
|
||||
# 'INSECURE_SKIP_TLS_VERIFY': False,
|
||||
},
|
||||
'caching': {
|
||||
'HOST': 'localhost',
|
||||
'PORT': 6379,
|
||||
# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
|
||||
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
|
||||
# 'SENTINEL_SERVICE': 'netbox',
|
||||
'PASSWORD': '',
|
||||
'DATABASE': 1,
|
||||
'SSL': False,
|
||||
# Set this to True to skip TLS certificate verification
|
||||
# This can expose the connection to attacks, be careful
|
||||
# 'INSECURE_SKIP_TLS_VERIFY': False,
|
||||
}
|
||||
}
|
||||
|
||||
# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
|
||||
# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
|
||||
# symbols. NetBox will not run without this defined. For more information, see
|
||||
# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
|
||||
SECRET_KEY = '{{ netbox_secret }}'
|
||||
|
||||
|
||||
#########################
|
||||
# #
|
||||
# Optional settings #
|
||||
# #
|
||||
#########################
|
||||
|
||||
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
|
||||
# application errors (assuming correct email settings are provided).
|
||||
ADMINS = [
|
||||
# ('John Doe', 'jdoe@example.com'),
|
||||
]
|
||||
|
||||
# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
|
||||
# BASE_PATH = 'netbox/'
|
||||
BASE_PATH = ''
|
||||
|
||||
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
|
||||
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
|
||||
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
|
||||
CORS_ORIGIN_ALLOW_ALL = False
|
||||
CORS_ORIGIN_WHITELIST = [
|
||||
# 'https://hostname.example.com',
|
||||
]
|
||||
CORS_ORIGIN_REGEX_WHITELIST = [
|
||||
# r'^(https?://)?(\w+\.)?example\.com$',
|
||||
]
|
||||
|
||||
# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
|
||||
# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
|
||||
# on a production system.
|
||||
DEBUG = False
|
||||
|
||||
# Email settings
|
||||
EMAIL = {
|
||||
'SERVER': 'localhost',
|
||||
'PORT': 25,
|
||||
'USERNAME': '',
|
||||
'PASSWORD': '',
|
||||
'USE_SSL': False,
|
||||
'USE_TLS': False,
|
||||
'TIMEOUT': 10, # seconds
|
||||
'FROM_EMAIL': '',
|
||||
}
|
||||
|
||||
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
|
||||
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
|
||||
EXEMPT_VIEW_PERMISSIONS = [
|
||||
# 'dcim.site',
|
||||
# 'dcim.region',
|
||||
# 'ipam.prefix',
|
||||
]
|
||||
|
||||
# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
|
||||
# HTTP_PROXIES = {
|
||||
# 'http': 'http://10.10.1.10:3128',
|
||||
# 'https': 'http://10.10.1.10:1080',
|
||||
# }
|
||||
|
||||
# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
|
||||
# NetBox from an internal IP.
|
||||
INTERNAL_IPS = ('127.0.0.1', '::1')
|
||||
|
||||
# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
|
||||
# https://docs.djangoproject.com/en/stable/topics/logging/
|
||||
LOGGING = {}
|
||||
|
||||
# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
|
||||
# authenticated to NetBox indefinitely.
|
||||
LOGIN_PERSISTENCE = False
|
||||
|
||||
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
|
||||
# are permitted to access most data in NetBox but not make any changes.
|
||||
LOGIN_REQUIRED = True
|
||||
|
||||
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
|
||||
# re-authenticate. (Default: 1209600 [14 days])
|
||||
LOGIN_TIMEOUT = None
|
||||
|
||||
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
|
||||
# the default value of this setting is derived from the installed location.
|
||||
# MEDIA_ROOT = '/opt/netbox/netbox/media'
|
||||
|
||||
# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
|
||||
# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
|
||||
# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
|
||||
# STORAGE_CONFIG = {
|
||||
# 'AWS_ACCESS_KEY_ID': 'Key ID',
|
||||
# 'AWS_SECRET_ACCESS_KEY': 'Secret',
|
||||
# 'AWS_STORAGE_BUCKET_NAME': 'netbox',
|
||||
# 'AWS_S3_REGION_NAME': 'eu-west-1',
|
||||
# }
|
||||
|
||||
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
|
||||
METRICS_ENABLED = False
|
||||
|
||||
# Enable installed plugins. Add the name of each plugin to the list.
|
||||
PLUGINS = []
|
||||
|
||||
# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
|
||||
# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
|
||||
# PLUGINS_CONFIG = {
|
||||
# 'my_plugin': {
|
||||
# 'foo': 'bar',
|
||||
# 'buzz': 'bazz'
|
||||
# }
|
||||
# }
|
||||
|
||||
# Remote authentication support
|
||||
REMOTE_AUTH_ENABLED = False
|
||||
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
|
||||
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
|
||||
REMOTE_AUTH_AUTO_CREATE_USER = True
|
||||
REMOTE_AUTH_DEFAULT_GROUPS = []
|
||||
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
|
||||
|
||||
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
|
||||
# version check or use the URL below to check for release in the official NetBox repository.
|
||||
RELEASE_CHECK_URL = None
|
||||
# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
|
||||
|
||||
# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
|
||||
# this setting is derived from the installed location.
|
||||
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
|
||||
|
||||
# Maximum execution time for background tasks, in seconds.
|
||||
RQ_DEFAULT_TIMEOUT = 300
|
||||
|
||||
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
|
||||
# this setting is derived from the installed location.
|
||||
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
|
||||
|
||||
# The name to use for the session cookie.
|
||||
SESSION_COOKIE_NAME = 'sessionid'
|
||||
|
||||
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
|
||||
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
|
||||
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
|
||||
SESSION_FILE_PATH = None
|
||||
|
||||
# Time zone (default: UTC)
|
||||
TIME_ZONE = 'Europe/Berlin'
|
||||
|
||||
# Date/time formatting. See the following link for supported formats:
|
||||
# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
|
||||
DATE_FORMAT = 'N j, Y'
|
||||
SHORT_DATE_FORMAT = 'Y-m-d'
|
||||
TIME_FORMAT = 'g:i a'
|
||||
SHORT_TIME_FORMAT = 'H:i:s'
|
||||
DATETIME_FORMAT = 'N j, Y g:i a'
|
||||
SHORT_DATETIME_FORMAT = 'Y-m-d H:i'
|
|
@ -1,16 +0,0 @@
|
|||
# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
|
||||
bind = '127.0.0.1:8001'
|
||||
|
||||
# Number of gunicorn workers to spawn. This should typically be 2n+1, where
|
||||
# n is the number of CPU cores present.
|
||||
workers = 5
|
||||
|
||||
# Number of threads per worker process
|
||||
threads = 3
|
||||
|
||||
# Timeout (in seconds) for a request to complete
|
||||
timeout = 120
|
||||
|
||||
# The maximum number of requests a worker can handle before being respawned
|
||||
max_requests = 5000
|
||||
max_requests_jitter = 500
|
|
@ -1,9 +0,0 @@
|
|||
#!/bin/sh
|
||||
# This shell script invokes NetBox's housekeeping management command, which
|
||||
# intended to be run nightly. This script can be copied into your system's
|
||||
# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
|
||||
# within the cron configuration file.
|
||||
#
|
||||
# If NetBox has been installed into a nonstandard location, update the paths
|
||||
# below.
|
||||
/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping
|
|
@ -1,21 +0,0 @@
|
|||
[Unit]
|
||||
Description=NetBox Request Queue Worker
|
||||
Documentation=https://netbox.readthedocs.io/en/stable/
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
|
||||
User={{ netbox_user }}
|
||||
Group={{ netbox_group }}
|
||||
WorkingDirectory=/opt/netbox-{{ netbox_version }}
|
||||
|
||||
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
|
||||
|
||||
Restart=on-failure
|
||||
RestartSec=30
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,22 +0,0 @@
|
|||
[Unit]
|
||||
Description=NetBox WSGI Service
|
||||
Documentation=https://netbox.readthedocs.io/en/stable/
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
|
||||
User={{ netbox_user }}
|
||||
Group={{ netbox_group }}
|
||||
PIDFile=/var/tmp/netbox.pid
|
||||
WorkingDirectory=/opt/netbox-{{ netbox_version }}
|
||||
|
||||
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
|
||||
|
||||
Restart=on-failure
|
||||
RestartSec=30
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,38 +0,0 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ netbox_domain }};
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
alias /var/www/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://{{ netbox_domain }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ netbox_domain }};
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ netbox_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ netbox_domain }}.crt;
|
||||
|
||||
location /static/ {
|
||||
alias /opt/netbox-{{ netbox_version }}/netbox/static/;
|
||||
}
|
||||
|
||||
location / {
|
||||
client_max_body_size 32M;
|
||||
|
||||
proxy_pass http://localhost:8001;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
|
||||
nginx_anonymize: False
|
|
@ -47,32 +47,7 @@ http {
|
|||
# Logging Settings
|
||||
##
|
||||
|
||||
{% if nginx_anonymize %}
|
||||
map $remote_addr $ip_anonym1 {
|
||||
default 0.0.0;
|
||||
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
|
||||
"~(?P<ip>[^:]+:[^:]+):" $ip;
|
||||
}
|
||||
|
||||
map $remote_addr $ip_anonym2 {
|
||||
default .0;
|
||||
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
|
||||
"~(?P<ip>[^:]+:[^:]+):" ::;
|
||||
}
|
||||
|
||||
map $ip_anonym1$ip_anonym2 $ip_anonymized {
|
||||
default 0.0.0.0;
|
||||
"~(?P<ip>.*)" $ip;
|
||||
}
|
||||
|
||||
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
|
||||
access_log /var/log/nginx/access.log anonymized;
|
||||
{% else %}
|
||||
access_log /var/log/nginx/access.log;
|
||||
{% endif %}
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
##
|
|
@ -8,13 +8,7 @@
|
|||
when: nginx_ssl
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command:
|
||||
cmd: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
|
||||
-out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
|
||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
||||
creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
|
||||
when: nginx_ssl
|
||||
notify: Restart nginx
|
||||
|
||||
|
@ -30,7 +24,7 @@
|
|||
- /etc/nginx/dhparam.pem
|
||||
|
||||
- name: Configure nginx
|
||||
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
|
||||
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure default vhost
|
||||
|
@ -41,7 +35,7 @@
|
|||
- name: Ensure network and dns are available before nginx
|
||||
lineinfile:
|
||||
dest: /lib/systemd/system/nginx.service
|
||||
line: "After=network-online.target remote-fs.target nss-lookup.target"
|
||||
line: "After=network-online.target nss-lookup.target"
|
||||
regexp: "^After="
|
||||
|
||||
- name: Start nginx
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
---
|
||||
|
||||
node_exporter_version: 1.2.0
|
||||
node_exporter_version: 1.0.1
|
||||
node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz
|
||||
|
|
|
@ -1 +1 @@
|
|||
OPTIONS="--web.config=/etc/node_exporter/web-config.yml"
|
||||
OPTIONS=""
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
command: systemctl daemon-reload
|
||||
|
||||
- name: Restart node_exporter
|
||||
service: name=node_exporter state=restarted
|
||||
|
|
|
@ -9,27 +9,6 @@
|
|||
- name: Configure node_exporter
|
||||
copy: src=node_exporter dest=/etc/default/node_exporter
|
||||
|
||||
- name: Create configuration directory
|
||||
file: path=/etc/node_exporter state=directory
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command:
|
||||
cmd: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/node_exporter/{{ ansible_fqdn }}.key
|
||||
-out /etc/node_exporter/{{ ansible_fqdn }}.crt
|
||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
||||
creates: /etc/node_exporter/{{ ansible_fqdn }}.crt
|
||||
notify: Restart node_exporter
|
||||
|
||||
- name: Ensure correct certificate permissions
|
||||
file: path=/etc/node_exporter/{{ ansible_fqdn }}.key owner=node_exporter mode=0400
|
||||
notify: Restart node_exporter
|
||||
|
||||
- name: Configure node_exporter TLS
|
||||
template: src=web-config.yml.j2 dest=/etc/node_exporter/web-config.yml
|
||||
notify: Restart node_exporter
|
||||
|
||||
- name: Install systemd unit
|
||||
template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
|
||||
notify:
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
tls_server_config:
|
||||
cert_file: /etc/node_exporter/{{ ansible_fqdn }}.crt
|
||||
key_file: /etc/node_exporter/{{ ansible_fqdn }}.key
|
||||
|
||||
basic_auth_users:
|
||||
prometheus: {{ prometheus_node_pass | password_hash('bcrypt', 'supersecret1salt1value') }}
|
|
@ -1,4 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Restart chrony
|
||||
service: name=chrony state=restarted
|
||||
- name: Restart ntp
|
||||
service: name=ntp state=restarted
|
||||
|
||||
- name: Restart ntpd
|
||||
service: name=ntpd state=restarted
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
---
|
||||
|
||||
- name: Install chrony
|
||||
apt: name=chrony
|
||||
- name: Install ntp
|
||||
apt: name=ntp
|
||||
|
||||
- name: Configure chrony
|
||||
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
|
||||
notify: Restart chrony
|
||||
- name: Configure ntp
|
||||
template: src=ntp.conf.j2 dest=/etc/ntp.conf
|
||||
notify: Restart ntp
|
||||
|
||||
- name: Start chrony
|
||||
service: name=chrony state=started enabled=yes
|
||||
- name: Start the ntp service
|
||||
service: name=ntp state=started enabled=yes
|
||||
|
|
|
@ -1,53 +0,0 @@
|
|||
# Welcome to the chrony configuration file. See chrony.conf(5) for more
|
||||
# information about usable directives.
|
||||
|
||||
# Include configuration files found in /etc/chrony/conf.d.
|
||||
confdir /etc/chrony/conf.d
|
||||
|
||||
{% for srv in ntp_servers %}
|
||||
server {{ srv }} iburst
|
||||
{% endfor %}
|
||||
{% if ntp_peers is defined %}
|
||||
|
||||
{% for peer in ntp_peers %}
|
||||
peer {{ peer }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if ntp_server is defined and ntp_server is true %}
|
||||
allow 10.90.0.0/16
|
||||
allow 2001:678:ddc::/48
|
||||
{% endif -%}
|
||||
|
||||
# This directive specify the location of the file containing ID/key pairs for
|
||||
# NTP authentication.
|
||||
keyfile /etc/chrony/chrony.keys
|
||||
|
||||
# This directive specify the file into which chronyd will store the rate
|
||||
# information.
|
||||
driftfile /var/lib/chrony/chrony.drift
|
||||
|
||||
# Save NTS keys and cookies.
|
||||
ntsdumpdir /var/lib/chrony
|
||||
|
||||
# Uncomment the following line to turn logging on.
|
||||
#log tracking measurements statistics
|
||||
|
||||
# Log files location.
|
||||
logdir /var/log/chrony
|
||||
|
||||
# Stop bad estimates upsetting machine clock.
|
||||
maxupdateskew 100.0
|
||||
|
||||
# This directive enables kernel synchronisation (every 11 minutes) of the
|
||||
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
|
||||
rtcsync
|
||||
|
||||
# Step the system clock instead of slewing it if the adjustment is larger than
|
||||
# one second, but only in the first three clock updates.
|
||||
makestep 1 3
|
||||
|
||||
# Get TAI-UTC offset and leap seconds from the system tz database.
|
||||
# This directive must be commented out when using time sources serving
|
||||
# leap-smeared time.
|
||||
leapsectz right/UTC
|
|
@ -0,0 +1,17 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
{% for srv in ntp_servers %}
|
||||
server {{ srv }} iburst
|
||||
{% endfor %}
|
||||
{% if ntp_peers is defined %}
|
||||
|
||||
{% for peer in ntp_peers %}
|
||||
peer {{ peer }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
restrict default kod nomodify notrap nopeer noquery
|
||||
restrict -6 default kod nomodify notrap nopeer noquery
|
||||
|
||||
restrict 127.0.0.1
|
||||
restrict -6 ::1
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
command: systemctl daemon-reload
|
||||
|
||||
- name: Restart prometheus
|
||||
service: name=prometheus state=restarted
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
- name: Install dependencies
|
||||
apt:
|
||||
name:
|
||||
- python3-pip
|
||||
- python-setuptools
|
||||
- python3-setuptools
|
||||
- virtualenv
|
||||
|
||||
|
@ -22,13 +22,6 @@
|
|||
- Reload systemd
|
||||
- Restart prometheus-pve-exporter
|
||||
|
||||
- name: Configure prometheus retention
|
||||
lineinfile:
|
||||
path: /etc/default/prometheus
|
||||
regexp: '^ARGS=.*$'
|
||||
line: 'ARGS="--storage.tsdb.retention.time=365d"'
|
||||
notify: Restart prometheus
|
||||
|
||||
- name: Configure prometheus
|
||||
template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml
|
||||
notify: Restart prometheus
|
||||
|
|
|
@ -27,29 +27,12 @@ rule_files:
|
|||
scrape_configs:
|
||||
{% if node_targets is defined %}
|
||||
- job_name: node
|
||||
scheme: https
|
||||
basic_auth:
|
||||
username: prometheus
|
||||
password: {{ prometheus_node_pass }}
|
||||
tls_config:
|
||||
insecure_skip_verify: true
|
||||
static_configs:
|
||||
- targets:
|
||||
{% for target in node_targets %}
|
||||
- {{ target }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if dnsdist_targets is defined %}
|
||||
- job_name: dnsdist
|
||||
basic_auth:
|
||||
username: prometheus
|
||||
password: {{ prometheus_dnsdist_pass }}
|
||||
static_configs:
|
||||
- targets:
|
||||
{% for target in dnsdist_targets %}
|
||||
- {{ target }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if fastd_targets is defined %}
|
||||
- job_name: fastd
|
||||
static_configs:
|
||||
|
|
|
@ -19,6 +19,6 @@ interface br-{{ site_code }} {
|
|||
AdvRouterAddr on;
|
||||
};
|
||||
{% endif %}
|
||||
RDNSS {{ batman_ipv6 | ipaddr('address') }} {
|
||||
RDNSS {{ batman_ipv6 | ipaddr('address')}} {
|
||||
};
|
||||
};
|
||||
|
|
|
@ -4,4 +4,4 @@ batman_interface: bat-{{ site_code }}
|
|||
main_bridge: br-{{ site_code }}
|
||||
|
||||
respondd_announce_git_root: https://github.com/ffnord/mesh-announce/
|
||||
respondd_announce_git_version: 4fd2e3e6eb15c2a52b7401c88a105ff483934689
|
||||
respondd_announce_git_version: fc2d8d78d53d1908ad16b79b66f79557ccd9a83a
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue