

No commits in common. "master" and "master" have entirely different histories.

159 changed files with 2009 additions and 5141 deletions


@ -1,4 +0,0 @@
skip_list:
- meta-no-info
- package-latest
- risky-file-permissions


@ -1,11 +0,0 @@
---
name: playbook
kind: pipeline
type: docker
steps:
- name: lint
image: cytopia/ansible-lint:latest
commands:
- ansible-lint

1
.gitignore vendored

@ -2,4 +2,3 @@
__pycache__
site.retry
*.pyc
ff-ansible.code-workspace


@ -3,11 +3,11 @@ Ansible Freifunk Regensburg
## Requirements
The python packages netaddr and passlib are required on the host running ansible.
The python package netaddr is required on the host running ansible.
The vault password must be stored in `.vault_pass`.
The *only* supported distributions to deploy roles on is debian buster.
The *only* supported distributions to deploy roles on is debian stretch and buster (stretch may be too old for prometheus).
## Running Ansible


@ -1,6 +1,5 @@
[defaults]
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
interpreter_python = auto
inventory = ./hosts
library = ./library
nocows = 1


@ -2,20 +2,6 @@
acertmgr_mode: webdir
dnsdist_targets:
- gw11.regensburg.freifunk.net:8053
- gw21.regensburg.freifunk.net:8053
- gw31.regensburg.freifunk.net:8053
- resolver.regensburg.freifunk.net:8053
dns_slaves:
- 195.201.117.207
- 2a01:4f8:1c0c:7dda::1
- 213.166.224.14
- 2a02:958:0:1::e
- 213.166.225.14
- 2a02:958:0:1::1:e
fastd_targets:
- gw11.regensburg.freifunk.net:9281
- gw21.regensburg.freifunk.net:9281
@ -39,24 +25,15 @@ gre_matrix:
- { id: 26, a: gw21, b: gw31 }
# - { id: 33, a: gw22, b: gw31 }
netbox_domain: netbox.regensburg.freifunk.net
netbox_dbname: netbox
netbox_dbuser: netbox
netbox_dbpass: "{{ vault_netbox_dbpass }}"
netbox_secret: "{{ vault_netbox_secret }}"
node_targets:
- ns1.regensburg.freifunk.net:9100
- stats.regensburg.freifunk.net:9100
- tiles.regensburg.freifunk.net:9100
- gw11.regensburg.freifunk.net:9100
- gw21.regensburg.freifunk.net:9100
- gw31.regensburg.freifunk.net:9100
- web.regensburg.freifunk.net:9100
- resolver.regensburg.freifunk.net:9100
- netbox.regensburg.freifunk.net:9100
- stats.ffrgb:9100
- unms.ffrgb:9100
- unifi.ffrgb:9100
- tiles.ffrgb:9100
ntp_servers:
- 0.de.pool.ntp.org
@ -64,10 +41,6 @@ ntp_servers:
- 2.de.pool.ntp.org
- 3.de.pool.ntp.org
prometheus_dnsdist_pass: "{{ vault_prometheus_dnsdist_pass }}"
prometheus_node_pass: "{{ vault_prometheus_node_pass }}"
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@ -75,17 +48,8 @@ pve_targets:
- pve01.ffrgb
- pve02.ffrgb
searxng_domain: sx.regensburg.freifunk.net
searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net
site: ffrgb
site_domain: regensburg.freifunk.net
speedtest_domain: speed.regensburg.freifunk.net
speedtest_domains: speed.ffrgb.net speed.regensburg.freifunk.net
speedtest_secret: "{{ vault_speedtest_secret }}"
tileserver_domain: tiles.regensburg.freifunk.net
web_services:
- { id: uisp, domain: uisp.regensburg.freifunk.net, domains: uisp.ffrgb.net uisp.regensburg.freifunk.net }
- { id: tiles, domain: tiles.regensburg.freifunk.net }


@ -1,137 +1,128 @@
$ANSIBLE_VAULT;1.1;AES256
31633832313136353531623833383865383736333164376632363635333439613763643062663632
3736376165623664376436643138653435393239636333370a643363343061303436613238373237
36653730376133363061333536626436363366393335303932663736316631633630323634353531
3734353134396561660a616339303762313430616234383138326438383432646564356662393536
61376161343965656365646238393261356133326131613730343234336139366461333032396531
38653031363934623231336661363233393562383434323633353139336530383432383736353937
65633935373261653134653839353233643439616266613531373938393231643736333436353234
65646665626531323566326561353333666535666430613961666232646632303662343832643661
35373166323439623137383164663838393766326237336234326635383930323365326431343338
61343434363961633532656466653732626135306334303634383235643531396535326536636264
37343930623235363632623963346637363964666664636266373137363037383036633233643130
30323036653637656131623332613463303937323133653064623333396534336661306432323536
38373534303235323230306139663736663430633463663166393033613435616662336335643137
32366439333661313930636234346265306233393966623832613834623263356337356162396335
34353362613163323936613930666339303839393431303461363565623561363034306538396237
38326263303033376435623037653365636362653831623066653263623236613566623962313266
34336233343530366236313131323962666163383035633361333637343732356338626265613338
36643663336161663636343864623864323735613838373562376431643338346662393731373833
38313839393433626630363635323232373534303437656561316231653536306264386331333666
36323330626164363730643337623262303335333438303432373465343235303836366362383336
39666631363362383338616536666432373738336131653765353635373365623030393365636630
38303033306664356162316262346434343239646230663062643566336132613535393835366236
66306435653364323335623665316264646631383066373837653536316135316130393766356162
33326431643162383539323161626163316532373831386334643761636630616162666236613766
38633738333331616336363736396635306630363561613966656538633432363661313432373731
39303764303362336536396130613637653530376437333336613465643539396330623261356534
64633761643065313038656261326638343032353832376262653135663162353434323936353862
31663738353965303963353962626534303333303037336431373631396635363938326133336330
63353333616664663934636433653434626162323064653430666565613061623239613561643838
66356662303137383639336432633432636235306165306339623632316134306431376163616465
32636132656232303162333238393837383731633931363865356634643736326139313638333230
39316662306432333333333266333234646539646532316536383932666435366136346138626136
64373362366239633964616638363666656564323436636432663937666565653436613465366461
65376562303639363332636532386535386365656636346365333330386132383637636239653730
63333361303037393936653064336439653932373739336564333132303639343835376633666631
66613138343730636563626131623437343232303964626562633332303761626331383662373531
39663463656361303236666661356564373432333062303363313532333938633337363536343930
37376464393438613564653465353037313536626466643131336133336161316437316433663032
62633465613634373238383937643037346336336135353230386538353933616436646534366435
31323363666266373662626362663164653863326239303462363739383730643962333230343733
37393831383666393064626437323861353739363762346330666436356466316464393838366133
34653131653838643063396633346132336439393132353661373063623865643465306238326538
63313366386263623333636636376637383536353663643266653431626365666139393764663633
62366234376231393261646366383733633565303433353631343239313362646161663433653632
61303231616366386435666232353531306331613638633531613364663130643433336232633164
64373131303135316135376339353366313635653466663765323931616232333539333639623033
39626233316430303062336234623966376564386365613265363866666636626435306664336636
39346139316331306333666332393631306433623365303064383831643864336634303737633434
39303364633530343531373964353335333832636433313865303765393665633838316531343035
34666237353834613337353063666333353764666431376235393534613534363163333732373061
36663537363938373235326537326139366562656264393930653630383332383466333435386233
32613737303431333537326264343065306361653562633064393762643161313666663262313236
65386430306432653563623666646439376163383433653561333461383933383835373563396137
62383861393963313534616437663465333834663235356439363735633133623365383839613037
34303465363033313739373631363261313130616663336662346132653239313562386664353432
64373961663563393362303166633630343665663437373562613461343266646332313963653965
39363632313864343437333038623364323161376237386333616636303364373964343464643330
31613431313562353862306236623233636264653635643264333364336533623036356530343465
33366131333365393333373062623666663065316666363736633562363934336534313464353239
30666365303330363962653731626266376433666135333435313236386163653336386134633630
65336335346539666431643036636663643936326635636438636438646230353962646335396461
64623238343632346265376537323462316162633437633463656235626366666235653231303736
34316166363139336536396631663435386434396336346331663333353338353466346433393062
31343662316464356663356539303934633336613335373732353165366266303837303364616537
31356135313732633232343362663932656363633162623539323938643239383333306638346236
36666564323336346234313239656463626138313364656637353434303266613232353334666539
34666437356531393933656338373834303130663132303433376338643833643236333639663530
32653536643035303536353431623463353762393539363634636566396134353362633038333831
33633632666331666665373664633138323536633264653339663463326236343862656563323835
66633038346237356638646133626239336233633261626464626238636363666431646661366337
32396137303664363734666238346636653531666461306335343636303861653533356266643833
39633939666534663033336462336633636264336133633630366166356163306539613830636432
66326661646430366332363530333338373136656234613030616338383531313138666435313562
33346262353934636564613730396536333731653036303333343039393534643837663234346234
30303032623565316234343834303061303333346539636138343334663131646463363863663062
31343432383238623733346563323533636466346538616334646338366465356165613434623730
37323930623539353764643939643963353238646230396337633362363664613431303032656639
38613961633439613837636531653163383633373263343235303766613736616636613066316463
63346337383864363562373562643636343764626433383634643064313831373833356132393737
39356534623536373066663933356535356532636332343661333166663433666433363661343861
63393734656534363761313862613364616161303735323563656265323362313061343332346238
35353534663137653466396432353437333739363631373332316165663964653335363034636131
33363933333764306265306161336165306234616161313466393233363431363061633730653437
65313636366162303763663530386239343833626139643439306161623066313638323361353831
63323531353939356337613865663737373661343362353362326637666666383535633030626163
36386464326134333965623262356532353161316533626331623266623630383331313037376365
37353164306433633563386436653235616661366639343035306533643732326232366537633635
33306338386561353564643537353736663434663931343263333764633961666464373461346335
65323462313761653361343236326632393835613538616436666534363366626637376262326462
32366530383439646137383737303634613136396135633136316233326230323466383932616630
66316561333961346130306531623936376636646330373237623034633135303630353566333037
34656233316663656661623731633034643332336631356436653134366162396336643331623135
65646466633236393036383639623066663963653431343836626664383431363663653535383565
64333432343561623633316232623864386161376163333238623066636533353330336566313835
66653265346331393238343862353162383234303334626261643065656637386434636564663665
63616339663261616534376661393837343335373638366264323732353032363731376332653936
64393262346230636366336133616366646533373530356235316561643232333664343462386539
38396665626131646234613466396334346431316638333436633637353836313933656134383031
38633838323163383536323735626132323565643136663030643436303363333264373061663430
65613836313531636264633333346331343038373466653231613830383435386364636237303965
65663635633732663636333764623133373864356363313535333136613039313035663633386338
61343930323665616464643235396232393134373537616635663231343763346434626665393966
31613835666563333261373533316364346538393438636636633862353431333030623933663130
31626337303733373034666562363064373936656435636637356365386363346664306134376339
37383335646339636265656134383432396438383732303066396636373834373037663062336335
61346438636134333763346265653766396165626365633237373466346438363330633562353731
61313630373137303131326134613264356462333363643463643861666239623937636535336536
30313234623936316439643164316139386366336630616266653338383337653561656337343837
66613234363738306235316632316666376231306561653865353636373835646263393932316134
30313433613664306533386133376232323737633934396135626532323830346336353631383539
38666264343962646237313332396535643863393535303437346262613861646663303037333736
63326534313964613663376635306162653639623735633139326161323232653462343063383036
39616233613664626161663131383366663435626432626663623638646163666535316461383531
39663130646564373563323965386331353036366230343635363266323864623633663333656561
33353131623065623839396634653735396262656261323963363261643761373137616232666665
39643835383034383439393638363438633931323437613365643935383766333535643537633633
63633133303166326432613932396331356263626166343436386463376537656231656438313563
30653664383935383161303865363338393933363334653631616432643037626433356561636634
34316436383462386331393231633161383362666532363561326631613137656464306262313034
35636334623861323836326265396664373461313034343231316261616330313938333263666665
39616163346632623764666337313561626233636363343036363331663932616530346230653663
62373661306566373638383962356563323430613262326534663663383162396263306335613462
39326162663161663264626437353064306238646664376666336534326263313061393133373636
33346161376136636536393264363332633561373037326566313137366265383635376366343036
30613763633264303536396535303236353138393032336461666131356464343930656665326535
64393130376166383538353866323265303562326239626233636237626664346631646264386439
65383730333534656361366438316536613138303334343665396438336164663064373838323534
64626631363131663462303131333735633337653335623939383264363163633765326438313965
32623662383464316133623538616139623433336435316166346336663761343536393662393733
35333938383137383863653966363837366639303634616239643235653932643132323033373238
38323734353563383133333538316236393162636237313061363663303764343533626466373137
32656561383633633166386437653361313363666334636639353833323461663030313736613831
30613832306137323637653330306637323530613935333263373338346430393265333839636566
39336662326637363038653734323230626234346433313830656264633732666430663265383031
65313864386637303563636239646633393335616231613531633762326430633231343264363236
32346662623562356432
36303531356238623563383536313866333234626534333764393330613338323437633133333933
6664636362396636366362363236383763653561366236370a336538353466333830326166353833
38616339376634616533376262623839653063666633306537353065303436636130376335336631
3432623039316431330a656664386662633362356137666661323438386333386632343864336663
36623430663333393434393464633633376431333736396165343964663137373366343262373262
62343237623763363961313666333364386364353732383061623937663731653037386562383339
39623633666336356666626134333935356265303035616135303532396632323861366233373936
61356363613161653263323737343866323538623039643230373765353337376631643362633639
32346239353462363239393862643665373663646530343837313132616166346662326339316635
35313465343631333939376165313661616133363565666439336163326132633137363166383831
62613832373839383234356463323761613036666331306434353165653639616336633638396633
61363333376239623738386262653165643335343436303634366536363338386138313235313562
34303332626239323235613532396435646632353132613962363961383536666131306533306566
64306364393266633635363162323133656363633862326231366161633138343765343564646236
66666535613764613964633164333063306263353931646532346136663839646533643230666362
65343432353838383832306331333832386363613566373461323033643963616237663165366636
36336266353664353136323237383237663363613035653664303634633266333565303833356238
62623538623861653135633666613034363766306263323262663631383961333932313837333339
38313439636262313563326232323937323163373532306464333662363362613064313638353338
34633766623962326464393564316563663764326462316232653935383463343163613532623931
33653136636634373939386439623661383432616534333061626232303266343666383335346666
34323336366232363563626139316666353433343236626334366138656334646338623338316439
32323833656430373831616661613662353465376664633233333666373766356666373839336232
65346637616539616330356138323865646433346339363130343366363731343262393538336466
30316565303133343762666165626533343135633937323162653964626535343962653636636163
36323066393039333531626434383830666665326563376638656238393439373033653763386131
65316265626130643335333362363232613733633835633234316565303532623766653032303332
33386661326362626538393033396430303564653737346339643966623337653661376633623166
66313162316131326364393731346336626663626564343662343334616533616537633765376463
64303939313639613665353035336536373436646436373038633233313330663965386665326234
37326338333262313461373765306163646233303930633838636563313138646461656130666234
33383232336333373965666630386131326137666633623231633739646435363532393432323330
33393431616630336139393236636533383537623162376636393365663733626565306661386665
65613536313032646636623334656266336531383733306361363536616661336236353735343535
31353738346332643465383735636666326532623166373962376563633861376361663663393030
31316366346531376635386335366564373530303664323934383930356530356265623530356461
31656461663637373238303737383263353065326333383564346532376261316130346461373230
31633939313061663235326331613061383033313131633330303238363135303637363133663637
61653439633534633234366164313665356265323931346234646163333463366466613934333536
36336662306531643537333437363032643433323564643736336539393634333139633631376238
63633031646163613161626139666334623961646230366561343839653638303465323632653438
39613364326264333131636231303031643336353663386238636561373839393834376636646534
31383764623664363065626331363762623232336162383164396435613330303432616632306336
64313564636433643430336333613339666536383062383932366137636432373038333134313263
61636635613534663662353732333563366230636332326337303433356536373563663639326438
31393664643765653365363834653936336138336261313337636363323063616261336137306662
66663632663864366262363566393437313136373531313264323663373866663865396335666431
33383665346634383039393334373166396230393432623934326665663931636431646330643033
65613339623863323537626631343935333966326263323836373163633531373662393561633731
64613237363562643164613338396436303334346234343739323137616364626433666464663133
61306630626261376465636234613263366334626161353338323739643938323137633835653032
66323964663965616666626138636433323736323630303832366365663436396265333033666662
65343730336233323637356435363931346638666239363964646538343665396466646238363531
31343535393931633830326561323437643834393430646431393765336433326236313537616532
37363739373838383361616663633963373032646663333735663533356630626537326165666530
61633537336437366266303463336438373137303037383761393365366365323263643239323736
33316637643735363531643965383530643333636437363936303133373261386237386630616232
30373861313638663639653932333532306166653462616136326365616465363436363663313430
30306664626566643431353362383364633961306536663136396538313364656231363538363964
37613761326365656632323034376634316430326666306330383937393963656333666437336639
61343365343463303161336366386161363662646138316536653635383034616431356265613032
66643937333933633932376133306465373031386334373032373261643762396637396139616638
64313966393732383830646566306266663734356531336564393362613937646565663337353038
31663734616536343938393638663636653532383538313137336166633632653235323833643665
35393234633364666561653934346139353761643536313438366231646564323138393133333662
36656164333831393061653632633830383766613638353863306663356164393665373965373237
32363065326231393231343839633463326235316533636163356434313832343064396532613832
33306331623364363566663463316139336134396636653264343563623339373566656134636364
38653435333061333966396131376564386134363433643134616338343535353132633465616364
31393266313339383233363364303731653933613632363231333965653237393962646132373761
30643865626130343263656562653765343561636235333966363935333038383734363136633339
65383232313633363761303063343936613765636633663866633833303938366339373635343733
32616432343338376139313663656535373064353063643661663732633130383932373138666133
33336262316664613936633032656234353262333633626237376636383261626331346464363261
65396138653264636537346436636230613435376532383130666138373334643834303064303161
38393563336564343530373362613166636639393963383539333234613734353834306135643363
65613732376661373137353262626565613164343631336531393132333137326531353439333731
37396434626365646565613766653930613632316632363764353330313836326436313438653836
64613337626236323435393363626332383235326635323561633261396466623462623536306361
65393331343664343533356462656638636638666464353037633334323363613936353266363530
39663264356132363836343765336163653731373035653332303462383933333734363537366233
33646333653762656534663635636634663835643730386264333738323962636266653734303239
30336261323039386461303933633366316537303230336238636662396133353735653936313232
63373335313162643562393131653930383566363239613063633931376536373366346331623337
64343734333565316232356634376438306536373662316632313066336364383062653765643165
66626465636365613064323664393163636230303664666632653938633364343136343464653735
38376637646232333735633861356238646235616536336662353466346163616631613062303837
32363638383838663833633532323365663531323632313534613133306336383262306530613337
39653732323430643334366131313137653265353632643136643662626361636666326364303831
39666166623564373133323332353337623038623737303935383036613236666339306235316166
37643737386438623261653064643339663865366433376162373466653461313961383166663830
35396661396664623866346661396563363564306136333137663166323362386431663835323365
35656361353162666638626130343833303165333964613161396132613939313738396563333336
64366533646137633166383431666366643937666139653637386535363135656432363136373134
62396433316339366534303064636436646365373138376162333032383539373939376337643663
62613966646361366435366361633864373066303933633039623530336236346261323335633130
65323838323235653839656530626661343731383966623732663430313137643566343566643932
62353936666632336532326266376438346339343030666530666261386335343566336237616639
33353932326435393266336263363466633035653161363162376630343132383436336164643337
66323436376265353062373166343162353334313365313462616139393430333164323539636235
38613531393030663831663361333437313333643264353131356163313630636264313130663363
62383166396131386133626131303163323865393832663262666434623833653861353064663062
65623239356163656433363339386632303562333064613631383933323563663761343465306133
32336233303461666366336466643936396366343735363934363136393738303031386339623532
30326131383636356535343462313338303235343739623039353066653661313431333461333030
65336166623732353432633236393233313964306435633231336534643134643834626534626131
39303239366439303230316565373235616261633362633737646365316133616366643333343138
31323138343838363735663835633361663036613461336135356639396334633765643764346365
33353332326330366434313662383765653561663238653137383339626539633364336336363634
65626465666435326566363863643064363365623361633266316137643637656537663934396663
65633738613231326461373761626135373866326130356335653739636130366135363137646362
37393839346634373132316434313966653730623035633933636230643765366261373839373333
39363263376533326533663365363538383434663830646630323562333235356335373363383831
66393361663865653238643035353138623730396363333633336261363739303264336136663638
61646366323238373861386266353135333835353665333965306665613331393438313064303435
36633333366637616666386531396539303630653735373163623437396161393633636435356631
30393530323234373631393630383564306132616135646534316466336335366131663465336231
64353136663436653637613765636234343836393262323535666232326265303333646436636531
38313063373133383062333439363036663562623639333932386131353666373037623539316335
39613766383631643661353238643534646464663231663166386634636330373332653963616330
39383238386135646330336565323762326463313939386236366161356463343566376231396465
64376661633465643864663236323961653535386362656238323730326663383138613831613633
38373661666363666661313065356364353232333466386263383761323264363535643034326563
61353638646463383063616365376535366232653135653430336231353633323665373438613437
32316164643438626236613839353333316536313439306334666566623465323366633036326466
61646263396333373063383861313033393335323263393261636265613736376361393735636130
643939373434306635633963666533396439


@ -3,22 +3,13 @@
batman_ipv4: 10.90.32.11/19
batman_ipv6: fdef:f10f:1337:cafe::11/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:11::11/64
global_ipv6: 2a00:9d80:6000:0101::11/64
nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010
gateway_id: 11
site_code: ffrgb_cty
nat_pool: 194.156.22.12-194.156.22.13
ntp_server: true
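Review bot: `mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"` in this gw11 section names the same vault variable as the gw12 section, and gw21/gw22 likewise both use `vault_mesh_wg_privkey_uml`, so two gateways would present a single WireGuard identity. If both hosts are up at the same time peers cannot tell them apart, and a compromise of either host exposes the mesh key of both; if gw12 is a standby for gw11 this may be deliberate, in which case a comment such as `# shared with gw11: standby gateway, same WireGuard identity` on the line would make that explicit, otherwise a per-host vault variable is the safer default. Which side of the compare these lines are on cannot be read from the rendered page, so this applies only if they survive on the new side.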


@ -8,15 +8,8 @@ nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010
gateway_id: 12
site_code: ffrgb_cty
ntp_server: true


@ -3,22 +3,13 @@
batman_ipv4: 10.90.64.21/19
batman_ipv6: fdef:f20f:1337:cafe::21/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:21::21/64
global_ipv6: 2a00:9d80:6000:0102::21/64
nextnode4: 10.90.64.1
nextnode6: fdef:f20f:1337:cafe::1
mtu: 1312
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
fastd_port: 10020
gateway_id: 21
site_code: ffrgb_uml
nat_pool: 194.156.22.22-194.156.22.23
ntp_server: true


@ -10,13 +10,6 @@ mtu: 1312
fastd_port: 10020
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
gateway_id: 22
site_code: ffrgb_uml
ntp_server: true


@ -3,22 +3,13 @@
batman_ipv4: 10.90.96.31/19
batman_ipv6: fdef:f30f:1337:cafe::31/64
batman_algo: BATMAN_IV
global_ipv6: 2001:678:ddc:31::31/64
global_ipv6: 2a00:9d80:6000:0103::31/64
nextnode4: 10.90.96.1
nextnode6: fdef:f30f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3120917
mesh_wg_port: 20030
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_tst }}"
fastd_port: 10030
gateway_id: 31
site_code: ffrgb_tst
nat_pool: 194.156.22.32-194.156.22.33
ntp_server: true


@ -1,3 +0,0 @@
---
acertmgr_mode: standalone


@ -1,31 +0,0 @@
---
grafana_rendering: True
# yanic needs this
site_code: ffrgb_cty
yanic_publisher: true
yanic_repondd_enable: false
yanic_respondd_interface: ens18
yanic_respondd_ip: true
yanic_nodes_prune_after: 60d
yanic_nodes_offline_after: 5m
yanic_meshviewer_enable: false
yanic_nodelist_enable: true
yanic_database_delete_after: 720d
yanic_dbc_repondd_enable: false
yanic_influxdb:
- enable: true
host: http://127.0.0.1:8086
database: ffrgb
username: "admin"
password: "{{ vault_yanic_influx_pw }}"

8
hosts

@ -2,12 +2,8 @@
gw11.regensburg.freifunk.net
gw21.regensburg.freifunk.net
gw31.regensburg.freifunk.net
netbox.regensburg.freifunk.net
ns1.regensburg.freifunk.net
resolver.regensburg.freifunk.net
stats.regensburg.freifunk.net
sx.regensburg.freifunk.net
tiles.regensburg.freifunk.net
web.regensburg.freifunk.net
stats.ffrgb ansible_host=10.90.224.100
unms.ffrgb ansible_host=10.90.224.101
unifi.ffrgb ansible_host=10.90.224.102
tiles.ffrgb ansible_host=10.90.224.103


@ -1,4 +1,4 @@
#!/usr/bin/env python3
#!/usr/bin/env python
EXAMPLES = '''
# Generates a fastd key
@ -23,7 +23,7 @@ if __name__ == '__main__':
# create file with restrictive permissions
with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
# generate fastd secret
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode()
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
handle.write('secret "%s";\n' % secret)
changed = True
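Review bot: The second printed form of the `secret = subprocess.check_output([...]).strip()` line (the new side, if the rendered page prints old then new) drops `.decode()`, so under Python 3 `secret` is `bytes` and `'secret "%s";\n' % secret` writes the literal `b'...'` repr into the key file, leaving fastd with an unusable secret. The shebang switch to `#!/usr/bin/env python` suggests Python 2 is assumed, but Ansible normally substitutes its own discovered interpreter for a module's shebang, so keeping `.strip().decode()` (or passing `universal_newlines=True` to `check_output`) keeps the module correct under either interpreter. Separately, `os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)` has no `O_EXCL`, so if no existence check precedes it an existing key file would have its leading bytes overwritten rather than being left alone or replaced atomically; the enclosing `if __name__ == '__main__'` block starts outside the hunk, so that check may already be there. The `0o600` mode at creation is the right choice for key material.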


@ -1,3 +0,0 @@
---
acertmgr_version: "{{ lookup('url', 'https://raw.githubusercontent.com/moepman/acertmgr/master/version.txt') | trim }}"


@ -8,9 +8,16 @@
- python3-yaml
- python3-pkg-resources
- name: Find current acertmgr version
get_url:
url: "https://raw.githubusercontent.com/moepman/acertmgr/master/version.txt"
dest: /tmp/acertmgr.version
vars:
ansible_connection: local
- name: Install acertmgr
apt:
deb: "https://github.com/moepman/acertmgr/releases/download/{{ acertmgr_version }}/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
deb: "https://github.com/moepman/acertmgr/releases/download/{{ lookup('file', '/tmp/acertmgr.version') }}/python3-acertmgr_{{ lookup('file', '/tmp/acertmgr.version') }}-1_all.deb"
- name: Create config directories
file:
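Review bot: The added `Find current acertmgr version` task writes to the fixed path `/tmp/acertmgr.version` on the controller (`ansible_connection: local`), and `Install acertmgr` then splices `lookup('file', '/tmp/acertmgr.version')` unvalidated into the download URL. `/tmp` on the controller is shared and world-writable, so another local user there can pre-create that file or a symlink and steer which `.deb` is installed on every managed host; the file also persists between runs, so a stale value is silently reused. A per-run private path from the `tempfile` module (with `delegate_to: localhost` and `run_once: true` for the controller-side work), plus an `assert` that the content matches a plain version pattern before it is used, closes both gaps. Note also that `apt: deb: <url>` installs without apt's signature check, so tracking the latest release this way trusts TLS alone; a comment on the task stating that is worth adding, and the task list itself starts before the hunk.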


@ -1,7 +1,7 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format "keyword=value,...". A
// Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
@ -19,73 +19,50 @@
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "buster")
// ${distro_codename} Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// Software will be the latest available for the named release,
// but the Debian release itself will not be automatically upgraded.
"origin=Debian,codename=${distro_codename}-updates";
// "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
// "o=Debian,n=jessie";
// "o=Debian,n=jessie-updates";
// "o=Debian,n=jessie-proposed-updates";
// "o=Debian,n=jessie,l=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
"origin=Debian,codename=${distro_codename}";
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
// Python regular expressions, matching packages to exclude from upgrading
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux-
// "linux-";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::MinimalSteps "true";
// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
@ -93,20 +70,11 @@ Unattended-Upgrade::Package-Blacklist {
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
@ -114,8 +82,7 @@ Unattended-Upgrade::Remove-Unused-Dependencies "true";
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
// Automatically reboot even if there are users currently logged in.
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
@ -125,40 +92,10 @@ Unattended-Upgrade::Automatic-Reboot "false";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
Acquire::http::Dl-Limit "200";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

@ -3,18 +3,21 @@
- name: Configure apt not to install recommends packages
copy: src=apt-recommends.conf dest=/etc/apt/apt.conf.d/40recommends
- name: Install apt related tools
apt:
name:
- apt-transport-https
- debian-goodies
- gnupg2
- lsof
- unattended-upgrades
- name: Install apt https transport plugin
apt: name=apt-transport-https
- name: Install debian-goodies for checkrestart
apt: name={{ item }}
with_items:
- debian-goodies
- lsof
- name: Configure periodic apt updates
copy: src=apt-periodic.conf dest=/etc/apt/apt.conf.d/10periodic
- name: Install unattended-upgrades
apt: name=unattended-upgrades
- name: Configure unattended-upgrades
copy: src=unattended-upgrades.conf dest=/etc/apt/apt.conf.d/50unattended-upgrades
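Review bot: The `Install debian-goodies for checkrestart` task feeds `apt: name={{ item }}` one package at a time through `with_items`, which runs a separate apt transaction per package and hides the intent (the task name says debian-goodies, but lsof is installed too); the apt module's documentation recommends passing the list straight to `name:` instead, e.g. `apt:` with `name: [debian-goodies, lsof]` under a name such as `Install apt related tools`. Reading the hunk counts, the `with_items` variant is the kept side; the same per-item loop appears in the base role's `Install misc software` and `Install software on KVM VMs` tasks and in the dns role's `Install powerdns` task further down, where the same change applies. The three separate apt tasks in this file (apt-transport-https, debian-goodies/lsof, unattended-upgrades) could collapse into that one list as well.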

@ -8,4 +8,4 @@
- { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
- { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
- { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 32768 }
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 8192 }

@ -1,13 +1,7 @@
---
- name: Restart chrony
service: name=chrony state=restarted
- name: Restart journald
service: name=systemd-journald state=restarted
- name: update-grub
command: update-grub
- name: update-initramfs
command: update-initramfs -u -k all

@ -1,79 +0,0 @@
---
- name: Install misc software
apt:
name:
- ca-certificates
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- wget
- zsh
- fail2ban
- name: Install software on KVM VMs
apt:
name:
- acpid
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- name: Set shell for root user
user: name=root shell=/bin/zsh
- name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
notify: update-initramfs
- name: Enable serial console on KVM VMs
lineinfile:
path: "/etc/default/grub"
state: "present"
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
notify: update-grub
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
- name: Configure journald retention
lineinfile:
path: "/etc/systemd/journald.conf"
state: "present"
regexp: "^#?MaxRetentionSec=.*"
line: "MaxRetentionSec=7day"
notify: Restart journald
- name: Set logrotate.conf to daily
replace:
path: "/etc/logrotate.conf"
regexp: "(?:weekly|monthly)"
replace: "daily"
- name: Set logrotate.conf rotation to 7
replace:
path: "/etc/logrotate.conf"
regexp: "rotate [0-9]+"
replace: "rotate 7"

@ -1,25 +0,0 @@
---
- name: Install misc software
apt:
name:
- dnsutils
- htop
- ipmitool
- less
- rsync
- vim-nox
- wget
- zsh
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- name: Set shell for root user
user: name=root shell=/bin/zsh

@ -1,11 +0,0 @@
---
- name: Install chrony
apt: name=chrony
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony
- name: Start chrony
service: name=chrony state=started enabled=yes

@ -1,21 +1,75 @@
---
- name: Cleanup
apt: autoclean=yes
when: ansible_os_family == "Debian"
- name: Install misc software
apt: name={{ item }}
with_items:
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- zsh
- fail2ban
- name: Gather package facts
package_facts:
manager: apt
when: ansible_os_family == "Debian"
- name: Install software on KVM VMs
apt: name={{ item }}
with_items:
- acpid
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Proxmox
include: Proxmox.yml
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Debian
include: Debian.yml
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
- name: Set shell for root user
user: name=root shell=/bin/zsh
- name: Setup chrony
include: chrony.yml
- name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
notify: update-initramfs
- name: use new-style network interface names
file: path=/etc/systemd/network/{{ item }} state=absent
with_items:
- 50-virtio-kernel-names.link
- 99-default.link
notify: update-initramfs
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: '^.*auth\s+required\s+pam_wheel.so$'
line: 'auth required pam_wheel.so'
- name: Configure journald retention
lineinfile:
path: "/etc/systemd/journald.conf"
state: "present"
regexp: "^#?MaxRetentionSec=.*"
line: "MaxRetentionSec=7day"
notify: Restart journald
- name: Set logrotate.conf to daily
replace:
path: "/etc/logrotate.conf"
regexp: "(?:weekly|monthly)"
replace: "daily"
- name: Set logrotate.conf rotation to 7
replace:
path: "/etc/logrotate.conf"
regexp: "rotate [0-9]+"
replace: "rotate 7"

@ -1,53 +0,0 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
{% if ntp_server is defined and ntp_server is true %}
allow 10.90.0.0/16
allow 2001:678:ddc::/48
{% endif -%}
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys
# This directive specify the file into which chronyd will store the rate
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Log files location.
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC

@ -2,5 +2,5 @@
dhcpd_interfaces: br-{{ site_code }}
dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
name_server: "{{ batman_ipv4 | ipaddr('address') }}"

@ -2,7 +2,7 @@
# option definitions common to all supported networks...
option domain-name "{{ site_domain }}";
option domain-name-servers {{ nextnode4 }}, {{ name_server }};
option domain-name-servers {{nextnode4}}, {{ name_server }};
local-address {{ batman_ipv4 | ipaddr('address') }};

@ -1,13 +1,7 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns
service: name={{ item }} state=restarted
with_items:
- pdns
- pdns-recursor
- name: Restart dnsdist
service: name=dnsdist state=restarted

28
roles/dns/tasks/main.yml Normal file
@ -0,0 +1,28 @@
---
- name: Install powerdns
apt: name={{ item }}
with_items:
- pdns-backend-bind
- pdns-recursor
- pdns-server
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
- name: Configure powerdns
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
tags: dns
notify: Restart powerdns
with_items:
- bind/ffrgb.zone
- bind/90.10.in-addr.arpa.zone
- bindbackend.conf
- pdns.conf
- recursor.conf
- name: Start the powerdns services
service: name={{ item }} state=started enabled=yes
with_items:
- pdns
- pdns-recursor

@ -12,6 +12,12 @@ launch=bind
# local-address=0.0.0.0
local-address=127.0.0.1
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
#

@ -25,17 +25,19 @@ forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1
local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}
#################################
# local-port port to listen on
#
local-port=5353
local-port=53
#################################
# query-local-address Source IP address for sending queries
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
#
query-local-address=::,0.0.0.0
{% if global_ipv6 is defined %}
query-local-address6={{ global_ipv6 | ipaddr('address') }}
{% endif %}
#################################
# quiet Suppress logging of questions and answers
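Review bot: With `local-address` now including the batman IPv4 and IPv6 addresses and `local-port=53`, the recursor answers directly on the mesh, so the `allow-from` setting (earlier in the file, outside this hunk) decides who may recurse through it. If it is left at the recursor's built-in default, only private and link-local source ranges are admitted, so the RFC 1918 mesh IPv4 range works but clients from a global-scope mesh IPv6 prefix would be refused; if it is widened to everything, the host becomes an open resolver for anything that can reach those addresses. Pin it to loopback plus the mesh prefixes, e.g. `allow-from=127.0.0.0/8,::1/128,<MESH_IPV4_PREFIX>,<MESH_IPV6_PREFIX>`, and check the rendered file rather than the template.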

@ -1,4 +0,0 @@
---
- name: Restart powerdns
service: name=pdns state=restarted

@ -1,22 +0,0 @@
---
- name: Install powerdns
apt:
name:
- pdns-server
- pdns-backend-sqlite3
- sqlite3
- name: Configure powerdns
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
notify: Restart powerdns
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/powerdns.sqlite3
creates: /var/lib/powerdns/powerdns.sqlite3
- name: Start the powerdns services
service: name=pdns state=started enabled=yes

@ -1,35 +0,0 @@
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
# allow-axfr-ips=127.0.0.0/8,::1
allow-axfr-ips=127.0.0.1,::1,{{ dns_slaves | join(',') }}
#################################
# dname-processing If we should support DNAME records
#
# dname-processing=no
dname-processing=yes
#################################
# launch Which backends to launch and order to query them in
#
# launch=
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
#################################
# master Act as a master
#
# master=no
master=yes
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
only-notify=
# security-poll-suffix Domain name from which to query security update notifications
#
security-poll-suffix=

@ -1,10 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns
service: name=pdns-recursor state=restarted
- name: Restart dnsdist
service: name=dnsdist state=restarted

@ -1,4 +0,0 @@
---
dependencies:
- { role: acertmgr }

@ -1,35 +0,0 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-recursor
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Configure powerdns
template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
notify: Restart powerdns
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns-recursor

@ -1,15 +0,0 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'

@ -1,24 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')
addLocal('{{ ansible_default_ipv6.address }}')
setACL({'0.0.0.0/0', '::/0'})
addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')

@ -1,53 +0,0 @@
# {{ ansible_managed }}
#################################
# allow-from If set, only allow these comma separated netmasks to recurse
#
#allow-from=127.0.0.0/8
#################################
# config-dir Location of configuration directory (recursor.conf)
#
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
#
# dnssec=process-no-validate
dnssec=off
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1
#################################
# local-port port to listen on
#
local-port=5353
#################################
# query-local-address Source IP address for sending queries
#
query-local-address=::,0.0.0.0
#################################
# quiet Suppress logging of questions and answers
#
quiet=yes
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns

@ -1,47 +0,0 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-backend-bind
- pdns-recursor
- pdns-server
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
- name: Configure powerdns
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
notify: Restart powerdns
with_items:
- bind/ffrgb.zone
- bind/90.10.in-addr.arpa.zone
- bindbackend.conf
- pdns.conf
- recursor.conf
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns
- pdns-recursor

@ -1,15 +0,0 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'

@ -1,20 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ batman_ipv4 | ipaddr('address') }}')
addLocal('{{ batman_ipv6 | ipaddr('address') }}')
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')

@ -1,10 +1,17 @@
---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian buster stable'
filename: docker
- name: Install docker
apt:
name:
- docker.io
- python3-docker
- name: Enable docker
service: name=docker state=started enabled=yes
- docker-ce
- docker-ce-cli
- containerd.io
- python-docker
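Review bot: `apt_key: url='https://download.docker.com/linux/debian/gpg'` imports whatever key the URL serves into the system-wide trusted keyring without checking its fingerprint, so a wrong or substituted key would be trusted for every repository on the host; pass the expected fingerprint via `id:`, store the key with `keyring:`, and scope it to this repository with `[signed-by=...]` in the `apt_repository` line. The same unpinned `apt_key: url=` pattern appears in the grafana tasks hunk further down (`packages.grafana.com/gpg.key`), where the same fix applies. The release name is also hard-coded as `buster` in the repo line; `{{ ansible_distribution_release }}` keeps it in step with the host. As the counts suggest the `Enable docker` service task is not on the kept side, confirm that the docker-ce package enables and starts the service on its own.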

@ -0,0 +1,4 @@
---
conntrack_max: 131072
fastd_instances: 3

@ -4,14 +4,12 @@
:INPUT ACCEPT [1:136]
:OUTPUT ACCEPT [2:472]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }}
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [1124:131621]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [1151:175226]

@ -1,13 +1,9 @@
# {{ ansible_managed }}
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -m limit --limit 200/sec -j ACCEPT
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -j DROP
COMMIT

@ -1,5 +0,0 @@
---
conntrack_max: 131072
fastd_instances: 3
nat_pool: "{{ ansible_default_ipv4.address }}"

@ -1,7 +1,7 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
command: systemctl daemon-reload
- name: Restart fastd-exporter
service: name=fastd-exporter state=restarted
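Review bot: The `Reload systemd` handler shells out with `command: systemctl daemon-reload`, which is skipped in check mode and trips ansible-lint's command-instead-of-module rule; the `systemd` module does the same thing natively: `systemd: daemon_reload=yes`. Assuming the `command:` line is the kept one, as the surrounding handler files suggest, the same handler appears in the fastd handlers and the ifupdown2 handlers further down, where the same replacement applies.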

@ -1,8 +1,8 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart fastd
service: name=fastd@{{ site_code }}{{ item }} state=restarted
with_sequence: start=0 count={{ fastd_instances }}
- name: Reload systemd
command: systemctl daemon-reload

@ -11,6 +11,7 @@ interface "vpn-{{ site_code }}{{ item }}";
method "null";
method "salsa2012+umac";
method "xsalsa20-poly1305";
secure handshakes yes;

7
roles/git/tasks/main.yml Normal file
@ -0,0 +1,7 @@
---
- name: Install git
apt: name=git
- name: Install ca-certificates
apt: name=ca-certificates

@ -1,3 +0,0 @@
---
grafana_rendering: False

@ -1,38 +1,10 @@
---
- name: Retrieve Grafana Key and avoid apt_key
block:
- name: grafana |no apt key
ansible.builtin.get_url:
url: https://apt.grafana.com/gpg.key
dest: /usr/share/keyrings/grafana.key
- name: Enable grafana apt-key
apt_key: url='https://packages.grafana.com/gpg.key'
- name: Enable grafana repository
apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
- name: Install grafana
apt: name=grafana
- name: Install grafana rendering dependencies
apt:
name:
- libxdamage1
- libxext6
- libxi6
- libxtst6
- libnss3
- libnss3
- libcups2
- libxss1
- libxrandr2
- libasound2
- libatk1.0-0
- libatk-bridge2.0-0
- libpangocairo-1.0-0
- libpango-1.0-0
- libcairo2
- libatspi2.0-0
- libgtk3.0-cil
- libgdk3.0-cil
- libx11-xcb-dev
when: grafana_rendering

@ -1,23 +0,0 @@
---
- name: Import Influxdb GPG siging key with store
ansible.builtin.get_url:
url: "https://repos.influxdata.com/influxdata-archive_compat.key"
dest: /etc/apt/trusted.gpg.d/influxdb.key
checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
- name: Convert key
ansible.builtin.command:
argv:
- gpg
- --dearmor
- /etc/apt/trusted.gpg.d/influxdb.key
creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
- name: Enable InfluxDB repository
ansible.builtin.apt_repository:
repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
state: present
- name: Install influxdb
apt: name=influxdb

@ -1,9 +1,8 @@
[Unit]
Description=Network initialization
Description=ifupdown2 networking initialization
Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
DefaultDependencies=no
After=local-fs.target network-pre.target
Before=shutdown.target network.target network-online.target
Before=network.target shutdown.target network-online.target
Conflicts=shutdown.target
[Service]
@ -11,7 +10,6 @@ Type=oneshot
RemainAfterExit=yes
SyslogIdentifier=networking
TimeoutStopSec=30s
EnvironmentFile=/etc/default/networking
ExecStart=/usr/share/ifupdown2/sbin/start-networking start
ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
ExecReload=/usr/share/ifupdown2/sbin/start-networking reload
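Review bot: Judging from the hunk counts, the kept `[Unit]` section has no `After=local-fs.target network-pre.target` line, so networking.service is no longer ordered after `network-pre.target`, the hook that firewall units such as netfilter-persistent use to load rules before any interface comes up; if the gateway's iptables rules are loaded by such a unit, there can be a short window at boot where interfaces are up before the filter rules. Keep `After=local-fs.target network-pre.target` — network-pre.target is passive, so it costs nothing when no unit pulls it in. Dropping `EnvironmentFile=/etc/default/networking` in the second hunk likewise only holds if `start-networking` reads that file itself; worth confirming.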

@ -4,4 +4,4 @@
command: /sbin/ifreload -a
- name: Reload systemd
systemd: daemon_reload=yes
command: systemctl daemon-reload

@ -1,13 +1,10 @@
---
- name: Install dependencies
apt:
name:
- bridge-utils
apt: name=python-pkg-resources
# work-around to get a version new enough not to screw up forwarding setting on all interfaces
- name: Install ifupdown2
apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb
apt: name=ifupdown2 state=latest
- name: Uninstall ifupdown
apt: name=ifupdown state=absent
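Review bot: `apt: name=ifupdown2 state=latest` upgrades the package on every run, so the role is not idempotent and a routine play can swap the network tooling on a live gateway without a deliberate change; `state=present`, optionally pinned as `name=ifupdown2=<VERSION>`, keeps upgrades an explicit step. The work-around comment above explains that a recent version matters, so the pin should be the version known to fix the forwarding issue rather than whatever `latest` resolves to at run time.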

@ -14,8 +14,6 @@ iface br-{{ site_code }}
{% if global_ipv6 is defined %}
address {{ global_ipv6 }}
{% endif %}
#
post-up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
# bat-{{ site_code }}
auto bat-{{ site_code }}
@ -23,14 +21,18 @@ iface bat-{{ site_code }}
hwaddress f2:00:90:00:{{ gateway_id }}:20
mtu 1500
#
batman-hop-penalty 5
batman-ifaces dmy-{{ site_code }}
batman-ifaces-ignore-regex .*_.*
batman-routing-algo {{ batman_algo }}
#
post-up /usr/sbin/batctl meshif bat-{{ site_code }} gw server
post-up /usr/sbin/batctl meshif bat-{{ site_code }} hp 5
post-up /usr/sbin/batctl meshif bat-{{ site_code }} it 5000
post-up /usr/sbin/batctl meshif bat-{{ site_code }} mff 1
# TODO use batman-xyz instead of batctl
# see /usr/share/ifupdown2/addons/batman_adv.py
#
up /usr/sbin/batctl -m bat-{{ site_code }} gw_mode server 100000 100000
up /usr/sbin/batctl -m bat-{{ site_code }} it 5000
up /usr/sbin/batctl -m bat-{{ site_code }} multicast_mode 0
up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}
up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
# dmy-{{ site_code }}
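Review bot: `up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}` is ineffective here: batctl's `ra` selects the routing algorithm for mesh interfaces created afterwards, and by the time the `up` commands run the interface has already been created through `batman-ifaces`, so it keeps the default algorithm. The TODO two lines above already points at the ifupdown2 batman_adv addon; its `batman-routing-algo {{ batman_algo }}` attribute applies the algorithm at creation time and is the line that should replace the `ra` command. The `iface bat-{{ site_code }}` stanza this hunk sits in starts outside the hunk.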

@ -1 +0,0 @@
OK

@ -1,4 +0,0 @@
---
- name: Reload interfaces
command: /sbin/ifreload -a

@ -1,25 +0,0 @@
---
- name: Install wireguard
apt: name=wireguard-tools
- name: Create wireguard config directory
file:
path: /etc/wireguard
state: directory
mode: 0700
- name: Configure wireguard options
template: src=wg.conf.j2 dest=/etc/wireguard/wg-{{ site_code }}.conf mode=0600
notify: Reload interfaces
- name: Configure mesh interfaces
template: src=mesh_wg.conf.j2 dest=/etc/network/interfaces.d/mesh_wg.conf
notify: Reload interfaces
- name: Install wgskex
apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
- name: Install ping endpoint
copy: src=ping dest=/var/www/html/ping

@ -1,21 +0,0 @@
# {{ ansible_managed }}
# vx-{{ site_code }}
auto vx-{{ site_code }}
iface vx-{{ site_code }}
mtu 1350
vxlan-physdev wg-{{ site_code }}
pre-up ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
up ip link set vx-{{ site_code }} up
post-up batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
down ip link set vx-{{ site_code }} down
post-down ip -6 link del vx-{{ site_code }}
# wg-{{ site_code }}
auto wg-{{ site_code }}
iface wg-{{ site_code }}
address fe80::{{ gateway_id }}/128
ipv6-addrgen no
pre-up ip link add dev wg-{{ site_code }} type wireguard
pre-up wg setconf wg-{{ site_code }} /etc/wireguard/wg-{{ site_code }}.conf
post-up ip link set wg-{{ site_code }} mtu 1420

@ -1,3 +0,0 @@
[Interface]
PrivateKey = {{ mesh_wg_privkey }}
ListenPort = {{ mesh_wg_port }}

@ -1,5 +0,0 @@
---
netbox_group: netbox
netbox_user: netbox
netbox_version: 4.1.8

@ -1,13 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart netbox
service: name=netbox state=restarted
- name: Restart netbox-rq
service: name=netbox-rq state=restarted

@ -1,152 +0,0 @@
---
- name: Create group
group: name={{ netbox_group }}
- name: Create user
user: name={{ netbox_user }} home=/home/{{ netbox_user }} group={{ netbox_group }}
- name: Install dependencies
apt:
name:
- build-essential
- libffi-dev
- libpq-dev
- libssl-dev
- libxml2-dev
- libxslt1-dev
- python3-setuptools
- python3-dev
- python3-pip
- python3-venv
- zlib1g-dev
- name: Install PostgreSQL
apt:
name:
- postgresql
- python3-psycopg2
- name: Configure PostgreSQL user
postgresql_user:
name: "{{ netbox_dbuser }}"
password: "{{ netbox_dbpass }}"
become: true
become_user: postgres
- name: Configure PostgreSQL database
postgresql_db:
name: "{{ netbox_dbname }}"
owner: "{{ netbox_dbuser }}"
become: true
become_user: postgres
- name: Install redis
apt: name=redis-server
- name: Unpack netbox
unarchive:
src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
dest: /opt
remote_src: yes
creates: "/opt/netbox-{{ netbox_version }}"
register: netbox_unarchive
- name: Configure netbox
template:
src: configuration.py.j2
dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
notify: Restart netbox
- name: Configure gunicorn
template:
src: gunicorn.py.j2
dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
- name: Netbox file permissions
file:
path: "/opt/netbox-{{ netbox_version }}"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
recurse: yes
- name: Fix psycopg variant
lineinfile:
path: "/opt/netbox-{{ netbox_version }}/requirements.txt"
regexp: '^psycopg\[.*,pool\]==(.*)$'
line: 'psycopg[binary,pool]==\1'
backrefs: yes
register: netbox_psycopg_fix
- name: Run upgrade script
command:
cmd: ./upgrade.sh
chdir: "/opt/netbox-{{ netbox_version }}"
become: true
become_user: "{{ netbox_user }}"
when: netbox_unarchive.changed or netbox_psycopg_fix.changed
# TODO - still manual work
# * Create a super user
# * Migrate media files
- name: Install netbox housekeeping cronjob
template:
src: netbox-housekeeping.sh.j2
dest: /etc/cron.daily/netbox-housekeeping.sh
mode: 0755
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
-days 730 -subj "/CN={{ netbox_domain }}"
creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ netbox_domain }}"
when: "'kitchen' in group_names"
- name: Configure certificate manager for netbox
template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template:
src: vhost.j2
dest: /etc/nginx/sites-available/netbox
owner: root
mode: "0644"
notify: Restart nginx
- name: Enable vhost
file:
src: /etc/nginx/sites-available/netbox
dest: /etc/nginx/sites-enabled/netbox
state: link
notify: Restart nginx
- name: Install systemd units
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
with_items:
- netbox
- netbox-rq
notify:
- Reload systemd
- Restart netbox
- Restart netbox-rq
- name: Enable services
service: name={{ item }} state=started enabled=yes
with_items:
- netbox
- netbox-rq


@ -1,15 +0,0 @@
---
{{ netbox_domain }}:
- path: /etc/nginx/ssl/{{ netbox_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ netbox_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'


@ -1,212 +0,0 @@
#########################
# #
# Required settings #
# #
#########################
# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
#
# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
ALLOWED_HOSTS = ['{{ netbox_domain }}']
# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
# https://docs.djangoproject.com/en/stable/ref/settings/#databases
DATABASE = {
'NAME': '{{ netbox_dbname }}', # Database name
'USER': '{{ netbox_dbuser }}', # PostgreSQL username
'PASSWORD': '{{ netbox_dbpass }}', # PostgreSQL password
'HOST': 'localhost', # Database server
'PORT': '', # Database port (leave blank for default)
'CONN_MAX_AGE': 300, # Max database connection age
}
# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
# to use two separate database IDs.
REDIS = {
'tasks': {
'HOST': 'localhost',
'PORT': 6379,
# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 0,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
},
'caching': {
'HOST': 'localhost',
'PORT': 6379,
# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 1,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
}
}
# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
# symbols. NetBox will not run without this defined. For more information, see
# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
SECRET_KEY = '{{ netbox_secret }}'
#########################
# #
# Optional settings #
# #
#########################
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
# application errors (assuming correct email settings are provided).
ADMINS = [
# ('John Doe', 'jdoe@example.com'),
]
# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
# BASE_PATH = 'netbox/'
BASE_PATH = ''
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
CORS_ORIGIN_ALLOW_ALL = False
CORS_ORIGIN_WHITELIST = [
# 'https://hostname.example.com',
]
CORS_ORIGIN_REGEX_WHITELIST = [
# r'^(https?://)?(\w+\.)?example\.com$',
]
# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
# on a production system.
DEBUG = False
# Email settings
EMAIL = {
'SERVER': 'localhost',
'PORT': 25,
'USERNAME': '',
'PASSWORD': '',
'USE_SSL': False,
'USE_TLS': False,
'TIMEOUT': 10, # seconds
'FROM_EMAIL': '',
}
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
EXEMPT_VIEW_PERMISSIONS = [
# 'dcim.site',
# 'dcim.region',
# 'ipam.prefix',
]
# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
# HTTP_PROXIES = {
# 'http': 'http://10.10.1.10:3128',
# 'https': 'http://10.10.1.10:1080',
# }
# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
# NetBox from an internal IP.
INTERNAL_IPS = ('127.0.0.1', '::1')
# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
# https://docs.djangoproject.com/en/stable/topics/logging/
LOGGING = {}
# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
# authenticated to NetBox indefinitely.
LOGIN_PERSISTENCE = False
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
# are permitted to access most data in NetBox but not make any changes.
LOGIN_REQUIRED = True
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
# re-authenticate. (Default: 1209600 [14 days])
LOGIN_TIMEOUT = None
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
# the default value of this setting is derived from the installed location.
# MEDIA_ROOT = '/opt/netbox/netbox/media'
# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
# STORAGE_CONFIG = {
# 'AWS_ACCESS_KEY_ID': 'Key ID',
# 'AWS_SECRET_ACCESS_KEY': 'Secret',
# 'AWS_STORAGE_BUCKET_NAME': 'netbox',
# 'AWS_S3_REGION_NAME': 'eu-west-1',
# }
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
METRICS_ENABLED = False
# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = []
# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
# PLUGINS_CONFIG = {
# 'my_plugin': {
# 'foo': 'bar',
# 'buzz': 'bazz'
# }
# }
# Remote authentication support
REMOTE_AUTH_ENABLED = False
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
# version check or use the URL below to check for release in the official NetBox repository.
RELEASE_CHECK_URL = None
# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
# this setting is derived from the installed location.
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
# Maximum execution time for background tasks, in seconds.
RQ_DEFAULT_TIMEOUT = 300
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
# this setting is derived from the installed location.
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
# The name to use for the session cookie.
SESSION_COOKIE_NAME = 'sessionid'
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
SESSION_FILE_PATH = None
# Time zone (default: UTC)
TIME_ZONE = 'Europe/Berlin'
# Date/time formatting. See the following link for supported formats:
# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
DATE_FORMAT = 'N j, Y'
SHORT_DATE_FORMAT = 'Y-m-d'
TIME_FORMAT = 'g:i a'
SHORT_TIME_FORMAT = 'H:i:s'
DATETIME_FORMAT = 'N j, Y g:i a'
SHORT_DATETIME_FORMAT = 'Y-m-d H:i'


@ -1,16 +0,0 @@
# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
bind = '127.0.0.1:8001'
# Number of gunicorn workers to spawn. This should typically be 2n+1, where
# n is the number of CPU cores present.
workers = 5
# Number of threads per worker process
threads = 3
# Timeout (in seconds) for a request to complete
timeout = 120
# The maximum number of requests a worker can handle before being respawned
max_requests = 5000
max_requests_jitter = 500


@ -1,9 +0,0 @@
#!/bin/sh
# This shell script invokes NetBox's housekeeping management command, which
# intended to be run nightly. This script can be copied into your system's
# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
# within the cron configuration file.
#
# If NetBox has been installed into a nonstandard location, update the paths
# below.
/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping


@ -1,21 +0,0 @@
[Unit]
Description=NetBox Request Queue Worker
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -1,22 +0,0 @@
[Unit]
Description=NetBox WSGI Service
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
PIDFile=/var/tmp/netbox.pid
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -1,38 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ netbox_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ netbox_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ netbox_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ netbox_domain }}.crt;
location /static/ {
alias /opt/netbox-{{ netbox_version }}/netbox/static/;
}
location / {
client_max_body_size 32M;
proxy_pass http://localhost:8001;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
}


@ -1,3 +0,0 @@
---
nginx_anonymize: False


@ -47,32 +47,7 @@ http {
# Logging Settings
##
{% if nginx_anonymize %}
map $remote_addr $ip_anonym1 {
default 0.0.0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
"~(?P<ip>[^:]+:[^:]+):" $ip;
}
map $remote_addr $ip_anonym2 {
default .0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
"~(?P<ip>[^:]+:[^:]+):" ::;
}
map $ip_anonym1$ip_anonym2 $ip_anonymized {
default 0.0.0.0;
"~(?P<ip>.*)" $ip;
}
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log anonymized;
{% else %}
access_log /var/log/nginx/access.log;
{% endif %}
error_log /var/log/nginx/error.log;
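Review bot: The surviving `access_log /var/log/nginx/access.log;` line records full client addresses in nginx's default format, and with the anonymizing `log_format` gone there is no per-host switch left around it. If logging full addresses is intended, a short logrotate retention bounds what accumulates on the gateways; if not, a `log_format` that masks the host part of the address, or a per-host variable guarding this line, keeps the choice explicit in the template rather than implicit. The enclosing `http {}` block starts outside the hunk.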
##


@ -8,13 +8,7 @@
when: nginx_ssl
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
-out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
when: nginx_ssl
notify: Restart nginx
@ -30,7 +24,7 @@
- /etc/nginx/dhparam.pem
- name: Configure nginx
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
notify: Restart nginx
- name: Configure default vhost
@ -41,7 +35,7 @@
- name: Ensure network and dns are available before nginx
lineinfile:
dest: /lib/systemd/system/nginx.service
line: "After=network-online.target remote-fs.target nss-lookup.target"
line: "After=network-online.target nss-lookup.target"
regexp: "^After="
- name: Start nginx
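Review bot: The self-signed key produced by the one-line `command: openssl req ... creates=...` task is written with whatever mode openssl and the process umask yield, and no task in this hunk restricts it afterwards, so `/etc/nginx/ssl/{{ ansible_fqdn }}.key` may be readable beyond root until something else fixes it; a follow-up `file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key owner=root mode=0600` pins it explicitly. Folding `creates=` into the free-form command string also depends on Ansible's key=value splitting of a line that contains a quoted `-subj` argument, which is the fragile form ansible-lint warns about; the structured `cmd:` plus `creates:` layout avoids that. The task list continues outside the hunk.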


@ -1,4 +1,4 @@
---
node_exporter_version: 1.2.0
node_exporter_version: 1.0.1
node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz


@ -1 +1 @@
OPTIONS="--web.config=/etc/node_exporter/web-config.yml"
OPTIONS=""
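Review bot: With `OPTIONS=""` node_exporter starts without a web config, so its metrics endpoint is served over plain HTTP with no authentication, and the node_exporter tasks hunk further down (`@ -9,27 +9,6 @@`) likewise ends up with no task that limits who can reach the port. Unless a host firewall already restricts port 9100 to the Prometheus server, binding to a non-public address with `--web.listen-address` or filtering the port is worth adding, since node metrics disclose kernel, filesystem and interface details to anyone who can connect. The scrape targets in group_vars reference these hosts on :9100, so the Prometheus side would need to match whatever is chosen.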


@ -1,7 +1,7 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
command: systemctl daemon-reload
- name: Restart node_exporter
service: name=node_exporter state=restarted
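Review bot: Reading the changed pair as old-then-new, the `Reload systemd` handler now runs `command: systemctl daemon-reload`, which always reports changed and is what ansible-lint's command-instead-of-module rule flags; `systemd: daemon_reload=yes` does the same through the module and is the form used by the rest of the repository's handlers. The prometheus handler hunk at the end of the page makes the same swap and would get the same fix.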


@ -9,27 +9,6 @@
- name: Configure node_exporter
copy: src=node_exporter dest=/etc/default/node_exporter
- name: Create configuration directory
file: path=/etc/node_exporter state=directory
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/node_exporter/{{ ansible_fqdn }}.key
-out /etc/node_exporter/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/node_exporter/{{ ansible_fqdn }}.crt
notify: Restart node_exporter
- name: Ensure correct certificate permissions
file: path=/etc/node_exporter/{{ ansible_fqdn }}.key owner=node_exporter mode=0400
notify: Restart node_exporter
- name: Configure node_exporter TLS
template: src=web-config.yml.j2 dest=/etc/node_exporter/web-config.yml
notify: Restart node_exporter
- name: Install systemd unit
template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
notify:


@ -1,6 +0,0 @@
tls_server_config:
cert_file: /etc/node_exporter/{{ ansible_fqdn }}.crt
key_file: /etc/node_exporter/{{ ansible_fqdn }}.key
basic_auth_users:
prometheus: {{ prometheus_node_pass | password_hash('bcrypt', 'supersecret1salt1value') }}


@ -0,0 +1,7 @@
---
- name: Restart ntp
service: name=ntp state=restarted
- name: Restart ntpd
service: name=ntpd state=restarted
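Review bot: `Restart ntpd` is not notified by the ntp tasks hunk that follows (it only uses `Restart ntp`), and Debian's ntp package ships the unit as `ntp`, so from what is visible the second handler is dead; either drop it or add a comment such as `# for platforms whose unit is named ntpd` so the next reader knows why both exist.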

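--- /dev/null
+++ b/roles/ntp/tasks/main.yml
+---
+- name: Install ntp
+  apt: name=ntp
+- name: Configure ntp
+  template: src=ntp.conf.j2 dest=/etc/ntp.conf
+  notify: Restart ntp
+- name: Start the ntp service
+  service: name=ntp state=started enabled=yes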


@ -0,0 +1,17 @@
# {{ ansible_managed }}
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
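Review bot: The `restrict default kod nomodify notrap nopeer noquery` line also governs the hosts rendered from `ntp_peers`; symmetric peering only works if each listed peer configures this host in turn, because a host running this same template that does not list the other side rejects its symmetric-active packets under `nopeer`, and the peering becomes silently one-sided. Emitting `restrict {{ peer }} nomodify notrap` inside the `ntp_peers` loop makes the intended trust explicit. The template also has no `driftfile` directive, so the frequency estimate is not persisted across restarts; `driftfile /var/lib/ntp/ntp.drift` is the Debian default path.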


@ -1,7 +1,7 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
command: systemctl daemon-reload
- name: Restart prometheus
service: name=prometheus state=restarted
