97 changed files with 2672 additions and 3845 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -39,24 +39,24 @@ gre_matrix:
 - { id: 26, a: gw21, b: gw31 }
 # - { id: 33, a: gw22, b: gw31 }
-netbox_domain: netbox.regensburg.freifunk.net
+netbox_domain: netbox.ffrgb
 netbox_dbname: netbox
 netbox_dbuser: netbox
 netbox_dbpass: "{{ vault_netbox_dbpass }}"
 netbox_secret: "{{ vault_netbox_secret }}"
 node_targets:
 - ns1.regensburg.freifunk.net:9100
 - stats.regensburg.freifunk.net:9100
 - tiles.regensburg.freifunk.net:9100
 - gw11.regensburg.freifunk.net:9100
 - gw21.regensburg.freifunk.net:9100
 - gw31.regensburg.freifunk.net:9100
- web.regensburg.freifunk.net:9100
+- ns1.regensburg.freifunk.net:9100
 - resolver.regensburg.freifunk.net:9100
- netbox.regensburg.freifunk.net:9100
+- stats.regensburg.freifunk.net:9100
 - web.regensburg.freifunk.net:9100
 - unms.ffrgb:9100
 - unifi.ffrgb:9100
 - tiles.ffrgb:9100
 - netbox.ffrgb:9100
 ntp_servers:
 - 0.de.pool.ntp.org
@ -75,17 +75,19 @@ pve_targets:
 - pve01.ffrgb
 - pve02.ffrgb
-searxng_domain: sx.regensburg.freifunk.net
+telegraf_influxdb_url: stats.regensburg.freifunk.net:8086
-searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net
+telegraf_influxdb_database: wgstats
 telegraf_influxdb_username: admin
 telegraf_influxdb_password: "{{ vault_yanic_influx_pw }}"
 telegraf_plugins_base:
  - name: wireguard
    options:
      devices:
        - "wg-{{ site_code }}"
 site: ffrgb
 site_domain: regensburg.freifunk.net
 speedtest_domain: speed.regensburg.freifunk.net
 speedtest_domains: speed.ffrgb.net speed.regensburg.freifunk.net
 speedtest_secret: "{{ vault_speedtest_secret }}"
 tileserver_domain: tiles.regensburg.freifunk.net
 web_services:
- { id: uisp, domain: uisp.regensburg.freifunk.net, domains: uisp.ffrgb.net uisp.regensburg.freifunk.net }
+- { id: tiles, domain: tiles.regensburg.freifunk.net }
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,137 +1,151 @@
 $ANSIBLE_VAULT;1.1;AES256
-31633832313136353531623833383865383736333164376632363635333439613763643062663632
+36396532616163303161303134326565316637343336613531663031376439303930306532373063
-3736376165623664376436643138653435393239636333370a643363343061303436613238373237
+3765313339353437393633373035663661623461343132380a373536646632346364663662626665
-36653730376133363061333536626436363366393335303932663736316631633630323634353531
+37373532633937623030393735383164376233383838613635353565333763626430616630636536
-3734353134396561660a616339303762313430616234383138326438383432646564356662393536
+6635373636383462610a326662393234333166373834323834353537363239616639343531616339
-61376161343965656365646238393261356133326131613730343234336139366461333032396531
+63383939313735653364383137346166306639633637636137353832666333633963633363663265
-38653031363934623231336661363233393562383434323633353139336530383432383736353937
+39356136613639643135633534636264393838376431336462363030363463643232663534313261
-65633935373261653134653839353233643439616266613531373938393231643736333436353234
+64373861313135623264316135646234376230653863633863366538353736653964363137303533
-65646665626531323566326561353333666535666430613961666232646632303662343832643661
+63623730396338643738313432343962666461653136333361383033623161376662346165626338
-35373166323439623137383164663838393766326237336234326635383930323365326431343338
+33356162376536303363343363343830383365323737636334323632306261336538356639306632
-61343434363961633532656466653732626135306334303634383235643531396535326536636264
+39333166353830386537383033396465343461396330386238653961386237336234376533633931
-37343930623235363632623963346637363964666664636266373137363037383036633233643130
+64653331326263343063306230653265643731323732353437643161383238376664636562383561
-30323036653637656131623332613463303937323133653064623333396534336661306432323536
+31376561373130636561366333306139636533363933313566363537363238343462323539313439
-38373534303235323230306139663736663430633463663166393033613435616662336335643137
+30393035643138666435393237383039623735353963353039323966666130393638306565333631
-32366439333661313930636234346265306233393966623832613834623263356337356162396335
+64653432623664346637656134643963323233376535333731653466633064306365306164643337
-34353362613163323936613930666339303839393431303461363565623561363034306538396237
+61306661356531623737386439373465636339643435343838393863333034383437343832383134
-38326263303033376435623037653365636362653831623066653263623236613566623962313266
+64666332613865306438643830376665623435376632373362356363343339363533303433313939
-34336233343530366236313131323962666163383035633361333637343732356338626265613338
+33623636616334646536663333383031396666376562366335656666363233636265643435383334
-36643663336161663636343864623864323735613838373562376431643338346662393731373833
+39656432383035323334373639326535306237643336663232633566663837663466383331336261
-38313839393433626630363635323232373534303437656561316231653536306264386331333666
+32383238353137333731386331623264633338373964653261643865353162623232393930333432
-36323330626164363730643337623262303335333438303432373465343235303836366362383336
+38323065343865643135653535623934613634636465333865353465326139613130376134396132
-39666631363362383338616536666432373738336131653765353635373365623030393365636630
+62366539396432633935663930663063363536393331393666616438396231643938306139313033
-38303033306664356162316262346434343239646230663062643566336132613535393835366236
+31623237646135633237343566646436363864303334373861306430626131366430666634303862
-66306435653364323335623665316264646631383066373837653536316135316130393766356162
+34663163373263366561306336336535656465326633613535343665343361373936346431363538
-33326431643162383539323161626163316532373831386334643761636630616162666236613766
+34303565336132646461656135623463373832396533316132313139303133303565616434663138
-38633738333331616336363736396635306630363561613966656538633432363661313432373731
+62663561663530363834623130313464623465653139343033313132366665636535666639323162
-39303764303362336536396130613637653530376437333336613465643539396330623261356534
+62316666643532353166373430633832643434356664346337633738623739353835313539666130
-64633761643065313038656261326638343032353832376262653135663162353434323936353862
+66633931306330363532363630626162353066316565643235636162393532393234646230363131
-31663738353965303963353962626534303333303037336431373631396635363938326133336330
+37666166393666313661663863643866656236313935356131313230313861636631643034643662
-63353333616664663934636433653434626162323064653430666565613061623239613561643838
+64393866633064383164643365363038626536663831393432363661383736306663356563313734
-66356662303137383639336432633432636235306165306339623632316134306431376163616465
+63363363363531623634363835363364303137646335373662313764323263306539386435663631
-32636132656232303162333238393837383731633931363865356634643736326139313638333230
+39396234623064636531653063326562383235333865393935376265393932633763613838343733
-39316662306432333333333266333234646539646532316536383932666435366136346138626136
+34353663313462313437316534663239353535313434646431663862393561613264626634643864
-64373362366239633964616638363666656564323436636432663937666565653436613465366461
+31633734633963346634376165343435666538313932343230343237363839323764633835623337
-65376562303639363332636532386535386365656636346365333330386132383637636239653730
+62653466376265343639343064366461653964303337363561306138363534613036376338373266
-63333361303037393936653064336439653932373739336564333132303639343835376633666631
+65376432396234383661653330613465623735373834393836646439616634613865323236666264
-66613138343730636563626131623437343232303964626562633332303761626331383662373531
+31336363373063346231376164663930336539633363306633393938643234373065343164613738
-39663463656361303236666661356564373432333062303363313532333938633337363536343930
+30343831383432343931336633633830653736303061383634666337613930396262393334663561
-37376464393438613564653465353037313536626466643131336133336161316437316433663032
+38343232613361333564653362306139346130643530373938366332396535636630353536646336
-62633465613634373238383937643037346336336135353230386538353933616436646534366435
+37623962353933326561346636303338333934356230356363303938613566343365626431633134
-31323363666266373662626362663164653863326239303462363739383730643962333230343733
+35636432396166653835643234396662663463313063636564663835326366613739313531356431
-37393831383666393064626437323861353739363762346330666436356466316464393838366133
+36353664316461396366356233623236373230616534393136626231376436343538326163623764
-34653131653838643063396633346132336439393132353661373063623865643465306238326538
+66306264643562316563323062323637383131363062373362613061363736353430363137623161
-63313366386263623333636636376637383536353663643266653431626365666139393764663633
+32356630363866383064626538313739663335633235646435663134396537316165383334333464
-62366234376231393261646366383733633565303433353631343239313362646161663433653632
+33626430303630663565396665383265313663643264616566646639376134646233336332373264
-61303231616366386435666232353531306331613638633531613364663130643433336232633164
+33613462663539666432646666303533343837636438373261303232663864626566373732316339
-64373131303135316135376339353366313635653466663765323931616232333539333639623033
+64646564633930653437646137656466343135326562626531353265666134656665396163636534
-39626233316430303062336234623966376564386365613265363866666636626435306664336636
+33343135393237363234336363656263666530396635386132663530386631363066663234363265
-39346139316331306333666332393631306433623365303064383831643864336634303737633434
+66343264343837396165626138373835656237626236626130316134303131353539313732666463
-39303364633530343531373964353335333832636433313865303765393665633838316531343035
+30373661666232646438393662653535373433353762376264666536306130613531616462313830
-34666237353834613337353063666333353764666431376235393534613534363163333732373061
+35626461633538343261623636373236333336636436343438626338316236373039303737386438
-36663537363938373235326537326139366562656264393930653630383332383466333435386233
+39316433353739633264336535653561383039313734646139393961653537313562633266363338
-32613737303431333537326264343065306361653562633064393762643161313666663262313236
+38336236363166393964336461323430393639393866653337366564636538396338656339626136
-65386430306432653563623666646439376163383433653561333461383933383835373563396137
+35396566616634656137653438306136663831326166663338323531336364646332646162323430
-62383861393963313534616437663465333834663235356439363735633133623365383839613037
+38383234653565623062636135333136613039663362623230366364343635356234386631373664
-34303465363033313739373631363261313130616663336662346132653239313562386664353432
+33373965393033336235356266336331306366613065396139316363316133616265646232623762
-64373961663563393362303166633630343665663437373562613461343266646332313963653965
+32346331616236663231326631366364393735303163626335643730656233353236636633303939
-39363632313864343437333038623364323161376237386333616636303364373964343464643330
+63383965353137363062313265623733313338613966643563363466396333356262643065363666
-31613431313562353862306236623233636264653635643264333364336533623036356530343465
+66346333366566376336366662363632623536356564313334343135633136663632656262323334
-33366131333365393333373062623666663065316666363736633562363934336534313464353239
+64336135373163383339336664346632646535386536386361386336363138373130316438663062
-30666365303330363962653731626266376433666135333435313236386163653336386134633630
+37353231663130303838333932323532653365323238333737643866356163383032393934346530
-65336335346539666431643036636663643936326635636438636438646230353962646335396461
+33636565326138613963396432323838663037366463343633613730613339343266373233393063
-64623238343632346265376537323462316162633437633463656235626366666235653231303736
+38656264613530373262333937313037373431326665356339313638323334346464623936643035
-34316166363139336536396631663435386434396336346331663333353338353466346433393062
+33616630336464396531396365366462333265313239323966633563656332373164623536303963
-31343662316464356663356539303934633336613335373732353165366266303837303364616537
+31633437343130613039303131363264623232633232656332653138333161666233376233316639
-31356135313732633232343362663932656363633162623539323938643239383333306638346236
+33386636336263333463636438383231666466373934323235326366356263633563393664383939
-36666564323336346234313239656463626138313364656637353434303266613232353334666539
+35326562656166616264313937636432643265636565623335326237333432343238383536303735
-34666437356531393933656338373834303130663132303433376338643833643236333639663530
+38643333383834343633366366373639323738613433326665633362316563306161386230653363
-32653536643035303536353431623463353762393539363634636566396134353362633038333831
+33386463323765663838326331666433313563343266623063363962373961333064343964393439
-33633632666331666665373664633138323536633264653339663463326236343862656563323835
+38633036376138383936663031343835353865333635653861653131383535343939356631656532
-66633038346237356638646133626239336233633261626464626238636363666431646661366337
+62656464623263626464613365386234353632303734643631633435626133383538376136643335
-32396137303664363734666238346636653531666461306335343636303861653533356266643833
+31333430643839666238373561643966633334653361373336306266383631663537303265316564
-39633939666534663033336462336633636264336133633630366166356163306539613830636432
+37633633363933353931653830306663393766303363333535313737346239613366326536653530
-66326661646430366332363530333338373136656234613030616338383531313138666435313562
+34643166663333663066373735376266306635306132383134653161646337333161356234366533
-33346262353934636564613730396536333731653036303333343039393534643837663234346234
+34323461653763386636653665353362323565396535326366663639313437616663376332616630
-30303032623565316234343834303061303333346539636138343334663131646463363863663062
+33323531623935383639623635323662636239386631623361613066616134396565306565393161
-31343432383238623733346563323533636466346538616334646338366465356165613434623730
+62313235316264663261306461623032373938336661653534383835303638333831613232316564
-37323930623539353764643939643963353238646230396337633362363664613431303032656639
+65333135383761373937626534663633633936396532313263396338393462623830396538313464
-38613961633439613837636531653163383633373263343235303766613736616636613066316463
+61333966373930626135663839633766383332656564366639386130323061363137333065653433
-63346337383864363562373562643636343764626433383634643064313831373833356132393737
+36313434326234386466643730663939376461633334646133363763303561373862633565663634
-39356534623536373066663933356535356532636332343661333166663433666433363661343861
+65646237346636636230313136633136623236646239323937373163616230636264326534373263
-63393734656534363761313862613364616161303735323563656265323362313061343332346238
+36333035643663626239306363636635336237373761333239363937633932363936663832396438
-35353534663137653466396432353437333739363631373332316165663964653335363034636131
+34346662633265326365383866383864356563393431363137333564326466613832666663633539
-33363933333764306265306161336165306234616161313466393233363431363061633730653437
+33666638393337336633613032623739633836663831353762653437323733336230396333643733
-65313636366162303763663530386239343833626139643439306161623066313638323361353831
+65663462346166653534323533376431356535316238363639613636383663306635343836376365
-63323531353939356337613865663737373661343362353362326637666666383535633030626163
+64363765393863363038363739353239633934343138636564343562316131313933616363356237
-36386464326134333965623262356532353161316533626331623266623630383331313037376365
+66306230613863633038313161613861653138656433623031313534666139393535383163366339
-37353164306433633563386436653235616661366639343035306533643732326232366537633635
+36393138323838656139653163393965356131633961623930623637663839383564633534336565
-33306338386561353564643537353736663434663931343263333764633961666464373461346335
+30643334353537306637636263633331306162316565633630303636323833636234336264316361
-65323462313761653361343236326632393835613538616436666534363366626637376262326462
+36613833653565613562363763336633323236393836653466356638646166333661653431376463
-32366530383439646137383737303634613136396135633136316233326230323466383932616630
+32363638616433643264323938616262383663653334323931346639633836333462333663376364
-66316561333961346130306531623936376636646330373237623034633135303630353566333037
+32663838663534626565376661656663643162626137363431363461313864623732613764333664
-34656233316663656661623731633034643332336631356436653134366162396336643331623135
+39626232333534326364613838376434666635313731646533363635386230333036336533633034
-65646466633236393036383639623066663963653431343836626664383431363663653535383565
+31323132343230646631626131663436356263626563323934643765666462343234653038383564
-64333432343561623633316232623864386161376163333238623066636533353330336566313835
+64393739663035636266663539326661303262383966323634333234363233656465396665613636
-66653265346331393238343862353162383234303334626261643065656637386434636564663665
+38623063336337383931343931333565623261313638613235633230623638623863616238316662
-63616339663261616534376661393837343335373638366264323732353032363731376332653936
+33376135646535656434323732656362343834663530316437333630373230303136303137306637
-64393262346230636366336133616366646533373530356235316561643232333664343462386539
+31343266386535346362383032376635386132636138333765616361653463316239303536316262
-38396665626131646234613466396334346431316638333436633637353836313933656134383031
+35623062316533656661356462643864383536303835346235353339663238386532343064636233
-38633838323163383536323735626132323565643136663030643436303363333264373061663430
+66363566623663353265616434336163396336336263613030623134653361363732323738313363
-65613836313531636264633333346331343038373466653231613830383435386364636237303965
+61343232656233363433626334306433626566616537376537663930613738386663393035373533
-65663635633732663636333764623133373864356363313535333136613039313035663633386338
+64656639326165666138343361613637653166316330393665643533333466613861653232333138
-61343930323665616464643235396232393134373537616635663231343763346434626665393966
+66316464336465653062376261643238323761383161623933353433613266646537623639396666
-31613835666563333261373533316364346538393438636636633862353431333030623933663130
+32343735323833383365313539333138656230306134343631666232653965663264656635343061
-31626337303733373034666562363064373936656435636637356365386363346664306134376339
+38353162383364323538366666666365316432393939333663366664356364633939653837346431
-37383335646339636265656134383432396438383732303066396636373834373037663062336335
+35383063393664656539393763313735663638343863616431306566356332343935653631646536
-61346438636134333763346265653766396165626365633237373466346438363330633562353731
+66643130613266636331663762303962643434653532336531396165303638303831393561376633
-61313630373137303131326134613264356462333363643463643861666239623937636535336536
+36613537333163633837666530356163343733313631633962326365363063663261333061376135
-30313234623936316439643164316139386366336630616266653338383337653561656337343837
+39363532366638343430643664663863653666663064386562616434313831633032316238393963
-66613234363738306235316632316666376231306561653865353636373835646263393932316134
+38346564306438653865663937633037373961636630653530643936326333316433636334333935
-30313433613664306533386133376232323737633934396135626532323830346336353631383539
+65326434316435313364666364613138306630356234393839313031373536336539623132653634
-38666264343962646237313332396535643863393535303437346262613861646663303037333736
+30336332323932323863353139303835643865313466356637303032393437636531313330666536
-63326534313964613663376635306162653639623735633139326161323232653462343063383036
+34333565376635633863303066376330313362303836366666313530336430343939313466633135
-39616233613664626161663131383366663435626432626663623638646163666535316461383531
+32373238363031396665656536646236393133376435633638303238636663313738353532393236
-39663130646564373563323965386331353036366230343635363266323864623633663333656561
+38633831633039616430343932343066303837303161653166623761343033386437303231393931
-33353131623065623839396634653735396262656261323963363261643761373137616232666665
+65353334666164343337363035616162383635623838343662323430326639633834366666393663
-39643835383034383439393638363438633931323437613365643935383766333535643537633633
+31356138366666333563653738653032646633316537326333306133333435623132306236373963
-63633133303166326432613932396331356263626166343436386463376537656231656438313563
+37326435373064386131383938353465373239323434366339343364646565393131643335366530
-30653664383935383161303865363338393933363334653631616432643037626433356561636634
+35346465616330346232656239643165663438386339663136336362356437653334326335666564
-34316436383462386331393231633161383362666532363561326631613137656464306262313034
+38326436623239393833393838656335336565666536386164356535633363363836323966343663
-35636334623861323836326265396664373461313034343231316261616330313938333263666665
+66323563616564623165373730353238353063393362653964316338333932636333353064333761
-39616163346632623764666337313561626233636363343036363331663932616530346230653663
+61626432383233323630626465393461393130363232383565646631343464363138323763656637
-62373661306566373638383962356563323430613262326534663663383162396263306335613462
+35653964386434653335666335373932646133653966626430656636626461646263383464643666
-39326162663161663264626437353064306238646664376666336534326263313061393133373636
+61396265333465343039653333646661383165356335633532623165323364363630386335373935
-33346161376136636536393264363332633561373037326566313137366265383635376366343036
+34363739636432366565366265373038643633613739363266653531623032333030303437346665
-30613763633264303536396535303236353138393032336461666131356464343930656665326535
+63333666623536353238616636633065393562623566376461336262363665323866376666303930
-64393130376166383538353866323265303562326239626233636237626664346631646264386439
+66393533353766373732326231373732663766393034326538643063393037316239653838333738
-65383730333534656361366438316536613138303334343665396438336164663064373838323534
+35636539393966343866613932663230663638653862643934616539393436383639356339633133
-64626631363131663462303131333735633337653335623939383264363163633765326438313965
+32643836356136353436623738613133353631313936643165376265373638343838396665356166
-32623662383464316133623538616139623433336435316166346336663761343536393662393733
+39303661646265653436396131613536386236613938323739363863633766303365636466376637
-35333938383137383863653966363837366639303634616239643235653932643132323033373238
+38353837633239643166383931323961383362343831633835643930613465346335656566326434
-38323734353563383133333538316236393162636237313061363663303764343533626466373137
+63303565366161373062343162616536653165373537363331353639303230663265643335356330
-32656561383633633166386437653361313363666334636639353833323461663030313736613831
+30333263623431666135393931626431626362366562626431623434613633643062373961663361
-30613832306137323637653330306637323530613935333263373338346430393265333839636566
+65343135353536643863316161326635333038643634396230353465646238356234653034323638
-39336662326637363038653734323230626234346433313830656264633732666430663265383031
+39353365306230313031336337313637336233623865666439653861643637663732386461333432
-65313864386637303563636239646633393335616231613531633762326430633231343264363236
+61333831306539303439373634376566363861393830333665366238666364653637343364313865
-32346662623562356432
+30643564363739346566636565636363386533663434653761386565316266333436623031333134
 33616464323165393331326665633235326231623365373236303335353837663739373165346139
 65633066343530303335336362343838356565343638313133646339353235633661636361303934
 65636332383130333036316138393235353363623061613130383431323735626136636334343439
 39363764386639626432366534363839613366336139363439343066333933366537373333336465
 32363334326463323261303562633034383233653438643764633231373761326334336561623832
 37663763343933386165313665646234626263616136343366663834323739343934343833616336
 38616636396438386539303637646134393865363235616465613665616439653730613039306265
 36366433356362363537653838626133656430333132666635306137663134333139323565363531
 33656433393031386537353766366638393433363031616632323962353933666232653563313830
 38656565376630396235656533313731656666363762386339613534613236656533366161653866
 61633965366135376264316264393964343035306330623739643338306362633838373434306335
 34313636373930623663666362633736653363353461616639323261646235653266383837393036
 34626466623666643465326465343833336338343964666537623431313639656136373339643834
 6531336131373761336363393133626166376263663037666231
--- a/host_vars/gw11.regensburg.freifunk.net
+++ b/host_vars/gw11.regensburg.freifunk.net
@ -18,7 +18,3 @@ fastd_port: 10010
 gateway_id: 11
 site_code: ffrgb_cty
 nat_pool: 194.156.22.12-194.156.22.13
 ntp_server: true
--- a/host_vars/gw12.regensburg.freifunk.net
+++ b/host_vars/gw12.regensburg.freifunk.net
@ -18,5 +18,3 @@ fastd_port: 10010
 gateway_id: 12
 site_code: ffrgb_cty
 ntp_server: true
--- a/host_vars/gw21.regensburg.freifunk.net
+++ b/host_vars/gw21.regensburg.freifunk.net
@ -8,17 +8,13 @@ nextnode4: 10.90.64.1
 nextnode6: fdef:f20f:1337:cafe::1
 mtu: 1312
 fastd_port: 10020
 vx_wg_vni: 11781694
 mesh_wg_port: 20020
 mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
 fastd_port: 10020
 gateway_id: 21
 site_code: ffrgb_uml
 nat_pool: 194.156.22.22-194.156.22.23
 ntp_server: true
--- a/host_vars/gw22.regensburg.freifunk.net
+++ b/host_vars/gw22.regensburg.freifunk.net
@ -18,5 +18,3 @@ mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
 gateway_id: 22
 site_code: ffrgb_uml
 ntp_server: true
--- a/host_vars/gw31.regensburg.freifunk.net
+++ b/host_vars/gw31.regensburg.freifunk.net
@ -20,5 +20,3 @@ gateway_id: 31
 site_code: ffrgb_tst
 nat_pool: 194.156.22.32-194.156.22.33
 ntp_server: true
--- a/host_vars/resolver.regensburg.freifunk.net
+++ b/host_vars/resolver.regensburg.freifunk.net
@ -1,3 +0,0 @@
 ---
 acertmgr_mode: standalone
--- a/5
+++ b/5
@ -2,12 +2,11 @@
 gw11.regensburg.freifunk.net
 gw21.regensburg.freifunk.net
 gw31.regensburg.freifunk.net
 netbox.regensburg.freifunk.net
 ns1.regensburg.freifunk.net
 resolver.regensburg.freifunk.net
 stats.regensburg.freifunk.net
 sx.regensburg.freifunk.net
 tiles.regensburg.freifunk.net
 web.regensburg.freifunk.net
 unms.ffrgb ansible_host=10.90.224.101
 unifi.ffrgb ansible_host=10.90.224.102
 tiles.ffrgb ansible_host=10.90.224.103
 netbox.ffrgb ansible_host=10.90.224.104
--- a/library/fastd_key
+++ b/library/fastd_key
@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/env python
 EXAMPLES = '''
 # Generates a fastd key
--- a/roles/apt/files/unattended-upgrades.conf
+++ b/roles/apt/files/unattended-upgrades.conf
@ -1,7 +1,7 @@
 // Unattended-Upgrade::Origins-Pattern controls which packages are
 // upgraded.
 //
-// Lines below have the format "keyword=value,...".  A
+// Lines below have the format format is "keyword=value,...".  A
 // package will be upgraded only if the values in its metadata match
 // all the supplied keywords in a line.  (In other words, omitted
 // keywords are wild cards.) The keywords originate from the Release
@ -30,7 +30,6 @@ Unattended-Upgrade::Origins-Pattern {
 //      "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
        // Archive or Suite based matching:
        // Note that this will silently match a different release after
@ -93,11 +92,9 @@ Unattended-Upgrade::Package-Blacklist {
 // 'mailx' must be installed. E.g. "user@example.com"
 Unattended-Upgrade::Mail "root";
-// Set this value to one of:
+// Set this value to "true" to get emails only on errors. Default
-//    "always", "only-on-error" or "on-change"
+// is to always send a mail if Unattended-Upgrade::Mail is set
-// If this is not set, then any legacy MailOnlyOnError (boolean) value
+Unattended-Upgrade::MailOnlyOnError "true";
 // is used to chose between "only-on-error" and "on-change"
 Unattended-Upgrade::MailReport "only-on-error";
 // Remove unused automatically installed kernel-related packages
 // (kernel images, kernel headers and kernel version locked tools).
@ -147,18 +144,3 @@ Unattended-Upgrade::Automatic-Reboot "false";
 // Print debugging information both in unattended-upgrades and
 // in unattended-upgrade-shutdown
 // Unattended-Upgrade::Debug "false";
 // Allow package downgrade if Pin-Priority exceeds 1000
 // Unattended-Upgrade::Allow-downgrade "false";
 // When APT fails to mark a package to be upgraded or installed try adjusting
 // candidates of related packages to help APT's resolver in finding a solution
 // where the package can be upgraded or installed.
 // This is a workaround until APT's resolver is fixed to always find a
 // solution if it exists. (See Debian bug #711128.)
 // The fallback is enabled by default, except on Debian's sid release because
 // uninstallable packages are frequent there.
 // Disabling the fallback speeds up unattended-upgrades when there are
 // uninstallable packages at the expense of rarely keeping back packages which
 // could be upgraded or installed.
 // Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
--- a/roles/common/files/.zshrc
+++ b/roles/common/files/.zshrc
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -1,13 +1,7 @@
 ---
 - name: Restart chrony
  service: name=chrony state=restarted
 - name: Restart journald
  service: name=systemd-journald state=restarted
 - name: update-grub
  command: update-grub
 - name: update-initramfs
  command: update-initramfs -u -k all
--- a/roles/common/tasks/Debian.yml
+++ b/roles/common/tasks/Debian.yml
@ -1,79 +0,0 @@
 ---
 - name: Install misc software
  apt:
    name:
    - ca-certificates
    - dnsutils
    - git
    - htop
    - less
    - mtr-tiny
    - net-tools
    - openssl
    - psmisc
    - pydf
    - rsync
    - sudo
    - vim-nox
    - wget
    - zsh
    - fail2ban
 - name: Install software on KVM VMs
  apt:
    name:
    - acpid
    - qemu-guest-agent
  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
 - name: Configure misc software
  copy: src={{ item.src }} dest={{ item.dest }}
  diff: no
  with_items:
  - { src: ".zshrc", dest: "/root/.zshrc" }
  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
  - { src: "motd", dest: "/etc/motd" }
  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
 - name: Set shell for root user
  user: name=root shell=/bin/zsh
 - name: Disable hibernation/resume
  copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
  notify: update-initramfs
 - name: Enable serial console on KVM VMs
  lineinfile:
    path: "/etc/default/grub"
    state: "present"
    regexp: "^#?GRUB_CMDLINE_LINUX=.*"
    line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
  notify: update-grub
  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
 - name: Prevent normal users from running su
  lineinfile:
    path: /etc/pam.d/su
    regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
    line: "auth       required   pam_wheel.so"
 - name: Configure journald retention
  lineinfile:
    path: "/etc/systemd/journald.conf"
    state: "present"
    regexp: "^#?MaxRetentionSec=.*"
    line: "MaxRetentionSec=7day"
  notify: Restart journald
 - name: Set logrotate.conf to daily
  replace:
    path: "/etc/logrotate.conf"
    regexp: "(?:weekly|monthly)"
    replace: "daily"
 - name: Set logrotate.conf rotation to 7
  replace:
    path: "/etc/logrotate.conf"
    regexp: "rotate [0-9]+"
    replace: "rotate 7"
--- a/roles/common/tasks/Proxmox.yml
+++ b/roles/common/tasks/Proxmox.yml
@ -1,25 +0,0 @@
 ---
 - name: Install misc software
  apt:
    name:
    - dnsutils
    - htop
    - ipmitool
    - less
    - rsync
    - vim-nox
    - wget
    - zsh
 - name: Configure misc software
  copy: src={{ item.src }} dest={{ item.dest }}
  diff: no
  with_items:
  - { src: ".zshrc", dest: "/root/.zshrc" }
  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
  - { src: "motd", dest: "/etc/motd" }
  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
 - name: Set shell for root user
  user: name=root shell=/bin/zsh
--- a/roles/common/tasks/chrony.yml
+++ b/roles/common/tasks/chrony.yml
@ -1,11 +0,0 @@
 ---
 - name: Install chrony
  apt: name=chrony
 - name: Configure chrony
  template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
  notify: Restart chrony
 - name: Start chrony
  service: name=chrony state=started enabled=yes
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -1,21 +1,76 @@
 ---
- name: Cleanup
+- name: Install misc software
-  apt: autoclean=yes
+  apt:
-  when: ansible_os_family == "Debian"
+    name:
    - ca-certificates
    - dnsutils
    - git
    - htop
    - less
    - mtr-tiny
    - net-tools
    - openssl
    - psmisc
    - pydf
    - rsync
    - sudo
    - vim-nox
    - zsh
    - fail2ban
- name: Gather package facts
+- name: Install software on KVM VMs
-  package_facts:
+  apt:
-    manager: apt
+    name:
-  when: ansible_os_family == "Debian"
+    - acpid
    - qemu-guest-agent
  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Proxmox
+- name: Configure misc software
-  include: Proxmox.yml
+  copy: src={{ item.src }} dest={{ item.dest }}
-  when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
+  diff: no
  with_items:
  - { src: '.zshrc', dest: '/root/.zshrc' }
  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
  - { src: 'motd', dest: '/etc/motd' }
  - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Debian
+- name: Set shell for root user
-  include: Debian.yml
+  user: name=root shell=/bin/zsh
  when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
- name: Setup chrony
+- name: Disable hibernation/resume
-  include: chrony.yml
+  copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
  notify: update-initramfs
 - name: use new-style network interface names
  file: path=/etc/systemd/network/{{ item }} state=absent
  with_items:
  - 50-virtio-kernel-names.link
  - 99-default.link
  notify: update-initramfs
 - name: Prevent normal users from running su
  lineinfile:
    path: /etc/pam.d/su
    regexp: '^.*auth\s+required\s+pam_wheel.so$'
    line: 'auth       required   pam_wheel.so'
 - name: Configure journald retention
  lineinfile:
    path: "/etc/systemd/journald.conf"
    state: "present"
    regexp: "^#?MaxRetentionSec=.*"
    line: "MaxRetentionSec=7day"
  notify: Restart journald
 - name: Set logrotate.conf to daily
  replace:
    path: "/etc/logrotate.conf"
    regexp: "(?:weekly|monthly)"
    replace: "daily"
 - name: Set logrotate.conf rotation to 7
  replace:
    path: "/etc/logrotate.conf"
    regexp: "rotate [0-9]+"
    replace: "rotate 7"
--- a/roles/common/templates/chrony.conf.j2
+++ b/roles/common/templates/chrony.conf.j2
@ -1,53 +0,0 @@
 # Welcome to the chrony configuration file. See chrony.conf(5) for more
 # information about usable directives.
 # Include configuration files found in /etc/chrony/conf.d.
 confdir /etc/chrony/conf.d
 {% for srv in ntp_servers %}
 server {{ srv }} iburst
 {% endfor %}
 {% if ntp_peers is defined %}
 {% for peer in ntp_peers %}
 peer {{ peer }}
 {% endfor %}
 {% endif %}
 {% if ntp_server is defined and ntp_server is true %}
 allow 10.90.0.0/16
 allow 2001:678:ddc::/48
 {% endif -%}
 # This directive specify the location of the file containing ID/key pairs for
 # NTP authentication.
 keyfile /etc/chrony/chrony.keys
 # This directive specify the file into which chronyd will store the rate
 # information.
 driftfile /var/lib/chrony/chrony.drift
 # Save NTS keys and cookies.
 ntsdumpdir /var/lib/chrony
 # Uncomment the following line to turn logging on.
 #log tracking measurements statistics
 # Log files location.
 logdir /var/log/chrony
 # Stop bad estimates upsetting machine clock.
 maxupdateskew 100.0
 # This directive enables kernel synchronisation (every 11 minutes) of the
 # real-time clock. Note that it can't be used along with the 'rtcfile' directive.
 rtcsync
 # Step the system clock instead of slewing it if the adjustment is larger than
 # one second, but only in the first three clock updates.
 makestep 1 3
 # Get TAI-UTC offset and leap seconds from the system tz database.
 # This directive must be commented out when using time sources serving
 # leap-smeared time.
 leapsectz right/UTC
--- a/roles/dhcpd/defaults/main.yml
+++ b/roles/dhcpd/defaults/main.yml
@ -2,5 +2,5 @@
 dhcpd_interfaces: br-{{ site_code }}
 dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
-dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
+dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
 name_server: "{{ batman_ipv4 | ipaddr('address') }}"
--- a/roles/dns_auth/tasks/main.yml
+++ b/roles/dns_auth/tasks/main.yml
@ -1,5 +1,11 @@
 ---
 - name: Enable powerdns apt-key
  apt_key: url='https://repo.powerdns.com/FD380FBB-pub.asc'
 - name: Enable powerdns repository
  apt_repository: repo='deb http://repo.powerdns.com/debian buster-auth-43 main'
 - name: Install powerdns
  apt:
    name:
--- a/roles/dns_auth/templates/pdns.conf.j2
+++ b/roles/dns_auth/templates/pdns.conf.j2
@ -29,7 +29,3 @@ master=yes
 #
 # only-notify=0.0.0.0/0,::/0
 only-notify=
 # security-poll-suffix  Domain name from which to query security update notifications
 #
 security-poll-suffix=
--- a/roles/dns_resolver/tasks/main.yml
+++ b/roles/dns_resolver/tasks/main.yml
@ -1,5 +1,11 @@
 ---
 - name: Enable powerdns apt-key
  apt_key: url='https://repo.powerdns.com/FD380FBB-pub.asc'
 - name: Enable powerdns repository
  apt_repository: repo='deb http://repo.powerdns.com/debian buster-dnsdist-15 main'
 - name: Install powerdns
  apt:
    name:
--- a/roles/dns_resolver/templates/dnsdist.conf.j2
+++ b/roles/dns_resolver/templates/dnsdist.conf.j2
@ -5,11 +5,10 @@ addLocal('::1')
 addLocal('{{ ansible_default_ipv4.address }}')
 addLocal('{{ ansible_default_ipv6.address }}')
-setACL({'0.0.0.0/0', '::/0'})
+addACL('194.156.22.0/24')
 addACL('2001:678:ddc::/48')
-addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
+newServer({address='127.0.0.1:5353', qps=1, name='localhost'})
 newServer({address='127.0.0.1:5353', name='localhost'})
 addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
 addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
--- a/roles/dns_resolver/templates/recursor.conf.j2
+++ b/roles/dns_resolver/templates/recursor.conf.j2
@ -27,9 +27,11 @@ local-address=127.0.0.1
 local-port=5353
 #################################
-# query-local-address   Source IP address for sending queries
+# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
 #
-query-local-address=::,0.0.0.0
+{% if global_ipv6 is defined %}
 query-local-address6={{ global_ipv6 | ipaddr('address') }}
 {% endif %}
 #################################
 # quiet Suppress logging of questions and answers
--- a/roles/dns_split/tasks/main.yml
+++ b/roles/dns_split/tasks/main.yml
@ -1,5 +1,11 @@
 ---
 - name: Enable powerdns apt-key
  apt_key: url='https://repo.powerdns.com/FD380FBB-pub.asc'
 - name: Enable powerdns repository
  apt_repository: repo='deb http://repo.powerdns.com/debian buster-dnsdist-15 main'
 - name: Install powerdns
  apt:
    name:
--- a/roles/dns_split/templates/dnsdist.conf.j2
+++ b/roles/dns_split/templates/dnsdist.conf.j2
@ -5,7 +5,7 @@ addLocal('::1')
 addLocal('{{ batman_ipv4 | ipaddr('address') }}')
 addLocal('{{ batman_ipv6 | ipaddr('address') }}')
-newServer({address='127.0.0.1:5353', name='localhost'})
+newServer({address='127.0.0.1:5353', qps=1, name='localhost'})
 addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
 addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
--- a/roles/dns_split/templates/pdns.conf.j2
+++ b/roles/dns_split/templates/pdns.conf.j2
@ -12,6 +12,12 @@ launch=bind
 # local-address=0.0.0.0
 local-address=127.0.0.1
 #################################
 # local-ipv6    Local IP address to which we bind
 #
 # local-ipv6=::
 local-ipv6=
 #################################
 # local-port    The port on which we listen
 #
--- a/roles/dns_split/templates/recursor.conf.j2
+++ b/roles/dns_split/templates/recursor.conf.j2
@ -33,9 +33,11 @@ local-address=127.0.0.1
 local-port=5353
 #################################
-# query-local-address   Source IP address for sending queries
+# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
 #
-query-local-address=::,0.0.0.0
+{% if global_ipv6 is defined %}
 query-local-address6={{ global_ipv6 | ipaddr('address') }}
 {% endif %}
 #################################
 # quiet Suppress logging of questions and answers
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -1,10 +1,17 @@
 ---
 - name: Enable docker apt-key
  apt_key: url='https://download.docker.com/linux/debian/gpg'
 - name: Enable docker repository
  apt_repository:
    repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
    filename: docker
 - name: Install docker
  apt:
    name:
-    - docker.io
+    - docker-ce
    - docker-ce-cli
    - containerd.io
    - python3-docker
 - name: Enable docker
  service: name=docker state=started enabled=yes
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@ -1,14 +1,10 @@
 ---
- name: Retrieve Grafana Key and avoid apt_key
+- name: Enable grafana apt-key
-  block:
+  apt_key: url='https://packages.grafana.com/gpg.key'
    - name: grafana |no apt key
      ansible.builtin.get_url:
        url: https://apt.grafana.com/gpg.key
        dest: /usr/share/keyrings/grafana.key
 - name: Enable grafana repository
-  apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
+  apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
 - name: Install grafana
  apt: name=grafana
--- a/roles/influxdb/tasks/main.yml
+++ b/roles/influxdb/tasks/main.yml
@ -1,23 +1,10 @@
 ---
- name: Import Influxdb GPG siging key with store
+- name: Enable influxdb apt-key
-  ansible.builtin.get_url:
+  apt_key: url='https://repos.influxdata.com/influxdb.key'
    url: "https://repos.influxdata.com/influxdata-archive_compat.key"
    dest: /etc/apt/trusted.gpg.d/influxdb.key
    checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
- name: Convert key
+- name: Enable influxdb repository
-  ansible.builtin.command:
+  apt_repository: repo='deb https://repos.influxdata.com/debian buster stable'
    argv:
      - gpg
      - --dearmor
      - /etc/apt/trusted.gpg.d/influxdb.key
    creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
 - name: Enable InfluxDB repository
  ansible.builtin.apt_repository:
    repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
    state: present
 - name: Install influxdb
  apt: name=influxdb
--- a/roles/interfaces/templates/mesh.conf.j2
+++ b/roles/interfaces/templates/mesh.conf.j2
@ -14,8 +14,6 @@ iface br-{{ site_code }}
 {% if global_ipv6 is defined %}
 	address		{{ global_ipv6 }}
 {% endif %}
 	#
 	post-up		echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
 # bat-{{ site_code }}
 auto bat-{{ site_code }}
@ -23,14 +21,15 @@ iface bat-{{ site_code }}
 	hwaddress	f2:00:90:00:{{ gateway_id }}:20
 	mtu		1500
 	#
 	batman-gw-mode		server
 	batman-hop-penalty	5
 	batman-ifaces		dmy-{{ site_code }}
 	batman-ifaces-ignore-regex	.*_.*
 	batman-multicast-mode	disabled
 	batman-routing-algo	{{ batman_algo }}
 	#
-	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} gw server
+	post-up		/usr/sbin/batctl -m bat-{{ site_code }} it 5000
-	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} hp 5
+	post-up		echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
 	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} it 5000
 	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} mff 1
 # dmy-{{ site_code }}
--- a/roles/mesh_wg/tasks/main.yml
+++ b/roles/mesh_wg/tasks/main.yml
@ -1,7 +1,17 @@
 ---
- name: Install wireguard
+- name: Enable backports
-  apt: name=wireguard-tools
+  apt_repository: repo='deb http://deb.debian.org/debian buster-backports main'
 - name: Install kernel headers
  apt: name=linux-headers-amd64
 - name: Install wireguard from backports
  apt:
    name:
    - wireguard-dkms
    - wireguard-tools
    default_release: buster-backports
 - name: Create wireguard config directory
  file:
@ -18,8 +28,7 @@
  notify: Reload interfaces
 - name: Install wgskex
-  apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
+  apt: deb=http://moepman.eu/tmp/wgskex_0.1.0_amd64.deb
 - name: Install ping endpoint
  copy: src=ping dest=/var/www/html/ping
--- a/roles/mesh_wg/templates/mesh_wg.conf.j2
+++ b/roles/mesh_wg/templates/mesh_wg.conf.j2
@ -3,11 +3,11 @@
 # vx-{{ site_code }}
 auto vx-{{ site_code }}
 iface vx-{{ site_code }}
 	mtu		1350
 	vxlan-physdev	wg-{{ site_code }}
 	pre-up		ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
 	up		ip link set vx-{{ site_code }} up
-	post-up		batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
+	post-up		ip link set vx-{{ site_code }} mtu 1350
 	post-up		batctl -m bat-{{ site_code }} if add vx-{{ site_code }}
 	down		ip link set vx-{{ site_code }} down
 	post-down	ip -6 link del vx-{{ site_code }}
--- a/roles/netbox/defaults/main.yml
+++ b/roles/netbox/defaults/main.yml
@ -2,4 +2,4 @@
 netbox_group: netbox
 netbox_user: netbox
-netbox_version: 4.1.8
+netbox_version: 2.11.9
--- a/roles/netbox/tasks/main.yml
+++ b/roles/netbox/tasks/main.yml
@ -27,95 +27,77 @@
    - postgresql
    - python3-psycopg2
- name: Configure PostgreSQL user
+- name: Configure PostgreSQL database
-  postgresql_user:
+  postgresql_db:
-    name: "{{ netbox_dbuser }}"
+    name: '{{ netbox_dbname }}'
    password: "{{ netbox_dbpass }}"
  become: true
  become_user: postgres
- name: Configure PostgreSQL database
+- name: Configure PostgreSQL user
-  postgresql_db:
+  postgresql_user:
-    name: "{{ netbox_dbname }}"
+    db: '{{ netbox_dbname }}'
-    owner: "{{ netbox_dbuser }}"
+    name: '{{ netbox_dbuser }}'
    password: '{{ netbox_dbpass }}'
    priv: ALL
    state: present
  become: true
  become_user: postgres
 - name: Install redis
  apt: name=redis-server
 # TODO configure redis?
 - name: Unpack netbox
  unarchive:
-    src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
+    src: 'https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz'
    dest: /opt
    remote_src: yes
-    creates: "/opt/netbox-{{ netbox_version }}"
+    creates: '/opt/netbox-{{ netbox_version }}'
  register: netbox_unarchive
 - name: Configure netbox
  template:
    src: configuration.py.j2
-    dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
+    dest: '/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py'
-    owner: "{{ netbox_user }}"
+    owner: '{{ netbox_user }}'
-    group: "{{ netbox_group }}"
+    group: '{{ netbox_group }}'
  notify: Restart netbox
 - name: Configure gunicorn
  template:
    src: gunicorn.py.j2
-    dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
+    dest: '/opt/netbox-{{ netbox_version }}/gunicorn.py'
-    owner: "{{ netbox_user }}"
+    owner: '{{ netbox_user }}'
-    group: "{{ netbox_group }}"
+    group: '{{ netbox_group }}'
 - name: Netbox file permissions
  file:
-    path: "/opt/netbox-{{ netbox_version }}"
+    path: '/opt/netbox-{{ netbox_version }}'
-    owner: "{{ netbox_user }}"
+    owner: '{{ netbox_user }}'
-    group: "{{ netbox_group }}"
+    group: '{{ netbox_group }}'
    recurse: yes
 - name: Fix psycopg variant
  lineinfile:
    path: "/opt/netbox-{{ netbox_version }}/requirements.txt"
    regexp: '^psycopg\[.*,pool\]==(.*)$'
    line: 'psycopg[binary,pool]==\1'
    backrefs: yes
  register: netbox_psycopg_fix
 - name: Run upgrade script
  command:
    cmd: ./upgrade.sh
-    chdir: "/opt/netbox-{{ netbox_version }}"
+    chdir: '/opt/netbox-{{ netbox_version }}'
  become: true
-  become_user: "{{ netbox_user }}"
+  become_user: '{{ netbox_user }}'
-  when: netbox_unarchive.changed or netbox_psycopg_fix.changed
+  when: netbox_unarchive.changed
 # TODO - still manual work
 # * Create a super user
 # * Migrate media files
 - name: Install netbox housekeeping cronjob
  template:
    src: netbox-housekeeping.sh.j2
    dest: /etc/cron.daily/netbox-housekeeping.sh
    mode: 0755
 - name: Ensure certificates are available
  command:
    cmd: >
      openssl req -x509 -nodes -newkey rsa:2048
      -keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
      -days 730 -subj "/CN={{ netbox_domain }}"
-    creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
+    creates: '/etc/nginx/ssl/{{ netbox_domain }}.crt'
  notify: Restart nginx
 - name: Request nsupdate key for certificate
  include_role: name=acme-dnskey-generate
  vars:
    acme_dnskey_san_domains:
    - "{{ netbox_domain }}"
  when: "'kitchen' in group_names"
 - name: Configure certificate manager for netbox
  template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
  notify: Run acertmgr
@ -125,7 +107,7 @@
    src: vhost.j2
    dest: /etc/nginx/sites-available/netbox
    owner: root
-    mode: "0644"
+    mode: '0644'
  notify: Restart nginx
 - name: Enable vhost
--- a/roles/netbox/templates/configuration.py.j2
+++ b/roles/netbox/templates/configuration.py.j2
@ -34,9 +34,6 @@ REDIS = {
        'PASSWORD': '',
        'DATABASE': 0,
        'SSL': False,
        # Set this to True to skip TLS certificate verification
        # This can expose the connection to attacks, be careful
        # 'INSECURE_SKIP_TLS_VERIFY': False,
    },
    'caching': {
        'HOST': 'localhost',
@ -47,9 +44,6 @@ REDIS = {
        'PASSWORD': '',
        'DATABASE': 1,
        'SSL': False,
        # Set this to True to skip TLS certificate verification
        # This can expose the connection to attacks, be careful
        # 'INSECURE_SKIP_TLS_VERIFY': False,
    }
 }
@ -69,13 +63,32 @@ SECRET_KEY = '{{ netbox_secret }}'
 # Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
 # application errors (assuming correct email settings are provided).
 ADMINS = [
-    # ('John Doe', 'jdoe@example.com'),
+    # ['John Doe', 'jdoe@example.com'],
 ]
-# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
+# URL schemes that are allowed within links in NetBox
 ALLOWED_URL_SCHEMES = (
    'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
 )
 # Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
 # content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
 BANNER_TOP = ''
 BANNER_BOTTOM = ''
 # Text to include on the login page above the login form. HTML is allowed.
 BANNER_LOGIN = ''
 # Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
 # BASE_PATH = 'netbox/'
 BASE_PATH = ''
 # Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
 CACHE_TIMEOUT = 900
 # Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
 CHANGELOG_RETENTION = 90
 # API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
 # allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
 # CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
@ -104,6 +117,10 @@ EMAIL = {
    'FROM_EMAIL': '',
 }
 # Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
 # (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
 ENFORCE_GLOBAL_UNIQUE = False
 # Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
 # by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
 EXEMPT_VIEW_PERMISSIONS = [
@ -126,18 +143,22 @@ INTERNAL_IPS = ('127.0.0.1', '::1')
 #   https://docs.djangoproject.com/en/stable/topics/logging/
 LOGGING = {}
 # Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
 # authenticated to NetBox indefinitely.
 LOGIN_PERSISTENCE = False
 # Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
-# are permitted to access most data in NetBox but not make any changes.
+# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
 LOGIN_REQUIRED = True
 # The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
 # re-authenticate. (Default: 1209600 [14 days])
 LOGIN_TIMEOUT = None
 # Setting this to True will display a "maintenance mode" banner at the top of every page.
 MAINTENANCE_MODE = False
 # An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
 # "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
 # all objects by specifying "?limit=0".
 MAX_PAGE_SIZE = 1000
 # The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
 # the default value of this setting is derived from the installed location.
 # MEDIA_ROOT = '/opt/netbox/netbox/media'
@ -155,6 +176,20 @@ LOGIN_TIMEOUT = None
 # Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
 METRICS_ENABLED = False
 # Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
 NAPALM_USERNAME = ''
 NAPALM_PASSWORD = ''
 # NAPALM timeout (in seconds). (Default: 30)
 NAPALM_TIMEOUT = 30
 # NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
 # be provided as a dictionary.
 NAPALM_ARGS = {}
 # Determine how many objects to display per page within a list. (Default: 50)
 PAGINATE_COUNT = 50
 # Enable installed plugins. Add the name of each plugin to the list.
 PLUGINS = []
@ -167,6 +202,14 @@ PLUGINS = []
 #     }
 # }
 # When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
 # prefer IPv4 instead.
 PREFER_IPV4 = False
 # Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
 RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
 RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
 # Remote authentication support
 REMOTE_AUTH_ENABLED = False
 REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
@ -175,6 +218,9 @@ REMOTE_AUTH_AUTO_CREATE_USER = True
 REMOTE_AUTH_DEFAULT_GROUPS = []
 REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
 # This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
 RELEASE_CHECK_TIMEOUT = 24 * 3600
 # This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
 # version check or use the URL below to check for release in the official NetBox repository.
 RELEASE_CHECK_URL = None
@ -191,9 +237,6 @@ RQ_DEFAULT_TIMEOUT = 300
 # this setting is derived from the installed location.
 # SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
 # The name to use for the session cookie.
 SESSION_COOKIE_NAME = 'sessionid'
 # By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
 # local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
 # database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
--- a/roles/netbox/templates/netbox-housekeeping.sh.j2
+++ b/roles/netbox/templates/netbox-housekeeping.sh.j2
@ -1,9 +0,0 @@
 #!/bin/sh
 # This shell script invokes NetBox's housekeeping management command, which
 # intended to be run nightly. This script can be copied into your system's
 # daily cron directory (e.g. /etc/cron.daily), or referenced directly from
 # within the cron configuration file.
 #
 # If NetBox has been installed into a nonstandard location, update the paths
 # below.
 /opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping
--- a/roles/netbox/templates/netbox-rq.service.j2
+++ b/roles/netbox/templates/netbox-rq.service.j2
@ -7,8 +7,8 @@ Wants=network-online.target
 [Service]
 Type=simple
-User={{ netbox_user }}
+User=netbox
-Group={{ netbox_group }}
+Group=netbox
 WorkingDirectory=/opt/netbox-{{ netbox_version }}
 ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
--- a/roles/netbox/templates/netbox.service.j2
+++ b/roles/netbox/templates/netbox.service.j2
@ -7,8 +7,8 @@ Wants=network-online.target
 [Service]
 Type=simple
-User={{ netbox_user }}
+User=netbox
-Group={{ netbox_group }}
+Group=netbox
 PIDFile=/var/tmp/netbox.pid
 WorkingDirectory=/opt/netbox-{{ netbox_version }}
--- a/roles/netbox/templates/vhost.j2
+++ b/roles/netbox/templates/vhost.j2
@ -10,7 +10,7 @@ server {
 	}
 	location / {
-		return 301 https://$host$request_uri;
+		return 301 https://{{ netbox_domain }}$request_uri;
 	}
 }
@ -30,9 +30,9 @@ server {
 	location / {
 		client_max_body_size 32M;
 		proxy_pass http://localhost:8001;
 		proxy_set_header X-Forwarded-Host $http_host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_pass http://localhost:8001;
 	}
 }
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -41,7 +41,7 @@
 - name: Ensure network and dns are available before nginx
  lineinfile:
    dest: /lib/systemd/system/nginx.service
-    line: "After=network-online.target remote-fs.target nss-lookup.target"
+    line: "After=network-online.target nss-lookup.target"
    regexp: "^After="
 - name: Start nginx
--- a/roles/ntp/handlers/main.yml
+++ b/roles/ntp/handlers/main.yml
@ -0,0 +1,7 @@
 ---
 - name: Restart ntp
  service: name=ntp state=restarted
 - name: Restart ntpd
  service: name=ntpd state=restarted
--- a/roles/ntp/tasks/main.yml
+++ b/roles/ntp/tasks/main.yml
@ -0,0 +1,11 @@
 ---
 - name: Install ntp
  apt: name=ntp
 - name: Configure ntp
  template: src=ntp.conf.j2 dest=/etc/ntp.conf
  notify: Restart ntp
 - name: Start the ntp service
  service: name=ntp state=started enabled=yes
--- a/roles/ntp/templates/ntp.conf.j2
+++ b/roles/ntp/templates/ntp.conf.j2
@ -0,0 +1,17 @@
 # {{ ansible_managed }}
 {% for srv in ntp_servers %}
 server {{ srv }} iburst
 {% endfor %}
 {% if ntp_peers is defined %}
 {% for peer in ntp_peers %}
 peer {{ peer }}
 {% endfor %}
 {% endif %}
 restrict default kod nomodify notrap nopeer noquery
 restrict -6 default kod nomodify notrap nopeer noquery
 restrict 127.0.0.1
 restrict -6 ::1
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@ -6,7 +6,6 @@
 - name: Install dependencies
  apt:
    name:
    - python3-pip
    - python3-setuptools
    - virtualenv
@ -22,13 +21,6 @@
  - Reload systemd
  - Restart prometheus-pve-exporter
 - name: Configure prometheus retention
  lineinfile:
    path: /etc/default/prometheus
    regexp: '^ARGS=.*$'
    line: 'ARGS="--storage.tsdb.retention.time=365d"'
  notify: Restart prometheus
 - name: Configure prometheus
  template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml
  notify: Restart prometheus
--- a/roles/searxng/handlers/main.yml
+++ b/roles/searxng/handlers/main.yml
@ -1,16 +0,0 @@
 ---
 - name: Reload systemd
  systemd: daemon_reload=yes
 - name: Restart searxng
  service: name=searxng state=restarted
 - name: Restart searxng-reload
  service: name=searxng-reload state=restarted
 - name: Restart nginx
  service: name=nginx state=restarted
 - name: Run acertmgr
  command: /usr/bin/acertmgr
--- a/roles/searxng/meta/main.yml
+++ b/roles/searxng/meta/main.yml
@ -1,5 +0,0 @@
 ---
 dependencies:
 - { role: acertmgr }
 - { role: nginx, nginx_ssl: True }
--- a/roles/searxng/tasks/main.yml
+++ b/roles/searxng/tasks/main.yml
@ -1,61 +0,0 @@
 ---
 - name: Install packages
  apt:
    name:
    - docker.io
    - docker-compose
 - name: Create searxng group
  group: name=searxng
 - name: Create searxng user
  user:
    name: searxng
    home: /opt/searxng
    shell: /bin/bash
    group: searxng
    groups: docker
 - name: Configure searxng container
  template: src=docker-compose.yml.j2 dest=/opt/searxng/docker-compose.yml
  notify: Restart searxng
 - name: Ensure certificates are available
  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ searxng_domain }}.key -out /etc/nginx/ssl/{{ searxng_domain }}.crt -days 730 -subj "/CN={{ searxng_domain }}" creates=/etc/nginx/ssl/{{ searxng_domain }}.crt
  notify: Restart nginx
 - name: Configure certificate manager for searxng
  template: src=certs.j2 dest=/etc/acertmgr/{{ searxng_domain }}.conf
  notify: Run acertmgr
 - name: Configure vhost
  template: src=vhost.j2 dest=/etc/nginx/sites-available/searxng
  notify: Restart nginx
 - name: Enable vhost
  file: src=/etc/nginx/sites-available/searxng dest=/etc/nginx/sites-enabled/searxng state=link
  notify: Restart nginx
 # TODO config files inside /opt/searxng/searxng
 - name: Systemd unit for searxng
  template: src=searxng.service.j2 dest=/etc/systemd/system/searxng.service
  notify:
  - Reload systemd
  - Restart searxng
 - name: Systemd unit for searxng-reload
  template: src=searxng-reload.{{ item }}.j2 dest=/etc/systemd/system/searxng-reload.{{ item }}
  with_items:
  - "service"
  - "timer"
  notify:
  - Reload systemd
  - Restart searxng-reload
 - name: Start the searxng service
  service: name=searxng state=started enabled=yes
 - name: Enable auto update timer
  service: name=searxng-reload.timer state=started enabled=yes
--- a/roles/searxng/templates/certs.j2
+++ b/roles/searxng/templates/certs.j2
@ -1,15 +0,0 @@
 ---
 {{ searxng_domains }}:
 - path: /etc/nginx/ssl/{{ searxng_domain }}.key
  user: root
  group: root
  perm: '400'
  format: key
  action: '/usr/sbin/service nginx restart'
 - path: /etc/nginx/ssl/{{ searxng_domain }}.crt
  user: root
  group: root
  perm: '400'
  format: crt,ca
  action: '/usr/sbin/service nginx restart'
--- a/roles/searxng/templates/docker-compose.yml.j2
+++ b/roles/searxng/templates/docker-compose.yml.j2
@ -1,34 +0,0 @@
 ---
 version: "3.4"
 services:
  redis:
    image: redis:alpine
    tmpfs:
      - /var/lib/redis
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE
  searxng:
    image: searxng/searxng:latest
    ports:
      - "127.0.0.1:8000:8080"
    volumes:
      - ./searxng:/etc/searxng:rw
    environment:
      - SEARXNG_BASE_URL=https://{{ searxng_domain }}/
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"
--- a/roles/searxng/templates/searxng-reload.service.j2
+++ b/roles/searxng/templates/searxng-reload.service.j2
@ -1,7 +0,0 @@
 [Unit]
 Description=Refresh searxng images
 [Service]
 Type=oneshot
 ExecStart=/bin/systemctl reload-or-restart searxng.service
--- a/roles/searxng/templates/searxng-reload.timer.j2
+++ b/roles/searxng/templates/searxng-reload.timer.j2
@ -1,10 +0,0 @@
 [Unit]
 Description=Refresh searxng images
 Requires=searxng.service
 After=searxng.service
 [Timer]
 OnCalendar=*:0/15
 [Install]
 WantedBy=timers.target
--- a/roles/searxng/templates/searxng.service.j2
+++ b/roles/searxng/templates/searxng.service.j2
@ -1,32 +0,0 @@
 [Unit]
 Description=searxng service using docker compose
 Requires=docker.service
 After=docker.service
 Before=nginx.service
 [Service]
 Type=simple
 User=searxng
 Group=searxng
 Restart=always
 TimeoutStartSec=1200
 WorkingDirectory=/opt/searxng
 # Update images
 ExecStartPre=-/usr/bin/docker-compose pull --quiet
 # Compose up
 ExecStart=/usr/bin/docker-compose up
 # Compose down, remove containers and volumes
 ExecStop=/usr/bin/docker-compose down -v
 # Refresh on reload
 ExecReload=-/usr/bin/docker-compose pull --quiet
 ExecReload=/usr/bin/docker-compose up -d
 [Install]
 WantedBy=multi-user.target
--- a/roles/searxng/templates/vhost.j2
+++ b/roles/searxng/templates/vhost.j2
@ -1,37 +0,0 @@
 server {
 	listen 80;
 	listen [::]:80;
 	server_name {{ searxng_domains }};
 	location /.well-known/acme-challenge {
 		default_type "text/plain";
 		alias /var/www/acme-challenge;
 	}
 	location / {
 		return 301 https://$host$request_uri;
 	}
 }
 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	server_name {{ searxng_domains }};
 	ssl_certificate_key /etc/nginx/ssl/{{ searxng_domain }}.key;
 	ssl_certificate /etc/nginx/ssl/{{ searxng_domain }}.crt;
 	# set max upload size
 	client_max_body_size 8M;
 	location / {
 		proxy_pass http://localhost:8000;
 		proxy_set_header Connection $http_connection;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 }
--- a/roles/speedtest/handlers/main.yml
+++ b/roles/speedtest/handlers/main.yml
@ -1,16 +0,0 @@
 ---
 - name: Reload systemd
  systemd: daemon_reload=yes
 - name: Restart speedtest
  service: name=speedtest state=restarted
 - name: Restart speedtest-reload
  service: name=speedtest-reload state=restarted
 - name: Restart nginx
  service: name=nginx state=restarted
 - name: Run acertmgr
  command: /usr/bin/acertmgr
--- a/roles/speedtest/meta/main.yml
+++ b/roles/speedtest/meta/main.yml
@ -1,5 +0,0 @@
 ---
 dependencies:
 - { role: acertmgr }
 - { role: nginx, nginx_anonymize: True, nginx_ssl: True }
--- a/roles/speedtest/tasks/main.yml
+++ b/roles/speedtest/tasks/main.yml
@ -1,59 +0,0 @@
 ---
 - name: Install packages
  apt:
    name:
    - docker.io
    - docker-compose
 - name: Create speedtest group
  group: name=speedtest
 - name: Create speedtest user
  user:
    name: speedtest
    home: /opt/speedtest
    shell: /bin/bash
    group: speedtest
    groups: docker
 - name: Configure speedtest container
  template: src=docker-compose.yml.j2 dest=/opt/speedtest/docker-compose.yml
  notify: Restart speedtest
 - name: Ensure certificates are available
  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ speedtest_domain }}.key -out /etc/nginx/ssl/{{ speedtest_domain }}.crt -days 730 -subj "/CN={{ speedtest_domain }}" creates=/etc/nginx/ssl/{{ speedtest_domain }}.crt
  notify: Restart nginx
 - name: Configure certificate manager for speedtest
  template: src=certs.j2 dest=/etc/acertmgr/{{ speedtest_domain }}.conf
  notify: Run acertmgr
 - name: Configure vhost
  template: src=vhost.j2 dest=/etc/nginx/sites-available/speedtest
  notify: Restart nginx
 - name: Enable vhost
  file: src=/etc/nginx/sites-available/speedtest dest=/etc/nginx/sites-enabled/speedtest state=link
  notify: Restart nginx
 - name: Systemd unit for speedtest
  template: src=speedtest.service.j2 dest=/etc/systemd/system/speedtest.service
  notify:
  - Reload systemd
  - Restart speedtest
 - name: Systemd unit for speedtest-reload
  template: src=speedtest-reload.{{ item }}.j2 dest=/etc/systemd/system/speedtest-reload.{{ item }}
  with_items:
  - "service"
  - "timer"
  notify:
  - Reload systemd
  - Restart speedtest-reload
 - name: Start the speedtest service
  service: name=speedtest state=started enabled=yes
 - name: Enable auto update timer
  service: name=speedtest-reload.timer state=started enabled=yes
--- a/roles/speedtest/templates/certs.j2
+++ b/roles/speedtest/templates/certs.j2
@ -1,15 +0,0 @@
 ---
 {{ speedtest_domains }}:
 - path: /etc/nginx/ssl/{{ speedtest_domain }}.key
  user: root
  group: root
  perm: '400'
  format: key
  action: '/usr/sbin/service nginx restart'
 - path: /etc/nginx/ssl/{{ speedtest_domain }}.crt
  user: root
  group: root
  perm: '400'
  format: crt,ca
  action: '/usr/sbin/service nginx restart'
--- a/roles/speedtest/templates/docker-compose.yml.j2
+++ b/roles/speedtest/templates/docker-compose.yml.j2
@ -1,15 +0,0 @@
 ---
 version: "3.4"
 services:
  speedtest:
    image: adolfintel/speedtest
    restart: unless-stopped
    environment:
      MODE: standalone
      TELEMETRY: "true"
      ENABLE_ID_OBFUSCATION: "true"
      PASSWORD: {{ speedtest_secret }}
      WEBPORT: 8000
      TITLE: Freifunk Regensburg Speedtest
    ports:
      - "127.0.0.1:8000:8000"
--- a/roles/speedtest/templates/speedtest-reload.service.j2
+++ b/roles/speedtest/templates/speedtest-reload.service.j2
@ -1,7 +0,0 @@
 [Unit]
 Description=Refresh speedtest images
 [Service]
 Type=oneshot
 ExecStart=/bin/systemctl reload-or-restart speedtest.service
--- a/roles/speedtest/templates/speedtest-reload.timer.j2
+++ b/roles/speedtest/templates/speedtest-reload.timer.j2
@ -1,10 +0,0 @@
 [Unit]
 Description=Refresh speedtest images
 Requires=speedtest.service
 After=speedtest.service
 [Timer]
 OnCalendar=*:0/15
 [Install]
 WantedBy=timers.target
--- a/roles/speedtest/templates/speedtest.service.j2
+++ b/roles/speedtest/templates/speedtest.service.j2
@ -1,32 +0,0 @@
 [Unit]
 Description=speedtest service using docker compose
 Requires=docker.service
 After=docker.service
 Before=nginx.service
 [Service]
 Type=simple
 User=speedtest
 Group=speedtest
 Restart=always
 TimeoutStartSec=1200
 WorkingDirectory=/opt/speedtest
 # Update images
 ExecStartPre=-/usr/bin/docker-compose pull --quiet
 # Compose up
 ExecStart=/usr/bin/docker-compose up
 # Compose down, remove containers and volumes
 ExecStop=/usr/bin/docker-compose down -v
 # Refresh on reload
 ExecReload=-/usr/bin/docker-compose pull --quiet
 ExecReload=/usr/bin/docker-compose up -d
 [Install]
 WantedBy=multi-user.target
--- a/roles/speedtest/templates/vhost.j2
+++ b/roles/speedtest/templates/vhost.j2
@ -1,36 +0,0 @@
 server {
 	listen 80;
 	listen [::]:80;
 	server_name {{ speedtest_domains }};
 	client_max_body_size 64M;
 	location /.well-known/acme-challenge {
 		default_type "text/plain";
 		alias /var/www/acme-challenge;
 	}
 	location / {
 		proxy_pass http://127.0.0.1:8000;
 		proxy_set_header Host $host;
 		proxy_set_header Connection $http_connection;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Scheme $scheme;
 	}
 }
 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	server_name {{ speedtest_domains }};
 	ssl_certificate_key /etc/nginx/ssl/{{ speedtest_domain }}.key;
 	ssl_certificate /etc/nginx/ssl/{{ speedtest_domain }}.crt;
 	location / {
 		return 301 http://$host$request_uri;
 	}
 }
--- a/roles/telegraf/README.md
+++ b/roles/telegraf/README.md
@ -0,0 +1,56 @@
 Telegraf
 ========
 An Ansible role to install, configure, and manage [Telegraf](https://github.com/influxdb/telegraf), the plugin-driven server agent for reporting metrics into InfluxDB.
 Requirements
 ------------
 Prior knowledge/experience with InfluxDB and Telegraf is highly recommended. Full documentation is available [here](https://docs.influxdata.com).
 Installation
 ------------
 Either clone this repository, or install through Ansible Galaxy directly using the command:
 ```
 ansible-galaxy install rossmcdonald.telegraf
 ```
 Role Variables
 --------------
 The high-level variables are stored in the `defaults/main.yml` file. The most important ones being:
 ```
 # Channel of Telegraf to install (currently only 'stable' is supported)
 telegraf_install_version: stable
 ```
 More advanced configuration options are stored in the `vars/main.yml` file, which includes all of the necessary bells and whistles to tweak your configuration.
 Dependencies
 ------------
 No other Ansible dependencies are required. This role was tested and developed with Ansible 1.9.4.
 Example Playbook
 ----------------
 An example playbook is included in the `test.yml` file. There is also a `Vagrantfile`, which can be used for quick local testing leveraging [Vagrant](https://www.vagrantup.com/).
 Contributions and Feedback
 --------------------------
 Any contributions are welcome. For any bugs or feature requests, please open an issue through Github.
 License
 -------
 MIT
 Author
 ------
 Created by [Ross McDonald](https://github.com/rossmcdonald).
--- a/roles/telegraf/Vagrantfile
+++ b/roles/telegraf/Vagrantfile
@ -0,0 +1,40 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
 Vagrant.configure(2) do |config|
  config.vm.box = "ubuntu/trusty64"
  # config.vm.box = "ubuntu/vivid64"
  # config.vm.box = "relativkreativ/centos-7-minimal"
  # config.vm.box = "box-cutter/fedora22"
  # config.vm.box = "puppetlabs/centos-6.6-64-nocm"
  # config.vm.box = "debian/jessie64"
  BOX_COUNT = 1
  (1..BOX_COUNT).each do |machine_id|
    config.vm.define "telegraf#{machine_id}" do |machine|
      machine.vm.hostname = "telegraf#{machine_id}"
      # machine.vm.network "private_network", ip: "10.0.3.#{1+machine_id}", virtualbox__intnet: true
      # machine.vm.network "public_network"
      machine.vm.network "public_network", :bridge => 'en0: Wi-Fi (AirPort)'
      machine.vm.provider "virtualbox" do |v|
        v.memory = 512
        v.cpus = 1
      end
      if machine_id == BOX_COUNT
        machine.vm.provision "ansible" do |ansible|
          # ansible.verbose = 'vvvv'
          ansible.limit = 'all'
          ansible.playbook = "test.yml"
          ansible.sudo = true
          ansible.host_key_checking = false
          ansible.extra_vars = {
            is_vagrant: true,
          }
        end
      end
    end
  end
 end
--- a/roles/telegraf/defaults/main.yml
+++ b/roles/telegraf/defaults/main.yml
@ -0,0 +1,85 @@
 ---
 # Channel of Telegraf to install
 telegraf_install_version: stable
 # The user and group telegraf should run under (should be set to telegraf unless needed otherwise)
 telegraf_runas_user: telegraf
 telegraf_runas_group: telegraf
 # Configuration Template
 telegraf_configuration_template: telegraf.conf.j2
 # Configuration Variables
 telegraf_tags:
 telegraf_aws_tags: false
 telegraf_aws_tags_prefix:
 telegraf_agent_interval: 10s
 telegraf_round_interval: "true"
 telegraf_metric_batch_size: "1000"
 telegraf_metric_buffer_limit: "10000"
 telegraf_collection_jitter: 0s
 telegraf_flush_interval: 10s
 telegraf_flush_jitter: 0s
 telegraf_debug: "false"
 telegraf_quiet: "false"
 telegraf_hostname:
 telegraf_omit_hostname: "false"
 telegraf_install_url:
 telegraf_influxdb_url: http://stats.regensburg.freifunk.net:8086
 telegraf_influxdb_database: telegraf
 telegraf_influxdb_precision: s
 telegraf_influxdb_retention_policy: autogen
 telegraf_influxdb_write_consistency: any
 telegraf_influxdb_ssl_ca:
 telegraf_influxdb_ssl_cert:
 telegraf_influxdb_ssl_key:
 telegraf_influxdb_insecure_skip_verify:
 telegraf_influxdb_timeout: 5s
 telegraf_influxdb_username: telegraf
 telegraf_influxdb_password:
 telegraf_influxdb_user_agent:
 telegraf_influxdb_udp_payload:
 telegraf_plugins_base:
  - name: swap
  - name: processes
  - name: kernel
  - name: netstat
  - name: mem
  - name: system
  - name: cpu
    options:
      percpu: "true"
      totalcpu: "true"
      collect_cpu_time: "false"
      report_active: "false"
      fielddrop:
        - "time_*"
  - name: disk
    options:
      mountpoints:
        - "/"
      ignore_fs:
        - "tmpfs"
        - "devtmpfs"
        - "devfs"
  - name: diskio
    options:
      skip_serial_number: "true"
  - name: procstat
    options:
      exe: "influxd"
      prefix: "influxdb"
  - name: net
    options:
      interfaces:
        - "eth0"
 telegraf_plugins: "{{ telegraf_plugins_base }} + {{ telegraf_plugins_extra | default([]) }}"
 telegraf_influxdata_base_url: "https://repos.influxdata.com"
--- a/roles/telegraf/handlers/install.yml
+++ b/roles/telegraf/handlers/install.yml
--- a/roles/telegraf/handlers/main.yml
+++ b/roles/telegraf/handlers/main.yml
@ -0,0 +1,30 @@
 ---
 # The order here matters
 - name: restart telegraf
  service:
    name: telegraf
    state: restarted
  become: true
  when: telegraf_start_service
 - name: pause
  pause:
    seconds: "{{ telegraf_start_delay }}"
  when: telegraf_start_service
 ## After version 2.2 of ansible 'listen' could be used to
 ## group 'check status' and 'assert running' into a single listener
 - name: check status
  command: service telegraf status
  args:
    warn: false
  ignore_errors: yes
  register: telegraf_service_status
  become: true
  when: telegraf_start_service
 - name: assert running
  assert:
    that:
      - "telegraf_service_status.rc == 0"
  when: telegraf_start_service
--- a/roles/telegraf/meta/main.yml
+++ b/roles/telegraf/meta/main.yml
@ -0,0 +1,24 @@
 ---
 galaxy_info:
  author: Ross McDonald
  description: Install and configure Telegraf, the plugin-driven server agent for reporting metrics into InfluxDB
  company: InfluxData
  license: MIT
  min_ansible_version: 1.2
  platforms:
    - name: EL
      versions:
        - 6
        - 7
    - name: Ubuntu
      versions:
        - trusty
        - utopic
        - vivid
    - name: Debian
      versions:
        - jessie
        - wheezy
  categories:
    - monitoring
 dependencies: []
--- a/roles/telegraf/tasks/configure.yml
+++ b/roles/telegraf/tasks/configure.yml
@ -0,0 +1,70 @@
 ---
 - name: Retrieve ec2 facts
  ec2_metadata_facts:
  when: telegraf_aws_tags
 - name: Retrieve all ec2 tags on the instance
  ec2_tag:
    region: "{{ ansible_ec2_placement_region }}"
    resource: "{{ ansible_ec2_instance_id }}"
    state: list
  when: telegraf_aws_tags
  register: ec2_tags
 - name: get the rpm or apt package facts
  package_facts:
    manager: "auto"
 - name: Set templatized Telegraf configuration
  template:
    src: "{{ telegraf_configuration_template }}"
    dest: "{{ telegraf_configuration_dir }}/telegraf.conf"
    force: yes
    backup: yes
    owner: telegraf
    group: telegraf
    mode: 0740
  when: telegraf_template_configuration
  # If config changes, restart telegraf and confirm it remained running
  notify:
    - "restart telegraf"
    - "pause"
    - "check status"
    - "assert running"
 - name: Test for sysvinit script
  stat:
    path: /etc/init.d/telegraf
  register: telegraf_sysvinit_script
 - name: Modify user Telegraf should run as [sysvinit]
  replace:
    path: /etc/init.d/telegraf
    regexp: USER=.*
    replace: USER={{ telegraf_runas_user }}
  when: telegraf_runas_user != "telegraf" and telegraf_sysvinit_script.stat.exists
 - name: Modify group Telegraf should run as [sysvinit]
  replace:
    path: /etc/init.d/telegraf
    regexp: GROUP=.*
    replace: GROUP={{ telegraf_runas_group }}
  when: telegraf_runas_group != "telegraf" and telegraf_sysvinit_script.stat.exists
 - name: Create systemd service directory [systemd]
  file:
    path: /etc/systemd/system/telegraf.service.d
    state: directory
  when: telegraf_runas_user != "telegraf" and not telegraf_sysvinit_script.stat.exists
 - name: Modify user Telegraf should run as [systemd]
  template:
    src: systemd/system/telegraf.service.d/override.conf
    dest: /etc/systemd/system/telegraf.service.d/override.conf
  when: telegraf_runas_user != "telegraf" and not telegraf_sysvinit_script.stat.exists
  register: telegraf_unit_file_updated
 - name: Reload systemd configuration [systemd]
  systemd:
    daemon_reload: yes
  when: telegraf_unit_file_updated is defined and telegraf_unit_file_updated.changed
--- a/roles/telegraf/tasks/install-debian.yml
+++ b/roles/telegraf/tasks/install-debian.yml
@ -0,0 +1,55 @@
 ---
 - name: Install any necessary dependencies [Debian/Ubuntu]
  apt:
    name:
      - python-httplib2
      - python-apt
      - curl
      - apt-transport-https
    state: present
    update_cache: yes
    cache_valid_time: 3600
  register: apt_result
  until: apt_result is success
  retries: 2
  delay: 5
 - name: Import InfluxData GPG signing key [Debian/Ubuntu]
  apt_key:
    url: "{{ telegraf_influxdata_base_url }}/influxdb.key"
    state: present
  when: telegraf_install_url is not defined or telegraf_install_url == None
 - name: Add InfluxData repository [Debian/Ubuntu]
  apt_repository:
    repo: deb {{ telegraf_influxdata_base_url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ telegraf_install_version }}
    state: present
  when: telegraf_install_url is not defined or telegraf_install_url == None
 - name: Install Telegraf packages [Debian/Ubuntu]
  apt:
    name: telegraf
    state: latest
    update_cache: yes
    cache_valid_time: 3600
  register: apt_result
  until: apt_result is success
  retries: 2
  delay: 5
  when: telegraf_install_url is not defined or telegraf_install_url == None
 - name: Download Telegraf package via URL [Debian/Ubuntu]
  get_url:
    url: "{{ telegraf_install_url }}"
    dest: /tmp/telegraf-ansible-download.deb
  when: telegraf_install_url is defined and telegraf_install_url != None
 - name: Install downloaded Telegraf package [Debian/Ubuntu]
  apt:
    deb: /tmp/telegraf-ansible-download.deb
    state: present
  register: apt_result
  until: apt_result is success
  retries: 2
  delay: 5
  when: telegraf_install_url is defined and telegraf_install_url != None
--- a/roles/telegraf/tasks/install-redhat.yml
+++ b/roles/telegraf/tasks/install-redhat.yml
@ -0,0 +1,21 @@
 ---
 - name: Add InfluxData repository file [RHEL/CentOS]
  template:
    src: etc/yum.repos.d/influxdata.repo.j2
    dest: /etc/yum.repos.d/influxdata.repo
    force: yes
    backup: yes
  when: telegraf_install_url is not defined or telegraf_install_url == None
 - name: Install Telegraf packages [RHEL/CentOS]
  yum:
    name: telegraf
    state: latest
    update_cache: yes
  when: telegraf_install_url is not defined or telegraf_install_url == None
 - name: Install Telegraf from URL [RHEL/CentOS]
  yum:
    name: "{{ telegraf_install_url }}"
    state: present
  when: telegraf_install_url is defined and telegraf_install_url != None
--- a/roles/telegraf/tasks/install.yml
+++ b/roles/telegraf/tasks/install.yml
@ -0,0 +1,6 @@
 ---
 - include: install-redhat.yml
  when: ansible_os_family == "RedHat"
 - include: install-debian.yml
  when: ansible_os_family == "Debian"
--- a/roles/telegraf/tasks/main.yml
+++ b/roles/telegraf/tasks/main.yml
@ -0,0 +1,10 @@
 ---
 - include: install.yml
  tags: [telegraf, install]
 - include: configure.yml
  tags: [telegraf, configure]
 - include: start.yml
  tags: [telegraf, start]
  when: telegraf_start_service
--- a/roles/telegraf/tasks/start.yml
+++ b/roles/telegraf/tasks/start.yml
@ -0,0 +1,12 @@
 ---
 - name: Start the Telegraf service
  service:
    name: telegraf
    state: started
    enabled: yes
  # Only care to check the status if the state changed to 'started'
  notify:
    - "pause"
    - "check status"
    - "assert running"
  become: true
--- a/roles/telegraf/templates/etc/yum.repos.d/influxdata.repo.j2
+++ b/roles/telegraf/templates/etc/yum.repos.d/influxdata.repo.j2
@ -0,0 +1,13 @@
 [influxdb]
 name = InfluxDB Repository - {{ ansible_distribution }} $releasever
 {% if ansible_distribution|lower == "amazon" %}
 baseurl = "{{ telegraf_influxdata_base_url }}/centos/6/amd64/{{ telegraf_install_version }}"
 {% elif ansible_distribution|lower == "redhat" %}
 baseurl = {{ telegraf_influxdata_base_url }}/rhel/$releasever/$basearch/{{ telegraf_install_version }}
 {% else %}
 baseurl = {{ telegraf_influxdata_base_url }}/{{ ansible_distribution|lower }}/$releasever/$basearch/{{ telegraf_install_version }}
 {% endif %}
 enabled = 1
 gpgcheck = 1
 gpgkey = {{ telegraf_influxdata_base_url }}/influxdb.key
 sslverify = 1
--- a/roles/telegraf/templates/systemd/system/telegraf.service.d/override.conf
+++ b/roles/telegraf/templates/systemd/system/telegraf.service.d/override.conf
@ -0,0 +1,2 @@
 [Service]
 User={{ telegraf_runas_user }}
--- a/roles/telegraf/templates/telegraf.conf.j2
+++ b/roles/telegraf/templates/telegraf.conf.j2
@ -0,0 +1,181 @@
 # Telegraf configuration
 # Telegraf is entirely plugin driven. All metrics are gathered from the
 # declared plugins.
 # Even if a plugin has no configuration, it must be declared in here
 # to be active. Declaring a plugin means just specifying the name
 # as a section with no variables. To deactivate a plugin, comment
 # out the name and any variables.
 # Use 'telegraf -config telegraf.toml -test' to see what metrics a config
 # file would generate.
 # One rule that plugins conform to is wherever a connection string
 # can be passed, the values '' and 'localhost' are treated specially.
 # They indicate to the plugin to use their own builtin configuration to
 # connect to the local system.
 # NOTE: The configuration has a few required parameters. They are marked
 # with 'required'. Be sure to edit those to make this configuration work.
 # Tags can also be specified via a normal map, but only one form at a time:
 [global_tags]
 {% if telegraf_tags is defined and telegraf_tags != None %}
 {% for key, value in telegraf_tags.items()%}
   {{ key }} = "{{ value }}"
 {% endfor %}
 {% endif %}
 {% if telegraf_aws_tags == true and ec2_tags is defined and ec2_tags != None %}
 {% for key, value in ec2_tags.tags.items()%}
   {{ telegraf_aws_tags_prefix }}{{ key }} = "{{ value }}"
 {% endfor %}
 {% endif %}
 # Configuration for telegraf agent
 [agent]
  ## Default data collection interval for all inputs
  interval = "{{ telegraf_agent_interval }}"
  ## Rounds collection interval to 'interval'
  ## ie, if interval="10s" then always collect on :00, :10, :20, etc.
  round_interval = {{ telegraf_round_interval }}
  ## Telegraf will send metrics to outputs in batches of at
  ## most metric_batch_size metrics.
  metric_batch_size = {{ telegraf_metric_batch_size }}
  ## For failed writes, telegraf will cache metric_buffer_limit metrics for each
  ## output, and will flush this buffer on a successful write. Oldest metrics
  ## are dropped first when this buffer fills.
  metric_buffer_limit = {{ telegraf_metric_buffer_limit }}
  ## Collection jitter is used to jitter the collection by a random amount.
  ## Each plugin will sleep for a random time within jitter before collecting.
  ## This can be used to avoid many plugins querying things like sysfs at the
  ## same time, which can have a measurable effect on the system.
  collection_jitter = "{{ telegraf_collection_jitter }}"
  ## Default flushing interval for all outputs. You shouldn't set this below
  ## interval. Maximum flush_interval will be flush_interval + flush_jitter
  flush_interval = "{{ telegraf_flush_interval }}"
  ## Jitter the flush interval by a random amount. This is primarily to avoid
  ## large write spikes for users running a large number of telegraf instances.
  ## ie, a jitter of 5s and interval 10s means flushes will happen every 10-15s
  flush_jitter = "{{ telegraf_flush_jitter }}"
  ## Run telegraf in debug mode
  debug = {{ telegraf_debug }}
  ## Run telegraf in quiet mode
  quiet = {{ telegraf_quiet }}
  hostname = "{{ ansible_hostname }}"
  ## If set to true, do no set the "host" tag in the telegraf agent.
  omit_hostname = {{ telegraf_omit_hostname }}
 ###############################################################################
 #                                  OUTPUTS                                    #
 ###############################################################################
 [outputs]
 # Configuration for influxdb server to send metrics to
 [[outputs.influxdb]]
  # The full HTTP or UDP endpoint URL for your InfluxDB instance.
  # Multiple urls can be specified but it is assumed that they are part of the same
  # cluster, this means that only ONE of the urls will be written to each interval.
  # urls = ["udp://localhost:8089"] # UDP endpoint example
  ## urls = [ "" ] # required
  urls = ["{{ telegraf_influxdb_url }}"]
  # The target database for metrics (telegraf will create it if not exists)
  database = "{{ telegraf_influxdb_database }}" # required
  # Precision of writes, valid values are n, u, ms, s, m, and h
  # note: using second precision greatly helps InfluxDB compression
  precision = "{{ telegraf_influxdb_precision }}"
  ## Retention policy to write to.
  retention_policy = "{{ telegraf_influxdb_retention_policy }}"
  ## Write consistency (clusters only), can be: "any", "one", "quorom", "all"
  write_consistency = "{{ telegraf_influxdb_write_consistency }}"
  # Connection timeout (for the connection with InfluxDB), formatted as a string.
  # If not provided, will default to 0 (no timeout)
  timeout = "{{ telegraf_influxdb_timeout }}"
 {% if telegraf_influxdb_username is defined and telegraf_influxdb_username != None %}
  username = "{{ telegraf_influxdb_username }}"
 {% endif %}
  password = "{{ telegraf_influxdb_password }}"
  # Set the user agent for HTTP POSTs (can be useful for log differentiation)
 {% if telegraf_influxdb_user_agent is defined and telegraf_influxdb_user_agent != None %}
  user_agent = "{{ telegraf_influxdb_user_agent }}"
 {% endif %}
  # Set UDP payload size, defaults to InfluxDB UDP Client default (512 bytes)
 {% if telegraf_influxdb_udp_payload is defined and telegraf_influxdb_udp_payload != None %}
  udp_payload = {{ telegraf_influxdb_udp_payload }}
 {% endif %}
  ## Optional SSL Config
 {% if telegraf_influxdb_ssl_ca is defined and telegraf_influxdb_ssl_ca != None %}
  # ssl_ca = "{{ telegraf_influxdb_ssl_ca }}"
 {% endif %}
 {% if telegraf_influxdb_ssl_cert is defined and telegraf_influxdb_ssl_cert != None %}
  # ssl_cert = "{{ telegraf_influxdb_ssl_cert }}"
 {% endif %}
 {% if telegraf_influxdb_ssl_key is defined and telegraf_influxdb_ssl_key != None %}
  # ssl_key = "{{ telegraf_influxdb_ssl_key }}"
 {% endif %}
 {% if telegraf_influxdb_insecure_skip_verify is defined and telegraf_influxdb_insecure_skip_verify != None %}
  ## Use SSL but skip chain & host verification
  insecure_skip_verify = {{ telegraf_influxdb_insecure_skip_verify }}
 {% endif %}
 ###############################################################################
 #                                  PLUGINS                                    #
 ###############################################################################
 {% for plugin in telegraf_plugins %}
 [[inputs.{{ plugin.name }}]]
 {% if plugin.options is defined %}
 {% for key, value in plugin.options.items() %}
 {% if value is not mapping %}
 {% if value is sequence and value is not string %}
 {% if value[0] is number %}
    {{ key }} = [ {{ value|join(', ') }} ]
 {% else %}
    {{ key }} = [ "{{ value|join('", "') }}" ]
 {% endif %}
 {% else %}
 {% if value == "true" or value == "false" or value is number %}
    {{ key }} = {{ value | lower }}
 {% else %}
    {{ key }} = "{{ value }}"
 {% endif %}
 {% endif %}
 {% endif %}
 {% endfor %}
 {% for key, value in plugin.options.items() %}
 {% if value is mapping %}
    [inputs.{{ plugin.name }}.{{ key }}]
 {% for lv2_key, lv2_value in value.items() %}
 {% if lv2_value is sequence and lv2_value is not string %}
 {% if lv2_value[0] is number %}
      {{ lv2_key }} = [ {{ lv2_value|join(', ') }} ]
 {% else %}
      {{ lv2_key }} = [ "{{ lv2_value|join('", "') }}" ]
 {% endif %}
 {% else %}
 {% if lv2_value == "true" or lv2_value == "false" or lv2_value is number %}
      {{ lv2_key }} = {{ lv2_value | lower }}
 {% else %}
      {{ lv2_key }} = "{{ lv2_value }}"
 {% endif %}
 {% endif %}
 {% endfor %}
 {% endif %}
 {% endfor %}
 {% endif %}
 {% endfor %}
 ###############################################################################
 #                              service PLUGINS                                #
 ###############################################################################
--- a/roles/telegraf/test.yml
+++ b/roles/telegraf/test.yml
@ -0,0 +1,8 @@
 - hosts: all
  vars_files:
    - defaults/main.yml
    - vars/main.yml
  tasks:
    - include: tasks/main.yml
  handlers:
    - include: handlers/main.yml
--- a/roles/telegraf/vars/main.yml
+++ b/roles/telegraf/vars/main.yml
@ -0,0 +1,16 @@
 ---
 # Whether or not the playbook is run locally
 # This should only be set in the Vagrantfile and not modified elsewhere
 is_vagrant: no
 # If yes, service will be started. Will not be started if set to no.
 telegraf_start_service: yes
 telegraf_start_delay: 6
 # If yes, will overwrite the packaged configuration with an Asnible/jinja2 template
 telegraf_template_configuration: yes
 # Path for finding Telegraf data. Added for backwards-compatibility.
 telegraf_binary_path: /usr/bin/telegraf
 telegraf_configuration_dir: /etc/telegraf
--- a/roles/tileserver/README.md
+++ b/roles/tileserver/README.md
@ -1,11 +0,0 @@
 # Notes
 To generate a current .mbtiles file:
 # apt install tilemaker
 # cd /tmp
 # wget https://download.geofabrik.de/europe/germany-latest.osm.pbf
 # mount -o remount,size=24G /dev/shm                              
 # # tilemaker --input /tmp/germany-latest.osm.pbf --output /tmp/germany-latest.mbtiles --config /usr/share/doc/tilemaker/examples/config-openmaptiles.json --process /usr/share/doc/tilemaker/examples/process-openmaptiles.lua --store /dev/shm/
--- a/roles/tileserver/defaults/main.yml
+++ b/roles/tileserver/defaults/main.yml
@ -1,3 +0,0 @@
 ---
 tileserver_version: 5.0.0
--- a/roles/tileserver/files/config.json
+++ b/roles/tileserver/files/config.json
@ -1,7 +1,7 @@
 {
  "options": {
    "paths": {
-      "root": "//usr/src/app/node_modules/tileserver-gl-styles",
+      "root": "/app/node_modules/tileserver-gl-styles",
      "fonts": "fonts",
      "styles": "/data/styles",
      "mbtiles": "/data"
--- a/roles/tileserver/handlers/main.yml
+++ b/roles/tileserver/handlers/main.yml
@ -1,13 +1,4 @@
 ---
 - name: Reload systemd
  systemd: daemon_reload=yes
 - name: Restart nginx
  service: name=nginx state=restarted
 - name: Restart tileserver
-  service: name=tileserver state=restarted
+  command: docker restart tileserver
 - name: Run acertmgr
  command: /usr/bin/acertmgr
--- a/roles/tileserver/meta/main.yml
+++ b/roles/tileserver/meta/main.yml
@ -1,5 +1,4 @@
 ---
 dependencies:
- { role: acertmgr }
+- { role: docker }
 - { role: nginx, nginx_anonymize: True, nginx_ssl: True }
--- a/roles/tileserver/tasks/main.yml
+++ b/roles/tileserver/tasks/main.yml
@ -1,64 +1,34 @@
 ---
- name: Install packages
+- name: Create data directories
  apt:
    name:
    - docker.io
    - docker-compose
 - name: Create tileserver group
  group: name=tileserver
 - name: Create tileserver user
  user:
    name: tileserver
    home: /opt/tileserver
    shell: /bin/bash
    group: tileserver
    groups: docker
 - name: Configure tileserver container
  template: src=docker-compose.yml.j2 dest=/opt/tileserver/docker-compose.yml
  notify: Restart tileserver
 - name: Create style directory
  file:
-    path: /opt/tileserver/data/styles
+    path: "{{ item }}"
    recurse: yes
    state: directory
  with_items:
  - /opt/tileserver
  - /opt/tileserver/styles
 - name: Configre tileserver
  copy:
    src: "{{ item }}"
-    dest: /opt/tileserver/data/{{ item }}
+    dest: /opt/tileserver/{{ item }}
  with_items:
  - config.json
  - styles/day.json
  - styles/night.json
  notify: Restart tileserver
- name: Ensure certificates are available
+- name: Run tileserver container
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ tileserver_domain }}.key -out /etc/nginx/ssl/{{ tileserver_domain }}.crt -days 730 -subj "/CN={{ tileserver_domain }}" creates=/etc/nginx/ssl/{{ tileserver_domain }}.crt
+  docker_container:
-  notify: Restart nginx
+    name: tileserver
-
+    image: maptiler/tileserver-gl
- name: Configure certificate manager for tileserver
+    interactive: yes
-  template: src=certs.j2 dest=/etc/acertmgr/{{ tileserver_domain }}.conf
+    ports:
-  notify: Run acertmgr
+    - "80:80"
-
+    - "8080:8080"
- name: Configure vhost
+    pull: yes
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/tileserver
+    restart_policy: unless-stopped
-  notify: Restart nginx
+    state: started
-
+    tty: yes
- name: Enable vhost
+    volumes:
-  file: src=/etc/nginx/sites-available/tileserver dest=/etc/nginx/sites-enabled/tileserver state=link
+    - "/opt/tileserver:/data"
  notify: Restart nginx
 - name: Systemd unit for tileserver
  template: src=tileserver.service.j2 dest=/etc/systemd/system/tileserver.service
  notify:
  - Reload systemd
  - Restart tileserver
 - name: Start the tileserver service
  service: name=tileserver state=started enabled=yes
--- a/roles/tileserver/templates/certs.j2
+++ b/roles/tileserver/templates/certs.j2
@ -1,15 +0,0 @@
 ---
 {{ tileserver_domain }}:
 - path: /etc/nginx/ssl/{{ tileserver_domain }}.key
  user: root
  group: root
  perm: '400'
  format: key
  action: '/usr/sbin/service nginx restart'
 - path: /etc/nginx/ssl/{{ tileserver_domain }}.crt
  user: root
  group: root
  perm: '400'
  format: crt,ca
  action: '/usr/sbin/service nginx restart'
--- a/roles/tileserver/templates/docker-compose.yml.j2
+++ b/roles/tileserver/templates/docker-compose.yml.j2
@ -1,10 +0,0 @@
 ---
 version: "3.4"
 services:
  tileserver:
    image: maptiler/tileserver-gl:v{{ tileserver_version }}
    restart: unless-stopped
    volumes:
      - ./data:/data
    ports:
      - "127.0.0.1:8080:8080"
--- a/roles/tileserver/templates/tileserver.service.j2
+++ b/roles/tileserver/templates/tileserver.service.j2
@ -1,25 +0,0 @@
 [Unit]
 Description=tileserver service using docker compose
 Requires=docker.service
 After=docker.service
 Before=nginx.service
 [Service]
 Type=simple
 User=tileserver
 Group=tileserver
 Restart=always
 TimeoutStartSec=1200
 WorkingDirectory=/opt/tileserver
 # Compose up
 ExecStart=/usr/bin/docker-compose up
 # Compose down, remove containers and volumes
 ExecStop=/usr/bin/docker-compose down -v
 [Install]
 WantedBy=multi-user.target
--- a/roles/unifi/tasks/main.yml
+++ b/roles/unifi/tasks/main.yml
@ -8,7 +8,7 @@
 - name: Run unifi container
  docker_container:
    name: unifi
-    image: jacobalberty/unifi:6.1.71
+    image: jacobalberty/unifi:stable
    env:
      RUNAS_UID0: "false"
      TZ: "Europe/Berlin"
--- a/roles/web_stats/templates/vhost.j2
+++ b/roles/web_stats/templates/vhost.j2
@ -27,7 +27,6 @@ server {
 	location / {
 		proxy_pass http://localhost:3000/;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header Host $http_host;
 	}
 	location /meshviewer {
--- a/roles/web_svc/tasks/main.yml
+++ b/roles/web_svc/tasks/main.yml
@ -5,5 +5,4 @@
  with_items: "{{ web_services }}"
  vars:
    domain: "{{ item.domain }}"
    domains: "{{ item.domains }}"
    web_svc: "{{ item.id }}"
--- a/roles/web_svc/templates/tiles_certs.j2
+++ b/roles/web_svc/templates/tiles_certs.j2
@ -1,6 +1,6 @@
 ---
-{{ domains }}:
+{{ domain }}:
 - path: /etc/nginx/ssl/{{ domain }}.crt
  user: root
  group: root
--- a/roles/web_svc/templates/tiles_vhost.j2
+++ b/roles/web_svc/templates/tiles_vhost.j2
@ -2,7 +2,7 @@ server {
 	listen 80;
 	listen [::]:80;
-	server_name {{ tileserver_domain }};
+	server_name {{ domain }};
 	location /.well-known/acme-challenge {
 		default_type "text/plain";
@ -20,17 +20,17 @@ server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
-	server_name {{ tileserver_domain }};
+	server_name {{ domain }};
-	ssl_certificate_key /etc/nginx/ssl/{{ tileserver_domain }}.key;
+	ssl_certificate_key /etc/nginx/ssl/{{ domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ tileserver_domain }}.crt;
+	ssl_certificate /etc/nginx/ssl/{{ domain }}.crt;
 	location ~ /d/(.*\.png|.*\.webp) {
-		proxy_pass http://127.0.0.1:8080/styles/day/$1;
+		proxy_pass http://10.90.224.103/styles/day/$1;
 		proxy_cache tilecache;
 		proxy_cache_background_update on;
-#		proxy_cache_lock on;
+		proxy_cache_lock on;
 		proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
 		proxy_cache_valid 200 7d;
 		proxy_cache_valid any 1m;
@ -41,11 +41,11 @@ server {
 	}
 	location ~ /n/(.*\.png|.*\.webp) {
-		proxy_pass http://127.0.0.1:8080/styles/night/$1;
+		proxy_pass http://10.90.224.103/styles/night/$1;
 		proxy_cache tilecache;
 		proxy_cache_background_update on;
-#		proxy_cache_lock on;
+		proxy_cache_lock on;
 		proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
 		proxy_cache_valid 200 7d;
 		proxy_cache_valid any 1m;
--- a/roles/web_svc/templates/uisp_vhost.j2
+++ b/roles/web_svc/templates/uisp_vhost.j2
@ -1,38 +0,0 @@
 server {
 	listen 80;
 	listen [::]:80;
 	server_name {{ domains }};
 	location /.well-known/acme-challenge {
 		default_type "text/plain";
 		alias /var/www/acme-challenge;
 	}
 	location / {
 		return 301 https://$host$request_uri;
 	}
 }
 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	server_name {{ domains }};
 	ssl_certificate_key /etc/nginx/ssl/{{ domain }}.key;
 	ssl_certificate /etc/nginx/ssl/{{ domain }}.crt;
 	allow 2001:678:ddc::/48;
 	deny all;
 	location /nms {
 		proxy_pass https://10.90.224.101:443/nms;
 		proxy_set_header Host $host;
 		proxy_set_header Connection $http_connection;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Scheme $scheme;
 	}
 }
--- a/site.yml
+++ b/site.yml
@ -5,6 +5,7 @@
  roles:
  - common
  - apt
  - ntp
  - node_exporter
 - name: Setup gateway servers
@ -29,6 +30,7 @@
  hosts: [gw11.regensburg.freifunk.net, gw21.regensburg.freifunk.net, gw31.regensburg.freifunk.net]
  roles:
  - mesh_wg
  - telegraf
 - name: Setup stats server
  hosts: stats.regensburg.freifunk.net
@ -39,11 +41,6 @@
  - yanic
  - web_stats
 - name: Setup tile server
  hosts: tiles.regensburg.freifunk.net
  roles:
  - tileserver
 - name: Setup name servers
  hosts: ns1.regensburg.freifunk.net
  roles:
@ -52,24 +49,13 @@
 - name: Setup web service proxy
  hosts: web.regensburg.freifunk.net
  roles:
  - speedtest
  - web_svc
 - name: Setup searxng server
  hosts: sx.regensburg.freifunk.net
  roles:
  - searxng
 - name: Setup resolver
  hosts: resolver.regensburg.freifunk.net
  roles:
  - dns_resolver
 - name: Setup netbox server
  hosts: netbox.regensburg.freifunk.net
  roles:
  - netbox
 - name: Setup unms server
  hosts: unms.ffrgb
  roles:
@ -79,3 +65,13 @@
  hosts: unifi.ffrgb
  roles:
  - unifi
 - name: Setup tile server
  hosts: tiles.ffrgb
  roles:
  - tileserver
 - name: Setup netbox server
  hosts: netbox.ffrgb
  roles:
  - netbox