
196 Commits

360963a935 netbox: bump to version 4.1.8 2024-12-18 11:41:00 +01:00
1f81547c60 netbox: bump to version 4.1.7 2024-11-22 17:09:06 +01:00
4a8f51ba6c don't destroy containers before starting the service 2024-11-20 18:18:05 +01:00
4624241254 common: update and integrate ntp 2024-11-18 17:01:54 +01:00
6a8b97a9a6 group_vars: update ssh public keys 2024-11-16 12:16:17 +01:00
e806c5ead1 host_vers: use dedicated NAT IPs on gw11 and gw21 2024-11-16 12:14:21 +01:00
ca8470c12d searxng: new role 2024-11-14 18:24:43 +01:00
132b9651f2 speedtest: enable automatic updates of docker images 2024-11-14 18:23:31 +01:00
90b6048276 netbox: bump to version 4.1.6 2024-11-11 18:26:10 +01:00
482003f869 dns: set a query-local-address that works in any condition 2024-11-05 23:27:36 +01:00
8657599a13 dns: fix resolving v6 only resources 2024-11-05 22:59:22 +01:00
f1ecb89957 netbox: bump to version 4.1.5 2024-10-30 20:18:14 +01:00
ebc957d8c2 netbox: bump to version 4.1.4 2024-10-21 19:06:31 +02:00
5e0e0ac3a0 web_svc: add uisp config to ansible 2024-10-06 17:45:18 +02:00
8aa7c9c0b3 group_vars: update fqdn for tileserver 2024-10-06 17:36:59 +02:00
6da2083d46 tileserver: also install docker.io
This will allow for easier management using commands such as docker ps,
or docker logs.
2024-10-06 17:29:10 +02:00
e9db35e119 speedtest: new role to be deployed on web server 2024-10-06 17:27:19 +02:00
21efe29341 simplify redirect statement 2024-10-06 17:18:20 +02:00
5a516d2a9e tileserver: remove unnecessary command statement 2024-10-06 14:26:00 +02:00
14217927ca tileserver: move from internal network to internet 2024-10-04 23:11:27 +02:00
d717dbe5d5 web_svc: don't lock cache for tileserver 2024-10-04 19:50:00 +02:00
0f40741750 tileserver: bump to version 5.0.0 2024-10-04 19:37:04 +02:00
f124fc3464 netbox: move from internal network to internet 2024-10-04 17:49:44 +02:00
cca02889c7 netbox: bump to version 4.1.3 2024-10-02 19:27:59 +02:00
b32df8865b netbox: bump to version 4.1.2 2024-09-27 11:54:51 +02:00
feeb89461d netbox: bump to version 4.1.1 2024-09-16 17:39:55 +02:00
2b8c2d2ab7 netbox: bump to version 4.1.0 2024-09-09 09:36:14 +02:00
5c84b63b17 netbox: bump to version 4.0.8 2024-08-12 14:34:44 +02:00
242a878265 netbox: bump to version 4.0.7 2024-07-18 20:20:24 +02:00
2396d9c4d6 nebtox: bump to version 4.0.6 2024-06-28 16:15:38 +02:00
5997b64db8 netbox: bump to version 4.0.5 2024-06-13 09:21:32 +02:00
37b955a65c netbox: fix psycopg dependency to use binary
the C variant will fail to compile
2024-05-27 22:50:47 +02:00
443414cfd1 netbox: bump version to 4.0.3 2024-05-27 22:50:30 +02:00
05b5757ffd netbox: bump to version 3.7.8 2024-05-06 19:21:08 +02:00
87b21ca773 netbox: bump to version 3.7.5 2024-04-17 19:49:23 +02:00
90cb6966a7 netbox: bump to version 3.7.4 2024-03-18 08:48:47 +01:00
8ad13bcd95 netbox: bump to version 3.7.3 2024-02-22 23:19:33 +01:00
3e9f20fa32 netbox: bump version to 3.7.2 2024-02-06 17:28:16 +01:00
42ac102e8f netbox: bump to version 3.7.1 2024-01-18 19:41:34 +01:00
2c17b101a3 netbox: bump to version 3.7.0 2024-01-03 12:31:09 +01:00
ea4a4f1c24 nbetbox: bump to version 3.6.7 2023-12-20 08:45:13 +01:00
e6d7a0ed9d dhcpd: increase default pool size to 4K 2023-12-14 11:53:48 +01:00
e9095ae0a3 mesh_wg: bump wgskex to version 0.3.3 2023-12-14 11:53:26 +01:00
8f4e99d4f3 dns_split: make compatiable with Debian 12 2023-12-14 11:52:36 +01:00
879a01649a fastd_key: use python3 instead of python 2023-12-14 11:52:14 +01:00
963b676f95 netbox: bump to version 3.6.6 2023-12-13 08:33:27 +01:00
0653790816 netbox: fix DB priviledge settings for current ansible versions 2023-11-21 10:39:39 +01:00
d9775e2071 netbox: bump version to 3.6.5 2023-11-21 10:33:53 +01:00
bbc30c025e netbox: bump to version 3.6.4 2023-10-19 09:55:00 +02:00
4eab827a06 netbox: bump to version 3.6.3 2023-09-27 20:45:22 +02:00
8aaf5235b2 netbox: bump to version 3.6.1 2023-09-06 22:32:46 +02:00
9e24b7cab0 netbox: bump to version 3.5.7 2023-07-31 13:57:11 +02:00
1465481113 nginx: rebase against Debian 12 config 2023-07-04 13:14:37 +02:00
22724967e0 chrony: rebase against Debian 12 config 2023-07-04 13:13:56 +02:00
9f057f2389 tileserver: pin to last version still working
with the current paths used in the config
2023-07-04 13:13:22 +02:00
65400002dd prometheus: ensure this role works with Debian 12 2023-07-04 13:13:01 +02:00
7ab2642b4b netbox: bump to version 3.5.4 2023-06-28 07:44:14 +02:00
de03068166 netbox: bump to version 3.5.2 2023-05-23 17:22:48 +02:00
cab4994899 netbox: bump to version 3.4.8 2023-04-24 18:03:44 +02:00
27c2f0b452 netbox: bump to version 3.4.6
2023-03-16 16:07:59 +01:00
Bastian Mäuser
806c1b3e51 Accomodate for InfluxData Key rotation
2023-02-10 11:28:29 +01:00
Bastian Mäuser
4bf5099ab2 Accomodate for new grafana repo location 2023-02-10 11:17:50 +01:00
5020612824 netbox: bump to version 3.4.4 2023-02-03 16:26:38 +01:00
a49ed72fe4 common: update zshrc from upstream (grml) 2023-01-26 08:52:59 +01:00
2de5cdfdaf mesh_wg: bump wgskex to 0.3.2 2023-01-06 23:00:22 +01:00
2a89b85d36 netbox: bump to version 3.4.2 2023-01-06 17:45:50 +01:00
5ab29feb17 netbox: bump to version 3.4.1 2022-12-17 10:38:06 +01:00
75827d1202 netbox: bump to version 3.3.4 2022-09-21 14:12:56 +02:00
fb4c22eabf netbox: bump to version 3.3.2 2022-09-02 21:57:22 +02:00
87664d0158 netbox: bump to version 3.2.7
2022-08-02 10:50:03 +02:00
9530ed5e09 netbox: bump to version 3.2.5 2022-06-22 14:43:38 +02:00
c7777e45da dns_auth: disable upstream update check 2022-06-06 12:39:16 +02:00
52a364d2ef netbox: bump to version 3.2.3 2022-05-25 13:48:43 +02:00
e429538540 netbox: bump to version 3.2.0 2022-04-12 18:54:30 +02:00
f4b94ff2c5 netbox: bump version to 3.1.9 2022-03-14 14:40:06 +01:00
4972d0cafb web_stats: fix grafana permission issue 2022-02-15 18:12:36 +01:00
c4456da825 netbox: bump to version 3.1.5
2022-01-08 18:55:23 +01:00
5b6ed5bcbf netbox: bump to version 3.1.4
2022-01-05 19:33:11 +01:00
1af34c4f90 netbox: bump version to 3.1.1
2021-12-19 10:11:55 +01:00
99c1add95f netbox: restart on config change 2021-12-19 10:11:01 +01:00
6c54d99914 netbox: rebase config against upstream
2021-12-19 10:10:36 +01:00
b9861845c3 netbox: bump version to 3.0.11
2021-11-29 10:17:08 +01:00
df8b7ba21c netbox: bump version to 3.0.10
2021-11-19 23:16:48 +01:00
32aefbb0f6 netbox: bump version to 3.0.9
2021-11-08 17:33:44 +01:00
015e75fa2b netbox: service templates should use user/group from vars
2021-11-08 17:29:25 +01:00
15d3da93b2 grafana: unify string escaping style
2021-11-03 18:33:51 +01:00
629bb169ac common: unify string escaping style
2021-11-03 18:29:04 +01:00
4c63ba2586 netbox: bump version to 3.0.8
2021-11-03 18:25:58 +01:00
9aa91059d2 netbox: unify string escaping style
2021-11-03 18:25:33 +01:00
9c6d490f1c netbox: bump to version 3.0.7
2021-10-17 22:19:07 +02:00
f39df70307 telegraf: remove
2021-09-29 21:34:03 +02:00
59248f4ef8 host_vars: enable ntp server on gateways
2021-09-29 17:44:17 +02:00
4f45d615a5 apt: adjust config for bullseye
2021-09-29 17:43:37 +02:00
9f50cb58b3 ntp: switch to chrony
2021-09-29 17:42:39 +02:00
73a9300408 docker: also enable the service
2021-09-29 17:41:47 +02:00
26d5037e26 dns_split: fix for use with bullseye
2021-09-27 18:14:46 +02:00
26bd85279c interfaces: mesh_wg: fix for use with bullseye 2021-09-27 18:14:18 +02:00
ef9303ecf7 netbox: bump version to 3.0.3
2021-09-21 16:48:02 +02:00
ac79d8f35c interfaces: set gw mode more reliably
2021-09-20 19:35:36 +02:00
e2ba2e8ca5 netbox: bump version to 3.0.2
2021-09-15 10:50:00 +02:00
7214833ecc dns_resolver: fix sending TC on TCP connections
2021-09-06 13:37:55 +02:00
c79f497a09 influxdb: use proper repo
2021-09-06 13:37:18 +02:00
3d8072520e unifi: fix version for now (upgrade problems)
2021-09-04 18:25:05 +02:00
0e7ecfca34 docker: use debian supplied packages 2021-09-04 18:24:48 +02:00
6c1c6b8abd netbox: bump version to 3.0.1
2021-09-04 15:55:58 +02:00
779b361aec resolver: use acertmgr in standalone mode
2021-09-03 13:57:47 +02:00
215610b2db dns_split: remove qps limit
2021-09-01 17:35:01 +02:00
7c405d3b91 dns_resolver: make available for public
2021-09-01 17:34:45 +02:00
1da5ef70e5 dns_auth: dns_resolver: use bullseye system packages
2021-09-01 17:34:03 +02:00
c196bc4483 prometheus: add retention setting
2021-08-31 19:09:12 +02:00
8fabdc2550 netbox: bump version to 3.0.0
2021-08-31 19:02:20 +02:00
Bastian Mäuser
5ad344163d Fix Yanic behaviour on Statserver
2021-08-19 14:08:12 +02:00
0a696c67db netbox: add missing handler
2021-08-17 13:17:16 +02:00
70ce064aa5 apt: add gnupg2
used to run apt-key via ansible
2021-08-16 17:17:21 +02:00
9c9258863a docker: use ansible_distribution_release
2021-08-16 17:15:15 +02:00
Bastian Mäuser
29cc08a8be exip_ip: add rule to avoid VPN loops
2021-08-03 18:21:43 +02:00
44fc0e626e exit_ip: add support for NAT pools 2021-08-03 18:19:26 +02:00
ad4b92cc7a Update linter skip_list
2021-08-01 11:18:04 +02:00
9b90a6012d Drone: Swap linter base image 2021-08-01 11:18:04 +02:00
61dcf426f1 Fix VXLAN vnis 2021-08-01 11:18:04 +02:00
484467cbaa Fix VXLAN VNI 2021-08-01 11:17:52 +02:00
fd33a9c571 Install dummy endpoint for connectivity tests
2021-07-25 17:30:58 +02:00
0f19c36624 add mesh via vxlan over wireguard to gw11 and gw21
2021-07-23 18:21:05 +02:00
41b090e30f gw11: add vxlan vni
2021-07-23 15:24:21 +02:00
e1429adae1 interfaces: use more appropriate post-up instead of up
2021-07-23 14:21:10 +02:00
87ddc40259 fastd_exporter: add dependency on go
2021-07-23 13:11:41 +02:00
7034448b08 interfaces: use newer ifupdown2 version to fix gw mode
2021-07-23 13:11:07 +02:00
8b501255fb fastd: remove deprecated method xsalsa20-poly1305
2021-07-22 16:56:59 +02:00
5c34da3e62 respondd: bump to version 4fd2e3e6
2021-07-22 08:33:14 +02:00
bf3784af19 node_exporter: bump to version 1.2.0
2021-07-20 16:27:33 +02:00
56775c0cdd fastd: fix fastd_key with python3
2021-07-20 16:26:59 +02:00
5682d78dbb vars: allow dns transfers from FAN
2021-07-19 16:35:42 +02:00
f5db4f6daf netbox: bump to version 2.11.9
2021-07-13 09:19:04 +02:00
b28004bf35 netbox: run upgrade script 2021-07-13 09:18:26 +02:00
ce397c7a62 netbox: bump version to 2.11.7
2021-07-05 16:11:30 +02:00
92b6f4bbd9 arp_cache: increase v6 entries
2021-06-22 22:59:46 +02:00
d71be0fcd3 README: document passlib requirement
2021-06-22 22:59:14 +02:00
c33111a9fb netbox: fix paths in netbox-rq service file
2021-06-22 19:05:22 +02:00
9a153e9644 interfaces: try to fix boot order (again)
After and Before as per https://github.com/CumulusNetworks/ifupdown2/pull/190/files
2021-06-16 15:32:43 +02:00
01ab94aa27 web_svc: improve caching for tiles
2021-06-14 16:54:09 +02:00
9e369291b6 exit_ip: add rate limit to v6 nd
values were provided by awlnx
2021-06-14 16:46:00 +02:00
f8380524ec tileserver: pull on deployment, fix path for 3.1.x 2021-06-08 22:07:40 +02:00
4da5ac5ab6 use auto discovered python instead of legacy 2021-06-08 21:17:45 +02:00
6cf940b71f netbox: bump version to 2.11.4 2021-05-31 16:34:15 +02:00
cc0c0823e9 netbox: bump version to 2.10.6 2021-03-10 16:36:08 +01:00
b517df3151 Set Telegraf Config Permissions to 740
2021-01-12 14:23:36 +01:00
Bastian Mäuser
e7d3167f51 Write hostname instead of fqdn
2021-01-10 19:16:16 +01:00
Bastian Mäuser
755c1c5af1 Add Telegraf Role
2021-01-10 19:11:32 +01:00
Bastian Mäuser
879cfc0f40 Add Variable required for Telegraf Role 2021-01-10 19:11:09 +01:00
d4a9ccf43d netbox: bump to 2.10.1 and add systemd service
2020-12-16 19:32:58 +01:00
0484e91693 dns_auth: support dns slaves
2020-12-07 17:18:07 +01:00
19faa44f0c mesh_wg: adjust MTU to min values rather than max
2020-12-02 23:39:15 +01:00
ebe2eac3a7 dns_*: prevent DoH
by returning NXDOMAIN for use-application-dns.net
2020-11-28 23:39:47 +01:00
1c0d2f25d2 dns_*: use dnsdist as frontend 2020-11-28 23:36:50 +01:00
5cd6b06053 mesh_wg: increase the mtu so wg has to fragment
2020-11-25 18:28:22 +01:00
5422d3ad82 dns_*: remove TLS on localhost
2020-11-25 18:27:25 +01:00
0baec7972f stats: migrate to new host, enable for dnsdist
2020-11-25 18:26:28 +01:00
f955ce6119 web_svc: more caching
2020-11-24 22:41:09 +01:00
bf1b7e434d dns_resolver: new role for resolver only
2020-11-24 22:40:48 +01:00
f882c6e41a grafana: fix typo
2020-11-24 21:04:40 +01:00
d0ff422b67 dns_split: rename from dns 2020-11-24 20:52:14 +01:00
6534749691 grafana: add switch to install rendering deps
2020-11-24 20:36:35 +01:00
3baf4139ac web_*: cleanup, add VXoWG api endpoint
2020-11-24 20:29:53 +01:00
e8435cdd9b apt: fix unattended upgrads and apt download speed 2020-11-24 20:09:18 +01:00
309105d948 Add NGINX Role tailored for stateserver usage
2020-11-24 18:22:03 +01:00
d909edc169 Changes regardings stats
2020-11-24 14:44:37 +01:00
46406323c1 rename grafana to stats
2020-11-24 14:03:55 +01:00
990ce64971 node_exporter: use TLS and basic auth
2020-11-23 23:42:15 +01:00
333c4b82e9 yanic: make suitable for grafana host
2020-11-23 22:22:23 +01:00
1b4ed18171 nginx: add default to not break web_gw
2020-11-23 19:52:14 +01:00
1f0b671545 mesh_wg: new role for VXLAN over WG meshing
This is still work in progress, as such it is only enabled on the test
gateway.
2020-11-23 19:44:52 +01:00
97c095f75f interfaces: cleanup / use more ifupdown2 features
2020-11-23 19:03:13 +01:00
ac35c8c635 yanic: fix config template
change needed to be compatible with current upstream
2020-11-23 19:02:19 +01:00
4c020cea41 unify whitespace before }}
2020-11-16 23:18:52 +01:00
56e026ba14 dhcp: cleanup/unify whitespace usage
2020-11-05 18:54:26 +01:00
ae6b1bc58a dns: use dedicated certificate for dnsdist 2020-11-05 18:54:01 +01:00
29627c5e36 dns: use dnsdist from upstream repo 2020-11-05 18:53:33 +01:00
f6c4f927f4 dns: also offer DoT
2020-11-04 23:16:27 +01:00
1464ef73cb new host: grafana.regensburg.freifunk.net
new role: influxdb
2020-11-04 23:15:34 +01:00
af56fd8dcd nginx: support ip anonymization
2020-10-20 15:59:08 +02:00
2070c32a26 dns_auth: new role
also apply role to ns1.regensburg.freifunk.net
2020-10-20 15:26:50 +02:00
dd93bd6b11 dns: use list instead of with_items
2020-10-08 22:31:20 +02:00
1b12b54a8d common: use list instead of with_items
2020-10-08 22:30:36 +02:00
40a64d1e77 netbox: fix syntax error
2020-10-08 22:29:54 +02:00
b239dfb38f interfaces: use ipfdown2 version 3.0.0 2020-10-08 12:31:03 +02:00
cc736cc94e host_vars: update v6 prefixes
2020-10-07 20:29:32 +02:00
3582e84b09 git: remove role, integrate into common
2020-10-06 10:33:48 +02:00
ea4f70a483 drop debian stretch support
2020-10-06 10:30:42 +02:00
dc6f2e1e5b web-svc: rename to web_svc
2020-10-06 10:17:06 +02:00
610498fc31 web-gw: rename to web_gw 2020-10-06 10:16:33 +02:00
0de11eb6ed gw-admin-ssh-keys: rename to root_keys
2020-10-06 10:14:45 +02:00
d7291018a4 fastd-exporter: rename to fastd_exporter 2020-10-06 10:13:54 +02:00
c29bed27dc exit-ip: rename to exit_ip 2020-10-06 10:13:16 +02:00
3b501e041a arp-cache: rename to arp_cache 2020-10-06 10:12:47 +02:00
3d12cf0a7e mesh-interfaces: rename to interfaces
2020-10-06 10:05:53 +02:00
bc7805391c vars: add netbox host to node metrics
2020-10-06 10:02:50 +02:00
150 changed files with 4768 additions and 2109 deletions

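--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,4 @@
+skip_list:
+- meta-no-info
+- package-latest
+- risky-file-permissions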
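Review bot: Putting `risky-file-permissions` on the global skip_list silences the one lint that flags file, copy and template tasks with no explicit `mode`, so a vault-templated config (this repository renders secrets such as `netbox_dbpass` from the vault, as the group_vars hunk below shows) that lands world-readable would no longer be caught before deployment. The same applies to `package-latest`, which exists to catch unpinned `state: latest` installs. Prefer fixing the offending tasks (explicit `mode:` and pinned package states) over skipping the rules repository-wide, or at least record the reason next to each entry, e.g. `- risky-file-permissions  # <reason> — TODO revisit`, so the exception is reviewed rather than forgotten.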

@ -6,7 +6,6 @@ type: docker
steps:
- name: lint
image: alpine:latest
image: cytopia/ansible-lint:latest
commands:
- apk add git ansible ansible-lint
- ansible-lint -x305,403,701
- ansible-lint
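Review bot: The new lint image `cytopia/ansible-lint:latest` (like the `alpine:latest` it replaces) is a floating tag, so the CI toolchain changes silently whenever upstream moves the tag and a broken or compromised image is pulled without any change in this repository; pin it to a release tag or digest, e.g. `image: cytopia/ansible-lint:<VERSION>` (placeholder). Replacing `ansible-lint -x305,403,701` with a bare `ansible-lint` moves rule selection into the `.ansible-lint` file added in this compare, which is fine but worth a one-line comment here such as `# rule exclusions are kept in .ansible-lint`. This section's file name is not shown on the page, and the hunk header `-6,7 +6,6` does not match the eight lines printed, so some context lines appear to be missing from the rendering.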

1
.gitignore vendored

@ -2,3 +2,4 @@
__pycache__
site.retry
*.pyc
ff-ansible.code-workspace


@ -3,11 +3,11 @@ Ansible Freifunk Regensburg
## Requirements
The python package netaddr is required on the host running ansible.
The python packages netaddr and passlib are required on the host running ansible.
The vault password must be stored in `.vault_pass`.
The *only* supported distributions to deploy roles on is debian stretch and buster (stretch may be too old for prometheus).
The *only* supported distributions to deploy roles on is debian buster.
## Running Ansible


@ -1,5 +1,6 @@
[defaults]
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
interpreter_python = auto
inventory = ./hosts
library = ./library
nocows = 1


@ -2,6 +2,20 @@
acertmgr_mode: webdir
dnsdist_targets:
- gw11.regensburg.freifunk.net:8053
- gw21.regensburg.freifunk.net:8053
- gw31.regensburg.freifunk.net:8053
- resolver.regensburg.freifunk.net:8053
dns_slaves:
- 195.201.117.207
- 2a01:4f8:1c0c:7dda::1
- 213.166.224.14
- 2a02:958:0:1::e
- 213.166.225.14
- 2a02:958:0:1::1:e
fastd_targets:
- gw11.regensburg.freifunk.net:9281
- gw21.regensburg.freifunk.net:9281
@ -25,21 +39,24 @@ gre_matrix:
- { id: 26, a: gw21, b: gw31 }
# - { id: 33, a: gw22, b: gw31 }
netbox_domain: netbox.ffrgb
netbox_domain: netbox.regensburg.freifunk.net
netbox_dbname: netbox
netbox_dbuser: netbox
netbox_dbpass: "{{ vault_netbox_dbpass }}"
netbox_secret: "{{ vault_netbox_secret }}"
node_targets:
- ns1.regensburg.freifunk.net:9100
- stats.regensburg.freifunk.net:9100
- tiles.regensburg.freifunk.net:9100
- gw11.regensburg.freifunk.net:9100
- gw21.regensburg.freifunk.net:9100
- gw31.regensburg.freifunk.net:9100
- web.regensburg.freifunk.net:9100
- stats.ffrgb:9100
- resolver.regensburg.freifunk.net:9100
- netbox.regensburg.freifunk.net:9100
- unms.ffrgb:9100
- unifi.ffrgb:9100
- tiles.ffrgb:9100
ntp_servers:
- 0.de.pool.ntp.org
@ -47,6 +64,10 @@ ntp_servers:
- 2.de.pool.ntp.org
- 3.de.pool.ntp.org
prometheus_dnsdist_pass: "{{ vault_prometheus_dnsdist_pass }}"
prometheus_node_pass: "{{ vault_prometheus_node_pass }}"
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@ -54,8 +75,17 @@ pve_targets:
- pve01.ffrgb
- pve02.ffrgb
searxng_domain: sx.regensburg.freifunk.net
searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net
site: ffrgb
site_domain: regensburg.freifunk.net
speedtest_domain: speed.regensburg.freifunk.net
speedtest_domains: speed.ffrgb.net speed.regensburg.freifunk.net
speedtest_secret: "{{ vault_speedtest_secret }}"
tileserver_domain: tiles.regensburg.freifunk.net
web_services:
- { id: tiles, domain: tiles.regensburg.freifunk.net }
- { id: uisp, domain: uisp.regensburg.freifunk.net, domains: uisp.ffrgb.net uisp.regensburg.freifunk.net }
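Review bot: The new `dns_slaves` list in the first hunk is six bare addresses with nothing saying which secondary name server each belongs to; if, as the `dns_auth: support dns slaves` commit in this compare suggests, the list becomes a zone-transfer allow list, a stale or mistyped entry either breaks replication or exposes the zone to the wrong host, and nobody can audit it from this file alone. A per-address comment would make that review possible, e.g. `- 195.201.117.207  # <secondary NS / operator>` with the matching v6 entry annotated the same way. Separately, `searxng_domains` and `speedtest_domains` in the last hunk are whitespace-separated strings while every other multi-valued variable in these hunks is a YAML list; unless the consuming template needs the joined form, a list would keep the file consistent. The file is shown in several hunks, so keys between them are not visible here.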


@ -1,134 +1,137 @@
$ANSIBLE_VAULT;1.1;AES256
33336336363031356335646231313439663164663337323062393465653638346538613762323532
3130356238303530316134623963616261663162393061300a653332613538633462353265353965
63653131386233643635343732346336653164303236626666613963353963616634653939623135
3231653165646661300a326563353632613937663137323562663364623133306338346633643832
38613536373436643539623064386566653738316532666166333538656664623966376639363962
63636332636331633762326539653863313233633032663063633136356562353737383365316238
62633432363661613162616230313437306439376265623563343564343532366266616536346432
38376465626236316434613631336465626363663263613232313662336133396434336437656464
34323863643366326633613632636662353232323563616138356537613762666561393133383265
65313162396434396662613131333261643966313366326435373831393338656361643733343837
64316462393361336630623563386336323138653833636464623163343134393033303865326161
33323461333334616333336466636436383764303362396561333830626137333462333564316364
38393437666662346630663137643132626133383965353030663632636237663433383462326165
30376436643137333361383839306537613535653564306164643363643330613031363630633964
62396238396530306431633362343739633230383934373364303733366136633136363761303762
33373165323939343063633965623733363934363330353662623134653438303337636161343132
66393361363838323731303564653834316265333363303662376630333930346534363133363861
62396533666365303065333330363066343238386438636661633233363831343838316131353633
38643764386166656632313938386133366233366130626636323330326466376566613563383561
62383038336566356533643336393430353365623932376161393438653465653962383130363433
34393437343238383634323432633134353664386136633533383463616235326239383966633431
36363532623932326432366330343332376264666537333234333234616638653830363633313465
38343038666336353634633238356662666338646661646265306564633861333461336231313834
64663166356432376564633163303636643963323032393737383537323639616333373133626264
32303466316562666338356235376133653833623936373131373237393334393665306561366636
66623437663334326631353132303030663236393762336639313861663962353363653831373563
62386633306463306634633862326632313063393362353438623437376138363433623934666162
37373662393437363965623162303934333230343962626233366630396531326665383065386161
65663666356431366335633339366637303137353765656638316535613933343237656563663863
65313230616338653030343034663937666134653336383732393538396337326238343761323137
30626138666262666465393036363133356563653437376666376366613635306162653739396531
64613664626663626462343737626266636132313366393861313436383137313765623165333734
35333036633234303733373161626331363333393062613933623931356234363735663165386338
61333961666638326134396431393335633435666135383738376335623135663934356437623062
66323833353065653866613264663262653731373865656363666466303330356563356434343161
34363564363564393132326264626134383630653437626536623166363965306363653539336461
36366538383134376564376665336231663532656464393832346166653462306235666139633265
34663235353765316633333865313439663736323462653232633362633333663539613934346136
31363536303338633333393064366234643762396364356539363966623936663764353161383136
34383432386537646566653964313731623761316161663136386532663332333262313861613932
35356566303364326436306235323463623331613663383031343335323537346530653637663939
34613333323738303731636362323735346561343332376137616339386163346134646566353231
65656264626131306130663761663763336464306563313835633432333761623633666433613830
63356265343839396162363333646630346364643661303331663236306535306465626435326662
62313963663636363366356132616239323632623733656137316663303031356631323235353634
64613035346633313366633138353737303565303434363139616466636163323137346238623562
61333066633833303232333934373039623762323435333261633835356466303564666132656362
62613939323735343163376165653634333834353334663532383866313232663533643138663766
31353138356562386135366130373063306538633465323363313361316438366631366463323730
62393637353931653930303230626665303066646539663338363133613431306532623865343531
64366263653062643334336132336466383563636630323539373336343330616531323962326537
64306535623135396537363735633039636335623561343435613864656330376631613434613866
31393166633361633063323538623361653135306539346366383264336634353633626136663731
35383332373338333935376438346232326236613430306533316561333438383238306666346465
36356235373466303536346363393661393838336331313536383662353438333662366563353038
66383237613132613636356461653037373437336264626539333763643261326239313065336463
34323361613565663336343131613530616462633331653134613431393839303364363831303337
39393732646234383936316637343066633761636231326639663239306231303834306631393933
32323335666262666232363638306562353866353338646234353631323533316532383235336632
33643934343836366631336666643730656137626466666232396535356664313132383838363832
39613664643761653461326234643539643831616537363836656561303562633064613238383233
33616336666462333461343766383063353361313032643230636132343631613636666636666639
38386136656565653439323162363035623665623139326366326431343861393664636664363934
61353761326136346636393261663335383664646531616366363436306461313063646264356561
63393931313266633734616362376630616535396635343363326361653434353631303836326433
64313533646331336338353533643031316638386330626362313938623736316134633062393930
31306332623364393839313761353564313563326462313637663635663661396638373130363866
30326263383730356135663433623138663239363765363664636133653462653262393766363966
37303862363131646236333134366664653061343735303035383663383539353732313935313933
37323461343530306632626631373238333636303135653535626631343862663639306136323363
30343731356434333030303332636637363364643363666136353266383138613066353732326665
32366234373864663333323035306334613937656666396437646335383839663336633364613338
63306635663762373331646535373638343436376431646564666239633631376465623730353935
66383262623838376339373735396131303434616132373832633061616132393931643830633864
37663931613633656339383062336462383661363463323632396636633965373439383938626635
38336330383139653365653664383934663838306531373164626136613338343861353262663431
30653265333065663664646564376466303838373961626436396631356366363832613930346664
34643962363862643732653631333665366134343332313863316164323465383138386262336336
32343365386362346237656361386163323062376232346137336365363731396639346137343735
62633436643265636262376639383635336536353131666661326238653339626666383562323763
63373636636530306461633035616163643962633033363565323164343034633666346133343638
37613463333461373663336630313834316333366466336539333135356338343731636231663530
38623738636534333762376434336336326166373363643864316233343735386234616663636534
32393838623939343536346634633339613837373735353565313138333864383632383533396264
36363430356237636235316631313664336265633333313137373861666333663865393065393531
30386335613531353837363738366232313036343731343566306166646466353164336136393330
65323933613266363739363231663563656437396231316666303437633564613465313937383038
32643465346130323738336364356331663163323236333764653566306664623164626437363465
34333165343034633135336234633765336333623333643632353335656238393863623062623665
39393434643538373633653630353963346132663366656532303764333838336562663735613737
39363865353736663263303565336263643333613238336462313839323738373063393639303531
34633739366531326666633634366230363431303663383432323463643665316136643434343839
66313030623561366431353863633666636262336637636235326434366536393830343433336462
34666631343862346239346434666462613836343161663234646439643562316564666632316665
66376137313231376433333163396564343435303434326235626239336237653332316232343361
30666531393863616132323837333931323534633561626263333534646530623433613633383061
36393361613736393333633166346465363762336232303530393262666366303763303862383632
30336437313339643861663635623334323330653030396432623932613433343836626238373530
35353535366237663865333832356661613635353138356438386333323734386237626532343665
31373061616234633336386661323164663934336464316364343036633336376234656263346530
64333336383861396261316436636638653934643463666263346430366238663663383834313266
65396434313161333532323036336538653830303232343364656365353339623165346164393039
62356561366461643831656466316266616335646163303438353735393830636434386335623632
32623835613262653566306561333835316334613633613138643235343265376238343932363264
65666334633663366338306566346433626431656131393233393661396361366365333733303130
38353435396462636633336238373131386562333063386235366233633030663861316161653362
36306431663639663137313762396338323933663036343130633438326435383934633861343262
39623431326362643833353532336233653664643733323432326466666165373333313266626565
38656465623362323966333238336262323563353038666635666137303064663333363730633335
31306139323831366363346331383834646635316166393334326535323339363038353365353538
31356164656235373536323830333135333931373764636439363135316532613530333734613964
66393233383132623536643664643862336162396630383932383731626233643966636437393461
30356262393661623737653439633336656635323134613336626336343666363138303931323064
36366333393330333365663965646664333561646434306463333135653130646337623035393434
66636261346534653263356230633838633033373566623138626264656236336630373634636430
39633136666565343332663330323937393565643338663433656466323535613064326233626637
63393064363434393634333863363761643433326438336634306438376235393632643332346339
63306437336431613535356138336666613862343437306330393566346332666534646230313265
66663839333730636538343630363933353039343064316330666631646565386438613232383031
63393963333063343437383130356331356162616266383231383535313530393264323232623934
30363861373261303966613361336335356233306530343435313730393166383536323937373666
33613033633530393933333265306265626632663266383834666334336364623864333735343735
35316132636333323566666339333039653862666264353638336336356334393030663733306264
61613661613166366238646264343239393735653437383539343731373266386238323532643739
38643262343666656661356338623035343934383765313939363537393434623965623437363239
61653034656535313937316639663166386432623034383864356465623032353636643737326336
38376436343133643263336435636638356465396566623037633334643863643165663765383161
33653530643836343334643734346335653131366439336139646131396237323862323132616339
35383739633133643864646163616661633032666532663861393638343232323437363263663435
65626561303137353330646162326464666236653633346636333864333366323336613638393365
36396262306266396638613736626637633163343938366130363133303535613131383562393333
63643830666437663931633231336432303561326231366639376130303564663564363766343834
3934
31633832313136353531623833383865383736333164376632363635333439613763643062663632
3736376165623664376436643138653435393239636333370a643363343061303436613238373237
36653730376133363061333536626436363366393335303932663736316631633630323634353531
3734353134396561660a616339303762313430616234383138326438383432646564356662393536
61376161343965656365646238393261356133326131613730343234336139366461333032396531
38653031363934623231336661363233393562383434323633353139336530383432383736353937
65633935373261653134653839353233643439616266613531373938393231643736333436353234
65646665626531323566326561353333666535666430613961666232646632303662343832643661
35373166323439623137383164663838393766326237336234326635383930323365326431343338
61343434363961633532656466653732626135306334303634383235643531396535326536636264
37343930623235363632623963346637363964666664636266373137363037383036633233643130
30323036653637656131623332613463303937323133653064623333396534336661306432323536
38373534303235323230306139663736663430633463663166393033613435616662336335643137
32366439333661313930636234346265306233393966623832613834623263356337356162396335
34353362613163323936613930666339303839393431303461363565623561363034306538396237
38326263303033376435623037653365636362653831623066653263623236613566623962313266
34336233343530366236313131323962666163383035633361333637343732356338626265613338
36643663336161663636343864623864323735613838373562376431643338346662393731373833
38313839393433626630363635323232373534303437656561316231653536306264386331333666
36323330626164363730643337623262303335333438303432373465343235303836366362383336
39666631363362383338616536666432373738336131653765353635373365623030393365636630
38303033306664356162316262346434343239646230663062643566336132613535393835366236
66306435653364323335623665316264646631383066373837653536316135316130393766356162
33326431643162383539323161626163316532373831386334643761636630616162666236613766
38633738333331616336363736396635306630363561613966656538633432363661313432373731
39303764303362336536396130613637653530376437333336613465643539396330623261356534
64633761643065313038656261326638343032353832376262653135663162353434323936353862
31663738353965303963353962626534303333303037336431373631396635363938326133336330
63353333616664663934636433653434626162323064653430666565613061623239613561643838
66356662303137383639336432633432636235306165306339623632316134306431376163616465
32636132656232303162333238393837383731633931363865356634643736326139313638333230
39316662306432333333333266333234646539646532316536383932666435366136346138626136
64373362366239633964616638363666656564323436636432663937666565653436613465366461
65376562303639363332636532386535386365656636346365333330386132383637636239653730
63333361303037393936653064336439653932373739336564333132303639343835376633666631
66613138343730636563626131623437343232303964626562633332303761626331383662373531
39663463656361303236666661356564373432333062303363313532333938633337363536343930
37376464393438613564653465353037313536626466643131336133336161316437316433663032
62633465613634373238383937643037346336336135353230386538353933616436646534366435
31323363666266373662626362663164653863326239303462363739383730643962333230343733
37393831383666393064626437323861353739363762346330666436356466316464393838366133
34653131653838643063396633346132336439393132353661373063623865643465306238326538
63313366386263623333636636376637383536353663643266653431626365666139393764663633
62366234376231393261646366383733633565303433353631343239313362646161663433653632
61303231616366386435666232353531306331613638633531613364663130643433336232633164
64373131303135316135376339353366313635653466663765323931616232333539333639623033
39626233316430303062336234623966376564386365613265363866666636626435306664336636
39346139316331306333666332393631306433623365303064383831643864336634303737633434
39303364633530343531373964353335333832636433313865303765393665633838316531343035
34666237353834613337353063666333353764666431376235393534613534363163333732373061
36663537363938373235326537326139366562656264393930653630383332383466333435386233
32613737303431333537326264343065306361653562633064393762643161313666663262313236
65386430306432653563623666646439376163383433653561333461383933383835373563396137
62383861393963313534616437663465333834663235356439363735633133623365383839613037
34303465363033313739373631363261313130616663336662346132653239313562386664353432
64373961663563393362303166633630343665663437373562613461343266646332313963653965
39363632313864343437333038623364323161376237386333616636303364373964343464643330
31613431313562353862306236623233636264653635643264333364336533623036356530343465
33366131333365393333373062623666663065316666363736633562363934336534313464353239
30666365303330363962653731626266376433666135333435313236386163653336386134633630
65336335346539666431643036636663643936326635636438636438646230353962646335396461
64623238343632346265376537323462316162633437633463656235626366666235653231303736
34316166363139336536396631663435386434396336346331663333353338353466346433393062
31343662316464356663356539303934633336613335373732353165366266303837303364616537
31356135313732633232343362663932656363633162623539323938643239383333306638346236
36666564323336346234313239656463626138313364656637353434303266613232353334666539
34666437356531393933656338373834303130663132303433376338643833643236333639663530
32653536643035303536353431623463353762393539363634636566396134353362633038333831
33633632666331666665373664633138323536633264653339663463326236343862656563323835
66633038346237356638646133626239336233633261626464626238636363666431646661366337
32396137303664363734666238346636653531666461306335343636303861653533356266643833
39633939666534663033336462336633636264336133633630366166356163306539613830636432
66326661646430366332363530333338373136656234613030616338383531313138666435313562
33346262353934636564613730396536333731653036303333343039393534643837663234346234
30303032623565316234343834303061303333346539636138343334663131646463363863663062
31343432383238623733346563323533636466346538616334646338366465356165613434623730
37323930623539353764643939643963353238646230396337633362363664613431303032656639
38613961633439613837636531653163383633373263343235303766613736616636613066316463
63346337383864363562373562643636343764626433383634643064313831373833356132393737
39356534623536373066663933356535356532636332343661333166663433666433363661343861
63393734656534363761313862613364616161303735323563656265323362313061343332346238
35353534663137653466396432353437333739363631373332316165663964653335363034636131
33363933333764306265306161336165306234616161313466393233363431363061633730653437
65313636366162303763663530386239343833626139643439306161623066313638323361353831
63323531353939356337613865663737373661343362353362326637666666383535633030626163
36386464326134333965623262356532353161316533626331623266623630383331313037376365
37353164306433633563386436653235616661366639343035306533643732326232366537633635
33306338386561353564643537353736663434663931343263333764633961666464373461346335
65323462313761653361343236326632393835613538616436666534363366626637376262326462
32366530383439646137383737303634613136396135633136316233326230323466383932616630
66316561333961346130306531623936376636646330373237623034633135303630353566333037
34656233316663656661623731633034643332336631356436653134366162396336643331623135
65646466633236393036383639623066663963653431343836626664383431363663653535383565
64333432343561623633316232623864386161376163333238623066636533353330336566313835
66653265346331393238343862353162383234303334626261643065656637386434636564663665
63616339663261616534376661393837343335373638366264323732353032363731376332653936
64393262346230636366336133616366646533373530356235316561643232333664343462386539
38396665626131646234613466396334346431316638333436633637353836313933656134383031
38633838323163383536323735626132323565643136663030643436303363333264373061663430
65613836313531636264633333346331343038373466653231613830383435386364636237303965
65663635633732663636333764623133373864356363313535333136613039313035663633386338
61343930323665616464643235396232393134373537616635663231343763346434626665393966
31613835666563333261373533316364346538393438636636633862353431333030623933663130
31626337303733373034666562363064373936656435636637356365386363346664306134376339
37383335646339636265656134383432396438383732303066396636373834373037663062336335
61346438636134333763346265653766396165626365633237373466346438363330633562353731
61313630373137303131326134613264356462333363643463643861666239623937636535336536
30313234623936316439643164316139386366336630616266653338383337653561656337343837
66613234363738306235316632316666376231306561653865353636373835646263393932316134
30313433613664306533386133376232323737633934396135626532323830346336353631383539
38666264343962646237313332396535643863393535303437346262613861646663303037333736
63326534313964613663376635306162653639623735633139326161323232653462343063383036
39616233613664626161663131383366663435626432626663623638646163666535316461383531
39663130646564373563323965386331353036366230343635363266323864623633663333656561
33353131623065623839396634653735396262656261323963363261643761373137616232666665
39643835383034383439393638363438633931323437613365643935383766333535643537633633
63633133303166326432613932396331356263626166343436386463376537656231656438313563
30653664383935383161303865363338393933363334653631616432643037626433356561636634
34316436383462386331393231633161383362666532363561326631613137656464306262313034
35636334623861323836326265396664373461313034343231316261616330313938333263666665
39616163346632623764666337313561626233636363343036363331663932616530346230653663
62373661306566373638383962356563323430613262326534663663383162396263306335613462
39326162663161663264626437353064306238646664376666336534326263313061393133373636
33346161376136636536393264363332633561373037326566313137366265383635376366343036
30613763633264303536396535303236353138393032336461666131356464343930656665326535
64393130376166383538353866323265303562326239626233636237626664346631646264386439
65383730333534656361366438316536613138303334343665396438336164663064373838323534
64626631363131663462303131333735633337653335623939383264363163633765326438313965
32623662383464316133623538616139623433336435316166346336663761343536393662393733
35333938383137383863653966363837366639303634616239643235653932643132323033373238
38323734353563383133333538316236393162636237313061363663303764343533626466373137
32656561383633633166386437653361313363666334636639353833323461663030313736613831
30613832306137323637653330306637323530613935333263373338346430393265333839636566
39336662326637363038653734323230626234346433313830656264633732666430663265383031
65313864386637303563636239646633393335616231613531633762326430633231343264363236
32346662623562356432


@ -3,13 +3,22 @@
batman_ipv4: 10.90.32.11/19
batman_ipv6: fdef:f10f:1337:cafe::11/64
batman_algo: BATMAN_IV
global_ipv6: 2a00:9d80:6000:0101::11/64
global_ipv6: 2001:678:ddc:11::11/64
nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010
gateway_id: 11
site_code: ffrgb_cty
nat_pool: 194.156.22.12-194.156.22.13
ntp_server: true
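Review bot: gw11 and gw12 both take their WireGuard key from the same vault variable (`mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"` in both host_vars) and also share `mesh_wg_port: 20010` and `vx_wg_vni: 3665730`; the uml pair gw21/gw22 does the same with `vault_mesh_wg_privkey_uml`. If this is deliberate because the two gateways present one mesh endpoint, a comment such as `# shared with gw12: both cty gateways use the same WireGuard identity` next to the key would make that explicit; if not, a per-host key keeps a compromise of one gateway from exposing the tunnels of the other. The new `nat_pool: 194.156.22.12-194.156.22.13` carries no note on its format, so a comment saying whether the role reads it as an inclusive start-end range would help the next person editing gw21/gw31.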


@ -8,8 +8,15 @@ nextnode4: 10.90.32.1
nextnode6: fdef:f10f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3665730
mesh_wg_port: 20010
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
fastd_port: 10010
gateway_id: 12
site_code: ffrgb_cty
ntp_server: true


@ -3,13 +3,22 @@
batman_ipv4: 10.90.64.21/19
batman_ipv6: fdef:f20f:1337:cafe::21/64
batman_algo: BATMAN_IV
global_ipv6: 2a00:9d80:6000:0102::21/64
global_ipv6: 2001:678:ddc:21::21/64
nextnode4: 10.90.64.1
nextnode6: fdef:f20f:1337:cafe::1
mtu: 1312
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
fastd_port: 10020
gateway_id: 21
site_code: ffrgb_uml
nat_pool: 194.156.22.22-194.156.22.23
ntp_server: true


@ -10,6 +10,13 @@ mtu: 1312
fastd_port: 10020
vx_wg_vni: 11781694
mesh_wg_port: 20020
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
gateway_id: 22
site_code: ffrgb_uml
ntp_server: true


@ -3,13 +3,22 @@
batman_ipv4: 10.90.96.31/19
batman_ipv6: fdef:f30f:1337:cafe::31/64
batman_algo: BATMAN_IV
global_ipv6: 2a00:9d80:6000:0103::31/64
global_ipv6: 2001:678:ddc:31::31/64
nextnode4: 10.90.96.1
nextnode6: fdef:f30f:1337:cafe::1
mtu: 1312
vx_wg_vni: 3120917
mesh_wg_port: 20030
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_tst }}"
fastd_port: 10030
gateway_id: 31
site_code: ffrgb_tst
nat_pool: 194.156.22.32-194.156.22.33
ntp_server: true


@ -0,0 +1,3 @@
---
acertmgr_mode: standalone


@ -0,0 +1,31 @@
---
grafana_rendering: True
# yanic needs this
site_code: ffrgb_cty
yanic_publisher: true
yanic_repondd_enable: false
yanic_respondd_interface: ens18
yanic_respondd_ip: true
yanic_nodes_prune_after: 60d
yanic_nodes_offline_after: 5m
yanic_meshviewer_enable: false
yanic_nodelist_enable: true
yanic_database_delete_after: 720d
yanic_dbc_repondd_enable: false
yanic_influxdb:
- enable: true
host: http://127.0.0.1:8086
database: ffrgb
username: "admin"
password: "{{ vault_yanic_influx_pw }}"
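Review bot: `yanic_repondd_enable` and `yanic_dbc_repondd_enable` are spelled differently from `yanic_respondd_interface` and `yanic_respondd_ip` in the same new file; unless the yanic role defines its defaults under the `repondd` spelling, these two settings are silently ignored and the role defaults apply instead. Aligning them (`yanic_respondd_enable: false`, `yanic_dbc_respondd_enable: false`) or confirming the names against the role's defaults avoids that. The InfluxDB credentials combine a fixed `username: "admin"` with a vaulted password; if the role supports it, a dedicated write-only user for yanic would be the least-privilege choice, and if not, a one-line comment saying why the admin account is used would keep that from being revisited.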

9
hosts

@ -2,9 +2,12 @@
gw11.regensburg.freifunk.net
gw21.regensburg.freifunk.net
gw31.regensburg.freifunk.net
netbox.regensburg.freifunk.net
ns1.regensburg.freifunk.net
resolver.regensburg.freifunk.net
stats.regensburg.freifunk.net
sx.regensburg.freifunk.net
tiles.regensburg.freifunk.net
web.regensburg.freifunk.net
stats.ffrgb ansible_host=10.90.224.100
unms.ffrgb ansible_host=10.90.224.101
unifi.ffrgb ansible_host=10.90.224.102
tiles.ffrgb ansible_host=10.90.224.103
netbox.ffrgb ansible_host=10.90.224.104


@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
EXAMPLES = '''
# Generates a fastd key
@ -23,7 +23,7 @@ if __name__ == '__main__':
# create file with restrictive permissions
with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
# generate fastd secret
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode()
handle.write('secret "%s";\n' % secret)
changed = True
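Review bot: The key file is opened with `os.O_WRONLY | os.O_CREAT` and mode `0o600`, and that mode only takes effect when the file is created: if `path` already exists with wider permissions, the freshly generated secret is written into it as-is, and without `O_TRUNC` a longer pre-existing file keeps its tail after the new `secret "...";` line. If the code before this hunk already skips existing files, a comment on the `os.open` line saying so would make that clear; otherwise `os.O_WRONLY | os.O_CREAT | os.O_EXCL` states the create-or-fail intent and lets the caller surface the collision. The enclosing `__main__` block starts outside the hunk.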


@ -1,7 +1,7 @@
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...". A
// Lines below have the format "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
@ -19,50 +19,73 @@
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "jessie")
// ${distro_codename} Installed codename (eg, "buster")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// "o=Debian,n=jessie";
// "o=Debian,n=jessie-updates";
// "o=Debian,n=jessie-proposed-updates";
// "o=Debian,n=jessie,l=Debian-Security";
// Software will be the latest available for the named release,
// but the Debian release itself will not be automatically upgraded.
"origin=Debian,codename=${distro_codename}-updates";
// "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
"origin=Debian,codename=${distro_codename}";
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};
// List of packages to not update (regexp are supported)
// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
// The following matches all packages starting with linux-
// "linux-";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "true";
//Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "false";
// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
@ -70,11 +93,20 @@ Unattended-Upgrade::InstallOnShutdown "false";
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";
// Do automatic removal of new unused dependencies after the upgrade
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
@ -82,7 +114,8 @@ Unattended-Upgrade::Remove-Unused-Dependencies "true";
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in.
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
@ -92,10 +125,40 @@ Unattended-Upgrade::Automatic-Reboot "false";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
Acquire::http::Dl-Limit "200";
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";
// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";


@ -8,6 +8,7 @@
name:
- apt-transport-https
- debian-goodies
- gnupg2
- lsof
- unattended-upgrades


@ -8,4 +8,4 @@
- { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
- { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
- { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 8192 }
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 32768 }



@ -1,7 +1,13 @@
---
- name: Restart chrony
service: name=chrony state=restarted
- name: Restart journald
service: name=systemd-journald state=restarted
- name: update-grub
command: update-grub
- name: update-initramfs
command: update-initramfs -u -k all


@ -0,0 +1,79 @@
---
- name: Install misc software
apt:
name:
- ca-certificates
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- wget
- zsh
- fail2ban
- name: Install software on KVM VMs
apt:
name:
- acpid
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- name: Set shell for root user
user: name=root shell=/bin/zsh
- name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
notify: update-initramfs
- name: Enable serial console on KVM VMs
lineinfile:
path: "/etc/default/grub"
state: "present"
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
notify: update-grub
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
- name: Configure journald retention
lineinfile:
path: "/etc/systemd/journald.conf"
state: "present"
regexp: "^#?MaxRetentionSec=.*"
line: "MaxRetentionSec=7day"
notify: Restart journald
- name: Set logrotate.conf to daily
replace:
path: "/etc/logrotate.conf"
regexp: "(?:weekly|monthly)"
replace: "daily"
- name: Set logrotate.conf rotation to 7
replace:
path: "/etc/logrotate.conf"
regexp: "rotate [0-9]+"
replace: "rotate 7"
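Review bot: The `Prevent normal users from running su` task writes `auth required pam_wheel.so` without a `group=` option, so which accounts may still use su depends on pam_wheel's defaults (per its man page: the `wheel` group, falling back to GID 0 when no such group exists), and nothing in this role creates a wheel group, so the effective policy is implicit. Stating it avoids silently admitting or locking out the wrong users: `line: "auth required pam_wheel.so group=sudo"` (or whichever admin group the keys in group_vars map to; the existing regexp already matches Debian's commented-out default line). fail2ban is installed by the first task but no jail is configured or enabled here, so a comment should say whether the package's default sshd jail is what is relied on.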


@ -0,0 +1,25 @@
---
- name: Install misc software
apt:
name:
- dnsutils
- htop
- ipmitool
- less
- rsync
- vim-nox
- wget
- zsh
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- name: Set shell for root user
user: name=root shell=/bin/zsh


@ -0,0 +1,11 @@
---
- name: Install chrony
apt: name=chrony
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony
- name: Start chrony
service: name=chrony state=started enabled=yes


@ -1,75 +1,21 @@
---
- name: Install misc software
apt: name={{ item }}
with_items:
- dnsutils
- git
- htop
- less
- mtr-tiny
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim-nox
- zsh
- fail2ban
- name: Cleanup
apt: autoclean=yes
when: ansible_os_family == "Debian"
- name: Install software on KVM VMs
apt: name={{ item }}
with_items:
- acpid
- qemu-guest-agent
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
- name: Gather package facts
package_facts:
manager: apt
when: ansible_os_family == "Debian"
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Proxmox
include: Proxmox.yml
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
- name: Set shell for root user
user: name=root shell=/bin/zsh
- name: Debian
include: Debian.yml
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
- name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
notify: update-initramfs
- name: use new-style network interface names
file: path=/etc/systemd/network/{{ item }} state=absent
with_items:
- 50-virtio-kernel-names.link
- 99-default.link
notify: update-initramfs
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: '^.*auth\s+required\s+pam_wheel.so$'
line: 'auth required pam_wheel.so'
- name: Configure journald retention
lineinfile:
path: "/etc/systemd/journald.conf"
state: "present"
regexp: "^#?MaxRetentionSec=.*"
line: "MaxRetentionSec=7day"
notify: Restart journald
- name: Set logrotate.conf to daily
replace:
path: "/etc/logrotate.conf"
regexp: "(?:weekly|monthly)"
replace: "daily"
- name: Set logrotate.conf rotation to 7
replace:
path: "/etc/logrotate.conf"
regexp: "rotate [0-9]+"
replace: "rotate 7"
- name: Setup chrony
include: chrony.yml
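Review bot: The new `include: Proxmox.yml`, `include: Debian.yml` and `include: chrony.yml` tasks use the bare `include` action, which has been deprecated since Ansible 2.4 and, as far as I know, is removed in ansible-core 2.16, so this file will stop loading on a current controller. The explicit form keeps the behaviour: `include_tasks: Proxmox.yml` (the `when:` is then evaluated once, on the include) or `import_tasks: Proxmox.yml` (the `when:` is copied onto every imported task). Both `when:` conditions read `ansible_facts.packages`, which only exists after the preceding `package_facts` task, so that ordering must survive any further reshuffle.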


@ -0,0 +1,53 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
{% if ntp_server is defined and ntp_server is true %}
allow 10.90.0.0/16
allow 2001:678:ddc::/48
{% endif -%}
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys
# This directive specify the file into which chronyd will store the rate
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Log files location.
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC
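Review bot: The `peer {{ peer }}` lines carry no `key` option, so the symmetric associations between gateways are unauthenticated; as far as I recall chrony's documentation advises authenticating peers (or using `server` instead), because an unauthenticated peer can be impersonated to push bad time into the other side, whereas the `server` lines only trust the configured upstreams. If the peers are this infrastructure's own hosts, a shared key in `/etc/chrony/chrony.keys` (already referenced by `keyfile`) and `peer {{ peer }} key 1` closes that, otherwise drop the `peer` block. `ntsdumpdir` is set but no `server` line uses `nts`, so that directive is currently inert; either add `nts` to upstreams that support it or remove the line so nobody assumes NTS is in use.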


@ -2,5 +2,5 @@
dhcpd_interfaces: br-{{ site_code }}
dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
name_server: "{{ batman_ipv4 | ipaddr('address') }}"


@ -2,7 +2,7 @@
# option definitions common to all supported networks...
option domain-name "{{ site_domain }}";
option domain-name-servers {{nextnode4}}, {{ name_server }};
option domain-name-servers {{ nextnode4 }}, {{ name_server }};
local-address {{ batman_ipv4 | ipaddr('address') }};


@ -1,28 +0,0 @@
---
- name: Install powerdns
apt: name={{ item }}
with_items:
- pdns-backend-bind
- pdns-recursor
- pdns-server
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
- name: Configure powerdns
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
tags: dns
notify: Restart powerdns
with_items:
- bind/ffrgb.zone
- bind/90.10.in-addr.arpa.zone
- bindbackend.conf
- pdns.conf
- recursor.conf
- name: Start the powerdns services
service: name={{ item }} state=started enabled=yes
with_items:
- pdns
- pdns-recursor


@ -0,0 +1,4 @@
---
- name: Restart powerdns
service: name=pdns state=restarted


@ -0,0 +1,22 @@
---
- name: Install powerdns
apt:
name:
- pdns-server
- pdns-backend-sqlite3
- sqlite3
- name: Configure powerdns
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
notify: Restart powerdns
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/powerdns.sqlite3
creates: /var/lib/powerdns/powerdns.sqlite3
- name: Start the powerdns services
service: name=pdns state=started enabled=yes
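Review bot: The `Initialize database` task creates `/var/lib/powerdns/powerdns.sqlite3` as root under root's umask, while `pdns.conf.j2` sets `master=yes`, and a primary needs write access to the database to maintain `notified_serial`; if the Debian unit runs pdns as the `pdns` user (its packaged default `setuid=pdns`), writes will fail and NOTIFY bookkeeping breaks. Add a follow-up `file:` task with `owner: pdns`, `group: pdns`, `mode: "0640"` on the database (and the containing directory), the way the `certs.j2` templates on this page do for dnsdist's key. Also, `sqlite3 -init <schema> <db>` with no SQL argument enters the interactive shell and only exits because Ansible's stdin is closed; `sqlite3 /var/lib/powerdns/powerdns.sqlite3 ".read /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql"` is the non-interactive form and fails loudly if the schema file is missing or compressed on a minimised image.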


@ -0,0 +1,35 @@
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
# allow-axfr-ips=127.0.0.0/8,::1
allow-axfr-ips=127.0.0.1,::1,{{ dns_slaves | join(',') }}
#################################
# dname-processing If we should support DNAME records
#
# dname-processing=no
dname-processing=yes
#################################
# launch Which backends to launch and order to query them in
#
# launch=
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
#################################
# master Act as a master
#
# master=no
master=yes
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
only-notify=
# security-poll-suffix Domain name from which to query security update notifications
#
security-poll-suffix=
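Review bot: `only-notify=` is set to the empty string while `master=yes`; according to the PowerDNS docs an empty `only-notify` disables NOTIFY entirely, so the hosts in `dns_slaves` will only learn about zone changes on SOA refresh rather than immediately. If that is not intended, either leave the default or mirror the transfer list: `only-notify={{ dns_slaves | join(',') }}`. The `allow-axfr-ips` line also renders a trailing comma (`127.0.0.1,::1,`) when `dns_slaves` is empty, which pdns may reject at startup; `{% if dns_slaves %},{{ dns_slaves | join(',') }}{% endif %}` keeps the template valid for a standalone primary. `local-address` is never set, so the authoritative server listens on every interface by default — acceptable if that is how the secondaries reach it, but worth a comment.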


@ -0,0 +1,10 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns
service: name=pdns-recursor state=restarted
- name: Restart dnsdist
service: name=dnsdist state=restarted


@ -0,0 +1,4 @@
---
dependencies:
- { role: acertmgr }


@ -0,0 +1,35 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-recursor
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Configure powerdns
template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
notify: Restart powerdns
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns-recursor
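Review bot: The `Ensure certificates are available` task runs `openssl req -keyout` as root, which writes the private key root-owned with mode 0600, so if dnsdist runs as `_dnsdist` from the start (as Debian's unit does) the `addTLSLocal` listeners cannot open `/etc/dnsdist/{{ ansible_fqdn }}.key` and dnsdist fails on first boot; the acertmgr config only fixes ownership once a real certificate has been issued. Add a `file:` task right after the openssl command that sets `owner: _dnsdist`, `group: _dnsdist`, `mode: "0400"` on both the `.key` and `.crt`, matching what `certs.j2` applies later.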


@ -0,0 +1,15 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'


@ -0,0 +1,24 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')
addLocal('{{ ansible_default_ipv6.address }}')
setACL({'0.0.0.0/0', '::/0'})
addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')
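Review bot: `setACL({'0.0.0.0/0', '::/0'})` together with `addLocal` on the host's default public addresses makes this an open recursive resolver reachable from anywhere; the `MaxQPSIPRule(10)` → `TCAction` rule does limit UDP reflection per source, but whether unrestricted public recursion is intended should be stated in a comment, and if not, the ACL should be narrowed to the prefixes used elsewhere on this page (`10.90.0.0/16`, `2001:678:ddc::/48`). The five-argument `webserver(addr, password, apiKey, {}, acl)` form is the legacy signature — as far as I recall current dnsdist releases replace it with `webserver('0.0.0.0:8053')` plus `setWebserverConfig({password=..., apiKey=..., acl='194.156.22.3, 2001:678:ddc::3'})` — and reusing `prometheus_dnsdist_pass` as the API key gives the scraper the full API, which can also change the ACL via `config/allow-from`; use a distinct key or omit `apiKey` if only `/metrics` is needed. Rendering `ansible_default_ipv6.address` will fail on a host without a default IPv6 route, so a `{% if ansible_default_ipv6.address is defined %}` guard keeps the role deployable there.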


@ -0,0 +1,53 @@
# {{ ansible_managed }}
#################################
# allow-from If set, only allow these comma separated netmasks to recurse
#
#allow-from=127.0.0.0/8
#################################
# config-dir Location of configuration directory (recursor.conf)
#
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
#
# dnssec=process-no-validate
dnssec=off
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1
#################################
# local-port port to listen on
#
local-port=5353
#################################
# query-local-address Source IP address for sending queries
#
query-local-address=::,0.0.0.0
#################################
# quiet Suppress logging of questions and answers
#
quiet=yes
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix=
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns
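Review bot: `dnssec=off` turns DNSSEC handling off completely, so the recursor drops RRSIG/DNSKEY data even for clients that set the DO bit and nothing behind this resolver — including the DoT listeners dnsdist exposes on the public address — can validate; the packaged default `process-no-validate` at least passes the records through, and `validate` has the recursor reject forged answers itself. Unless there is an operational reason (broken upstream zones, CPU budget) that belongs in a comment next to the setting, `dnssec=validate` — with `log-fail` as a first step — is the safer choice for a public recursor. `allow-from` is left at its default; since dnsdist is the only client via `127.0.0.1:5353`, `allow-from=127.0.0.0/8,::1/128` makes that explicit and keeps the recursor from answering other sources if `local-address` is ever widened.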


@ -1,7 +1,13 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart powerdns
service: name={{ item }} state=restarted
with_items:
- pdns
- pdns-recursor
- name: Restart dnsdist
service: name=dnsdist state=restarted


@ -0,0 +1,47 @@
---
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-backend-bind
- pdns-recursor
- pdns-server
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
notify: Restart dnsdist
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
notify: Run acertmgr
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
- name: Configure powerdns
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
notify: Restart powerdns
with_items:
- bind/ffrgb.zone
- bind/90.10.in-addr.arpa.zone
- bindbackend.conf
- pdns.conf
- recursor.conf
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the dns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns
- pdns-recursor
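Review bot: As in the `dns_recursor` role, the self-signed key written here by `openssl req -keyout` is root-owned and mode 0600, so a dnsdist started as `_dnsdist` (Debian's unit) cannot open it for the `addTLSLocal` listeners until acertmgr has replaced it; add a `file:` task with `owner: _dnsdist`, `group: _dnsdist`, `mode: "0400"` for `/etc/dnsdist/{{ ansible_fqdn }}.key` and `.crt` directly after the openssl command. The `Restart powerdns` handler this task list notifies restarts both `pdns` and `pdns-recursor` for any of the five templates, so a zone-file-only change also flushes the recursor cache; splitting the handler per service would avoid that.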


@ -0,0 +1,15 @@
---
{{ ansible_fqdn }}:
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
user: _dnsdist
group: _dnsdist
perm: '400'
format: crt,ca
action: '/usr/sbin/service dnsdist restart'
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
user: _dnsdist
group: _dnsdist
perm: '400'
format: key
action: '/usr/sbin/service dnsdist restart'


@ -0,0 +1,20 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ batman_ipv4 | ipaddr('address') }}')
addLocal('{{ batman_ipv6 | ipaddr('address') }}')
newServer({address='127.0.0.1:5353', name='localhost'})
addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
-- HTTP Endpoint for Prometheus
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
-- disable security status polling via DNS
setSecurityPollSuffix('')
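Review bot: This template never calls `setACL`, so dnsdist falls back to its built-in ACL (loopback, RFC1918, CGNAT, link-local and ULA ranges); the IPv4 listener on `batman_ipv4` (10.90.0.0/16 elsewhere on this page) is covered, but if mesh clients reach the IPv6 listener from global addresses — such as the `2001:678:ddc::/48` prefix that `chrony.conf.j2` allows — their queries are silently refused. Make the intent explicit, e.g. `setACL({'127.0.0.0/8', '::1/128', '10.90.0.0/16', '2001:678:ddc::/48'})` adjusted to the real mesh prefixes, rather than relying on the default. The same remark as for the recursor role applies to the legacy five-argument `webserver(...)` call, which current dnsdist releases replace with `setWebserverConfig`.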


@ -12,12 +12,6 @@ launch=bind
# local-address=0.0.0.0
local-address=127.0.0.1
#################################
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
#


@ -25,19 +25,17 @@ forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}
local-address=127.0.0.1
#################################
# local-port port to listen on
#
local-port=53
local-port=5353
#################################
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
# query-local-address Source IP address for sending queries
#
{% if global_ipv6 is defined %}
query-local-address6={{ global_ipv6 | ipaddr('address') }}
{% endif %}
query-local-address=::,0.0.0.0
#################################
# quiet Suppress logging of questions and answers


@ -1,17 +1,10 @@
---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian buster stable'
filename: docker
- name: Install docker
apt:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- python-docker
- docker.io
- python3-docker
- name: Enable docker
service: name=docker state=started enabled=yes


@ -1,4 +0,0 @@
---
conntrack_max: 131072
fastd_instances: 3


@ -0,0 +1,5 @@
---
conntrack_max: 131072
fastd_instances: 3
nat_pool: "{{ ansible_default_ipv4.address }}"


@ -4,12 +4,14 @@
:INPUT ACCEPT [1:136]
:OUTPUT ACCEPT [2:472]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }}
COMMIT
*filter
:INPUT ACCEPT [1124:131621]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [1151:175226]
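Review bot: The new `-j SNAT --to-source {{ nat_pool }}` rule keeps no `-s` match, so it rewrites every packet leaving `{{ ansible_default_ipv4.interface }}`, including the gateway's own management and DNS traffic; with the `MASQUERADE` it replaces that was harmless, but once `nat_pool` is a dedicated NAT IP (as the `gw11`/`gw21` host_vars commit on this page suggests) host-originated connections will appear from that address and their return traffic must be accepted on it. Restricting the rule to mesh sources, e.g. `-A POSTROUTING -s <mesh prefix> -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }}`, keeps the host's own traffic on its primary address. The added wg loop-detection rules mirror the fastd ones and look correct.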


@ -1,9 +1,13 @@
# {{ ansible_managed }}
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -m limit --limit 200/sec -j ACCEPT
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -j DROP
COMMIT


@ -11,7 +11,6 @@ interface "vpn-{{ site_code }}{{ item }}";
method "null";
method "salsa2012+umac";
method "xsalsa20-poly1305";
secure handshakes yes;


@ -1,4 +1,4 @@
---
dependencies:
- { role: git }
- { role: go }


@ -1,7 +0,0 @@
---
- name: Install git
apt: name=git
- name: Install ca-certificates
apt: name=ca-certificates


@ -0,0 +1,3 @@
---
grafana_rendering: False


@ -1,10 +1,38 @@
---
- name: Enable grafana apt-key
apt_key: url='https://packages.grafana.com/gpg.key'
- name: Retrieve Grafana Key and avoid apt_key
block:
- name: grafana |no apt key
ansible.builtin.get_url:
url: https://apt.grafana.com/gpg.key
dest: /usr/share/keyrings/grafana.key
- name: Enable grafana repository
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
- name: Install grafana
apt: name=grafana
- name: Install grafana rendering dependencies
apt:
name:
- libxdamage1
- libxext6
- libxi6
- libxtst6
- libnss3
- libnss3
- libcups2
- libxss1
- libxrandr2
- libasound2
- libatk1.0-0
- libatk-bridge2.0-0
- libpangocairo-1.0-0
- libpango-1.0-0
- libcairo2
- libatspi2.0-0
- libgtk3.0-cil
- libgdk3.0-cil
- libx11-xcb-dev
when: grafana_rendering
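Review bot: The `grafana |no apt key` task downloads the signing key with `get_url` but, unlike the InfluxDB task on this page, verifies nothing about it — no `checksum:` — and the file is then trusted for the repository via `signed-by`, so a compromised mirror or intercepted download goes unnoticed at install time. Pin it the same way, `checksum: "sha256:<digest of apt.grafana.com/gpg.key>"`, and set `mode: "0644"` so root's umask cannot leave the keyring unreadable to apt. The rendering dependency list also repeats `libnss3` twice, and `libgtk3.0-cil`/`libgdk3.0-cil` are the Mono bindings rather than the `libgtk-3-0` library a Chromium-based renderer typically needs — worth checking against the renderer's documented dependencies.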


@ -0,0 +1,23 @@
---
- name: Import Influxdb GPG siging key with store
ansible.builtin.get_url:
url: "https://repos.influxdata.com/influxdata-archive_compat.key"
dest: /etc/apt/trusted.gpg.d/influxdb.key
checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
- name: Convert key
ansible.builtin.command:
argv:
- gpg
- --dearmor
- /etc/apt/trusted.gpg.d/influxdb.key
creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
- name: Enable InfluxDB repository
ansible.builtin.apt_repository:
repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
state: present
- name: Install influxdb
apt: name=influxdb
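Review bot: The dearmored `influxdb.key.gpg` is written into `/etc/apt/trusted.gpg.d/`, and every `.gpg`/`.asc` keyring in that directory is trusted by apt for *all* repositories, so the `signed-by=` scoping on the repository line is defeated — the InfluxData key could also sign packages for Debian's own sources. Move both files out of the global trust store, e.g. `dest: /usr/share/keyrings/influxdb.key` and `signed-by=/usr/share/keyrings/influxdb.key.gpg`, matching the Grafana task, so the key is only consulted for this repository. The `checksum:` pin on the download is the right idea; it needs updating whenever the vendor rotates the key, which a comment should say.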


@ -1,8 +1,9 @@
[Unit]
Description=ifupdown2 networking initialization
Description=Network initialization
Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
DefaultDependencies=no
Before=network.target shutdown.target network-online.target
After=local-fs.target network-pre.target
Before=shutdown.target network.target network-online.target
Conflicts=shutdown.target
[Service]
@ -10,6 +11,7 @@ Type=oneshot
RemainAfterExit=yes
SyslogIdentifier=networking
TimeoutStopSec=30s
EnvironmentFile=/etc/default/networking
ExecStart=/usr/share/ifupdown2/sbin/start-networking start
ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
ExecReload=/usr/share/ifupdown2/sbin/start-networking reload
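Review bot: `EnvironmentFile=/etc/default/networking` has no `-` prefix, so systemd refuses to start the unit when that file is absent, which on a freshly built host means no networking at all until someone creates it; Debian's packaged unit uses `EnvironmentFile=-/etc/default/networking` for that reason. Unless the role also installs that file (not visible on this page), make it optional with the leading `-`. The rest of the unit lies outside these two hunks.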


@ -1,10 +1,13 @@
---
- name: Install dependencies
apt: name=python-pkg-resources
apt:
name:
- bridge-utils
# work-around to get a version new enough not to screw up forwarding setting on all interfaces
- name: Install ifupdown2
apt: name=ifupdown2 state=latest
apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb
- name: Uninstall ifupdown
apt: name=ifupdown state=absent
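Review bot: `apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb` installs a package as root from a personal `tmp/` path over plain HTTP with no checksum and no apt signature, so whoever can alter that path or the connection controls the component that owns the hosts' network configuration. At minimum fetch it with `get_url` over HTTPS plus `checksum: "sha256:…"` and then `apt: deb=/var/cache/apt/archives/ifupdown2_3.1.0-1_all.deb`, or better, serve it from a signed repository you control; the comment above the task explains why a newer build is needed but should also record which upstream tag or commit the `.deb` was built from. The `mesh_wg` role on this page has the same pattern for `wgskex`.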


@ -14,6 +14,8 @@ iface br-{{ site_code }}
{% if global_ipv6 is defined %}
address {{ global_ipv6 }}
{% endif %}
#
post-up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
# bat-{{ site_code }}
auto bat-{{ site_code }}
@ -21,18 +23,14 @@ iface bat-{{ site_code }}
hwaddress f2:00:90:00:{{ gateway_id }}:20
mtu 1500
#
batman-hop-penalty 5
batman-ifaces dmy-{{ site_code }}
batman-ifaces-ignore-regex .*_.*
batman-routing-algo {{ batman_algo }}
#
# TODO use batman-xyz instead of batctl
# see /usr/share/ifupdown2/addons/batman_adv.py
#
up /usr/sbin/batctl -m bat-{{ site_code }} gw_mode server 100000 100000
up /usr/sbin/batctl -m bat-{{ site_code }} it 5000
up /usr/sbin/batctl -m bat-{{ site_code }} multicast_mode 0
up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}
up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
post-up /usr/sbin/batctl meshif bat-{{ site_code }} gw server
post-up /usr/sbin/batctl meshif bat-{{ site_code }} hp 5
post-up /usr/sbin/batctl meshif bat-{{ site_code }} it 5000
post-up /usr/sbin/batctl meshif bat-{{ site_code }} mff 1
# dmy-{{ site_code }}

1
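--- a/roles/mesh_wg/files/ping
+++ b/roles/mesh_wg/files/ping
@@ -0,0 +1 @@
+OK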


@ -0,0 +1,4 @@
---
- name: Reload interfaces
command: /sbin/ifreload -a


@ -0,0 +1,25 @@
---
- name: Install wireguard
apt: name=wireguard-tools
- name: Create wireguard config directory
file:
path: /etc/wireguard
state: directory
mode: 0700
- name: Configure wireguard options
template: src=wg.conf.j2 dest=/etc/wireguard/wg-{{ site_code }}.conf mode=0600
notify: Reload interfaces
- name: Configure mesh interfaces
template: src=mesh_wg.conf.j2 dest=/etc/network/interfaces.d/mesh_wg.conf
notify: Reload interfaces
- name: Install wgskex
apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
- name: Install ping endpoint
copy: src=ping dest=/var/www/html/ping
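Review bot: `Install wgskex` pulls `wgskex_0.3.3_amd64.deb` from `http://moepman.eu/tmp/` with no checksum or signature, and wgskex is the component that adds peers to the gateway's WireGuard interface, so an attacker who controls that URL or the unencrypted transfer decides which peers join the mesh; fetch it with `get_url` over HTTPS plus `checksum: "sha256:…"` (or from a signed repository) and install the local file. `Configure wireguard options` renders `{{ mesh_wg_privkey }}` with the correct `mode=0600`, but a run with `--diff` or `-v` prints the private key; add `diff: no` (as the `copy` tasks in `common` already do) and `no_log: true` to that task. `Install ping endpoint` assumes `/var/www/html` exists, i.e. some web server role ran first; a `meta/main.yml` dependency or a comment naming that role makes the ordering explicit.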


@ -0,0 +1,21 @@
# {{ ansible_managed }}
# vx-{{ site_code }}
auto vx-{{ site_code }}
iface vx-{{ site_code }}
mtu 1350
vxlan-physdev wg-{{ site_code }}
pre-up ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
up ip link set vx-{{ site_code }} up
post-up batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
down ip link set vx-{{ site_code }} down
post-down ip -6 link del vx-{{ site_code }}
# wg-{{ site_code }}
auto wg-{{ site_code }}
iface wg-{{ site_code }}
address fe80::{{ gateway_id }}/128
ipv6-addrgen no
pre-up ip link add dev wg-{{ site_code }} type wireguard
pre-up wg setconf wg-{{ site_code }} /etc/wireguard/wg-{{ site_code }}.conf
post-up ip link set wg-{{ site_code }} mtu 1420


@ -0,0 +1,3 @@
[Interface]
PrivateKey = {{ mesh_wg_privkey }}
ListenPort = {{ mesh_wg_port }}


@ -2,4 +2,4 @@
netbox_group: netbox
netbox_user: netbox
netbox_version: 2.8.7
netbox_version: 4.1.8


@ -0,0 +1,13 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart netbox
service: name=netbox state=restarted
- name: Restart netbox-rq
service: name=netbox-rq state=restarted


@ -15,7 +15,7 @@
- libssl-dev
- libxml2-dev
- libxslt1-dev
- python-setuptools
- python3-setuptools
- python3-dev
- python3-pip
- python3-venv
@ -25,85 +25,107 @@
apt:
name:
- postgresql
- python-psycopg2
- name: Configure PostgreSQL database
postgresql_db:
name: '{{ netbox_dbname }}'
become: true
become_user: postgres
- python3-psycopg2
- name: Configure PostgreSQL user
postgresql_user:
db: '{{ netbox_dbname }}'
name: '{{ netbox_dbuser }}'
password: '{{ netbox_dbpass }}'
priv: ALL
state: present
name: "{{ netbox_dbuser }}"
password: "{{ netbox_dbpass }}"
become: true
become_user: postgres
- name: Configure PostgreSQL database
postgresql_db:
name: "{{ netbox_dbname }}"
owner: "{{ netbox_dbuser }}"
become: true
become_user: postgres
- name: Install redis
apt: name=redis-server
# TODO configure redis?
- name: Unpack netbox
unarchive:
src: 'https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz'
src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
dest: /opt
remote_src: yes
creates: '/opt/netbox-{{ netbox_version }}'
creates: "/opt/netbox-{{ netbox_version }}"
register: netbox_unarchive
- name: Configure netbox
template:
src: configuration.py.j2
dest: '/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py'
owner: '{{ netbox_user }}'
group: '{{ netbox_group }}'
dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
notify: Restart netbox
- name: Install venv
pip:
requirements: '/opt/netbox-{{ netbox_version }}/requirements.txt'
virtualenv: '/opt/netbox-{{ netbox_version }}/venv'
virtualenv_command: '/usr/bin/python3 -m venv'
- name: Configure gunicorn
template:
src: gunicorn.py.j2
dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
- name: Netbox file permissions
file:
path: '/opt/netbox-{{ netbox_version }}'
owner: '{{ netbox_user }}'
group: '{{ netbox_group }}'
mode: preserve
state: directory
recursive: yes
create: no
path: "/opt/netbox-{{ netbox_version }}"
owner: "{{ netbox_user }}"
group: "{{ netbox_group }}"
recurse: yes
- name: Fix psycopg variant
lineinfile:
path: "/opt/netbox-{{ netbox_version }}/requirements.txt"
regexp: '^psycopg\[.*,pool\]==(.*)$'
line: 'psycopg[binary,pool]==\1'
backrefs: yes
register: netbox_psycopg_fix
- name: Run upgrade script
command:
cmd: ./upgrade.sh
chdir: "/opt/netbox-{{ netbox_version }}"
become: true
become_user: "{{ netbox_user }}"
when: netbox_unarchive.changed or netbox_psycopg_fix.changed
# TODO - still manual work
# * Run Database Migrations
# * Create a Super User
# * Collect Static Files
# * Gunicorn Configuration
# * systemd Configuration
# * Create a super user
# * Migrate media files
- name: Install netbox housekeeping cronjob
template:
src: netbox-housekeeping.sh.j2
dest: /etc/cron.daily/netbox-housekeeping.sh
mode: 0755
- name: Ensure certificates are available
command: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
-days 730 -subj "/CN={{ netbox_domain }}"
changed_when: True
creates: '/etc/nginx/ssl/{{ netbox_domain }}.crt'
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
-days 730 -subj "/CN={{ netbox_domain }}"
creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
notify: Restart nginx
#- name: Configure certificate manager for netbox
# template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
# notify: Run acertmgr
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ netbox_domain }}"
when: "'kitchen' in group_names"
- name: Configure certificate manager for netbox
template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template:
src: vhost.j2
dest: /etc/nginx/sites-available/netbox
owner: root
mode: '0644'
mode: "0644"
notify: Restart nginx
- name: Enable vhost
@ -111,6 +133,20 @@
src: /etc/nginx/sites-available/netbox
dest: /etc/nginx/sites-enabled/netbox
state: link
owner: root
mode: preserve
notify: Restart nginx
- name: Install systemd units
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
with_items:
- netbox
- netbox-rq
notify:
- Reload systemd
- Restart netbox
- Restart netbox-rq
- name: Enable services
service: name={{ item }} state=started enabled=yes
with_items:
- netbox
- netbox-rq
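Review bot: `Unpack netbox` fetches `v{{ netbox_version }}.tar.gz` from GitHub and extracts it straight into `/opt` with no integrity check (`unarchive` has no `checksum` option), after which `upgrade.sh` runs `pip` over whatever landed there; a `get_url` with `checksum: "sha256:…"` followed by `unarchive` of the local file pins the supply chain the way the InfluxDB key task on this page does. The `Configure gunicorn` template carries no `notify: Restart netbox`, so a changed `gunicorn.py` only takes effect on the next unrelated restart. `Install systemd units` writes to `/lib/systemd/system`, the package-owned directory; locally managed units belong in `/etc/systemd/system/`, i.e. `dest=/etc/systemd/system/{{ item }}.service`.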


@ -33,8 +33,10 @@ REDIS = {
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 0,
'DEFAULT_TIMEOUT': 300,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
},
'caching': {
'HOST': 'localhost',
@ -44,8 +46,10 @@ REDIS = {
# 'SENTINEL_SERVICE': 'netbox',
'PASSWORD': '',
'DATABASE': 1,
'DEFAULT_TIMEOUT': 300,
'SSL': False,
# Set this to True to skip TLS certificate verification
# This can expose the connection to attacks, be careful
# 'INSECURE_SKIP_TLS_VERIFY': False,
}
}
@ -65,32 +69,13 @@ SECRET_KEY = '{{ netbox_secret }}'
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
# application errors (assuming correct email settings are provided).
ADMINS = [
# ['John Doe', 'jdoe@example.com'],
# ('John Doe', 'jdoe@example.com'),
]
# URL schemes that are allowed within links in NetBox
ALLOWED_URL_SCHEMES = (
'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
)
# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
BANNER_TOP = ''
BANNER_BOTTOM = ''
# Text to include on the login page above the login form. HTML is allowed.
BANNER_LOGIN = ''
# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
# BASE_PATH = 'netbox/'
BASE_PATH = ''
# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
CACHE_TIMEOUT = 900
# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
CHANGELOG_RETENTION = 90
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
@ -119,10 +104,6 @@ EMAIL = {
'FROM_EMAIL': '',
}
# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
ENFORCE_GLOBAL_UNIQUE = False
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
EXEMPT_VIEW_PERMISSIONS = [
@ -145,22 +126,18 @@ INTERNAL_IPS = ('127.0.0.1', '::1')
# https://docs.djangoproject.com/en/stable/topics/logging/
LOGGING = {}
# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
# authenticated to NetBox indefinitely.
LOGIN_PERSISTENCE = False
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
# are permitted to access most data in NetBox but not make any changes.
LOGIN_REQUIRED = True
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
# re-authenticate. (Default: 1209600 [14 days])
LOGIN_TIMEOUT = None
# Setting this to True will display a "maintenance mode" banner at the top of every page.
MAINTENANCE_MODE = False
# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
# all objects by specifying "?limit=0".
MAX_PAGE_SIZE = 1000
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
# the default value of this setting is derived from the installed location.
# MEDIA_ROOT = '/opt/netbox/netbox/media'
@ -178,20 +155,6 @@ MAX_PAGE_SIZE = 1000
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
METRICS_ENABLED = False
# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
NAPALM_USERNAME = ''
NAPALM_PASSWORD = ''
# NAPALM timeout (in seconds). (Default: 30)
NAPALM_TIMEOUT = 30
# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
# be provided as a dictionary.
NAPALM_ARGS = {}
# Determine how many objects to display per page within a list. (Default: 50)
PAGINATE_COUNT = 50
# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = []
@ -204,24 +167,13 @@ PLUGINS = []
# }
# }
# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
# prefer IPv4 instead.
PREFER_IPV4 = False
# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
# Remote authentication support
REMOTE_AUTH_ENABLED = False
REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = []
# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
RELEASE_CHECK_TIMEOUT = 24 * 3600
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
# version check or use the URL below to check for release in the official NetBox repository.
@ -232,10 +184,16 @@ RELEASE_CHECK_URL = None
# this setting is derived from the installed location.
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
# Maximum execution time for background tasks, in seconds.
RQ_DEFAULT_TIMEOUT = 300
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
# this setting is derived from the installed location.
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
# The name to use for the session cookie.
SESSION_COOKIE_NAME = 'sessionid'
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.


@ -0,0 +1,16 @@
# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
bind = '127.0.0.1:8001'
# Number of gunicorn workers to spawn. This should typically be 2n+1, where
# n is the number of CPU cores present.
workers = 5
# Number of threads per worker process
threads = 3
# Timeout (in seconds) for a request to complete
timeout = 120
# The maximum number of requests a worker can handle before being respawned
max_requests = 5000
max_requests_jitter = 500


@ -0,0 +1,9 @@
#!/bin/sh
# This shell script invokes NetBox's housekeeping management command, which
# intended to be run nightly. This script can be copied into your system's
# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
# within the cron configuration file.
#
# If NetBox has been installed into a nonstandard location, update the paths
# below.
/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping
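Review bot: The housekeeping command runs with root privileges here, since entries in /etc/cron.daily are executed by root's cron, while the netbox units run as {{ netbox_user }}; any file manage.py creates during housekeeping would then be root-owned, which could presumably interfere with the service's later writes — worth confirming against how this NetBox version's housekeeping command behaves. Dropping privileges in the script keeps the two in line: `runuser -u {{ netbox_user }} -- /opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping`.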


@ -0,0 +1,21 @@
[Unit]
Description=NetBox Request Queue Worker
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target
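Review bot: The RQ worker, which presumably executes background jobs such as custom scripts and reports, runs with no sandboxing beyond `PrivateTmp=true`; adding `NoNewPrivileges=true`, `ProtectSystem=full` and `ProtectHome=true` under [Service] limits what a compromised worker process can reach, and the same applies to netbox.service in the next file. `ProtectSystem=full` leaves /opt writable, so the paths under /opt/netbox-{{ netbox_version }} are unaffected, but confirm nothing the worker runs needs to write under /etc or /usr before enabling it.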


@ -0,0 +1,22 @@
[Unit]
Description=NetBox WSGI Service
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User={{ netbox_user }}
Group={{ netbox_group }}
PIDFile=/var/tmp/netbox.pid
WorkingDirectory=/opt/netbox-{{ netbox_version }}
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
Restart=on-failure
RestartSec=30
PrivateTmp=true
[Install]
WantedBy=multi-user.target
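Review bot: `PIDFile=/var/tmp/netbox.pid` does not work together with `PrivateTmp=true`: gunicorn writes its `--pid` file into the unit's private /var/tmp, which systemd, reading from the host's /var/tmp, never sees; with `Type=simple` systemd tracks the main process itself, so the directive is dead weight at best. Either drop both `PIDFile=` and `--pid /var/tmp/netbox.pid`, or add `RuntimeDirectory=netbox` and point both at /run/netbox/netbox.pid, which also keeps the pid file out of a world-writable directory.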


@ -10,7 +10,7 @@ server {
}
location / {
return 301 https://{{ netbox_domain }}$request_uri;
return 301 https://$host$request_uri;
}
}
@ -30,9 +30,9 @@ server {
location / {
client_max_body_size 32M;
proxy_pass http://localhost:8001;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8001;
}
}
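Review bot: `return 301 https://$host$request_uri;` builds the redirect target from the client-supplied Host header, whereas the line it replaces pinned it to {{ netbox_domain }}; if this server block is ever the default server, or its server_name is broader than the exact domain (the server{} block starts outside the hunk, so that is not visible here), a crafted Host header turns it into an open redirect. `return 301 https://$server_name$request_uri;` keeps the simplification without trusting the request. The same consideration applies to `proxy_set_header X-Forwarded-Host $http_host;` in the second hunk, which forwards the header verbatim to the application.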


@ -0,0 +1,3 @@
---
nginx_anonymize: False


@ -30,7 +30,7 @@
- /etc/nginx/dhparam.pem
- name: Configure nginx
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
notify: Restart nginx
- name: Configure default vhost
@ -41,7 +41,7 @@
- name: Ensure network and dns are available before nginx
lineinfile:
dest: /lib/systemd/system/nginx.service
line: "After=network-online.target nss-lookup.target"
line: "After=network-online.target remote-fs.target nss-lookup.target"
regexp: "^After="
- name: Start nginx


@ -47,7 +47,32 @@ http {
# Logging Settings
##
{% if nginx_anonymize %}
map $remote_addr $ip_anonym1 {
default 0.0.0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
"~(?P<ip>[^:]+:[^:]+):" $ip;
}
map $remote_addr $ip_anonym2 {
default .0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
"~(?P<ip>[^:]+:[^:]+):" ::;
}
map $ip_anonym1$ip_anonym2 $ip_anonymized {
default 0.0.0.0;
"~(?P<ip>.*)" $ip;
}
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log anonymized;
{% else %}
access_log /var/log/nginx/access.log;
{% endif %}
error_log /var/log/nginx/error.log;
##
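Review bot: The anonymization covers only the access log; `error_log /var/log/nginx/error.log;` on the last line still records the full client address, since nginx error entries carry a `client: <addr>` field, so with nginx_anonymize enabled the error log keeps exactly the data the maps are meant to strip. Worth either documenting that limitation next to the `{% if nginx_anonymize %}` guard or lowering the level under the same condition, e.g. `error_log /var/log/nginx/error.log crit;`. Minor: the IPv6 pattern `"~(?P<ip>[^:]+:[^:]+):"` does not match addresses starting with `::` (such as ::1), which then fall through to the `0.0.0.0` default — harmless for privacy, but loopback traffic becomes indistinguishable from unmatched input.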


@ -1,4 +1,4 @@
---
node_exporter_version: 1.0.1
node_exporter_version: 1.2.0
node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz


@ -1 +1 @@
OPTIONS=""
OPTIONS="--web.config=/etc/node_exporter/web-config.yml"


@ -9,6 +9,27 @@
- name: Configure node_exporter
copy: src=node_exporter dest=/etc/default/node_exporter
- name: Create configuration directory
file: path=/etc/node_exporter state=directory
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/node_exporter/{{ ansible_fqdn }}.key
-out /etc/node_exporter/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/node_exporter/{{ ansible_fqdn }}.crt
notify: Restart node_exporter
- name: Ensure correct certificate permissions
file: path=/etc/node_exporter/{{ ansible_fqdn }}.key owner=node_exporter mode=0400
notify: Restart node_exporter
- name: Configure node_exporter TLS
template: src=web-config.yml.j2 dest=/etc/node_exporter/web-config.yml
notify: Restart node_exporter
- name: Install systemd unit
template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
notify:


@ -0,0 +1,6 @@
tls_server_config:
cert_file: /etc/node_exporter/{{ ansible_fqdn }}.crt
key_file: /etc/node_exporter/{{ ansible_fqdn }}.key
basic_auth_users:
prometheus: {{ prometheus_node_pass | password_hash('bcrypt', 'supersecret1salt1value') }}


@ -1,7 +0,0 @@
---
- name: Restart ntp
service: name=ntp state=restarted
- name: Restart ntpd
service: name=ntpd state=restarted


@ -1,11 +0,0 @@
---
- name: Install ntp
apt: name=ntp
- name: Configure ntp
template: src=ntp.conf.j2 dest=/etc/ntp.conf
notify: Restart ntp
- name: Start the ntp service
service: name=ntp state=started enabled=yes


@ -1,17 +0,0 @@
# {{ ansible_managed }}
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1


@ -6,7 +6,7 @@
- name: Install dependencies
apt:
name:
- python-setuptools
- python3-pip
- python3-setuptools
- virtualenv
@ -22,6 +22,13 @@
- Reload systemd
- Restart prometheus-pve-exporter
- name: Configure prometheus retention
lineinfile:
path: /etc/default/prometheus
regexp: '^ARGS=.*$'
line: 'ARGS="--storage.tsdb.retention.time=365d"'
notify: Restart prometheus
- name: Configure prometheus
template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml
notify: Restart prometheus


@ -27,12 +27,29 @@ rule_files:
scrape_configs:
{% if node_targets is defined %}
- job_name: node
scheme: https
basic_auth:
username: prometheus
password: {{ prometheus_node_pass }}
tls_config:
insecure_skip_verify: true
static_configs:
- targets:
{% for target in node_targets %}
- {{ target }}
{% endfor %}
{% endif %}
{% if dnsdist_targets is defined %}
- job_name: dnsdist
basic_auth:
username: prometheus
password: {{ prometheus_dnsdist_pass }}
static_configs:
- targets:
{% for target in dnsdist_targets %}
- {{ target }}
{% endfor %}
{% endif %}
{% if fastd_targets is defined %}
- job_name: fastd
static_configs:
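Review bot: `insecure_skip_verify: true` in the node job means Prometheus never checks the node_exporter certificate, so the TLS hop only defeats passive observation and the `password: {{ prometheus_node_pass }}` just above it can be captured by anyone able to sit in the path and present their own certificate. Since the node certificates are generated by this same playbook, they could be collected into a bundle on the Prometheus host and referenced through `ca_file:` in `tls_config`, or a shared internal CA could replace the per-host self-signed certificates, which restores verification. Separately, the dnsdist job sends `prometheus_dnsdist_pass` without a `scheme: https` line, i.e. over plain HTTP by default, so that password travels in cleartext unless the dnsdist targets are reached over TLS some other way — worth confirming. The scrape_configs list continues beyond the hunk.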


@ -19,6 +19,6 @@ interface br-{{ site_code }} {
AdvRouterAddr on;
};
{% endif %}
RDNSS {{ batman_ipv6 | ipaddr('address')}} {
RDNSS {{ batman_ipv6 | ipaddr('address') }} {
};
};


@ -4,4 +4,4 @@ batman_interface: bat-{{ site_code }}
main_bridge: br-{{ site_code }}
respondd_announce_git_root: https://github.com/ffnord/mesh-announce/
respondd_announce_git_version: fc2d8d78d53d1908ad16b79b66f79557ccd9a83a
respondd_announce_git_version: 4fd2e3e6eb15c2a52b7401c88a105ff483934689


@ -7,6 +7,10 @@
git: repo={{ respondd_announce_git_root }} dest=/opt/{{ site_code }}/respondd-announce/ version={{ respondd_announce_git_version }}
notify: Restart respondd
- name: Configure respondd
template: src=respondd.conf.j2 dest=/opt/{{ site_code }}/respondd.conf
notify: Restart respondd
- name: Install systemd unit
template: src=respondd.service.j2 dest=/lib/systemd/system/respondd.service
notify:


@ -0,0 +1,20 @@
# Default settings
[Defaults]
# Listen port, defaults to 1001
Port: 1001
# Default multicast listen addresses
MulticastLinkAddress: ff02::2:1001
MulticastSiteAddress: ff05::2:1001
# Default domain to use
DefaultDomain: {{ site_code }}
# Default domain type
DomainType: batadv
# A domain
[{{ site_code }}]
# Batman interface, mandatory
BatmanInterface: {{ batman_interface }}
# Other listen interfaces
Interfaces: {{ main_bridge }}
# IPv4 gateway option for ddhcpd
IPv4Gateway: {{ batman_ipv4 | ipaddr('address') }}
