Compare commits
196 Commits
netbox-pro
...
master
Author | SHA1 | Date | |
---|---|---|---|
360963a935 | |||
1f81547c60 | |||
4a8f51ba6c | |||
4624241254 | |||
6a8b97a9a6 | |||
e806c5ead1 | |||
ca8470c12d | |||
132b9651f2 | |||
90b6048276 | |||
482003f869 | |||
8657599a13 | |||
f1ecb89957 | |||
ebc957d8c2 | |||
5e0e0ac3a0 | |||
8aa7c9c0b3 | |||
6da2083d46 | |||
e9db35e119 | |||
21efe29341 | |||
5a516d2a9e | |||
14217927ca | |||
d717dbe5d5 | |||
0f40741750 | |||
f124fc3464 | |||
cca02889c7 | |||
b32df8865b | |||
feeb89461d | |||
2b8c2d2ab7 | |||
5c84b63b17 | |||
242a878265 | |||
2396d9c4d6 | |||
5997b64db8 | |||
37b955a65c | |||
443414cfd1 | |||
05b5757ffd | |||
87b21ca773 | |||
90cb6966a7 | |||
8ad13bcd95 | |||
3e9f20fa32 | |||
42ac102e8f | |||
2c17b101a3 | |||
ea4a4f1c24 | |||
e6d7a0ed9d | |||
e9095ae0a3 | |||
8f4e99d4f3 | |||
879a01649a | |||
963b676f95 | |||
0653790816 | |||
d9775e2071 | |||
bbc30c025e | |||
4eab827a06 | |||
8aaf5235b2 | |||
9e24b7cab0 | |||
1465481113 | |||
22724967e0 | |||
9f057f2389 | |||
65400002dd | |||
7ab2642b4b | |||
de03068166 | |||
cab4994899 | |||
27c2f0b452 | |||
|
806c1b3e51 | ||
|
4bf5099ab2 | ||
5020612824 | |||
a49ed72fe4 | |||
2de5cdfdaf | |||
2a89b85d36 | |||
5ab29feb17 | |||
75827d1202 | |||
fb4c22eabf | |||
87664d0158 | |||
9530ed5e09 | |||
c7777e45da | |||
52a364d2ef | |||
e429538540 | |||
f4b94ff2c5 | |||
4972d0cafb | |||
c4456da825 | |||
5b6ed5bcbf | |||
1af34c4f90 | |||
99c1add95f | |||
6c54d99914 | |||
b9861845c3 | |||
df8b7ba21c | |||
32aefbb0f6 | |||
015e75fa2b | |||
15d3da93b2 | |||
629bb169ac | |||
4c63ba2586 | |||
9aa91059d2 | |||
9c6d490f1c | |||
f39df70307 | |||
59248f4ef8 | |||
4f45d615a5 | |||
9f50cb58b3 | |||
73a9300408 | |||
26d5037e26 | |||
26bd85279c | |||
ef9303ecf7 | |||
ac79d8f35c | |||
e2ba2e8ca5 | |||
7214833ecc | |||
c79f497a09 | |||
3d8072520e | |||
0e7ecfca34 | |||
6c1c6b8abd | |||
779b361aec | |||
215610b2db | |||
7c405d3b91 | |||
1da5ef70e5 | |||
c196bc4483 | |||
8fabdc2550 | |||
|
5ad344163d | ||
0a696c67db | |||
70ce064aa5 | |||
9c9258863a | |||
|
29cc08a8be | ||
44fc0e626e | |||
ad4b92cc7a | |||
9b90a6012d | |||
61dcf426f1 | |||
484467cbaa | |||
fd33a9c571 | |||
0f19c36624 | |||
41b090e30f | |||
e1429adae1 | |||
87ddc40259 | |||
7034448b08 | |||
8b501255fb | |||
5c34da3e62 | |||
bf3784af19 | |||
56775c0cdd | |||
5682d78dbb | |||
f5db4f6daf | |||
b28004bf35 | |||
ce397c7a62 | |||
92b6f4bbd9 | |||
d71be0fcd3 | |||
c33111a9fb | |||
9a153e9644 | |||
01ab94aa27 | |||
9e369291b6 | |||
f8380524ec | |||
4da5ac5ab6 | |||
6cf940b71f | |||
cc0c0823e9 | |||
b517df3151 | |||
|
e7d3167f51 | ||
|
755c1c5af1 | ||
|
879cfc0f40 | ||
d4a9ccf43d | |||
0484e91693 | |||
19faa44f0c | |||
ebe2eac3a7 | |||
1c0d2f25d2 | |||
5cd6b06053 | |||
5422d3ad82 | |||
0baec7972f | |||
f955ce6119 | |||
bf1b7e434d | |||
f882c6e41a | |||
d0ff422b67 | |||
6534749691 | |||
3baf4139ac | |||
e8435cdd9b | |||
309105d948 | |||
d909edc169 | |||
46406323c1 | |||
990ce64971 | |||
333c4b82e9 | |||
1b4ed18171 | |||
1f0b671545 | |||
97c095f75f | |||
ac35c8c635 | |||
4c020cea41 | |||
56e026ba14 | |||
ae6b1bc58a | |||
29627c5e36 | |||
f6c4f927f4 | |||
1464ef73cb | |||
af56fd8dcd | |||
2070c32a26 | |||
dd93bd6b11 | |||
1b12b54a8d | |||
40a64d1e77 | |||
b239dfb38f | |||
cc736cc94e | |||
3582e84b09 | |||
ea4f70a483 | |||
dc6f2e1e5b | |||
610498fc31 | |||
0de11eb6ed | |||
d7291018a4 | |||
c29bed27dc | |||
3b501e041a | |||
3d12cf0a7e | |||
bc7805391c |
4
.ansible-lint
Normal file
4
.ansible-lint
Normal file
@ -0,0 +1,4 @@
|
||||
skip_list:
|
||||
- meta-no-info
|
||||
- package-latest
|
||||
- risky-file-permissions
|
@ -6,7 +6,6 @@ type: docker
|
||||
|
||||
steps:
|
||||
- name: lint
|
||||
image: alpine:latest
|
||||
image: cytopia/ansible-lint:latest
|
||||
commands:
|
||||
- apk add git ansible ansible-lint
|
||||
- ansible-lint -x305,403,701
|
||||
- ansible-lint
|
||||
|
1
.gitignore
vendored
1
.gitignore
vendored
@ -2,3 +2,4 @@
|
||||
__pycache__
|
||||
site.retry
|
||||
*.pyc
|
||||
ff-ansible.code-workspace
|
||||
|
@ -3,11 +3,11 @@ Ansible Freifunk Regensburg
|
||||
|
||||
## Requirements
|
||||
|
||||
The python package netaddr is required on the host running ansible.
|
||||
The python packages netaddr and passlib are required on the host running ansible.
|
||||
|
||||
The vault password must be stored in `.vault_pass`.
|
||||
|
||||
The *only* supported distributions to deploy roles on is debian stretch and buster (stretch may be too old for prometheus).
|
||||
The *only* supported distributions to deploy roles on is debian buster.
|
||||
|
||||
|
||||
## Running Ansible
|
||||
|
@ -1,5 +1,6 @@
|
||||
[defaults]
|
||||
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
|
||||
interpreter_python = auto
|
||||
inventory = ./hosts
|
||||
library = ./library
|
||||
nocows = 1
|
||||
|
@ -2,6 +2,20 @@
|
||||
|
||||
acertmgr_mode: webdir
|
||||
|
||||
dnsdist_targets:
|
||||
- gw11.regensburg.freifunk.net:8053
|
||||
- gw21.regensburg.freifunk.net:8053
|
||||
- gw31.regensburg.freifunk.net:8053
|
||||
- resolver.regensburg.freifunk.net:8053
|
||||
|
||||
dns_slaves:
|
||||
- 195.201.117.207
|
||||
- 2a01:4f8:1c0c:7dda::1
|
||||
- 213.166.224.14
|
||||
- 2a02:958:0:1::e
|
||||
- 213.166.225.14
|
||||
- 2a02:958:0:1::1:e
|
||||
|
||||
fastd_targets:
|
||||
- gw11.regensburg.freifunk.net:9281
|
||||
- gw21.regensburg.freifunk.net:9281
|
||||
@ -25,21 +39,24 @@ gre_matrix:
|
||||
- { id: 26, a: gw21, b: gw31 }
|
||||
# - { id: 33, a: gw22, b: gw31 }
|
||||
|
||||
netbox_domain: netbox.ffrgb
|
||||
netbox_domain: netbox.regensburg.freifunk.net
|
||||
netbox_dbname: netbox
|
||||
netbox_dbuser: netbox
|
||||
netbox_dbpass: "{{ vault_netbox_dbpass }}"
|
||||
netbox_secret: "{{ vault_netbox_secret }}"
|
||||
|
||||
node_targets:
|
||||
- ns1.regensburg.freifunk.net:9100
|
||||
- stats.regensburg.freifunk.net:9100
|
||||
- tiles.regensburg.freifunk.net:9100
|
||||
- gw11.regensburg.freifunk.net:9100
|
||||
- gw21.regensburg.freifunk.net:9100
|
||||
- gw31.regensburg.freifunk.net:9100
|
||||
- web.regensburg.freifunk.net:9100
|
||||
- stats.ffrgb:9100
|
||||
- resolver.regensburg.freifunk.net:9100
|
||||
- netbox.regensburg.freifunk.net:9100
|
||||
- unms.ffrgb:9100
|
||||
- unifi.ffrgb:9100
|
||||
- tiles.ffrgb:9100
|
||||
|
||||
ntp_servers:
|
||||
- 0.de.pool.ntp.org
|
||||
@ -47,6 +64,10 @@ ntp_servers:
|
||||
- 2.de.pool.ntp.org
|
||||
- 3.de.pool.ntp.org
|
||||
|
||||
prometheus_dnsdist_pass: "{{ vault_prometheus_dnsdist_pass }}"
|
||||
|
||||
prometheus_node_pass: "{{ vault_prometheus_node_pass }}"
|
||||
|
||||
prometheus_pve_user: prometheus@pve
|
||||
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
||||
|
||||
@ -54,8 +75,17 @@ pve_targets:
|
||||
- pve01.ffrgb
|
||||
- pve02.ffrgb
|
||||
|
||||
searxng_domain: sx.regensburg.freifunk.net
|
||||
searxng_domains: sx.ffrgb.net sx.regensburg.freifunk.net
|
||||
|
||||
site: ffrgb
|
||||
site_domain: regensburg.freifunk.net
|
||||
|
||||
speedtest_domain: speed.regensburg.freifunk.net
|
||||
speedtest_domains: speed.ffrgb.net speed.regensburg.freifunk.net
|
||||
speedtest_secret: "{{ vault_speedtest_secret }}"
|
||||
|
||||
tileserver_domain: tiles.regensburg.freifunk.net
|
||||
|
||||
web_services:
|
||||
- { id: tiles, domain: tiles.regensburg.freifunk.net }
|
||||
- { id: uisp, domain: uisp.regensburg.freifunk.net, domains: uisp.ffrgb.net uisp.regensburg.freifunk.net }
|
||||
|
@ -1,134 +1,137 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
33336336363031356335646231313439663164663337323062393465653638346538613762323532
|
||||
3130356238303530316134623963616261663162393061300a653332613538633462353265353965
|
||||
63653131386233643635343732346336653164303236626666613963353963616634653939623135
|
||||
3231653165646661300a326563353632613937663137323562663364623133306338346633643832
|
||||
38613536373436643539623064386566653738316532666166333538656664623966376639363962
|
||||
63636332636331633762326539653863313233633032663063633136356562353737383365316238
|
||||
62633432363661613162616230313437306439376265623563343564343532366266616536346432
|
||||
38376465626236316434613631336465626363663263613232313662336133396434336437656464
|
||||
34323863643366326633613632636662353232323563616138356537613762666561393133383265
|
||||
65313162396434396662613131333261643966313366326435373831393338656361643733343837
|
||||
64316462393361336630623563386336323138653833636464623163343134393033303865326161
|
||||
33323461333334616333336466636436383764303362396561333830626137333462333564316364
|
||||
38393437666662346630663137643132626133383965353030663632636237663433383462326165
|
||||
30376436643137333361383839306537613535653564306164643363643330613031363630633964
|
||||
62396238396530306431633362343739633230383934373364303733366136633136363761303762
|
||||
33373165323939343063633965623733363934363330353662623134653438303337636161343132
|
||||
66393361363838323731303564653834316265333363303662376630333930346534363133363861
|
||||
62396533666365303065333330363066343238386438636661633233363831343838316131353633
|
||||
38643764386166656632313938386133366233366130626636323330326466376566613563383561
|
||||
62383038336566356533643336393430353365623932376161393438653465653962383130363433
|
||||
34393437343238383634323432633134353664386136633533383463616235326239383966633431
|
||||
36363532623932326432366330343332376264666537333234333234616638653830363633313465
|
||||
38343038666336353634633238356662666338646661646265306564633861333461336231313834
|
||||
64663166356432376564633163303636643963323032393737383537323639616333373133626264
|
||||
32303466316562666338356235376133653833623936373131373237393334393665306561366636
|
||||
66623437663334326631353132303030663236393762336639313861663962353363653831373563
|
||||
62386633306463306634633862326632313063393362353438623437376138363433623934666162
|
||||
37373662393437363965623162303934333230343962626233366630396531326665383065386161
|
||||
65663666356431366335633339366637303137353765656638316535613933343237656563663863
|
||||
65313230616338653030343034663937666134653336383732393538396337326238343761323137
|
||||
30626138666262666465393036363133356563653437376666376366613635306162653739396531
|
||||
64613664626663626462343737626266636132313366393861313436383137313765623165333734
|
||||
35333036633234303733373161626331363333393062613933623931356234363735663165386338
|
||||
61333961666638326134396431393335633435666135383738376335623135663934356437623062
|
||||
66323833353065653866613264663262653731373865656363666466303330356563356434343161
|
||||
34363564363564393132326264626134383630653437626536623166363965306363653539336461
|
||||
36366538383134376564376665336231663532656464393832346166653462306235666139633265
|
||||
34663235353765316633333865313439663736323462653232633362633333663539613934346136
|
||||
31363536303338633333393064366234643762396364356539363966623936663764353161383136
|
||||
34383432386537646566653964313731623761316161663136386532663332333262313861613932
|
||||
35356566303364326436306235323463623331613663383031343335323537346530653637663939
|
||||
34613333323738303731636362323735346561343332376137616339386163346134646566353231
|
||||
65656264626131306130663761663763336464306563313835633432333761623633666433613830
|
||||
63356265343839396162363333646630346364643661303331663236306535306465626435326662
|
||||
62313963663636363366356132616239323632623733656137316663303031356631323235353634
|
||||
64613035346633313366633138353737303565303434363139616466636163323137346238623562
|
||||
61333066633833303232333934373039623762323435333261633835356466303564666132656362
|
||||
62613939323735343163376165653634333834353334663532383866313232663533643138663766
|
||||
31353138356562386135366130373063306538633465323363313361316438366631366463323730
|
||||
62393637353931653930303230626665303066646539663338363133613431306532623865343531
|
||||
64366263653062643334336132336466383563636630323539373336343330616531323962326537
|
||||
64306535623135396537363735633039636335623561343435613864656330376631613434613866
|
||||
31393166633361633063323538623361653135306539346366383264336634353633626136663731
|
||||
35383332373338333935376438346232326236613430306533316561333438383238306666346465
|
||||
36356235373466303536346363393661393838336331313536383662353438333662366563353038
|
||||
66383237613132613636356461653037373437336264626539333763643261326239313065336463
|
||||
34323361613565663336343131613530616462633331653134613431393839303364363831303337
|
||||
39393732646234383936316637343066633761636231326639663239306231303834306631393933
|
||||
32323335666262666232363638306562353866353338646234353631323533316532383235336632
|
||||
33643934343836366631336666643730656137626466666232396535356664313132383838363832
|
||||
39613664643761653461326234643539643831616537363836656561303562633064613238383233
|
||||
33616336666462333461343766383063353361313032643230636132343631613636666636666639
|
||||
38386136656565653439323162363035623665623139326366326431343861393664636664363934
|
||||
61353761326136346636393261663335383664646531616366363436306461313063646264356561
|
||||
63393931313266633734616362376630616535396635343363326361653434353631303836326433
|
||||
64313533646331336338353533643031316638386330626362313938623736316134633062393930
|
||||
31306332623364393839313761353564313563326462313637663635663661396638373130363866
|
||||
30326263383730356135663433623138663239363765363664636133653462653262393766363966
|
||||
37303862363131646236333134366664653061343735303035383663383539353732313935313933
|
||||
37323461343530306632626631373238333636303135653535626631343862663639306136323363
|
||||
30343731356434333030303332636637363364643363666136353266383138613066353732326665
|
||||
32366234373864663333323035306334613937656666396437646335383839663336633364613338
|
||||
63306635663762373331646535373638343436376431646564666239633631376465623730353935
|
||||
66383262623838376339373735396131303434616132373832633061616132393931643830633864
|
||||
37663931613633656339383062336462383661363463323632396636633965373439383938626635
|
||||
38336330383139653365653664383934663838306531373164626136613338343861353262663431
|
||||
30653265333065663664646564376466303838373961626436396631356366363832613930346664
|
||||
34643962363862643732653631333665366134343332313863316164323465383138386262336336
|
||||
32343365386362346237656361386163323062376232346137336365363731396639346137343735
|
||||
62633436643265636262376639383635336536353131666661326238653339626666383562323763
|
||||
63373636636530306461633035616163643962633033363565323164343034633666346133343638
|
||||
37613463333461373663336630313834316333366466336539333135356338343731636231663530
|
||||
38623738636534333762376434336336326166373363643864316233343735386234616663636534
|
||||
32393838623939343536346634633339613837373735353565313138333864383632383533396264
|
||||
36363430356237636235316631313664336265633333313137373861666333663865393065393531
|
||||
30386335613531353837363738366232313036343731343566306166646466353164336136393330
|
||||
65323933613266363739363231663563656437396231316666303437633564613465313937383038
|
||||
32643465346130323738336364356331663163323236333764653566306664623164626437363465
|
||||
34333165343034633135336234633765336333623333643632353335656238393863623062623665
|
||||
39393434643538373633653630353963346132663366656532303764333838336562663735613737
|
||||
39363865353736663263303565336263643333613238336462313839323738373063393639303531
|
||||
34633739366531326666633634366230363431303663383432323463643665316136643434343839
|
||||
66313030623561366431353863633666636262336637636235326434366536393830343433336462
|
||||
34666631343862346239346434666462613836343161663234646439643562316564666632316665
|
||||
66376137313231376433333163396564343435303434326235626239336237653332316232343361
|
||||
30666531393863616132323837333931323534633561626263333534646530623433613633383061
|
||||
36393361613736393333633166346465363762336232303530393262666366303763303862383632
|
||||
30336437313339643861663635623334323330653030396432623932613433343836626238373530
|
||||
35353535366237663865333832356661613635353138356438386333323734386237626532343665
|
||||
31373061616234633336386661323164663934336464316364343036633336376234656263346530
|
||||
64333336383861396261316436636638653934643463666263346430366238663663383834313266
|
||||
65396434313161333532323036336538653830303232343364656365353339623165346164393039
|
||||
62356561366461643831656466316266616335646163303438353735393830636434386335623632
|
||||
32623835613262653566306561333835316334613633613138643235343265376238343932363264
|
||||
65666334633663366338306566346433626431656131393233393661396361366365333733303130
|
||||
38353435396462636633336238373131386562333063386235366233633030663861316161653362
|
||||
36306431663639663137313762396338323933663036343130633438326435383934633861343262
|
||||
39623431326362643833353532336233653664643733323432326466666165373333313266626565
|
||||
38656465623362323966333238336262323563353038666635666137303064663333363730633335
|
||||
31306139323831366363346331383834646635316166393334326535323339363038353365353538
|
||||
31356164656235373536323830333135333931373764636439363135316532613530333734613964
|
||||
66393233383132623536643664643862336162396630383932383731626233643966636437393461
|
||||
30356262393661623737653439633336656635323134613336626336343666363138303931323064
|
||||
36366333393330333365663965646664333561646434306463333135653130646337623035393434
|
||||
66636261346534653263356230633838633033373566623138626264656236336630373634636430
|
||||
39633136666565343332663330323937393565643338663433656466323535613064326233626637
|
||||
63393064363434393634333863363761643433326438336634306438376235393632643332346339
|
||||
63306437336431613535356138336666613862343437306330393566346332666534646230313265
|
||||
66663839333730636538343630363933353039343064316330666631646565386438613232383031
|
||||
63393963333063343437383130356331356162616266383231383535313530393264323232623934
|
||||
30363861373261303966613361336335356233306530343435313730393166383536323937373666
|
||||
33613033633530393933333265306265626632663266383834666334336364623864333735343735
|
||||
35316132636333323566666339333039653862666264353638336336356334393030663733306264
|
||||
61613661613166366238646264343239393735653437383539343731373266386238323532643739
|
||||
38643262343666656661356338623035343934383765313939363537393434623965623437363239
|
||||
61653034656535313937316639663166386432623034383864356465623032353636643737326336
|
||||
38376436343133643263336435636638356465396566623037633334643863643165663765383161
|
||||
33653530643836343334643734346335653131366439336139646131396237323862323132616339
|
||||
35383739633133643864646163616661633032666532663861393638343232323437363263663435
|
||||
65626561303137353330646162326464666236653633346636333864333366323336613638393365
|
||||
36396262306266396638613736626637633163343938366130363133303535613131383562393333
|
||||
63643830666437663931633231336432303561326231366639376130303564663564363766343834
|
||||
3934
|
||||
31633832313136353531623833383865383736333164376632363635333439613763643062663632
|
||||
3736376165623664376436643138653435393239636333370a643363343061303436613238373237
|
||||
36653730376133363061333536626436363366393335303932663736316631633630323634353531
|
||||
3734353134396561660a616339303762313430616234383138326438383432646564356662393536
|
||||
61376161343965656365646238393261356133326131613730343234336139366461333032396531
|
||||
38653031363934623231336661363233393562383434323633353139336530383432383736353937
|
||||
65633935373261653134653839353233643439616266613531373938393231643736333436353234
|
||||
65646665626531323566326561353333666535666430613961666232646632303662343832643661
|
||||
35373166323439623137383164663838393766326237336234326635383930323365326431343338
|
||||
61343434363961633532656466653732626135306334303634383235643531396535326536636264
|
||||
37343930623235363632623963346637363964666664636266373137363037383036633233643130
|
||||
30323036653637656131623332613463303937323133653064623333396534336661306432323536
|
||||
38373534303235323230306139663736663430633463663166393033613435616662336335643137
|
||||
32366439333661313930636234346265306233393966623832613834623263356337356162396335
|
||||
34353362613163323936613930666339303839393431303461363565623561363034306538396237
|
||||
38326263303033376435623037653365636362653831623066653263623236613566623962313266
|
||||
34336233343530366236313131323962666163383035633361333637343732356338626265613338
|
||||
36643663336161663636343864623864323735613838373562376431643338346662393731373833
|
||||
38313839393433626630363635323232373534303437656561316231653536306264386331333666
|
||||
36323330626164363730643337623262303335333438303432373465343235303836366362383336
|
||||
39666631363362383338616536666432373738336131653765353635373365623030393365636630
|
||||
38303033306664356162316262346434343239646230663062643566336132613535393835366236
|
||||
66306435653364323335623665316264646631383066373837653536316135316130393766356162
|
||||
33326431643162383539323161626163316532373831386334643761636630616162666236613766
|
||||
38633738333331616336363736396635306630363561613966656538633432363661313432373731
|
||||
39303764303362336536396130613637653530376437333336613465643539396330623261356534
|
||||
64633761643065313038656261326638343032353832376262653135663162353434323936353862
|
||||
31663738353965303963353962626534303333303037336431373631396635363938326133336330
|
||||
63353333616664663934636433653434626162323064653430666565613061623239613561643838
|
||||
66356662303137383639336432633432636235306165306339623632316134306431376163616465
|
||||
32636132656232303162333238393837383731633931363865356634643736326139313638333230
|
||||
39316662306432333333333266333234646539646532316536383932666435366136346138626136
|
||||
64373362366239633964616638363666656564323436636432663937666565653436613465366461
|
||||
65376562303639363332636532386535386365656636346365333330386132383637636239653730
|
||||
63333361303037393936653064336439653932373739336564333132303639343835376633666631
|
||||
66613138343730636563626131623437343232303964626562633332303761626331383662373531
|
||||
39663463656361303236666661356564373432333062303363313532333938633337363536343930
|
||||
37376464393438613564653465353037313536626466643131336133336161316437316433663032
|
||||
62633465613634373238383937643037346336336135353230386538353933616436646534366435
|
||||
31323363666266373662626362663164653863326239303462363739383730643962333230343733
|
||||
37393831383666393064626437323861353739363762346330666436356466316464393838366133
|
||||
34653131653838643063396633346132336439393132353661373063623865643465306238326538
|
||||
63313366386263623333636636376637383536353663643266653431626365666139393764663633
|
||||
62366234376231393261646366383733633565303433353631343239313362646161663433653632
|
||||
61303231616366386435666232353531306331613638633531613364663130643433336232633164
|
||||
64373131303135316135376339353366313635653466663765323931616232333539333639623033
|
||||
39626233316430303062336234623966376564386365613265363866666636626435306664336636
|
||||
39346139316331306333666332393631306433623365303064383831643864336634303737633434
|
||||
39303364633530343531373964353335333832636433313865303765393665633838316531343035
|
||||
34666237353834613337353063666333353764666431376235393534613534363163333732373061
|
||||
36663537363938373235326537326139366562656264393930653630383332383466333435386233
|
||||
32613737303431333537326264343065306361653562633064393762643161313666663262313236
|
||||
65386430306432653563623666646439376163383433653561333461383933383835373563396137
|
||||
62383861393963313534616437663465333834663235356439363735633133623365383839613037
|
||||
34303465363033313739373631363261313130616663336662346132653239313562386664353432
|
||||
64373961663563393362303166633630343665663437373562613461343266646332313963653965
|
||||
39363632313864343437333038623364323161376237386333616636303364373964343464643330
|
||||
31613431313562353862306236623233636264653635643264333364336533623036356530343465
|
||||
33366131333365393333373062623666663065316666363736633562363934336534313464353239
|
||||
30666365303330363962653731626266376433666135333435313236386163653336386134633630
|
||||
65336335346539666431643036636663643936326635636438636438646230353962646335396461
|
||||
64623238343632346265376537323462316162633437633463656235626366666235653231303736
|
||||
34316166363139336536396631663435386434396336346331663333353338353466346433393062
|
||||
31343662316464356663356539303934633336613335373732353165366266303837303364616537
|
||||
31356135313732633232343362663932656363633162623539323938643239383333306638346236
|
||||
36666564323336346234313239656463626138313364656637353434303266613232353334666539
|
||||
34666437356531393933656338373834303130663132303433376338643833643236333639663530
|
||||
32653536643035303536353431623463353762393539363634636566396134353362633038333831
|
||||
33633632666331666665373664633138323536633264653339663463326236343862656563323835
|
||||
66633038346237356638646133626239336233633261626464626238636363666431646661366337
|
||||
32396137303664363734666238346636653531666461306335343636303861653533356266643833
|
||||
39633939666534663033336462336633636264336133633630366166356163306539613830636432
|
||||
66326661646430366332363530333338373136656234613030616338383531313138666435313562
|
||||
33346262353934636564613730396536333731653036303333343039393534643837663234346234
|
||||
30303032623565316234343834303061303333346539636138343334663131646463363863663062
|
||||
31343432383238623733346563323533636466346538616334646338366465356165613434623730
|
||||
37323930623539353764643939643963353238646230396337633362363664613431303032656639
|
||||
38613961633439613837636531653163383633373263343235303766613736616636613066316463
|
||||
63346337383864363562373562643636343764626433383634643064313831373833356132393737
|
||||
39356534623536373066663933356535356532636332343661333166663433666433363661343861
|
||||
63393734656534363761313862613364616161303735323563656265323362313061343332346238
|
||||
35353534663137653466396432353437333739363631373332316165663964653335363034636131
|
||||
33363933333764306265306161336165306234616161313466393233363431363061633730653437
|
||||
65313636366162303763663530386239343833626139643439306161623066313638323361353831
|
||||
63323531353939356337613865663737373661343362353362326637666666383535633030626163
|
||||
36386464326134333965623262356532353161316533626331623266623630383331313037376365
|
||||
37353164306433633563386436653235616661366639343035306533643732326232366537633635
|
||||
33306338386561353564643537353736663434663931343263333764633961666464373461346335
|
||||
65323462313761653361343236326632393835613538616436666534363366626637376262326462
|
||||
32366530383439646137383737303634613136396135633136316233326230323466383932616630
|
||||
66316561333961346130306531623936376636646330373237623034633135303630353566333037
|
||||
34656233316663656661623731633034643332336631356436653134366162396336643331623135
|
||||
65646466633236393036383639623066663963653431343836626664383431363663653535383565
|
||||
64333432343561623633316232623864386161376163333238623066636533353330336566313835
|
||||
66653265346331393238343862353162383234303334626261643065656637386434636564663665
|
||||
63616339663261616534376661393837343335373638366264323732353032363731376332653936
|
||||
64393262346230636366336133616366646533373530356235316561643232333664343462386539
|
||||
38396665626131646234613466396334346431316638333436633637353836313933656134383031
|
||||
38633838323163383536323735626132323565643136663030643436303363333264373061663430
|
||||
65613836313531636264633333346331343038373466653231613830383435386364636237303965
|
||||
65663635633732663636333764623133373864356363313535333136613039313035663633386338
|
||||
61343930323665616464643235396232393134373537616635663231343763346434626665393966
|
||||
31613835666563333261373533316364346538393438636636633862353431333030623933663130
|
||||
31626337303733373034666562363064373936656435636637356365386363346664306134376339
|
||||
37383335646339636265656134383432396438383732303066396636373834373037663062336335
|
||||
61346438636134333763346265653766396165626365633237373466346438363330633562353731
|
||||
61313630373137303131326134613264356462333363643463643861666239623937636535336536
|
||||
30313234623936316439643164316139386366336630616266653338383337653561656337343837
|
||||
66613234363738306235316632316666376231306561653865353636373835646263393932316134
|
||||
30313433613664306533386133376232323737633934396135626532323830346336353631383539
|
||||
38666264343962646237313332396535643863393535303437346262613861646663303037333736
|
||||
63326534313964613663376635306162653639623735633139326161323232653462343063383036
|
||||
39616233613664626161663131383366663435626432626663623638646163666535316461383531
|
||||
39663130646564373563323965386331353036366230343635363266323864623633663333656561
|
||||
33353131623065623839396634653735396262656261323963363261643761373137616232666665
|
||||
39643835383034383439393638363438633931323437613365643935383766333535643537633633
|
||||
63633133303166326432613932396331356263626166343436386463376537656231656438313563
|
||||
30653664383935383161303865363338393933363334653631616432643037626433356561636634
|
||||
34316436383462386331393231633161383362666532363561326631613137656464306262313034
|
||||
35636334623861323836326265396664373461313034343231316261616330313938333263666665
|
||||
39616163346632623764666337313561626233636363343036363331663932616530346230653663
|
||||
62373661306566373638383962356563323430613262326534663663383162396263306335613462
|
||||
39326162663161663264626437353064306238646664376666336534326263313061393133373636
|
||||
33346161376136636536393264363332633561373037326566313137366265383635376366343036
|
||||
30613763633264303536396535303236353138393032336461666131356464343930656665326535
|
||||
64393130376166383538353866323265303562326239626233636237626664346631646264386439
|
||||
65383730333534656361366438316536613138303334343665396438336164663064373838323534
|
||||
64626631363131663462303131333735633337653335623939383264363163633765326438313965
|
||||
32623662383464316133623538616139623433336435316166346336663761343536393662393733
|
||||
35333938383137383863653966363837366639303634616239643235653932643132323033373238
|
||||
38323734353563383133333538316236393162636237313061363663303764343533626466373137
|
||||
32656561383633633166386437653361313363666334636639353833323461663030313736613831
|
||||
30613832306137323637653330306637323530613935333263373338346430393265333839636566
|
||||
39336662326637363038653734323230626234346433313830656264633732666430663265383031
|
||||
65313864386637303563636239646633393335616231613531633762326430633231343264363236
|
||||
32346662623562356432
|
||||
|
@ -3,13 +3,22 @@
|
||||
batman_ipv4: 10.90.32.11/19
|
||||
batman_ipv6: fdef:f10f:1337:cafe::11/64
|
||||
batman_algo: BATMAN_IV
|
||||
global_ipv6: 2a00:9d80:6000:0101::11/64
|
||||
global_ipv6: 2001:678:ddc:11::11/64
|
||||
nextnode4: 10.90.32.1
|
||||
nextnode6: fdef:f10f:1337:cafe::1
|
||||
mtu: 1312
|
||||
|
||||
vx_wg_vni: 3665730
|
||||
|
||||
mesh_wg_port: 20010
|
||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
|
||||
|
||||
fastd_port: 10010
|
||||
|
||||
gateway_id: 11
|
||||
|
||||
site_code: ffrgb_cty
|
||||
|
||||
nat_pool: 194.156.22.12-194.156.22.13
|
||||
|
||||
ntp_server: true
|
||||
|
@ -8,8 +8,15 @@ nextnode4: 10.90.32.1
|
||||
nextnode6: fdef:f10f:1337:cafe::1
|
||||
mtu: 1312
|
||||
|
||||
vx_wg_vni: 3665730
|
||||
|
||||
mesh_wg_port: 20010
|
||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_cty }}"
|
||||
|
||||
fastd_port: 10010
|
||||
|
||||
gateway_id: 12
|
||||
|
||||
site_code: ffrgb_cty
|
||||
|
||||
ntp_server: true
|
||||
|
@ -3,13 +3,22 @@
|
||||
batman_ipv4: 10.90.64.21/19
|
||||
batman_ipv6: fdef:f20f:1337:cafe::21/64
|
||||
batman_algo: BATMAN_IV
|
||||
global_ipv6: 2a00:9d80:6000:0102::21/64
|
||||
global_ipv6: 2001:678:ddc:21::21/64
|
||||
nextnode4: 10.90.64.1
|
||||
nextnode6: fdef:f20f:1337:cafe::1
|
||||
mtu: 1312
|
||||
|
||||
vx_wg_vni: 11781694
|
||||
|
||||
mesh_wg_port: 20020
|
||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
|
||||
|
||||
fastd_port: 10020
|
||||
|
||||
gateway_id: 21
|
||||
|
||||
site_code: ffrgb_uml
|
||||
|
||||
nat_pool: 194.156.22.22-194.156.22.23
|
||||
|
||||
ntp_server: true
|
||||
|
@ -10,6 +10,13 @@ mtu: 1312
|
||||
|
||||
fastd_port: 10020
|
||||
|
||||
vx_wg_vni: 11781694
|
||||
|
||||
mesh_wg_port: 20020
|
||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
|
||||
|
||||
gateway_id: 22
|
||||
|
||||
site_code: ffrgb_uml
|
||||
|
||||
ntp_server: true
|
||||
|
@ -3,13 +3,22 @@
|
||||
batman_ipv4: 10.90.96.31/19
|
||||
batman_ipv6: fdef:f30f:1337:cafe::31/64
|
||||
batman_algo: BATMAN_IV
|
||||
global_ipv6: 2a00:9d80:6000:0103::31/64
|
||||
global_ipv6: 2001:678:ddc:31::31/64
|
||||
nextnode4: 10.90.96.1
|
||||
nextnode6: fdef:f30f:1337:cafe::1
|
||||
mtu: 1312
|
||||
|
||||
vx_wg_vni: 3120917
|
||||
|
||||
mesh_wg_port: 20030
|
||||
mesh_wg_privkey: "{{ vault_mesh_wg_privkey_tst }}"
|
||||
|
||||
fastd_port: 10030
|
||||
|
||||
gateway_id: 31
|
||||
|
||||
site_code: ffrgb_tst
|
||||
|
||||
nat_pool: 194.156.22.32-194.156.22.33
|
||||
|
||||
ntp_server: true
|
||||
|
3
host_vars/resolver.regensburg.freifunk.net
Normal file
3
host_vars/resolver.regensburg.freifunk.net
Normal file
@ -0,0 +1,3 @@
|
||||
---
|
||||
|
||||
acertmgr_mode: standalone
|
31
host_vars/stats.regensburg.freifunk.net
Normal file
31
host_vars/stats.regensburg.freifunk.net
Normal file
@ -0,0 +1,31 @@
|
||||
---
|
||||
|
||||
grafana_rendering: True
|
||||
|
||||
# yanic needs this
|
||||
site_code: ffrgb_cty
|
||||
|
||||
yanic_publisher: true
|
||||
|
||||
yanic_repondd_enable: false
|
||||
|
||||
yanic_respondd_interface: ens18
|
||||
yanic_respondd_ip: true
|
||||
|
||||
yanic_nodes_prune_after: 60d
|
||||
yanic_nodes_offline_after: 5m
|
||||
|
||||
yanic_meshviewer_enable: false
|
||||
|
||||
yanic_nodelist_enable: true
|
||||
|
||||
yanic_database_delete_after: 720d
|
||||
|
||||
yanic_dbc_repondd_enable: false
|
||||
|
||||
yanic_influxdb:
|
||||
- enable: true
|
||||
host: http://127.0.0.1:8086
|
||||
database: ffrgb
|
||||
username: "admin"
|
||||
password: "{{ vault_yanic_influx_pw }}"
|
9
hosts
9
hosts
@ -2,9 +2,12 @@
|
||||
gw11.regensburg.freifunk.net
|
||||
gw21.regensburg.freifunk.net
|
||||
gw31.regensburg.freifunk.net
|
||||
netbox.regensburg.freifunk.net
|
||||
ns1.regensburg.freifunk.net
|
||||
resolver.regensburg.freifunk.net
|
||||
stats.regensburg.freifunk.net
|
||||
sx.regensburg.freifunk.net
|
||||
tiles.regensburg.freifunk.net
|
||||
web.regensburg.freifunk.net
|
||||
stats.ffrgb ansible_host=10.90.224.100
|
||||
unms.ffrgb ansible_host=10.90.224.101
|
||||
unifi.ffrgb ansible_host=10.90.224.102
|
||||
tiles.ffrgb ansible_host=10.90.224.103
|
||||
netbox.ffrgb ansible_host=10.90.224.104
|
||||
|
@ -1,4 +1,4 @@
|
||||
#!/usr/bin/env python
|
||||
#!/usr/bin/env python3
|
||||
|
||||
EXAMPLES = '''
|
||||
# Generates a fastd key
|
||||
@ -23,7 +23,7 @@ if __name__ == '__main__':
|
||||
# create file with restrictive permissions
|
||||
with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as handle:
|
||||
# generate fastd secret
|
||||
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
|
||||
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip().decode()
|
||||
handle.write('secret "%s";\n' % secret)
|
||||
|
||||
changed = True
|
||||
|
@ -1,7 +1,7 @@
|
||||
// Unattended-Upgrade::Origins-Pattern controls which packages are
|
||||
// upgraded.
|
||||
//
|
||||
// Lines below have the format format is "keyword=value,...". A
|
||||
// Lines below have the format "keyword=value,...". A
|
||||
// package will be upgraded only if the values in its metadata match
|
||||
// all the supplied keywords in a line. (In other words, omitted
|
||||
// keywords are wild cards.) The keywords originate from the Release
|
||||
@ -19,50 +19,73 @@
|
||||
// Within lines unattended-upgrades allows 2 macros whose values are
|
||||
// derived from /etc/debian_version:
|
||||
// ${distro_id} Installed origin.
|
||||
// ${distro_codename} Installed codename (eg, "jessie")
|
||||
// ${distro_codename} Installed codename (eg, "buster")
|
||||
Unattended-Upgrade::Origins-Pattern {
|
||||
// Codename based matching:
|
||||
// This will follow the migration of a release through different
|
||||
// archives (e.g. from testing to stable and later oldstable).
|
||||
// "o=Debian,n=jessie";
|
||||
// "o=Debian,n=jessie-updates";
|
||||
// "o=Debian,n=jessie-proposed-updates";
|
||||
// "o=Debian,n=jessie,l=Debian-Security";
|
||||
// Software will be the latest available for the named release,
|
||||
// but the Debian release itself will not be automatically upgraded.
|
||||
"origin=Debian,codename=${distro_codename}-updates";
|
||||
// "origin=Debian,codename=${distro_codename}-proposed-updates";
|
||||
"origin=Debian,codename=${distro_codename},label=Debian";
|
||||
"origin=Debian,codename=${distro_codename},label=Debian-Security";
|
||||
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
|
||||
|
||||
// Archive or Suite based matching:
|
||||
// Note that this will silently match a different release after
|
||||
// migration to the specified archive (e.g. testing becomes the
|
||||
// new stable).
|
||||
"origin=Debian,codename=${distro_codename}";
|
||||
"origin=Debian,codename=${distro_codename}-updates";
|
||||
"origin=Debian,codename=${distro_codename}-proposed-updates";
|
||||
"origin=Debian,codename=${distro_codename},label=Debian-Security";
|
||||
// "o=Debian,a=stable";
|
||||
// "o=Debian,a=stable-updates";
|
||||
// "o=Debian,a=proposed-updates";
|
||||
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
|
||||
};
|
||||
|
||||
// List of packages to not update (regexp are supported)
|
||||
// Python regular expressions, matching packages to exclude from upgrading
|
||||
Unattended-Upgrade::Package-Blacklist {
|
||||
// "vim";
|
||||
// "libc6";
|
||||
// "libc6-dev";
|
||||
// "libc6-i686";
|
||||
// The following matches all packages starting with linux-
|
||||
// "linux-";
|
||||
|
||||
// Use $ to explicitely define the end of a package name. Without
|
||||
// the $, "libc6" would match all of them.
|
||||
// "libc6$";
|
||||
// "libc6-dev$";
|
||||
// "libc6-i686$";
|
||||
|
||||
// Special characters need escaping
|
||||
// "libstdc\+\+6$";
|
||||
|
||||
// The following matches packages like xen-system-amd64, xen-utils-4.1,
|
||||
// xenstore-utils and libxenstore3.0
|
||||
// "(lib)?xen(store)?";
|
||||
|
||||
// For more information about Python regular expressions, see
|
||||
// https://docs.python.org/3/howto/regex.html
|
||||
};
|
||||
|
||||
// This option allows you to control if on a unclean dpkg exit
|
||||
// unattended-upgrades will automatically run
|
||||
// dpkg --force-confold --configure -a
|
||||
// The default is true, to ensure updates keep getting installed
|
||||
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
||||
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
||||
|
||||
// Split the upgrade into the smallest possible chunks so that
|
||||
// they can be interrupted with SIGUSR1. This makes the upgrade
|
||||
// they can be interrupted with SIGTERM. This makes the upgrade
|
||||
// a bit slower but it has the benefit that shutdown while a upgrade
|
||||
// is running is possible (with a small delay)
|
||||
Unattended-Upgrade::MinimalSteps "true";
|
||||
//Unattended-Upgrade::MinimalSteps "true";
|
||||
|
||||
// Install all unattended-upgrades when the machine is shuting down
|
||||
// instead of doing it in the background while the machine is running
|
||||
// This will (obviously) make shutdown slower
|
||||
Unattended-Upgrade::InstallOnShutdown "false";
|
||||
// Install all updates when the machine is shutting down
|
||||
// instead of doing it in the background while the machine is running.
|
||||
// This will (obviously) make shutdown slower.
|
||||
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
|
||||
// This allows more time for unattended-upgrades to shut down gracefully
|
||||
// or even install a few packages in InstallOnShutdown mode, but is still a
|
||||
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
|
||||
// Users enabling InstallOnShutdown mode are advised to increase
|
||||
// InhibitDelayMaxSec even further, possibly to 30 minutes.
|
||||
//Unattended-Upgrade::InstallOnShutdown "false";
|
||||
|
||||
// Send email to this address for problems or packages upgrades
|
||||
// If empty or unset then no email is sent, make sure that you
|
||||
@ -70,11 +93,20 @@ Unattended-Upgrade::InstallOnShutdown "false";
|
||||
// 'mailx' must be installed. E.g. "user@example.com"
|
||||
Unattended-Upgrade::Mail "root";
|
||||
|
||||
// Set this value to "true" to get emails only on errors. Default
|
||||
// is to always send a mail if Unattended-Upgrade::Mail is set
|
||||
Unattended-Upgrade::MailOnlyOnError "true";
|
||||
// Set this value to one of:
|
||||
// "always", "only-on-error" or "on-change"
|
||||
// If this is not set, then any legacy MailOnlyOnError (boolean) value
|
||||
// is used to chose between "only-on-error" and "on-change"
|
||||
Unattended-Upgrade::MailReport "only-on-error";
|
||||
|
||||
// Do automatic removal of new unused dependencies after the upgrade
|
||||
// Remove unused automatically installed kernel-related packages
|
||||
// (kernel images, kernel headers and kernel version locked tools).
|
||||
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
||||
|
||||
// Do automatic removal of newly unused dependencies after the upgrade
|
||||
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
|
||||
|
||||
// Do automatic removal of unused packages after the upgrade
|
||||
// (equivalent to apt-get autoremove)
|
||||
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
||||
|
||||
@ -82,7 +114,8 @@ Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
||||
// the file /var/run/reboot-required is found after the upgrade
|
||||
Unattended-Upgrade::Automatic-Reboot "false";
|
||||
|
||||
// Automatically reboot even if there are users currently logged in.
|
||||
// Automatically reboot even if there are users currently logged in
|
||||
// when Unattended-Upgrade::Automatic-Reboot is set to true
|
||||
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
|
||||
|
||||
// If automatic reboot is enabled and needed, reboot at the specific
|
||||
@ -92,10 +125,40 @@ Unattended-Upgrade::Automatic-Reboot "false";
|
||||
|
||||
// Use apt bandwidth limit feature, this example limits the download
|
||||
// speed to 70kb/sec
|
||||
Acquire::http::Dl-Limit "200";
|
||||
//Acquire::http::Dl-Limit "70";
|
||||
|
||||
// Enable logging to syslog. Default is False
|
||||
// Unattended-Upgrade::SyslogEnable "false";
|
||||
|
||||
// Specify syslog facility. Default is daemon
|
||||
// Unattended-Upgrade::SyslogFacility "daemon";
|
||||
|
||||
// Download and install upgrades only on AC power
|
||||
// (i.e. skip or gracefully stop updates on battery)
|
||||
// Unattended-Upgrade::OnlyOnACPower "true";
|
||||
|
||||
// Download and install upgrades only on non-metered connection
|
||||
// (i.e. skip or gracefully stop updates on a metered connection)
|
||||
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
|
||||
|
||||
// Verbose logging
|
||||
// Unattended-Upgrade::Verbose "false";
|
||||
|
||||
// Print debugging information both in unattended-upgrades and
|
||||
// in unattended-upgrade-shutdown
|
||||
// Unattended-Upgrade::Debug "false";
|
||||
|
||||
// Allow package downgrade if Pin-Priority exceeds 1000
|
||||
// Unattended-Upgrade::Allow-downgrade "false";
|
||||
|
||||
// When APT fails to mark a package to be upgraded or installed try adjusting
|
||||
// candidates of related packages to help APT's resolver in finding a solution
|
||||
// where the package can be upgraded or installed.
|
||||
// This is a workaround until APT's resolver is fixed to always find a
|
||||
// solution if it exists. (See Debian bug #711128.)
|
||||
// The fallback is enabled by default, except on Debian's sid release because
|
||||
// uninstallable packages are frequent there.
|
||||
// Disabling the fallback speeds up unattended-upgrades when there are
|
||||
// uninstallable packages at the expense of rarely keeping back packages which
|
||||
// could be upgraded or installed.
|
||||
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
|
||||
|
@ -8,6 +8,7 @@
|
||||
name:
|
||||
- apt-transport-https
|
||||
- debian-goodies
|
||||
- gnupg2
|
||||
- lsof
|
||||
- unattended-upgrades
|
||||
|
||||
|
@ -8,4 +8,4 @@
|
||||
- { key: 'net.ipv4.neigh.default.gc_thresh3', value: 8192 }
|
||||
- { key: 'net.ipv6.neigh.default.gc_thresh1', value: 2048 }
|
||||
- { key: 'net.ipv6.neigh.default.gc_thresh2', value: 4096 }
|
||||
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 8192 }
|
||||
- { key: 'net.ipv6.neigh.default.gc_thresh3', value: 32768 }
|
File diff suppressed because it is too large
Load Diff
@ -1,7 +1,13 @@
|
||||
---
|
||||
|
||||
- name: Restart chrony
|
||||
service: name=chrony state=restarted
|
||||
|
||||
- name: Restart journald
|
||||
service: name=systemd-journald state=restarted
|
||||
|
||||
- name: update-grub
|
||||
command: update-grub
|
||||
|
||||
- name: update-initramfs
|
||||
command: update-initramfs -u -k all
|
||||
|
79
roles/common/tasks/Debian.yml
Normal file
79
roles/common/tasks/Debian.yml
Normal file
@ -0,0 +1,79 @@
|
||||
---
|
||||
|
||||
- name: Install misc software
|
||||
apt:
|
||||
name:
|
||||
- ca-certificates
|
||||
- dnsutils
|
||||
- git
|
||||
- htop
|
||||
- less
|
||||
- mtr-tiny
|
||||
- net-tools
|
||||
- openssl
|
||||
- psmisc
|
||||
- pydf
|
||||
- rsync
|
||||
- sudo
|
||||
- vim-nox
|
||||
- wget
|
||||
- zsh
|
||||
- fail2ban
|
||||
|
||||
- name: Install software on KVM VMs
|
||||
apt:
|
||||
name:
|
||||
- acpid
|
||||
- qemu-guest-agent
|
||||
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
|
||||
|
||||
- name: Configure misc software
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
diff: no
|
||||
with_items:
|
||||
- { src: ".zshrc", dest: "/root/.zshrc" }
|
||||
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
||||
- { src: "motd", dest: "/etc/motd" }
|
||||
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
||||
|
||||
- name: Set shell for root user
|
||||
user: name=root shell=/bin/zsh
|
||||
|
||||
- name: Disable hibernation/resume
|
||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||
notify: update-initramfs
|
||||
|
||||
- name: Enable serial console on KVM VMs
|
||||
lineinfile:
|
||||
path: "/etc/default/grub"
|
||||
state: "present"
|
||||
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
|
||||
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
|
||||
notify: update-grub
|
||||
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
|
||||
|
||||
- name: Prevent normal users from running su
|
||||
lineinfile:
|
||||
path: /etc/pam.d/su
|
||||
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
|
||||
line: "auth required pam_wheel.so"
|
||||
|
||||
- name: Configure journald retention
|
||||
lineinfile:
|
||||
path: "/etc/systemd/journald.conf"
|
||||
state: "present"
|
||||
regexp: "^#?MaxRetentionSec=.*"
|
||||
line: "MaxRetentionSec=7day"
|
||||
notify: Restart journald
|
||||
|
||||
- name: Set logrotate.conf to daily
|
||||
replace:
|
||||
path: "/etc/logrotate.conf"
|
||||
regexp: "(?:weekly|monthly)"
|
||||
replace: "daily"
|
||||
|
||||
- name: Set logrotate.conf rotation to 7
|
||||
replace:
|
||||
path: "/etc/logrotate.conf"
|
||||
regexp: "rotate [0-9]+"
|
||||
replace: "rotate 7"
|
25
roles/common/tasks/Proxmox.yml
Normal file
25
roles/common/tasks/Proxmox.yml
Normal file
@ -0,0 +1,25 @@
|
||||
---
|
||||
|
||||
- name: Install misc software
|
||||
apt:
|
||||
name:
|
||||
- dnsutils
|
||||
- htop
|
||||
- ipmitool
|
||||
- less
|
||||
- rsync
|
||||
- vim-nox
|
||||
- wget
|
||||
- zsh
|
||||
|
||||
- name: Configure misc software
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
diff: no
|
||||
with_items:
|
||||
- { src: ".zshrc", dest: "/root/.zshrc" }
|
||||
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
||||
- { src: "motd", dest: "/etc/motd" }
|
||||
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
||||
|
||||
- name: Set shell for root user
|
||||
user: name=root shell=/bin/zsh
|
11
roles/common/tasks/chrony.yml
Normal file
11
roles/common/tasks/chrony.yml
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
|
||||
- name: Install chrony
|
||||
apt: name=chrony
|
||||
|
||||
- name: Configure chrony
|
||||
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
|
||||
notify: Restart chrony
|
||||
|
||||
- name: Start chrony
|
||||
service: name=chrony state=started enabled=yes
|
@ -1,75 +1,21 @@
|
||||
---
|
||||
|
||||
- name: Install misc software
|
||||
apt: name={{ item }}
|
||||
with_items:
|
||||
- dnsutils
|
||||
- git
|
||||
- htop
|
||||
- less
|
||||
- mtr-tiny
|
||||
- net-tools
|
||||
- openssl
|
||||
- psmisc
|
||||
- pydf
|
||||
- rsync
|
||||
- sudo
|
||||
- vim-nox
|
||||
- zsh
|
||||
- fail2ban
|
||||
- name: Cleanup
|
||||
apt: autoclean=yes
|
||||
when: ansible_os_family == "Debian"
|
||||
|
||||
- name: Install software on KVM VMs
|
||||
apt: name={{ item }}
|
||||
with_items:
|
||||
- acpid
|
||||
- qemu-guest-agent
|
||||
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
|
||||
- name: Gather package facts
|
||||
package_facts:
|
||||
manager: apt
|
||||
when: ansible_os_family == "Debian"
|
||||
|
||||
- name: Configure misc software
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
diff: no
|
||||
with_items:
|
||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||
- { src: 'motd', dest: '/etc/motd' }
|
||||
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
|
||||
- name: Proxmox
|
||||
include: Proxmox.yml
|
||||
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
|
||||
|
||||
- name: Set shell for root user
|
||||
user: name=root shell=/bin/zsh
|
||||
- name: Debian
|
||||
include: Debian.yml
|
||||
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
|
||||
|
||||
- name: Disable hibernation/resume
|
||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||
notify: update-initramfs
|
||||
|
||||
- name: use new-style network interface names
|
||||
file: path=/etc/systemd/network/{{ item }} state=absent
|
||||
with_items:
|
||||
- 50-virtio-kernel-names.link
|
||||
- 99-default.link
|
||||
notify: update-initramfs
|
||||
|
||||
- name: Prevent normal users from running su
|
||||
lineinfile:
|
||||
path: /etc/pam.d/su
|
||||
regexp: '^.*auth\s+required\s+pam_wheel.so$'
|
||||
line: 'auth required pam_wheel.so'
|
||||
|
||||
- name: Configure journald retention
|
||||
lineinfile:
|
||||
path: "/etc/systemd/journald.conf"
|
||||
state: "present"
|
||||
regexp: "^#?MaxRetentionSec=.*"
|
||||
line: "MaxRetentionSec=7day"
|
||||
notify: Restart journald
|
||||
|
||||
- name: Set logrotate.conf to daily
|
||||
replace:
|
||||
path: "/etc/logrotate.conf"
|
||||
regexp: "(?:weekly|monthly)"
|
||||
replace: "daily"
|
||||
|
||||
- name: Set logrotate.conf rotation to 7
|
||||
replace:
|
||||
path: "/etc/logrotate.conf"
|
||||
regexp: "rotate [0-9]+"
|
||||
replace: "rotate 7"
|
||||
- name: Setup chrony
|
||||
include: chrony.yml
|
||||
|
53
roles/common/templates/chrony.conf.j2
Normal file
53
roles/common/templates/chrony.conf.j2
Normal file
@ -0,0 +1,53 @@
|
||||
# Welcome to the chrony configuration file. See chrony.conf(5) for more
|
||||
# information about usable directives.
|
||||
|
||||
# Include configuration files found in /etc/chrony/conf.d.
|
||||
confdir /etc/chrony/conf.d
|
||||
|
||||
{% for srv in ntp_servers %}
|
||||
server {{ srv }} iburst
|
||||
{% endfor %}
|
||||
{% if ntp_peers is defined %}
|
||||
|
||||
{% for peer in ntp_peers %}
|
||||
peer {{ peer }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if ntp_server is defined and ntp_server is true %}
|
||||
allow 10.90.0.0/16
|
||||
allow 2001:678:ddc::/48
|
||||
{% endif -%}
|
||||
|
||||
# This directive specify the location of the file containing ID/key pairs for
|
||||
# NTP authentication.
|
||||
keyfile /etc/chrony/chrony.keys
|
||||
|
||||
# This directive specify the file into which chronyd will store the rate
|
||||
# information.
|
||||
driftfile /var/lib/chrony/chrony.drift
|
||||
|
||||
# Save NTS keys and cookies.
|
||||
ntsdumpdir /var/lib/chrony
|
||||
|
||||
# Uncomment the following line to turn logging on.
|
||||
#log tracking measurements statistics
|
||||
|
||||
# Log files location.
|
||||
logdir /var/log/chrony
|
||||
|
||||
# Stop bad estimates upsetting machine clock.
|
||||
maxupdateskew 100.0
|
||||
|
||||
# This directive enables kernel synchronisation (every 11 minutes) of the
|
||||
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
|
||||
rtcsync
|
||||
|
||||
# Step the system clock instead of slewing it if the adjustment is larger than
|
||||
# one second, but only in the first three clock updates.
|
||||
makestep 1 3
|
||||
|
||||
# Get TAI-UTC offset and leap seconds from the system tz database.
|
||||
# This directive must be commented out when using time sources serving
|
||||
# leap-smeared time.
|
||||
leapsectz right/UTC
|
@ -2,5 +2,5 @@
|
||||
|
||||
dhcpd_interfaces: br-{{ site_code }}
|
||||
dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
|
||||
dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
|
||||
dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
|
||||
name_server: "{{ batman_ipv4 | ipaddr('address') }}"
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
# option definitions common to all supported networks...
|
||||
option domain-name "{{ site_domain }}";
|
||||
option domain-name-servers {{nextnode4}}, {{ name_server }};
|
||||
option domain-name-servers {{ nextnode4 }}, {{ name_server }};
|
||||
|
||||
local-address {{ batman_ipv4 | ipaddr('address') }};
|
||||
|
||||
|
@ -1,28 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Install powerdns
|
||||
apt: name={{ item }}
|
||||
with_items:
|
||||
- pdns-backend-bind
|
||||
- pdns-recursor
|
||||
- pdns-server
|
||||
|
||||
- name: Create zone directory
|
||||
file: path=/etc/powerdns/bind/ state=directory
|
||||
|
||||
- name: Configure powerdns
|
||||
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
|
||||
tags: dns
|
||||
notify: Restart powerdns
|
||||
with_items:
|
||||
- bind/ffrgb.zone
|
||||
- bind/90.10.in-addr.arpa.zone
|
||||
- bindbackend.conf
|
||||
- pdns.conf
|
||||
- recursor.conf
|
||||
|
||||
- name: Start the powerdns services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- pdns
|
||||
- pdns-recursor
|
4
roles/dns_auth/handlers/main.yml
Normal file
4
roles/dns_auth/handlers/main.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
|
||||
- name: Restart powerdns
|
||||
service: name=pdns state=restarted
|
22
roles/dns_auth/tasks/main.yml
Normal file
22
roles/dns_auth/tasks/main.yml
Normal file
@ -0,0 +1,22 @@
|
||||
---
|
||||
|
||||
- name: Install powerdns
|
||||
apt:
|
||||
name:
|
||||
- pdns-server
|
||||
- pdns-backend-sqlite3
|
||||
- sqlite3
|
||||
|
||||
- name: Configure powerdns
|
||||
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
|
||||
notify: Restart powerdns
|
||||
|
||||
- name: Initialize database
|
||||
command:
|
||||
cmd: >
|
||||
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
||||
/var/lib/powerdns/powerdns.sqlite3
|
||||
creates: /var/lib/powerdns/powerdns.sqlite3
|
||||
|
||||
- name: Start the powerdns services
|
||||
service: name=pdns state=started enabled=yes
|
35
roles/dns_auth/templates/pdns.conf.j2
Normal file
35
roles/dns_auth/templates/pdns.conf.j2
Normal file
@ -0,0 +1,35 @@
|
||||
#################################
|
||||
# allow-axfr-ips Allow zonetransfers only to these subnets
|
||||
#
|
||||
# allow-axfr-ips=127.0.0.0/8,::1
|
||||
allow-axfr-ips=127.0.0.1,::1,{{ dns_slaves | join(',') }}
|
||||
|
||||
#################################
|
||||
# dname-processing If we should support DNAME records
|
||||
#
|
||||
# dname-processing=no
|
||||
dname-processing=yes
|
||||
|
||||
#################################
|
||||
# launch Which backends to launch and order to query them in
|
||||
#
|
||||
# launch=
|
||||
launch=gsqlite3
|
||||
|
||||
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
|
||||
|
||||
#################################
|
||||
# master Act as a master
|
||||
#
|
||||
# master=no
|
||||
master=yes
|
||||
|
||||
#################################
|
||||
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
|
||||
#
|
||||
# only-notify=0.0.0.0/0,::/0
|
||||
only-notify=
|
||||
|
||||
# security-poll-suffix Domain name from which to query security update notifications
|
||||
#
|
||||
security-poll-suffix=
|
10
roles/dns_resolver/handlers/main.yml
Normal file
10
roles/dns_resolver/handlers/main.yml
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
||||
- name: Restart powerdns
|
||||
service: name=pdns-recursor state=restarted
|
||||
|
||||
- name: Restart dnsdist
|
||||
service: name=dnsdist state=restarted
|
4
roles/dns_resolver/meta/main.yml
Normal file
4
roles/dns_resolver/meta/main.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
|
||||
dependencies:
|
||||
- { role: acertmgr }
|
35
roles/dns_resolver/tasks/main.yml
Normal file
35
roles/dns_resolver/tasks/main.yml
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
|
||||
- name: Install powerdns
|
||||
apt:
|
||||
name:
|
||||
- dnsdist
|
||||
- pdns-recursor
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command:
|
||||
cmd: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
|
||||
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
||||
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
notify: Restart dnsdist
|
||||
|
||||
- name: Configure certificate manager
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure powerdns
|
||||
template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
|
||||
notify: Restart powerdns
|
||||
|
||||
- name: Configure dnsdist
|
||||
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
||||
notify: Restart dnsdist
|
||||
|
||||
- name: Start the dns services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- dnsdist
|
||||
- pdns-recursor
|
15
roles/dns_resolver/templates/certs.j2
Normal file
15
roles/dns_resolver/templates/certs.j2
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
|
||||
{{ ansible_fqdn }}:
|
||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
user: _dnsdist
|
||||
group: _dnsdist
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service dnsdist restart'
|
||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
|
||||
user: _dnsdist
|
||||
group: _dnsdist
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service dnsdist restart'
|
24
roles/dns_resolver/templates/dnsdist.conf.j2
Normal file
24
roles/dns_resolver/templates/dnsdist.conf.j2
Normal file
@ -0,0 +1,24 @@
|
||||
-- {{ ansible_managed }}
|
||||
|
||||
setLocal('127.0.0.1')
|
||||
addLocal('::1')
|
||||
addLocal('{{ ansible_default_ipv4.address }}')
|
||||
addLocal('{{ ansible_default_ipv6.address }}')
|
||||
|
||||
setACL({'0.0.0.0/0', '::/0'})
|
||||
|
||||
addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
|
||||
|
||||
newServer({address='127.0.0.1:5353', name='localhost'})
|
||||
|
||||
addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
||||
addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
||||
|
||||
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
|
||||
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
|
||||
|
||||
-- HTTP Endpoint for Prometheus
|
||||
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
|
||||
|
||||
-- disable security status polling via DNS
|
||||
setSecurityPollSuffix('')
|
53
roles/dns_resolver/templates/recursor.conf.j2
Normal file
53
roles/dns_resolver/templates/recursor.conf.j2
Normal file
@ -0,0 +1,53 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
#################################
|
||||
# allow-from If set, only allow these comma separated netmasks to recurse
|
||||
#
|
||||
#allow-from=127.0.0.0/8
|
||||
|
||||
#################################
|
||||
# config-dir Location of configuration directory (recursor.conf)
|
||||
#
|
||||
config-dir=/etc/powerdns
|
||||
|
||||
#################################
|
||||
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
||||
#
|
||||
# dnssec=process-no-validate
|
||||
dnssec=off
|
||||
|
||||
#################################
|
||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||
#
|
||||
local-address=127.0.0.1
|
||||
|
||||
#################################
|
||||
# local-port port to listen on
|
||||
#
|
||||
local-port=5353
|
||||
|
||||
#################################
|
||||
# query-local-address Source IP address for sending queries
|
||||
#
|
||||
query-local-address=::,0.0.0.0
|
||||
|
||||
#################################
|
||||
# quiet Suppress logging of questions and answers
|
||||
#
|
||||
quiet=yes
|
||||
|
||||
#################################
|
||||
# security-poll-suffix Domain name from which to query security update notifications
|
||||
#
|
||||
# security-poll-suffix=secpoll.powerdns.com.
|
||||
security-poll-suffix=
|
||||
|
||||
#################################
|
||||
# setgid If set, change group id to this gid for more security
|
||||
#
|
||||
setgid=pdns
|
||||
|
||||
#################################
|
||||
# setuid If set, change user id to this uid for more security
|
||||
#
|
||||
setuid=pdns
|
@ -1,7 +1,13 @@
|
||||
---
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
||||
- name: Restart powerdns
|
||||
service: name={{ item }} state=restarted
|
||||
with_items:
|
||||
- pdns
|
||||
- pdns-recursor
|
||||
|
||||
- name: Restart dnsdist
|
||||
service: name=dnsdist state=restarted
|
47
roles/dns_split/tasks/main.yml
Normal file
47
roles/dns_split/tasks/main.yml
Normal file
@ -0,0 +1,47 @@
|
||||
---
|
||||
|
||||
- name: Install powerdns
|
||||
apt:
|
||||
name:
|
||||
- dnsdist
|
||||
- pdns-backend-bind
|
||||
- pdns-recursor
|
||||
- pdns-server
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command:
|
||||
cmd: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/dnsdist/{{ ansible_fqdn }}.key
|
||||
-out /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
||||
creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
notify: Restart dnsdist
|
||||
|
||||
- name: Configure certificate manager
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Create zone directory
|
||||
file: path=/etc/powerdns/bind/ state=directory
|
||||
|
||||
- name: Configure powerdns
|
||||
template: src={{ item }}.j2 dest=/etc/powerdns/{{ item }}
|
||||
notify: Restart powerdns
|
||||
with_items:
|
||||
- bind/ffrgb.zone
|
||||
- bind/90.10.in-addr.arpa.zone
|
||||
- bindbackend.conf
|
||||
- pdns.conf
|
||||
- recursor.conf
|
||||
|
||||
- name: Configure dnsdist
|
||||
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
||||
notify: Restart dnsdist
|
||||
|
||||
- name: Start the dns services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- dnsdist
|
||||
- pdns
|
||||
- pdns-recursor
|
15
roles/dns_split/templates/certs.j2
Normal file
15
roles/dns_split/templates/certs.j2
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
|
||||
{{ ansible_fqdn }}:
|
||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
|
||||
user: _dnsdist
|
||||
group: _dnsdist
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service dnsdist restart'
|
||||
- path: /etc/dnsdist/{{ ansible_fqdn }}.key
|
||||
user: _dnsdist
|
||||
group: _dnsdist
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service dnsdist restart'
|
20
roles/dns_split/templates/dnsdist.conf.j2
Normal file
20
roles/dns_split/templates/dnsdist.conf.j2
Normal file
@ -0,0 +1,20 @@
|
||||
-- {{ ansible_managed }}
|
||||
|
||||
setLocal('127.0.0.1')
|
||||
addLocal('::1')
|
||||
addLocal('{{ batman_ipv4 | ipaddr('address') }}')
|
||||
addLocal('{{ batman_ipv6 | ipaddr('address') }}')
|
||||
|
||||
newServer({address='127.0.0.1:5353', name='localhost'})
|
||||
|
||||
addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
||||
addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
|
||||
|
||||
-- Disable DoH: see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
|
||||
addAction('use-application-dns.net', RCodeAction(DNSRCode.NXDOMAIN))
|
||||
|
||||
-- HTTP Endpoint for Prometheus
|
||||
webserver('0.0.0.0:8053', '{{ prometheus_dnsdist_pass }}', '{{ prometheus_dnsdist_pass }}', {}, '194.156.22.3, 2001:678:ddc::3')
|
||||
|
||||
-- disable security status polling via DNS
|
||||
setSecurityPollSuffix('')
|
@ -12,12 +12,6 @@ launch=bind
|
||||
# local-address=0.0.0.0
|
||||
local-address=127.0.0.1
|
||||
|
||||
#################################
|
||||
# local-ipv6 Local IP address to which we bind
|
||||
#
|
||||
# local-ipv6=::
|
||||
local-ipv6=
|
||||
|
||||
#################################
|
||||
# local-port The port on which we listen
|
||||
#
|
@ -25,19 +25,17 @@ forward-zones=ffrgb=127.0.0.1:5300,90.10.in-addr.arpa=127.0.0.1:5300
|
||||
#################################
|
||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||
#
|
||||
local-address=127.0.0.1,{{ batman_ipv4 | ipaddr('address') }},{{ batman_ipv6 | ipaddr('address') }}
|
||||
local-address=127.0.0.1
|
||||
|
||||
#################################
|
||||
# local-port port to listen on
|
||||
#
|
||||
local-port=53
|
||||
local-port=5353
|
||||
|
||||
#################################
|
||||
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
|
||||
# query-local-address Source IP address for sending queries
|
||||
#
|
||||
{% if global_ipv6 is defined %}
|
||||
query-local-address6={{ global_ipv6 | ipaddr('address') }}
|
||||
{% endif %}
|
||||
query-local-address=::,0.0.0.0
|
||||
|
||||
#################################
|
||||
# quiet Suppress logging of questions and answers
|
@ -1,17 +1,10 @@
|
||||
---
|
||||
|
||||
- name: Enable docker apt-key
|
||||
apt_key: url='https://download.docker.com/linux/debian/gpg'
|
||||
|
||||
- name: Enable docker repository
|
||||
apt_repository:
|
||||
repo: 'deb https://download.docker.com/linux/debian buster stable'
|
||||
filename: docker
|
||||
|
||||
- name: Install docker
|
||||
apt:
|
||||
name:
|
||||
- docker-ce
|
||||
- docker-ce-cli
|
||||
- containerd.io
|
||||
- python-docker
|
||||
- docker.io
|
||||
- python3-docker
|
||||
|
||||
- name: Enable docker
|
||||
service: name=docker state=started enabled=yes
|
||||
|
@ -1,4 +0,0 @@
|
||||
---
|
||||
|
||||
conntrack_max: 131072
|
||||
fastd_instances: 3
|
5
roles/exit_ip/defaults/main.yml
Normal file
5
roles/exit_ip/defaults/main.yml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
|
||||
conntrack_max: 131072
|
||||
fastd_instances: 3
|
||||
nat_pool: "{{ ansible_default_ipv4.address }}"
|
@ -4,12 +4,14 @@
|
||||
:INPUT ACCEPT [1:136]
|
||||
:OUTPUT ACCEPT [2:472]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
|
||||
-A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j SNAT --to-source {{ nat_pool }}
|
||||
COMMIT
|
||||
*filter
|
||||
:INPUT ACCEPT [1124:131621]
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
|
||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
|
||||
:FORWARD ACCEPT [0:0]
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
:OUTPUT ACCEPT [1151:175226]
|
@ -1,9 +1,13 @@
|
||||
# {{ ansible_managed }}
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
|
||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
|
||||
-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
|
||||
:FORWARD ACCEPT [0:0]
|
||||
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -m limit --limit 200/sec -j ACCEPT
|
||||
-A OUTPUT -o br-{{ site_code }} -p icmpv6 --icmpv6-type 135 -j DROP
|
||||
COMMIT
|
@ -11,7 +11,6 @@ interface "vpn-{{ site_code }}{{ item }}";
|
||||
|
||||
method "null";
|
||||
method "salsa2012+umac";
|
||||
method "xsalsa20-poly1305";
|
||||
|
||||
secure handshakes yes;
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
---
|
||||
|
||||
dependencies:
|
||||
- { role: git }
|
||||
- { role: go }
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Install git
|
||||
apt: name=git
|
||||
|
||||
- name: Install ca-certificates
|
||||
apt: name=ca-certificates
|
3
roles/grafana/defaults/main.yml
Normal file
3
roles/grafana/defaults/main.yml
Normal file
@ -0,0 +1,3 @@
|
||||
---
|
||||
|
||||
grafana_rendering: False
|
@ -1,10 +1,38 @@
|
||||
---
|
||||
|
||||
- name: Enable grafana apt-key
|
||||
apt_key: url='https://packages.grafana.com/gpg.key'
|
||||
- name: Retrieve Grafana Key and avoid apt_key
|
||||
block:
|
||||
- name: grafana |no apt key
|
||||
ansible.builtin.get_url:
|
||||
url: https://apt.grafana.com/gpg.key
|
||||
dest: /usr/share/keyrings/grafana.key
|
||||
|
||||
- name: Enable grafana repository
|
||||
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
|
||||
apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
|
||||
|
||||
- name: Install grafana
|
||||
apt: name=grafana
|
||||
|
||||
- name: Install grafana rendering dependencies
|
||||
apt:
|
||||
name:
|
||||
- libxdamage1
|
||||
- libxext6
|
||||
- libxi6
|
||||
- libxtst6
|
||||
- libnss3
|
||||
- libnss3
|
||||
- libcups2
|
||||
- libxss1
|
||||
- libxrandr2
|
||||
- libasound2
|
||||
- libatk1.0-0
|
||||
- libatk-bridge2.0-0
|
||||
- libpangocairo-1.0-0
|
||||
- libpango-1.0-0
|
||||
- libcairo2
|
||||
- libatspi2.0-0
|
||||
- libgtk3.0-cil
|
||||
- libgdk3.0-cil
|
||||
- libx11-xcb-dev
|
||||
when: grafana_rendering
|
||||
|
23
roles/influxdb/tasks/main.yml
Normal file
23
roles/influxdb/tasks/main.yml
Normal file
@ -0,0 +1,23 @@
|
||||
---
|
||||
|
||||
- name: Import Influxdb GPG siging key with store
|
||||
ansible.builtin.get_url:
|
||||
url: "https://repos.influxdata.com/influxdata-archive_compat.key"
|
||||
dest: /etc/apt/trusted.gpg.d/influxdb.key
|
||||
checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
|
||||
|
||||
- name: Convert key
|
||||
ansible.builtin.command:
|
||||
argv:
|
||||
- gpg
|
||||
- --dearmor
|
||||
- /etc/apt/trusted.gpg.d/influxdb.key
|
||||
creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
|
||||
|
||||
- name: Enable InfluxDB repository
|
||||
ansible.builtin.apt_repository:
|
||||
repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
|
||||
state: present
|
||||
|
||||
- name: Install influxdb
|
||||
apt: name=influxdb
|
@ -1,8 +1,9 @@
|
||||
[Unit]
|
||||
Description=ifupdown2 networking initialization
|
||||
Description=Network initialization
|
||||
Documentation=man:interfaces(5) man:ifup(8) man:ifdown(8)
|
||||
DefaultDependencies=no
|
||||
Before=network.target shutdown.target network-online.target
|
||||
After=local-fs.target network-pre.target
|
||||
Before=shutdown.target network.target network-online.target
|
||||
Conflicts=shutdown.target
|
||||
|
||||
[Service]
|
||||
@ -10,6 +11,7 @@ Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
SyslogIdentifier=networking
|
||||
TimeoutStopSec=30s
|
||||
EnvironmentFile=/etc/default/networking
|
||||
ExecStart=/usr/share/ifupdown2/sbin/start-networking start
|
||||
ExecStop=/usr/share/ifupdown2/sbin/start-networking stop
|
||||
ExecReload=/usr/share/ifupdown2/sbin/start-networking reload
|
@ -1,10 +1,13 @@
|
||||
---
|
||||
|
||||
- name: Install dependencies
|
||||
apt: name=python-pkg-resources
|
||||
apt:
|
||||
name:
|
||||
- bridge-utils
|
||||
|
||||
# work-around to get a version new enough not to screw up forwarding setting on all interfaces
|
||||
- name: Install ifupdown2
|
||||
apt: name=ifupdown2 state=latest
|
||||
apt: deb=http://moepman.eu/tmp/ifupdown2_3.1.0-1_all.deb
|
||||
|
||||
- name: Uninstall ifupdown
|
||||
apt: name=ifupdown state=absent
|
@ -14,6 +14,8 @@ iface br-{{ site_code }}
|
||||
{% if global_ipv6 is defined %}
|
||||
address {{ global_ipv6 }}
|
||||
{% endif %}
|
||||
#
|
||||
post-up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
|
||||
|
||||
# bat-{{ site_code }}
|
||||
auto bat-{{ site_code }}
|
||||
@ -21,18 +23,14 @@ iface bat-{{ site_code }}
|
||||
hwaddress f2:00:90:00:{{ gateway_id }}:20
|
||||
mtu 1500
|
||||
#
|
||||
batman-hop-penalty 5
|
||||
batman-ifaces dmy-{{ site_code }}
|
||||
batman-ifaces-ignore-regex .*_.*
|
||||
batman-routing-algo {{ batman_algo }}
|
||||
#
|
||||
# TODO use batman-xyz instead of batctl
|
||||
# see /usr/share/ifupdown2/addons/batman_adv.py
|
||||
#
|
||||
up /usr/sbin/batctl -m bat-{{ site_code }} gw_mode server 100000 100000
|
||||
up /usr/sbin/batctl -m bat-{{ site_code }} it 5000
|
||||
up /usr/sbin/batctl -m bat-{{ site_code }} multicast_mode 0
|
||||
up /usr/sbin/batctl -m bat-{{ site_code }} ra {{ batman_algo }}
|
||||
up echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
|
||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} gw server
|
||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} hp 5
|
||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} it 5000
|
||||
post-up /usr/sbin/batctl meshif bat-{{ site_code }} mff 1
|
||||
|
||||
|
||||
# dmy-{{ site_code }}
|
1
roles/mesh_wg/files/ping
Normal file
1
roles/mesh_wg/files/ping
Normal file
@ -0,0 +1 @@
|
||||
OK
|
4
roles/mesh_wg/handlers/main.yml
Normal file
4
roles/mesh_wg/handlers/main.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
|
||||
- name: Reload interfaces
|
||||
command: /sbin/ifreload -a
|
25
roles/mesh_wg/tasks/main.yml
Normal file
25
roles/mesh_wg/tasks/main.yml
Normal file
@ -0,0 +1,25 @@
|
||||
---
|
||||
|
||||
- name: Install wireguard
|
||||
apt: name=wireguard-tools
|
||||
|
||||
- name: Create wireguard config directory
|
||||
file:
|
||||
path: /etc/wireguard
|
||||
state: directory
|
||||
mode: 0700
|
||||
|
||||
- name: Configure wireguard options
|
||||
template: src=wg.conf.j2 dest=/etc/wireguard/wg-{{ site_code }}.conf mode=0600
|
||||
notify: Reload interfaces
|
||||
|
||||
- name: Configure mesh interfaces
|
||||
template: src=mesh_wg.conf.j2 dest=/etc/network/interfaces.d/mesh_wg.conf
|
||||
notify: Reload interfaces
|
||||
|
||||
- name: Install wgskex
|
||||
apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
|
||||
|
||||
|
||||
- name: Install ping endpoint
|
||||
copy: src=ping dest=/var/www/html/ping
|
21
roles/mesh_wg/templates/mesh_wg.conf.j2
Normal file
21
roles/mesh_wg/templates/mesh_wg.conf.j2
Normal file
@ -0,0 +1,21 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# vx-{{ site_code }}
|
||||
auto vx-{{ site_code }}
|
||||
iface vx-{{ site_code }}
|
||||
mtu 1350
|
||||
vxlan-physdev wg-{{ site_code }}
|
||||
pre-up ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
|
||||
up ip link set vx-{{ site_code }} up
|
||||
post-up batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
|
||||
down ip link set vx-{{ site_code }} down
|
||||
post-down ip -6 link del vx-{{ site_code }}
|
||||
|
||||
# wg-{{ site_code }}
|
||||
auto wg-{{ site_code }}
|
||||
iface wg-{{ site_code }}
|
||||
address fe80::{{ gateway_id }}/128
|
||||
ipv6-addrgen no
|
||||
pre-up ip link add dev wg-{{ site_code }} type wireguard
|
||||
pre-up wg setconf wg-{{ site_code }} /etc/wireguard/wg-{{ site_code }}.conf
|
||||
post-up ip link set wg-{{ site_code }} mtu 1420
|
3
roles/mesh_wg/templates/wg.conf.j2
Normal file
3
roles/mesh_wg/templates/wg.conf.j2
Normal file
@ -0,0 +1,3 @@
|
||||
[Interface]
|
||||
PrivateKey = {{ mesh_wg_privkey }}
|
||||
ListenPort = {{ mesh_wg_port }}
|
@ -2,4 +2,4 @@
|
||||
|
||||
netbox_group: netbox
|
||||
netbox_user: netbox
|
||||
netbox_version: 2.8.7
|
||||
netbox_version: 4.1.8
|
||||
|
13
roles/netbox/handlers/main.yml
Normal file
13
roles/netbox/handlers/main.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart netbox
|
||||
service: name=netbox state=restarted
|
||||
|
||||
- name: Restart netbox-rq
|
||||
service: name=netbox-rq state=restarted
|
@ -15,7 +15,7 @@
|
||||
- libssl-dev
|
||||
- libxml2-dev
|
||||
- libxslt1-dev
|
||||
- python-setuptools
|
||||
- python3-setuptools
|
||||
- python3-dev
|
||||
- python3-pip
|
||||
- python3-venv
|
||||
@ -25,85 +25,107 @@
|
||||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- python-psycopg2
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db:
|
||||
name: '{{ netbox_dbname }}'
|
||||
become: true
|
||||
become_user: postgres
|
||||
- python3-psycopg2
|
||||
|
||||
- name: Configure PostgreSQL user
|
||||
postgresql_user:
|
||||
db: '{{ netbox_dbname }}'
|
||||
name: '{{ netbox_dbuser }}'
|
||||
password: '{{ netbox_dbpass }}'
|
||||
priv: ALL
|
||||
state: present
|
||||
name: "{{ netbox_dbuser }}"
|
||||
password: "{{ netbox_dbpass }}"
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db:
|
||||
name: "{{ netbox_dbname }}"
|
||||
owner: "{{ netbox_dbuser }}"
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Install redis
|
||||
apt: name=redis-server
|
||||
|
||||
# TODO configure redis?
|
||||
|
||||
- name: Unpack netbox
|
||||
unarchive:
|
||||
src: 'https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz'
|
||||
src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
|
||||
dest: /opt
|
||||
remote_src: yes
|
||||
creates: '/opt/netbox-{{ netbox_version }}'
|
||||
creates: "/opt/netbox-{{ netbox_version }}"
|
||||
register: netbox_unarchive
|
||||
|
||||
- name: Configure netbox
|
||||
template:
|
||||
src: configuration.py.j2
|
||||
dest: '/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py'
|
||||
owner: '{{ netbox_user }}'
|
||||
group: '{{ netbox_group }}'
|
||||
dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
|
||||
owner: "{{ netbox_user }}"
|
||||
group: "{{ netbox_group }}"
|
||||
notify: Restart netbox
|
||||
|
||||
- name: Install venv
|
||||
pip:
|
||||
requirements: '/opt/netbox-{{ netbox_version }}/requirements.txt'
|
||||
virtualenv: '/opt/netbox-{{ netbox_version }}/venv'
|
||||
virtualenv_command: '/usr/bin/python3 -m venv'
|
||||
- name: Configure gunicorn
|
||||
template:
|
||||
src: gunicorn.py.j2
|
||||
dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
|
||||
owner: "{{ netbox_user }}"
|
||||
group: "{{ netbox_group }}"
|
||||
|
||||
- name: Netbox file permissions
|
||||
file:
|
||||
path: '/opt/netbox-{{ netbox_version }}'
|
||||
owner: '{{ netbox_user }}'
|
||||
group: '{{ netbox_group }}'
|
||||
mode: preserve
|
||||
state: directory
|
||||
recursive: yes
|
||||
create: no
|
||||
path: "/opt/netbox-{{ netbox_version }}"
|
||||
owner: "{{ netbox_user }}"
|
||||
group: "{{ netbox_group }}"
|
||||
recurse: yes
|
||||
|
||||
- name: Fix psycopg variant
|
||||
lineinfile:
|
||||
path: "/opt/netbox-{{ netbox_version }}/requirements.txt"
|
||||
regexp: '^psycopg\[.*,pool\]==(.*)$'
|
||||
line: 'psycopg[binary,pool]==\1'
|
||||
backrefs: yes
|
||||
register: netbox_psycopg_fix
|
||||
|
||||
- name: Run upgrade script
|
||||
command:
|
||||
cmd: ./upgrade.sh
|
||||
chdir: "/opt/netbox-{{ netbox_version }}"
|
||||
become: true
|
||||
become_user: "{{ netbox_user }}"
|
||||
when: netbox_unarchive.changed or netbox_psycopg_fix.changed
|
||||
|
||||
# TODO - still manual work
|
||||
# * Run Database Migrations
|
||||
# * Create a Super User
|
||||
# * Collect Static Files
|
||||
# * Gunicorn Configuration
|
||||
# * systemd Configuration
|
||||
# * Create a super user
|
||||
# * Migrate media files
|
||||
|
||||
- name: Install netbox housekeeping cronjob
|
||||
template:
|
||||
src: netbox-housekeeping.sh.j2
|
||||
dest: /etc/cron.daily/netbox-housekeeping.sh
|
||||
mode: 0755
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
|
||||
-days 730 -subj "/CN={{ netbox_domain }}"
|
||||
changed_when: True
|
||||
creates: '/etc/nginx/ssl/{{ netbox_domain }}.crt'
|
||||
command:
|
||||
cmd: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
|
||||
-days 730 -subj "/CN={{ netbox_domain }}"
|
||||
creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
|
||||
notify: Restart nginx
|
||||
|
||||
#- name: Configure certificate manager for netbox
|
||||
# template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
|
||||
# notify: Run acertmgr
|
||||
- name: Request nsupdate key for certificate
|
||||
include_role: name=acme-dnskey-generate
|
||||
vars:
|
||||
acme_dnskey_san_domains:
|
||||
- "{{ netbox_domain }}"
|
||||
when: "'kitchen' in group_names"
|
||||
|
||||
- name: Configure certificate manager for netbox
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure vhost
|
||||
template:
|
||||
src: vhost.j2
|
||||
dest: /etc/nginx/sites-available/netbox
|
||||
owner: root
|
||||
mode: '0644'
|
||||
mode: "0644"
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable vhost
|
||||
@ -111,6 +133,20 @@
|
||||
src: /etc/nginx/sites-available/netbox
|
||||
dest: /etc/nginx/sites-enabled/netbox
|
||||
state: link
|
||||
owner: root
|
||||
mode: preserve
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Install systemd units
|
||||
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
|
||||
with_items:
|
||||
- netbox
|
||||
- netbox-rq
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart netbox
|
||||
- Restart netbox-rq
|
||||
|
||||
- name: Enable services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- netbox
|
||||
- netbox-rq
|
||||
|
@ -33,8 +33,10 @@ REDIS = {
|
||||
# 'SENTINEL_SERVICE': 'netbox',
|
||||
'PASSWORD': '',
|
||||
'DATABASE': 0,
|
||||
'DEFAULT_TIMEOUT': 300,
|
||||
'SSL': False,
|
||||
# Set this to True to skip TLS certificate verification
|
||||
# This can expose the connection to attacks, be careful
|
||||
# 'INSECURE_SKIP_TLS_VERIFY': False,
|
||||
},
|
||||
'caching': {
|
||||
'HOST': 'localhost',
|
||||
@ -44,8 +46,10 @@ REDIS = {
|
||||
# 'SENTINEL_SERVICE': 'netbox',
|
||||
'PASSWORD': '',
|
||||
'DATABASE': 1,
|
||||
'DEFAULT_TIMEOUT': 300,
|
||||
'SSL': False,
|
||||
# Set this to True to skip TLS certificate verification
|
||||
# This can expose the connection to attacks, be careful
|
||||
# 'INSECURE_SKIP_TLS_VERIFY': False,
|
||||
}
|
||||
}
|
||||
|
||||
@ -65,32 +69,13 @@ SECRET_KEY = '{{ netbox_secret }}'
|
||||
# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
|
||||
# application errors (assuming correct email settings are provided).
|
||||
ADMINS = [
|
||||
# ['John Doe', 'jdoe@example.com'],
|
||||
# ('John Doe', 'jdoe@example.com'),
|
||||
]
|
||||
|
||||
# URL schemes that are allowed within links in NetBox
|
||||
ALLOWED_URL_SCHEMES = (
|
||||
'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
|
||||
)
|
||||
|
||||
# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
|
||||
# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
|
||||
BANNER_TOP = ''
|
||||
BANNER_BOTTOM = ''
|
||||
|
||||
# Text to include on the login page above the login form. HTML is allowed.
|
||||
BANNER_LOGIN = ''
|
||||
|
||||
# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
|
||||
# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
|
||||
# BASE_PATH = 'netbox/'
|
||||
BASE_PATH = ''
|
||||
|
||||
# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
|
||||
CACHE_TIMEOUT = 900
|
||||
|
||||
# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
|
||||
CHANGELOG_RETENTION = 90
|
||||
|
||||
# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
|
||||
# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
|
||||
# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
|
||||
@ -119,10 +104,6 @@ EMAIL = {
|
||||
'FROM_EMAIL': '',
|
||||
}
|
||||
|
||||
# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
|
||||
# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
|
||||
ENFORCE_GLOBAL_UNIQUE = False
|
||||
|
||||
# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
|
||||
# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
|
||||
EXEMPT_VIEW_PERMISSIONS = [
|
||||
@ -145,22 +126,18 @@ INTERNAL_IPS = ('127.0.0.1', '::1')
|
||||
# https://docs.djangoproject.com/en/stable/topics/logging/
|
||||
LOGGING = {}
|
||||
|
||||
# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
|
||||
# authenticated to NetBox indefinitely.
|
||||
LOGIN_PERSISTENCE = False
|
||||
|
||||
# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
|
||||
# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
|
||||
# are permitted to access most data in NetBox but not make any changes.
|
||||
LOGIN_REQUIRED = True
|
||||
|
||||
# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
|
||||
# re-authenticate. (Default: 1209600 [14 days])
|
||||
LOGIN_TIMEOUT = None
|
||||
|
||||
# Setting this to True will display a "maintenance mode" banner at the top of every page.
|
||||
MAINTENANCE_MODE = False
|
||||
|
||||
# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
|
||||
# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
|
||||
# all objects by specifying "?limit=0".
|
||||
MAX_PAGE_SIZE = 1000
|
||||
|
||||
# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
|
||||
# the default value of this setting is derived from the installed location.
|
||||
# MEDIA_ROOT = '/opt/netbox/netbox/media'
|
||||
@ -178,20 +155,6 @@ MAX_PAGE_SIZE = 1000
|
||||
# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
|
||||
METRICS_ENABLED = False
|
||||
|
||||
# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
|
||||
NAPALM_USERNAME = ''
|
||||
NAPALM_PASSWORD = ''
|
||||
|
||||
# NAPALM timeout (in seconds). (Default: 30)
|
||||
NAPALM_TIMEOUT = 30
|
||||
|
||||
# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
|
||||
# be provided as a dictionary.
|
||||
NAPALM_ARGS = {}
|
||||
|
||||
# Determine how many objects to display per page within a list. (Default: 50)
|
||||
PAGINATE_COUNT = 50
|
||||
|
||||
# Enable installed plugins. Add the name of each plugin to the list.
|
||||
PLUGINS = []
|
||||
|
||||
@ -204,24 +167,13 @@ PLUGINS = []
|
||||
# }
|
||||
# }
|
||||
|
||||
# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
|
||||
# prefer IPv4 instead.
|
||||
PREFER_IPV4 = False
|
||||
|
||||
# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
|
||||
RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
|
||||
RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
|
||||
|
||||
# Remote authentication support
|
||||
REMOTE_AUTH_ENABLED = False
|
||||
REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
|
||||
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
|
||||
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
|
||||
REMOTE_AUTH_AUTO_CREATE_USER = True
|
||||
REMOTE_AUTH_DEFAULT_GROUPS = []
|
||||
REMOTE_AUTH_DEFAULT_PERMISSIONS = []
|
||||
|
||||
# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
|
||||
RELEASE_CHECK_TIMEOUT = 24 * 3600
|
||||
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
|
||||
|
||||
# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
|
||||
# version check or use the URL below to check for release in the official NetBox repository.
|
||||
@ -232,10 +184,16 @@ RELEASE_CHECK_URL = None
|
||||
# this setting is derived from the installed location.
|
||||
# REPORTS_ROOT = '/opt/netbox/netbox/reports'
|
||||
|
||||
# Maximum execution time for background tasks, in seconds.
|
||||
RQ_DEFAULT_TIMEOUT = 300
|
||||
|
||||
# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
|
||||
# this setting is derived from the installed location.
|
||||
# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
|
||||
|
||||
# The name to use for the session cookie.
|
||||
SESSION_COOKIE_NAME = 'sessionid'
|
||||
|
||||
# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
|
||||
# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
|
||||
# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
|
||||
|
16
roles/netbox/templates/gunicorn.py.j2
Normal file
16
roles/netbox/templates/gunicorn.py.j2
Normal file
@ -0,0 +1,16 @@
|
||||
# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
|
||||
bind = '127.0.0.1:8001'
|
||||
|
||||
# Number of gunicorn workers to spawn. This should typically be 2n+1, where
|
||||
# n is the number of CPU cores present.
|
||||
workers = 5
|
||||
|
||||
# Number of threads per worker process
|
||||
threads = 3
|
||||
|
||||
# Timeout (in seconds) for a request to complete
|
||||
timeout = 120
|
||||
|
||||
# The maximum number of requests a worker can handle before being respawned
|
||||
max_requests = 5000
|
||||
max_requests_jitter = 500
|
9
roles/netbox/templates/netbox-housekeeping.sh.j2
Normal file
9
roles/netbox/templates/netbox-housekeeping.sh.j2
Normal file
@ -0,0 +1,9 @@
|
||||
#!/bin/sh
|
||||
# This shell script invokes NetBox's housekeeping management command, which
|
||||
# intended to be run nightly. This script can be copied into your system's
|
||||
# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
|
||||
# within the cron configuration file.
|
||||
#
|
||||
# If NetBox has been installed into a nonstandard location, update the paths
|
||||
# below.
|
||||
/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping
|
21
roles/netbox/templates/netbox-rq.service.j2
Normal file
21
roles/netbox/templates/netbox-rq.service.j2
Normal file
@ -0,0 +1,21 @@
|
||||
[Unit]
|
||||
Description=NetBox Request Queue Worker
|
||||
Documentation=https://netbox.readthedocs.io/en/stable/
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
|
||||
User={{ netbox_user }}
|
||||
Group={{ netbox_group }}
|
||||
WorkingDirectory=/opt/netbox-{{ netbox_version }}
|
||||
|
||||
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
|
||||
|
||||
Restart=on-failure
|
||||
RestartSec=30
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
22
roles/netbox/templates/netbox.service.j2
Normal file
22
roles/netbox/templates/netbox.service.j2
Normal file
@ -0,0 +1,22 @@
|
||||
[Unit]
|
||||
Description=NetBox WSGI Service
|
||||
Documentation=https://netbox.readthedocs.io/en/stable/
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
|
||||
User={{ netbox_user }}
|
||||
Group={{ netbox_group }}
|
||||
PIDFile=/var/tmp/netbox.pid
|
||||
WorkingDirectory=/opt/netbox-{{ netbox_version }}
|
||||
|
||||
ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
|
||||
|
||||
Restart=on-failure
|
||||
RestartSec=30
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -10,7 +10,7 @@ server {
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://{{ netbox_domain }}$request_uri;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
@ -30,9 +30,9 @@ server {
|
||||
location / {
|
||||
client_max_body_size 32M;
|
||||
|
||||
proxy_pass http://localhost:8001;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass http://localhost:8001;
|
||||
}
|
||||
}
|
||||
|
3
roles/nginx/defaults/main.yml
Normal file
3
roles/nginx/defaults/main.yml
Normal file
@ -0,0 +1,3 @@
|
||||
---
|
||||
|
||||
nginx_anonymize: False
|
@ -30,7 +30,7 @@
|
||||
- /etc/nginx/dhparam.pem
|
||||
|
||||
- name: Configure nginx
|
||||
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
|
||||
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure default vhost
|
||||
@ -41,7 +41,7 @@
|
||||
- name: Ensure network and dns are available before nginx
|
||||
lineinfile:
|
||||
dest: /lib/systemd/system/nginx.service
|
||||
line: "After=network-online.target nss-lookup.target"
|
||||
line: "After=network-online.target remote-fs.target nss-lookup.target"
|
||||
regexp: "^After="
|
||||
|
||||
- name: Start nginx
|
||||
|
@ -47,7 +47,32 @@ http {
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
{% if nginx_anonymize %}
|
||||
map $remote_addr $ip_anonym1 {
|
||||
default 0.0.0;
|
||||
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
|
||||
"~(?P<ip>[^:]+:[^:]+):" $ip;
|
||||
}
|
||||
|
||||
map $remote_addr $ip_anonym2 {
|
||||
default .0;
|
||||
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
|
||||
"~(?P<ip>[^:]+:[^:]+):" ::;
|
||||
}
|
||||
|
||||
map $ip_anonym1$ip_anonym2 $ip_anonymized {
|
||||
default 0.0.0.0;
|
||||
"~(?P<ip>.*)" $ip;
|
||||
}
|
||||
|
||||
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
|
||||
access_log /var/log/nginx/access.log anonymized;
|
||||
{% else %}
|
||||
access_log /var/log/nginx/access.log;
|
||||
{% endif %}
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
##
|
@ -1,4 +1,4 @@
|
||||
---
|
||||
|
||||
node_exporter_version: 1.0.1
|
||||
node_exporter_version: 1.2.0
|
||||
node_exporter_url: https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
OPTIONS=""
|
||||
OPTIONS="--web.config=/etc/node_exporter/web-config.yml"
|
||||
|
@ -9,6 +9,27 @@
|
||||
- name: Configure node_exporter
|
||||
copy: src=node_exporter dest=/etc/default/node_exporter
|
||||
|
||||
- name: Create configuration directory
|
||||
file: path=/etc/node_exporter state=directory
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command:
|
||||
cmd: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/node_exporter/{{ ansible_fqdn }}.key
|
||||
-out /etc/node_exporter/{{ ansible_fqdn }}.crt
|
||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
||||
creates: /etc/node_exporter/{{ ansible_fqdn }}.crt
|
||||
notify: Restart node_exporter
|
||||
|
||||
- name: Ensure correct certificate permissions
|
||||
file: path=/etc/node_exporter/{{ ansible_fqdn }}.key owner=node_exporter mode=0400
|
||||
notify: Restart node_exporter
|
||||
|
||||
- name: Configure node_exporter TLS
|
||||
template: src=web-config.yml.j2 dest=/etc/node_exporter/web-config.yml
|
||||
notify: Restart node_exporter
|
||||
|
||||
- name: Install systemd unit
|
||||
template: src=node_exporter.service.j2 dest=/lib/systemd/system/node_exporter.service
|
||||
notify:
|
||||
|
6
roles/node_exporter/templates/web-config.yml.j2
Normal file
6
roles/node_exporter/templates/web-config.yml.j2
Normal file
@ -0,0 +1,6 @@
|
||||
tls_server_config:
|
||||
cert_file: /etc/node_exporter/{{ ansible_fqdn }}.crt
|
||||
key_file: /etc/node_exporter/{{ ansible_fqdn }}.key
|
||||
|
||||
basic_auth_users:
|
||||
prometheus: {{ prometheus_node_pass | password_hash('bcrypt', 'supersecret1salt1value') }}
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Restart ntp
|
||||
service: name=ntp state=restarted
|
||||
|
||||
- name: Restart ntpd
|
||||
service: name=ntpd state=restarted
|
@ -1,11 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Install ntp
|
||||
apt: name=ntp
|
||||
|
||||
- name: Configure ntp
|
||||
template: src=ntp.conf.j2 dest=/etc/ntp.conf
|
||||
notify: Restart ntp
|
||||
|
||||
- name: Start the ntp service
|
||||
service: name=ntp state=started enabled=yes
|
@ -1,17 +0,0 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
{% for srv in ntp_servers %}
|
||||
server {{ srv }} iburst
|
||||
{% endfor %}
|
||||
{% if ntp_peers is defined %}
|
||||
|
||||
{% for peer in ntp_peers %}
|
||||
peer {{ peer }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
restrict default kod nomodify notrap nopeer noquery
|
||||
restrict -6 default kod nomodify notrap nopeer noquery
|
||||
|
||||
restrict 127.0.0.1
|
||||
restrict -6 ::1
|
@ -6,7 +6,7 @@
|
||||
- name: Install dependencies
|
||||
apt:
|
||||
name:
|
||||
- python-setuptools
|
||||
- python3-pip
|
||||
- python3-setuptools
|
||||
- virtualenv
|
||||
|
||||
@ -22,6 +22,13 @@
|
||||
- Reload systemd
|
||||
- Restart prometheus-pve-exporter
|
||||
|
||||
- name: Configure prometheus retention
|
||||
lineinfile:
|
||||
path: /etc/default/prometheus
|
||||
regexp: '^ARGS=.*$'
|
||||
line: 'ARGS="--storage.tsdb.retention.time=365d"'
|
||||
notify: Restart prometheus
|
||||
|
||||
- name: Configure prometheus
|
||||
template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml
|
||||
notify: Restart prometheus
|
||||
|
@ -27,12 +27,29 @@ rule_files:
|
||||
scrape_configs:
|
||||
{% if node_targets is defined %}
|
||||
- job_name: node
|
||||
scheme: https
|
||||
basic_auth:
|
||||
username: prometheus
|
||||
password: {{ prometheus_node_pass }}
|
||||
tls_config:
|
||||
insecure_skip_verify: true
|
||||
static_configs:
|
||||
- targets:
|
||||
{% for target in node_targets %}
|
||||
- {{ target }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if dnsdist_targets is defined %}
|
||||
- job_name: dnsdist
|
||||
basic_auth:
|
||||
username: prometheus
|
||||
password: {{ prometheus_dnsdist_pass }}
|
||||
static_configs:
|
||||
- targets:
|
||||
{% for target in dnsdist_targets %}
|
||||
- {{ target }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if fastd_targets is defined %}
|
||||
- job_name: fastd
|
||||
static_configs:
|
||||
|
@ -19,6 +19,6 @@ interface br-{{ site_code }} {
|
||||
AdvRouterAddr on;
|
||||
};
|
||||
{% endif %}
|
||||
RDNSS {{ batman_ipv6 | ipaddr('address')}} {
|
||||
RDNSS {{ batman_ipv6 | ipaddr('address') }} {
|
||||
};
|
||||
};
|
||||
|
@ -4,4 +4,4 @@ batman_interface: bat-{{ site_code }}
|
||||
main_bridge: br-{{ site_code }}
|
||||
|
||||
respondd_announce_git_root: https://github.com/ffnord/mesh-announce/
|
||||
respondd_announce_git_version: fc2d8d78d53d1908ad16b79b66f79557ccd9a83a
|
||||
respondd_announce_git_version: 4fd2e3e6eb15c2a52b7401c88a105ff483934689
|
||||
|
@ -7,6 +7,10 @@
|
||||
git: repo={{ respondd_announce_git_root }} dest=/opt/{{ site_code }}/respondd-announce/ version={{ respondd_announce_git_version }}
|
||||
notify: Restart respondd
|
||||
|
||||
- name: Configure respondd
|
||||
template: src=respondd.conf.j2 dest=/opt/{{ site_code }}/respondd.conf
|
||||
notify: Restart respondd
|
||||
|
||||
- name: Install systemd unit
|
||||
template: src=respondd.service.j2 dest=/lib/systemd/system/respondd.service
|
||||
notify:
|
||||
|
20
roles/respondd/templates/respondd.conf.j2
Normal file
20
roles/respondd/templates/respondd.conf.j2
Normal file
@ -0,0 +1,20 @@
|
||||
# Default settings
|
||||
[Defaults]
|
||||
# Listen port, defaults to 1001
|
||||
Port: 1001
|
||||
# Default multicast listen addresses
|
||||
MulticastLinkAddress: ff02::2:1001
|
||||
MulticastSiteAddress: ff05::2:1001
|
||||
# Default domain to use
|
||||
DefaultDomain: {{ site_code }}
|
||||
# Default domain type
|
||||
DomainType: batadv
|
||||
|
||||
# A domain
|
||||
[{{ site_code }}]
|
||||
# Batman interface, mandatory
|
||||
BatmanInterface: {{ batman_interface }}
|
||||
# Other listen interfaces
|
||||
Interfaces: {{ main_bridge }}
|
||||
# IPv4 gateway option for ddhcpd
|
||||
IPv4Gateway: {{ batman_ipv4 | ipaddr('address') }}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user