netbox: fix psycopg dependency to use binary

the C variant will fail to compile

group_vars/all/vars.yml

@@ -75,17 +75,6 @@ pve_targets:
 - pve01.ffrgb
 - pve02.ffrgb
 
-telegraf_influxdb_url: stats.regensburg.freifunk.net:8086
-telegraf_influxdb_database: wgstats
-telegraf_influxdb_username: admin
-telegraf_influxdb_password: "{{ vault_yanic_influx_pw }}"
-telegraf_plugins_base:
-  - name: wireguard
-    options:
-      devices:
-        - "wg-{{ site_code }}"
-
-
 site: ffrgb
 site_domain: regensburg.freifunk.net
 

host_vars/gw11.regensburg.freifunk.net

@@ -18,3 +18,5 @@ fastd_port: 10010
 gateway_id: 11
 
 site_code: ffrgb_cty
+
+ntp_server: true

host_vars/gw12.regensburg.freifunk.net

@@ -18,3 +18,5 @@ fastd_port: 10010
 gateway_id: 12
 
 site_code: ffrgb_cty
+
+ntp_server: true

host_vars/gw21.regensburg.freifunk.net

@@ -18,3 +18,5 @@ mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
 gateway_id: 21
 
 site_code: ffrgb_uml
+
+ntp_server: true

host_vars/gw22.regensburg.freifunk.net

@@ -18,3 +18,5 @@ mesh_wg_privkey: "{{ vault_mesh_wg_privkey_uml }}"
 gateway_id: 22
 
 site_code: ffrgb_uml
+
+ntp_server: true

host_vars/gw31.regensburg.freifunk.net

@@ -20,3 +20,5 @@ gateway_id: 31
 site_code: ffrgb_tst
 
 nat_pool: 194.156.22.32-194.156.22.33
+
+ntp_server: true

host_vars/resolver.regensburg.freifunk.net

@@ -0,0 +1,3 @@
+---
+
+acertmgr_mode: standalone

library/fastd_key

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 EXAMPLES = '''
 # Generates a fastd key

roles/apt/files/unattended-upgrades.conf

@@ -1,7 +1,7 @@
 // Unattended-Upgrade::Origins-Pattern controls which packages are
 // upgraded.
 //
-// Lines below have the format format is "keyword=value,...".  A
+// Lines below have the format "keyword=value,...".  A
 // package will be upgraded only if the values in its metadata match
 // all the supplied keywords in a line.  (In other words, omitted
 // keywords are wild cards.) The keywords originate from the Release
@@ -30,6 +30,7 @@ Unattended-Upgrade::Origins-Pattern {
 //      "origin=Debian,codename=${distro_codename}-proposed-updates";
         "origin=Debian,codename=${distro_codename},label=Debian";
         "origin=Debian,codename=${distro_codename},label=Debian-Security";
+        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
 
         // Archive or Suite based matching:
         // Note that this will silently match a different release after
@@ -92,9 +93,11 @@ Unattended-Upgrade::Package-Blacklist {
 // 'mailx' must be installed. E.g. "user@example.com"
 Unattended-Upgrade::Mail "root";
 
-// Set this value to "true" to get emails only on errors. Default
-// is to always send a mail if Unattended-Upgrade::Mail is set
-Unattended-Upgrade::MailOnlyOnError "true";
+// Set this value to one of:
+//    "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+Unattended-Upgrade::MailReport "only-on-error";
 
 // Remove unused automatically installed kernel-related packages
 // (kernel images, kernel headers and kernel version locked tools).
@@ -144,3 +147,18 @@ Unattended-Upgrade::Automatic-Reboot "false";
 // Print debugging information both in unattended-upgrades and
 // in unattended-upgrade-shutdown
 // Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

roles/common/tasks/main.yml

@@ -30,10 +30,10 @@
   copy: src={{ item.src }} dest={{ item.dest }}
   diff: no
   with_items:
-  - { src: '.zshrc', dest: '/root/.zshrc' }
-  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
-  - { src: 'motd', dest: '/etc/motd' }
-  - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
+  - { src: ".zshrc", dest: "/root/.zshrc" }
+  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+  - { src: "motd", dest: "/etc/motd" }
+  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
 
 - name: Set shell for root user
   user: name=root shell=/bin/zsh
@@ -52,8 +52,8 @@
 - name: Prevent normal users from running su
   lineinfile:
     path: /etc/pam.d/su
-    regexp: '^.*auth\s+required\s+pam_wheel.so$'
-    line: 'auth       required   pam_wheel.so'
+    regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
+    line: "auth       required   pam_wheel.so"
 
 - name: Configure journald retention
   lineinfile:

roles/dhcpd/defaults/main.yml

@@ -2,5 +2,5 @@
 
 dhcpd_interfaces: br-{{ site_code }}
 dhcpd_first: "{{ batman_ipv4 | ipaddr('512') | ipaddr('address') }}"
-dhcpd_last: "{{ batman_ipv4 | ipaddr('2558') | ipaddr('address') }}"
+dhcpd_last: "{{ batman_ipv4 | ipaddr('4606') | ipaddr('address') }}"
 name_server: "{{ batman_ipv4 | ipaddr('address') }}"

roles/dns_auth/tasks/main.yml

@@ -1,11 +1,5 @@
 ---
 
-- name: Enable powerdns apt-key
-  apt_key: url='https://repo.powerdns.com/FD380FBB-pub.asc'
-
-- name: Enable powerdns repository
-  apt_repository: repo='deb http://repo.powerdns.com/debian buster-auth-43 main'
-
 - name: Install powerdns
   apt:
     name:

roles/dns_auth/templates/pdns.conf.j2

@@ -29,3 +29,7 @@ master=yes
 #
 # only-notify=0.0.0.0/0,::/0
 only-notify=
+
+# security-poll-suffix  Domain name from which to query security update notifications
+#
+security-poll-suffix=

roles/dns_resolver/tasks/main.yml

@@ -1,11 +1,5 @@
 ---
 
-- name: Enable powerdns apt-key
-  apt_key: url='https://repo.powerdns.com/FD380FBB-pub.asc'
-
-- name: Enable powerdns repository
-  apt_repository: repo='deb http://repo.powerdns.com/debian buster-dnsdist-15 main'
-
 - name: Install powerdns
   apt:
     name:

roles/dns_resolver/templates/dnsdist.conf.j2

@@ -5,10 +5,11 @@ addLocal('::1')
 addLocal('{{ ansible_default_ipv4.address }}')
 addLocal('{{ ansible_default_ipv6.address }}')
 
-addACL('194.156.22.0/24')
-addACL('2001:678:ddc::/48')
+setACL({'0.0.0.0/0', '::/0'})
 
-newServer({address='127.0.0.1:5353', qps=1, name='localhost'})
+addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())
+
+newServer({address='127.0.0.1:5353', name='localhost'})
 
 addTLSLocal('{{ ansible_default_ipv4.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
 addTLSLocal('{{ ansible_default_ipv6.address }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')

roles/dns_split/tasks/main.yml

@@ -1,11 +1,5 @@
 ---
 
-- name: Enable powerdns apt-key
-  apt_key: url='https://repo.powerdns.com/FD380FBB-pub.asc'
-
-- name: Enable powerdns repository
-  apt_repository: repo='deb http://repo.powerdns.com/debian buster-dnsdist-15 main'
-
 - name: Install powerdns
   apt:
     name:

roles/dns_split/templates/dnsdist.conf.j2

@@ -5,7 +5,7 @@ addLocal('::1')
 addLocal('{{ batman_ipv4 | ipaddr('address') }}')
 addLocal('{{ batman_ipv6 | ipaddr('address') }}')
 
-newServer({address='127.0.0.1:5353', qps=1, name='localhost'})
+newServer({address='127.0.0.1:5353', name='localhost'})
 
 addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
 addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', '/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')

roles/dns_split/templates/pdns.conf.j2

@@ -12,12 +12,6 @@ launch=bind
 # local-address=0.0.0.0
 local-address=127.0.0.1
 
-#################################
-# local-ipv6    Local IP address to which we bind
-#
-# local-ipv6=::
-local-ipv6=
-
 #################################
 # local-port    The port on which we listen
 #

roles/dns_split/templates/recursor.conf.j2

@@ -32,13 +32,6 @@ local-address=127.0.0.1
 #
 local-port=5353
 
-#################################
-# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
-#
-{% if global_ipv6 is defined %}
-query-local-address6={{ global_ipv6 | ipaddr('address') }}
-{% endif %}
-
 #################################
 # quiet Suppress logging of questions and answers
 #

roles/docker/tasks/main.yml

@@ -1,17 +1,10 @@
 ---
 
-- name: Enable docker apt-key
-  apt_key: url='https://download.docker.com/linux/debian/gpg'
-
-- name: Enable docker repository
-  apt_repository:
-    repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
-    filename: docker
-
 - name: Install docker
   apt:
     name:
-    - docker-ce
-    - docker-ce-cli
-    - containerd.io
+    - docker.io
     - python3-docker
+
+- name: Enable docker
+  service: name=docker state=started enabled=yes

roles/grafana/tasks/main.yml

@@ -1,10 +1,14 @@
 ---
 
-- name: Enable grafana apt-key
-  apt_key: url='https://packages.grafana.com/gpg.key'
+- name: Retrieve Grafana Key and avoid apt_key
+  block:
+    - name: grafana |no apt key
+      ansible.builtin.get_url:
+        url: https://apt.grafana.com/gpg.key
+        dest: /usr/share/keyrings/grafana.key
 
 - name: Enable grafana repository
-  apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
+  apt_repository: repo="deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main"
 
 - name: Install grafana
   apt: name=grafana

roles/influxdb/tasks/main.yml

@@ -1,10 +1,23 @@
 ---
 
-- name: Enable influxdb apt-key
-  apt_key: url='https://repos.influxdata.com/influxdb.key'
+- name: Import Influxdb GPG siging key with store
+  ansible.builtin.get_url:
+    url: "https://repos.influxdata.com/influxdata-archive_compat.key"
+    dest: /etc/apt/trusted.gpg.d/influxdb.key
+    checksum: "sha256:393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c"
 
-- name: Enable influxdb repository
-  apt_repository: repo='deb https://repos.influxdata.com/debian buster stable'
+- name: Convert key
+  ansible.builtin.command:
+    argv:
+      - gpg
+      - --dearmor
+      - /etc/apt/trusted.gpg.d/influxdb.key
+    creates: /etc/apt/trusted.gpg.d/influxdb.key.gpg
+
+- name: Enable InfluxDB repository
+  ansible.builtin.apt_repository:
+    repo: 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.key.gpg] https://repos.influxdata.com/debian stable main'
+    state: present
 
 - name: Install influxdb
   apt: name=influxdb

roles/interfaces/templates/mesh.conf.j2

@@ -14,6 +14,8 @@ iface br-{{ site_code }}
 {% if global_ipv6 is defined %}
 	address		{{ global_ipv6 }}
 {% endif %}
+	#
+	post-up		echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
 
 # bat-{{ site_code }}
 auto bat-{{ site_code }}
@@ -21,15 +23,14 @@ iface bat-{{ site_code }}
 	hwaddress	f2:00:90:00:{{ gateway_id }}:20
 	mtu		1500
 	#
-	batman-gw-mode		server
-	batman-hop-penalty	5
 	batman-ifaces		dmy-{{ site_code }}
 	batman-ifaces-ignore-regex	.*_.*
-	batman-multicast-mode	disabled
 	batman-routing-algo	{{ batman_algo }}
 	#
-	post-up		/usr/sbin/batctl -m bat-{{ site_code }} it 5000
-	post-up		echo 2 > /sys/class/net/bat-{{ site_code }}/brport/multicast_router
+	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} gw server
+	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} hp 5
+	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} it 5000
+	post-up		/usr/sbin/batctl meshif bat-{{ site_code }} mff 1
 
 
 # dmy-{{ site_code }}

roles/mesh_wg/tasks/main.yml

@@ -1,17 +1,7 @@
 ---
 
-- name: Enable backports
-  apt_repository: repo='deb http://deb.debian.org/debian buster-backports main'
-
-- name: Install kernel headers
-  apt: name=linux-headers-amd64
-
-- name: Install wireguard from backports
-  apt:
-    name:
-    - wireguard-dkms
-    - wireguard-tools
-    default_release: buster-backports
+- name: Install wireguard
+  apt: name=wireguard-tools
 
 - name: Create wireguard config directory
   file:
@@ -28,7 +18,8 @@
   notify: Reload interfaces
 
 - name: Install wgskex
-  apt: deb=http://moepman.eu/tmp/wgskex_0.1.0_amd64.deb
+  apt: deb=http://moepman.eu/tmp/wgskex_0.3.3_amd64.deb
+
 
 - name: Install ping endpoint
   copy: src=ping dest=/var/www/html/ping

roles/mesh_wg/templates/mesh_wg.conf.j2

@@ -3,11 +3,11 @@
 # vx-{{ site_code }}
 auto vx-{{ site_code }}
 iface vx-{{ site_code }}
+	mtu		1350
 	vxlan-physdev	wg-{{ site_code }}
 	pre-up		ip -6 link add vx-{{ site_code }} type vxlan id {{ vx_wg_vni }} local fe80::{{ gateway_id }} dev wg-{{ site_code }} noudpcsum dstport 8472
 	up		ip link set vx-{{ site_code }} up
-	post-up		ip link set vx-{{ site_code }} mtu 1350
-	post-up		batctl -m bat-{{ site_code }} if add vx-{{ site_code }}
+	post-up		batctl meshif bat-{{ site_code }} if add vx-{{ site_code }}
 	down		ip link set vx-{{ site_code }} down
 	post-down	ip -6 link del vx-{{ site_code }}
 

roles/netbox/defaults/main.yml

@@ -2,4 +2,4 @@
 
 netbox_group: netbox
 netbox_user: netbox
-netbox_version: 2.11.9
+netbox_version: 4.0.3

roles/netbox/tasks/main.yml

@@ -27,77 +27,95 @@
     - postgresql
     - python3-psycopg2
 
-- name: Configure PostgreSQL database
-  postgresql_db:
-    name: '{{ netbox_dbname }}'
+- name: Configure PostgreSQL user
+  postgresql_user:
+    name: "{{ netbox_dbuser }}"
+    password: "{{ netbox_dbpass }}"
   become: true
   become_user: postgres
 
-- name: Configure PostgreSQL user
-  postgresql_user:
-    db: '{{ netbox_dbname }}'
-    name: '{{ netbox_dbuser }}'
-    password: '{{ netbox_dbpass }}'
-    priv: ALL
-    state: present
+- name: Configure PostgreSQL database
+  postgresql_db:
+    name: "{{ netbox_dbname }}"
+    owner: "{{ netbox_dbuser }}"
   become: true
   become_user: postgres
 
 - name: Install redis
   apt: name=redis-server
 
-# TODO configure redis?
-
 - name: Unpack netbox
   unarchive:
-    src: 'https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz'
+    src: "https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz"
     dest: /opt
     remote_src: yes
-    creates: '/opt/netbox-{{ netbox_version }}'
+    creates: "/opt/netbox-{{ netbox_version }}"
   register: netbox_unarchive
 
 - name: Configure netbox
   template:
     src: configuration.py.j2
-    dest: '/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py'
-    owner: '{{ netbox_user }}'
-    group: '{{ netbox_group }}'
+    dest: "/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py"
+    owner: "{{ netbox_user }}"
+    group: "{{ netbox_group }}"
+  notify: Restart netbox
 
 - name: Configure gunicorn
   template:
     src: gunicorn.py.j2
-    dest: '/opt/netbox-{{ netbox_version }}/gunicorn.py'
-    owner: '{{ netbox_user }}'
-    group: '{{ netbox_group }}'
+    dest: "/opt/netbox-{{ netbox_version }}/gunicorn.py"
+    owner: "{{ netbox_user }}"
+    group: "{{ netbox_group }}"
 
 - name: Netbox file permissions
   file:
-    path: '/opt/netbox-{{ netbox_version }}'
-    owner: '{{ netbox_user }}'
-    group: '{{ netbox_group }}'
+    path: "/opt/netbox-{{ netbox_version }}"
+    owner: "{{ netbox_user }}"
+    group: "{{ netbox_group }}"
     recurse: yes
 
+- name: Fix psycopg variant
+  lineinfile:
+    path: "/opt/netbox-{{ netbox_version }}/requirements.txt"
+    regexp: '^psycopg\[.*,pool\]==(.*)$'
+    line: 'psycopg[binary,pool]==\1'
+    backrefs: yes
+  register: netbox_psycopg_fix
+
 - name: Run upgrade script
   command:
     cmd: ./upgrade.sh
-    chdir: '/opt/netbox-{{ netbox_version }}'
+    chdir: "/opt/netbox-{{ netbox_version }}"
   become: true
-  become_user: '{{ netbox_user }}'
-  when: netbox_unarchive.changed
+  become_user: "{{ netbox_user }}"
+  when: netbox_unarchive.changed or netbox_psycopg_fix.changed
 
 # TODO - still manual work
 # * Create a super user
 # * Migrate media files
 
+- name: Install netbox housekeeping cronjob
+  template:
+    src: netbox-housekeeping.sh.j2
+    dest: /etc/cron.daily/netbox-housekeeping.sh
+    mode: 0755
+
 - name: Ensure certificates are available
   command:
     cmd: >
       openssl req -x509 -nodes -newkey rsa:2048
       -keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
       -days 730 -subj "/CN={{ netbox_domain }}"
-    creates: '/etc/nginx/ssl/{{ netbox_domain }}.crt'
+    creates: "/etc/nginx/ssl/{{ netbox_domain }}.crt"
   notify: Restart nginx
 
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ netbox_domain }}"
+  when: "'kitchen' in group_names"
+
 - name: Configure certificate manager for netbox
   template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
   notify: Run acertmgr
@@ -107,7 +125,7 @@
     src: vhost.j2
     dest: /etc/nginx/sites-available/netbox
     owner: root
-    mode: '0644'
+    mode: "0644"
   notify: Restart nginx
 
 - name: Enable vhost

roles/netbox/templates/configuration.py.j2

@@ -34,6 +34,9 @@ REDIS = {
         'PASSWORD': '',
         'DATABASE': 0,
         'SSL': False,
+        # Set this to True to skip TLS certificate verification
+        # This can expose the connection to attacks, be careful
+        # 'INSECURE_SKIP_TLS_VERIFY': False,
     },
     'caching': {
         'HOST': 'localhost',
@@ -44,6 +47,9 @@ REDIS = {
         'PASSWORD': '',
         'DATABASE': 1,
         'SSL': False,
+        # Set this to True to skip TLS certificate verification
+        # This can expose the connection to attacks, be careful
+        # 'INSECURE_SKIP_TLS_VERIFY': False,
     }
 }
 
@@ -63,32 +69,13 @@ SECRET_KEY = '{{ netbox_secret }}'
 # Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
 # application errors (assuming correct email settings are provided).
 ADMINS = [
-    # ['John Doe', 'jdoe@example.com'],
+    # ('John Doe', 'jdoe@example.com'),
 ]
 
-# URL schemes that are allowed within links in NetBox
-ALLOWED_URL_SCHEMES = (
-    'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
-)
-
-# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
-# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
-BANNER_TOP = ''
-BANNER_BOTTOM = ''
-
-# Text to include on the login page above the login form. HTML is allowed.
-BANNER_LOGIN = ''
-
-# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
+# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
 # BASE_PATH = 'netbox/'
 BASE_PATH = ''
 
-# Cache timeout in seconds. Set to 0 to dissable caching. Defaults to 900 (15 minutes)
-CACHE_TIMEOUT = 900
-
-# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
-CHANGELOG_RETENTION = 90
-
 # API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
 # allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
 # CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
@@ -117,10 +104,6 @@ EMAIL = {
     'FROM_EMAIL': '',
 }
 
-# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
-# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
-ENFORCE_GLOBAL_UNIQUE = False
-
 # Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
 # by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
 EXEMPT_VIEW_PERMISSIONS = [
@@ -143,22 +126,18 @@ INTERNAL_IPS = ('127.0.0.1', '::1')
 #   https://docs.djangoproject.com/en/stable/topics/logging/
 LOGGING = {}
 
+# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
+# authenticated to NetBox indefinitely.
+LOGIN_PERSISTENCE = False
+
 # Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
-# are permitted to access most data in NetBox (excluding secrets) but not make any changes.
+# are permitted to access most data in NetBox but not make any changes.
 LOGIN_REQUIRED = True
 
 # The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
 # re-authenticate. (Default: 1209600 [14 days])
 LOGIN_TIMEOUT = None
 
-# Setting this to True will display a "maintenance mode" banner at the top of every page.
-MAINTENANCE_MODE = False
-
-# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
-# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
-# all objects by specifying "?limit=0".
-MAX_PAGE_SIZE = 1000
-
 # The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
 # the default value of this setting is derived from the installed location.
 # MEDIA_ROOT = '/opt/netbox/netbox/media'
@@ -176,20 +155,6 @@ MAX_PAGE_SIZE = 1000
 # Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
 METRICS_ENABLED = False
 
-# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
-NAPALM_USERNAME = ''
-NAPALM_PASSWORD = ''
-
-# NAPALM timeout (in seconds). (Default: 30)
-NAPALM_TIMEOUT = 30
-
-# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
-# be provided as a dictionary.
-NAPALM_ARGS = {}
-
-# Determine how many objects to display per page within a list. (Default: 50)
-PAGINATE_COUNT = 50
-
 # Enable installed plugins. Add the name of each plugin to the list.
 PLUGINS = []
 
@@ -202,14 +167,6 @@ PLUGINS = []
 #     }
 # }
 
-# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
-# prefer IPv4 instead.
-PREFER_IPV4 = False
-
-# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
-RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
-RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
-
 # Remote authentication support
 REMOTE_AUTH_ENABLED = False
 REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
@@ -218,9 +175,6 @@ REMOTE_AUTH_AUTO_CREATE_USER = True
 REMOTE_AUTH_DEFAULT_GROUPS = []
 REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
 
-# This determines how often the GitHub API is called to check the latest release of NetBox. Must be at least 1 hour.
-RELEASE_CHECK_TIMEOUT = 24 * 3600
-
 # This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
 # version check or use the URL below to check for release in the official NetBox repository.
 RELEASE_CHECK_URL = None
@@ -237,6 +191,9 @@ RQ_DEFAULT_TIMEOUT = 300
 # this setting is derived from the installed location.
 # SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
 
+# The name to use for the session cookie.
+SESSION_COOKIE_NAME = 'sessionid'
+
 # By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
 # local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
 # database access.) Note that the user as which NetBox runs must have read and write permissions to this path.

roles/netbox/templates/netbox-housekeeping.sh.j2

@@ -0,0 +1,9 @@
+#!/bin/sh
+# This shell script invokes NetBox's housekeeping management command, which
+# intended to be run nightly. This script can be copied into your system's
+# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
+# within the cron configuration file.
+#
+# If NetBox has been installed into a nonstandard location, update the paths
+# below.
+/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping

roles/netbox/templates/netbox-rq.service.j2

@@ -7,8 +7,8 @@ Wants=network-online.target
 [Service]
 Type=simple
 
-User=netbox
-Group=netbox
+User={{ netbox_user }}
+Group={{ netbox_group }}
 WorkingDirectory=/opt/netbox-{{ netbox_version }}
 
 ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker

roles/netbox/templates/netbox.service.j2

@@ -7,8 +7,8 @@ Wants=network-online.target
 [Service]
 Type=simple
 
-User=netbox
-Group=netbox
+User={{ netbox_user }}
+Group={{ netbox_group }}
 PIDFile=/var/tmp/netbox.pid
 WorkingDirectory=/opt/netbox-{{ netbox_version }}
 

roles/netbox/templates/vhost.j2

@@ -30,9 +30,9 @@ server {
 	location / {
 		client_max_body_size 32M;
 
+		proxy_pass http://localhost:8001;
 		proxy_set_header X-Forwarded-Host $http_host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-Proto $scheme;
-		proxy_pass http://localhost:8001;
 	}
 }

roles/nginx/tasks/main.yml

@@ -41,7 +41,7 @@
 - name: Ensure network and dns are available before nginx
   lineinfile:
     dest: /lib/systemd/system/nginx.service
-    line: "After=network-online.target nss-lookup.target"
+    line: "After=network-online.target remote-fs.target nss-lookup.target"
     regexp: "^After="
 
 - name: Start nginx

roles/ntp/handlers/main.yml

@@ -1,7 +1,4 @@
 ---
 
-- name: Restart ntp
-  service: name=ntp state=restarted
-
-- name: Restart ntpd
-  service: name=ntpd state=restarted
+- name: Restart chrony
+  service: name=chrony state=restarted

roles/ntp/tasks/main.yml

@@ -1,11 +1,11 @@
 ---
 
-- name: Install ntp
-  apt: name=ntp
+- name: Install chrony
+  apt: name=chrony
 
-- name: Configure ntp
-  template: src=ntp.conf.j2 dest=/etc/ntp.conf
-  notify: Restart ntp
+- name: Configure chrony
+  template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
+  notify: Restart chrony
 
-- name: Start the ntp service
-  service: name=ntp state=started enabled=yes
+- name: Start chrony
+  service: name=chrony state=started enabled=yes

roles/ntp/templates/chrony.conf.j2

@@ -0,0 +1,53 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
+{% for srv in ntp_servers %}
+server {{ srv }} iburst
+{% endfor %}
+{% if ntp_peers is defined %}
+
+{% for peer in ntp_peers %}
+peer {{ peer }}
+{% endfor %}
+{% endif %}
+
+{% if ntp_server is defined and ntp_server is true %}
+allow 10.90.0.0/16
+allow 2001:678:ddc::/48
+{% endif -%}
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC

roles/ntp/templates/ntp.conf.j2

@@ -1,17 +0,0 @@
-# {{ ansible_managed }}
-
-{% for srv in ntp_servers %}
-server {{ srv }} iburst
-{% endfor %}
-{% if ntp_peers is defined %}
-
-{% for peer in ntp_peers %}
-peer {{ peer }}
-{% endfor %}
-{% endif %}
-
-restrict default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
-
-restrict 127.0.0.1
-restrict -6 ::1

roles/prometheus/tasks/main.yml

@@ -6,6 +6,7 @@
 - name: Install dependencies
   apt:
     name:
+    - python3-pip
     - python3-setuptools
     - virtualenv
 
@@ -21,6 +22,13 @@
   - Reload systemd
   - Restart prometheus-pve-exporter
 
+- name: Configure prometheus retention
+  lineinfile:
+    path: /etc/default/prometheus
+    regexp: '^ARGS=.*$'
+    line: 'ARGS="--storage.tsdb.retention.time=365d"'
+  notify: Restart prometheus
+
 - name: Configure prometheus
   template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml
   notify: Restart prometheus

roles/telegraf/README.md

@@ -1,56 +0,0 @@
-Telegraf
-========
-
-An Ansible role to install, configure, and manage [Telegraf](https://github.com/influxdb/telegraf), the plugin-driven server agent for reporting metrics into InfluxDB.
-
-Requirements
-------------
-
-Prior knowledge/experience with InfluxDB and Telegraf is highly recommended. Full documentation is available [here](https://docs.influxdata.com).
-
-Installation
-------------
-
-Either clone this repository, or install through Ansible Galaxy directly using the command:
-
-```
-ansible-galaxy install rossmcdonald.telegraf
-```
-
-Role Variables
---------------
-
-The high-level variables are stored in the `defaults/main.yml` file. The most important ones being:
-
-```
-# Channel of Telegraf to install (currently only 'stable' is supported)
-telegraf_install_version: stable
-```
-
-More advanced configuration options are stored in the `vars/main.yml` file, which includes all of the necessary bells and whistles to tweak your configuration.
-
-Dependencies
-------------
-
-No other Ansible dependencies are required. This role was tested and developed with Ansible 1.9.4.
-
-Example Playbook
-----------------
-
-An example playbook is included in the `test.yml` file. There is also a `Vagrantfile`, which can be used for quick local testing leveraging [Vagrant](https://www.vagrantup.com/).
-
-Contributions and Feedback
---------------------------
-
-Any contributions are welcome. For any bugs or feature requests, please open an issue through Github.
-
-License
--------
-
-MIT
-
-Author
-------
-
-Created by [Ross McDonald](https://github.com/rossmcdonald).
-

roles/telegraf/Vagrantfile

@@ -1,40 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant.configure(2) do |config|
-  config.vm.box = "ubuntu/trusty64"
-  # config.vm.box = "ubuntu/vivid64"
-  # config.vm.box = "relativkreativ/centos-7-minimal"
-  # config.vm.box = "box-cutter/fedora22"
-  # config.vm.box = "puppetlabs/centos-6.6-64-nocm"
-  # config.vm.box = "debian/jessie64"
-
-  BOX_COUNT = 1
-  (1..BOX_COUNT).each do |machine_id|
-    config.vm.define "telegraf#{machine_id}" do |machine|
-      machine.vm.hostname = "telegraf#{machine_id}"
-      # machine.vm.network "private_network", ip: "10.0.3.#{1+machine_id}", virtualbox__intnet: true
-      # machine.vm.network "public_network"
-      machine.vm.network "public_network", :bridge => 'en0: Wi-Fi (AirPort)'
-      
-      machine.vm.provider "virtualbox" do |v|
-        v.memory = 512
-        v.cpus = 1
-      end
-
-      if machine_id == BOX_COUNT
-        machine.vm.provision "ansible" do |ansible|
-          # ansible.verbose = 'vvvv'
-          ansible.limit = 'all'
-          ansible.playbook = "test.yml"
-          ansible.sudo = true
-          ansible.host_key_checking = false
-          ansible.extra_vars = {
-            is_vagrant: true,
-          }
-        end
-      end
-      
-    end
-  end
-end

roles/telegraf/defaults/main.yml

@@ -1,85 +0,0 @@
----
-# Channel of Telegraf to install
-telegraf_install_version: stable
-
-# The user and group telegraf should run under (should be set to telegraf unless needed otherwise)
-telegraf_runas_user: telegraf
-telegraf_runas_group: telegraf
-
-# Configuration Template
-telegraf_configuration_template: telegraf.conf.j2
-
-# Configuration Variables
-telegraf_tags:
-telegraf_aws_tags: false
-telegraf_aws_tags_prefix:
-
-telegraf_agent_interval: 10s
-telegraf_round_interval: "true"
-telegraf_metric_batch_size: "1000"
-telegraf_metric_buffer_limit: "10000"
-
-telegraf_collection_jitter: 0s
-telegraf_flush_interval: 10s
-telegraf_flush_jitter: 0s
-telegraf_debug: "false"
-telegraf_quiet: "false"
-telegraf_hostname:
-telegraf_omit_hostname: "false"
-telegraf_install_url:
-
-
-telegraf_influxdb_url: http://stats.regensburg.freifunk.net:8086
-telegraf_influxdb_database: telegraf
-telegraf_influxdb_precision: s
-telegraf_influxdb_retention_policy: autogen
-telegraf_influxdb_write_consistency: any
-telegraf_influxdb_ssl_ca:
-telegraf_influxdb_ssl_cert:
-telegraf_influxdb_ssl_key:
-telegraf_influxdb_insecure_skip_verify:
-
-telegraf_influxdb_timeout: 5s
-telegraf_influxdb_username: telegraf
-telegraf_influxdb_password:
-telegraf_influxdb_user_agent:
-telegraf_influxdb_udp_payload:
-
-telegraf_plugins_base:
-  - name: swap
-  - name: processes
-  - name: kernel
-  - name: netstat
-  - name: mem
-  - name: system
-  - name: cpu
-    options:
-      percpu: "true"
-      totalcpu: "true"
-      collect_cpu_time: "false"
-      report_active: "false"
-      fielddrop:
-        - "time_*"
-  - name: disk
-    options:
-      mountpoints:
-        - "/"
-      ignore_fs:
-        - "tmpfs"
-        - "devtmpfs"
-        - "devfs"
-  - name: diskio
-    options:
-      skip_serial_number: "true"
-  - name: procstat
-    options:
-      exe: "influxd"
-      prefix: "influxdb"
-  - name: net
-    options:
-      interfaces:
-        - "eth0"
-
-telegraf_plugins: "{{ telegraf_plugins_base }} + {{ telegraf_plugins_extra | default([]) }}"
-
-telegraf_influxdata_base_url: "https://repos.influxdata.com"

roles/telegraf/handlers/main.yml

@@ -1,30 +0,0 @@
----
-# The order here matters
-- name: restart telegraf
-  service:
-    name: telegraf
-    state: restarted
-  become: true
-  when: telegraf_start_service
-
-- name: pause
-  pause:
-    seconds: "{{ telegraf_start_delay }}"
-  when: telegraf_start_service
-
-## After version 2.2 of ansible 'listen' could be used to
-## group 'check status' and 'assert running' into a single listener
-- name: check status
-  command: service telegraf status
-  args:
-    warn: false
-  ignore_errors: yes
-  register: telegraf_service_status
-  become: true
-  when: telegraf_start_service
-
-- name: assert running
-  assert:
-    that:
-      - "telegraf_service_status.rc == 0"
-  when: telegraf_start_service

roles/telegraf/meta/main.yml

@@ -1,24 +0,0 @@
----
-galaxy_info:
-  author: Ross McDonald
-  description: Install and configure Telegraf, the plugin-driven server agent for reporting metrics into InfluxDB
-  company: InfluxData
-  license: MIT
-  min_ansible_version: 1.2
-  platforms:
-    - name: EL
-      versions:
-        - 6
-        - 7
-    - name: Ubuntu
-      versions:
-        - trusty
-        - utopic
-        - vivid
-    - name: Debian
-      versions:
-        - jessie
-        - wheezy
-  categories:
-    - monitoring
-dependencies: []

roles/telegraf/tasks/configure.yml

@@ -1,70 +0,0 @@
----
-- name: Retrieve ec2 facts
-  ec2_metadata_facts:
-  when: telegraf_aws_tags
-
-- name: Retrieve all ec2 tags on the instance
-  ec2_tag:
-    region: "{{ ansible_ec2_placement_region }}"
-    resource: "{{ ansible_ec2_instance_id }}"
-    state: list
-  when: telegraf_aws_tags
-  register: ec2_tags
-
-- name: get the rpm or apt package facts
-  package_facts:
-    manager: "auto"
-
-- name: Set templatized Telegraf configuration
-  template:
-    src: "{{ telegraf_configuration_template }}"
-    dest: "{{ telegraf_configuration_dir }}/telegraf.conf"
-    force: yes
-    backup: yes
-    owner: telegraf
-    group: telegraf
-    mode: 0740
-  when: telegraf_template_configuration
-  # If config changes, restart telegraf and confirm it remained running
-  notify:
-    - "restart telegraf"
-    - "pause"
-    - "check status"
-    - "assert running"
-
-- name: Test for sysvinit script
-  stat:
-    path: /etc/init.d/telegraf
-  register: telegraf_sysvinit_script
-
-- name: Modify user Telegraf should run as [sysvinit]
-  replace:
-    path: /etc/init.d/telegraf
-    regexp: USER=.*
-    replace: USER={{ telegraf_runas_user }}
-  when: telegraf_runas_user != "telegraf" and telegraf_sysvinit_script.stat.exists
-
-- name: Modify group Telegraf should run as [sysvinit]
-  replace:
-    path: /etc/init.d/telegraf
-    regexp: GROUP=.*
-    replace: GROUP={{ telegraf_runas_group }}
-  when: telegraf_runas_group != "telegraf" and telegraf_sysvinit_script.stat.exists
-
-- name: Create systemd service directory [systemd]
-  file:
-    path: /etc/systemd/system/telegraf.service.d
-    state: directory
-  when: telegraf_runas_user != "telegraf" and not telegraf_sysvinit_script.stat.exists
-
-- name: Modify user Telegraf should run as [systemd]
-  template:
-    src: systemd/system/telegraf.service.d/override.conf
-    dest: /etc/systemd/system/telegraf.service.d/override.conf
-  when: telegraf_runas_user != "telegraf" and not telegraf_sysvinit_script.stat.exists
-  register: telegraf_unit_file_updated
-
-- name: Reload systemd configuration [systemd]
-  systemd:
-    daemon_reload: yes
-  when: telegraf_unit_file_updated is defined and telegraf_unit_file_updated.changed

roles/telegraf/tasks/install-debian.yml

@@ -1,55 +0,0 @@
----
-- name: Install any necessary dependencies [Debian/Ubuntu]
-  apt:
-    name:
-      - python-httplib2
-      - python-apt
-      - curl
-      - apt-transport-https
-    state: present
-    update_cache: yes
-    cache_valid_time: 3600
-  register: apt_result
-  until: apt_result is success
-  retries: 2
-  delay: 5
-
-- name: Import InfluxData GPG signing key [Debian/Ubuntu]
-  apt_key:
-    url: "{{ telegraf_influxdata_base_url }}/influxdb.key"
-    state: present
-  when: telegraf_install_url is not defined or telegraf_install_url == None
-
-- name: Add InfluxData repository [Debian/Ubuntu]
-  apt_repository:
-    repo: deb {{ telegraf_influxdata_base_url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ telegraf_install_version }}
-    state: present
-  when: telegraf_install_url is not defined or telegraf_install_url == None
-
-- name: Install Telegraf packages [Debian/Ubuntu]
-  apt:
-    name: telegraf
-    state: latest
-    update_cache: yes
-    cache_valid_time: 3600
-  register: apt_result
-  until: apt_result is success
-  retries: 2
-  delay: 5
-  when: telegraf_install_url is not defined or telegraf_install_url == None
-
-- name: Download Telegraf package via URL [Debian/Ubuntu]
-  get_url:
-    url: "{{ telegraf_install_url }}"
-    dest: /tmp/telegraf-ansible-download.deb
-  when: telegraf_install_url is defined and telegraf_install_url != None
-
-- name: Install downloaded Telegraf package [Debian/Ubuntu]
-  apt:
-    deb: /tmp/telegraf-ansible-download.deb
-    state: present
-  register: apt_result
-  until: apt_result is success
-  retries: 2
-  delay: 5
-  when: telegraf_install_url is defined and telegraf_install_url != None

roles/telegraf/tasks/install-redhat.yml

@@ -1,21 +0,0 @@
----
-- name: Add InfluxData repository file [RHEL/CentOS]
-  template:
-    src: etc/yum.repos.d/influxdata.repo.j2
-    dest: /etc/yum.repos.d/influxdata.repo
-    force: yes
-    backup: yes
-  when: telegraf_install_url is not defined or telegraf_install_url == None
-
-- name: Install Telegraf packages [RHEL/CentOS]
-  yum:
-    name: telegraf
-    state: latest
-    update_cache: yes
-  when: telegraf_install_url is not defined or telegraf_install_url == None
-
-- name: Install Telegraf from URL [RHEL/CentOS]
-  yum:
-    name: "{{ telegraf_install_url }}"
-    state: present
-  when: telegraf_install_url is defined and telegraf_install_url != None

roles/telegraf/tasks/install.yml

@@ -1,6 +0,0 @@
----
-- include: install-redhat.yml
-  when: ansible_os_family == "RedHat"
-
-- include: install-debian.yml
-  when: ansible_os_family == "Debian"

roles/telegraf/tasks/main.yml

@@ -1,10 +0,0 @@
----
-- include: install.yml
-  tags: [telegraf, install]
-
-- include: configure.yml
-  tags: [telegraf, configure]
-
-- include: start.yml
-  tags: [telegraf, start]
-  when: telegraf_start_service

roles/telegraf/tasks/start.yml

@@ -1,12 +0,0 @@
----
-- name: Start the Telegraf service
-  service:
-    name: telegraf
-    state: started
-    enabled: yes
-  # Only care to check the status if the state changed to 'started'
-  notify:
-    - "pause"
-    - "check status"
-    - "assert running"
-  become: true

roles/telegraf/templates/etc/yum.repos.d/influxdata.repo.j2

@@ -1,13 +0,0 @@
-[influxdb]
-name = InfluxDB Repository - {{ ansible_distribution }} $releasever
-{% if ansible_distribution|lower == "amazon" %}
-baseurl = "{{ telegraf_influxdata_base_url }}/centos/6/amd64/{{ telegraf_install_version }}"
-{% elif ansible_distribution|lower == "redhat" %}
-baseurl = {{ telegraf_influxdata_base_url }}/rhel/$releasever/$basearch/{{ telegraf_install_version }}
-{% else %}
-baseurl = {{ telegraf_influxdata_base_url }}/{{ ansible_distribution|lower }}/$releasever/$basearch/{{ telegraf_install_version }}
-{% endif %}
-enabled = 1
-gpgcheck = 1
-gpgkey = {{ telegraf_influxdata_base_url }}/influxdb.key
-sslverify = 1

roles/telegraf/templates/systemd/system/telegraf.service.d/override.conf

@@ -1,2 +0,0 @@
-[Service]
-User={{ telegraf_runas_user }}

roles/telegraf/templates/telegraf.conf.j2

@@ -1,181 +0,0 @@
-# Telegraf configuration
-
-# Telegraf is entirely plugin driven. All metrics are gathered from the
-# declared plugins.
-
-# Even if a plugin has no configuration, it must be declared in here
-# to be active. Declaring a plugin means just specifying the name
-# as a section with no variables. To deactivate a plugin, comment
-# out the name and any variables.
-
-# Use 'telegraf -config telegraf.toml -test' to see what metrics a config
-# file would generate.
-
-# One rule that plugins conform to is wherever a connection string
-# can be passed, the values '' and 'localhost' are treated specially.
-# They indicate to the plugin to use their own builtin configuration to
-# connect to the local system.
-
-# NOTE: The configuration has a few required parameters. They are marked
-# with 'required'. Be sure to edit those to make this configuration work.
-
-# Tags can also be specified via a normal map, but only one form at a time:
-[global_tags]
-{% if telegraf_tags is defined and telegraf_tags != None %}
-{% for key, value in telegraf_tags.items()%}
-   {{ key }} = "{{ value }}"
-{% endfor %}
-{% endif %}
-{% if telegraf_aws_tags == true and ec2_tags is defined and ec2_tags != None %}
-{% for key, value in ec2_tags.tags.items()%}
-   {{ telegraf_aws_tags_prefix }}{{ key }} = "{{ value }}"
-{% endfor %}
-{% endif %}
-
-# Configuration for telegraf agent
-[agent]
-  ## Default data collection interval for all inputs
-  interval = "{{ telegraf_agent_interval }}"
-  ## Rounds collection interval to 'interval'
-  ## ie, if interval="10s" then always collect on :00, :10, :20, etc.
-  round_interval = {{ telegraf_round_interval }}
-
-  ## Telegraf will send metrics to outputs in batches of at
-  ## most metric_batch_size metrics.
-  metric_batch_size = {{ telegraf_metric_batch_size }}
-  ## For failed writes, telegraf will cache metric_buffer_limit metrics for each
-  ## output, and will flush this buffer on a successful write. Oldest metrics
-  ## are dropped first when this buffer fills.
-  metric_buffer_limit = {{ telegraf_metric_buffer_limit }}
-
-  ## Collection jitter is used to jitter the collection by a random amount.
-  ## Each plugin will sleep for a random time within jitter before collecting.
-  ## This can be used to avoid many plugins querying things like sysfs at the
-  ## same time, which can have a measurable effect on the system.
-  collection_jitter = "{{ telegraf_collection_jitter }}"
-
-  ## Default flushing interval for all outputs. You shouldn't set this below
-  ## interval. Maximum flush_interval will be flush_interval + flush_jitter
-  flush_interval = "{{ telegraf_flush_interval }}"
-  ## Jitter the flush interval by a random amount. This is primarily to avoid
-  ## large write spikes for users running a large number of telegraf instances.
-  ## ie, a jitter of 5s and interval 10s means flushes will happen every 10-15s
-  flush_jitter = "{{ telegraf_flush_jitter }}"
-
-  ## Run telegraf in debug mode
-  debug = {{ telegraf_debug }}
-  ## Run telegraf in quiet mode
-  quiet = {{ telegraf_quiet }}
-
-  hostname = "{{ ansible_hostname }}"
-
-  ## If set to true, do no set the "host" tag in the telegraf agent.
-  omit_hostname = {{ telegraf_omit_hostname }}
-
-###############################################################################
-#                                  OUTPUTS                                    #
-###############################################################################
-
-[outputs]
-
-# Configuration for influxdb server to send metrics to
-[[outputs.influxdb]]
-  # The full HTTP or UDP endpoint URL for your InfluxDB instance.
-  # Multiple urls can be specified but it is assumed that they are part of the same
-  # cluster, this means that only ONE of the urls will be written to each interval.
-  # urls = ["udp://localhost:8089"] # UDP endpoint example
-  ## urls = [ "" ] # required
-  urls = ["{{ telegraf_influxdb_url }}"]
-  # The target database for metrics (telegraf will create it if not exists)
-  database = "{{ telegraf_influxdb_database }}" # required
-  # Precision of writes, valid values are n, u, ms, s, m, and h
-  # note: using second precision greatly helps InfluxDB compression
-  precision = "{{ telegraf_influxdb_precision }}"
-
-  ## Retention policy to write to.
-  retention_policy = "{{ telegraf_influxdb_retention_policy }}"
-  ## Write consistency (clusters only), can be: "any", "one", "quorom", "all"
-  write_consistency = "{{ telegraf_influxdb_write_consistency }}"
-
-  # Connection timeout (for the connection with InfluxDB), formatted as a string.
-  # If not provided, will default to 0 (no timeout)
-  timeout = "{{ telegraf_influxdb_timeout }}"
-{% if telegraf_influxdb_username is defined and telegraf_influxdb_username != None %}
-  username = "{{ telegraf_influxdb_username }}"
-{% endif %}
-  password = "{{ telegraf_influxdb_password }}"
-  # Set the user agent for HTTP POSTs (can be useful for log differentiation)
-{% if telegraf_influxdb_user_agent is defined and telegraf_influxdb_user_agent != None %}
-  user_agent = "{{ telegraf_influxdb_user_agent }}"
-{% endif %}
-  # Set UDP payload size, defaults to InfluxDB UDP Client default (512 bytes)
-{% if telegraf_influxdb_udp_payload is defined and telegraf_influxdb_udp_payload != None %}
-  udp_payload = {{ telegraf_influxdb_udp_payload }}
-{% endif %}
-
-  ## Optional SSL Config
-{% if telegraf_influxdb_ssl_ca is defined and telegraf_influxdb_ssl_ca != None %}
-  # ssl_ca = "{{ telegraf_influxdb_ssl_ca }}"
-{% endif %}
-{% if telegraf_influxdb_ssl_cert is defined and telegraf_influxdb_ssl_cert != None %}
-  # ssl_cert = "{{ telegraf_influxdb_ssl_cert }}"
-{% endif %}
-{% if telegraf_influxdb_ssl_key is defined and telegraf_influxdb_ssl_key != None %}
-  # ssl_key = "{{ telegraf_influxdb_ssl_key }}"
-{% endif %}
-
-{% if telegraf_influxdb_insecure_skip_verify is defined and telegraf_influxdb_insecure_skip_verify != None %}
-  ## Use SSL but skip chain & host verification
-  insecure_skip_verify = {{ telegraf_influxdb_insecure_skip_verify }}
-{% endif %}
-
-###############################################################################
-#                                  PLUGINS                                    #
-###############################################################################
-
-{% for plugin in telegraf_plugins %}
-[[inputs.{{ plugin.name }}]]
-{% if plugin.options is defined %}
-{% for key, value in plugin.options.items() %}
-{% if value is not mapping %}
-{% if value is sequence and value is not string %}
-{% if value[0] is number %}
-    {{ key }} = [ {{ value|join(', ') }} ]
-{% else %}
-    {{ key }} = [ "{{ value|join('", "') }}" ]
-{% endif %}
-{% else %}
-{% if value == "true" or value == "false" or value is number %}
-    {{ key }} = {{ value | lower }}
-{% else %}
-    {{ key }} = "{{ value }}"
-{% endif %}
-{% endif %}
-{% endif %}
-{% endfor %}
-{% for key, value in plugin.options.items() %}
-{% if value is mapping %}
-    [inputs.{{ plugin.name }}.{{ key }}]
-{% for lv2_key, lv2_value in value.items() %}
-{% if lv2_value is sequence and lv2_value is not string %}
-{% if lv2_value[0] is number %}
-      {{ lv2_key }} = [ {{ lv2_value|join(', ') }} ]
-{% else %}
-      {{ lv2_key }} = [ "{{ lv2_value|join('", "') }}" ]
-{% endif %}
-{% else %}
-{% if lv2_value == "true" or lv2_value == "false" or lv2_value is number %}
-      {{ lv2_key }} = {{ lv2_value | lower }}
-{% else %}
-      {{ lv2_key }} = "{{ lv2_value }}"
-{% endif %}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% endfor %}
-
-###############################################################################
-#                              service PLUGINS                                #
-###############################################################################

roles/telegraf/test.yml

@@ -1,8 +0,0 @@
-- hosts: all
-  vars_files:
-    - defaults/main.yml
-    - vars/main.yml
-  tasks:
-    - include: tasks/main.yml
-  handlers:
-    - include: handlers/main.yml

roles/telegraf/vars/main.yml

@@ -1,16 +0,0 @@
----
-
-# Whether or not the playbook is run locally
-# This should only be set in the Vagrantfile and not modified elsewhere
-is_vagrant: no
-
-# If yes, service will be started. Will not be started if set to no.
-telegraf_start_service: yes
-telegraf_start_delay: 6
-
-# If yes, will overwrite the packaged configuration with an Asnible/jinja2 template
-telegraf_template_configuration: yes
-
-# Path for finding Telegraf data. Added for backwards-compatibility.
-telegraf_binary_path: /usr/bin/telegraf
-telegraf_configuration_dir: /etc/telegraf

roles/tileserver/tasks/main.yml

@@ -21,7 +21,7 @@
 - name: Run tileserver container
   docker_container:
     name: tileserver
-    image: maptiler/tileserver-gl
+    image: maptiler/tileserver-gl:v4.1.1
     interactive: yes
     ports:
     - "80:80"

roles/unifi/tasks/main.yml

@@ -8,7 +8,7 @@
 - name: Run unifi container
   docker_container:
     name: unifi
-    image: jacobalberty/unifi:stable
+    image: jacobalberty/unifi:6.1.71
     env:
       RUNAS_UID0: "false"
       TZ: "Europe/Berlin"

roles/web_stats/templates/vhost.j2

@@ -27,6 +27,7 @@ server {
 	location / {
 		proxy_pass http://localhost:3000/;
 		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header Host $http_host;
 	}
 
 	location /meshviewer {

site.yml

@@ -30,7 +30,6 @@
   hosts: [gw11.regensburg.freifunk.net, gw21.regensburg.freifunk.net, gw31.regensburg.freifunk.net]
   roles:
   - mesh_wg
-  - telegraf
 
 - name: Setup stats server
   hosts: stats.regensburg.freifunk.net