netbox: bump to version 3.7.5

against current debian default config

README.md

@@ -1,11 +1,68 @@
 # Binary Kitchen Ansible Playbooks
 
-This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
+This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
 
-## Using
+## Usage
 
-TBA
+To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
 
-## Style / Contributing
+It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
 
-TBA/TBD
+
+## Current setup
+
+Currently the following hosts are installed:
+
+### Internal Servers
+
+| Hostname                  | OS        | Purpose                 |
+| ------------------------- | --------- | ----------------------- |
+| wurst.binary.kitchen      | Proxmox 8 | VM Host                 |
+| salat.binary.kitchen      | Proxmox 8 | VM Host                 |
+| weizen.binary.kitchen     | Proxmox 8 | VM Host                 |
+| bacon.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aveta.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aeron.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| sulis.binary.kitchen      | Debian 12 | Shell                   |
+| nabia.binary.kitchen      | Debian 12 | Monitoring              |
+| epona.binary.kitchen      | Debian 12 | NetBox                  |
+| pizza.binary.kitchen      | Debian 11 | OpenHAB *               |
+| pancake.binary.kitchen    | Debian 12 | XRDP                    |
+| knoedel.binary.kitchen    | Debian 12 | SIP-DECT OMM            |
+| bob.binary.kitchen        | Debian 12 | Gitea Actions           |
+| lasagne.binary.kitchen    | Debian 12 | Home Assistant *        |
+| tschunk.binary.kitchen    | Debian 11 | Strichliste             |
+| bowle.binary.kitchen      | Debian 12 | Files                   |
+| lock-auweg.binary.kitchen | Debian 11 | Doorlock                |
+
+\*: The main application is not managed by ansible but manually installed
+
+### External Servers
+
+| Hostname                      | OS        | Purpose                 |
+| ----------------------------- | --------- | ----------------------- |
+| helium.binary-kitchen.net     | Debian 12 | LDAP Master             |
+| lithium.binary-kitchen.net    | Debian 12 | Mail                    |
+| beryllium.binary-kitchen.net  | Debian 12 | Web *                   |
+| boron.binary-kitchen.net      | Debian 12 | Gitea                   |
+| carbon.binary-kitchen.net     | Debian 12 | Jabber                  |
+| nitrogen.binary-kitchen.net   | Debian 12 | NextCloud               |
+| oxygen.binary-kitchen.net     | Debian 12 | Shell                   |
+| fluorine.binary-kitchen.net   | Debian 12 | Web (div. via Docker)   |
+| neon.binary-kitchen.net       | Debian 12 | Auth. DNS               |
+| sodium.binary-kitchen.net     | Debian 12 | Mattrix                 |
+| magnesium.binary-kitchen.net  | Debian 12 | TURN                    |
+| aluminium.binary-kitchen.net  | Debian 12 | Zammad                  |
+| krypton.binary-kitchen.net    | Debian 12 | PartDB *                |
+| yttrium.binary-kitchen.net    | Debian 12 | Hintervvoidler *        |
+| zirconium.binary-kitchen.net  | Debian 12 | Jitsi                   |
+| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle *          |
+| technetium.binary-kitchen.net | Debian 12 | Event CTFd *            |
+| ruthenium.binary-kitchen.net  | Debian 12 | Minecraft *             |
+| rhodium.binary-kitchen.net    | Debian 12 | Event pretix            |
+| palladium.binary-kitchen.net  | Debian 12 | Event pretalx           |
+| argentum.binary-kitchen.net   | Debian 12 | Event Web *             |
+| cadmium.binary-kitchen.neti   | Debian 12 | Event NetBox *          |
+| barium.binary-kitchen.net     | Debian 12 | Workadventure           |
+
+\*: The main application is not managed by ansible but manually installed

ansible.cfg

@@ -1,5 +1,6 @@
 [defaults]
 ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
+interpreter_python = auto
 inventory       = ./hosts
 nocows          = 1
 remote_user     = root

group_vars/all/vars.yml

@@ -5,6 +5,14 @@ acertmgr_mode: webdir
 acme_dnskey_file: /etc/acertmgr/nsupdate.key
 acme_dnskey_server: neon.binary-kitchen.net
 
+authentik_domain: auth.binary-kitchen.de
+authentik_dbname: authentik
+authentik_dbuser: authentik
+authentik_dbpass: "{{ vault_authentik_dbpass }}"
+authentik_secret: "{{ vault_authentik_secret }}"
+
+bk23b_domain: 23b.binary-kitchen.de
+
 coturn_realm: turn.binary-kitchen.de
 coturn_secret: "{{ vault_coturn_secret }}"
 
@@ -14,16 +22,6 @@ dns_axfr_ips:
 
 dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
 
-drone_admin: moepman
-drone_domain: drone.binary-kitchen.de
-drone_dbname: drone
-drone_dbuser: drone
-drone_dbpass: "{{ vault_drone_dbpass }}"
-drone_uipass: "{{ vault_drone_uipass }}"
-drone_secret: "{{ vault_drone_secret }}"
-drone_gitea_client: "{{ vault_drone_gitea_client }}"
-drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
-
 dss_domain: dss.binary-kitchen.de
 dss_secret: "{{ vault_dss_secret }}"
 
@@ -34,11 +32,20 @@ gitea_dbpass: "{{ vault_gitea_dbpass }}"
 gitea_secret: "{{ vault_gitea_secret }}"
 gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
 
-hackmd_domain: pad.binary-kitchen.de
-hackmd_dbname: hackmd
-hackmd_dbuser: hackmd
-hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
-hackmd_secret: "{{ vault_hackmd_secret }}"
+hedgedoc_domain: pad.binary-kitchen.de
+hedgedoc_dbname: hedgedoc
+hedgedoc_dbuser: hedgedoc
+hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
+hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
+
+icinga_domain: icinga.binary.kitchen
+icinga_dbname: icinga
+icinga_dbuser: icinga
+icinga_dbpass: "{{ vault_icinga_dbpass }}"
+icinga_server: nabia.binary.kitchen
+icingaweb_dbname: icingaweb
+icingaweb_dbuser: icingaweb
+icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
 
 jitsi_domain: jitsi.binary-kitchen.de
 jitsi_admin_email: exxess@binary-kitchen.de
@@ -58,16 +65,29 @@ mail_domain: binary-kitchen.de
 mail_domains:
 - ccc-r.de
 - ccc-regensburg.de
+- eh21.easterhegg.eu
 - makerspace-regensburg.de
 mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
 mail_server: mail.binary-kitchen.de
 mailman_domain: lists.binary-kitchen.de
 mail_trusted:
 - 213.166.246.0/28
+- 213.166.246.37/32
+- 213.166.246.45/32
+- 213.166.246.46/32
+- 213.166.246.47/32
 - 213.166.246.250/32
 - 2a02:958:0:f6::/124
+- 2a02:958:0:f6::37/128
+- 2a02:958:0:f6::45/128
+- 2a02:958:0:f6::46/128
+- 2a02:958:0:f6::47/128
 mail_aliases:
+- "auweg@binary-kitchen.de	venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
+- "bbb@binary-kitchen.de	boehm.johannes@gmail.com"
+- "dasfilament@binary-kitchen.de	taxx@binary-kitchen.de"
 - "epvpn@binary-kitchen.de	noby@binary-kitchen.de"
+- "google@binary-kitchen.de	vorstand@binary-kitchen.de"
 - "info@binary-kitchen.de	vorstand@binary-kitchen.de"
 - "lebercast@binary-kitchen.de	anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
 - "loetworkshop@binary-kitchen.de	timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
@@ -75,12 +95,14 @@ mail_aliases:
 - "openhab@binary-kitchen.de	noby@binary-kitchen.de"
 - "orga@ccc-r.de	orga@ccc-regensburg.de"
 - "orga@ccc-regensburg.de	anti@binary-kitchen.de"
-- "paypal@binary-kitchen.de	timo.schindler@binary-kitchen.de"
+- "paypal@binary-kitchen.de	ralf@binary-kitchen.de"
 - "post@makerspace-regensburg.de	vorstand@binary-kitchen.de"
+- "pretalx@binary-kitchen.de	moepman@binary-kitchen.de"
+- "pretix@binary-kitchen.de	moepman@binary-kitchen.de"
 - "root@binary-kitchen.de	moepman@binary-kitchen.de,kishi@binary-kitchen.de"
 - "seife@binary-kitchen.de	anke@binary-kitchen.de"
 - "siebdruck@binary-kitchen.de	anke@binary-kitchen.de"
-- "vorstand@binary-kitchen.de	anti@binary-kitchen.de,avarrish@binary-kitchen.de,timo.schindler@binary-kitchen.de,zaesa@binary-kitchen.de"
+- "vorstand@binary-kitchen.de	anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
 - "voucher1@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher2@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher3@binary-kitchen.de	exxess@binary-kitchen.de"
@@ -94,25 +116,41 @@ mail_aliases:
 - "voucher11@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher12@binary-kitchen.de	exxess@binary-kitchen.de"
 - "workshops@binary-kitchen.de	timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
+- "tickets@eh21.easterhegg.eu	orga@eh21.easterhegg.eu"
+- "hackzuck@eh21.easterhegg.eu	kekskruemml@binary-kitchen.de"
 
 matrix_domain: matrix.binary-kitchen.de
 matrix_dbname: matrix
 matrix_dbuser: matrix
 matrix_dbpass: "{{ vault_matrix_dbpass }}"
 
-nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
-nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
-nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
+mc_domain: minecraft.binary-kitchen.de
+
+netbox_domain: netbox.binary.kitchen
+netbox_dbname: netbox
+netbox_dbuser: netbox
+netbox_dbpass: "{{ vault_netbox_dbpass }}"
+netbox_secret: "{{ vault_netbox_secret }}"
 
 nextcloud_domain: oc.binary-kitchen.de
 nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 
-plk_domain: plk-regensburg.de
-plk_dbuser: plkdbuser
-plk_dbname: plkdb
-plk_dbpass: "{{ vault_plk_dbpass }}"
+omm_domain: omm.binary.kitchen
+
+pretalx_domain: fahrplan.eh21.easterhegg.eu
+pretalx_dbname: pretalx
+pretalx_dbuser: pretalx
+pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
+pretalx_mail: pretalx@binary-kitchen.de
+
+pretix_domain: pretix.events.binary-kitchen.de
+pretix_domainx: tickets.eh21.easterhegg.eu
+pretix_dbname: pretix
+pretix_dbuser: pretix
+pretix_dbpass: "{{ vault_pretix_dbpass }}"
+pretix_mail: pretix@binary-kitchen.de
 
 prometheus_pve_user: prometheus@pve
 prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@@ -126,8 +164,6 @@ pve_targets:
 
 radius_secret: "{{ vault_radius_secret }}"
 
-rocketchat_domain: chat.binary-kitchen.de
-
 root_keys:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
@@ -135,3 +171,22 @@ root_keys:
 slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
+
+sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
+sssd_base_user: ou=people,dc=binary-kitchen,dc=de
+
+strichliste_domain: tschunk.binary.kitchen
+strichliste_dbname: strichliste
+strichliste_dbuser: strichliste
+strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
+
+vaultwarden_domain: vault.binary-kitchen.de
+vaultwarden_dbname: vaultwarden
+vaultwarden_dbuser: vaultwarden
+vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
+vaultwarden_token: "{{ vault_vaultwarden_token }}"
+vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
+
+workadventure_domain: wa.binary-kitchen.de
+
+zammad_domain: requests.binary-kitchen.de

group_vars/all/vault.yml

@@ -1,59 +1,106 @@
 $ANSIBLE_VAULT;1.1;AES256
-37303932343462623335393066643531373533636435356462326537373532613534353266396435
-3636666364306637306266393933383963633032383265650a656563303332303134323135353239
-34633863333930316564633632313939643664373163373833636139366537646530383736343130
-6239373931306234620a353966346262646538306631656461613431636230333430663931643933
-31316362353439393838363666613932313635313864333135636530653238653162353033356437
-33353063363639346266313631393463623864636133623264613865336536613536343365386230
-65396263393862626139396430623134316632313637623631623762656139623664356331623066
-30323430613963313162616135303164663364336634326533346438373635366238356531613461
-30333736633965333163616437303566666239313962353531393530613265363833396136646262
-62633662666532396535316361303934613138373365633161393664313234663533363736323335
-38613762376234663564333333386265633138613839636132346638313430653639636339336239
-38633564333831326331326166666362353364303933393532643936313564386565643162623435
-36356437356631666137323039316430656566613436623062656562666139383635653039636463
-35393438323765303431333737356339343730303531333834306239366533393537626239376163
-31663332343136323264376234363264343136623365383833666638656531306362663462383033
-31633838643562613762363634653865353361303666363139636337386439626235336462653036
-30376461643839313665383430386534656265626139313034646438323861653530383637316139
-35313539636137303561646564616362313435666262343137616263396465356434363862323137
-38626464383039386139343665363538326539613837366437623362336639336133323463666235
-36346333356434363838363634343233323363333762653264333062656133623434666162356433
-37623862653862643335333931663063623166353534636430323230663838653532356335306632
-33646265343834363839653565326538353930663061376461646534386637376234646264343933
-65653763343236653630396238333232633461663333646531323337626235396231383931663264
-34363564366134663036643332346238373639646336396261316133326235636265323636663335
-35363537346466396432396162383131306438396431336138666663633132646662316165643333
-64633434623166343262623038623431343631333962663566303566393761653536303638643037
-63363963306139336235363537396432383131303763643966313937353537333739393031616439
-35343361646234663062633631323238656137373464386561656439313636613630323632616332
-39346239666266623038363066643865373762633532323431373431373165643662663661633365
-35353361383339623535336362313430616139396561623934346264323462663663383566393165
-35366637313861386465333530613530623832643333616538336436356134313832306139336361
-32393162373235356236343332363038393631626534643237383232323735633265333562633231
-61613164363962323236666365353830346664643263393532343562383736336535353364343638
-62386465323331653565306234646664393164666334383765336630346438633636353264636138
-31316231326236313839353465353230353935363330393035373234393039386134366534653636
-63323730383931353763383739393330316335373563393039366166313031373664636335363363
-38363131363565326431636361316562313037373664306333313366646336333162663664306539
-64636530363561393037373766383937616435313333653836363835383231633130396133663635
-36613531323732623264646666656139333766656562623430313964366236373663626135383437
-31643663663637613762313465656636396264623362643538323166356636303430613133383664
-66383332326437333638663562376665386237313533303437623765353661393561373338636130
-30383665333366643331366536646330633133643566393962633164643563613536363434393234
-66323931316535353632356432373262623962616264383430623436303637616165386433326231
-38633730636633643634343833313964653530663034333063313334636134646634363437346161
-32613061363032383732323263303830363532326239316538393739313730383530633862313039
-37653865303932313635656332663039376331393161623731623039653865623436363061626538
-32383934613335363534666461343135303235373262343634306130633536323839393139346662
-31623265323138353963623938616665383765366230656461383835346230346261623866366630
-65303965353432386136373562306434623739666262356663656266346439356435613362333563
-34366539353366346636376662363837303332373866323434366261326164633033353930383038
-36666433656365366663326163343034306439653262353733323232373133386436333637346563
-32626533336530633731336631333334353366306538663936643637346335303965626631316562
-33333061656234393661363766663630316662613764333231326434383465666234653238393965
-31636561396665383063613433653837363634623337623330666466353532633434383864343464
-38303436306165353433356536326466306530373635616531393462666336666435633235613937
-37343832333864643636366632623062363234633365326635386663376439383332306333653161
-34353830396165366534313334616161323461613066383561343563393330613464373862623062
-3536303066343262636636393861313539616636643339353562
+61333062333563653966393334326633643564313063346266663461633538366662623937373738
+3732396164303638643362316564393236353737346235380a666361396631656563303733343032
+66396531313139343062363639636334373836306237363733393635346261313832366330303436
+6362383638363931380a323066343834363138356662656439343131353330366532626538653434
+64663834333563333263356532326262333938613432356233656238313365663661636334333066
+63653561316239356638653834646261643564316535306133633832666365383238303364346466
+63393164646330623061633039316638656566346663616661633464303237386261316262623533
+63306266333063373333323030666264323564663032333637343134306231373964666630333538
+63626363383836363639663830643530376361613466613666303933363563663763636635363132
+36666432646233313663613563663565313537316164313964656461666336326331303035343062
+35323363373130333935373035663635626666613236376261623934366235633738323430666330
+33323130363839386331613334636531396665316336376265333231343763656637396437653733
+64366565336132333131346463356236343934663332633830373939616434613561613564313837
+34333039363962643333343961636165323766343531336465306438306365636137636662303165
+35346530313134346432303862643735376331376432616136306537653266333434336663373931
+35373235333937646165663238636232656336393330386161636435666637356632333832646137
+30333233636266623165663538303639663466363337323330383962383139643532623462663564
+63313262366236623232303732373136393139323562313733623763363864646432653037316465
+34306261303035306436396262333131366562643166333130393438393636623034656163653131
+65363530613064633462633238343834336538353766353766336132303333383164326363316365
+31303532363838306338626662313234343134306531353765333237303962303339366233366632
+35643565353766353962386135323765356130393731363633373238626332356637363339356437
+30386361363837373434363939373361343862393364316537633463653862666164613730306565
+36343762326337333235643862626566346235333934656631306461633934306230333365343731
+64643835323061613230336234343438383938653761393133656137626434653532636466313439
+31363362306539643635386237353466343733616334303762343964636533636662333661653839
+34663264613033373965336635663131396334616432653462346634626535393761666237623936
+31666439356261303134343938333433323538653337653937333830656163633965353235653539
+65353937333463343236636237313736313565613833653530333135623233363564393266353363
+33323236643634616263303133663631386638356561373730653930646265616634356364366361
+37666362363230313664343633343464383334386539616132636562626465326364353436356338
+61383736663733643132656266633837646366343637303264363465633536633962353235303336
+38376430343733386631623334386564616264386234613664366631313334626436313865356565
+33663433663963653835376666303664656438623337663536376234356465396534306362346162
+62323262323933336232376636353831633834656536633666643961396365306464303730626463
+36363631336236353730393035613333666465653861373766393731373863353330656366306263
+62316636333230366563623836316232323831393233366539363662646564373436623230343761
+61626235656438373566646365353761376139383962353635393439666365333332313035653433
+64316638363061613561306534616465646661326637633332333734626562353664666432616137
+32643636356261613430376535633837646437626132373735323366313738633134303962306163
+30366230333533663433616664343862346232363733623239353035656134366437313662353933
+32663261663937663437643233383562656537333364643435356639616136623036306231633839
+38386631643264636535323766643661626566323661313831326530636532383330633066336130
+39306631636433376361636637633135316662306636306137366531333662303238613434333534
+35633162316363333934623663303839343366376263343536333563663833323734356566623663
+64646437343935306230333034636431396439366237643839363035313164393666616235393034
+33323333626537633730303961613263363835343030363331633165663035336633613831326632
+35363738336534663934616338363764353562306139613464663533323863326331646464333533
+36363962653830613864393565623561646233313135386163623932363865343861313534663234
+32313466656532616638376238363937613264346265316135336137363961386161376364343063
+33316662343066336438336137353262646264656434333364343334373762303062386165663530
+63313666356633633936366162366332333163656164306533356530666166353635616364643830
+66336339663737616664616430373162386238636134303137386331393837353462623336663335
+34303038323037363165613935376262376464383265323462373638313530396537633031653530
+63613135373639623138333635343035303734383932336333303063666662333164643430393637
+64393262363235616666303366346137633132313066613731333064346139646361363832343730
+39666338303339663665363033653735346130313431306131306261636430396465323937623062
+32343433376438623965363338633639383738326561376665623461653539383666636535656663
+37353665363663356464366331313236653430313034613733363665633239656361623931646432
+30653632643062366333663830326663623766646535666534613933663333366466333033383165
+33373039303564656562636432303934383132666665656161323535333930346265623639316366
+38393764346265653734373136636538346361363966393732323362323733386631623762313366
+63313733653730336536393335623138383365303934303730343136613734663062326166316461
+35313363656335643531343561336662663434353031623733353035633063396366376664303364
+36643262633832363362306263376135346632386631346432333137623631343234333337643536
+35353135303330626663663963366139363265666434363364303266613564373337616564366566
+30646635633834616536333361303361313934316434393330333231613038346466306531646537
+39303131396562656334303536613964363936643435613035623065323963633764623432373235
+37393564626239333761626131643366306131346339356364373061353865653966326362613164
+62366562326234303865323934353734613364653161316131363964666439636561663361396239
+30353266303764396265656635616462653563613630616537353530613835656333353364333632
+39663939376633613133623839353133613066633333633135316132636435363330393966396431
+30656638653662356164393038323538643661333734623937653430643931623061666330633631
+63323834313733353635363535613666643361356363386465383961626331303435333363396230
+37313835633136323134623261626432653965366230656266356333653437386463396563613563
+62656562626131336230383965303962383464643832333361343838393338353365663766373031
+31633265653262356139323564663834616164313439346133386135333563323264313261336336
+39393166613865353164376130303536373931643436633133313361356166393432363631666361
+36366537363630333830333432333466363266666636643932636565613738346239383736306533
+32333838396638656134643538313033336137316638326232303837386537393737316237356237
+62646561333430303765656537373738316131306664626533646461333261306665626336376537
+35633736303262656236303230653564386130666362303132646166306432393962306366663432
+64353366353839643366376433646661376434313266326665343063653534343531623033316461
+37306439373366303236666338616364343163663165626665613761333838333366336238343633
+38663066623532353464653164616237353464363539313762396162653139393133323438643331
+66306562346136346363396235356264303164636662386166666436316338323462656537386335
+36373763313935666539643834653237336130336530653834643263373264353233643938393965
+30313637366236383433313161386531623936356161333462636566633036383635616638316434
+66313434393365333633336231656536353138303235616439643535376338326262663632313564
+65306534356531303835373231623234356337623234366137386437303864643764613731326137
+65376337386133353739376661353766343931383135363038353839376666306337323835613935
+33303730623132613462363538666638313533333564656164363731323463613230366230373664
+31303331396264353162383138643063313737366635333664343836346338353537366362613937
+35623934646239356339343339653337656330616565616232633232373036383562393362343332
+39316661623563333234656633666365303964366338303862333730656366626533326334613038
+39663332623862626230373135623235363064636163373737316262613233663031383366363563
+34613730343564373230306237656662636130333736393136366138333864313636343362613631
+64636266626637366530363763323930643336313339613930623835326431643663356365353865
+35653238333131363262346565653066383834633131303466636232653234363366646635656338
+31386163616237316361643134396230386338643339633562376436333238346665363938323462
+32336435663138393230366632633132333834303539303439313764623163383661396536383461
+31636365633765346262616235336666363932336366373438643531663539333431663231326362
+32326230363965356434343833383662393430333535636536323066373439653330373937636565
+61306565663734636630633730383736653736383765326638656433646637393033356665633831
+66353338633833346436666134343465623236626339613363623834333261313531

group_vars/auweg

@@ -0,0 +1,16 @@
+---
+
+dhcpd_failover: false
+dhcpd_primary: 172.23.13.3
+
+dns_primary: 172.23.13.3
+
+doorlock_domain: lock-auweg.binary.kitchen
+
+name_servers:
+- 172.23.13.3
+
+ntp_servers:
+- 172.23.12.61
+
+radius_cn: radius.binary.kitchen

group_vars/kitchen

@@ -4,6 +4,9 @@ dhcpd_failover: true
 dhcpd_primary: 172.23.2.3
 dhcpd_secondary: 172.23.2.4
 
+dns_primary: 172.23.2.3
+dns_secondary: 172.23.2.4
+
 name_servers:
 - 172.23.2.3
 - 172.23.2.4

host_vars/aeron.binary.kitchen

@@ -0,0 +1,7 @@
+---
+
+radius_hostname: radius3.binary.kitchen
+
+slapd_hostname: ldap3.binary.kitchen
+slapd_replica_id: 3
+slapd_role: slave

host_vars/argentum.binary-kitchen.net

@@ -0,0 +1,6 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

host_vars/aveta.binary.kitchen

@@ -3,4 +3,5 @@
 radius_hostname: radius2.binary.kitchen
 
 slapd_hostname: ldap2.binary.kitchen
+slapd_replica_id: 2
 slapd_role: slave

host_vars/bacon.binary.kitchen

@@ -1,9 +1,11 @@
 ---
 
+ntp_server: true
+
 ntp_servers:
 - ptbtime2.ptb.de
 - ntp1.rrze.uni-erlangen.de
-- ntps1-0.cs.tu-berlin.de
+- rustime01.rus.uni-stuttgart.de
 
 ntp_peers:
 - 172.23.1.60
@@ -11,4 +13,5 @@ ntp_peers:
 radius_hostname: radius1.binary.kitchen
 
 slapd_hostname: ldap1.binary.kitchen
+slapd_replica_id: 1
 slapd_role: slave

host_vars/barium.binary-kitchen.net

@@ -0,0 +1,2 @@
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/bowle.binary.kitchen

@@ -0,0 +1,8 @@
+---
+
+nfs_exports:
+- /exports/backup/bk 172.23.1.60(rw,sync,no_subtree_check)
+- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
+- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
+
+uau_reboot: "false"

host_vars/fluorine.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

host_vars/knoedel.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/krypton.binary-kitchen.net

@@ -2,3 +2,4 @@
 
 root_keys_host:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/lasagne.binary.kitchen

@@ -0,0 +1,11 @@
+---
+
+root_keys_host:
+- "# Thomas Basler"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
+- "# Ralf Ramsauer"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
+- "# Thomas Schmid"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+
+uau_reboot: "false"

host_vars/lock-auweg.binary.kitchen

@@ -0,0 +1,5 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/magnesium.binary-kitchen.net

@@ -0,0 +1,3 @@
+---
+
+acertmgr_mode: standalone

host_vars/molybdenum.binary-kitchen.net

@@ -4,3 +4,4 @@ grafana_domain: zelle.binary-kitchen.de
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/nitrogen.binary-kitchen.net

@@ -3,3 +3,5 @@
 root_keys_host:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
+
+nginx_anonymize: True

host_vars/oxygen.binary-kitchen.net

@@ -1,3 +1,4 @@
 ---
 
-uau_reboot: "false"
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
+sshd_password_authentication: "yes"

host_vars/pancake.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/pizza.binary.kitchen

@@ -4,8 +4,7 @@ root_keys_host:
 - "# Thomas Basler"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
 - "# Ralf Ramsauer"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
 - "# Thomas Schmid"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
 

host_vars/rhodium.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

host_vars/ruthenium.binary-kitchen.net

@@ -2,6 +2,6 @@
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
 
 uau_reboot: "false"

host_vars/strontium.binary-kitchen.net

@@ -1,4 +0,0 @@
----
-
-root_keys_host:
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

host_vars/sulis.binary.kitchen

@@ -0,0 +1,4 @@
+---
+
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
+sshd_password_authentication: "yes"

host_vars/technetium.binary-kitchen.net

@@ -1,4 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"

host_vars/tschunk.binary.kitchen

@@ -0,0 +1,7 @@
+---
+
+root_keys_host:
+- "# Thomas Schmid"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+
+uau_reboot: "true"

host_vars/weizen.binary.kitchen

@@ -0,0 +1,8 @@
+---
+
+ntp_server: true
+
+ntp_servers:
+- ptbtime1.ptb.de
+- ntp1.rrze.uni-erlangen.de
+- rustime01.rus.uni-stuttgart.de

host_vars/wurst.binary.kitchen

@@ -1,9 +1,11 @@
 ---
 
+ntp_server: true
+
 ntp_servers:
 - ptbtime1.ptb.de
 - ntp1.rrze.uni-erlangen.de
-- ntps1-0.cs.tu-berlin.de
+- rustime01.rus.uni-stuttgart.de
 
 ntp_peers:
 - 172.23.2.3

host_vars/yttrium.binary-kitchen.net

@@ -1,5 +1,6 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

hosts

@@ -4,10 +4,19 @@ bacon.binary.kitchen ansible_host=172.23.2.3
 aveta.binary.kitchen ansible_host=172.23.2.4
 sulis.binary.kitchen ansible_host=172.23.2.5
 nabia.binary.kitchen ansible_host=172.23.2.6
+epona.binary.kitchen ansible_host=172.23.2.7
 pizza.binary.kitchen ansible_host=172.23.2.33
+pancake.binary.kitchen ansible_host=172.23.2.34
+knoedel.binary.kitchen ansible_host=172.23.2.35
 bob.binary.kitchen ansible_host=172.23.2.37
-bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7
+lasagne.binary.kitchen ansible_host=172.23.2.38
+tschunk.binary.kitchen ansible_host=172.23.2.39
+bowle.binary.kitchen ansible_host=172.23.2.62
 salat.binary.kitchen ansible_host=172.23.9.61
+[auweg]
+weizen.binary.kitchen ansible_host=172.23.12.61
+aeron.binary.kitchen ansible_host=172.23.13.3
+lock-auweg.binary.kitchen ansible_host=172.23.13.12
 [fan_rz]
 helium.binary-kitchen.net
 lithium.binary-kitchen.net
@@ -19,9 +28,16 @@ oxygen.binary-kitchen.net
 fluorine.binary-kitchen.net
 neon.binary-kitchen.net
 sodium.binary-kitchen.net
+magnesium.binary-kitchen.net
+aluminium.binary-kitchen.net
 krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
 technetium.binary-kitchen.net
 ruthenium.binary-kitchen.net
+rhodium.binary-kitchen.net
+palladium.binary-kitchen.net
+argentum.binary-kitchen.net
+cadmium.binary-kitchen.net
+barium.binary-kitchen.net

roles/23b/handlers/main.yml

@@ -3,11 +3,11 @@
 - name: Reload systemd
   systemd: daemon_reload=yes
 
-- name: Run acertmgr
-  command: /usr/bin/acertmgr
-
-- name: Restart drone
-  service: name=drone state=restarted
+- name: Restart 23b
+  service: name=23b state=restarted
 
 - name: Restart nginx
   service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/23b/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create 23b group
+  group: name=23b
+
+- name: Create 23b user
+  user:
+    name: 23b
+    home: /opt/23b
+    shell: /bin/bash
+    group: 23b
+    groups: docker
+
+# docker-compolse.yml is managed outside ansible
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for 23b
+  template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
+  notify: Restart nginx
+
+- name: Systemd unit for 23b
+  template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
+  notify:
+  - Reload systemd
+  - Restart 23b
+
+- name: Start the 23b service
+  service: name=23b state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ bk23b_domain }}"

roles/23b/templates/23b.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=23b service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=23b
+Group=23b
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/23b/23b/23b
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/23b/templates/certs.j2

@@ -1,13 +1,13 @@
 ---
 
-{{ drone_domain }}:
-- path: /etc/nginx/ssl/{{ drone_domain }}.key
+{{ bk23b_domain }}:
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
   user: root
   group: root
   perm: '400'
   format: key
   action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/{{ drone_domain }}.crt
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
   user: root
   group: root
   perm: '400'

roles/23b/templates/vhost.j2

@@ -2,7 +2,7 @@ server {
 	listen 80;
 	listen [::]:80;
 
-	server_name {{ hackmd_domain }};
+	server_name {{ bk23b_domain }};
 
 	location /.well-known/acme-challenge {
 		default_type "text/plain";
@@ -10,7 +10,7 @@ server {
 	}
 
 	location / {
-		return 301 https://{{ hackmd_domain }}$request_uri;
+		return 301 https://{{ bk23b_domain }}$request_uri;
 	}
 }
 
@@ -18,21 +18,19 @@ server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 
-	server_name {{ hackmd_domain }};
+	server_name {{ bk23b_domain }};
 
-	ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;
+	ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
 
 	# set max upload size
 	client_max_body_size 8M;
 
 	location / {
+		proxy_pass http://localhost:5000;
+		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_pass http://localhost:3000;
-		proxy_http_version 1.1;
-		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header Connection "Upgrade";
+		proxy_set_header X-Forwarded-Proto $scheme;
 	}
-
 }

roles/act_runner/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+
+actrunner_user: act_runner
+actrunner_group: act_runner
+
+actrunner_version: 0.2.6
+actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

roles/act_runner/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart act_runner
+  service: name=act_runner state=restarted

roles/act_runner/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Create group
+  group: name={{ actrunner_group }}
+
+- name: Create user
+  user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
+
+- name: Create directories
+  file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
+  with_items:
+  - /etc/act_runner
+  - /var/lib/act_runner
+
+- name: Download act_runner binary
+  get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
+  register: runner_download
+
+- name: Symlink act_runner binary
+  file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
+  when: runner_download.changed
+  notify: Restart act_runner
+
+- name: Configure act_runner
+  template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
+  notify: Restart act_runner
+
+- name: Install systemd unit
+  template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
+  notify:
+  - Reload systemd
+  - Restart act_runner
+
+- name: Enable act_runner
+  service: name=act_runner state=started enabled=yes

roles/act_runner/templates/act_runner.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Gitea Actions runner
+Documentation=https://gitea.com/gitea/act_runner
+After=docker.service
+
+[Service]
+ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
+ExecReload=/bin/kill -s HUP $MAINPID
+WorkingDirectory=/var/lib/act_runner
+TimeoutSec=0
+RestartSec=10
+Restart=always
+User={{ actrunner_user }}
+
+[Install]
+WantedBy=multi-user.target

roles/act_runner/templates/config.yaml.j2

@@ -0,0 +1,86 @@
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: warn
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 4
+  # Extra environment variables to run jobs.
+  envs:
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `deamon`, will use labels in `.runner` file.
+  labels: [
+    "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
+    "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
+    "ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
+  ]
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: ""
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

roles/authentik/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart authentik
+  service: name=authentik state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/authentik/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create authentik group
+  group: name=authentik
+
+- name: Create authentik user
+  user:
+    name: authentik
+    home: /opt/authentik
+    shell: /bin/bash
+    group: authentik
+    groups: docker
+
+- name: Configure authentik container
+  template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
+  notify: Restart authentik
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for authentik
+  template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
+  notify: Restart nginx
+
+- name: Systemd unit for authentik
+  template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
+  notify:
+  - Reload systemd
+  - Restart authentik
+
+- name: Start the authentik service
+  service: name=authentik state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ authentik_domain }}"

roles/authentik/templates/authentik.service.j2

@@ -0,0 +1,28 @@
+[Unit]
+Description=authentik service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=authentik
+Group=authentik
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/authentik
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target

roles/authentik/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ authentik_domain }}:
+- path: /etc/nginx/ssl/{{ authentik_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/authentik/templates/docker-compose.yml.j2

@@ -0,0 +1,75 @@
+---
+version: "3.4"
+services:
+  postgresql:
+    image: docker.io/library/postgres:12-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - ./database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: {{ authentik_dbpass }}
+      POSTGRES_USER: {{ authentik_dbuser }}
+      POSTGRES_DB: {{ authentik_dbname }}
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - ./redis:/data
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+    ports:
+      - "127.0.0.1:9000:9000"
+    depends_on:
+      - postgresql
+      - redis
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
+      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
+      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
+      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
+    depends_on:
+      - postgresql
+      - redis

roles/authentik/templates/vhost.j2

@@ -0,0 +1,41 @@
+map $http_upgrade $connection_upgrade {
+	default	upgrade;
+	''	close;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ authentik_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ authentik_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ authentik_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
+
+	location / {
+		proxy_pass http://localhost:9000;
+		proxy_http_version 1.1;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+	}
+}

roles/bk_dss/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 
 dss_uwsgi_port: 5001
-dss_version: 0.8.4
+dss_version: 0.8.5

roles/bk_dss/tasks/main.yml

@@ -44,3 +44,8 @@
 - name: Enable vhosts
   file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
   notify: Restart nginx
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ dss_domain }}"

roles/bk_dss/templates/config.cfg.j2

@@ -1,12 +1,14 @@
 DEBUG = True
+REMEMBER_COOKIE_SECURE = True
 SECRET_KEY = "{{ dss_secret }}"
+SESSION_COOKIE_SECURE = True
 SESSION_TIMEOUT = 3600
 
 LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
 LDAP_URI = "{{ ldap_uri }}"
 LDAP_BASE = "{{ ldap_base }}"
 
-ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
+ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
 
 USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
 
@@ -28,7 +30,7 @@ USER_ATTRS = {
 	'userPassword' : '{pass}'
 }
 
-GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
+GROUP_FILTER = "(objectClass=posixGroup)"
 
 REDIS_HOST = "127.0.0.1"
 REDIS_PASSWD = None

roles/common/defaults/main.yml

@@ -6,3 +6,6 @@ logrotate_excludes:
 - "/etc/logrotate.d/dbconfig-common"
 - "/etc/logrotate.d/btmp"
 - "/etc/logrotate.d/wtmp"
+
+sshd_password_authentication: "no"
+sshd_permit_root_login: "prohibit-password"

roles/common/files/50-virtio-kernel-names.link

@@ -1,10 +0,0 @@
-# udev 226 introduced predictable interface names for virtio;
-# disable this for upgrades. You can remove this file if you update your
-# network configuration to move to the ens* names instead.
-# See /usr/share/doc/udev/README.Debian.gz for details about predictable
-# network interface names.
-[Match]
-Driver=virtio_net
-
-[Link]
-NamePolicy=onboard kernel

roles/common/files/99-default.link

@@ -1,6 +0,0 @@
-# This machine is most likely a virtualized guest, where the old persistent
-# network interface mechanism (75-persistent-net-generator.rules) did not work.
-# This file disables /lib/systemd/network/99-default.link to avoid
-# changing network interface names on upgrade. Please read
-# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
-# supported mechanism.

roles/common/handlers/main.yml

@@ -1,7 +1,16 @@
 ---
 
+- name: Restart chrony
+  service: name=chrony state=restarted
+
 - name: Restart journald
   service: name=systemd-journald state=restarted
 
+- name: Restart sshd
+  service: name=sshd state=restarted
+
+- name: update-grub
+  command: update-grub
+
 - name: update-initramfs
   command: update-initramfs -u -k all

roles/common/tasks/Debian.yml

@@ -3,7 +3,10 @@
 - name: Install misc software
   apt:
     name:
+    - apt-transport-https
     - dnsutils
+    - fdisk
+    - gnupg2
     - htop
     - less
     - net-tools
@@ -13,6 +16,7 @@
     - rsync
     - sudo
     - vim-nox
+    - wget
     - zsh
 
 - name: Install software on KVM VMs
@@ -26,35 +30,32 @@
   copy: src={{ item.src }} dest={{ item.dest }}
   diff: no
   with_items:
-  - { src: '.zshrc', dest: '/root/.zshrc' }
-  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
-  - { src: 'motd', dest: '/etc/motd' }
-  - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
+  - { src: ".zshrc", dest: "/root/.zshrc" }
+  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+  - { src: "motd", dest: "/etc/motd" }
+  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
 
 - name: Set shell for root user
   user: name=root shell=/bin/zsh
 
-- name: Create LDAP client config
-  template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
-
 - name: Disable hibernation/resume
   copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
   notify: update-initramfs
 
-# TODO template /etc/network/interfaces
-
-- name: Fix network interface names
-  copy: src={{ item }} dest=/etc/systemd/network/{{ item }}
-  with_items:
-  - 50-virtio-kernel-names.link
-  - 99-default.link
-  notify: update-initramfs
+- name: Enable serial console on KVM VMs
+  lineinfile:
+    path: "/etc/default/grub"
+    state: "present"
+    regexp: "^#?GRUB_CMDLINE_LINUX=.*"
+    line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
+  notify: update-grub
+  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
 
 - name: Prevent normal users from running su
   lineinfile:
     path: /etc/pam.d/su
-    regexp: '^.*auth\s+required\s+pam_wheel.so$'
-    line: 'auth       required   pam_wheel.so'
+    regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
+    line: "auth       required   pam_wheel.so"
 
 - name: Configure journald retention
   lineinfile:
@@ -89,16 +90,25 @@
   set_fact:
     logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
 
-- name: 'Set logrotate.d/* to daily'
+- name: "Set logrotate.d/* to daily"
   replace:
     path: "{{ item }}"
     regexp: "(?:weekly|monthly)"
     replace: "daily"
   loop: "{{ logrotateconfigpaths }}"
 
-- name: 'Set /etc/logrotate.d/* rotation to 7'
+- name: "Set /etc/logrotate.d/* rotation to 7"
   replace:
     path: "{{ item }}"
     regexp: "rotate [0-9]+"
     replace: "rotate 7"
   loop: "{{ logrotateconfigpaths }}"
+
+- name: Configure sshd
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart sshd

roles/common/tasks/FreeBSD.yml

@@ -1,14 +0,0 @@
----
-
-- name: Install misc software
-  pkgng:
-    name:
-    - vim-lite
-    - htop
-    - zsh
-
-- name: Configure misc software
-  copy: src={{ item.src }} dest={{ item.dest }}
-  with_items:
-  - { src: '.zshrc', dest: '/root/.zshrc' }
-  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }

roles/common/tasks/Proxmox.yml

@@ -13,11 +13,12 @@
 
 - name: Configure misc software
   copy: src={{ item.src }} dest={{ item.dest }}
+  diff: no
   with_items:
-  - { src: '.zshrc', dest: '/root/.zshrc' }
-  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
-  - { src: 'motd', dest: '/etc/motd' }
-  - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
+  - { src: ".zshrc", dest: "/root/.zshrc" }
+  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+  - { src: "motd", dest: "/etc/motd" }
+  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
 
 - name: Set shell for root user
   user: name=root shell=/bin/zsh

roles/common/tasks/chrony.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Install chrony
+  apt: name=chrony
+
+- name: Configure chrony
+  template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
+  notify: Restart chrony

roles/common/tasks/main.yml

@@ -2,21 +2,20 @@
 
 - name: Cleanup
   apt: autoclean=yes
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == "Debian"
 
 - name: Gather package facts
   package_facts:
     manager: apt
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == "Debian"
 
 - name: Proxmox
   include: Proxmox.yml
-  when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
+  when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
 
 - name: Debian
   include: Debian.yml
-  when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
+  when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
 
-- name: FreeBSD
-  include: FreeBSD.yml
-  when: ansible_distribution == 'FreeBSD'
+- name: Setup chrony
+  include: chrony.yml

roles/common/templates/chrony.conf.j2

@@ -0,0 +1,52 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
+{% for srv in ntp_servers %}
+server {{ srv }} iburst
+{% endfor %}
+{% if ntp_peers is defined %}
+
+{% for peer in ntp_peers %}
+peer {{ peer }}
+{% endfor %}
+{% endif %}
+
+{% if ntp_server is defined and ntp_server is true %}
+allow 172.23.0.0/16
+{% endif -%}
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC

roles/common/templates/ldap.conf.j2

@@ -1,19 +0,0 @@
-#
-# LDAP Defaults
-#
-
-# See ldap.conf(5) for details
-# This file should be world readable but not world writable.
-
-BASE	{{ ldap_base }}
-URI	{{ ldap_uri }}
-
-#SIZELIMIT	12
-#TIMELIMIT	15
-#DEREF		never
-
-# TLS certificates (needed for GnuTLS)
-TLS_REQCERT demand
-TLS_CACERTDIR /etc/ssl/certs
-TLS_CACERT /etc/ssl/certs/ca-certificates.crt
-

roles/common/templates/sshd_config.j2

@@ -0,0 +1,132 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin {{ sshd_permit_root_login }}
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
+AuthorizedKeysCommand {{ sshd_authkeys_command }}
+{%   if sshd_authkeys_user is defined and sshd_authkeys_user %}
+AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
+{%   else %}
+AuthorizedKeysCommandUser nobody
+{%   endif %}
+{% else %}
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+{% endif %}
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ sshd_password_authentication }}
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

roles/coturn/handlers/main.yml

@@ -1,4 +1,10 @@
 ---
 
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
 - name: Restart coturn
   service: name=coturn state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr

roles/coturn/meta/main.yml

@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- { role: acertmgr }

roles/coturn/tasks/main.yml

@@ -3,6 +3,28 @@
 - name: Install coturn
   apt: name=coturn
 
+- name: Create coturn service override directory
+  file: path=/etc/systemd/system/coturn.service.d state=directory
+
+- name: Configure coturn service override
+  template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
+  notify:
+  - Reload systemd
+  - Restart coturn
+
+- name: Create gitea directories
+  file: path={{ item }} state=directory owner=turnserver
+  with_items:
+  - /etc/turnserver
+  - /etc/turnserver/certs
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
+
+- name: Configure certificate manager
+  template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
+  notify: Run acertmgr
+
 - name: Configure coturn
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:

roles/coturn/templates/certs.j2

@@ -0,0 +1,15 @@
+---
+
+{{ coturn_realm }}:
+- path: /etc/turnserver/certs/{{ coturn_realm }}.key
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service coturn restart'
+- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
+  user: turnserver
+  group: turnserver
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service coturn restart'

roles/coturn/templates/coturn.override.j2

@@ -0,0 +1,2 @@
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE

roles/coturn/templates/turnserver.conf.j2

@@ -1,52 +1,60 @@
 # Coturn TURN SERVER configuration file
 #
-# Boolean values note: where boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', 'f' as 'false, 
-# and you can use '1', 'on', 'yes', 'true', 't' as 'true' 
-# If the value is missed, then it means 'true'.
+# Boolean values note: where a boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
+# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
+# If the value is missing, then it means 'true' by default.
 #
 
 # Listener interface device (optional, Linux only).
-# NOT RECOMMENDED. 
+# NOT RECOMMENDED.
 #
 #listening-device=eth0
 
 # TURN listener port for UDP and TCP (Default: 3478).
-# Note: actually, TLS & DTLS sessions can connect to the 
+# Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
-#listening-port=3478
+listening-port=443
 
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
-# port(s), too - if allowed by configuration. The TURN server 
+# port(s), too - if allowed by configuration. The TURN server
 # "automatically" recognizes the type of traffic. Actually, two listening
 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
-# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
-# For secure TCP connections, we currently support SSL version 3 and 
+# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, Coturn currently supports
 # TLS version 1.0, 1.1 and 1.2.
-# For secure UDP connections, we support DTLS version 1.
+# For secure UDP connections, Coturn supports DTLS version 1.
 #
-#tls-listening-port=5349
+tls-listening-port=443
 
 # Alternative listening port for UDP and TCP listeners;
-# default (or zero) value means "listening port plus one". 
+# default (or zero) value means "listening port plus one".
 # This is needed for RFC 5780 support
-# (STUN extension specs, NAT behavior discovery). The TURN Server 
-# supports RFC 5780 only if it is started with more than one 
+# (STUN extension specs, NAT behavior discovery). The TURN Server
+# supports RFC 5780 only if it is started with more than one
 # listening IP address of the same family (IPv4 or IPv6).
 # RFC 5780 is supported only by UDP protocol, other protocols
 # are listening to that endpoint only for "symmetry".
 #
 #alt-listening-port=0
-							 
+
 # Alternative listening port for TLS and DTLS protocols.
 # Default (or zero) value means "TLS listening port plus one".
 #
 #alt-tls-listening-port=0
-	
+
+# Some network setups will require using a TCP reverse proxy in front
+# of the STUN server. If the proxy port option is set a single listener
+# is started on the given port that accepts connections using the
+# haproxy proxy protocol v2.
+# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
+#
+#tcp-proxy-port=5555
+
 # Listener IP address of relay server. Multiple listeners can be specified.
-# If no IP(s) specified in the config file or in the command line options, 
+# If no IP(s) specified in the config file or in the command line options,
 # then all IPv4 and IPv6 system IPs will be used for listening.
 #
 #listening-ip=172.17.19.101
@@ -61,7 +69,7 @@
 # they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
 #
 # 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
-# 
+#
 # Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
 #
 # There may be multiple aux-server options, each will be used for listening
@@ -73,7 +81,7 @@
 # (recommended for older Linuxes only)
 # Automatically balance UDP traffic over auxiliary servers (if configured).
 # The load balancing is using the ALTERNATE-SERVER mechanism.
-# The TURN client must support 300 ALTERNATE-SERVER response for this 
+# The TURN client must support 300 ALTERNATE-SERVER response for this
 # functionality.
 #
 #udp-self-balance
@@ -83,13 +91,13 @@
 #
 #relay-device=eth1
 
-# Relay address (the local IP address that will be used to relay the 
+# Relay address (the local IP address that will be used to relay the
 # packets to the peer).
 # Multiple relay addresses may be used.
 # The same IP(s) can be used as both listening IP(s) and relay IP(s).
 #
 # If no relay IP(s) specified, then the turnserver will apply the default
-# policy: it will decide itself which relay addresses to be used, and it 
+# policy: it will decide itself which relay addresses to be used, and it
 # will always be using the client socket IP address as the relay IP address
 # of the TURN session (if the requested relay address family is the same
 # as the family of the client socket).
@@ -112,12 +120,15 @@
 # that option must be used several times, each entry must
 # have form "-X <public-ip/private-ip>", to map all involved addresses.
 # RFC5780 NAT discovery STUN functionality will work correctly,
-# if the addresses are mapped properly, even when the TURN server itself 
+# if the addresses are mapped properly, even when the TURN server itself
 # is behind A NAT.
 #
 # By default, this value is empty, and no address mapping is used.
 #
-#external-ip=60.70.80.91
+external-ip={{ ansible_default_ipv4.address }}
+{% if ansible_default_ipv6.address is defined %}
+external-ip={{ ansible_default_ipv6.address }}
+{% endif %}
 #
 #OR:
 #
@@ -127,18 +138,18 @@
 
 # Number of the relay threads to handle the established connections
 # (in addition to authentication thread and the listener thread).
-# If explicitly set to 0 then application runs relay process in a 
-# single thread, in the same thread with the listener process 
+# If explicitly set to 0 then application runs relay process in a
+# single thread, in the same thread with the listener process
 # (the authentication thread will still be a separate thread).
 #
-# If this parameter is not set, then the default OS-dependent 
+# If this parameter is not set, then the default OS-dependent
 # thread pattern algorithm will be employed. Usually the default
-# algorithm is the most optimal, so you have to change this option
-# only if you want to make some fine tweaks. 
+# algorithm is optimal, so you have to change this option
+# if you want to make some fine tweaks.
 #
 # In the older systems (Linux kernel before 3.9),
 # the number of UDP threads is always one thread per network listening
-# endpoint - including the auxiliary endpoints - unless 0 (zero) or 
+# endpoint - including the auxiliary endpoints - unless 0 (zero) or
 # 1 (one) value is set.
 #
 #relay-threads=0
@@ -148,15 +159,15 @@
 #
 #min-port=49152
 #max-port=65535
-	
+
 # Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
 # By default the verbose mode is off.
 #verbose
-	
+
 # Uncomment to run TURN server in 'extra' verbose mode.
 # This mode is very annoying and produces lots of output.
-# Not recommended under any normal circumstances.
-#	
+# Not recommended under normal circumstances.
+#
 #Verbose
 
 # Uncomment to use fingerprints in the TURN messages.
@@ -169,58 +180,69 @@ fingerprint
 #
 #lt-cred-mech
 
-# This option is opposite to lt-cred-mech. 
+# This option is the opposite of lt-cred-mech.
 # (TURN Server with no-auth option allows anonymous access).
 # If neither option is defined, and no users are defined,
-# then no-auth is default. If at least one user is defined, 
-# in this file or in command line or in usersdb file, then
+# then no-auth is default. If at least one user is defined,
+# in this file, in command line or in usersdb file, then
 # lt-cred-mech is default.
 #
 #no-auth
 
+# Enable prometheus exporter
+# If enabled the turnserver will expose an endpoint with stats on a prometheus format
+# this endpoint is listening on a different port to not conflict with other configurations.
+#
+# You can simply run the turnserver and access the port 9641 and path /metrics
+#
+# For mor info on the prometheus exporter and metrics
+# https://prometheus.io/docs/introduction/overview/
+# https://prometheus.io/docs/concepts/data_model/
+#
+#prometheus
+
 # TURN REST API flag.
 # (Time Limited Long Term Credential)
 # Flag that sets a special authorization option that is based upon authentication secret.
 #
 # This feature's purpose is to support "TURN Server REST API", see
-# "TURN REST API" link in the project's page 
+# "TURN REST API" link in the project's page
 # https://github.com/coturn/coturn/
 #
 # This option is used with timestamp:
-# 
+#
 # usercombo -> "timestamp:userid"
 # turn user -> usercombo
 # turn password -> base64(hmac(secret key, usercombo))
 #
 # This allows TURN credentials to be accounted for a specific user id.
-# If you don't have a suitable id, the timestamp alone can be used.
-# This option is just turning on secret-based authentication.
-# The actual value of the secret is defined either by option static-auth-secret,
+# If you don't have a suitable id, then the timestamp alone can be used.
+# This option is enabled by turning on secret-based authentication.
+# The actual value of the secret is defined either by the option static-auth-secret,
 # or can be found in the turn_secret table in the database (see below).
-# 
+#
 # Read more about it:
 #  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
 #  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
 #
-# Be aware that use-auth-secret overrides some part of lt-cred-mech.
-# Notice that this feature depends internally on lt-cred-mech, so if you set
-# use-auth-secret then it enables internally automatically lt-cred-mech option
-# like if you enable both.
+# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
+# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
+# this option then it automatically enables lt-cred-mech internally
+# as if you had enabled both.
 #
-# You can use only one of the to auth mechanisms in the same time because,
-# both mechanism use the username and password validation in different way.
+# Note that you can use only one auth mechanism at the same time! This is because,
+# both mechanisms conduct username and password validation in different ways.
 #
-# This way be aware that you can't use both auth mechnaism in the same time!
-# Use in config either the lt-cred-mech or the use-auth-secret
+# Use either lt-cred-mech or use-auth-secret in the conf
 # to avoid any confusion.
 #
 use-auth-secret
 
-# 'Static' authentication secret value (a string) for TURN REST API only. 
+# 'Static' authentication secret value (a string) for TURN REST API only.
 # If not set, then the turn server
-# will try to use the 'dynamic' value in turn_secret table
-# in user database (if present). The database-stored  value can be changed on-the-fly
-# by a separate program, so this is why that other mode is 'dynamic'.
+# will try to use the 'dynamic' value in the turn_secret table
+# in the user database (if present). The database-stored  value can be changed on-the-fly
+# by a separate program, so this is why that mode is considered 'dynamic'.
 #
 static-auth-secret={{ coturn_secret }}
 
@@ -234,10 +256,10 @@ static-auth-secret={{ coturn_secret }}
 #
 #oauth
 
-# 'Static' user accounts for long term credentials mechanism, only.
+# 'Static' user accounts for the long term credentials mechanism, only.
 # This option cannot be used with TURN REST API.
-# 'Static' user accounts are NOT dynamically checked by the turnserver process, 
-# so that they can NOT be changed while the turnserver is running.
+# 'Static' user accounts are NOT dynamically checked by the turnserver process,
+# so they can NOT be changed while the turnserver is running.
 #
 #user=username1:key1
 #user=username2:key2
@@ -255,7 +277,7 @@ static-auth-secret={{ coturn_secret }}
 # password. If it has 0x then it is a key, otherwise it is a password).
 #
 # The corresponding user account entry in the config file will be:
-# 
+#
 #user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
 # Or, equivalently, with open clear password (less secure):
 #user=ninefingers:youhavetoberealistic
@@ -263,83 +285,83 @@ static-auth-secret={{ coturn_secret }}
 
 # SQLite database file name.
 #
-# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
 # /var/lib/turn/turndb.
-# 
+#
 #userdb=/var/db/turndb
 
-# PostgreSQL database connection string in the case that we are using PostgreSQL
+# PostgreSQL database connection string in the case that you are using PostgreSQL
 # as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
 # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
-# versions connection string format, see 
+# versions connection string format, see
 # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
 # for 9.x and newer connection string formats.
 #
 #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
 
-# MySQL database connection string in the case that we are using MySQL
+# MySQL database connection string in the case that you are using MySQL
 # as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
 #
-# Optional connection string parameters for the secure communications (SSL): 
-# ca, capath, cert, key, cipher 
-# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the 
+# Optional connection string parameters for the secure communications (SSL):
+# ca, capath, cert, key, cipher
+# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
 # command options description).
 #
-# Use string format as below (space separated parameters, all optional):
+# Use the string format below (space separated parameters, all optional):
 #
 #mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
 
-# If you want to use in the MySQL connection string the password in encrypted format,
-# then set in this option the MySQL password encryption secret key file.
+# If you want to use an encrypted password in the MySQL connection string,
+# then set the MySQL password encryption secret key file with this option.
 #
-# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format! 
-# If you want to use cleartext password then do not set this option!
+# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
+# If you want to use a cleartext password then do not set this option!
 #
-# This is the file path which contain secret key of aes encryption while using password encryption.
+# This is the file path for the aes encrypted secret key used for password encryption.
 #
 #secret-key-file=/path/
 
-# MongoDB database connection string in the case that we are using MongoDB
+# MongoDB database connection string in the case that you are using MongoDB
 # as the user database.
 # This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
-# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
 #
 #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
 
-# Redis database connection string in the case that we are using Redis
+# Redis database connection string in the case that you are using Redis
 # as the user database.
 # This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
-# Use string format as below (space separated parameters, all optional):
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format below (space separated parameters, all optional):
 #
 #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 
 # Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
 # This database keeps allocations status information, and it can be also used for publishing
 # and delivering traffic and allocation event notifications.
-# The connection string has the same parameters as redis-userdb connection string. 
-# Use string format as below (space separated parameters, all optional):
+# The connection string has the same parameters as redis-userdb connection string.
+# Use the string format below (space separated parameters, all optional):
 #
 #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 
-# The default realm to be used for the users when no explicit 
-# origin/realm relationship was found in the database, or if the TURN
+# The default realm to be used for the users when no explicit
+# origin/realm relationship is found in the database, or if the TURN
 # server is not using any database (just the commands-line settings
-# and the userdb file). Must be used with long-term credentials 
+# and the userdb file). Must be used with long-term credentials
 # mechanism or with TURN REST API.
 #
-# Note: If default realm is not specified at all, then realm falls back to the host domain name.
-#       If domain name is empty string, or '(None)', then it is initialized to am empty string.
+# Note: If the default realm is not specified, then realm falls back to the host domain name.
+#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
 #
 realm={{ coturn_realm }}
 
-# The flag that sets the origin consistency 
-# check: across the session, all requests must have the same
+# This flag sets the origin consistency
+# check. Across the session, all requests must have the same
 # main ORIGIN attribute value (if the ORIGIN was
 # initially used by the session).
 #
@@ -359,7 +381,7 @@ realm={{ coturn_realm }}
 
 # Max bytes-per-second bandwidth a TURN session is allowed to handle
 # (input and output network streams are treated separately). Anything above
-# that limit will be dropped or temporary suppressed (within
+# that limit will be dropped or temporarily suppressed (within
 # the available buffer limits).
 # This option can also be set through the database, for a particular realm.
 #
@@ -380,17 +402,17 @@ realm={{ coturn_realm }}
 # Uncomment if no TCP client listener is desired.
 # By default TCP client listener is always started.
 #
-no-tcp
+#no-tcp
 
 # Uncomment if no TLS client listener is desired.
 # By default TLS client listener is always started.
 #
-no-tls
+#no-tls
 
 # Uncomment if no DTLS client listener is desired.
 # By default DTLS client listener is always started.
 #
-no-dtls
+#no-dtls
 
 # Uncomment if no UDP relay endpoints are allowed.
 # By default UDP relay endpoints are enabled (like in RFC 5766).
@@ -403,11 +425,11 @@ no-dtls
 #no-tcp-relay
 
 # Uncomment if extra security is desired,
-# with nonce value having limited lifetime.
-# By default, the nonce value is unique for a session,
-# and has unlimited lifetime. 
-# Set this option to limit the nonce lifetime. 
-# It defaults to 600 secs (10 min) if no value is provided. After that delay, 
+# with nonce value having a limited lifetime.
+# The nonce value is unique for a session.
+# Set this option to limit the nonce lifetime.
+# Set it to 0 for unlimited lifetime.
+# It defaults to 600 secs (10 min) if no value is provided. After that delay,
 # the client will get 438 error and will have to re-authenticate itself.
 #
 #stale-nonce=600
@@ -433,13 +455,14 @@ no-dtls
 #permission-lifetime=300
 
 # Certificate file.
-# Use an absolute path or path relative to the 
+# Use an absolute path or path relative to the
 # configuration file.
+# Use PEM file format.
 #
 #cert=/usr/local/etc/turn_server_cert.pem
 
 # Private key file.
-# Use an absolute path or path relative to the 
+# Use an absolute path or path relative to the
 # configuration file.
 # Use PEM file format.
 #
@@ -455,29 +478,29 @@ no-dtls
 #
 #cipher-list="DEFAULT"
 
-# CA file in OpenSSL format. 
+# CA file in OpenSSL format.
 # Forces TURN server to verify the client SSL certificates.
-# By default it is not set: there is no default value and the client
+# By default this is not set: there is no default value and the client
 # certificate is not checked.
 #
 # Example:
 #CA-file=/etc/ssh/id_rsa.cert
 
-# Curve name for EC ciphers, if supported by OpenSSL 
-# library (TLS and DTLS). The default value is prime256v1, 
+# Curve name for EC ciphers, if supported by OpenSSL
+# library (TLS and DTLS). The default value is prime256v1,
 # if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
 # an optimal curve will be automatically calculated, if not defined
 # by this option.
 #
 #ec-curve-name=prime256v1
 
-# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
+# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
 #
 #dh566
 
-# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
+# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
 #
-#dh2066
+#dh1066
 
 # Use custom DH TLS key, stored in PEM format in the file.
 # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
@@ -485,21 +508,21 @@ no-dtls
 #dh-file=<DH-PEM-file-name>
 
 # Flag to prevent stdout log messages.
-# By default, all log messages are going to both stdout and to 
-# the configured log file. With this option everything will be 
-# going to the configured log only (unless the log file itself is stdout).
+# By default, all log messages go to both stdout and to
+# the configured log file. With this option everything will
+# go to the configured log only (unless the log file itself is stdout).
 #
 #no-stdout-log
 
 # Option to set the log file name.
-# By default, the turnserver tries to open a log file in 
-# /var/log, /var/tmp, /tmp and current directories directories
-# (which open operation succeeds first that file will be used).
+# By default, the turnserver tries to open a log file in
+# /var/log, /var/tmp, /tmp and the current directory
+# (Whichever file open operation succeeds first will be used).
 # With this option you can set the definite log file name.
-# The special names are "stdout" and "-" - they will force everything 
+# The special names are "stdout" and "-" - they will force everything
 # to the stdout. Also, the "syslog" name will force everything to
-# the system log (syslog). 
-# In the runtime, the logfile can be reset with the SIGHUP signal 
+# the system log (syslog).
+# In the runtime, the logfile can be reset with the SIGHUP signal
 # to the turnserver process.
 #
 #log-file=/var/tmp/turn.log
@@ -514,41 +537,51 @@ syslog
 #
 #simple-log
 
+# Enable full ISO-8601 timestamp in all logs.
+#new-log-timestamp
+
+# Set timestamp format (in strftime(1) format)
+#new-log-timestamp-format "%FT%T%z"
+
+# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
+# Enable binding logging and UDP endpoint logs in verbose log mode.
+#log-binding
+
 # Option to set the "redirection" mode. The value of this option
-# will be the address of the alternate server for UDP & TCP service in form of 
+# will be the address of the alternate server for UDP & TCP service in the form of
 # <ip>[:<port>]. The server will send this value in the attribute
 # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
 # Client will receive only values with the same address family
-# as the client network endpoint address family. 
-# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description. 
+# as the client network endpoint address family.
+# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
 # The client must use the obtained value for subsequent TURN communications.
-# If more than one --alternate-server options are provided, then the functionality
-# can be more accurately described as "load-balancing" than a mere "redirection". 
-# If the port number is omitted, then the default port 
+# If more than one --alternate-server option is provided, then the functionality
+# can be more accurately described as "load-balancing" than a mere "redirection".
+# If the port number is omitted, then the default port
 # number 3478 for the UDP/TCP protocols will be used.
-# Colon (:) characters in IPv6 addresses may conflict with the syntax of 
-# the option. To alleviate this conflict, literal IPv6 addresses are enclosed 
-# in square brackets in such resource identifiers, for example: 
-# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . 
+# Colon (:) characters in IPv6 addresses may conflict with the syntax of
+# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
+# in square brackets in such resource identifiers, for example:
+# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
 # Multiple alternate servers can be set. They will be used in the
-# round-robin manner. All servers in the pool are considered of equal weight and 
-# the load will be distributed equally. For example, if we have 4 alternate servers, 
-# then each server will receive 25% of ALLOCATE requests. A alternate TURN server 
-# address can be used more than one time with the alternate-server option, so this 
+# round-robin manner. All servers in the pool are considered of equal weight and
+# the load will be distributed equally. For example, if you have 4 alternate servers,
+# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
+# address can be used more than one time with the alternate-server option, so this
 # can emulate "weighting" of the servers.
 #
-# Examples: 
+# Examples:
 #alternate-server=1.2.3.4:5678
 #alternate-server=11.22.33.44:56789
 #alternate-server=5.6.7.8
 #alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
-			
-# Option to set alternative server for TLS & DTLS services in form of 
-# <ip>:<port>. If the port number is omitted, then the default port 
-# number 5349 for the TLS/DTLS protocols will be used. See the previous 
+
+# Option to set alternative server for TLS & DTLS services in form of
+# <ip>:<port>. If the port number is omitted, then the default port
+# number 5349 for the TLS/DTLS protocols will be used. See the previous
 # option for the functionality description.
 #
-# Examples: 
+# Examples:
 #tls-alternate-server=1.2.3.4:5678
 #tls-alternate-server=11.22.33.44:56789
 #tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
@@ -559,6 +592,15 @@ syslog
 #
 #stun-only
 
+# Option to hide software version. Enhance security when used in production.
+# Revealing the specific software version of the agent through the
+# SOFTWARE attribute might allow them to become more vulnerable to
+# attacks against software that is known to contain security holes.
+# Implementers SHOULD make usage of the SOFTWARE attribute a
+# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
+#
+#no-software-attribute
+
 # Option to suppress STUN functionality, only TURN requests will be processed.
 # Run as TURN server only, all STUN requests will be ignored.
 # By default, this option is NOT set.
@@ -567,7 +609,7 @@ syslog
 
 # This is the timestamp/username separator symbol (character) in TURN REST API.
 # The default value is ':'.
-# rest-api-separator=:	
+# rest-api-separator=:
 
 # Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
 # This is an extra security measure.
@@ -575,9 +617,9 @@ syslog
 # (To avoid any security issue that allowing loopback access may raise,
 # the no-loopback-peers option is replaced by allow-loopback-peers.)
 #
-# Allow it only for testing in a development environment! 
-# In production it adds a possible security vulnerability, so for security reasons 
-# it is not allowed using it together with empty cli-password. 
+# Allow it only for testing in a development environment!
+# In production it adds a possible security vulnerability, so for security reasons
+# it is not allowed using it together with empty cli-password.
 #
 #allow-loopback-peers
 
@@ -586,18 +628,18 @@ syslog
 #
 no-multicast-peers
 
-# Option to set the max time, in seconds, allowed for full allocation establishment. 
+# Option to set the max time, in seconds, allowed for full allocation establishment.
 # Default is 60 seconds.
 #
 #max-allocate-timeout=60
 
-# Option to allow or ban specific ip addresses or ranges of ip addresses. 
-# If an ip address is specified as both allowed and denied, then the ip address is 
-# considered to be allowed. This is useful when you wish to ban a range of ip 
+# Option to allow or ban specific ip addresses or ranges of ip addresses.
+# If an ip address is specified as both allowed and denied, then the ip address is
+# considered to be allowed. This is useful when you wish to ban a range of ip
 # addresses, except for a few specific ips within that range.
 #
 # This can be used when you do not want users of the turn server to be able to access
-# machines reachable by the turn server, but would otherwise be unreachable from the 
+# machines reachable by the turn server, but would otherwise be unreachable from the
 # internet (e.g. when the turn server is sitting behind a NAT)
 #
 # Examples:
@@ -619,22 +661,22 @@ no-multicast-peers
 #
 mobility
 
-# Allocate Address Family according 
-# If enabled then TURN server allocates address family according  the TURN 
+# Allocate Address Family according
+# If enabled then TURN server allocates address family according  the TURN
 # Client <=> Server communication address family.
-# (By default coTURN works according RFC 6156.)
+# (By default Coturn works according RFC 6156.)
 # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
 #
 #keep-address-family
 
 
 # User name to run the process. After the initialization, the turnserver process
-# will make an attempt to change the current user ID to that user.
+# will attempt to change the current user ID to that user.
 #
 #proc-user=<user-name>
 
 # Group name to run the process. After the initialization, the turnserver process
-# will make an attempt to change the current group ID to that group.
+# will attempt to change the current group ID to that group.
 #
 #proc-group=<group-name>
 
@@ -654,8 +696,8 @@ mobility
 #cli-port=5766
 
 # CLI access password. Default is empty (no password).
-# For the security reasons, it is recommended to use the encrypted
-# for of the password (see the -P command in the turnadmin utility).
+# For the security reasons, it is recommended that you use the encrypted
+# form of the password (see the -P command in the turnadmin utility).
 #
 # Secure form for password 'qwerty':
 #
@@ -684,10 +726,14 @@ mobility
 #
 #web-admin-listen-on-workers
 
-# Server relay. NON-STANDARD AND DANGEROUS OPTION. 
-# Only for those applications when we want to run 
+#acme-redirect=http://redirectserver/.well-known/acme-challenge/
+# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
+# Default is '', i.e. no special handling for such requests.
+
+# Server relay. NON-STANDARD AND DANGEROUS OPTION.
+# Only for those applications when you want to run
 # server applications on the relay endpoints.
-# This option eliminates the IP permissions check on 
+# This option eliminates the IP permissions check on
 # the packets incoming to the relay endpoints.
 #
 #server-relay
@@ -703,6 +749,6 @@ mobility
 
 # Do not allow an TLS/DTLS version of protocol
 #
-no-tlsv1
-no-tlsv1_1
-no-tlsv1_2
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2

roles/dhcpd/templates/default/isc-dhcp-server.j2

@@ -3,10 +3,12 @@
 #
 
 # Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
-#DHCPD_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
 
 # Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
-#DHCPD_PID=/var/run/dhcpd.pid
+#DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
 
 # Additional options to start dhcpd with.
 #	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
@@ -14,4 +16,6 @@
 
 # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
 #	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
-INTERFACES="eth0"
+INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
+INTERFACESv6=""
+INTERFACES="{{ ansible_default_ipv4['interface'] }}"

roles/dhcpd/templates/dhcp/dhcpd.conf.j2

@@ -3,13 +3,24 @@
 # option definitions common to all supported networks...
 option domain-name "binary.kitchen";
 option domain-name-servers {{ name_servers | join(', ') }};
+option domain-search "binary.kitchen";
 option ntp-servers 172.23.1.60, 172.23.2.3;
 
+# options related to Mitel SIP-DECT
+option space sipdect;
+option local-encapsulation code 43 = encapsulate sipdect;
+option sipdect.ommip1 code 10 = ip-address;
+option sipdect.ommip2 code 19 = ip-address;
+option sipdect.syslogip code 14 = ip-address;
+option sipdect.syslogport code 15 = integer 16;
+option magic_str code 224 = text;
+
 default-lease-time 7200;
 max-lease-time 28800;
 
 # Use this to enble / disable dynamic dns updates globally.
-ddns-update-style none;
+ddns-update-style interim;
+ddns-updates on;
 
 # If this DHCP server is the official DHCP server for the local
 # network, the authoritative directive should be uncommented.
@@ -61,6 +72,8 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
 # Users
 subnet 172.23.3.0 netmask 255.255.255.0 {
   option routers 172.23.3.1;
+  ddns-domainname "users.binary.kitchen";
+  option domain-search "binary.kitchen", "users.binary.kitchen";
   pool {
 {% if dhcpd_failover == true %}
     failover peer "failover-partner";
@@ -80,6 +93,46 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
   }
 }
 
+# Management Auweg
+subnet 172.23.12.0 netmask 255.255.255.0 {
+  option routers 172.23.12.1;
+}
+
+# Services Auweg
+subnet 172.23.13.0 netmask 255.255.255.0 {
+  allow bootp;
+  option routers 172.23.13.1;
+}
+
+# Users Auweg
+subnet 172.23.14.0 netmask 255.255.255.0 {
+  option routers 172.23.14.1;
+  option domain-search "binary.kitchen", "users.binary.kitchen";
+  pool {
+{% if dhcpd_failover == true %}
+    failover peer "failover-partner";
+{% endif %}
+    range 172.23.14.10 172.23.14.230;
+  }
+}
+
+# MQTT Auweg
+subnet 172.23.15.0 netmask 255.255.255.0 {
+  option routers 172.23.15.1;
+  pool {
+{% if dhcpd_failover == true %}
+    failover peer "failover-partner";
+{% endif %}
+    range 172.23.15.10 172.23.15.240;
+  }
+}
+
+# DDNS zones
+
+zone users.binary.kitchen {
+  primary {{ dns_primary }};
+}
+
 
 # Fixed IPs
 
@@ -89,7 +142,7 @@ host ap01 {
 }
 
 host ap04 {
-  hardware ethernet 44:48:c1:ce:90:06;
+  hardware ethernet 74:9e:75:ce:93:54;
   fixed-address ap04.binary.kitchen;
 }
 
@@ -98,34 +151,44 @@ host ap05 {
   fixed-address ap05.binary.kitchen;
 }
 
+host ap06 {
+  hardware ethernet 94:b4:0f:c0:1d:a0;
+  fixed-address ap06.binary.kitchen;
+}
+
+host ap11 {
+  hardware ethernet 18:64:72:c6:c2:0c;
+  fixed-address ap11.binary.kitchen;
+}
+
+host ap12 {
+  hardware ethernet 18:64:72:c6:c4:98;
+  fixed-address ap12.binary.kitchen;
+}
+
 host bowle {
   hardware ethernet ac:1f:6b:25:16:b6;
   fixed-address bowle.binary.kitchen;
 }
 
 host cannelloni {
-  hardware ethernet 00:10:f3:15:88:ac;
+  hardware ethernet b8:27:eb:18:5c:11;
   fixed-address cannelloni.binary.kitchen;
 }
 
-host cashdesk {
-  hardware ethernet 00:0b:ca:94:13:f1;
-  fixed-address cashdesk.binary.kitchen;
-}
-
 host fusilli {
   hardware ethernet b8:27:eb:1d:b9:bf;
   fixed-address fusilli.binary.kitchen;
 }
 
-host garlic {
-  hardware ethernet b8:27:eb:56:2b:7c;
-  fixed-address garlic.binary.kitchen;
+host habdisplay1 {
+  hardware ethernet b8:27:eb:b6:62:be;
+  fixed-address habdisplay1.mqtt.binary.kitchen;
 }
 
-host homer {
-  hardware ethernet b8:27:eb:24:b2:12;
-  fixed-address homer.binary.kitchen;
+host habdisplay2 {
+  hardware ethernet b8:27:eb:df:0b:7b;
+  fixed-address habdisplay2.mqtt.binary.kitchen;
 }
 
 host klopi {
@@ -139,7 +202,7 @@ host lock {
 }
 
 host maccaroni {
-  hardware ethernet b8:27:eb:18:5c:11;
+  hardware ethernet b8:27:eb:f5:9e:a1;
   fixed-address maccaroni.binary.kitchen;
 }
 
@@ -159,22 +222,22 @@ host mpcnc {
 }
 
 host noodlehub {
-  hardware ethernet b8:27:eb:eb:e5:88;
+  hardware ethernet b8:27:eb:56:2b:7c;
   fixed-address noodlehub.binary.kitchen;
 }
 
+host openhabgw1 {
+  hardware ethernet dc:a6:32:bf:e2:3e;
+  fixed-address openhabgw1.mqtt.binary.kitchen;
+}
+
 host pizza {
   hardware ethernet 52:54:00:17:02:21;
   fixed-address pizza.binary.kitchen;
 }
 
-host punsch {
-  hardware ethernet 00:21:85:1b:7f:3d;
-  fixed-address punsch.binary.kitchen;
-}
-
 host spaghetti {
-  hardware ethernet b8:27:eb:e3:e9:f1;
+  hardware ethernet b8:27:eb:eb:e5:88;
   fixed-address spaghetti.binary.kitchen;
 }
 
@@ -217,6 +280,34 @@ host voip04 {
 }
 
 
+# Mitel SIP-DECT
+
+host rfp01 {
+  hardware ethernet 00:30:42:1B:73:5A;
+  fixed-address 172.23.1.111;
+  option host-name "rfp01";
+  option sipdect.ommip1 172.23.2.35;
+  option magic_str = "OpenMobilitySIP-DECT";
+}
+
+host rfp02 {
+  hardware ethernet 00:30:42:21:D4:D5;
+  fixed-address 172.23.1.112;
+  option host-name "rfp02";
+  option sipdect.ommip1 172.23.2.35;
+  option magic_str = "OpenMobilitySIP-DECT";
+}
+
+host rfp11 {
+  hardware ethernet 00:30:42:1B:8B:9B;
+  fixed-address 172.23.12.111;
+  option host-name "rfp11";
+  option sipdect.ommip1 172.23.2.35;
+  option magic_str = "OpenMobilitySIP-DECT";
+}
+
+
+
 # OMAPI
 
 omapi-port 7911;

roles/dns_extern/tasks/main.yml

@@ -5,11 +5,21 @@
     name:
     - pdns-server
     - pdns-backend-sqlite3
+    - sqlite3
 
 - name: Configure powerdns
   template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
   notify: Restart powerdns
 
+- name: Initialize database
+  command:
+    cmd: >
+      sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
+      /var/lib/powerdns/powerdns.sqlite3
+    creates: /var/lib/powerdns/powerdns.sqlite3
+  become: true
+  become_user: pdns
+
 - name: Copy update policy script
   copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
   notify: Restart powerdns

roles/dns_extern/templates/pdns.conf.j2

@@ -1,5 +1,4 @@
-local-address=0.0.0.0
-local-ipv6=::
+local-address=0.0.0.0, ::
 launch=gsqlite3
 gsqlite3-dnssec
 gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
@@ -11,3 +10,4 @@ allow-axfr-ips=127.0.0.1,::1{% if dns_axfr_ips is defined %},{{ dns_axfr_ips | j
 {% endif %}
 allow-dnsupdate-from=0.0.0.0/0,::/0
 lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
+security-poll-suffix=

roles/dns_intern/handlers/main.yml

@@ -5,3 +5,6 @@
   with_items:
    - pdns
    - pdns-recursor
+
+- name: Restart dnsdist
+  service: name=dnsdist state=restarted

roles/dns_intern/tasks/main.yml

@@ -3,8 +3,11 @@
 - name: Install powerdns
   apt:
     name:
+    - dnsdist
+    - pdns-backend-sqlite3
     - pdns-server
     - pdns-recursor
+    - sqlite3
 
 - name: Create zone directory
   file: path=/etc/powerdns/bind/ state=directory
@@ -19,8 +22,28 @@
   - bind/23.172.in-addr.arpa.zone
   - bind/binary.kitchen.zone
 
+- name: Initialize database
+  command:
+    cmd: >
+      sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
+      /var/lib/powerdns/pdns.sqlite3
+    creates: /var/lib/powerdns/pdns.sqlite3
+  become: true
+  become_user: pdns
+
+# TODO
+# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
+
+# TODO
+# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
+
+- name: Configure dnsdist
+  template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
+  notify: Restart dnsdist
+
 - name: Start the powerdns services
   service: name={{ item }} state=started enabled=yes
   with_items:
+  - dnsdist
   - pdns
   - pdns-recursor

roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2

@@ -1,52 +1,57 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
-@				IN	SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
-					2020051101; serial
+@				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
+					2024030100; serial
 					1d; refresh
 					2h; retry
 					4w; expire
 					1h; minimum time-to-live
 				)
-				IN	NS	ns.binary.kitchen.
+				IN	NS	ns1.binary.kitchen.
+				IN	NS	ns2.binary.kitchen.
 ; Loopback
 1.0				IN	PTR	core.binary.kitchen.
 2.0				IN	PTR	erx-bk.binary.kitchen.
 3.0				IN	PTR	erx-rz.binary.kitchen.
-4.0				IN	PTR	pf-bk.binary.kitchen.
-5.0				IN	PTR	pf-rz.binary.kitchen.
+4.0				IN	PTR	erx-auweg.binary.kitchen.
 ; Management
 1.1				IN	PTR	v2301.core.binary.kitchen.
 11.1				IN	PTR	ups1.binary.kitchen.
 21.1				IN	PTR	pdu1.binary.kitchen.
 22.1				IN	PTR	pdu2.binary.kitchen.
 23.1				IN	PTR	pdu3.binary.kitchen.
-31.1				IN	PTR	sw01.binary.kitchen.
-32.1				IN	PTR	sw02.binary.kitchen.
-33.1				IN	PTR	sw03.binary.kitchen.
+31.1				IN	PTR	sw-butchery.binary.kitchen.
+32.1				IN	PTR	sw-mini.binary.kitchen.
+33.1				IN	PTR	sw-rack.binary.kitchen.
 41.1				IN	PTR	ap01.binary.kitchen.
 42.1				IN	PTR	ap02.binary.kitchen.
-43.1				IN	PTR	ap03.binary.kitchen.
 44.1				IN	PTR	ap04.binary.kitchen.
 45.1				IN	PTR	ap05.binary.kitchen.
+46.1				IN	PTR	ap06.binary.kitchen.
 51.1				IN	PTR	modem.binary.kitchen.
 60.1				IN	PTR	wurst.binary.kitchen.
 80.1				IN	PTR	wurst-bmc.binary.kitchen.
 82.1				IN	PTR	bowle-bmc.binary.kitchen.
 101.1				IN	PTR	nbe-w13b.binary.kitchen.
 102.1				IN	PTR	nbe-tr8.binary.kitchen.
+111.1				IN	PTR	rfp01.binary.kitchen.
+112.1				IN	PTR	rfp02.binary.kitchen.
 ; Services
 1.2				IN	PTR	v2302.core.binary.kitchen.
-2.2				IN	PTR	ns.binary.kitchen.
 3.2				IN	PTR	bacon.binary.kitchen.
 4.2				IN	PTR	aveta.binary.kitchen.
 5.2				IN	PTR	sulis.binary.kitchen.
 6.2				IN	PTR	nabia.binary.kitchen.
-11.2				IN	PTR	homer.binary.kitchen.
+7.2				IN	PTR	epona.binary.kitchen.
 12.2				IN	PTR	lock.binary.kitchen.
 13.2				IN	PTR	matrix.binary.kitchen.
 33.2				IN	PTR	pizza.binary.kitchen.
+34.2				IN	PTR	pancake.binary.kitchen.
+35.2				IN	PTR	knoedel.binary.kitchen.
 36.2				IN	PTR	schweinshaxn.binary.kitchen.
-44.2				IN	PTR	cashdesk.binary.kitchen.
+37.2				IN	PTR	bob.binary.kitchen.
+38.2				IN	PTR	lasagne.binary.kitchen.
+39.2				IN	PTR	tschunk.binary.kitchen.
 62.2				IN	PTR	bowle.binary.kitchen.
 91.2				IN	PTR	strammermax.binary.kitchen.
 92.2				IN	PTR	obatzda.binary.kitchen.
@@ -56,32 +61,48 @@ $GENERATE 10-230 $.3		IN	PTR	dhcp-${0,3,d}-03.binary.kitchen.
 240.3				IN	PTR	fusilli.binary.kitchen.
 241.3				IN	PTR	klopi.binary.kitchen.
 242.3				IN	PTR	mpcnc.binary.kitchen.
-243.3				IN	PTR	garlic.binary.kitchen.
 244.3				IN	PTR	mirror.binary.kitchen.
 245.3				IN	PTR	spaghetti.binary.kitchen.
 246.3				IN	PTR	maccaroni.binary.kitchen.
-247.3				IN	PTR	pve02-bmc.tmp.binary.kitchen.
-248.3				IN	PTR	pve02.tmp.binary.kitchen.
-249.3				IN	PTR	ffrgb.binary.kitchen.
 250.3				IN	PTR	cannelloni.binary.kitchen.
 251.3				IN	PTR	noodlehub.binary.kitchen.
 ; MQTT
 1.4				IN	PTR	v2304.core.binary.kitchen.
 6.4				IN	PTR	pizza.mqtt.binary.kitchen.
+7.4				IN	PTR	lasagne.mqtt.binary.kitchen.
 $GENERATE 10-240 $.4		IN	PTR	dhcp-${0,3,d}-04.binary.kitchen.
+241.4				IN	PTR	habdisplay1.mqtt.binary.kitchen.
+242.4				IN	PTR	habdisplay2.mqtt.binary.kitchen.
+245.4				IN	PTR	logo1.mqtt.binary.kitchen.
+246.4				IN	PTR	logo2.mqtt.binary.kitchen.
+250.4				IN	PTR	moodlights1.mqtt.binary.kitchen.
+251.4				IN	PTR	openhabgw1.mqtt.binary.kitchen.
+252.4				IN	PTR	homematic-ccu2.mqtt.binary.kitchen.
 ; Management RZ
 1.9				IN	PTR	switch0.erx-rz.binary.kitchen.
 61.9				IN	PTR	salat.binary.kitchen.
 81.9				IN	PTR	salat-bmc.binary.kitchen.
 ; Services RZ
-23.8				IN	PTR	cernunnos.binary.kitchen.
 ; VPN RZ (ER-X)
-1.10				IN	PTR	wg1.erx-rz.binary.kitchen.
+1.10				IN	PTR	wg0.erx-rz.binary.kitchen.
 $GENERATE 2-254 $.10		IN	PTR	vpn-${0,3,d}-10.binary.kitchen.
-; VPN RZ (pf)
-$GENERATE 2-254 $.11		IN	PTR	vpn-${0,3,d}-11.binary.kitchen.
+; Management Auweg
+31.12				IN	PTR	sw-auweg.binary.kitchen.
+41.12				IN	PTR	ap11.binary.kitchen.
+42.12				IN	PTR	ap12.binary.kitchen.
+61.12				IN	PTR	weizen.binary.kitchen.
+111.12				IN	PTR	rfp11.binary.kitchen.
+; Services Auweg
+3.13				IN	PTR	aeron.binary.kitchen.
+12.13				IN	PTR	lock-auweg.binary.kitchen.
+; Clients Auweg
+$GENERATE 10-230 $.14		IN	PTR	dhcp-${0,3,d}-14.binary.kitchen.
+; MQTT
+$GENERATE 10-240 $.15		IN	PTR	dhcp-${0,3,d}-15.binary.kitchen.
 ; Point-to-Point
 1.96				IN	PTR	v400.erx-bk.binary.kitchen.
 2.96				IN	PTR	v400.core.binary.kitchen.
-1.97				IN	PTR	wg0.erx-rz.binary.kitchen.
-2.97				IN	PTR	wg0.erx-bk.binary.kitchen.
+1.97				IN	PTR	wg1.erx-rz.binary.kitchen.
+2.97				IN	PTR	wg1.erx-bk.binary.kitchen.
+5.97				IN	PTR	wg2.erx-rz.binary.kitchen.
+6.97				IN	PTR	wg2.erx-auweg.binary.kitchen.

roles/dns_intern/templates/bind/binary.kitchen.zone.j2

@@ -1,67 +1,80 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
-@				IN	SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
-					2020051101; serial
+@				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
+					2024030100; serial
 					1d; refresh
 					2h; retry
 					4w; expire
 					1h; minimum time-to-live
 				)
-				IN	NS	ns.binary.kitchen.
+				IN	NS	ns1.binary.kitchen.
+				IN	NS	ns2.binary.kitchen.
+; Subdomains
+users				IN	NS	ns1.binary.kitchen.
+users				IN	NS	ns2.binary.kitchen.
 ; External
 				IN	A	213.166.246.4
 www				IN	A	213.166.246.4
 ; Aliases
 3dprinter			IN	A	172.23.3.251
+icinga				IN	A	172.23.2.6
 ldap				IN	A	172.23.2.3
 ldap				IN	A	172.23.2.4
 ldap				IN	A	213.166.246.2
 ldap1				IN	A	172.23.2.3
 ldap2				IN	A	172.23.2.4
+ldap3				IN	A	172.23.13.3
 ldapm				IN	A	213.166.246.2
 librenms			IN	A	172.23.2.6
-racktables			IN	A	172.23.2.6
+netbox				IN	A	172.23.2.7
+ns1				IN	A	172.23.2.3
+ns2				IN	A	172.23.2.4
+omm				IN	A	172.23.2.35
 radius				IN	A	172.23.2.3
 radius				IN	A	172.23.2.4
 ; Loopback
 core				IN	A	172.23.0.1
 erx-bk				IN	A	172.23.0.2
 erx-rz				IN	A	172.23.0.3
-pf-bk				IN	A	172.23.0.4
-pf-rz				IN	A	172.23.0.5
+erx-auweg			IN	A	172.23.0.4
 ; Management
 v2301.core			IN	A	172.23.1.1
 ups1				IN	A	172.23.1.11
 pdu1				IN	A	172.23.1.21
 pdu2				IN	A	172.23.1.22
 pdu3				IN	A	172.23.1.23
-sw01				IN	A	172.23.1.31
-sw02				IN	A	172.23.1.32
-sw03				IN	A	172.23.1.33
+sw-butchery			IN	A	172.23.1.31
+sw-mini				IN	A	172.23.1.32
+sw-rack				IN	A	172.23.1.33
 ap01				IN	A	172.23.1.41
 ap02				IN	A	172.23.1.42
-ap03				IN	A	172.23.1.43
 ap04				IN	A	172.23.1.44
 ap05				IN	A	172.23.1.45
+ap06				IN	A	172.23.1.46
 modem				IN	A	172.23.1.51
 wurst				IN	A	172.23.1.60
 wurst-bmc			IN	A	172.23.1.80
 bowle-bmc			IN	A	172.23.1.82
 nbe-w13b			IN	A	172.23.1.101
 nbe-tr8				IN	A	172.23.1.102
+rfp01				IN	A	172.23.1.111
+rfp02				IN	A	172.23.1.112
 ; Services
 v2302.core			IN	A	172.23.2.1
-ns				IN	A	172.23.2.2
 bacon				IN	A	172.23.2.3
 aveta				IN	A	172.23.2.4
 sulis				IN	A	172.23.2.5
 nabia				IN	A	172.23.2.6
-homer				IN	A	172.23.2.11
+epona				IN	A	172.23.2.7
 lock				IN	A	172.23.2.12
 matrix				IN	A	172.23.2.13
 pizza				IN	A	172.23.2.33
+pancake				IN	A	172.23.2.34
+knoedel				IN	A	172.23.2.35
 schweinshaxn			IN	A	172.23.2.36
-cashdesk			IN	A	172.23.2.44
+bob				IN	A	172.23.2.37
+lasagne				IN	A	172.23.2.38
+tschunk				IN	A	172.23.2.39
 bowle				IN	A	172.23.2.62
 strammermax			IN	A	172.23.2.91
 obatzda				IN	A	172.23.2.92
@@ -71,32 +84,48 @@ $GENERATE 10-230 dhcp-${0,3,d}-03	IN	A	172.23.3.$
 fusilli				IN	A	172.23.3.240
 klopi				IN	A	172.23.3.241
 mpcnc				IN	A	172.23.3.242
-garlic				IN	A	172.23.3.243
 mirror				IN	A	172.23.3.244
 spaghetti			IN	A	172.23.3.245
 maccaroni			IN	A	172.23.3.246
-pve02-bmc.tmp			IN	A	172.23.3.247
-pve02.tmp			IN	A	172.23.3.248
-ffrgb				IN	A	172.23.3.249
 cannelloni			IN	A	172.23.3.250
 noodlehub			IN	A	172.23.3.251
 ; MQTT
 v2304.core			IN	A	172.23.4.1
 pizza.mqtt			IN	A	172.23.4.6
+lasagne.mqtt			IN	A	172.23.4.7
 $GENERATE 10-240 dhcp-${0,3,d}-04	IN	A	172.23.4.$
+habdisplay1.mqtt		IN	A	172.23.4.241
+habdisplay2.mqtt		IN	A	172.23.4.242
+logo1.mqtt			IN	A	172.23.4.245
+logo2.mqtt			IN	A	172.23.4.246
+moodlights1.mqtt		IN	A	172.23.4.250
+openhabgw1.mqtt			IN	A	172.23.4.251
+homematic-ccu2.mqtt		IN	A	172.23.4.252
 ; Management RZ
 switch0.erx-rz			IN	A	172.23.9.1
 salat				IN	A	172.23.9.61
 salat-bmc			IN	A	172.23.9.81
 ; Services RZ
-cernunnos			IN	A	172.23.8.23
+; Management Auweg
+sw-auweg			IN	A	172.23.12.31
+ap11				IN	A	172.23.12.41
+ap12				IN	A	172.23.12.42
+weizen				IN	A	172.23.12.61
+rfp11				IN	A	172.23.12.111
+; Services Auweg
+aeron				IN	A	172.23.13.3
+lock-auweg			IN	A	172.23.13.12
+; Clients Auweg
+$GENERATE 10-230 dhcp-${0,3,d}-14	IN	A	172.23.14.$
+; MQTT Auweg
+$GENERATE 10-240 dhcp-${0,3,d}-15	IN	A	172.23.15.$
 ; VPN RZ (ER-X)
-wg1.erx-rz			IN	A	172.23.10.1
+wg0.erx-rz			IN	A	172.23.10.1
 $GENERATE 2-254 vpn-${0,3,d}-10	IN	A	172.23.10.$
-; VPN RZ (pf)
-$GENERATE 2-254 vpn-${0,3,d}-11	IN	A	172.23.11.$
 ; Point-to-Point
 v400.erx-bk			IN	A	172.23.96.1
 v400.core			IN	A	172.23.96.2
-wg0.erx-rz			IN	A	172.23.97.1
-wg0.erx-bk			IN	A	172.23.97.2
+wg1.erx-rz			IN	A	172.23.97.1
+wg1.erx-bk			IN	A	172.23.97.2
+wg2.erx-rz			IN	A	172.23.97.5
+wg2.erx-auweg			IN	A	172.23.97.6

roles/dns_intern/templates/dnsdist.conf.j2

@@ -0,0 +1,27 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1')
+addLocal('::1')
+addLocal('{{ ansible_default_ipv4.address }}')
+
+-- define downstream servers/pools
+newServer({address='127.0.0.1:5300', pool='authdns'})
+newServer({address='127.0.0.1:5353', pool='resolve'})
+
+{% if dns_secondary is defined %}
+-- allow AXFR/IXFR only from slaves
+addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
+{% endif %}
+
+-- allow NOTIFY only from master
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
+
+-- use auth servers for own zones
+addAction('binary.kitchen', PoolAction('authdns'))
+addAction('23.172.in-addr.arpa', PoolAction('authdns'))
+
+-- use resolver for anything else
+addAction(AllRule(), PoolAction('resolve'))
+
+-- disable security status polling via DNS
+setSecurityPollSuffix('')

roles/dns_intern/templates/pdns.conf.j2

@@ -1,46 +1,90 @@
 # {{ ansible_managed }}
 
+{% if ansible_default_ipv4.address == dns_primary %}
 #################################
-# launch        Which backends to launch and order to query them in
+# allow-dnsupdate-from  A global setting to allow DNS updates from these IP ranges.
 #
-# launch=
-launch=bind
+# allow-dnsupdate-from=127.0.0.0/8,::1
+allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
 
 #################################
-# local-address Local IP addresses to which we bind
+# dnsupdate	Enable/Disable DNS update (RFC2136) support.  Default is no.
+#
+# dnsupdate=no
+dnsupdate=yes
+{% endif %}
+
+#################################
+# launch	Which backends to launch and order to query them in
+#
+# launch=
+launch=bind,gsqlite3
+
+#################################
+# local-address	Local IP addresses to which we bind
 #
 # local-address=0.0.0.0
 local-address=127.0.0.1
 
 #################################
-# local-ipv6    Local IP address to which we bind
-#
-# local-ipv6=::
-local-ipv6=
-
-#################################
-# local-port    The port on which we listen
+# local-port	The port on which we listen
 #
 # local-port=53
 local-port=5300
 
+{% if ansible_default_ipv4.address == dns_primary %}
 #################################
-# security-poll-suffix  Domain name from which to query security update notifications
+# master	Act as a master
+#
+# master=no
+master=yes
+
+{% if dns_secondary is defined %}
+#################################
+# only-notify   Only send AXFR NOTIFY to these IP addresses or netmasks
+#
+# only-notify=0.0.0.0/0,::/0
+only-notify={{ dns_secondary }}
+{% endif %}
+{% endif %}
+
+#################################
+# security-poll-suffix	Domain name from which to query security update notifications
 #
 # security-poll-suffix=secpoll.powerdns.com.
 security-poll-suffix=
 
 #################################
-# setgid        If set, change group id to this gid for more security
+# setgid	If set, change group id to this gid for more security
 #
 setgid=pdns
 
 #################################
-# setuid        If set, change user id to this uid for more security
+# setuid	If set, change user id to this uid for more security
 #
 setuid=pdns
 
+{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
 #################################
-# bind-config   Location of the Bind configuration file to parse.
+# slave	Act as a slave
+#
+# slave=no
+slave=yes
+
+#################################
+# trusted-notification-proxy	IP address of incoming notification proxy
+#
+# trusted-notification-proxy=
+trusted-notification-proxy=127.0.0.1,::1
+{% endif %}
+
+#################################
+# bind-config	Location of named.conf
 #
 bind-config=/etc/powerdns/bindbackend.conf
+
+#################################
+# gsqlite3-database	Filename of the SQLite3 database
+#
+# gsqlite3-database=
+gsqlite3-database=/var/lib/powerdns/pdns.sqlite3

roles/dns_intern/templates/recursor.conf.j2

@@ -1,61 +1,55 @@
 # {{ ansible_managed }}
 
 #################################
-# allow-from    If set, only allow these comma separated netmasks to recurse
+# allow-from	If set, only allow these comma separated netmasks to recurse
 #
-#allow-from=127.0.0.0/8
+# allow-from=127.0.0.0/8
 
 #################################
-# config-dir    Location of configuration directory (recursor.conf)
+# config-dir	Location of configuration directory (recursor.conf)
 #
 config-dir=/etc/powerdns
 
 #################################
-# dnssec        DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
+# dnssec	DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
 #
-# dnssec=process-no-validate
+# dnssec=process
 dnssec=off
 
 #################################
-# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
+# local-address	IP addresses to listen on, separated by spaces or commas. Also accepts ports.
 #
-# forward-zones=
-forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
+local-address=127.0.0.1
 
 #################################
-# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
+# local-port	port to listen on
 #
-local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
+local-port=5353
 
 #################################
-# local-port    port to listen on
-#
-local-port=53
-
-#################################
-# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
+# query-local-address6	Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
 #
 {% if global_ipv6 is defined %}
 query-local-address6={{ global_ipv6 | ipaddr('address') }}
 {% endif %}
 
 #################################
-# quiet Suppress logging of questions and answers
+# quiet	Suppress logging of questions and answers
 #
 quiet=yes
 
 #################################
-# security-poll-suffix  Domain name from which to query security update notifications
+# security-poll-suffix	Domain name from which to query security update notifications
 #
 # security-poll-suffix=secpoll.powerdns.com.
 security-poll-suffix=
 
 #################################
-# setgid        If set, change group id to this gid for more security
+# setgid	If set, change group id to this gid for more security
 #
 setgid=pdns
 
 #################################
-# setuid        If set, change user id to this uid for more security
+# setuid	If set, change user id to this uid for more security
 #
 setuid=pdns

roles/docker/tasks/main.yml

@@ -1,17 +1,10 @@
 ---
 
-- name: Enable docker apt-key
-  apt_key: url='https://download.docker.com/linux/debian/gpg'
-
-- name: Enable docker repository
-  apt_repository:
-    repo: 'deb https://download.docker.com/linux/debian buster stable'
-    filename: docker
-
 - name: Install docker
   apt:
     name:
-    - docker-ce
-    - docker-ce-cli
-    - containerd.io
-    - python-docker
+    - docker.io
+    - python3-docker
+
+- name: Enable docker
+  service: name=docker state=started enabled=yes

roles/doorlock/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart nginx
+  service: name=nginx state=restarted

roles/doorlock/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
+      -days 730 -subj "/CN={{ doorlock_domain }}"
+    creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+    - "{{ doorlock_domain }}"
+
+- name: Configure certificate manager for doorlock
+  template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
+  notify: Run acertmgr

roles/doorlock/templates/certs.j2

@@ -0,0 +1,18 @@
+---
+
+{{ doorlock_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/drone/files/drone.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=drone.io server
-After=network-online.target
-
-[Service]
-Type=simple
-User=drone
-EnvironmentFile=/etc/default/drone
-ExecStart=/opt/drone/bin/drone-server
-Restart=always
-RestartSec=5s
-
-[Install]
-WantedBy=multi-user.target

roles/drone/tasks/main.yml

@@ -1,52 +0,0 @@
----
-
-- name: Create user
-  user: name=drone
-
-# TODO install drone to /opt/drone/bin
-# currently it is manually compiled
-
-- name: Configure drone
-  template: src=drone.j2 dest=/etc/default/drone
-  notify: Restart drone
-
-- name: Install PostgreSQL
-  apt:
-    name:
-    - postgresql
-    - python-psycopg2
-
-- name: Configure PostgreSQL database
-  postgresql_db: name={{ drone_dbname }}
-  become: true
-  become_user: postgres
-
-- name: Configure PostgreSQL user
-  postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
-  become: true
-  become_user: postgres
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
-  notify: Restart nginx
-
-- name: Configure certificate manager for drone
-  template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
-  notify: Run acertmgr
-
-- name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
-  notify: Restart nginx
-
-- name: Enable vhost
-  file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
-  notify: Restart nginx
-
-- name: Install systemd unit
-  copy: src=drone.service dest=/lib/systemd/system/drone.service
-  notify:
-  - Reload systemd
-  - Restart drone
-
-- name: Enable drone
-  service: name=drone enabled=yes

roles/drone/templates/drone.j2

@@ -1,10 +0,0 @@
-DRONE_AGENTS_ENABLED=true
-DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
-DRONE_DATABASE_DRIVER=postgres
-DRONE_GITEA_SERVER=https://{{ gitea_domain }}
-DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
-DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
-DRONE_RPC_SECRET={{ drone_secret }}
-DRONE_SERVER_HOST={{ drone_domain }}
-DRONE_SERVER_PROTO=https
-DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

roles/drone/templates/vhost.j2

@@ -1,31 +0,0 @@
-server {
-	listen 80;
-	listen [::]:80;
-
-	server_name {{ drone_domain }};
-
-	location /.well-known/acme-challenge {
-		default_type "text/plain";
-		alias /var/www/acme-challenge;
-	}
-
-	location / {
-		return 301 https://{{ drone_domain }}$request_uri;
-	}
-}
-
-server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name {{ drone_domain }};
-
-	ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
-
-	location / {
-		client_max_body_size 128M;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_pass http://localhost:8080;
-	}
-}

roles/drone_runner/tasks/main.yml

@@ -1,20 +0,0 @@
----
-
-- name: Run runner container
-  docker_container:
-    name: runner
-    image: drone/drone-runner-docker:1
-    env:
-      DRONE_RPC_PROTO: "https"
-      DRONE_RPC_HOST: "{{ drone_domain }}"
-      DRONE_RPC_SECRET: "{{ drone_secret }}"
-      DRONE_RUNNER_CAPACITY: "2"
-      DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
-      DRONE_UI_USERNAME: "admin"
-      DRONE_UI_PASSWORD: "{{ drone_uipass }}"
-    ports:
-    - "3000:3000"
-    restart_policy: unless-stopped
-    state: started
-    volumes:
-    - "/var/run/docker.sock:/var/run/docker.sock"

roles/event_web/files/certs

@@ -0,0 +1,15 @@
+---
+
+eh21.easterhegg.eu engel.eh21.easterhegg.eu:
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'

roles/event_web/files/vhost

@@ -0,0 +1,68 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/eh21;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://engel.eh21.easterhegg.eu$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name engel.eh21.easterhegg.eu;
+
+	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
+	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
+
+	root /var/www/engel/public;
+
+	index index.php;
+
+	location / {
+		try_files $uri $uri/ /index.php?$args;
+	}
+
+	location ~ \.php$ {
+		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+		fastcgi_index index.php;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		include fastcgi_params;
+	}
+}

roles/event_web/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/event_web/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+    - php-fpm
+
+- name: Create vhost directory
+  file: path=/var/www/eh21 state=directory owner=www-data group=www-data
+
+- name: Create vhost directory
+  file: path=/var/www/engel state=directory owner=www-data group=www-data
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/eh21.easterhegg.eu.key -out /etc/nginx/ssl/eh21.easterhegg.eu.crt -days 730 -subj "/CN=eh21.easterhegg.eu" creates=/etc/nginx/ssl/eh21.easterhegg.eu.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager
+  copy: src=certs dest=/etc/acertmgr/eh21.easterhegg.eu.conf
+  notify: Run acertmgr
+
+- name: Configure vhosts
+  copy: src=vhost dest=/etc/nginx/sites-available/www
+  notify: Restart nginx
+
+- name: Enable vhosts
+  file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
+  notify: Restart nginx
+
+- name: Start php8.2-fpm
+  service: name=php8.2-fpm state=started enabled=yes