Author | SHA1 | Date |
---|---|---|
Markus | b9e886fd01 | |
Markus | 581757a3f0 | |
Markus | 79217219fb | |
Markus | 9bee86f6ba | |
Markus | bd75c4283a | |
Markus | 8b6e02f91f | |
Markus | f791a1cd8d | |
Markus | 50ea038b51 | |
Markus | 15166b92a2 | |
Markus | 88764a7fb5 | |
Markus | f1e3189a1d | |
Markus | 477357b00e | |
Markus | d860c5a538 | |
Markus | 849a8f491d | |
Markus | 6e766fdc5b | |
Markus | 631ba79ba4 | |
Thomas Basler | 3c1a92a4b6 | |
Thomas Basler | e2c7bed035 | |
Thomas Basler | 07a0e22d35 | |
Thomas Basler | f72960bbc8 | |
Markus | 51e673ca94 | |
Markus | b99c41b938 | |
Markus | f839bd1db9 | |
Markus | d5f8a39219 | |
Markus | 36bf2bbc3f | |
Markus | 34b1d83233 | |
Markus | 0e9d3092e6 | |
Markus | 7b03d89096 | |
Markus | 07686bbf73 | |
Markus | b3c04b5675 | |
Markus | b058a8d891 | |
Markus | d5b11f15d2 | |
Markus | ec9b306469 | |
Markus | 9ac34b1079 | |
Markus | 40a2a28676 | |
Markus | 574afd2b83 | |
Markus | a219a7ecaf | |
Markus | 265aa863fd | |
Markus | dffb4be7d0 | |
Markus | 67066c88c7 | |
Markus | db0cc8517a | |
Markus | d8ab43dc29 | |
Markus | b919df64ce | |
Markus | 91e88b07b3 | |
Markus | f29fccefbe | |
Markus | 668b9418db | |
Markus | 8c7629c409 | |
Markus | a23e1598bf | |
Markus | 9b9a844867 | |
Markus | d1682eb5f2 | |
Markus | c6db7e5805 | |
Markus | cfa3c48827 | |
Markus | b61d00aeca | |
Markus | 4a56b35fdd | |
Markus | cf373d84ec | |
Markus | c3ce352580 | |
Markus | 6f5b4891d4 | |
Markus | 937961174f | |
Markus | b2b7045f61 | |
Markus | 83d6c87415 | |
Markus | 79230057af | |
Markus | 3e13f04758 | |
Markus | aa53ae45ca | |
Markus | 4e4999d409 | |
Markus | 1d1c1d0381 | |
Markus | 40559373ba | |
Markus | b990c6c1c3 | |
Markus | 84cb7be90d | |
Markus | eca8792bb5 | |
Markus | e4f934264f | |
Markus | ce477eceb2 | |
Markus | b7142615fb | |
Markus | 20b0cb26ff | |
Markus | eb430ed0ee | |
Markus | 700fa97feb | |
Markus | 21c64883f0 | |
Markus | cca5e2f3df | |
Markus | 5a54bdfe67 | |
Markus | 05e5e2d6a0 | |
Markus | 1fa4fb24aa | |
Markus | 3642f4db11 | |
Markus | a5c5957554 | |
Markus | 17b59ae656 | |
Markus | 9c072a4678 | |
Markus | 02496ae591 | |
Markus | d5d762f73e | |
Markus | e85e1f43ea | |
Markus | 22c743baec | |
Markus | d10886f284 | |
Markus | 198a5908b2 | |
Markus | 07d14163fb | |
Markus | d0429f9984 | |
Markus | 7ba5813e39 | |
Markus | 2d499a0967 | |
Markus | 58c875c4dc | |
Markus | 6bf772b761 | |
Markus | 66f751b4fb | |
Markus | b656aef36d | |
Markus | fc452e7d60 | |
Markus | 2aec019f3b | |
Markus | 6b600be79c | |
Markus | a3995263f2 | |
Markus | d4e75761aa | |
Markus | aa05825fb2 | |
Markus | ad41c02741 | |
Markus | c0852557af | |
Markus | 586a02e545 | |
Markus | 1c0b1e6032 | |
Markus | 003c4ee83d | |
Markus | 4c55923b1c | |
Markus | 089136b71c | |
Markus | ce825b105c | |
Markus | d120a95789 | |
Markus | d2aa747d52 | |
Markus | 565177b6d6 | |
Markus | f6b8724b93 | |
Markus | ac8c0318a9 | |
Markus | 35de5eb253 | |
Markus | 6c14018f4a | |
Markus | b4ef06572b | |
Markus | a12e0bf43b | |
Markus | f484efbd54 | |
Markus | d21c73e317 | |
Markus | 48f2330a84 | |
Markus | 7c4c262fd3 | |
Markus | 1ea08a8776 | |
Markus | c1da05cdaf | |
Markus | 06d0895b96 | |
Markus | 6279bd0caa | |
Markus | a9668ff6d7 | |
Markus | c06ba3f0c3 | |
Markus | 46d97d75bf | |
Markus | 8cefd0363b | |
Markus | 0c53d9dc3e | |
Markus | d448fe5384 | |
Markus | 0430a7e456 | |
Markus | adadbc9663 | |
Markus | 7cbb6abff9 | |
Markus | 4e1880d394 | |
Markus | 5d1b2ab959 | |
Markus | 837c9fc20a | |
Markus | 4103a23f48 | |
Markus | 35a7acafd4 | |
Markus | b2d6066acb | |
Markus | d662fd6689 | |
Thomas Basler | 70d4edc0d6 | |
Markus | 63b0d62938 | |
Thomas | 4993782513 | |
Markus | 3b1b600c8e | |
Markus | a0d455d3ed | |
Markus | f0bd56d813 | |
Markus | a1a8a75787 | |
Markus | 0b1ee06e0c | |
Markus | f2abb27a08 | |
Markus | 1e3a163dca | |
Markus | 631f34baea | |
Markus | 6696697892 | |
Markus | fcb2638d8f | |
Markus | b4146fc919 | |
Markus | d9678ba6f5 | |
Markus | 0154bded19 | |
Markus | b5bfc03f2f | |
Markus | 4344bd7d45 | |
Markus | 234e889d9d | |
Markus | 5f39fd3ea7 | |
Markus | 6b5c59183e | |
Markus | 9e20fd1c19 | |
Markus | a7d391e0de | |
Markus | 9e9bfade44 | |
Markus | 64badc0d8f | |
Markus | 0c1df72dce | |
Markus | fdf91000d5 | |
Markus | b86945f714 | |
Markus | 14c055bff0 | |
Markus | a08b2c047e | |
Markus | a59ac1435e | |
Markus | c23b065e68 | |
Markus | a40afba368 | |
Markus | db8e6f2576 | |
Markus | cc35e0da6c | |
Markus | 26a36701f5 | |
Markus | 7403383a4f | |
Markus | b710872b20 | |
raven | 4dd1f87e73 | |
Markus | 33e0419253 | |
Thomas Basler | ab693499f4 | |
Thomas Basler | 7e3ee25048 | |
Markus | ce8e6d6cd2 | |
Markus | e1e8da8a2b | |
Markus | cd80847a57 | |
Markus | d5ec34c47e | |
Markus | 227926ff12 | |
Kishi85 | 5ddc8ee09a | |
Markus | d2c83c01fc | |
Markus | 3e0cdbe023 | |
Markus | e1856f6ceb | |
Thomas Basler | 3dbdbc226b | |
Thomas Basler | 5cbaf1b4a6 | |
Thomas Basler | 447fcbaad5 | |
Thomas Basler | ec6b1d4725 | |
Thomas Basler | ad96a50ae8 | |
Thomas Basler | ca244db889 | |
Thomas Basler | 73b36d8bc3 | |
Thomas Basler | a1a3091507 | |
Thomas Basler | 541c061c7d | |
Thomas Basler | 2d645a13f4 | |
Thomas Basler | 9eef0c7739 | |
Thomas Basler | f565853cd2 | |
Thomas Basler | 9c2cf94ea2 | |
Thomas Basler | 7c40f82c6c | |
Thomas Basler | bd96df2eb0 | |
Thomas Basler | 3c09971484 | |
Thomas Basler | fabf719de5 | |
Thomas Basler | 44241e5df5 | |
Thomas Basler | da9b432864 | |
Markus | e956702e86 | |
Markus | 8bf2704c9b | |
Markus | 4f57cf5f62 | |
Markus | 02c5e0fa8f | |
Markus | 9e194d1d6d | |
Markus | 29b0201507 | |
Markus | 3214cdacd1 | |
Markus | c57ce61df4 | |
Markus | cec001156b | |
Markus | dbb9a58354 | |
Markus | 82f0b278a6 | |
Markus | b87119a1df | |
Markus | 792d7dcc90 | |
Markus | 359f2f68d7 | |
Kishi85 | 93e01f3650 | |
Markus | 69348ed49b | |
Markus | 43a672b064 | |
Markus | beb8fafd1a | |
Markus | e63ad7a34d | |
Markus | cd90151635 | |
Markus | 239d2b6f9b | |
Markus | 3c901c5e2e | |
Markus | 0893017a01 | |
Markus | 3fcc39c852 | |
Markus | 3cd42908be | |
Markus | dac19a26b6 | |
Markus | cece722363 | |
Markus | 9675522a88 | |
Markus | cc62b843ed | |
Markus | 6d3f81e32d | |
Markus | c002c52c25 | |
Markus | 01811b089e | |
Markus | 84c167e9ed | |
Markus | 79668ac85d | |
Markus | 16bdd2cc5a | |
Markus | 848bf5c82c | |
Markus | 224d6ef256 | |
Markus | dcc8dfa14b | |
Markus | 45cb1623cf | |
Markus | 1541f5c7a8 | |
Markus | c23bc49529 | |
Thomas Basler | 3325ebe70e | |
Thomas Basler | 0dfc8ca853 | |
Thomas Basler | 9ea7156394 | |
Markus | 347ad26fb6 | |
Markus | bb2ae97f13 | |
Markus | a22c68a76a | |
Thomas | e0c869819b | |
Thomas | b23c62e0e9 | |
Markus | 56b1e62d4b | |
Markus | 4633eab53a | |
Markus | 9373745171 | |
Markus | 7eb37b6cf6 | |
Markus | ca91b3d82d | |
Markus | bd1b350862 | |
Markus | 3991fdee84 | |
Markus | 608ef53d4e | |
Kishi85 | 0abe05dc00 | |
Kishi85 | e4f346182b | |
Markus | c708de4a40 | |
Markus | 59fcac1337 | |
Markus | f003f62989 | |
Markus | 4ac6936b54 | |
Markus | 7f05bf752d | |
Markus | 8f69ef75f1 | |
Markus | 7fb80dc1e3 | |
Markus | e47e17cf75 | |
Markus | 2276e4efe5 | |
Kishi85 | 1465af44a6 | |
Kishi85 | d3e0e7c8da | |
Kishi85 | 77a8cc93f0 | |
Markus | 60e4ce380d | |
Markus | 8541e74ee1 | |
Markus | 46bcaf8320 | |
Markus | 75c6a18217 | |
Markus | 6aff25be20 | |
Markus | f470dd313a | |
Markus | c7e01371c9 | |
Markus | 4ff1651100 | |
Thomas Basler | a9e7ab626b | |
Markus | 758a2efa03 | |
Markus | 931d97359e | |
Markus | 3c56af2906 | |
Markus | ae88007179 | |
Markus | 4af3743d75 | |
Markus | 933fa6387e | |
Markus | 966e96f2f9 | |
Markus | f367fb6e76 | |
Markus | af2c7e6c2d | |
Markus | e44d76a7be | |
Markus | 7ad28a20d0 | |
Markus | 8e8b2be194 | |
Markus | cb2887adff | |
Markus | ab82b09431 | |
Markus | 75ec080860 | |
Markus | 577706dbbe | |
Markus | 7bc18ea42f | |
Markus | 813d32fd6b | |
Markus | 364cda3347 | |
Markus | 291a84b65a | |
Thomas Basler | 61d2b601e9 | |
Thomas Basler | 9ff860d6ec | |
Thomas Basler | 60cfb76658 | |
Thomas Basler | 24e5d5d3fb | |
Thomas Basler | f54e173040 | |
Markus | b89409207b | |
Markus | a1ab02769e | |
Markus | 10bcd42d02 | |
Markus | d2ad4fe142 | |
Markus | 37a8d9c739 | |
Markus | d67048b79b | |
Markus | 1de1c7e7ea | |
Markus | 6b3f6ae80b | |
Markus | 4d67b3fc6e | |
Markus | e8dde1ec94 | |
Markus | 35794adb90 | |
Markus | a09942a01e | |
Markus | 58e68d1255 | |
Markus | 21172dbbd7 | |
Markus | 980a705dd6 | |
Markus | 7f30b97d69 | |
Markus | 51065764da | |
Markus | cdfd65e83f | |
Markus | 9a70e83037 | |
Markus | 43cf634b96 | |
Markus | 77d9ebcd13 | |
Markus | 6dceeeb9a4 | |
Markus | f19e8af40f | |
Markus | 1f967c2925 | |
Markus | 2eb5440c3c | |
Markus | 0d288bf6e1 | |
Markus | 865c58bd4c | |
Markus | 1b0db12005 | |
Markus | 36b75e1c6a | |
Markus | 0dd467e564 | |
Markus | 2438917f79 | |
Markus | 26bdefaa10 | |
Markus | de1a36efb1 | |
Markus | ead1afc293 | |
Markus | 869a84dc3d | |
Markus | 7ac10f0e7d | |
Markus | 5e9360bd48 | |
Markus | 2f6ae888b5 | |
Markus | be35ad698f | |
Markus | 3be8cce6d8 | |
Markus | 41a94d7142 | |
Markus | e03d7ab821 | |
Markus | 5266df5c52 | |
Markus | f0c55693a8 | |
Markus | 241c706625 | |
Markus | 1b9b5badd3 | |
Markus | 7a4ec7aae1 | |
Markus | 09043f39ca | |
Markus | cbee52e0bc | |
Markus | c163f271e3 | |
Markus | 870cce1e12 | |
Markus | f96090ca5d | |
Markus | 5406efcef1 | |
Markus | 046fe91aef | |
Markus | 139c8d9904 | |
Markus | 1b34fd4944 | |
Markus | d2c46eae8c | |
Markus | b2442be2d8 | |
Markus | 7b1f998af2 | |
Markus | 3e1cdb6bf5 | |
Markus | e8dcf169e2 | |
Markus | e0a5d012ee | |
Markus | 1aebd59435 | |
Markus | 66ee1f011e | |
Markus | be3c4f3cf7 | |
Markus | 0c1e89c24e | |
Markus | f18c07e9fa | |
Markus | a5620befbe | |
Markus | c93b864f03 | |
Markus | 5156bdf33c | |
Markus | 9e7f968c7b | |
Markus | e54a60e828 | |
Markus | 19242491f5 | |
Markus | 1a5f7b7e3f | |
Markus | ae725e673c | |
Markus | 8a27fe96b1 | |
Markus | b03c92eba0 | |
Markus | 90cbfdb435 | |
Markus | dae9ba85e4 | |
Markus | 57709979eb | |
Markus | a7373f86f3 | |
Markus | 4cc75159d2 | |
Markus | ac892a93cb | |
Markus | 15fbe6c29c | |
Markus | 39e5ad9e20 | |
Markus | 482ac2078d | |
Markus | 2514396745 | |
Markus | b1589a0ec1 | |
Markus | df78e0119f | |
Markus | 30652ebe5d | |
Markus | 777d56712e |
67
README.md
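--- a/README.md
+++ b/README.md
@@ -1,11 +1,68 @@
 # Binary Kitchen Ansible Playbooks
 
-This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
+This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
 
-## Using
+## Usage
 
-TBA
+To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
 
-## Style / Contributing
+It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
 
-TBA/TBD
+## Current setup
+
+Currently the following hosts are installed:
+
+### Internal Servers
+
+| Hostname | OS | Purpose |
+| ------------------------- | --------- | ----------------------- |
+| wurst.binary.kitchen | Proxmox 8 | VM Host |
+| salat.binary.kitchen | Proxmox 8 | VM Host |
+| weizen.binary.kitchen | Proxmox 8 | VM Host |
+| bacon.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aveta.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| aeron.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
+| sulis.binary.kitchen | Debian 12 | Shell |
+| nabia.binary.kitchen | Debian 12 | Monitoring |
+| epona.binary.kitchen | Debian 12 | NetBox |
+| pizza.binary.kitchen | Debian 11 | OpenHAB * |
+| pancake.binary.kitchen | Debian 12 | XRDP |
+| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
+| bob.binary.kitchen | Debian 12 | Gitea Actions |
+| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
+| tschunk.binary.kitchen | Debian 11 | Strichliste |
+| bowle.binary.kitchen | Debian 12 | Files |
+| lock-auweg.binary.kitchen | Debian 11 | Doorlock |
+
+\*: The main application is not managed by ansible but manually installed
+
+### External Servers
+
+| Hostname | OS | Purpose |
+| ----------------------------- | --------- | ----------------------- |
+| helium.binary-kitchen.net | Debian 12 | LDAP Master |
+| lithium.binary-kitchen.net | Debian 12 | Mail |
+| beryllium.binary-kitchen.net | Debian 12 | Web * |
+| boron.binary-kitchen.net | Debian 12 | Gitea |
+| carbon.binary-kitchen.net | Debian 12 | Jabber |
+| nitrogen.binary-kitchen.net | Debian 12 | NextCloud |
+| oxygen.binary-kitchen.net | Debian 12 | Shell |
+| fluorine.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
+| neon.binary-kitchen.net | Debian 12 | Auth. DNS |
+| sodium.binary-kitchen.net | Debian 12 | Mattrix |
+| magnesium.binary-kitchen.net | Debian 12 | TURN |
+| aluminium.binary-kitchen.net | Debian 12 | Zammad |
+| krypton.binary-kitchen.net | Debian 12 | PartDB * |
+| yttrium.binary-kitchen.net | Debian 12 | Hintervvoidler * |
+| zirconium.binary-kitchen.net | Debian 12 | Jitsi |
+| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle * |
+| technetium.binary-kitchen.net | Debian 12 | Event CTFd * |
+| ruthenium.binary-kitchen.net | Debian 12 | Minecraft * |
+| rhodium.binary-kitchen.net | Debian 12 | Event pretix |
+| palladium.binary-kitchen.net | Debian 12 | Event pretalx |
+| argentum.binary-kitchen.net | Debian 12 | Event Web * |
+| cadmium.binary-kitchen.neti | Debian 12 | Event NetBox * |
+| barium.binary-kitchen.net | Debian 12 | Workadventure |
+
+\*: The main application is not managed by ansible but manually installed
+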
@ -1,5 +1,6 @@
|
||||||
[defaults]
|
[defaults]
|
||||||
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
|
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
|
||||||
|
interpreter_python = auto
|
||||||
inventory = ./hosts
|
inventory = ./hosts
|
||||||
nocows = 1
|
nocows = 1
|
||||||
remote_user = root
|
remote_user = root
|
||||||
|
|
|
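Review bot: The added `interpreter_python = auto` line in the `@ -1,5 +1,6 @@` hunk has no comment saying why auto-discovery was chosen, and since this mode prints a warning on every host where discovery falls back to the default interpreter, the next reader will want to know whether that noise is expected; a one-liner such as `# auto: discover the remote Python per host; auto_silent suppresses the fallback warning` would settle it. The file header for this section is not shown on the page, so I am inferring from the `[defaults]` stanza that this is the project's ansible.cfg. The unchanged `remote_user = root` context line means every play connects as root, which is presumably why the `root_keys` list is maintained in the group variables further down this page.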
@ -5,6 +5,14 @@ acertmgr_mode: webdir
|
||||||
acme_dnskey_file: /etc/acertmgr/nsupdate.key
|
acme_dnskey_file: /etc/acertmgr/nsupdate.key
|
||||||
acme_dnskey_server: neon.binary-kitchen.net
|
acme_dnskey_server: neon.binary-kitchen.net
|
||||||
|
|
||||||
|
authentik_domain: auth.binary-kitchen.de
|
||||||
|
authentik_dbname: authentik
|
||||||
|
authentik_dbuser: authentik
|
||||||
|
authentik_dbpass: "{{ vault_authentik_dbpass }}"
|
||||||
|
authentik_secret: "{{ vault_authentik_secret }}"
|
||||||
|
|
||||||
|
bk23b_domain: 23b.binary-kitchen.de
|
||||||
|
|
||||||
coturn_realm: turn.binary-kitchen.de
|
coturn_realm: turn.binary-kitchen.de
|
||||||
coturn_secret: "{{ vault_coturn_secret }}"
|
coturn_secret: "{{ vault_coturn_secret }}"
|
||||||
|
|
||||||
|
@ -14,16 +22,6 @@ dns_axfr_ips:
|
||||||
|
|
||||||
dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
|
dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
|
||||||
|
|
||||||
drone_admin: moepman
|
|
||||||
drone_domain: drone.binary-kitchen.de
|
|
||||||
drone_dbname: drone
|
|
||||||
drone_dbuser: drone
|
|
||||||
drone_dbpass: "{{ vault_drone_dbpass }}"
|
|
||||||
drone_uipass: "{{ vault_drone_uipass }}"
|
|
||||||
drone_secret: "{{ vault_drone_secret }}"
|
|
||||||
drone_gitea_client: "{{ vault_drone_gitea_client }}"
|
|
||||||
drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
|
|
||||||
|
|
||||||
dss_domain: dss.binary-kitchen.de
|
dss_domain: dss.binary-kitchen.de
|
||||||
dss_secret: "{{ vault_dss_secret }}"
|
dss_secret: "{{ vault_dss_secret }}"
|
||||||
|
|
||||||
|
@ -34,11 +32,20 @@ gitea_dbpass: "{{ vault_gitea_dbpass }}"
|
||||||
gitea_secret: "{{ vault_gitea_secret }}"
|
gitea_secret: "{{ vault_gitea_secret }}"
|
||||||
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
|
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
|
||||||
|
|
||||||
hackmd_domain: pad.binary-kitchen.de
|
hedgedoc_domain: pad.binary-kitchen.de
|
||||||
hackmd_dbname: hackmd
|
hedgedoc_dbname: hedgedoc
|
||||||
hackmd_dbuser: hackmd
|
hedgedoc_dbuser: hedgedoc
|
||||||
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
|
||||||
hackmd_secret: "{{ vault_hackmd_secret }}"
|
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
|
||||||
|
|
||||||
|
icinga_domain: icinga.binary.kitchen
|
||||||
|
icinga_dbname: icinga
|
||||||
|
icinga_dbuser: icinga
|
||||||
|
icinga_dbpass: "{{ vault_icinga_dbpass }}"
|
||||||
|
icinga_server: nabia.binary.kitchen
|
||||||
|
icingaweb_dbname: icingaweb
|
||||||
|
icingaweb_dbuser: icingaweb
|
||||||
|
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
|
||||||
|
|
||||||
jitsi_domain: jitsi.binary-kitchen.de
|
jitsi_domain: jitsi.binary-kitchen.de
|
||||||
jitsi_admin_email: exxess@binary-kitchen.de
|
jitsi_admin_email: exxess@binary-kitchen.de
|
||||||
|
@ -58,16 +65,29 @@ mail_domain: binary-kitchen.de
|
||||||
mail_domains:
|
mail_domains:
|
||||||
- ccc-r.de
|
- ccc-r.de
|
||||||
- ccc-regensburg.de
|
- ccc-regensburg.de
|
||||||
|
- eh21.easterhegg.eu
|
||||||
- makerspace-regensburg.de
|
- makerspace-regensburg.de
|
||||||
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
|
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
|
||||||
mail_server: mail.binary-kitchen.de
|
mail_server: mail.binary-kitchen.de
|
||||||
mailman_domain: lists.binary-kitchen.de
|
mailman_domain: lists.binary-kitchen.de
|
||||||
mail_trusted:
|
mail_trusted:
|
||||||
- 213.166.246.0/28
|
- 213.166.246.0/28
|
||||||
|
- 213.166.246.37/32
|
||||||
|
- 213.166.246.45/32
|
||||||
|
- 213.166.246.46/32
|
||||||
|
- 213.166.246.47/32
|
||||||
- 213.166.246.250/32
|
- 213.166.246.250/32
|
||||||
- 2a02:958:0:f6::/124
|
- 2a02:958:0:f6::/124
|
||||||
|
- 2a02:958:0:f6::37/128
|
||||||
|
- 2a02:958:0:f6::45/128
|
||||||
|
- 2a02:958:0:f6::46/128
|
||||||
|
- 2a02:958:0:f6::47/128
|
||||||
mail_aliases:
|
mail_aliases:
|
||||||
|
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
|
||||||
|
- "bbb@binary-kitchen.de boehm.johannes@gmail.com"
|
||||||
|
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
|
||||||
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
|
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
|
||||||
|
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
|
||||||
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
|
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
|
||||||
- "lebercast@binary-kitchen.de anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
|
- "lebercast@binary-kitchen.de anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
|
||||||
- "loetworkshop@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
- "loetworkshop@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
||||||
|
@ -75,12 +95,14 @@ mail_aliases:
|
||||||
- "openhab@binary-kitchen.de noby@binary-kitchen.de"
|
- "openhab@binary-kitchen.de noby@binary-kitchen.de"
|
||||||
- "orga@ccc-r.de orga@ccc-regensburg.de"
|
- "orga@ccc-r.de orga@ccc-regensburg.de"
|
||||||
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
|
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
|
||||||
- "paypal@binary-kitchen.de timo.schindler@binary-kitchen.de"
|
- "paypal@binary-kitchen.de ralf@binary-kitchen.de"
|
||||||
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
|
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
|
||||||
|
- "pretalx@binary-kitchen.de moepman@binary-kitchen.de"
|
||||||
|
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
|
||||||
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
|
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
|
||||||
- "seife@binary-kitchen.de anke@binary-kitchen.de"
|
- "seife@binary-kitchen.de anke@binary-kitchen.de"
|
||||||
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
|
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
|
||||||
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,timo.schindler@binary-kitchen.de,zaesa@binary-kitchen.de"
|
- "vorstand@binary-kitchen.de anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
|
||||||
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
|
@ -94,25 +116,41 @@ mail_aliases:
|
||||||
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
||||||
|
- "tickets@eh21.easterhegg.eu orga@eh21.easterhegg.eu"
|
||||||
|
- "hackzuck@eh21.easterhegg.eu kekskruemml@binary-kitchen.de"
|
||||||
|
|
||||||
matrix_domain: matrix.binary-kitchen.de
|
matrix_domain: matrix.binary-kitchen.de
|
||||||
matrix_dbname: matrix
|
matrix_dbname: matrix
|
||||||
matrix_dbuser: matrix
|
matrix_dbuser: matrix
|
||||||
matrix_dbpass: "{{ vault_matrix_dbpass }}"
|
matrix_dbpass: "{{ vault_matrix_dbpass }}"
|
||||||
|
|
||||||
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
mc_domain: minecraft.binary-kitchen.de
|
||||||
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
|
|
||||||
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
|
netbox_domain: netbox.binary.kitchen
|
||||||
|
netbox_dbname: netbox
|
||||||
|
netbox_dbuser: netbox
|
||||||
|
netbox_dbpass: "{{ vault_netbox_dbpass }}"
|
||||||
|
netbox_secret: "{{ vault_netbox_secret }}"
|
||||||
|
|
||||||
nextcloud_domain: oc.binary-kitchen.de
|
nextcloud_domain: oc.binary-kitchen.de
|
||||||
nextcloud_dbname: owncloud
|
nextcloud_dbname: owncloud
|
||||||
nextcloud_dbuser: owncloud
|
nextcloud_dbuser: owncloud
|
||||||
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
|
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
|
||||||
|
|
||||||
plk_domain: plk-regensburg.de
|
omm_domain: omm.binary.kitchen
|
||||||
plk_dbuser: plkdbuser
|
|
||||||
plk_dbname: plkdb
|
pretalx_domain: fahrplan.eh21.easterhegg.eu
|
||||||
plk_dbpass: "{{ vault_plk_dbpass }}"
|
pretalx_dbname: pretalx
|
||||||
|
pretalx_dbuser: pretalx
|
||||||
|
pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
|
||||||
|
pretalx_mail: pretalx@binary-kitchen.de
|
||||||
|
|
||||||
|
pretix_domain: pretix.events.binary-kitchen.de
|
||||||
|
pretix_domainx: tickets.eh21.easterhegg.eu
|
||||||
|
pretix_dbname: pretix
|
||||||
|
pretix_dbuser: pretix
|
||||||
|
pretix_dbpass: "{{ vault_pretix_dbpass }}"
|
||||||
|
pretix_mail: pretix@binary-kitchen.de
|
||||||
|
|
||||||
prometheus_pve_user: prometheus@pve
|
prometheus_pve_user: prometheus@pve
|
||||||
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
||||||
|
@ -126,8 +164,6 @@ pve_targets:
|
||||||
|
|
||||||
radius_secret: "{{ vault_radius_secret }}"
|
radius_secret: "{{ vault_radius_secret }}"
|
||||||
|
|
||||||
rocketchat_domain: chat.binary-kitchen.de
|
|
||||||
|
|
||||||
root_keys:
|
root_keys:
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
|
||||||
|
@ -135,3 +171,22 @@ root_keys:
|
||||||
slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
|
slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
|
||||||
slapd_root_pass: "{{ vault_slapd_root_pass }}"
|
slapd_root_pass: "{{ vault_slapd_root_pass }}"
|
||||||
slapd_san: ldap.binary.kitchen
|
slapd_san: ldap.binary.kitchen
|
||||||
|
|
||||||
|
sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
||||||
|
sssd_base_user: ou=people,dc=binary-kitchen,dc=de
|
||||||
|
|
||||||
|
strichliste_domain: tschunk.binary.kitchen
|
||||||
|
strichliste_dbname: strichliste
|
||||||
|
strichliste_dbuser: strichliste
|
||||||
|
strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
|
||||||
|
|
||||||
|
vaultwarden_domain: vault.binary-kitchen.de
|
||||||
|
vaultwarden_dbname: vaultwarden
|
||||||
|
vaultwarden_dbuser: vaultwarden
|
||||||
|
vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
|
||||||
|
vaultwarden_token: "{{ vault_vaultwarden_token }}"
|
||||||
|
vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
|
||||||
|
|
||||||
|
workadventure_domain: wa.binary-kitchen.de
|
||||||
|
|
||||||
|
zammad_domain: requests.binary-kitchen.de
|
||||||
|
|
|
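Review bot: `pretix_domainx: tickets.eh21.easterhegg.eu` in the `@ -94,25 +116,41 @@` hunk looks like a stray suffix on `pretix_domain`, which the preceding added line already sets to `pretix.events.binary-kitchen.de`; as written the easterhegg value is dead unless some role happens to read a variable by that exact name. If the EH21 hostname is only being parked, say so and drop the key, e.g. `# pretix_domain during EH21 was tickets.eh21.easterhegg.eu`; if it is meant to be live, the two lines compete for a single `pretix_domain` and one has to go. Unrelated to the lines this change adds, the context line `slapd_root_hash: "{SSHA}..."` in the `@ -135,3 +171,22 @@` hunk keeps a salted-SHA-1 password hash in cleartext group_vars while `slapd_root_pass` on the next line is already a vault reference; anyone with read access to the repository can attempt offline guessing against that hash, so it belongs in the vault too. The file header for this section is not on the page, so its path is inferred from the variable names.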
@ -1,59 +1,106 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
37303932343462623335393066643531373533636435356462326537373532613534353266396435
|
61333062333563653966393334326633643564313063346266663461633538366662623937373738
|
||||||
3636666364306637306266393933383963633032383265650a656563303332303134323135353239
|
3732396164303638643362316564393236353737346235380a666361396631656563303733343032
|
||||||
34633863333930316564633632313939643664373163373833636139366537646530383736343130
|
66396531313139343062363639636334373836306237363733393635346261313832366330303436
|
||||||
6239373931306234620a353966346262646538306631656461613431636230333430663931643933
|
6362383638363931380a323066343834363138356662656439343131353330366532626538653434
|
||||||
31316362353439393838363666613932313635313864333135636530653238653162353033356437
|
64663834333563333263356532326262333938613432356233656238313365663661636334333066
|
||||||
33353063363639346266313631393463623864636133623264613865336536613536343365386230
|
63653561316239356638653834646261643564316535306133633832666365383238303364346466
|
||||||
65396263393862626139396430623134316632313637623631623762656139623664356331623066
|
63393164646330623061633039316638656566346663616661633464303237386261316262623533
|
||||||
30323430613963313162616135303164663364336634326533346438373635366238356531613461
|
63306266333063373333323030666264323564663032333637343134306231373964666630333538
|
||||||
30333736633965333163616437303566666239313962353531393530613265363833396136646262
|
63626363383836363639663830643530376361613466613666303933363563663763636635363132
|
||||||
62633662666532396535316361303934613138373365633161393664313234663533363736323335
|
36666432646233313663613563663565313537316164313964656461666336326331303035343062
|
||||||
38613762376234663564333333386265633138613839636132346638313430653639636339336239
|
35323363373130333935373035663635626666613236376261623934366235633738323430666330
|
||||||
38633564333831326331326166666362353364303933393532643936313564386565643162623435
|
33323130363839386331613334636531396665316336376265333231343763656637396437653733
|
||||||
36356437356631666137323039316430656566613436623062656562666139383635653039636463
|
64366565336132333131346463356236343934663332633830373939616434613561613564313837
|
||||||
35393438323765303431333737356339343730303531333834306239366533393537626239376163
|
34333039363962643333343961636165323766343531336465306438306365636137636662303165
|
||||||
31663332343136323264376234363264343136623365383833666638656531306362663462383033
|
35346530313134346432303862643735376331376432616136306537653266333434336663373931
|
||||||
31633838643562613762363634653865353361303666363139636337386439626235336462653036
|
35373235333937646165663238636232656336393330386161636435666637356632333832646137
|
||||||
30376461643839313665383430386534656265626139313034646438323861653530383637316139
|
30333233636266623165663538303639663466363337323330383962383139643532623462663564
|
||||||
35313539636137303561646564616362313435666262343137616263396465356434363862323137
|
63313262366236623232303732373136393139323562313733623763363864646432653037316465
|
||||||
38626464383039386139343665363538326539613837366437623362336639336133323463666235
|
34306261303035306436396262333131366562643166333130393438393636623034656163653131
|
||||||
36346333356434363838363634343233323363333762653264333062656133623434666162356433
|
65363530613064633462633238343834336538353766353766336132303333383164326363316365
|
||||||
37623862653862643335333931663063623166353534636430323230663838653532356335306632
|
31303532363838306338626662313234343134306531353765333237303962303339366233366632
|
||||||
33646265343834363839653565326538353930663061376461646534386637376234646264343933
|
35643565353766353962386135323765356130393731363633373238626332356637363339356437
|
||||||
65653763343236653630396238333232633461663333646531323337626235396231383931663264
|
30386361363837373434363939373361343862393364316537633463653862666164613730306565
|
||||||
34363564366134663036643332346238373639646336396261316133326235636265323636663335
|
36343762326337333235643862626566346235333934656631306461633934306230333365343731
|
||||||
35363537346466396432396162383131306438396431336138666663633132646662316165643333
|
64643835323061613230336234343438383938653761393133656137626434653532636466313439
|
||||||
64633434623166343262623038623431343631333962663566303566393761653536303638643037
|
31363362306539643635386237353466343733616334303762343964636533636662333661653839
|
||||||
63363963306139336235363537396432383131303763643966313937353537333739393031616439
|
34663264613033373965336635663131396334616432653462346634626535393761666237623936
|
||||||
35343361646234663062633631323238656137373464386561656439313636613630323632616332
|
31666439356261303134343938333433323538653337653937333830656163633965353235653539
|
||||||
39346239666266623038363066643865373762633532323431373431373165643662663661633365
|
65353937333463343236636237313736313565613833653530333135623233363564393266353363
|
||||||
35353361383339623535336362313430616139396561623934346264323462663663383566393165
|
33323236643634616263303133663631386638356561373730653930646265616634356364366361
|
||||||
35366637313861386465333530613530623832643333616538336436356134313832306139336361
|
37666362363230313664343633343464383334386539616132636562626465326364353436356338
|
||||||
32393162373235356236343332363038393631626534643237383232323735633265333562633231
|
61383736663733643132656266633837646366343637303264363465633536633962353235303336
|
||||||
61613164363962323236666365353830346664643263393532343562383736336535353364343638
|
38376430343733386631623334386564616264386234613664366631313334626436313865356565
|
||||||
62386465323331653565306234646664393164666334383765336630346438633636353264636138
|
33663433663963653835376666303664656438623337663536376234356465396534306362346162
|
||||||
31316231326236313839353465353230353935363330393035373234393039386134366534653636
|
62323262323933336232376636353831633834656536633666643961396365306464303730626463
|
||||||
63323730383931353763383739393330316335373563393039366166313031373664636335363363
|
36363631336236353730393035613333666465653861373766393731373863353330656366306263
|
||||||
38363131363565326431636361316562313037373664306333313366646336333162663664306539
|
62316636333230366563623836316232323831393233366539363662646564373436623230343761
|
||||||
64636530363561393037373766383937616435313333653836363835383231633130396133663635
|
61626235656438373566646365353761376139383962353635393439666365333332313035653433
|
||||||
36613531323732623264646666656139333766656562623430313964366236373663626135383437
|
64316638363061613561306534616465646661326637633332333734626562353664666432616137
|
||||||
31643663663637613762313465656636396264623362643538323166356636303430613133383664
|
32643636356261613430376535633837646437626132373735323366313738633134303962306163
|
||||||
66383332326437333638663562376665386237313533303437623765353661393561373338636130
|
30366230333533663433616664343862346232363733623239353035656134366437313662353933
|
||||||
30383665333366643331366536646330633133643566393962633164643563613536363434393234
|
32663261663937663437643233383562656537333364643435356639616136623036306231633839
|
||||||
66323931316535353632356432373262623962616264383430623436303637616165386433326231
|
38386631643264636535323766643661626566323661313831326530636532383330633066336130
|
||||||
38633730636633643634343833313964653530663034333063313334636134646634363437346161
|
39306631636433376361636637633135316662306636306137366531333662303238613434333534
|
||||||
32613061363032383732323263303830363532326239316538393739313730383530633862313039
|
35633162316363333934623663303839343366376263343536333563663833323734356566623663
|
||||||
37653865303932313635656332663039376331393161623731623039653865623436363061626538
|
64646437343935306230333034636431396439366237643839363035313164393666616235393034
|
||||||
32383934613335363534666461343135303235373262343634306130633536323839393139346662
|
33323333626537633730303961613263363835343030363331633165663035336633613831326632
|
||||||
31623265323138353963623938616665383765366230656461383835346230346261623866366630
|
35363738336534663934616338363764353562306139613464663533323863326331646464333533
|
||||||
65303965353432386136373562306434623739666262356663656266346439356435613362333563
|
36363962653830613864393565623561646233313135386163623932363865343861313534663234
|
||||||
34366539353366346636376662363837303332373866323434366261326164633033353930383038
|
32313466656532616638376238363937613264346265316135336137363961386161376364343063
|
||||||
36666433656365366663326163343034306439653262353733323232373133386436333637346563
|
33316662343066336438336137353262646264656434333364343334373762303062386165663530
|
||||||
32626533336530633731336631333334353366306538663936643637346335303965626631316562
|
63313666356633633936366162366332333163656164306533356530666166353635616364643830
|
||||||
33333061656234393661363766663630316662613764333231326434383465666234653238393965
|
66336339663737616664616430373162386238636134303137386331393837353462623336663335
|
||||||
31636561396665383063613433653837363634623337623330666466353532633434383864343464
|
34303038323037363165613935376262376464383265323462373638313530396537633031653530
|
||||||
38303436306165353433356536326466306530373635616531393462666336666435633235613937
|
63613135373639623138333635343035303734383932336333303063666662333164643430393637
|
||||||
37343832333864643636366632623062363234633365326635386663376439383332306333653161
|
64393262363235616666303366346137633132313066613731333064346139646361363832343730
|
||||||
34353830396165366534313334616161323461613066383561343563393330613464373862623062
|
39666338303339663665363033653735346130313431306131306261636430396465323937623062
|
||||||
3536303066343262636636393861313539616636643339353562
|
32343433376438623965363338633639383738326561376665623461653539383666636535656663
|
||||||
|
37353665363663356464366331313236653430313034613733363665633239656361623931646432
|
||||||
|
30653632643062366333663830326663623766646535666534613933663333366466333033383165
|
||||||
|
33373039303564656562636432303934383132666665656161323535333930346265623639316366
|
||||||
|
38393764346265653734373136636538346361363966393732323362323733386631623762313366
|
||||||
|
63313733653730336536393335623138383365303934303730343136613734663062326166316461
|
||||||
|
35313363656335643531343561336662663434353031623733353035633063396366376664303364
|
||||||
|
36643262633832363362306263376135346632386631346432333137623631343234333337643536
|
||||||
|
35353135303330626663663963366139363265666434363364303266613564373337616564366566
|
||||||
|
30646635633834616536333361303361313934316434393330333231613038346466306531646537
|
||||||
|
39303131396562656334303536613964363936643435613035623065323963633764623432373235
|
||||||
|
37393564626239333761626131643366306131346339356364373061353865653966326362613164
|
||||||
|
62366562326234303865323934353734613364653161316131363964666439636561663361396239
|
||||||
|
30353266303764396265656635616462653563613630616537353530613835656333353364333632
|
||||||
|
39663939376633613133623839353133613066633333633135316132636435363330393966396431
|
||||||
|
30656638653662356164393038323538643661333734623937653430643931623061666330633631
|
||||||
|
63323834313733353635363535613666643361356363386465383961626331303435333363396230
|
||||||
|
37313835633136323134623261626432653965366230656266356333653437386463396563613563
|
||||||
|
62656562626131336230383965303962383464643832333361343838393338353365663766373031
|
||||||
|
31633265653262356139323564663834616164313439346133386135333563323264313261336336
|
||||||
|
39393166613865353164376130303536373931643436633133313361356166393432363631666361
|
||||||
|
36366537363630333830333432333466363266666636643932636565613738346239383736306533
|
||||||
|
32333838396638656134643538313033336137316638326232303837386537393737316237356237
|
||||||
|
62646561333430303765656537373738316131306664626533646461333261306665626336376537
|
||||||
|
35633736303262656236303230653564386130666362303132646166306432393962306366663432
|
||||||
|
64353366353839643366376433646661376434313266326665343063653534343531623033316461
|
||||||
|
37306439373366303236666338616364343163663165626665613761333838333366336238343633
|
||||||
|
38663066623532353464653164616237353464363539313762396162653139393133323438643331
|
||||||
|
66306562346136346363396235356264303164636662386166666436316338323462656537386335
|
||||||
|
36373763313935666539643834653237336130336530653834643263373264353233643938393965
|
||||||
|
30313637366236383433313161386531623936356161333462636566633036383635616638316434
|
||||||
|
66313434393365333633336231656536353138303235616439643535376338326262663632313564
|
||||||
|
65306534356531303835373231623234356337623234366137386437303864643764613731326137
|
||||||
|
65376337386133353739376661353766343931383135363038353839376666306337323835613935
|
||||||
|
33303730623132613462363538666638313533333564656164363731323463613230366230373664
|
||||||
|
31303331396264353162383138643063313737366635333664343836346338353537366362613937
|
||||||
|
35623934646239356339343339653337656330616565616232633232373036383562393362343332
|
||||||
|
39316661623563333234656633666365303964366338303862333730656366626533326334613038
|
||||||
|
39663332623862626230373135623235363064636163373737316262613233663031383366363563
|
||||||
|
34613730343564373230306237656662636130333736393136366138333864313636343362613631
|
||||||
|
64636266626637366530363763323930643336313339613930623835326431643663356365353865
|
||||||
|
35653238333131363262346565653066383834633131303466636232653234363366646635656338
|
||||||
|
31386163616237316361643134396230386338643339633562376436333238346665363938323462
|
||||||
|
32336435663138393230366632633132333834303539303439313764623163383661396536383461
|
||||||
|
31636365633765346262616235336666363932336366373438643531663539333431663231326362
|
||||||
|
32326230363965356434343833383662393430333535636536323066373439653330373937636565
|
||||||
|
61306565663734636630633730383736653736383765326638656433646637393033356665633831
|
||||||
|
66353338633833346436666134343465623236626339613363623834333261313531
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
dhcpd_failover: false
|
||||||
|
dhcpd_primary: 172.23.13.3
|
||||||
|
|
||||||
|
dns_primary: 172.23.13.3
|
||||||
|
|
||||||
|
doorlock_domain: lock-auweg.binary.kitchen
|
||||||
|
|
||||||
|
name_servers:
|
||||||
|
- 172.23.13.3
|
||||||
|
|
||||||
|
ntp_servers:
|
||||||
|
- 172.23.12.61
|
||||||
|
|
||||||
|
radius_cn: radius.binary.kitchen
|
|
@ -4,6 +4,9 @@ dhcpd_failover: true
|
||||||
dhcpd_primary: 172.23.2.3
|
dhcpd_primary: 172.23.2.3
|
||||||
dhcpd_secondary: 172.23.2.4
|
dhcpd_secondary: 172.23.2.4
|
||||||
|
|
||||||
|
dns_primary: 172.23.2.3
|
||||||
|
dns_secondary: 172.23.2.4
|
||||||
|
|
||||||
name_servers:
|
name_servers:
|
||||||
- 172.23.2.3
|
- 172.23.2.3
|
||||||
- 172.23.2.4
|
- 172.23.2.4
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
radius_hostname: radius3.binary.kitchen
|
||||||
|
|
||||||
|
slapd_hostname: ldap3.binary.kitchen
|
||||||
|
slapd_replica_id: 3
|
||||||
|
slapd_role: slave
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
root_keys_host:
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"
|
|
@ -3,4 +3,5 @@
|
||||||
radius_hostname: radius2.binary.kitchen
|
radius_hostname: radius2.binary.kitchen
|
||||||
|
|
||||||
slapd_hostname: ldap2.binary.kitchen
|
slapd_hostname: ldap2.binary.kitchen
|
||||||
|
slapd_replica_id: 2
|
||||||
slapd_role: slave
|
slapd_role: slave
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
ntp_server: true
|
||||||
|
|
||||||
ntp_servers:
|
ntp_servers:
|
||||||
- ptbtime2.ptb.de
|
- ptbtime2.ptb.de
|
||||||
- ntp1.rrze.uni-erlangen.de
|
- ntp1.rrze.uni-erlangen.de
|
||||||
- ntps1-0.cs.tu-berlin.de
|
- rustime01.rus.uni-stuttgart.de
|
||||||
|
|
||||||
ntp_peers:
|
ntp_peers:
|
||||||
- 172.23.1.60
|
- 172.23.1.60
|
||||||
|
@ -11,4 +13,5 @@ ntp_peers:
|
||||||
radius_hostname: radius1.binary.kitchen
|
radius_hostname: radius1.binary.kitchen
|
||||||
|
|
||||||
slapd_hostname: ldap1.binary.kitchen
|
slapd_hostname: ldap1.binary.kitchen
|
||||||
|
slapd_replica_id: 1
|
||||||
slapd_role: slave
|
slapd_role: slave
|
||||||
|
|
|
@ -0,0 +1,2 @@
|
||||||
|
root_keys_host:
|
||||||
|
- "ssh-rsa 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 noby"
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-rsa 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 anti"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
|
||||||
- "ssh-rsa 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 noby"
|
- "ssh-rsa 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 noby"
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
nfs_exports:
|
||||||
|
- /exports/backup/bk 172.23.1.60(rw,sync,no_subtree_check)
|
||||||
|
- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
|
||||||
|
- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
|
||||||
|
|
||||||
|
uau_reboot: "false"
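Review bot: The `/exports/tank` entry exports the share read-write to the entire 172.23.0.0/22 range, so any machine that obtains an address in that range can mount and write it, whereas the two backup exports above are pinned to single hosts. With the default `sec=sys` the server trusts the client-asserted UID/GID (only root is squashed by default), so every non-root identity on the share is reachable from any such client. If only a handful of hosts need write access, list them per host the way the backup lines do, or export `ro` to the range and `rw` to the specific writers, e.g. `- /exports/tank 172.23.0.0/22(ro,sync,no_subtree_check)` plus per-host `rw` entries. Whether the consuming role adds `root_squash` explicitly or uses Kerberos is not visible here.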
|
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
root_keys_host:
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
root_keys_host:
|
||||||
|
- "ssh-rsa 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 noby"
|
|
@ -2,3 +2,4 @@
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||||
|
- "ssh-rsa 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 noby"
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
root_keys_host:
|
||||||
|
- "# Thomas Basler"
|
||||||
|
- "ssh-rsa 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"
|
||||||
|
- "# Ralf Ramsauer"
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
||||||
|
- "# Thomas Schmid"
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||||
|
|
||||||
|
uau_reboot: "false"
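Review bot: The `- "# Thomas Basler"` style entries put comment strings into `root_keys_host`, which only works if the consuming role writes the list into `authorized_keys` verbatim through a template; a per-item `authorized_key` module call would reject them as invalid keys. Which of the two the role does is not visible in this change. If it templates, the pattern is fine but deserves a one-line note in the role's defaults; if it ever switches to the module, the entries need filtering, e.g. `{{ root_keys_host | reject('match', '^#') | list }}`.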
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
root_keys_host:
|
||||||
|
- "ssh-rsa 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 20170818Tobias@Teubl.de"
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"
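Review bot: The ed25519 key on the last line (`...K2R0WHsHa`) is byte-identical to the key that other host files in this change label `sct39667@m-mob-062`, while here it is labelled `tom`. The same public key carrying different comments makes a revocation by grep or by comment miss copies, and the key is pasted per host rather than kept in one place. Use one label everywhere, e.g. `ssh-ed25519 ... tom (sct39667@m-mob-062)`, or move shared admin keys into the group-level `root_keys` list so a rotation is a single edit.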
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
acertmgr_mode: standalone
|
|
@ -4,3 +4,4 @@ grafana_domain: zelle.binary-kitchen.de
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
|
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"
|
||||||
|
|
|
@ -3,3 +3,5 @@
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
|
||||||
|
|
||||||
|
nginx_anonymize: True
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
uau_reboot: "false"
|
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
|
||||||
|
sshd_password_authentication: "yes"
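Review bot: `sshd_password_authentication: "yes"` re-enables password logins on a host whose authorized keys already come from SSSD via `sshd_authkeys_command`, so every LDAP password becomes brute-forceable over SSH from wherever port 22 is reachable. If the goal is LDAP-user login, the AuthorizedKeysCommand path already covers it for users who publish a key in LDAP; keep `sshd_password_authentication: "no"`, or if passwords are genuinely needed limit them to the internal ranges seen in the inventory with a `Match Address 172.23.0.0/16` block in the sshd template and pair that with rate limiting. The removal of `uau_reboot: "false"` also means this host now inherits the role default for unattended reboots; confirm that is intended.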
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
root_keys_host:
|
||||||
|
- "ssh-rsa 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 noby"
|
|
@ -4,8 +4,7 @@ root_keys_host:
|
||||||
- "# Thomas Basler"
|
- "# Thomas Basler"
|
||||||
- "ssh-rsa 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"
|
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
|
||||||
- "# Ralf Ramsauer"
|
- "# Ralf Ramsauer"
|
||||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
|
|
||||||
- "# Thomas Schmid"
|
- "# Thomas Schmid"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
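Review bot: The removed `ralf@YUBIKEY` entry, judging by its comment only, looks like a hardware-token-backed key, and it is replaced by two keys named after hosts (`ralf@pluto`, `ralf@lefay`), which — if they are file-resident keys — lowers the protection of root access on this machine. That is inferred from key comments alone; if the new keys are also token-backed or FIDO `sk-` keys, disregard. Either way, since this file already uses `#` list entries for attribution, record the key's nature next to it, e.g. `- "# Ralf Ramsauer (pluto/lefay workstation keys; YUBIKEY key retired)"`, so the next reviewer does not have to guess.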
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
root_keys_host:
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
|
@ -2,6 +2,6 @@
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-rsa 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 exxess"
|
- "ssh-rsa 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 exxess"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
|
||||||
|
|
||||||
uau_reboot: "false"
|
uau_reboot: "false"
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
root_keys_host:
|
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
|
||||||
|
sshd_password_authentication: "yes"
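Review bot: sshd skips `AuthorizedKeysCommand` entirely unless `AuthorizedKeysCommandUser` is also set (it logs an error at login time and falls back to the authorized_keys file), and this file only supplies the command; whether the sshd role template sets the user is not visible here. If it does not, add the matching variable, e.g. `sshd_authkeys_command_user: "nobody"`, otherwise LDAP users will silently get no keys. Combined with `sshd_password_authentication: "yes"` the silent fallback would be password-only LDAP login, the weakest of the available paths, so the two settings should be verified together on this host.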
|
|
@ -1,4 +1,5 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-rsa 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 bedah@binary-kitchen.de"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
root_keys_host:
|
||||||
|
- "# Thomas Schmid"
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||||
|
|
||||||
|
uau_reboot: "true"
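Review bot: `uau_reboot: "true"` is a quoted string rather than a YAML boolean; Ansible conditionals such as `when: uau_reboot` treat any non-empty string, including `"false"`, as true, so the flag only works as a switch if the consuming role applies `| bool` (not visible here). The other host files in this change quote it the same way, so this is consistent with them; still, an unquoted `uau_reboot: true` removes the ambiguity, or the role can normalize with `{{ uau_reboot | bool }}` at the point of use.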
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
ntp_server: true
|
||||||
|
|
||||||
|
ntp_servers:
|
||||||
|
- ptbtime1.ptb.de
|
||||||
|
- ntp1.rrze.uni-erlangen.de
|
||||||
|
- rustime01.rus.uni-stuttgart.de
|
|
@ -1,9 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
ntp_server: true
|
||||||
|
|
||||||
ntp_servers:
|
ntp_servers:
|
||||||
- ptbtime1.ptb.de
|
- ptbtime1.ptb.de
|
||||||
- ntp1.rrze.uni-erlangen.de
|
- ntp1.rrze.uni-erlangen.de
|
||||||
- ntps1-0.cs.tu-berlin.de
|
- rustime01.rus.uni-stuttgart.de
|
||||||
|
|
||||||
ntp_peers:
|
ntp_peers:
|
||||||
- 172.23.2.3
|
- 172.23.2.3
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-rsa 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 philmacfly"
|
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
|
||||||
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"
|
- "ssh-rsa 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 noby"
|
||||||
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
|
||||||
|
|
18
hosts
18
hosts
|
@ -4,10 +4,19 @@ bacon.binary.kitchen ansible_host=172.23.2.3
|
||||||
aveta.binary.kitchen ansible_host=172.23.2.4
|
aveta.binary.kitchen ansible_host=172.23.2.4
|
||||||
sulis.binary.kitchen ansible_host=172.23.2.5
|
sulis.binary.kitchen ansible_host=172.23.2.5
|
||||||
nabia.binary.kitchen ansible_host=172.23.2.6
|
nabia.binary.kitchen ansible_host=172.23.2.6
|
||||||
|
epona.binary.kitchen ansible_host=172.23.2.7
|
||||||
pizza.binary.kitchen ansible_host=172.23.2.33
|
pizza.binary.kitchen ansible_host=172.23.2.33
|
||||||
|
pancake.binary.kitchen ansible_host=172.23.2.34
|
||||||
|
knoedel.binary.kitchen ansible_host=172.23.2.35
|
||||||
bob.binary.kitchen ansible_host=172.23.2.37
|
bob.binary.kitchen ansible_host=172.23.2.37
|
||||||
bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7
|
lasagne.binary.kitchen ansible_host=172.23.2.38
|
||||||
|
tschunk.binary.kitchen ansible_host=172.23.2.39
|
||||||
|
bowle.binary.kitchen ansible_host=172.23.2.62
|
||||||
salat.binary.kitchen ansible_host=172.23.9.61
|
salat.binary.kitchen ansible_host=172.23.9.61
|
||||||
|
[auweg]
|
||||||
|
weizen.binary.kitchen ansible_host=172.23.12.61
|
||||||
|
aeron.binary.kitchen ansible_host=172.23.13.3
|
||||||
|
lock-auweg.binary.kitchen ansible_host=172.23.13.12
|
||||||
[fan_rz]
|
[fan_rz]
|
||||||
helium.binary-kitchen.net
|
helium.binary-kitchen.net
|
||||||
lithium.binary-kitchen.net
|
lithium.binary-kitchen.net
|
||||||
|
@ -19,9 +28,16 @@ oxygen.binary-kitchen.net
|
||||||
fluorine.binary-kitchen.net
|
fluorine.binary-kitchen.net
|
||||||
neon.binary-kitchen.net
|
neon.binary-kitchen.net
|
||||||
sodium.binary-kitchen.net
|
sodium.binary-kitchen.net
|
||||||
|
magnesium.binary-kitchen.net
|
||||||
|
aluminium.binary-kitchen.net
|
||||||
krypton.binary-kitchen.net
|
krypton.binary-kitchen.net
|
||||||
yttrium.binary-kitchen.net
|
yttrium.binary-kitchen.net
|
||||||
zirconium.binary-kitchen.net
|
zirconium.binary-kitchen.net
|
||||||
molybdenum.binary-kitchen.net
|
molybdenum.binary-kitchen.net
|
||||||
technetium.binary-kitchen.net
|
technetium.binary-kitchen.net
|
||||||
ruthenium.binary-kitchen.net
|
ruthenium.binary-kitchen.net
|
||||||
|
rhodium.binary-kitchen.net
|
||||||
|
palladium.binary-kitchen.net
|
||||||
|
argentum.binary-kitchen.net
|
||||||
|
cadmium.binary-kitchen.net
|
||||||
|
barium.binary-kitchen.net
|
||||||
|
|
|
@ -3,11 +3,11 @@
|
||||||
- name: Reload systemd
|
- name: Reload systemd
|
||||||
systemd: daemon_reload=yes
|
systemd: daemon_reload=yes
|
||||||
|
|
||||||
- name: Run acertmgr
|
- name: Restart 23b
|
||||||
command: /usr/bin/acertmgr
|
service: name=23b state=restarted
|
||||||
|
|
||||||
- name: Restart drone
|
|
||||||
service: name=drone state=restarted
|
|
||||||
|
|
||||||
- name: Restart nginx
|
- name: Restart nginx
|
||||||
service: name=nginx state=restarted
|
service: name=nginx state=restarted
|
||||||
|
|
||||||
|
- name: Run acertmgr
|
||||||
|
command: /usr/bin/acertmgr
|
|
@ -0,0 +1,49 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Install packages
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- docker-compose
|
||||||
|
|
||||||
|
- name: Create 23b group
|
||||||
|
group: name=23b
|
||||||
|
|
||||||
|
- name: Create 23b user
|
||||||
|
user:
|
||||||
|
name: 23b
|
||||||
|
home: /opt/23b
|
||||||
|
shell: /bin/bash
|
||||||
|
group: 23b
|
||||||
|
groups: docker
|
||||||
|
|
||||||
|
# docker-compolse.yml is managed outside ansible
|
||||||
|
|
||||||
|
- name: Ensure certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Configure certificate manager for 23b
|
||||||
|
template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
|
||||||
|
notify: Run acertmgr
|
||||||
|
|
||||||
|
- name: Configure vhost
|
||||||
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Enable vhost
|
||||||
|
file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Systemd unit for 23b
|
||||||
|
template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
|
||||||
|
notify:
|
||||||
|
- Reload systemd
|
||||||
|
- Restart 23b
|
||||||
|
|
||||||
|
- name: Start the 23b service
|
||||||
|
service: name=23b state=started enabled=yes
|
||||||
|
|
||||||
|
- name: Enable monitoring
|
||||||
|
include_role: name=icinga-monitor tasks_from=http
|
||||||
|
vars:
|
||||||
|
vhost: "{{ bk23b_domain }}"
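Review bot: Creating the `23b` user with `groups: docker` makes it root-equivalent on the host: anyone who can run commands as `23b`, or who can edit the compose file in `/opt/23b` that the comment says is managed outside Ansible, can start a privileged container and mount the host filesystem. If that is accepted for this service, state it next to the task, e.g. `# NOTE: docker group membership is root-equivalent; treat /opt/23b as root-owned config`, and make sure the compose file is not writable by anyone but 23b/root; otherwise consider rootless Docker or podman for this unit. The `openssl req` bootstrap with `creates=` is fine as a placeholder for acertmgr, but a stale self-signed certificate is never refreshed by this play if acertmgr fails, so the monitoring task at the end should check certificate validity, not just HTTP reachability. Minor: the comment reads `docker-compolse.yml`.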
|
|
@ -0,0 +1,28 @@
|
||||||
|
[Unit]
|
||||||
|
Description=23b service using docker compose
|
||||||
|
Requires=docker.service
|
||||||
|
After=docker.service
|
||||||
|
Before=nginx.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
|
||||||
|
User=23b
|
||||||
|
Group=23b
|
||||||
|
|
||||||
|
Restart=always
|
||||||
|
TimeoutStartSec=1200
|
||||||
|
|
||||||
|
WorkingDirectory=/opt/23b/23b/23b
|
||||||
|
|
||||||
|
# Make sure no old containers are running
|
||||||
|
ExecStartPre=/usr/bin/docker-compose down -v
|
||||||
|
|
||||||
|
# Compose up
|
||||||
|
ExecStart=/usr/bin/docker-compose up
|
||||||
|
|
||||||
|
# Compose down, remove containers and volumes
|
||||||
|
ExecStop=/usr/bin/docker-compose down -v
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
|
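Review bot: `ExecStartPre=/usr/bin/docker-compose down -v` and `ExecStop=/usr/bin/docker-compose down -v` delete every named and anonymous volume of the project on each stop and restart, including every iteration of a `Restart=always` crash loop, so any state the externally managed compose file keeps in a named volume is wiped whenever the `Restart 23b` handler fires. The comments say this is intended, but it is only safe while all persistent data is bind-mounted; either drop `-v` from both lines or record the precondition in the unit, e.g. `# -v assumes all persistent data is bind-mounted; named volumes are destroyed on every restart`. Since `User=23b` drives docker-compose through the Docker socket, systemd hardening options cannot contain the resulting containers, which is worth stating next to `WorkingDirectory=/opt/23b/23b/23b` because that path is writable by the same user.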
@ -1,13 +1,13 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
{{ drone_domain }}:
|
{{ bk23b_domain }}:
|
||||||
- path: /etc/nginx/ssl/{{ drone_domain }}.key
|
- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
|
||||||
user: root
|
user: root
|
||||||
group: root
|
group: root
|
||||||
perm: '400'
|
perm: '400'
|
||||||
format: key
|
format: key
|
||||||
action: '/usr/sbin/service nginx restart'
|
action: '/usr/sbin/service nginx restart'
|
||||||
- path: /etc/nginx/ssl/{{ drone_domain }}.crt
|
- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
|
||||||
user: root
|
user: root
|
||||||
group: root
|
group: root
|
||||||
perm: '400'
|
perm: '400'
|
|
@ -2,7 +2,7 @@ server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
|
||||||
server_name {{ hackmd_domain }};
|
server_name {{ bk23b_domain }};
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
location /.well-known/acme-challenge {
|
||||||
default_type "text/plain";
|
default_type "text/plain";
|
||||||
|
@ -10,7 +10,7 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 301 https://{{ hackmd_domain }}$request_uri;
|
return 301 https://{{ bk23b_domain }}$request_uri;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -18,21 +18,19 @@ server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
server_name {{ hackmd_domain }};
|
server_name {{ bk23b_domain }};
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
|
ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
|
||||||
ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;
|
ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
|
||||||
|
|
||||||
# set max upload size
|
# set max upload size
|
||||||
client_max_body_size 8M;
|
client_max_body_size 8M;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
proxy_pass http://localhost:5000;
|
||||||
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_pass http://localhost:3000;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
|
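Review bot: `proxy_pass http://localhost:5000;` in the TLS server block now points at a port that is published by a compose file Ansible does not manage, and nothing here ensures the container binds to 127.0.0.1 only; Docker's published ports bypass the host's INPUT chain, so a `5000:5000` mapping would expose the backend over plain HTTP alongside this vhost. A comment on that line such as `# backend must publish 127.0.0.1:5000 only; docker-published ports bypass host firewall rules` records the assumption, and writing `proxy_pass http://127.0.0.1:5000;` avoids nginx also trying `[::1]:5000` when `localhost` resolves to both address families. The enclosing `server {` block starts before this hunk (`@ -18,21 +18,19 @@`).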
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
actrunner_user: act_runner
|
||||||
|
actrunner_group: act_runner
|
||||||
|
|
||||||
|
actrunner_version: 0.2.10
|
||||||
|
actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Reload systemd
|
||||||
|
systemd: daemon_reload=yes
|
||||||
|
|
||||||
|
- name: Restart act_runner
|
||||||
|
service: name=act_runner state=restarted
|
|
@ -0,0 +1,35 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Create group
|
||||||
|
group: name={{ actrunner_group }}
|
||||||
|
|
||||||
|
- name: Create user
|
||||||
|
user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
|
||||||
|
|
||||||
|
- name: Create directories
|
||||||
|
file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
|
||||||
|
with_items:
|
||||||
|
- /etc/act_runner
|
||||||
|
- /var/lib/act_runner
|
||||||
|
|
||||||
|
- name: Download act_runner binary
|
||||||
|
get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
|
||||||
|
register: runner_download
|
||||||
|
|
||||||
|
- name: Symlink act_runner binary
|
||||||
|
file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
|
||||||
|
when: runner_download.changed
|
||||||
|
notify: Restart act_runner
|
||||||
|
|
||||||
|
- name: Configure act_runner
|
||||||
|
template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
|
||||||
|
notify: Restart act_runner
|
||||||
|
|
||||||
|
- name: Install systemd unit
|
||||||
|
template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
|
||||||
|
notify:
|
||||||
|
- Reload systemd
|
||||||
|
- Restart act_runner
|
||||||
|
|
||||||
|
- name: Enable act_runner
|
||||||
|
service: name=act_runner state=started enabled=yes
|
|
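Review bot: `get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755` installs a binary that will execute CI jobs without any integrity check; pin a digest next to the version, e.g. `get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755 checksum=sha256:{{ actrunner_checksum }}`, with `actrunner_checksum` declared in defaults. `/etc/act_runner` and `config.yaml` are created with `owner={{ actrunner_user }}`, so the runner account — which the `Create user` task also puts in the `docker` group — can rewrite its own `privileged`, `valid_volumes` and `docker_host` settings; `owner=root group={{ actrunner_group }} mode=0640` is enough for the daemon to read it, since the writable `.runner` state lives in `/var/lib/act_runner`. The symlink task is also guarded by `when: runner_download.changed`, so a missing symlink is not recreated on a re-run after a partial failure; dropping the `when` keeps the role idempotent.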
@ -0,0 +1,16 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Gitea Actions runner
|
||||||
|
Documentation=https://gitea.com/gitea/act_runner
|
||||||
|
After=docker.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
|
||||||
|
ExecReload=/bin/kill -s HUP $MAINPID
|
||||||
|
WorkingDirectory=/var/lib/act_runner
|
||||||
|
TimeoutSec=0
|
||||||
|
RestartSec=10
|
||||||
|
Restart=always
|
||||||
|
User={{ actrunner_user }}
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
|
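Review bot: The unit runs a daemon whose account, per the tasks in this change, is in the `docker` group, yet it declares only `After=docker.service` and no `Wants=docker.service`, so on a host where docker is not enabled the runner starts, registers, and then fails every job; `Wants=docker.service` beside `After=` fixes the ordering without hard-failing the unit. `TimeoutSec=0` also disables the stop timeout, so a hung runner blocks shutdown indefinitely; a bounded `TimeoutStopSec=` is safer. Because the process needs no new privileges, `NoNewPrivileges=yes` and `PrivateTmp=yes` in `[Service]` are cheap hardening that does not interfere with socket access.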
@ -0,0 +1,86 @@
|
||||||
|
log:
|
||||||
|
# The level of logging, can be trace, debug, info, warn, error, fatal
|
||||||
|
level: warn
|
||||||
|
|
||||||
|
runner:
|
||||||
|
# Where to store the registration result.
|
||||||
|
file: .runner
|
||||||
|
# Execute how many tasks concurrently at the same time.
|
||||||
|
capacity: 4
|
||||||
|
# Extra environment variables to run jobs.
|
||||||
|
envs:
|
||||||
|
# Extra environment variables to run jobs from a file.
|
||||||
|
# It will be ignored if it's empty or the file doesn't exist.
|
||||||
|
env_file: .env
|
||||||
|
# The timeout for a job to be finished.
|
||||||
|
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
|
||||||
|
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
|
||||||
|
timeout: 3h
|
||||||
|
# Whether skip verifying the TLS certificate of the Gitea instance.
|
||||||
|
insecure: false
|
||||||
|
# The timeout for fetching the job from the Gitea instance.
|
||||||
|
fetch_timeout: 5s
|
||||||
|
# The interval for fetching the job from the Gitea instance.
|
||||||
|
fetch_interval: 2s
|
||||||
|
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
|
||||||
|
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
|
||||||
|
# If it's empty when registering, it will ask for inputting labels.
|
||||||
|
# If it's empty when execute `deamon`, will use labels in `.runner` file.
|
||||||
|
labels: [
|
||||||
|
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
|
||||||
|
"ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
|
||||||
|
"ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
|
||||||
|
]
|
||||||
|
|
||||||
|
cache:
|
||||||
|
# Enable cache server to use actions/cache.
|
||||||
|
enabled: true
|
||||||
|
# The directory to store the cache data.
|
||||||
|
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
|
||||||
|
dir: ""
|
||||||
|
# The host of the cache server.
|
||||||
|
# It's not for the address to listen, but the address to connect from job containers.
|
||||||
|
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
|
||||||
|
host: ""
|
||||||
|
# The port of the cache server.
|
||||||
|
# 0 means to use a random available port.
|
||||||
|
port: 0
|
||||||
|
# The external cache server URL. Valid only when enable is true.
|
||||||
|
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
|
||||||
|
# The URL should generally end with "/".
|
||||||
|
external_server: ""
|
||||||
|
|
||||||
|
container:
|
||||||
|
# Specifies the network to which the container will connect.
|
||||||
|
# Could be host, bridge or the name of a custom network.
|
||||||
|
# If it's empty, act_runner will create a network automatically.
|
||||||
|
network: ""
|
||||||
|
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
|
||||||
|
privileged: false
|
||||||
|
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
|
||||||
|
options:
|
||||||
|
# The parent directory of a job's working directory.
|
||||||
|
# If it's empty, /workspace will be used.
|
||||||
|
workdir_parent:
|
||||||
|
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
|
||||||
|
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
|
||||||
|
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
|
||||||
|
# valid_volumes:
|
||||||
|
# - data
|
||||||
|
# - /src/*.json
|
||||||
|
# If you want to allow any volume, please use the following configuration:
|
||||||
|
# valid_volumes:
|
||||||
|
# - '**'
|
||||||
|
valid_volumes: []
|
||||||
|
# overrides the docker client host with the specified one.
|
||||||
|
# If it's empty, act_runner will find an available docker host automatically.
|
||||||
|
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
|
||||||
|
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
|
||||||
|
docker_host: ""
|
||||||
|
# Pull docker image(s) even if already present
|
||||||
|
force_pull: false
|
||||||
|
|
||||||
|
host:
|
||||||
|
# The parent directory of a job's working directory.
|
||||||
|
# If it's empty, $HOME/.cache/act/ will be used.
|
||||||
|
workdir_parent:
|
|
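Review bot: `docker_host: ""` keeps the default in which, per the comment above it, the host's Docker socket is mounted into every job container, so any workflow in a repository this runner serves obtains root-equivalent control of the host; unless Docker-in-Docker jobs are required, set `docker_host: "-"` and say why in a comment. The `labels` also reference `ghcr.io/catthehacker/ubuntu:act-latest`/`act-22.04`/`act-20.04` by mutable tag, which with `force_pull: false` means whichever image was first pulled stays in use until someone refreshes it by hand; pinning by digest, or documenting the refresh procedure, makes the job environment reproducible. `valid_volumes: []`, `privileged: false` and `insecure: false` are the right defaults and worth keeping.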
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Reload systemd
|
||||||
|
systemd: daemon_reload=yes
|
||||||
|
|
||||||
|
- name: Restart authentik
|
||||||
|
service: name=authentik state=restarted
|
||||||
|
|
||||||
|
- name: Restart nginx
|
||||||
|
service: name=nginx state=restarted
|
||||||
|
|
||||||
|
- name: Run acertmgr
|
||||||
|
command: /usr/bin/acertmgr
|
|
@ -0,0 +1,51 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Install packages
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- docker-compose
|
||||||
|
|
||||||
|
- name: Create authentik group
|
||||||
|
group: name=authentik
|
||||||
|
|
||||||
|
- name: Create authentik user
|
||||||
|
user:
|
||||||
|
name: authentik
|
||||||
|
home: /opt/authentik
|
||||||
|
shell: /bin/bash
|
||||||
|
group: authentik
|
||||||
|
groups: docker
|
||||||
|
|
||||||
|
- name: Configure authentik container
|
||||||
|
template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
|
||||||
|
notify: Restart authentik
|
||||||
|
|
||||||
|
- name: Ensure certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Configure certificate manager for authentik
|
||||||
|
template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
|
||||||
|
notify: Run acertmgr
|
||||||
|
|
||||||
|
- name: Configure vhost
|
||||||
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Enable vhost
|
||||||
|
file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Systemd unit for authentik
|
||||||
|
template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
|
||||||
|
notify:
|
||||||
|
- Reload systemd
|
||||||
|
- Restart authentik
|
||||||
|
|
||||||
|
- name: Start the authentik service
|
||||||
|
service: name=authentik state=started enabled=yes
|
||||||
|
|
||||||
|
- name: Enable monitoring
|
||||||
|
include_role: name=icinga-monitor tasks_from=http
|
||||||
|
vars:
|
||||||
|
vhost: "{{ authentik_domain }}"
|
|
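Review bot: `template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml` renders `authentik_dbpass` and `authentik_secret` into a file under the service account's home with the module's default mode (umask-derived, typically world-readable) and no owner; since docker-compose runs as `authentik`, `owner=root group=authentik mode=0640` keeps it readable for the unit and hidden from other local users. As in the 23b role, the self-signed bootstrap key written by `openssl req ... -keyout` is not given the `perm: '400'` that certs.j2 enforces for the acertmgr-managed key; a `file:` task with `mode=0400` after it removes the dependency on openssl's default. Because the compose template notifies `Restart authentik`, every template change will also bounce the database container through the unit's `down`/`up` — fine with the bind mounts the template uses, but worth a comment on the task.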
@ -0,0 +1,28 @@
|
||||||
|
[Unit]
|
||||||
|
Description=authentik service using docker compose
|
||||||
|
Requires=docker.service
|
||||||
|
After=docker.service
|
||||||
|
Before=nginx.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
|
||||||
|
User=authentik
|
||||||
|
Group=authentik
|
||||||
|
|
||||||
|
Restart=always
|
||||||
|
TimeoutStartSec=1200
|
||||||
|
|
||||||
|
WorkingDirectory=/opt/authentik
|
||||||
|
|
||||||
|
# Make sure no old containers are running
|
||||||
|
ExecStartPre=/usr/bin/docker-compose down -v
|
||||||
|
|
||||||
|
# Compose up
|
||||||
|
ExecStart=/usr/bin/docker-compose up
|
||||||
|
|
||||||
|
# Compose down, remove containers and volumes
|
||||||
|
ExecStop=/usr/bin/docker-compose down -v
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
|
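Review bot: `ExecStop=/usr/bin/docker-compose down -v` (and the same command in `ExecStartPre`) removes named and anonymous volumes on every stop and restart; today the compose template uses only bind mounts (`./database`, `./redis`, `./media`), so nothing is lost, but the first named volume someone adds will be silently wiped on the next `Restart authentik`. Either drop `-v` or record the constraint in the unit, e.g. `# -v is safe only while every persistent path is a bind mount under /opt/authentik`.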
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
{{ authentik_domain }}:
|
||||||
|
- path: /etc/nginx/ssl/{{ authentik_domain }}.key
|
||||||
|
user: root
|
||||||
|
group: root
|
||||||
|
perm: '400'
|
||||||
|
format: key
|
||||||
|
action: '/usr/sbin/service nginx restart'
|
||||||
|
- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
|
||||||
|
user: root
|
||||||
|
group: root
|
||||||
|
perm: '400'
|
||||||
|
format: crt,ca
|
||||||
|
action: '/usr/sbin/service nginx restart'
|
|
@ -0,0 +1,75 @@
|
||||||
|
---
|
||||||
|
version: "3.4"
|
||||||
|
services:
|
||||||
|
postgresql:
|
||||||
|
image: docker.io/library/postgres:12-alpine
|
||||||
|
restart: unless-stopped
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
|
||||||
|
start_period: 20s
|
||||||
|
interval: 30s
|
||||||
|
retries: 5
|
||||||
|
timeout: 5s
|
||||||
|
volumes:
|
||||||
|
- ./database:/var/lib/postgresql/data
|
||||||
|
environment:
|
||||||
|
POSTGRES_PASSWORD: {{ authentik_dbpass }}
|
||||||
|
POSTGRES_USER: {{ authentik_dbuser }}
|
||||||
|
POSTGRES_DB: {{ authentik_dbname }}
|
||||||
|
redis:
|
||||||
|
image: docker.io/library/redis:alpine
|
||||||
|
command: --save 60 1 --loglevel warning
|
||||||
|
restart: unless-stopped
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
|
||||||
|
start_period: 20s
|
||||||
|
interval: 30s
|
||||||
|
retries: 5
|
||||||
|
timeout: 3s
|
||||||
|
volumes:
|
||||||
|
- ./redis:/data
|
||||||
|
server:
|
||||||
|
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
|
||||||
|
restart: unless-stopped
|
||||||
|
command: server
|
||||||
|
environment:
|
||||||
|
AUTHENTIK_REDIS__HOST: redis
|
||||||
|
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
||||||
|
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
|
||||||
|
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
|
||||||
|
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
|
||||||
|
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
|
||||||
|
volumes:
|
||||||
|
- ./media:/media
|
||||||
|
- ./custom-templates:/templates
|
||||||
|
ports:
|
||||||
|
- "127.0.0.1:9000:9000"
|
||||||
|
depends_on:
|
||||||
|
- postgresql
|
||||||
|
- redis
|
||||||
|
worker:
|
||||||
|
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
|
||||||
|
restart: unless-stopped
|
||||||
|
command: worker
|
||||||
|
environment:
|
||||||
|
AUTHENTIK_REDIS__HOST: redis
|
||||||
|
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
||||||
|
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
|
||||||
|
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
|
||||||
|
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
|
||||||
|
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
|
||||||
|
# `user: root` and the docker socket volume are optional.
|
||||||
|
# See more for the docker socket integration here:
|
||||||
|
# https://goauthentik.io/docs/outposts/integrations/docker
|
||||||
|
# Removing `user: root` also prevents the worker from fixing the permissions
|
||||||
|
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
|
||||||
|
# (1000:1000 by default)
|
||||||
|
user: root
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
- ./media:/media
|
||||||
|
- ./certs:/certs
|
||||||
|
- ./custom-templates:/templates
|
||||||
|
depends_on:
|
||||||
|
- postgresql
|
||||||
|
- redis
|
|
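Review bot: The secrets are interpolated as bare YAML scalars — `POSTGRES_PASSWORD: {{ authentik_dbpass }}`, `AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}`, `AUTHENTIK_SECRET_KEY: {{ authentik_secret }}` and the worker copies — so a value containing `:`, `#`, a leading `*`/`&`/`[`, or only digits is parsed as something else or breaks the file; quote each one, e.g. `AUTHENTIK_SECRET_KEY: "{{ authentik_secret }}"`, and note that docker-compose still expands `$` inside quotes, so a `$` in a secret must be written `$$`. The worker also runs with `user: root` and `/var/run/docker.sock` mounted, which gives the authentik worker root on the host; the upstream comment marks both as optional, so unless the Docker outpost integration is actually used, remove those two lines and fix the bind-mount ownership once (`1000:1000`) instead. `postgres:12-alpine` is an old major that is at or near the end of upstream support depending on when this is deployed; the pin deserves a review date in a comment.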
@ -0,0 +1,41 @@
|
||||||
|
map $http_upgrade $connection_upgrade {
|
||||||
|
default upgrade;
|
||||||
|
'' close;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
|
||||||
|
server_name {{ authentik_domain }};
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
default_type "text/plain";
|
||||||
|
alias /var/www/acme-challenge;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://{{ authentik_domain }}$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name {{ authentik_domain }};
|
||||||
|
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
|
||||||
|
ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:9000;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
}
|
||||||
|
}
|
|
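Review bot: `proxy_pass http://localhost:9000;` targets a port the compose template publishes on `127.0.0.1:9000` only, so where `localhost` also resolves to `::1` nginx adds `[::1]:9000` to the implicit upstream and takes connection errors there before falling back; `proxy_pass http://127.0.0.1:9000;` matches the binding exactly. For an identity provider it is also worth adding `add_header Strict-Transport-Security "max-age=63072000" always;` to the 443 block, unless that header is already set globally in an nginx role not shown here.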
@ -1,4 +1,4 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
dss_uwsgi_port: 5001
|
dss_uwsgi_port: 5001
|
||||||
dss_version: 0.8.4
|
dss_version: 0.8.5
|
||||||
|
|
|
@ -44,3 +44,8 @@
|
||||||
- name: Enable vhosts
|
- name: Enable vhosts
|
||||||
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
|
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Enable monitoring
|
||||||
|
include_role: name=icinga-monitor tasks_from=http
|
||||||
|
vars:
|
||||||
|
vhost: "{{ dss_domain }}"
|
||||||
|
|
|
@ -1,12 +1,14 @@
|
||||||
DEBUG = True
|
DEBUG = True
|
||||||
|
REMEMBER_COOKIE_SECURE = True
|
||||||
SECRET_KEY = "{{ dss_secret }}"
|
SECRET_KEY = "{{ dss_secret }}"
|
||||||
|
SESSION_COOKIE_SECURE = True
|
||||||
SESSION_TIMEOUT = 3600
|
SESSION_TIMEOUT = 3600
|
||||||
|
|
||||||
LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
|
LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
|
||||||
LDAP_URI = "{{ ldap_uri }}"
|
LDAP_URI = "{{ ldap_uri }}"
|
||||||
LDAP_BASE = "{{ ldap_base }}"
|
LDAP_BASE = "{{ ldap_base }}"
|
||||||
|
|
||||||
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
|
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
|
||||||
|
|
||||||
USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
|
USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
|
||||||
|
|
||||||
|
@ -28,7 +30,7 @@ USER_ATTRS = {
|
||||||
'userPassword' : '{pass}'
|
'userPassword' : '{pass}'
|
||||||
}
|
}
|
||||||
|
|
||||||
GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
|
GROUP_FILTER = "(objectClass=posixGroup)"
|
||||||
|
|
||||||
REDIS_HOST = "127.0.0.1"
|
REDIS_HOST = "127.0.0.1"
|
||||||
REDIS_PASSWD = None
|
REDIS_PASSWD = None
|
||||||
|
|
|
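Review bot: `DEBUG = True` is left unchanged at the top of a config that this commit otherwise hardens with `REMEMBER_COOKIE_SECURE` and `SESSION_COOKIE_SECURE`; if this is the deployed configuration of a Flask app (the cookie setting names are Flask/Flask-Login ones), debug mode exposes the interactive debugger and stack traces on errors and should become `DEBUG = False` or be driven by a variable. The same block would benefit from `SESSION_COOKIE_SAMESITE = "Lax"` next to the new secure flags. `REDIS_PASSWD = None` on `127.0.0.1` is acceptable only if nothing else on the host can reach that Redis; a one-line comment saying so would document the assumption.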
@ -6,3 +6,6 @@ logrotate_excludes:
|
||||||
- "/etc/logrotate.d/dbconfig-common"
|
- "/etc/logrotate.d/dbconfig-common"
|
||||||
- "/etc/logrotate.d/btmp"
|
- "/etc/logrotate.d/btmp"
|
||||||
- "/etc/logrotate.d/wtmp"
|
- "/etc/logrotate.d/wtmp"
|
||||||
|
|
||||||
|
sshd_password_authentication: "no"
|
||||||
|
sshd_permit_root_login: "prohibit-password"
|
||||||
|
|
|
@ -1,10 +0,0 @@
|
||||||
# udev 226 introduced predictable interface names for virtio;
|
|
||||||
# disable this for upgrades. You can remove this file if you update your
|
|
||||||
# network configuration to move to the ens* names instead.
|
|
||||||
# See /usr/share/doc/udev/README.Debian.gz for details about predictable
|
|
||||||
# network interface names.
|
|
||||||
[Match]
|
|
||||||
Driver=virtio_net
|
|
||||||
|
|
||||||
[Link]
|
|
||||||
NamePolicy=onboard kernel
|
|
|
@ -1,6 +0,0 @@
|
||||||
# This machine is most likely a virtualized guest, where the old persistent
|
|
||||||
# network interface mechanism (75-persistent-net-generator.rules) did not work.
|
|
||||||
# This file disables /lib/systemd/network/99-default.link to avoid
|
|
||||||
# changing network interface names on upgrade. Please read
|
|
||||||
# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
|
|
||||||
# supported mechanism.
|
|
|
@ -1,7 +1,16 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Restart chrony
|
||||||
|
service: name=chrony state=restarted
|
||||||
|
|
||||||
- name: Restart journald
|
- name: Restart journald
|
||||||
service: name=systemd-journald state=restarted
|
service: name=systemd-journald state=restarted
|
||||||
|
|
||||||
|
- name: Restart sshd
|
||||||
|
service: name=sshd state=restarted
|
||||||
|
|
||||||
|
- name: update-grub
|
||||||
|
command: update-grub
|
||||||
|
|
||||||
- name: update-initramfs
|
- name: update-initramfs
|
||||||
command: update-initramfs -u -k all
|
command: update-initramfs -u -k all
|
||||||
|
|
|
@ -3,7 +3,10 @@
|
||||||
- name: Install misc software
|
- name: Install misc software
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
|
- apt-transport-https
|
||||||
- dnsutils
|
- dnsutils
|
||||||
|
- fdisk
|
||||||
|
- gnupg2
|
||||||
- htop
|
- htop
|
||||||
- less
|
- less
|
||||||
- net-tools
|
- net-tools
|
||||||
|
@ -13,6 +16,7 @@
|
||||||
- rsync
|
- rsync
|
||||||
- sudo
|
- sudo
|
||||||
- vim-nox
|
- vim-nox
|
||||||
|
- wget
|
||||||
- zsh
|
- zsh
|
||||||
|
|
||||||
- name: Install software on KVM VMs
|
- name: Install software on KVM VMs
|
||||||
|
@ -26,35 +30,32 @@
|
||||||
copy: src={{ item.src }} dest={{ item.dest }}
|
copy: src={{ item.src }} dest={{ item.dest }}
|
||||||
diff: no
|
diff: no
|
||||||
with_items:
|
with_items:
|
||||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
- { src: ".zshrc", dest: "/root/.zshrc" }
|
||||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
||||||
- { src: 'motd', dest: '/etc/motd' }
|
- { src: "motd", dest: "/etc/motd" }
|
||||||
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
|
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
||||||
|
|
||||||
- name: Set shell for root user
|
- name: Set shell for root user
|
||||||
user: name=root shell=/bin/zsh
|
user: name=root shell=/bin/zsh
|
||||||
|
|
||||||
- name: Create LDAP client config
|
|
||||||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
|
||||||
|
|
||||||
- name: Disable hibernation/resume
|
- name: Disable hibernation/resume
|
||||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||||
notify: update-initramfs
|
notify: update-initramfs
|
||||||
|
|
||||||
# TODO template /etc/network/interfaces
|
- name: Enable serial console on KVM VMs
|
||||||
|
lineinfile:
|
||||||
- name: Fix network interface names
|
path: "/etc/default/grub"
|
||||||
copy: src={{ item }} dest=/etc/systemd/network/{{ item }}
|
state: "present"
|
||||||
with_items:
|
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
|
||||||
- 50-virtio-kernel-names.link
|
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
|
||||||
- 99-default.link
|
notify: update-grub
|
||||||
notify: update-initramfs
|
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
|
||||||
|
|
||||||
- name: Prevent normal users from running su
|
- name: Prevent normal users from running su
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/pam.d/su
|
path: /etc/pam.d/su
|
||||||
regexp: '^.*auth\s+required\s+pam_wheel.so$'
|
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
|
||||||
line: 'auth required pam_wheel.so'
|
line: "auth required pam_wheel.so"
|
||||||
|
|
||||||
- name: Configure journald retention
|
- name: Configure journald retention
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -89,16 +90,25 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
|
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
|
||||||
|
|
||||||
- name: 'Set logrotate.d/* to daily'
|
- name: "Set logrotate.d/* to daily"
|
||||||
replace:
|
replace:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
regexp: "(?:weekly|monthly)"
|
regexp: "(?:weekly|monthly)"
|
||||||
replace: "daily"
|
replace: "daily"
|
||||||
loop: "{{ logrotateconfigpaths }}"
|
loop: "{{ logrotateconfigpaths }}"
|
||||||
|
|
||||||
- name: 'Set /etc/logrotate.d/* rotation to 7'
|
- name: "Set /etc/logrotate.d/* rotation to 7"
|
||||||
replace:
|
replace:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
regexp: "rotate [0-9]+"
|
regexp: "rotate [0-9]+"
|
||||||
replace: "rotate 7"
|
replace: "rotate 7"
|
||||||
loop: "{{ logrotateconfigpaths }}"
|
loop: "{{ logrotateconfigpaths }}"
|
||||||
|
|
||||||
|
- name: Configure sshd
|
||||||
|
template:
|
||||||
|
src: sshd_config.j2
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
notify: Restart sshd
|
||||||
|
|
|
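Review bot: The new `Configure sshd` task replaces `/etc/ssh/sshd_config` and notifies `Restart sshd` without validating the rendered file, so a template error locks every host out on the next run; add `validate: '/usr/sbin/sshd -t -f %s'` to that `template:` task. The template also keeps `Include /etc/ssh/sshd_config.d/*.conf` at the top, and sshd uses the first value it sees for each keyword, so a drop-in such as cloud-init's `50-cloud-init.conf` can still re-enable password authentication despite `sshd_password_authentication: "no"` (presumably rendered further down the template); either remove the include or manage that directory as well. The `Enable serial console on KVM VMs` task overwrites the whole `GRUB_CMDLINE_LINUX=` line and so drops any kernel parameters a host already had; a `backrefs`-style edit that appends the console arguments is safer.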
@ -1,14 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Install misc software
|
|
||||||
pkgng:
|
|
||||||
name:
|
|
||||||
- vim-lite
|
|
||||||
- htop
|
|
||||||
- zsh
|
|
||||||
|
|
||||||
- name: Configure misc software
|
|
||||||
copy: src={{ item.src }} dest={{ item.dest }}
|
|
||||||
with_items:
|
|
||||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
|
||||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
|
|
@ -13,11 +13,12 @@
|
||||||
|
|
||||||
- name: Configure misc software
|
- name: Configure misc software
|
||||||
copy: src={{ item.src }} dest={{ item.dest }}
|
copy: src={{ item.src }} dest={{ item.dest }}
|
||||||
|
diff: no
|
||||||
with_items:
|
with_items:
|
||||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
- { src: ".zshrc", dest: "/root/.zshrc" }
|
||||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
|
||||||
- { src: 'motd', dest: '/etc/motd' }
|
- { src: "motd", dest: "/etc/motd" }
|
||||||
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
|
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
|
||||||
|
|
||||||
- name: Set shell for root user
|
- name: Set shell for root user
|
||||||
user: name=root shell=/bin/zsh
|
user: name=root shell=/bin/zsh
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Install chrony
|
||||||
|
apt: name=chrony
|
||||||
|
|
||||||
|
- name: Configure chrony
|
||||||
|
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
|
||||||
|
notify: Restart chrony
|
|
@ -2,21 +2,20 @@
|
||||||
|
|
||||||
- name: Cleanup
|
- name: Cleanup
|
||||||
apt: autoclean=yes
|
apt: autoclean=yes
|
||||||
when: ansible_os_family == 'Debian'
|
when: ansible_os_family == "Debian"
|
||||||
|
|
||||||
- name: Gather package facts
|
- name: Gather package facts
|
||||||
package_facts:
|
package_facts:
|
||||||
manager: apt
|
manager: apt
|
||||||
when: ansible_os_family == 'Debian'
|
when: ansible_os_family == "Debian"
|
||||||
|
|
||||||
- name: Proxmox
|
- name: Proxmox
|
||||||
include: Proxmox.yml
|
include: Proxmox.yml
|
||||||
when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
|
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
|
||||||
|
|
||||||
- name: Debian
|
- name: Debian
|
||||||
include: Debian.yml
|
include: Debian.yml
|
||||||
when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
|
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
|
||||||
|
|
||||||
- name: FreeBSD
|
- name: Setup chrony
|
||||||
include: FreeBSD.yml
|
include: chrony.yml
|
||||||
when: ansible_distribution == 'FreeBSD'
|
|
||||||
|
|
|
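Review bot: `Setup chrony` is the only include without an OS guard, while the `Proxmox` and `Debian` includes keep `when: ansible_os_family == "Debian"`; since chrony.yml uses `apt`, add `when: ansible_os_family == "Debian"` for consistency so the file states one policy now that the FreeBSD branch is gone. `include:` is also deprecated in favour of `import_tasks:`/`include_tasks:`, and a newly added include is a natural place to start that switch.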
@ -0,0 +1,52 @@
|
||||||
|
# Welcome to the chrony configuration file. See chrony.conf(5) for more
|
||||||
|
# information about usable directives.
|
||||||
|
|
||||||
|
# Include configuration files found in /etc/chrony/conf.d.
|
||||||
|
confdir /etc/chrony/conf.d
|
||||||
|
|
||||||
|
{% for srv in ntp_servers %}
|
||||||
|
server {{ srv }} iburst
|
||||||
|
{% endfor %}
|
||||||
|
{% if ntp_peers is defined %}
|
||||||
|
|
||||||
|
{% for peer in ntp_peers %}
|
||||||
|
peer {{ peer }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if ntp_server is defined and ntp_server is true %}
|
||||||
|
allow 172.23.0.0/16
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
# This directive specify the location of the file containing ID/key pairs for
|
||||||
|
# NTP authentication.
|
||||||
|
keyfile /etc/chrony/chrony.keys
|
||||||
|
|
||||||
|
# This directive specify the file into which chronyd will store the rate
|
||||||
|
# information.
|
||||||
|
driftfile /var/lib/chrony/chrony.drift
|
||||||
|
|
||||||
|
# Save NTS keys and cookies.
|
||||||
|
ntsdumpdir /var/lib/chrony
|
||||||
|
|
||||||
|
# Uncomment the following line to turn logging on.
|
||||||
|
#log tracking measurements statistics
|
||||||
|
|
||||||
|
# Log files location.
|
||||||
|
logdir /var/log/chrony
|
||||||
|
|
||||||
|
# Stop bad estimates upsetting machine clock.
|
||||||
|
maxupdateskew 100.0
|
||||||
|
|
||||||
|
# This directive enables kernel synchronisation (every 11 minutes) of the
|
||||||
|
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
|
||||||
|
rtcsync
|
||||||
|
|
||||||
|
# Step the system clock instead of slewing it if the adjustment is larger than
|
||||||
|
# one second, but only in the first three clock updates.
|
||||||
|
makestep 1 3
|
||||||
|
|
||||||
|
# Get TAI-UTC offset and leap seconds from the system tz database.
|
||||||
|
# This directive must be commented out when using time sources serving
|
||||||
|
# leap-smeared time.
|
||||||
|
leapsectz right/UTC
|
|
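Review bot: `server {{ srv }} iburst` and `peer {{ peer }}` configure every upstream and peer without authentication, so a spoofed peer on the local network can steer the clock of the hosts that use `ntp_peers`; chrony supports `key <id>` on `peer` lines and `nts` on `server` lines where the upstream offers it, and the file already points at `keyfile /etc/chrony/chrony.keys`, so the plumbing is there. `ntsdumpdir /var/lib/chrony` is only meaningful once `nts` is actually used, which a comment should say. The loop over `ntp_servers` is not guarded like `ntp_peers`, so a host without that variable fails the template render; if that is the intended safeguard, a comment stating that `ntp_servers` is mandatory would make it explicit.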
@ -1,19 +0,0 @@
|
||||||
#
|
|
||||||
# LDAP Defaults
|
|
||||||
#
|
|
||||||
|
|
||||||
# See ldap.conf(5) for details
|
|
||||||
# This file should be world readable but not world writable.
|
|
||||||
|
|
||||||
BASE {{ ldap_base }}
|
|
||||||
URI {{ ldap_uri }}
|
|
||||||
|
|
||||||
#SIZELIMIT 12
|
|
||||||
#TIMELIMIT 15
|
|
||||||
#DEREF never
|
|
||||||
|
|
||||||
# TLS certificates (needed for GnuTLS)
|
|
||||||
TLS_REQCERT demand
|
|
||||||
TLS_CACERTDIR /etc/ssl/certs
|
|
||||||
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
|
|
||||||
|
|
|
@ -0,0 +1,132 @@
|
||||||
|
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
|
||||||
|
|
||||||
|
# This is the sshd server system-wide configuration file. See
|
||||||
|
# sshd_config(5) for more information.
|
||||||
|
|
||||||
|
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
||||||
|
|
||||||
|
# The strategy used for options in the default sshd_config shipped with
|
||||||
|
# OpenSSH is to specify options with their default value where
|
||||||
|
# possible, but leave them commented. Uncommented options override the
|
||||||
|
# default value.
|
||||||
|
|
||||||
|
Include /etc/ssh/sshd_config.d/*.conf
|
||||||
|
|
||||||
|
#Port 22
|
||||||
|
#AddressFamily any
|
||||||
|
#ListenAddress 0.0.0.0
|
||||||
|
#ListenAddress ::
|
||||||
|
|
||||||
|
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
|
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
# Ciphers and keying
|
||||||
|
#RekeyLimit default none
|
||||||
|
|
||||||
|
# Logging
|
||||||
|
#SyslogFacility AUTH
|
||||||
|
#LogLevel INFO
|
||||||
|
|
||||||
|
# Authentication:
|
||||||
|
|
||||||
|
#LoginGraceTime 2m
|
||||||
|
PermitRootLogin {{ sshd_permit_root_login }}
|
||||||
|
#StrictModes yes
|
||||||
|
#MaxAuthTries 6
|
||||||
|
#MaxSessions 10
|
||||||
|
|
||||||
|
#PubkeyAuthentication yes
|
||||||
|
|
||||||
|
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
|
||||||
|
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
|
||||||
|
|
||||||
|
#AuthorizedPrincipalsFile none
|
||||||
|
|
||||||
|
{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
|
||||||
|
AuthorizedKeysCommand {{ sshd_authkeys_command }}
|
||||||
|
{% if sshd_authkeys_user is defined and sshd_authkeys_user %}
|
||||||
|
AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
|
||||||
|
{% else %}
|
||||||
|
AuthorizedKeysCommandUser nobody
|
||||||
|
{% endif %}
|
||||||
|
{% else %}
|
||||||
|
#AuthorizedKeysCommand none
|
||||||
|
#AuthorizedKeysCommandUser nobody
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
|
#HostbasedAuthentication no
|
||||||
|
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||||
|
# HostbasedAuthentication
|
||||||
|
#IgnoreUserKnownHosts no
|
||||||
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||||
|
#IgnoreRhosts yes
|
||||||
|
|
||||||
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
|
PasswordAuthentication {{ sshd_password_authentication }}
|
||||||
|
#PermitEmptyPasswords no
|
||||||
|
|
||||||
|
# Change to yes to enable challenge-response passwords (beware issues with
|
||||||
|
# some PAM modules and threads)
|
||||||
|
ChallengeResponseAuthentication no
|
||||||
|
|
||||||
|
# Kerberos options
|
||||||
|
#KerberosAuthentication no
|
||||||
|
#KerberosOrLocalPasswd yes
|
||||||
|
#KerberosTicketCleanup yes
|
||||||
|
#KerberosGetAFSToken no
|
||||||
|
|
||||||
|
# GSSAPI options
|
||||||
|
#GSSAPIAuthentication no
|
||||||
|
#GSSAPICleanupCredentials yes
|
||||||
|
#GSSAPIStrictAcceptorCheck yes
|
||||||
|
#GSSAPIKeyExchange no
|
||||||
|
|
||||||
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||||
|
# and session processing. If this is enabled, PAM authentication will
|
||||||
|
# be allowed through the ChallengeResponseAuthentication and
|
||||||
|
# PasswordAuthentication. Depending on your PAM configuration,
|
||||||
|
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||||
|
# the setting of "PermitRootLogin without-password".
|
||||||
|
# If you just want the PAM account and session checks to run without
|
||||||
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
|
UsePAM yes
|
||||||
|
|
||||||
|
#AllowAgentForwarding yes
|
||||||
|
#AllowTcpForwarding yes
|
||||||
|
#GatewayPorts no
|
||||||
|
X11Forwarding yes
|
||||||
|
#X11DisplayOffset 10
|
||||||
|
#X11UseLocalhost yes
|
||||||
|
#PermitTTY yes
|
||||||
|
PrintMotd no
|
||||||
|
#PrintLastLog yes
|
||||||
|
#TCPKeepAlive yes
|
||||||
|
#PermitUserEnvironment no
|
||||||
|
#Compression delayed
|
||||||
|
#ClientAliveInterval 0
|
||||||
|
#ClientAliveCountMax 3
|
||||||
|
#UseDNS no
|
||||||
|
#PidFile /var/run/sshd.pid
|
||||||
|
#MaxStartups 10:30:100
|
||||||
|
#PermitTunnel no
|
||||||
|
#ChrootDirectory none
|
||||||
|
#VersionAddendum none
|
||||||
|
|
||||||
|
# no default banner path
|
||||||
|
#Banner none
|
||||||
|
|
||||||
|
# Allow client to pass locale environment variables
|
||||||
|
AcceptEnv LANG LC_*
|
||||||
|
|
||||||
|
# override default of no subsystems
|
||||||
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||||
|
|
||||||
|
# Example of overriding settings on a per-user basis
|
||||||
|
#Match User anoncvs
|
||||||
|
# X11Forwarding no
|
||||||
|
# AllowTcpForwarding no
|
||||||
|
# PermitTTY no
|
||||||
|
# ForceCommand cvs server
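Review bot: `Include /etc/ssh/sshd_config.d/*.conf` sits at the top of this template, before `PermitRootLogin {{ sshd_permit_root_login }}` and `PasswordAuthentication {{ sshd_password_authentication }}`, and sshd keeps the first value it reads for a keyword, so any drop-in in that directory (distro or cloud-init drop-ins commonly set `PasswordAuthentication yes` there) silently wins over what the role intends. Either have the role own that directory (purge unmanaged files, or ship these two directives as a drop-in that sorts first, e.g. `sshd_config.d/00-ansible.conf`) or move the `Include` line below the role-managed directives. Separately, `X11Forwarding yes` unconditionally widens the default on a server template; unless these hosts actually need it, `X11Forwarding no`, or a variable like the other two, is the safer default.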
|
|
@ -1,4 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Reload systemd
|
||||||
|
systemd: daemon_reload=yes
|
||||||
|
|
||||||
- name: Restart coturn
|
- name: Restart coturn
|
||||||
service: name=coturn state=restarted
|
service: name=coturn state=restarted
|
||||||
|
|
||||||
|
- name: Run acertmgr
|
||||||
|
command: /usr/bin/acertmgr
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- { role: acertmgr }
|
|
@ -3,6 +3,28 @@
|
||||||
- name: Install coturn
|
- name: Install coturn
|
||||||
apt: name=coturn
|
apt: name=coturn
|
||||||
|
|
||||||
|
- name: Create coturn service override directory
|
||||||
|
file: path=/etc/systemd/system/coturn.service.d state=directory
|
||||||
|
|
||||||
|
- name: Configure coturn service override
|
||||||
|
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
|
||||||
|
notify:
|
||||||
|
- Reload systemd
|
||||||
|
- Restart coturn
|
||||||
|
|
||||||
|
- name: Create gitea directories
|
||||||
|
file: path={{ item }} state=directory owner=turnserver
|
||||||
|
with_items:
|
||||||
|
- /etc/turnserver
|
||||||
|
- /etc/turnserver/certs
|
||||||
|
|
||||||
|
- name: Ensure certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
|
||||||
|
|
||||||
|
- name: Configure certificate manager
|
||||||
|
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
|
||||||
|
notify: Run acertmgr
|
||||||
|
|
||||||
- name: Configure coturn
|
- name: Configure coturn
|
||||||
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
template: src={{ item }}.j2 dest=/etc/{{ item }}
|
||||||
with_items:
|
with_items:
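Review bot: The bootstrap `openssl req ... -keyout /etc/turnserver/certs/{{ coturn_realm }}.key` task sets no owner or mode on the key it writes, while the acertmgr-managed replacement in certs.j2 is pinned to `turnserver:turnserver` with `400`; until acertmgr succeeds the key is owned by whatever user runs the play (presumably root), so coturn running as `turnserver` may be unable to read it, or, depending on the umask openssl inherits, it may be readable more widely than intended. Add a follow-up task such as `file: path=/etc/turnserver/certs/{{ coturn_realm }}.key owner=turnserver group=turnserver mode=0400` (and the matching owner on the `.crt`). The task name `Create gitea directories` looks like a copy-paste leftover; `Create turnserver directories` says what it does.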
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
{{ coturn_realm }}:
|
||||||
|
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
|
||||||
|
user: turnserver
|
||||||
|
group: turnserver
|
||||||
|
perm: '400'
|
||||||
|
format: key
|
||||||
|
action: '/usr/sbin/service coturn restart'
|
||||||
|
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
|
||||||
|
user: turnserver
|
||||||
|
group: turnserver
|
||||||
|
perm: '400'
|
||||||
|
format: crt,ca
|
||||||
|
action: '/usr/sbin/service coturn restart'
|
|
@ -0,0 +1,2 @@
|
||||||
|
[Service]
|
||||||
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
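Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` only matters because turnserver.conf now binds port 443 and the process presumably runs under a non-root `User=` set by the packaged unit, neither of which is visible in this two-line drop-in; a comment recording that dependency would save the next reader a search, e.g. `# turnserver.conf listens on 443; the packaged unit runs as a non-root user`. While granting the capability, it is worth also bounding it so the ambient grant is the only one the process can ever hold: `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`.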
|
|
@ -1,52 +1,60 @@
|
||||||
# Coturn TURN SERVER configuration file
|
# Coturn TURN SERVER configuration file
|
||||||
#
|
#
|
||||||
# Boolean values note: where boolean value is supposed to be used,
|
# Boolean values note: where a boolean value is supposed to be used,
|
||||||
# you can use '0', 'off', 'no', 'false', 'f' as 'false,
|
# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
|
||||||
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
|
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
|
||||||
# If the value is missed, then it means 'true'.
|
# If the value is missing, then it means 'true' by default.
|
||||||
#
|
#
|
||||||
|
|
||||||
# Listener interface device (optional, Linux only).
|
# Listener interface device (optional, Linux only).
|
||||||
# NOT RECOMMENDED.
|
# NOT RECOMMENDED.
|
||||||
#
|
#
|
||||||
#listening-device=eth0
|
#listening-device=eth0
|
||||||
|
|
||||||
# TURN listener port for UDP and TCP (Default: 3478).
|
# TURN listener port for UDP and TCP (Default: 3478).
|
||||||
# Note: actually, TLS & DTLS sessions can connect to the
|
# Note: actually, TLS & DTLS sessions can connect to the
|
||||||
# "plain" TCP & UDP port(s), too - if allowed by configuration.
|
# "plain" TCP & UDP port(s), too - if allowed by configuration.
|
||||||
#
|
#
|
||||||
#listening-port=3478
|
listening-port=443
|
||||||
|
|
||||||
# TURN listener port for TLS (Default: 5349).
|
# TURN listener port for TLS (Default: 5349).
|
||||||
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
|
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
|
||||||
# port(s), too - if allowed by configuration. The TURN server
|
# port(s), too - if allowed by configuration. The TURN server
|
||||||
# "automatically" recognizes the type of traffic. Actually, two listening
|
# "automatically" recognizes the type of traffic. Actually, two listening
|
||||||
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
|
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
|
||||||
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
|
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
|
||||||
# For secure TCP connections, we currently support SSL version 3 and
|
# For secure TCP connections, Coturn currently supports
|
||||||
# TLS version 1.0, 1.1 and 1.2.
|
# TLS version 1.0, 1.1 and 1.2.
|
||||||
# For secure UDP connections, we support DTLS version 1.
|
# For secure UDP connections, Coturn supports DTLS version 1.
|
||||||
#
|
#
|
||||||
#tls-listening-port=5349
|
tls-listening-port=443
|
||||||
|
|
||||||
# Alternative listening port for UDP and TCP listeners;
|
# Alternative listening port for UDP and TCP listeners;
|
||||||
# default (or zero) value means "listening port plus one".
|
# default (or zero) value means "listening port plus one".
|
||||||
# This is needed for RFC 5780 support
|
# This is needed for RFC 5780 support
|
||||||
# (STUN extension specs, NAT behavior discovery). The TURN Server
|
# (STUN extension specs, NAT behavior discovery). The TURN Server
|
||||||
# supports RFC 5780 only if it is started with more than one
|
# supports RFC 5780 only if it is started with more than one
|
||||||
# listening IP address of the same family (IPv4 or IPv6).
|
# listening IP address of the same family (IPv4 or IPv6).
|
||||||
# RFC 5780 is supported only by UDP protocol, other protocols
|
# RFC 5780 is supported only by UDP protocol, other protocols
|
||||||
# are listening to that endpoint only for "symmetry".
|
# are listening to that endpoint only for "symmetry".
|
||||||
#
|
#
|
||||||
#alt-listening-port=0
|
#alt-listening-port=0
|
||||||
|
|
||||||
# Alternative listening port for TLS and DTLS protocols.
|
# Alternative listening port for TLS and DTLS protocols.
|
||||||
# Default (or zero) value means "TLS listening port plus one".
|
# Default (or zero) value means "TLS listening port plus one".
|
||||||
#
|
#
|
||||||
#alt-tls-listening-port=0
|
#alt-tls-listening-port=0
|
||||||
|
|
||||||
|
# Some network setups will require using a TCP reverse proxy in front
|
||||||
|
# of the STUN server. If the proxy port option is set a single listener
|
||||||
|
# is started on the given port that accepts connections using the
|
||||||
|
# haproxy proxy protocol v2.
|
||||||
|
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
|
||||||
|
#
|
||||||
|
#tcp-proxy-port=5555
|
||||||
|
|
||||||
# Listener IP address of relay server. Multiple listeners can be specified.
|
# Listener IP address of relay server. Multiple listeners can be specified.
|
||||||
# If no IP(s) specified in the config file or in the command line options,
|
# If no IP(s) specified in the config file or in the command line options,
|
||||||
# then all IPv4 and IPv6 system IPs will be used for listening.
|
# then all IPv4 and IPv6 system IPs will be used for listening.
|
||||||
#
|
#
|
||||||
#listening-ip=172.17.19.101
|
#listening-ip=172.17.19.101
|
||||||
|
@ -61,7 +69,7 @@
|
||||||
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
|
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
|
||||||
#
|
#
|
||||||
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
|
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
|
||||||
#
|
#
|
||||||
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
|
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
|
||||||
#
|
#
|
||||||
# There may be multiple aux-server options, each will be used for listening
|
# There may be multiple aux-server options, each will be used for listening
|
||||||
|
@ -73,7 +81,7 @@
|
||||||
# (recommended for older Linuxes only)
|
# (recommended for older Linuxes only)
|
||||||
# Automatically balance UDP traffic over auxiliary servers (if configured).
|
# Automatically balance UDP traffic over auxiliary servers (if configured).
|
||||||
# The load balancing is using the ALTERNATE-SERVER mechanism.
|
# The load balancing is using the ALTERNATE-SERVER mechanism.
|
||||||
# The TURN client must support 300 ALTERNATE-SERVER response for this
|
# The TURN client must support 300 ALTERNATE-SERVER response for this
|
||||||
# functionality.
|
# functionality.
|
||||||
#
|
#
|
||||||
#udp-self-balance
|
#udp-self-balance
|
||||||
|
@ -83,13 +91,13 @@
|
||||||
#
|
#
|
||||||
#relay-device=eth1
|
#relay-device=eth1
|
||||||
|
|
||||||
# Relay address (the local IP address that will be used to relay the
|
# Relay address (the local IP address that will be used to relay the
|
||||||
# packets to the peer).
|
# packets to the peer).
|
||||||
# Multiple relay addresses may be used.
|
# Multiple relay addresses may be used.
|
||||||
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
|
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
|
||||||
#
|
#
|
||||||
# If no relay IP(s) specified, then the turnserver will apply the default
|
# If no relay IP(s) specified, then the turnserver will apply the default
|
||||||
# policy: it will decide itself which relay addresses to be used, and it
|
# policy: it will decide itself which relay addresses to be used, and it
|
||||||
# will always be using the client socket IP address as the relay IP address
|
# will always be using the client socket IP address as the relay IP address
|
||||||
# of the TURN session (if the requested relay address family is the same
|
# of the TURN session (if the requested relay address family is the same
|
||||||
# as the family of the client socket).
|
# as the family of the client socket).
|
||||||
|
@ -112,12 +120,15 @@
|
||||||
# that option must be used several times, each entry must
|
# that option must be used several times, each entry must
|
||||||
# have form "-X <public-ip/private-ip>", to map all involved addresses.
|
# have form "-X <public-ip/private-ip>", to map all involved addresses.
|
||||||
# RFC5780 NAT discovery STUN functionality will work correctly,
|
# RFC5780 NAT discovery STUN functionality will work correctly,
|
||||||
# if the addresses are mapped properly, even when the TURN server itself
|
# if the addresses are mapped properly, even when the TURN server itself
|
||||||
# is behind A NAT.
|
# is behind A NAT.
|
||||||
#
|
#
|
||||||
# By default, this value is empty, and no address mapping is used.
|
# By default, this value is empty, and no address mapping is used.
|
||||||
#
|
#
|
||||||
#external-ip=60.70.80.91
|
external-ip={{ ansible_default_ipv4.address }}
|
||||||
|
{% if ansible_default_ipv6.address is defined %}
|
||||||
|
external-ip={{ ansible_default_ipv6.address }}
|
||||||
|
{% endif %}
|
||||||
#
|
#
|
||||||
#OR:
|
#OR:
|
||||||
#
|
#
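Review bot: `external-ip={{ ansible_default_ipv4.address }}` advertises the interface address as the relay address, but `external-ip` exists for hosts behind NAT, where the value has to be the public address (the `-X <public-ip/private-ip>` form described in the comment above). On a host whose interface carries its public IP the line is harmless; on a NATed host it advertises the private address and peers get an unusable relay candidate, and the same holds for the IPv6 line. Let the inventory override it, e.g. `external-ip={{ coturn_external_ip | default(ansible_default_ipv4.address) }}`, so a NATed deployment can set `coturn_external_ip` to `<public>/<private>`.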
|
||||||
|
@ -127,18 +138,18 @@
|
||||||
|
|
||||||
# Number of the relay threads to handle the established connections
|
# Number of the relay threads to handle the established connections
|
||||||
# (in addition to authentication thread and the listener thread).
|
# (in addition to authentication thread and the listener thread).
|
||||||
# If explicitly set to 0 then application runs relay process in a
|
# If explicitly set to 0 then application runs relay process in a
|
||||||
# single thread, in the same thread with the listener process
|
# single thread, in the same thread with the listener process
|
||||||
# (the authentication thread will still be a separate thread).
|
# (the authentication thread will still be a separate thread).
|
||||||
#
|
#
|
||||||
# If this parameter is not set, then the default OS-dependent
|
# If this parameter is not set, then the default OS-dependent
|
||||||
# thread pattern algorithm will be employed. Usually the default
|
# thread pattern algorithm will be employed. Usually the default
|
||||||
# algorithm is the most optimal, so you have to change this option
|
# algorithm is optimal, so you have to change this option
|
||||||
# only if you want to make some fine tweaks.
|
# if you want to make some fine tweaks.
|
||||||
#
|
#
|
||||||
# In the older systems (Linux kernel before 3.9),
|
# In the older systems (Linux kernel before 3.9),
|
||||||
# the number of UDP threads is always one thread per network listening
|
# the number of UDP threads is always one thread per network listening
|
||||||
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
|
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
|
||||||
# 1 (one) value is set.
|
# 1 (one) value is set.
|
||||||
#
|
#
|
||||||
#relay-threads=0
|
#relay-threads=0
|
||||||
|
@ -148,15 +159,15 @@
|
||||||
#
|
#
|
||||||
#min-port=49152
|
#min-port=49152
|
||||||
#max-port=65535
|
#max-port=65535
|
||||||
|
|
||||||
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
|
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
|
||||||
# By default the verbose mode is off.
|
# By default the verbose mode is off.
|
||||||
#verbose
|
#verbose
|
||||||
|
|
||||||
# Uncomment to run TURN server in 'extra' verbose mode.
|
# Uncomment to run TURN server in 'extra' verbose mode.
|
||||||
# This mode is very annoying and produces lots of output.
|
# This mode is very annoying and produces lots of output.
|
||||||
# Not recommended under any normal circumstances.
|
# Not recommended under normal circumstances.
|
||||||
#
|
#
|
||||||
#Verbose
|
#Verbose
|
||||||
|
|
||||||
# Uncomment to use fingerprints in the TURN messages.
|
# Uncomment to use fingerprints in the TURN messages.
|
||||||
|
@ -169,58 +180,69 @@ fingerprint
|
||||||
#
|
#
|
||||||
#lt-cred-mech
|
#lt-cred-mech
|
||||||
|
|
||||||
# This option is opposite to lt-cred-mech.
|
# This option is the opposite of lt-cred-mech.
|
||||||
# (TURN Server with no-auth option allows anonymous access).
|
# (TURN Server with no-auth option allows anonymous access).
|
||||||
# If neither option is defined, and no users are defined,
|
# If neither option is defined, and no users are defined,
|
||||||
# then no-auth is default. If at least one user is defined,
|
# then no-auth is default. If at least one user is defined,
|
||||||
# in this file or in command line or in usersdb file, then
|
# in this file, in command line or in usersdb file, then
|
||||||
# lt-cred-mech is default.
|
# lt-cred-mech is default.
|
||||||
#
|
#
|
||||||
#no-auth
|
#no-auth
|
||||||
|
|
||||||
|
# Enable prometheus exporter
|
||||||
|
# If enabled the turnserver will expose an endpoint with stats on a prometheus format
|
||||||
|
# this endpoint is listening on a different port to not conflict with other configurations.
|
||||||
|
#
|
||||||
|
# You can simply run the turnserver and access the port 9641 and path /metrics
|
||||||
|
#
|
||||||
|
# For mor info on the prometheus exporter and metrics
|
||||||
|
# https://prometheus.io/docs/introduction/overview/
|
||||||
|
# https://prometheus.io/docs/concepts/data_model/
|
||||||
|
#
|
||||||
|
#prometheus
|
||||||
|
|
||||||
# TURN REST API flag.
|
# TURN REST API flag.
|
||||||
# (Time Limited Long Term Credential)
|
# (Time Limited Long Term Credential)
|
||||||
# Flag that sets a special authorization option that is based upon authentication secret.
|
# Flag that sets a special authorization option that is based upon authentication secret.
|
||||||
#
|
#
|
||||||
# This feature's purpose is to support "TURN Server REST API", see
|
# This feature's purpose is to support "TURN Server REST API", see
|
||||||
# "TURN REST API" link in the project's page
|
# "TURN REST API" link in the project's page
|
||||||
# https://github.com/coturn/coturn/
|
# https://github.com/coturn/coturn/
|
||||||
#
|
#
|
||||||
# This option is used with timestamp:
|
# This option is used with timestamp:
|
||||||
#
|
#
|
||||||
# usercombo -> "timestamp:userid"
|
# usercombo -> "timestamp:userid"
|
||||||
# turn user -> usercombo
|
# turn user -> usercombo
|
||||||
# turn password -> base64(hmac(secret key, usercombo))
|
# turn password -> base64(hmac(secret key, usercombo))
|
||||||
#
|
#
|
||||||
# This allows TURN credentials to be accounted for a specific user id.
|
# This allows TURN credentials to be accounted for a specific user id.
|
||||||
# If you don't have a suitable id, the timestamp alone can be used.
|
# If you don't have a suitable id, then the timestamp alone can be used.
|
||||||
# This option is just turning on secret-based authentication.
|
# This option is enabled by turning on secret-based authentication.
|
||||||
# The actual value of the secret is defined either by option static-auth-secret,
|
# The actual value of the secret is defined either by the option static-auth-secret,
|
||||||
# or can be found in the turn_secret table in the database (see below).
|
# or can be found in the turn_secret table in the database (see below).
|
||||||
#
|
#
|
||||||
# Read more about it:
|
# Read more about it:
|
||||||
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
|
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
|
||||||
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
|
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
|
||||||
#
|
#
|
||||||
# Be aware that use-auth-secret overrides some part of lt-cred-mech.
|
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
|
||||||
# Notice that this feature depends internally on lt-cred-mech, so if you set
|
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
|
||||||
# use-auth-secret then it enables internally automatically lt-cred-mech option
|
# this option then it automatically enables lt-cred-mech internally
|
||||||
# like if you enable both.
|
# as if you had enabled both.
|
||||||
#
|
#
|
||||||
# You can use only one of the to auth mechanisms in the same time because,
|
# Note that you can use only one auth mechanism at the same time! This is because,
|
||||||
# both mechanism use the username and password validation in different way.
|
# both mechanisms conduct username and password validation in different ways.
|
||||||
#
|
#
|
||||||
# This way be aware that you can't use both auth mechnaism in the same time!
|
# Use either lt-cred-mech or use-auth-secret in the conf
|
||||||
# Use in config either the lt-cred-mech or the use-auth-secret
|
|
||||||
# to avoid any confusion.
|
# to avoid any confusion.
|
||||||
#
|
#
|
||||||
use-auth-secret
|
use-auth-secret
|
||||||
|
|
||||||
# 'Static' authentication secret value (a string) for TURN REST API only.
|
# 'Static' authentication secret value (a string) for TURN REST API only.
|
||||||
# If not set, then the turn server
|
# If not set, then the turn server
|
||||||
# will try to use the 'dynamic' value in turn_secret table
|
# will try to use the 'dynamic' value in the turn_secret table
|
||||||
# in user database (if present). The database-stored value can be changed on-the-fly
|
# in the user database (if present). The database-stored value can be changed on-the-fly
|
||||||
# by a separate program, so this is why that other mode is 'dynamic'.
|
# by a separate program, so this is why that mode is considered 'dynamic'.
|
||||||
#
|
#
|
||||||
static-auth-secret={{ coturn_secret }}
|
static-auth-secret={{ coturn_secret }}
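Review bot: `static-auth-secret={{ coturn_secret }}` places the shared TURN secret in `/etc/turnserver.conf`, and the task that renders this file (`template: src={{ item }}.j2 dest=/etc/{{ item }}` in tasks/main.yml, unchanged here) passes no `mode=` or `owner=`, so the file is created with the module's default mode, which is presumably world-readable, and any local user can mint valid TURN credentials. Add `owner=root group=turnserver mode=0640` to that template task so only the daemon's group can read it. The new prometheus block is commented out, which is right: the `/metrics` endpoint on 9641 has no authentication, so if it is ever enabled it should be bound or firewalled to the scraper only.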
|
||||||
|
|
||||||
|
@ -234,10 +256,10 @@ static-auth-secret={{ coturn_secret }}
|
||||||
#
|
#
|
||||||
#oauth
|
#oauth
|
||||||
|
|
||||||
# 'Static' user accounts for long term credentials mechanism, only.
|
# 'Static' user accounts for the long term credentials mechanism, only.
|
||||||
# This option cannot be used with TURN REST API.
|
# This option cannot be used with TURN REST API.
|
||||||
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
|
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
|
||||||
# so that they can NOT be changed while the turnserver is running.
|
# so they can NOT be changed while the turnserver is running.
|
||||||
#
|
#
|
||||||
#user=username1:key1
|
#user=username1:key1
|
||||||
#user=username2:key2
|
#user=username2:key2
|
||||||
|
@ -255,7 +277,7 @@ static-auth-secret={{ coturn_secret }}
|
||||||
# password. If it has 0x then it is a key, otherwise it is a password).
|
# password. If it has 0x then it is a key, otherwise it is a password).
|
||||||
#
|
#
|
||||||
# The corresponding user account entry in the config file will be:
|
# The corresponding user account entry in the config file will be:
|
||||||
#
|
#
|
||||||
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
|
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
|
||||||
# Or, equivalently, with open clear password (less secure):
|
# Or, equivalently, with open clear password (less secure):
|
||||||
#user=ninefingers:youhavetoberealistic
|
#user=ninefingers:youhavetoberealistic
|
||||||
|
@ -263,83 +285,83 @@ static-auth-secret={{ coturn_secret }}
|
||||||
|
|
||||||
# SQLite database file name.
|
# SQLite database file name.
|
||||||
#
|
#
|
||||||
# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
||||||
# /var/lib/turn/turndb.
|
# /var/lib/turn/turndb.
|
||||||
#
|
#
|
||||||
#userdb=/var/db/turndb
|
#userdb=/var/db/turndb
|
||||||
|
|
||||||
# PostgreSQL database connection string in the case that we are using PostgreSQL
|
# PostgreSQL database connection string in the case that you are using PostgreSQL
|
||||||
# as the user database.
|
# as the user database.
|
||||||
# This database can be used for long-term credential mechanism
|
# This database can be used for the long-term credential mechanism
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||||
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
|
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
|
||||||
# versions connection string format, see
|
# versions connection string format, see
|
||||||
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
|
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
|
||||||
# for 9.x and newer connection string formats.
|
# for 9.x and newer connection string formats.
|
||||||
#
|
#
|
||||||
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
|
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
|
||||||
|
|
||||||
# MySQL database connection string in the case that we are using MySQL
|
# MySQL database connection string in the case that you are using MySQL
|
||||||
# as the user database.
|
# as the user database.
|
||||||
# This database can be used for long-term credential mechanism
|
# This database can be used for the long-term credential mechanism
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||||
#
|
#
|
||||||
# Optional connection string parameters for the secure communications (SSL):
|
# Optional connection string parameters for the secure communications (SSL):
|
||||||
# ca, capath, cert, key, cipher
|
# ca, capath, cert, key, cipher
|
||||||
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
|
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
|
||||||
# command options description).
|
# command options description).
|
||||||
#
|
#
|
||||||
# Use string format as below (space separated parameters, all optional):
|
# Use the string format below (space separated parameters, all optional):
|
||||||
#
|
#
|
||||||
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
|
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
|
||||||
|
|
||||||
# If you want to use in the MySQL connection string the password in encrypted format,
|
# If you want to use an encrypted password in the MySQL connection string,
|
||||||
# then set in this option the MySQL password encryption secret key file.
|
# then set the MySQL password encryption secret key file with this option.
|
||||||
#
|
#
|
||||||
# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
|
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
|
||||||
# If you want to use cleartext password then do not set this option!
|
# If you want to use a cleartext password then do not set this option!
|
||||||
#
|
#
|
||||||
# This is the file path which contain secret key of aes encryption while using password encryption.
|
# This is the file path for the aes encrypted secret key used for password encryption.
|
||||||
#
|
#
|
||||||
#secret-key-file=/path/
|
#secret-key-file=/path/
|
||||||
|
|
||||||
# MongoDB database connection string in the case that we are using MongoDB
|
# MongoDB database connection string in the case that you are using MongoDB
|
||||||
# as the user database.
|
# as the user database.
|
||||||
# This database can be used for long-term credential mechanism
|
# This database can be used for long-term credential mechanism
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||||
# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
||||||
#
|
#
|
||||||
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
|
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
|
||||||
|
|
||||||
# Redis database connection string in the case that we are using Redis
|
# Redis database connection string in the case that you are using Redis
|
||||||
# as the user database.
|
# as the user database.
|
||||||
# This database can be used for long-term credential mechanism
|
# This database can be used for long-term credential mechanism
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||||
# Use string format as below (space separated parameters, all optional):
|
# Use the string format below (space separated parameters, all optional):
|
||||||
#
|
#
|
||||||
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||||
|
|
||||||
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
|
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
|
||||||
# This database keeps allocations status information, and it can be also used for publishing
|
# This database keeps allocations status information, and it can be also used for publishing
|
||||||
# and delivering traffic and allocation event notifications.
|
# and delivering traffic and allocation event notifications.
|
||||||
# The connection string has the same parameters as redis-userdb connection string.
|
# The connection string has the same parameters as redis-userdb connection string.
|
||||||
# Use string format as below (space separated parameters, all optional):
|
# Use the string format below (space separated parameters, all optional):
|
||||||
#
|
#
|
||||||
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||||
|
|
||||||
# The default realm to be used for the users when no explicit
|
# The default realm to be used for the users when no explicit
|
||||||
# origin/realm relationship was found in the database, or if the TURN
|
# origin/realm relationship is found in the database, or if the TURN
|
||||||
# server is not using any database (just the commands-line settings
|
# server is not using any database (just the commands-line settings
|
||||||
# and the userdb file). Must be used with long-term credentials
|
# and the userdb file). Must be used with long-term credentials
|
||||||
# mechanism or with TURN REST API.
|
# mechanism or with TURN REST API.
|
||||||
#
|
#
|
||||||
# Note: If default realm is not specified at all, then realm falls back to the host domain name.
|
# Note: If the default realm is not specified, then realm falls back to the host domain name.
|
||||||
# If domain name is empty string, or '(None)', then it is initialized to am empty string.
|
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
|
||||||
#
|
#
|
||||||
realm={{ coturn_realm }}
|
realm={{ coturn_realm }}
|
||||||
|
|
||||||
# The flag that sets the origin consistency
|
# This flag sets the origin consistency
|
||||||
# check: across the session, all requests must have the same
|
# check. Across the session, all requests must have the same
|
||||||
# main ORIGIN attribute value (if the ORIGIN was
|
# main ORIGIN attribute value (if the ORIGIN was
|
||||||
# initially used by the session).
|
# initially used by the session).
|
||||||
#
|
#
|
||||||
|
@ -359,7 +381,7 @@ realm={{ coturn_realm }}
|
||||||
|
|
||||||
# Max bytes-per-second bandwidth a TURN session is allowed to handle
|
# Max bytes-per-second bandwidth a TURN session is allowed to handle
|
||||||
# (input and output network streams are treated separately). Anything above
|
# (input and output network streams are treated separately). Anything above
|
||||||
# that limit will be dropped or temporary suppressed (within
|
# that limit will be dropped or temporarily suppressed (within
|
||||||
# the available buffer limits).
|
# the available buffer limits).
|
||||||
# This option can also be set through the database, for a particular realm.
|
# This option can also be set through the database, for a particular realm.
|
||||||
#
|
#
|
||||||
|
@ -380,17 +402,17 @@ realm={{ coturn_realm }}
|
||||||
# Uncomment if no TCP client listener is desired.
|
# Uncomment if no TCP client listener is desired.
|
||||||
# By default TCP client listener is always started.
|
# By default TCP client listener is always started.
|
||||||
#
|
#
|
||||||
no-tcp
|
#no-tcp
|
||||||
|
|
||||||
# Uncomment if no TLS client listener is desired.
|
# Uncomment if no TLS client listener is desired.
|
||||||
# By default TLS client listener is always started.
|
# By default TLS client listener is always started.
|
||||||
#
|
#
|
||||||
no-tls
|
#no-tls
|
||||||
|
|
||||||
# Uncomment if no DTLS client listener is desired.
|
# Uncomment if no DTLS client listener is desired.
|
||||||
# By default DTLS client listener is always started.
|
# By default DTLS client listener is always started.
|
||||||
#
|
#
|
||||||
no-dtls
|
#no-dtls
|
||||||
|
|
||||||
# Uncomment if no UDP relay endpoints are allowed.
|
# Uncomment if no UDP relay endpoints are allowed.
|
||||||
# By default UDP relay endpoints are enabled (like in RFC 5766).
|
# By default UDP relay endpoints are enabled (like in RFC 5766).
|
||||||
|
@ -403,11 +425,11 @@ no-dtls
|
||||||
#no-tcp-relay
|
#no-tcp-relay
|
||||||
|
|
||||||
# Uncomment if extra security is desired,
|
# Uncomment if extra security is desired,
|
||||||
# with nonce value having limited lifetime.
|
# with nonce value having a limited lifetime.
|
||||||
# By default, the nonce value is unique for a session,
|
# The nonce value is unique for a session.
|
||||||
# and has unlimited lifetime.
|
# Set this option to limit the nonce lifetime.
|
||||||
# Set this option to limit the nonce lifetime.
|
# Set it to 0 for unlimited lifetime.
|
||||||
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
|
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
|
||||||
# the client will get 438 error and will have to re-authenticate itself.
|
# the client will get 438 error and will have to re-authenticate itself.
|
||||||
#
|
#
|
||||||
#stale-nonce=600
|
#stale-nonce=600
|
||||||
|
@ -433,13 +455,14 @@ no-dtls
|
||||||
#permission-lifetime=300
|
#permission-lifetime=300
|
||||||
|
|
||||||
# Certificate file.
|
# Certificate file.
|
||||||
# Use an absolute path or path relative to the
|
# Use an absolute path or path relative to the
|
||||||
# configuration file.
|
# configuration file.
|
||||||
|
# Use PEM file format.
|
||||||
#
|
#
|
||||||
#cert=/usr/local/etc/turn_server_cert.pem
|
#cert=/usr/local/etc/turn_server_cert.pem
|
||||||
|
|
||||||
# Private key file.
|
# Private key file.
|
||||||
# Use an absolute path or path relative to the
|
# Use an absolute path or path relative to the
|
||||||
# configuration file.
|
# configuration file.
|
||||||
# Use PEM file format.
|
# Use PEM file format.
|
||||||
#
|
#
|
||||||
|
@ -455,29 +478,29 @@ no-dtls
|
||||||
#
|
#
|
||||||
#cipher-list="DEFAULT"
|
#cipher-list="DEFAULT"
|
||||||
|
|
||||||
# CA file in OpenSSL format.
|
# CA file in OpenSSL format.
|
||||||
# Forces TURN server to verify the client SSL certificates.
|
# Forces TURN server to verify the client SSL certificates.
|
||||||
# By default it is not set: there is no default value and the client
|
# By default this is not set: there is no default value and the client
|
||||||
# certificate is not checked.
|
# certificate is not checked.
|
||||||
#
|
#
|
||||||
# Example:
|
# Example:
|
||||||
#CA-file=/etc/ssh/id_rsa.cert
|
#CA-file=/etc/ssh/id_rsa.cert
|
||||||
|
|
||||||
# Curve name for EC ciphers, if supported by OpenSSL
|
# Curve name for EC ciphers, if supported by OpenSSL
|
||||||
# library (TLS and DTLS). The default value is prime256v1,
|
# library (TLS and DTLS). The default value is prime256v1,
|
||||||
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
|
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
|
||||||
# an optimal curve will be automatically calculated, if not defined
|
# an optimal curve will be automatically calculated, if not defined
|
||||||
# by this option.
|
# by this option.
|
||||||
#
|
#
|
||||||
#ec-curve-name=prime256v1
|
#ec-curve-name=prime256v1
|
||||||
|
|
||||||
# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
|
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
|
||||||
#
|
#
|
||||||
#dh566
|
#dh566
|
||||||
|
|
||||||
# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
|
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
|
||||||
#
|
#
|
||||||
#dh2066
|
#dh1066
|
||||||
|
|
||||||
# Use custom DH TLS key, stored in PEM format in the file.
|
# Use custom DH TLS key, stored in PEM format in the file.
|
||||||
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
|
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
|
||||||
|
@ -485,21 +508,21 @@ no-dtls
|
||||||
#dh-file=<DH-PEM-file-name>
|
#dh-file=<DH-PEM-file-name>
|
||||||
|
|
||||||
# Flag to prevent stdout log messages.
|
# Flag to prevent stdout log messages.
|
||||||
# By default, all log messages are going to both stdout and to
|
# By default, all log messages go to both stdout and to
|
||||||
# the configured log file. With this option everything will be
|
# the configured log file. With this option everything will
|
||||||
# going to the configured log only (unless the log file itself is stdout).
|
# go to the configured log only (unless the log file itself is stdout).
|
||||||
#
|
#
|
||||||
#no-stdout-log
|
#no-stdout-log
|
||||||
|
|
||||||
# Option to set the log file name.
|
# Option to set the log file name.
|
||||||
# By default, the turnserver tries to open a log file in
|
# By default, the turnserver tries to open a log file in
|
||||||
# /var/log, /var/tmp, /tmp and current directories directories
|
# /var/log, /var/tmp, /tmp and the current directory
|
||||||
# (which open operation succeeds first that file will be used).
|
# (Whichever file open operation succeeds first will be used).
|
||||||
# With this option you can set the definite log file name.
|
# With this option you can set the definite log file name.
|
||||||
# The special names are "stdout" and "-" - they will force everything
|
# The special names are "stdout" and "-" - they will force everything
|
||||||
# to the stdout. Also, the "syslog" name will force everything to
|
# to the stdout. Also, the "syslog" name will force everything to
|
||||||
# the system log (syslog).
|
# the system log (syslog).
|
||||||
# In the runtime, the logfile can be reset with the SIGHUP signal
|
# In the runtime, the logfile can be reset with the SIGHUP signal
|
||||||
# to the turnserver process.
|
# to the turnserver process.
|
||||||
#
|
#
|
||||||
#log-file=/var/tmp/turn.log
|
#log-file=/var/tmp/turn.log
|
||||||
|
@ -514,41 +537,51 @@ syslog
|
||||||
#
|
#
|
||||||
#simple-log
|
#simple-log
|
||||||
|
|
||||||
|
# Enable full ISO-8601 timestamp in all logs.
|
||||||
|
#new-log-timestamp
|
||||||
|
|
||||||
|
# Set timestamp format (in strftime(1) format)
|
||||||
|
#new-log-timestamp-format "%FT%T%z"
|
||||||
|
|
||||||
|
# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
|
||||||
|
# Enable binding logging and UDP endpoint logs in verbose log mode.
|
||||||
|
#log-binding
|
||||||
|
|
||||||
# Option to set the "redirection" mode. The value of this option
|
# Option to set the "redirection" mode. The value of this option
|
||||||
# will be the address of the alternate server for UDP & TCP service in form of
|
# will be the address of the alternate server for UDP & TCP service in the form of
|
||||||
# <ip>[:<port>]. The server will send this value in the attribute
|
# <ip>[:<port>]. The server will send this value in the attribute
|
||||||
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
|
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
|
||||||
# Client will receive only values with the same address family
|
# Client will receive only values with the same address family
|
||||||
# as the client network endpoint address family.
|
# as the client network endpoint address family.
|
||||||
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
|
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
|
||||||
# The client must use the obtained value for subsequent TURN communications.
|
# The client must use the obtained value for subsequent TURN communications.
|
||||||
# If more than one --alternate-server options are provided, then the functionality
|
# If more than one --alternate-server option is provided, then the functionality
|
||||||
# can be more accurately described as "load-balancing" than a mere "redirection".
|
# can be more accurately described as "load-balancing" than a mere "redirection".
|
||||||
# If the port number is omitted, then the default port
|
# If the port number is omitted, then the default port
|
||||||
# number 3478 for the UDP/TCP protocols will be used.
|
# number 3478 for the UDP/TCP protocols will be used.
|
||||||
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
|
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
|
||||||
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
|
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
|
||||||
# in square brackets in such resource identifiers, for example:
|
# in square brackets in such resource identifiers, for example:
|
||||||
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
|
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
|
||||||
# Multiple alternate servers can be set. They will be used in the
|
# Multiple alternate servers can be set. They will be used in the
|
||||||
# round-robin manner. All servers in the pool are considered of equal weight and
|
# round-robin manner. All servers in the pool are considered of equal weight and
|
||||||
# the load will be distributed equally. For example, if we have 4 alternate servers,
|
# the load will be distributed equally. For example, if you have 4 alternate servers,
|
||||||
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
|
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
|
||||||
# address can be used more than one time with the alternate-server option, so this
|
# address can be used more than one time with the alternate-server option, so this
|
||||||
# can emulate "weighting" of the servers.
|
# can emulate "weighting" of the servers.
|
||||||
#
|
#
|
||||||
# Examples:
|
# Examples:
|
||||||
#alternate-server=1.2.3.4:5678
|
#alternate-server=1.2.3.4:5678
|
||||||
#alternate-server=11.22.33.44:56789
|
#alternate-server=11.22.33.44:56789
|
||||||
#alternate-server=5.6.7.8
|
#alternate-server=5.6.7.8
|
||||||
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
||||||
|
|
||||||
# Option to set alternative server for TLS & DTLS services in form of
|
# Option to set alternative server for TLS & DTLS services in form of
|
||||||
# <ip>:<port>. If the port number is omitted, then the default port
|
# <ip>:<port>. If the port number is omitted, then the default port
|
||||||
# number 5349 for the TLS/DTLS protocols will be used. See the previous
|
# number 5349 for the TLS/DTLS protocols will be used. See the previous
|
||||||
# option for the functionality description.
|
# option for the functionality description.
|
||||||
#
|
#
|
||||||
# Examples:
|
# Examples:
|
||||||
#tls-alternate-server=1.2.3.4:5678
|
#tls-alternate-server=1.2.3.4:5678
|
||||||
#tls-alternate-server=11.22.33.44:56789
|
#tls-alternate-server=11.22.33.44:56789
|
||||||
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
||||||
|
@ -559,6 +592,15 @@ syslog
|
||||||
#
|
#
|
||||||
#stun-only
|
#stun-only
|
||||||
|
|
||||||
|
# Option to hide software version. Enhance security when used in production.
|
||||||
|
# Revealing the specific software version of the agent through the
|
||||||
|
# SOFTWARE attribute might allow them to become more vulnerable to
|
||||||
|
# attacks against software that is known to contain security holes.
|
||||||
|
# Implementers SHOULD make usage of the SOFTWARE attribute a
|
||||||
|
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
|
||||||
|
#
|
||||||
|
#no-software-attribute
|
||||||
|
|
||||||
# Option to suppress STUN functionality, only TURN requests will be processed.
|
# Option to suppress STUN functionality, only TURN requests will be processed.
|
||||||
# Run as TURN server only, all STUN requests will be ignored.
|
# Run as TURN server only, all STUN requests will be ignored.
|
||||||
# By default, this option is NOT set.
|
# By default, this option is NOT set.
|
||||||
|
@ -567,7 +609,7 @@ syslog
|
||||||
|
|
||||||
# This is the timestamp/username separator symbol (character) in TURN REST API.
|
# This is the timestamp/username separator symbol (character) in TURN REST API.
|
||||||
# The default value is ':'.
|
# The default value is ':'.
|
||||||
# rest-api-separator=:
|
# rest-api-separator=:
|
||||||
|
|
||||||
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
|
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
|
||||||
# This is an extra security measure.
|
# This is an extra security measure.
|
||||||
|
@ -575,9 +617,9 @@ syslog
|
||||||
# (To avoid any security issue that allowing loopback access may raise,
|
# (To avoid any security issue that allowing loopback access may raise,
|
||||||
# the no-loopback-peers option is replaced by allow-loopback-peers.)
|
# the no-loopback-peers option is replaced by allow-loopback-peers.)
|
||||||
#
|
#
|
||||||
# Allow it only for testing in a development environment!
|
# Allow it only for testing in a development environment!
|
||||||
# In production it adds a possible security vulnerability, so for security reasons
|
# In production it adds a possible security vulnerability, so for security reasons
|
||||||
# it is not allowed using it together with empty cli-password.
|
# it is not allowed using it together with empty cli-password.
|
||||||
#
|
#
|
||||||
#allow-loopback-peers
|
#allow-loopback-peers
|
||||||
|
|
||||||
|
@ -586,18 +628,18 @@ syslog
|
||||||
#
|
#
|
||||||
no-multicast-peers
|
no-multicast-peers
|
||||||
|
|
||||||
# Option to set the max time, in seconds, allowed for full allocation establishment.
|
# Option to set the max time, in seconds, allowed for full allocation establishment.
|
||||||
# Default is 60 seconds.
|
# Default is 60 seconds.
|
||||||
#
|
#
|
||||||
#max-allocate-timeout=60
|
#max-allocate-timeout=60
|
||||||
|
|
||||||
# Option to allow or ban specific ip addresses or ranges of ip addresses.
|
# Option to allow or ban specific ip addresses or ranges of ip addresses.
|
||||||
# If an ip address is specified as both allowed and denied, then the ip address is
|
# If an ip address is specified as both allowed and denied, then the ip address is
|
||||||
# considered to be allowed. This is useful when you wish to ban a range of ip
|
# considered to be allowed. This is useful when you wish to ban a range of ip
|
||||||
# addresses, except for a few specific ips within that range.
|
# addresses, except for a few specific ips within that range.
|
||||||
#
|
#
|
||||||
# This can be used when you do not want users of the turn server to be able to access
|
# This can be used when you do not want users of the turn server to be able to access
|
||||||
# machines reachable by the turn server, but would otherwise be unreachable from the
|
# machines reachable by the turn server, but would otherwise be unreachable from the
|
||||||
# internet (e.g. when the turn server is sitting behind a NAT)
|
# internet (e.g. when the turn server is sitting behind a NAT)
|
||||||
#
|
#
|
||||||
# Examples:
|
# Examples:
|
||||||
|
@ -619,22 +661,22 @@ no-multicast-peers
|
||||||
#
|
#
|
||||||
mobility
|
mobility
|
||||||
|
|
||||||
# Allocate Address Family according
|
# Allocate Address Family according
|
||||||
# If enabled then TURN server allocates address family according the TURN
|
# If enabled then TURN server allocates address family according the TURN
|
||||||
# Client <=> Server communication address family.
|
# Client <=> Server communication address family.
|
||||||
# (By default coTURN works according RFC 6156.)
|
# (By default Coturn works according RFC 6156.)
|
||||||
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
|
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
|
||||||
#
|
#
|
||||||
#keep-address-family
|
#keep-address-family
|
||||||
|
|
||||||
|
|
||||||
# User name to run the process. After the initialization, the turnserver process
|
# User name to run the process. After the initialization, the turnserver process
|
||||||
# will make an attempt to change the current user ID to that user.
|
# will attempt to change the current user ID to that user.
|
||||||
#
|
#
|
||||||
#proc-user=<user-name>
|
#proc-user=<user-name>
|
||||||
|
|
||||||
# Group name to run the process. After the initialization, the turnserver process
|
# Group name to run the process. After the initialization, the turnserver process
|
||||||
# will make an attempt to change the current group ID to that group.
|
# will attempt to change the current group ID to that group.
|
||||||
#
|
#
|
||||||
#proc-group=<group-name>
|
#proc-group=<group-name>
|
||||||
|
|
||||||
|
@ -654,8 +696,8 @@ mobility
|
||||||
#cli-port=5766
|
#cli-port=5766
|
||||||
|
|
||||||
# CLI access password. Default is empty (no password).
|
# CLI access password. Default is empty (no password).
|
||||||
# For the security reasons, it is recommended to use the encrypted
|
# For the security reasons, it is recommended that you use the encrypted
|
||||||
# for of the password (see the -P command in the turnadmin utility).
|
# form of the password (see the -P command in the turnadmin utility).
|
||||||
#
|
#
|
||||||
# Secure form for password 'qwerty':
|
# Secure form for password 'qwerty':
|
||||||
#
|
#
|
||||||
|
@ -684,10 +726,14 @@ mobility
|
||||||
#
|
#
|
||||||
#web-admin-listen-on-workers
|
#web-admin-listen-on-workers
|
||||||
|
|
||||||
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
#acme-redirect=http://redirectserver/.well-known/acme-challenge/
|
||||||
# Only for those applications when we want to run
|
# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
|
||||||
|
# Default is '', i.e. no special handling for such requests.
|
||||||
|
|
||||||
|
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
||||||
|
# Only for those applications when you want to run
|
||||||
# server applications on the relay endpoints.
|
# server applications on the relay endpoints.
|
||||||
# This option eliminates the IP permissions check on
|
# This option eliminates the IP permissions check on
|
||||||
# the packets incoming to the relay endpoints.
|
# the packets incoming to the relay endpoints.
|
||||||
#
|
#
|
||||||
#server-relay
|
#server-relay
|
||||||
|
@ -703,6 +749,6 @@ mobility
|
||||||
|
|
||||||
# Do not allow an TLS/DTLS version of protocol
|
# Do not allow an TLS/DTLS version of protocol
|
||||||
#
|
#
|
||||||
no-tlsv1
|
#no-tlsv1
|
||||||
no-tlsv1_1
|
#no-tlsv1_1
|
||||||
no-tlsv1_2
|
#no-tlsv1_2
|
||||||
|
|
|
@ -3,10 +3,12 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
|
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
|
||||||
#DHCPD_CONF=/etc/dhcp/dhcpd.conf
|
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
|
||||||
|
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
|
||||||
|
|
||||||
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
|
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
|
||||||
#DHCPD_PID=/var/run/dhcpd.pid
|
#DHCPDv4_PID=/var/run/dhcpd.pid
|
||||||
|
#DHCPDv6_PID=/var/run/dhcpd6.pid
|
||||||
|
|
||||||
# Additional options to start dhcpd with.
|
# Additional options to start dhcpd with.
|
||||||
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
|
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
|
||||||
|
@ -14,4 +16,6 @@
|
||||||
|
|
||||||
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
|
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
|
||||||
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
|
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
|
||||||
INTERFACES="eth0"
|
INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
|
||||||
|
INTERFACESv6=""
|
||||||
|
INTERFACES="{{ ansible_default_ipv4['interface'] }}"
|
||||||
|
|
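Review bot: The retained `INTERFACES="{{ ansible_default_ipv4['interface'] }}"` at the end of the second hunk now duplicates the new `INTERFACESv4=` line; the Debian isc-dhcp-server init script reads INTERFACESv4/INTERFACESv6 and, as far as I recall, only falls back to the legacy INTERFACES when the v4 variable is empty, so the old line is either dead or a second value to keep in sync — drop it, or keep a one-line comment naming the script version that still needs it. The unchanged comment `# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead` in the first hunk is stale now that the variables were renamed; change it to `# Don't use options -cf or -pf here; use DHCPDv4_CONF/ DHCPDv4_PID instead`. Binding the listener to `ansible_default_ipv4['interface']` ties dhcpd to whichever interface carries the default route, which on a multi-homed server may be the uplink rather than the client-facing segment, so a per-host inventory variable would be the safer choice (inferred from the fact's semantics, not verified against the inventory). `INTERFACESv6=""` with the v6 CONF/PID lines left commented out reads as an intentional "no DHCPv6"; a short comment saying so would stop the next maintainer from filling it in by habit.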
|
@ -3,13 +3,24 @@
|
||||||
# option definitions common to all supported networks...
|
# option definitions common to all supported networks...
|
||||||
option domain-name "binary.kitchen";
|
option domain-name "binary.kitchen";
|
||||||
option domain-name-servers {{ name_servers | join(', ') }};
|
option domain-name-servers {{ name_servers | join(', ') }};
|
||||||
|
option domain-search "binary.kitchen";
|
||||||
option ntp-servers 172.23.1.60, 172.23.2.3;
|
option ntp-servers 172.23.1.60, 172.23.2.3;
|
||||||
|
|
||||||
|
# options related to Mitel SIP-DECT
|
||||||
|
option space sipdect;
|
||||||
|
option local-encapsulation code 43 = encapsulate sipdect;
|
||||||
|
option sipdect.ommip1 code 10 = ip-address;
|
||||||
|
option sipdect.ommip2 code 19 = ip-address;
|
||||||
|
option sipdect.syslogip code 14 = ip-address;
|
||||||
|
option sipdect.syslogport code 15 = integer 16;
|
||||||
|
option magic_str code 224 = text;
|
||||||
|
|
||||||
default-lease-time 7200;
|
default-lease-time 7200;
|
||||||
max-lease-time 28800;
|
max-lease-time 28800;
|
||||||
|
|
||||||
# Use this to enble / disable dynamic dns updates globally.
|
# Use this to enble / disable dynamic dns updates globally.
|
||||||
ddns-update-style none;
|
ddns-update-style interim;
|
||||||
|
ddns-updates on;
|
||||||
|
|
||||||
# If this DHCP server is the official DHCP server for the local
|
# If this DHCP server is the official DHCP server for the local
|
||||||
# network, the authoritative directive should be uncommented.
|
# network, the authoritative directive should be uncommented.
|
||||||
|
@ -61,6 +72,8 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
|
||||||
# Users
|
# Users
|
||||||
subnet 172.23.3.0 netmask 255.255.255.0 {
|
subnet 172.23.3.0 netmask 255.255.255.0 {
|
||||||
option routers 172.23.3.1;
|
option routers 172.23.3.1;
|
||||||
|
ddns-domainname "users.binary.kitchen";
|
||||||
|
option domain-search "binary.kitchen", "users.binary.kitchen";
|
||||||
pool {
|
pool {
|
||||||
{% if dhcpd_failover == true %}
|
{% if dhcpd_failover == true %}
|
||||||
failover peer "failover-partner";
|
failover peer "failover-partner";
|
||||||
|
@ -80,6 +93,46 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Management Auweg
|
||||||
|
subnet 172.23.12.0 netmask 255.255.255.0 {
|
||||||
|
option routers 172.23.12.1;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Services Auweg
|
||||||
|
subnet 172.23.13.0 netmask 255.255.255.0 {
|
||||||
|
allow bootp;
|
||||||
|
option routers 172.23.13.1;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Users Auweg
|
||||||
|
subnet 172.23.14.0 netmask 255.255.255.0 {
|
||||||
|
option routers 172.23.14.1;
|
||||||
|
option domain-search "binary.kitchen", "users.binary.kitchen";
|
||||||
|
pool {
|
||||||
|
{% if dhcpd_failover == true %}
|
||||||
|
failover peer "failover-partner";
|
||||||
|
{% endif %}
|
||||||
|
range 172.23.14.10 172.23.14.230;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# MQTT Auweg
|
||||||
|
subnet 172.23.15.0 netmask 255.255.255.0 {
|
||||||
|
option routers 172.23.15.1;
|
||||||
|
pool {
|
||||||
|
{% if dhcpd_failover == true %}
|
||||||
|
failover peer "failover-partner";
|
||||||
|
{% endif %}
|
||||||
|
range 172.23.15.10 172.23.15.240;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# DDNS zones
|
||||||
|
|
||||||
|
zone users.binary.kitchen {
|
||||||
|
primary {{ dns_primary }};
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# Fixed IPs
|
# Fixed IPs
|
||||||
|
|
||||||
|
@ -89,7 +142,7 @@ host ap01 {
|
||||||
}
|
}
|
||||||
|
|
||||||
host ap04 {
|
host ap04 {
|
||||||
hardware ethernet 44:48:c1:ce:90:06;
|
hardware ethernet 74:9e:75:ce:93:54;
|
||||||
fixed-address ap04.binary.kitchen;
|
fixed-address ap04.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -98,34 +151,44 @@ host ap05 {
|
||||||
fixed-address ap05.binary.kitchen;
|
fixed-address ap05.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
host ap06 {
|
||||||
|
hardware ethernet 94:b4:0f:c0:1d:a0;
|
||||||
|
fixed-address ap06.binary.kitchen;
|
||||||
|
}
|
||||||
|
|
||||||
|
host ap11 {
|
||||||
|
hardware ethernet 18:64:72:c6:c2:0c;
|
||||||
|
fixed-address ap11.binary.kitchen;
|
||||||
|
}
|
||||||
|
|
||||||
|
host ap12 {
|
||||||
|
hardware ethernet 18:64:72:c6:c4:98;
|
||||||
|
fixed-address ap12.binary.kitchen;
|
||||||
|
}
|
||||||
|
|
||||||
host bowle {
|
host bowle {
|
||||||
hardware ethernet ac:1f:6b:25:16:b6;
|
hardware ethernet ac:1f:6b:25:16:b6;
|
||||||
fixed-address bowle.binary.kitchen;
|
fixed-address bowle.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
host cannelloni {
|
host cannelloni {
|
||||||
hardware ethernet 00:10:f3:15:88:ac;
|
hardware ethernet b8:27:eb:18:5c:11;
|
||||||
fixed-address cannelloni.binary.kitchen;
|
fixed-address cannelloni.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
host cashdesk {
|
|
||||||
hardware ethernet 00:0b:ca:94:13:f1;
|
|
||||||
fixed-address cashdesk.binary.kitchen;
|
|
||||||
}
|
|
||||||
|
|
||||||
host fusilli {
|
host fusilli {
|
||||||
hardware ethernet b8:27:eb:1d:b9:bf;
|
hardware ethernet b8:27:eb:1d:b9:bf;
|
||||||
fixed-address fusilli.binary.kitchen;
|
fixed-address fusilli.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
host garlic {
|
host habdisplay1 {
|
||||||
hardware ethernet b8:27:eb:56:2b:7c;
|
hardware ethernet b8:27:eb:b6:62:be;
|
||||||
fixed-address garlic.binary.kitchen;
|
fixed-address habdisplay1.mqtt.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
host homer {
|
host habdisplay2 {
|
||||||
hardware ethernet b8:27:eb:24:b2:12;
|
hardware ethernet b8:27:eb:df:0b:7b;
|
||||||
fixed-address homer.binary.kitchen;
|
fixed-address habdisplay2.mqtt.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
host klopi {
|
host klopi {
|
||||||
|
@ -139,7 +202,7 @@ host lock {
|
||||||
}
|
}
|
||||||
|
|
||||||
host maccaroni {
|
host maccaroni {
|
||||||
hardware ethernet b8:27:eb:18:5c:11;
|
hardware ethernet b8:27:eb:f5:9e:a1;
|
||||||
fixed-address maccaroni.binary.kitchen;
|
fixed-address maccaroni.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -159,22 +222,22 @@ host mpcnc {
|
||||||
}
|
}
|
||||||
|
|
||||||
host noodlehub {
|
host noodlehub {
|
||||||
hardware ethernet b8:27:eb:eb:e5:88;
|
hardware ethernet b8:27:eb:56:2b:7c;
|
||||||
fixed-address noodlehub.binary.kitchen;
|
fixed-address noodlehub.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
host openhabgw1 {
|
||||||
|
hardware ethernet dc:a6:32:bf:e2:3e;
|
||||||
|
fixed-address openhabgw1.mqtt.binary.kitchen;
|
||||||
|
}
|
||||||
|
|
||||||
host pizza {
|
host pizza {
|
||||||
hardware ethernet 52:54:00:17:02:21;
|
hardware ethernet 52:54:00:17:02:21;
|
||||||
fixed-address pizza.binary.kitchen;
|
fixed-address pizza.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
host punsch {
|
|
||||||
hardware ethernet 00:21:85:1b:7f:3d;
|
|
||||||
fixed-address punsch.binary.kitchen;
|
|
||||||
}
|
|
||||||
|
|
||||||
host spaghetti {
|
host spaghetti {
|
||||||
hardware ethernet b8:27:eb:e3:e9:f1;
|
hardware ethernet b8:27:eb:eb:e5:88;
|
||||||
fixed-address spaghetti.binary.kitchen;
|
fixed-address spaghetti.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -217,6 +280,34 @@ host voip04 {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Mitel SIP-DECT
|
||||||
|
|
||||||
|
host rfp01 {
|
||||||
|
hardware ethernet 00:30:42:1B:73:5A;
|
||||||
|
fixed-address 172.23.1.111;
|
||||||
|
option host-name "rfp01";
|
||||||
|
option sipdect.ommip1 172.23.2.35;
|
||||||
|
option magic_str = "OpenMobilitySIP-DECT";
|
||||||
|
}
|
||||||
|
|
||||||
|
host rfp02 {
|
||||||
|
hardware ethernet 00:30:42:21:D4:D5;
|
||||||
|
fixed-address 172.23.1.112;
|
||||||
|
option host-name "rfp02";
|
||||||
|
option sipdect.ommip1 172.23.2.35;
|
||||||
|
option magic_str = "OpenMobilitySIP-DECT";
|
||||||
|
}
|
||||||
|
|
||||||
|
host rfp11 {
|
||||||
|
hardware ethernet 00:30:42:1B:8B:9B;
|
||||||
|
fixed-address 172.23.12.111;
|
||||||
|
option host-name "rfp11";
|
||||||
|
option sipdect.ommip1 172.23.2.35;
|
||||||
|
option magic_str = "OpenMobilitySIP-DECT";
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# OMAPI
|
# OMAPI
|
||||||
|
|
||||||
omapi-port 7911;
|
omapi-port 7911;
|
||||||
|
|
|
@ -5,11 +5,21 @@
|
||||||
name:
|
name:
|
||||||
- pdns-server
|
- pdns-server
|
||||||
- pdns-backend-sqlite3
|
- pdns-backend-sqlite3
|
||||||
|
- sqlite3
|
||||||
|
|
||||||
- name: Configure powerdns
|
- name: Configure powerdns
|
||||||
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
|
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
|
||||||
notify: Restart powerdns
|
notify: Restart powerdns
|
||||||
|
|
||||||
|
- name: Initialize database
|
||||||
|
command:
|
||||||
|
cmd: >
|
||||||
|
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
||||||
|
/var/lib/powerdns/powerdns.sqlite3
|
||||||
|
creates: /var/lib/powerdns/powerdns.sqlite3
|
||||||
|
become: true
|
||||||
|
become_user: pdns
|
||||||
|
|
||||||
- name: Copy update policy script
|
- name: Copy update policy script
|
||||||
copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
|
copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
|
||||||
notify: Restart powerdns
|
notify: Restart powerdns
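Review bot: The `Initialize database` task cannot tell a failed schema load from a successful one, because `sqlite3 -init <file> <db>` prints errors from the init script but, as far as I can tell, may still exit 0 unless `-bail` is given; since the task is guarded by `creates:`, a half-initialised `powerdns.sqlite3` would then stay in place and never be retried. Adding the flag makes the failure explicit either way: `sqlite3 -bail -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql /var/lib/powerdns/powerdns.sqlite3`. A one-line comment above the task noting that the file is created as `pdns` so the daemon can open it read-write would also explain the `become_user` to the next reader.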
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
local-address=0.0.0.0
|
local-address=0.0.0.0, ::
|
||||||
local-ipv6=::
|
|
||||||
launch=gsqlite3
|
launch=gsqlite3
|
||||||
gsqlite3-dnssec
|
gsqlite3-dnssec
|
||||||
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
|
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
|
||||||
|
@ -11,3 +10,4 @@ allow-axfr-ips=127.0.0.1,::1{% if dns_axfr_ips is defined %},{{ dns_axfr_ips | j
|
||||||
{% endif %}
|
{% endif %}
|
||||||
allow-dnsupdate-from=0.0.0.0/0,::/0
|
allow-dnsupdate-from=0.0.0.0/0,::/0
|
||||||
lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
|
lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
|
||||||
|
security-poll-suffix=
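Review bot: Enabling the IPv6 listener (`local-address=0.0.0.0, ::`) makes the `::/0` half of the unchanged `allow-dnsupdate-from=0.0.0.0/0,::/0` line effective for the first time, so RFC2136 updates are now accepted from any IPv6 source with only `updatepolicy.lua` standing between the network and the zone data. The sibling pdns.conf.j2 in this same change restricts updates to loopback plus `{{ dhcpd_primary }}`/`{{ dhcpd_secondary }}`; the same allowlist, or a dedicated variable, would fit here, e.g. `allow-dnsupdate-from=127.0.0.0/8,::1,{{ dns_update_clients | join(',') }}`. If the open allowlist is intentional because the Lua policy enforces TSIG, a comment above the line saying exactly that would save the next reader the same question.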
|
||||||
|
|
|
@ -5,3 +5,6 @@
|
||||||
with_items:
|
with_items:
|
||||||
- pdns
|
- pdns
|
||||||
- pdns-recursor
|
- pdns-recursor
|
||||||
|
|
||||||
|
- name: Restart dnsdist
|
||||||
|
service: name=dnsdist state=restarted
|
||||||
|
|
|
@ -3,8 +3,11 @@
|
||||||
- name: Install powerdns
|
- name: Install powerdns
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
|
- dnsdist
|
||||||
|
- pdns-backend-sqlite3
|
||||||
- pdns-server
|
- pdns-server
|
||||||
- pdns-recursor
|
- pdns-recursor
|
||||||
|
- sqlite3
|
||||||
|
|
||||||
- name: Create zone directory
|
- name: Create zone directory
|
||||||
file: path=/etc/powerdns/bind/ state=directory
|
file: path=/etc/powerdns/bind/ state=directory
|
||||||
|
@ -19,8 +22,28 @@
|
||||||
- bind/23.172.in-addr.arpa.zone
|
- bind/23.172.in-addr.arpa.zone
|
||||||
- bind/binary.kitchen.zone
|
- bind/binary.kitchen.zone
|
||||||
|
|
||||||
|
- name: Initialize database
|
||||||
|
command:
|
||||||
|
cmd: >
|
||||||
|
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
||||||
|
/var/lib/powerdns/pdns.sqlite3
|
||||||
|
creates: /var/lib/powerdns/pdns.sqlite3
|
||||||
|
become: true
|
||||||
|
become_user: pdns
|
||||||
|
|
||||||
|
# TODO
|
||||||
|
# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
|
||||||
|
|
||||||
|
# TODO
|
||||||
|
# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
|
||||||
|
|
||||||
|
- name: Configure dnsdist
|
||||||
|
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
||||||
|
notify: Restart dnsdist
|
||||||
|
|
||||||
- name: Start the powerdns services
|
- name: Start the powerdns services
|
||||||
service: name={{ item }} state=started enabled=yes
|
service: name={{ item }} state=started enabled=yes
|
||||||
with_items:
|
with_items:
|
||||||
|
- dnsdist
|
||||||
- pdns
|
- pdns
|
||||||
- pdns-recursor
|
- pdns-recursor
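Review bot: The two `# TODO` comments leave `users.binary.kitchen` to be created by hand on both servers, yet the secondary is configured with `slave=yes` in this same change, so a freshly provisioned secondary will quietly serve nothing for that zone until someone runs `pdnsutil create-slave-zone`. A pair of tasks that checks `pdnsutil list-all-zones` and creates the zone when it is missing would let the role converge on its own; a sketch for the secondary is below (the primary gets the same shape with `pdnsutil create-zone users.binary.kitchen`), and the exact `when` test may need adjusting to pdnsutil's output. The `Initialize database` task here has the same caveat as its sibling role: `sqlite3 -init` does not, as far as I can tell, fail on schema errors unless `-bail` is passed, and `creates:` would then never retry.
```yaml
- name: List existing zones
  command: pdnsutil list-all-zones
  register: pdns_zones
  changed_when: false
  become: true
  become_user: pdns

- name: Create secondary zone users.binary.kitchen
  command: pdnsutil create-slave-zone users.binary.kitchen {{ dns_primary }}
  when:
    - dns_secondary is defined
    - ansible_default_ipv4.address == dns_secondary
    - "'users.binary.kitchen' not in pdns_zones.stdout_lines"
  become: true
  become_user: pdns
# … unchanged: Configure dnsdist, Start the powerdns services …
```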
|
||||||
|
|
|
@ -1,52 +1,57 @@
|
||||||
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
||||||
$TTL 1h ; default time-to-live
|
$TTL 1h ; default time-to-live
|
||||||
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||||
2020051101; serial
|
2024051300; serial
|
||||||
1d; refresh
|
1d; refresh
|
||||||
2h; retry
|
2h; retry
|
||||||
4w; expire
|
4w; expire
|
||||||
1h; minimum time-to-live
|
1h; minimum time-to-live
|
||||||
)
|
)
|
||||||
IN NS ns.binary.kitchen.
|
IN NS ns1.binary.kitchen.
|
||||||
|
IN NS ns2.binary.kitchen.
|
||||||
; Loopback
|
; Loopback
|
||||||
1.0 IN PTR core.binary.kitchen.
|
1.0 IN PTR core.binary.kitchen.
|
||||||
2.0 IN PTR erx-bk.binary.kitchen.
|
2.0 IN PTR rt-w13b.binary.kitchen.
|
||||||
3.0 IN PTR erx-rz.binary.kitchen.
|
3.0 IN PTR erx-rz.binary.kitchen.
|
||||||
4.0 IN PTR pf-bk.binary.kitchen.
|
4.0 IN PTR erx-auweg.binary.kitchen.
|
||||||
5.0 IN PTR pf-rz.binary.kitchen.
|
|
||||||
; Management
|
; Management
|
||||||
1.1 IN PTR v2301.core.binary.kitchen.
|
1.1 IN PTR v2301.core.binary.kitchen.
|
||||||
11.1 IN PTR ups1.binary.kitchen.
|
11.1 IN PTR ups1.binary.kitchen.
|
||||||
21.1 IN PTR pdu1.binary.kitchen.
|
21.1 IN PTR pdu1.binary.kitchen.
|
||||||
22.1 IN PTR pdu2.binary.kitchen.
|
22.1 IN PTR pdu2.binary.kitchen.
|
||||||
23.1 IN PTR pdu3.binary.kitchen.
|
23.1 IN PTR pdu3.binary.kitchen.
|
||||||
31.1 IN PTR sw01.binary.kitchen.
|
31.1 IN PTR sw-butchery.binary.kitchen.
|
||||||
32.1 IN PTR sw02.binary.kitchen.
|
32.1 IN PTR sw-mini.binary.kitchen.
|
||||||
33.1 IN PTR sw03.binary.kitchen.
|
33.1 IN PTR sw-rack.binary.kitchen.
|
||||||
41.1 IN PTR ap01.binary.kitchen.
|
41.1 IN PTR ap01.binary.kitchen.
|
||||||
42.1 IN PTR ap02.binary.kitchen.
|
42.1 IN PTR ap02.binary.kitchen.
|
||||||
43.1 IN PTR ap03.binary.kitchen.
|
|
||||||
44.1 IN PTR ap04.binary.kitchen.
|
44.1 IN PTR ap04.binary.kitchen.
|
||||||
45.1 IN PTR ap05.binary.kitchen.
|
45.1 IN PTR ap05.binary.kitchen.
|
||||||
|
46.1 IN PTR ap06.binary.kitchen.
|
||||||
51.1 IN PTR modem.binary.kitchen.
|
51.1 IN PTR modem.binary.kitchen.
|
||||||
60.1 IN PTR wurst.binary.kitchen.
|
60.1 IN PTR wurst.binary.kitchen.
|
||||||
80.1 IN PTR wurst-bmc.binary.kitchen.
|
80.1 IN PTR wurst-bmc.binary.kitchen.
|
||||||
82.1 IN PTR bowle-bmc.binary.kitchen.
|
82.1 IN PTR bowle-bmc.binary.kitchen.
|
||||||
101.1 IN PTR nbe-w13b.binary.kitchen.
|
101.1 IN PTR nbe-w13b.binary.kitchen.
|
||||||
102.1 IN PTR nbe-tr8.binary.kitchen.
|
102.1 IN PTR nbe-tr8.binary.kitchen.
|
||||||
|
111.1 IN PTR rfp01.binary.kitchen.
|
||||||
|
112.1 IN PTR rfp02.binary.kitchen.
|
||||||
; Services
|
; Services
|
||||||
1.2 IN PTR v2302.core.binary.kitchen.
|
1.2 IN PTR v2302.core.binary.kitchen.
|
||||||
2.2 IN PTR ns.binary.kitchen.
|
|
||||||
3.2 IN PTR bacon.binary.kitchen.
|
3.2 IN PTR bacon.binary.kitchen.
|
||||||
4.2 IN PTR aveta.binary.kitchen.
|
4.2 IN PTR aveta.binary.kitchen.
|
||||||
5.2 IN PTR sulis.binary.kitchen.
|
5.2 IN PTR sulis.binary.kitchen.
|
||||||
6.2 IN PTR nabia.binary.kitchen.
|
6.2 IN PTR nabia.binary.kitchen.
|
||||||
11.2 IN PTR homer.binary.kitchen.
|
7.2 IN PTR epona.binary.kitchen.
|
||||||
12.2 IN PTR lock.binary.kitchen.
|
12.2 IN PTR lock.binary.kitchen.
|
||||||
13.2 IN PTR matrix.binary.kitchen.
|
13.2 IN PTR matrix.binary.kitchen.
|
||||||
33.2 IN PTR pizza.binary.kitchen.
|
33.2 IN PTR pizza.binary.kitchen.
|
||||||
|
34.2 IN PTR pancake.binary.kitchen.
|
||||||
|
35.2 IN PTR knoedel.binary.kitchen.
|
||||||
36.2 IN PTR schweinshaxn.binary.kitchen.
|
36.2 IN PTR schweinshaxn.binary.kitchen.
|
||||||
44.2 IN PTR cashdesk.binary.kitchen.
|
37.2 IN PTR bob.binary.kitchen.
|
||||||
|
38.2 IN PTR lasagne.binary.kitchen.
|
||||||
|
39.2 IN PTR tschunk.binary.kitchen.
|
||||||
62.2 IN PTR bowle.binary.kitchen.
|
62.2 IN PTR bowle.binary.kitchen.
|
||||||
91.2 IN PTR strammermax.binary.kitchen.
|
91.2 IN PTR strammermax.binary.kitchen.
|
||||||
92.2 IN PTR obatzda.binary.kitchen.
|
92.2 IN PTR obatzda.binary.kitchen.
|
||||||
|
@ -56,32 +61,48 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
|
||||||
240.3 IN PTR fusilli.binary.kitchen.
|
240.3 IN PTR fusilli.binary.kitchen.
|
||||||
241.3 IN PTR klopi.binary.kitchen.
|
241.3 IN PTR klopi.binary.kitchen.
|
||||||
242.3 IN PTR mpcnc.binary.kitchen.
|
242.3 IN PTR mpcnc.binary.kitchen.
|
||||||
243.3 IN PTR garlic.binary.kitchen.
|
|
||||||
244.3 IN PTR mirror.binary.kitchen.
|
244.3 IN PTR mirror.binary.kitchen.
|
||||||
245.3 IN PTR spaghetti.binary.kitchen.
|
245.3 IN PTR spaghetti.binary.kitchen.
|
||||||
246.3 IN PTR maccaroni.binary.kitchen.
|
246.3 IN PTR maccaroni.binary.kitchen.
|
||||||
247.3 IN PTR pve02-bmc.tmp.binary.kitchen.
|
|
||||||
248.3 IN PTR pve02.tmp.binary.kitchen.
|
|
||||||
249.3 IN PTR ffrgb.binary.kitchen.
|
|
||||||
250.3 IN PTR cannelloni.binary.kitchen.
|
250.3 IN PTR cannelloni.binary.kitchen.
|
||||||
251.3 IN PTR noodlehub.binary.kitchen.
|
251.3 IN PTR noodlehub.binary.kitchen.
|
||||||
; MQTT
|
; MQTT
|
||||||
1.4 IN PTR v2304.core.binary.kitchen.
|
1.4 IN PTR v2304.core.binary.kitchen.
|
||||||
6.4 IN PTR pizza.mqtt.binary.kitchen.
|
6.4 IN PTR pizza.mqtt.binary.kitchen.
|
||||||
|
7.4 IN PTR lasagne.mqtt.binary.kitchen.
|
||||||
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
|
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
|
||||||
|
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
|
||||||
|
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
|
||||||
|
245.4 IN PTR logo1.mqtt.binary.kitchen.
|
||||||
|
246.4 IN PTR logo2.mqtt.binary.kitchen.
|
||||||
|
250.4 IN PTR moodlights1.mqtt.binary.kitchen.
|
||||||
|
251.4 IN PTR openhabgw1.mqtt.binary.kitchen.
|
||||||
|
252.4 IN PTR homematic-ccu2.mqtt.binary.kitchen.
|
||||||
; Management RZ
|
; Management RZ
|
||||||
1.9 IN PTR switch0.erx-rz.binary.kitchen.
|
1.9 IN PTR switch0.erx-rz.binary.kitchen.
|
||||||
61.9 IN PTR salat.binary.kitchen.
|
61.9 IN PTR salat.binary.kitchen.
|
||||||
81.9 IN PTR salat-bmc.binary.kitchen.
|
81.9 IN PTR salat-bmc.binary.kitchen.
|
||||||
; Services RZ
|
; Services RZ
|
||||||
23.8 IN PTR cernunnos.binary.kitchen.
|
|
||||||
; VPN RZ (ER-X)
|
; VPN RZ (ER-X)
|
||||||
1.10 IN PTR wg1.erx-rz.binary.kitchen.
|
1.10 IN PTR wg0.erx-rz.binary.kitchen.
|
||||||
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
|
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
|
||||||
; VPN RZ (pf)
|
; Management Auweg
|
||||||
$GENERATE 2-254 $.11 IN PTR vpn-${0,3,d}-11.binary.kitchen.
|
31.12 IN PTR sw-auweg.binary.kitchen.
|
||||||
|
41.12 IN PTR ap11.binary.kitchen.
|
||||||
|
42.12 IN PTR ap12.binary.kitchen.
|
||||||
|
61.12 IN PTR weizen.binary.kitchen.
|
||||||
|
111.12 IN PTR rfp11.binary.kitchen.
|
||||||
|
; Services Auweg
|
||||||
|
3.13 IN PTR aeron.binary.kitchen.
|
||||||
|
12.13 IN PTR lock-auweg.binary.kitchen.
|
||||||
|
; Clients Auweg
|
||||||
|
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
|
||||||
|
; MQTT
|
||||||
|
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
|
||||||
; Point-to-Point
|
; Point-to-Point
|
||||||
1.96 IN PTR v400.erx-bk.binary.kitchen.
|
1.96 IN PTR v400.erx-bk.binary.kitchen.
|
||||||
2.96 IN PTR v400.core.binary.kitchen.
|
2.96 IN PTR v400.core.binary.kitchen.
|
||||||
1.97 IN PTR wg0.erx-rz.binary.kitchen.
|
1.97 IN PTR wg1.erx-rz.binary.kitchen.
|
||||||
2.97 IN PTR wg0.erx-bk.binary.kitchen.
|
2.97 IN PTR wg1.erx-bk.binary.kitchen.
|
||||||
|
5.97 IN PTR wg2.erx-rz.binary.kitchen.
|
||||||
|
6.97 IN PTR wg2.erx-auweg.binary.kitchen.
|
||||||
|
|
|
@ -1,67 +1,80 @@
|
||||||
$ORIGIN binary.kitchen ; base for unqualified names
|
$ORIGIN binary.kitchen ; base for unqualified names
|
||||||
$TTL 1h ; default time-to-live
|
$TTL 1h ; default time-to-live
|
||||||
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||||
2020051101; serial
|
2024051300; serial
|
||||||
1d; refresh
|
1d; refresh
|
||||||
2h; retry
|
2h; retry
|
||||||
4w; expire
|
4w; expire
|
||||||
1h; minimum time-to-live
|
1h; minimum time-to-live
|
||||||
)
|
)
|
||||||
IN NS ns.binary.kitchen.
|
IN NS ns1.binary.kitchen.
|
||||||
|
IN NS ns2.binary.kitchen.
|
||||||
|
; Subdomains
|
||||||
|
users IN NS ns1.binary.kitchen.
|
||||||
|
users IN NS ns2.binary.kitchen.
|
||||||
; External
|
; External
|
||||||
IN A 213.166.246.4
|
IN A 213.166.246.4
|
||||||
www IN A 213.166.246.4
|
www IN A 213.166.246.4
|
||||||
; Aliases
|
; Aliases
|
||||||
3dprinter IN A 172.23.3.251
|
3dprinter IN A 172.23.3.251
|
||||||
|
icinga IN A 172.23.2.6
|
||||||
ldap IN A 172.23.2.3
|
ldap IN A 172.23.2.3
|
||||||
ldap IN A 172.23.2.4
|
ldap IN A 172.23.2.4
|
||||||
ldap IN A 213.166.246.2
|
ldap IN A 213.166.246.2
|
||||||
ldap1 IN A 172.23.2.3
|
ldap1 IN A 172.23.2.3
|
||||||
ldap2 IN A 172.23.2.4
|
ldap2 IN A 172.23.2.4
|
||||||
|
ldap3 IN A 172.23.13.3
|
||||||
ldapm IN A 213.166.246.2
|
ldapm IN A 213.166.246.2
|
||||||
librenms IN A 172.23.2.6
|
librenms IN A 172.23.2.6
|
||||||
racktables IN A 172.23.2.6
|
netbox IN A 172.23.2.7
|
||||||
|
ns1 IN A 172.23.2.3
|
||||||
|
ns2 IN A 172.23.2.4
|
||||||
|
omm IN A 172.23.2.35
|
||||||
radius IN A 172.23.2.3
|
radius IN A 172.23.2.3
|
||||||
radius IN A 172.23.2.4
|
radius IN A 172.23.2.4
|
||||||
; Loopback
|
; Loopback
|
||||||
core IN A 172.23.0.1
|
core IN A 172.23.0.1
|
||||||
erx-bk IN A 172.23.0.2
|
rt-w13b IN A 172.23.0.2
|
||||||
erx-rz IN A 172.23.0.3
|
erx-rz IN A 172.23.0.3
|
||||||
pf-bk IN A 172.23.0.4
|
erx-auweg IN A 172.23.0.4
|
||||||
pf-rz IN A 172.23.0.5
|
|
||||||
; Management
|
; Management
|
||||||
v2301.core IN A 172.23.1.1
|
v2301.core IN A 172.23.1.1
|
||||||
ups1 IN A 172.23.1.11
|
ups1 IN A 172.23.1.11
|
||||||
pdu1 IN A 172.23.1.21
|
pdu1 IN A 172.23.1.21
|
||||||
pdu2 IN A 172.23.1.22
|
pdu2 IN A 172.23.1.22
|
||||||
pdu3 IN A 172.23.1.23
|
pdu3 IN A 172.23.1.23
|
||||||
sw01 IN A 172.23.1.31
|
sw-butchery IN A 172.23.1.31
|
||||||
sw02 IN A 172.23.1.32
|
sw-mini IN A 172.23.1.32
|
||||||
sw03 IN A 172.23.1.33
|
sw-rack IN A 172.23.1.33
|
||||||
ap01 IN A 172.23.1.41
|
ap01 IN A 172.23.1.41
|
||||||
ap02 IN A 172.23.1.42
|
ap02 IN A 172.23.1.42
|
||||||
ap03 IN A 172.23.1.43
|
|
||||||
ap04 IN A 172.23.1.44
|
ap04 IN A 172.23.1.44
|
||||||
ap05 IN A 172.23.1.45
|
ap05 IN A 172.23.1.45
|
||||||
|
ap06 IN A 172.23.1.46
|
||||||
modem IN A 172.23.1.51
|
modem IN A 172.23.1.51
|
||||||
wurst IN A 172.23.1.60
|
wurst IN A 172.23.1.60
|
||||||
wurst-bmc IN A 172.23.1.80
|
wurst-bmc IN A 172.23.1.80
|
||||||
bowle-bmc IN A 172.23.1.82
|
bowle-bmc IN A 172.23.1.82
|
||||||
nbe-w13b IN A 172.23.1.101
|
nbe-w13b IN A 172.23.1.101
|
||||||
nbe-tr8 IN A 172.23.1.102
|
nbe-tr8 IN A 172.23.1.102
|
||||||
|
rfp01 IN A 172.23.1.111
|
||||||
|
rfp02 IN A 172.23.1.112
|
||||||
; Services
|
; Services
|
||||||
v2302.core IN A 172.23.2.1
|
v2302.core IN A 172.23.2.1
|
||||||
ns IN A 172.23.2.2
|
|
||||||
bacon IN A 172.23.2.3
|
bacon IN A 172.23.2.3
|
||||||
aveta IN A 172.23.2.4
|
aveta IN A 172.23.2.4
|
||||||
sulis IN A 172.23.2.5
|
sulis IN A 172.23.2.5
|
||||||
nabia IN A 172.23.2.6
|
nabia IN A 172.23.2.6
|
||||||
homer IN A 172.23.2.11
|
epona IN A 172.23.2.7
|
||||||
lock IN A 172.23.2.12
|
lock IN A 172.23.2.12
|
||||||
matrix IN A 172.23.2.13
|
matrix IN A 172.23.2.13
|
||||||
pizza IN A 172.23.2.33
|
pizza IN A 172.23.2.33
|
||||||
|
pancake IN A 172.23.2.34
|
||||||
|
knoedel IN A 172.23.2.35
|
||||||
schweinshaxn IN A 172.23.2.36
|
schweinshaxn IN A 172.23.2.36
|
||||||
cashdesk IN A 172.23.2.44
|
bob IN A 172.23.2.37
|
||||||
|
lasagne IN A 172.23.2.38
|
||||||
|
tschunk IN A 172.23.2.39
|
||||||
bowle IN A 172.23.2.62
|
bowle IN A 172.23.2.62
|
||||||
strammermax IN A 172.23.2.91
|
strammermax IN A 172.23.2.91
|
||||||
obatzda IN A 172.23.2.92
|
obatzda IN A 172.23.2.92
|
||||||
|
@ -71,32 +84,48 @@ $GENERATE 10-230 dhcp-${0,3,d}-03 IN A 172.23.3.$
|
||||||
fusilli IN A 172.23.3.240
|
fusilli IN A 172.23.3.240
|
||||||
klopi IN A 172.23.3.241
|
klopi IN A 172.23.3.241
|
||||||
mpcnc IN A 172.23.3.242
|
mpcnc IN A 172.23.3.242
|
||||||
garlic IN A 172.23.3.243
|
|
||||||
mirror IN A 172.23.3.244
|
mirror IN A 172.23.3.244
|
||||||
spaghetti IN A 172.23.3.245
|
spaghetti IN A 172.23.3.245
|
||||||
maccaroni IN A 172.23.3.246
|
maccaroni IN A 172.23.3.246
|
||||||
pve02-bmc.tmp IN A 172.23.3.247
|
|
||||||
pve02.tmp IN A 172.23.3.248
|
|
||||||
ffrgb IN A 172.23.3.249
|
|
||||||
cannelloni IN A 172.23.3.250
|
cannelloni IN A 172.23.3.250
|
||||||
noodlehub IN A 172.23.3.251
|
noodlehub IN A 172.23.3.251
|
||||||
; MQTT
|
; MQTT
|
||||||
v2304.core IN A 172.23.4.1
|
v2304.core IN A 172.23.4.1
|
||||||
pizza.mqtt IN A 172.23.4.6
|
pizza.mqtt IN A 172.23.4.6
|
||||||
|
lasagne.mqtt IN A 172.23.4.7
|
||||||
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
|
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
|
||||||
|
habdisplay1.mqtt IN A 172.23.4.241
|
||||||
|
habdisplay2.mqtt IN A 172.23.4.242
|
||||||
|
logo1.mqtt IN A 172.23.4.245
|
||||||
|
logo2.mqtt IN A 172.23.4.246
|
||||||
|
moodlights1.mqtt IN A 172.23.4.250
|
||||||
|
openhabgw1.mqtt IN A 172.23.4.251
|
||||||
|
homematic-ccu2.mqtt IN A 172.23.4.252
|
||||||
; Management RZ
|
; Management RZ
|
||||||
switch0.erx-rz IN A 172.23.9.1
|
switch0.erx-rz IN A 172.23.9.1
|
||||||
salat IN A 172.23.9.61
|
salat IN A 172.23.9.61
|
||||||
salat-bmc IN A 172.23.9.81
|
salat-bmc IN A 172.23.9.81
|
||||||
; Services RZ
|
; Services RZ
|
||||||
cernunnos IN A 172.23.8.23
|
; Management Auweg
|
||||||
|
sw-auweg IN A 172.23.12.31
|
||||||
|
ap11 IN A 172.23.12.41
|
||||||
|
ap12 IN A 172.23.12.42
|
||||||
|
weizen IN A 172.23.12.61
|
||||||
|
rfp11 IN A 172.23.12.111
|
||||||
|
; Services Auweg
|
||||||
|
aeron IN A 172.23.13.3
|
||||||
|
lock-auweg IN A 172.23.13.12
|
||||||
|
; Clients Auweg
|
||||||
|
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
|
||||||
|
; MQTT Auweg
|
||||||
|
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
|
||||||
; VPN RZ (ER-X)
|
; VPN RZ (ER-X)
|
||||||
wg1.erx-rz IN A 172.23.10.1
|
wg0.erx-rz IN A 172.23.10.1
|
||||||
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
|
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
|
||||||
; VPN RZ (pf)
|
|
||||||
$GENERATE 2-254 vpn-${0,3,d}-11 IN A 172.23.11.$
|
|
||||||
; Point-to-Point
|
; Point-to-Point
|
||||||
v400.erx-bk IN A 172.23.96.1
|
v400.erx-bk IN A 172.23.96.1
|
||||||
v400.core IN A 172.23.96.2
|
v400.core IN A 172.23.96.2
|
||||||
wg0.erx-rz IN A 172.23.97.1
|
wg1.erx-rz IN A 172.23.97.1
|
||||||
wg0.erx-bk IN A 172.23.97.2
|
wg1.erx-bk IN A 172.23.97.2
|
||||||
|
wg2.erx-rz IN A 172.23.97.5
|
||||||
|
wg2.erx-auweg IN A 172.23.97.6
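Review bot: The new `users IN NS ns1./ns2.` delegation says nothing about where that child zone lives, and nothing else in this file does either; from the tasks in the same change it appears to be served out of the gsqlite3 backend (the `create-slave-zone` TODO) rather than from a bind/ zone file, so a comment such as `; users: dynamically updated child zone (RFC2136), served from the gsqlite3 backend, not from bind/` would keep someone from looking for a missing file. Because ns1 and ns2 are in-zone names, their `A` records a few lines below double as glue for that delegation; a short `; ns1/ns2 also serve as glue for the users delegation` next to them would prevent them being dropped in a future host rename.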
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
-- {{ ansible_managed }}
|
||||||
|
|
||||||
|
setLocal('127.0.0.1')
|
||||||
|
addLocal('::1')
|
||||||
|
addLocal('{{ ansible_default_ipv4.address }}')
|
||||||
|
|
||||||
|
-- define downstream servers/pools
|
||||||
|
newServer({address='127.0.0.1:5300', pool='authdns'})
|
||||||
|
newServer({address='127.0.0.1:5353', pool='resolve'})
|
||||||
|
|
||||||
|
{% if dns_secondary is defined %}
|
||||||
|
-- allow AXFR/IXFR only from slaves
|
||||||
|
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
-- allow NOTIFY only from master
|
||||||
|
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
|
||||||
|
|
||||||
|
-- use auth servers for own zones
|
||||||
|
addAction('binary.kitchen', PoolAction('authdns'))
|
||||||
|
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
|
||||||
|
|
||||||
|
-- use resolver for anything else
|
||||||
|
addAction(AllRule(), PoolAction('resolve'))
|
||||||
|
|
||||||
|
-- disable security status polling via DNS
|
||||||
|
setSecurityPollSuffix('')
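Review bot: Every query dnsdist forwards to `127.0.0.1:5300` reaches the authoritative server from 127.0.0.1, and the `newServer` lines set no `useProxyProtocol`, so pdns's own source-based controls (`allow-dnsupdate-from`, and the default `allow-axfr-ips`, which covers 127.0.0.0/8) see every client as local; the rules in this file are therefore the only effective access control for updates and zone transfers. There is no rule for RFC2136 updates at all, and the AXFR/IXFR refusal is only rendered when `dns_secondary` is defined, so a primary without a secondary hands out full zone transfers to anyone dnsdist accepts. I'd add an update rule mirroring the NOTIFY one — `addAction(AndRule({OpcodeRule(DNSOpcode.Update), NotRule(makeRule({"{{ dhcpd_primary }}"{% if dhcpd_secondary is defined %}, "{{ dhcpd_secondary }}"{% endif %}}))}), RCodeAction(DNSRCode.REFUSED))` — and render the transfer refusal unconditionally, wrapping only the `NotRule(makeRule(...))` exemption in the `{% if %}`. Alternatively, where the installed versions support it, enable the proxy protocol on the `authdns` server (`useProxyProtocol=true`, paired with `proxy-protocol-from=127.0.0.1` in pdns.conf) so the allowlists in pdns.conf.j2 regain their meaning. An explicit `setACL({...})` listing the internal ranges would also document that recursion is meant to be internal-only instead of relying on dnsdist's built-in default ACL.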
|
|
@ -1,46 +1,90 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
{% if ansible_default_ipv4.address == dns_primary %}
|
||||||
#################################
|
#################################
|
||||||
# launch Which backends to launch and order to query them in
|
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
|
||||||
#
|
#
|
||||||
# launch=
|
# allow-dnsupdate-from=127.0.0.0/8,::1
|
||||||
launch=bind
|
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-address Local IP addresses to which we bind
|
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
|
||||||
|
#
|
||||||
|
# dnsupdate=no
|
||||||
|
dnsupdate=yes
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# launch Which backends to launch and order to query them in
|
||||||
|
#
|
||||||
|
# launch=
|
||||||
|
launch=bind,gsqlite3
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# local-address Local IP addresses to which we bind
|
||||||
#
|
#
|
||||||
# local-address=0.0.0.0
|
# local-address=0.0.0.0
|
||||||
local-address=127.0.0.1
|
local-address=127.0.0.1
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-ipv6 Local IP address to which we bind
|
# local-port The port on which we listen
|
||||||
#
|
|
||||||
# local-ipv6=::
|
|
||||||
local-ipv6=
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# local-port The port on which we listen
|
|
||||||
#
|
#
|
||||||
# local-port=53
|
# local-port=53
|
||||||
local-port=5300
|
local-port=5300
|
||||||
|
|
||||||
|
{% if ansible_default_ipv4.address == dns_primary %}
|
||||||
#################################
|
#################################
|
||||||
# security-poll-suffix Domain name from which to query security update notifications
|
# master Act as a master
|
||||||
|
#
|
||||||
|
# master=no
|
||||||
|
master=yes
|
||||||
|
|
||||||
|
{% if dns_secondary is defined %}
|
||||||
|
#################################
|
||||||
|
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
|
||||||
|
#
|
||||||
|
# only-notify=0.0.0.0/0,::/0
|
||||||
|
only-notify={{ dns_secondary }}
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# security-poll-suffix Domain name from which to query security update notifications
|
||||||
#
|
#
|
||||||
# security-poll-suffix=secpoll.powerdns.com.
|
# security-poll-suffix=secpoll.powerdns.com.
|
||||||
security-poll-suffix=
|
security-poll-suffix=
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setgid If set, change group id to this gid for more security
|
# setgid If set, change group id to this gid for more security
|
||||||
#
|
#
|
||||||
setgid=pdns
|
setgid=pdns
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setuid If set, change user id to this uid for more security
|
# setuid If set, change user id to this uid for more security
|
||||||
#
|
#
|
||||||
setuid=pdns
|
setuid=pdns
|
||||||
|
|
||||||
|
{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
|
||||||
#################################
|
#################################
|
||||||
# bind-config Location of the Bind configuration file to parse.
|
# slave Act as a slave
|
||||||
|
#
|
||||||
|
# slave=no
|
||||||
|
slave=yes
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# trusted-notification-proxy IP address of incoming notification proxy
|
||||||
|
#
|
||||||
|
# trusted-notification-proxy=
|
||||||
|
trusted-notification-proxy=127.0.0.1,::1
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# bind-config Location of named.conf
|
||||||
#
|
#
|
||||||
bind-config=/etc/powerdns/bindbackend.conf
|
bind-config=/etc/powerdns/bindbackend.conf
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# gsqlite3-database Filename of the SQLite3 database
|
||||||
|
#
|
||||||
|
# gsqlite3-database=
|
||||||
|
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
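Review bot: The `{{ dhcpd_primary }}`/`{{ dhcpd_secondary }}` entries in `allow-dnsupdate-from` can never match, because this server binds only `local-address=127.0.0.1` on `local-port=5300` and receives everything via dnsdist; the `127.0.0.0/8` entry alone admits every forwarded update, and the DHCP entries are dead configuration that suggests a restriction which does not exist. Unlike the sibling role, no `lua-dnsupdate-policy-script` and no per-zone TSIG (`TSIG-ALLOW-DNSUPDATE` metadata) is configured here, so whoever reaches the update path can change any record of the updatable (gsqlite3) zones — the doorlock role in this same change does pass a key file to nsupdate, so TSIG may be intended; I could not confirm that from here. Either set `proxy-protocol-from=127.0.0.1` (with `useProxyProtocol` on the dnsdist side) so this allowlist sees real client addresses, or drop the DHCP entries and add a comment on the line: `# source filtering is enforced in dnsdist.conf; pdns only ever sees 127.0.0.1`. A short why-comment on `dnsupdate=yes` naming which zones accept updates and how they are authenticated would round this off.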
|
||||||
|
|
|
@ -1,61 +1,55 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# allow-from If set, only allow these comma separated netmasks to recurse
|
# allow-from If set, only allow these comma separated netmasks to recurse
|
||||||
#
|
#
|
||||||
#allow-from=127.0.0.0/8
|
# allow-from=127.0.0.0/8
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# config-dir Location of configuration directory (recursor.conf)
|
# config-dir Location of configuration directory (recursor.conf)
|
||||||
#
|
#
|
||||||
config-dir=/etc/powerdns
|
config-dir=/etc/powerdns
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
# dnssec DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
|
||||||
#
|
#
|
||||||
# dnssec=process-no-validate
|
# dnssec=process
|
||||||
dnssec=off
|
dnssec=off
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
|
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||||
#
|
#
|
||||||
# forward-zones=
|
local-address=127.0.0.1
|
||||||
forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
|
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
# local-port port to listen on
|
||||||
#
|
#
|
||||||
local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
|
local-port=5353
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-port port to listen on
|
# query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
|
||||||
#
|
|
||||||
local-port=53
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
|
|
||||||
#
|
#
|
||||||
{% if global_ipv6 is defined %}
|
{% if global_ipv6 is defined %}
|
||||||
query-local-address6={{ global_ipv6 | ipaddr('address') }}
|
query-local-address6={{ global_ipv6 | ipaddr('address') }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# quiet Suppress logging of questions and answers
|
# quiet Suppress logging of questions and answers
|
||||||
#
|
#
|
||||||
quiet=yes
|
quiet=yes
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# security-poll-suffix Domain name from which to query security update notifications
|
# security-poll-suffix Domain name from which to query security update notifications
|
||||||
#
|
#
|
||||||
# security-poll-suffix=secpoll.powerdns.com.
|
# security-poll-suffix=secpoll.powerdns.com.
|
||||||
security-poll-suffix=
|
security-poll-suffix=
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setgid If set, change group id to this gid for more security
|
# setgid If set, change group id to this gid for more security
|
||||||
#
|
#
|
||||||
setgid=pdns
|
setgid=pdns
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setuid If set, change user id to this uid for more security
|
# setuid If set, change user id to this uid for more security
|
||||||
#
|
#
|
||||||
setuid=pdns
|
setuid=pdns
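Review bot: With `local-address=127.0.0.1` and `local-port=5353` the recursor now only ever sees 127.0.0.1 as the client, so the `allow-from` option (left at its commented default above) can no longer restrict who may recurse — that decision is made entirely by dnsdist's ACL, which dnsdist.conf.j2 in this change does not set explicitly. Please record that in the template so nobody "fixes" `allow-from` here later: `# allow-from is ineffective behind dnsdist (all queries arrive from 127.0.0.1); client access is enforced by setACL() in dnsdist.conf`. The same note belongs next to `local-address`, since the old value listed `{{ ansible_default_ipv4.address }}` and a reader may otherwise re-add it.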
|
||||||
|
|
|
@ -1,17 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Enable docker apt-key
|
|
||||||
apt_key: url='https://download.docker.com/linux/debian/gpg'
|
|
||||||
|
|
||||||
- name: Enable docker repository
|
|
||||||
apt_repository:
|
|
||||||
repo: 'deb https://download.docker.com/linux/debian buster stable'
|
|
||||||
filename: docker
|
|
||||||
|
|
||||||
- name: Install docker
|
- name: Install docker
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- docker-ce
|
- docker.io
|
||||||
- docker-ce-cli
|
- python3-docker
|
||||||
- containerd.io
|
|
||||||
- python-docker
|
- name: Enable docker
|
||||||
|
service: name=docker state=started enabled=yes
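Review bot: Dropping the `apt_key`/`apt_repository` tasks does not remove `/etc/apt/sources.list.d/docker.list` or the Docker signing key from hosts provisioned with the old version of this role, so those hosts keep a third-party repository and key trusted with nothing managing them, and `docker.io` is installed alongside a still-present `docker-ce`/`containerd.io`. An explicit cleanup of the repository (below) is cheap and idempotent; the key removal needs `apt_key: state=absent id=<key id>`, which I have not quoted, and purging the old packages (`apt: state=absent` for `docker-ce`, `docker-ce-cli`, `containerd.io`) is worth considering if the migration is meant to happen in place rather than on rebuilt hosts.
```yaml
- name: Remove legacy docker-ce repository
  apt_repository:
    repo: 'deb https://download.docker.com/linux/debian buster stable'
    filename: docker
    state: absent
# … unchanged: Install docker, Enable docker …
```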
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Run acertmgr
|
||||||
|
command: /usr/bin/acertmgr
|
||||||
|
|
||||||
|
- name: Restart nginx
|
||||||
|
service: name=nginx state=restarted
|
|
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Ensure certificates are available
|
||||||
|
command:
|
||||||
|
cmd: >
|
||||||
|
openssl req -x509 -nodes -newkey rsa:2048
|
||||||
|
-keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
|
||||||
|
-days 730 -subj "/CN={{ doorlock_domain }}"
|
||||||
|
creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Request nsupdate key for certificate
|
||||||
|
include_role: name=acme-dnskey-generate
|
||||||
|
vars:
|
||||||
|
acme_dnskey_san_domains:
|
||||||
|
- "{{ doorlock_domain }}"
|
||||||
|
|
||||||
|
- name: Configure certificate manager for doorlock
|
||||||
|
template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
|
||||||
|
notify: Run acertmgr
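Review bot: The bootstrap key written by `openssl req … -keyout /etc/nginx/ssl/{{ doorlock_domain }}.key` gets whatever mode openssl and the umask produce, and nothing in this task tightens it, whereas the acertmgr config installed two tasks later pins the real key to `perm: '400'`; until acertmgr succeeds, the placeholder key may be more readable than the key that replaces it. A follow-up task pins it regardless of umask: `- name: Restrict placeholder key` / `file: path=/etc/nginx/ssl/{{ doorlock_domain }}.key owner=root group=root mode=0400`. The task also assumes `/etc/nginx/ssl` already exists; if no other role guarantees that, a `file: path=/etc/nginx/ssl state=directory mode=0700` before it avoids a first-run failure.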
|
|
@ -0,0 +1,18 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
{{ doorlock_domain }}:
|
||||||
|
- mode: dns.nsupdate
|
||||||
|
nsupdate_server: {{ acme_dnskey_server }}
|
||||||
|
nsupdate_keyfile: {{ acme_dnskey_file }}
|
||||||
|
- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
|
||||||
|
user: root
|
||||||
|
group: root
|
||||||
|
perm: '400'
|
||||||
|
format: key
|
||||||
|
action: '/usr/sbin/service nginx restart'
|
||||||
|
- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
|
||||||
|
user: root
|
||||||
|
group: root
|
||||||
|
perm: '400'
|
||||||
|
format: crt,ca
|
||||||
|
action: '/usr/sbin/service nginx restart'
|
|
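Review bot: The rendered values `nsupdate_server: {{ acme_dnskey_server }}` and `nsupdate_keyfile: {{ acme_dnskey_file }}` are emitted as unquoted YAML plain scalars, so a value containing `: ` or ` #` would silently change the parsed document after templating; quoting them, `nsupdate_server: "{{ acme_dnskey_server }}"` and `nsupdate_keyfile: "{{ acme_dnskey_file }}"`, is the safer form. The two `action: '/usr/sbin/service nginx restart'` lines restart nginx once per delivered file; `reload` would pick up the renewed certificate without dropping connections, assuming the role's handler takes the same approach.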
@ -1,14 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=drone.io server
|
|
||||||
After=network-online.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
User=drone
|
|
||||||
EnvironmentFile=/etc/default/drone
|
|
||||||
ExecStart=/opt/drone/bin/drone-server
|
|
||||||
Restart=always
|
|
||||||
RestartSec=5s
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -1,52 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Create user
|
|
||||||
user: name=drone
|
|
||||||
|
|
||||||
# TODO install drone to /opt/drone/bin
|
|
||||||
# currently it is manually compiled
|
|
||||||
|
|
||||||
- name: Configure drone
|
|
||||||
template: src=drone.j2 dest=/etc/default/drone
|
|
||||||
notify: Restart drone
|
|
||||||
|
|
||||||
- name: Install PostgreSQL
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- postgresql
|
|
||||||
- python-psycopg2
|
|
||||||
|
|
||||||
- name: Configure PostgreSQL database
|
|
||||||
postgresql_db: name={{ drone_dbname }}
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Configure PostgreSQL user
|
|
||||||
postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Configure certificate manager for drone
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Configure vhost
|
|
||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Enable vhost
|
|
||||||
file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Install systemd unit
|
|
||||||
copy: src=drone.service dest=/lib/systemd/system/drone.service
|
|
||||||
notify:
|
|
||||||
- Reload systemd
|
|
||||||
- Restart drone
|
|
||||||
|
|
||||||
- name: Enable drone
|
|
||||||
service: name=drone enabled=yes
|
|
|
@ -1,10 +0,0 @@
|
||||||
DRONE_AGENTS_ENABLED=true
|
|
||||||
DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
|
|
||||||
DRONE_DATABASE_DRIVER=postgres
|
|
||||||
DRONE_GITEA_SERVER=https://{{ gitea_domain }}
|
|
||||||
DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
|
|
||||||
DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
|
|
||||||
DRONE_RPC_SECRET={{ drone_secret }}
|
|
||||||
DRONE_SERVER_HOST={{ drone_domain }}
|
|
||||||
DRONE_SERVER_PROTO=https
|
|
||||||
DRONE_USER_CREATE=username:{{ drone_admin }},admin:true
|
|
|
@ -1,31 +0,0 @@
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
server_name {{ drone_domain }};
|
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
|
||||||
default_type "text/plain";
|
|
||||||
alias /var/www/acme-challenge;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://{{ drone_domain }}$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name {{ drone_domain }};
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
|
|
||||||
ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
client_max_body_size 128M;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_pass http://localhost:8080;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,20 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Run runner container
|
|
||||||
docker_container:
|
|
||||||
name: runner
|
|
||||||
image: drone/drone-runner-docker:1
|
|
||||||
env:
|
|
||||||
DRONE_RPC_PROTO: "https"
|
|
||||||
DRONE_RPC_HOST: "{{ drone_domain }}"
|
|
||||||
DRONE_RPC_SECRET: "{{ drone_secret }}"
|
|
||||||
DRONE_RUNNER_CAPACITY: "2"
|
|
||||||
DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
|
|
||||||
DRONE_UI_USERNAME: "admin"
|
|
||||||
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
|
|
||||||
ports:
|
|
||||||
- "3000:3000"
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
state: started
|
|
||||||
volumes:
|
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
eh21.easterhegg.eu engel.eh21.easterhegg.eu:
|
||||||
|
- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
|
||||||
|
user: root
|
||||||
|
group: root
|
||||||
|
perm: '400'
|
||||||
|
format: crt,ca
|
||||||
|
action: '/usr/sbin/service nginx restart'
|
||||||
|
- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
|
||||||
|
user: root
|
||||||
|
group: root
|
||||||
|
perm: '400'
|
||||||
|
format: key
|
||||||
|
action: '/usr/sbin/service nginx restart'
|
|
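Review bot: This acertmgr config is a hard-coded copy of the templated doorlock certificate config added in the same change (same user/group/perm/format/action stanzas, only the domain list and paths differ), so the two will drift the first time one of them is touched; if the shared template can take the domain list as a variable, rendering this file from it would remove the duplication. If it stays hand-written, a top comment naming the template it mirrors, e.g. `# keep in sync with certs.j2`, is the minimum.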
@ -0,0 +1,68 @@
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
|
||||||
|
server_name eh21.easterhegg.eu;
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
default_type "text/plain";
|
||||||
|
alias /var/www/acme-challenge;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://eh21.easterhegg.eu$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name eh21.easterhegg.eu;
|
||||||
|
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
|
||||||
|
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
|
||||||
|
|
||||||
|
root /var/www/eh21;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
|
||||||
|
server_name engel.eh21.easterhegg.eu;
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
default_type "text/plain";
|
||||||
|
alias /var/www/acme-challenge;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://engel.eh21.easterhegg.eu$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name engel.eh21.easterhegg.eu;
|
||||||
|
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
|
||||||
|
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
|
||||||
|
|
||||||
|
root /var/www/engel/public;
|
||||||
|
|
||||||
|
index index.php;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ /index.php?$args;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ \.php$ {
|
||||||
|
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
|
||||||
|
fastcgi_index index.php;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
|
include fastcgi_params;
|
||||||
|
}
|
||||||
|
}
|
|
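Review bot: The `location ~ \.php$` block for engel.eh21.easterhegg.eu hands `$document_root$fastcgi_script_name` to PHP-FPM without first checking that the script exists; with PHP's default `cgi.fix_pathinfo=1` a request for a non-PHP file under the document root followed by a `/x.php` path component can be passed to the interpreter as that file, which matters for any directory that holds uploads. Adding `try_files $uri =404;` as the first line of that location (or `fastcgi_split_path_info` with an explicit `PATH_INFO`) closes this. The socket path `/var/run/php/php8.2-fpm.sock` pins the PHP version in the vhost, so a PHP upgrade breaks the site until this file is edited; a role variable or a version-less symlink would be easier to maintain. The two HTTPS servers set only certificate paths, so unless `ssl_protocols`/`ssl_ciphers` are set globally by the nginx role these vhosts run on nginx's compiled-in defaults — worth a comment either way.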
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- { role: acertmgr }
|
||||||
|
- { role: nginx, nginx_ssl: True }
|