README.md

@@ -1,69 +1,11 @@
 # Binary Kitchen Ansible Playbooks
 
-This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen.
+This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
 
-## Usage
+## Using
 
-To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname`
+TBA
 
-It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed
+## Style / Contributing
 
-
+TBA/TBD
-## Current setup
-
-Currently the following hosts are installed:
-
-### Internal Servers
-
-| Hostname                  | OS        | Purpose                 |
-| ------------------------- | --------- | ----------------------- |
-| wurst.binary.kitchen      | Proxmox 8 | VM Host                 |
-| salat.binary.kitchen      | Proxmox 8 | VM Host                 |
-| weizen.binary.kitchen     | Proxmox 8 | VM Host                 |
-| bacon.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
-| aveta.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
-| aeron.binary.kitchen      | Debian 12 | DNS, DHCP, LDAP, RADIUS |
-| sulis.binary.kitchen      | Debian 12 | Shell                   |
-| nabia.binary.kitchen      | Debian 12 | Monitoring              |
-| epona.binary.kitchen      | Debian 12 | NetBox                  |
-| pizza.binary.kitchen      | Debian 11 | OpenHAB *               |
-| pancake.binary.kitchen    | Debian 12 | XRDP                    |
-| knoedel.binary.kitchen    | Debian 12 | SIP-DECT OMM            |
-| bob.binary.kitchen        | Debian 12 | Gitea Actions           |
-| lasagne.binary.kitchen    | Debian 12 | Home Assistant *        |
-| tschunk.binary.kitchen    | Debian 12 | Strichliste             |
-| bowle.binary.kitchen      | Debian 12 | Files                   |
-| lock-auweg.binary.kitchen | Debian 12 | Doorlock                |
-
-\*: The main application is not managed by ansible but manually installed
-
-### External Servers
-
-| Hostname                      | OS        | Purpose                 |
-| ----------------------------- | --------- | ----------------------- |
-| helium.binary-kitchen.net     | Debian 12 | LDAP Master             |
-| lithium.binary-kitchen.net    | Debian 12 | Mail                    |
-| beryllium.binary-kitchen.net  | Debian 12 | Web *                   |
-| boron.binary-kitchen.net      | Debian 12 | Gitea                   |
-| carbon.binary-kitchen.net     | Debian 12 | Jabber                  |
-| nitrogen.binary-kitchen.net   | Debian 12 | NextCloud               |
-| oxygen.binary-kitchen.net     | Debian 12 | Shell                   |
-| fluorine.binary-kitchen.net   | Debian 12 | Web (div. via Docker)   |
-| neon.binary-kitchen.net       | Debian 12 | Auth. DNS               |
-| sodium.binary-kitchen.net     | Debian 12 | Mattrix                 |
-| magnesium.binary-kitchen.net  | Debian 12 | TURN                    |
-| aluminium.binary-kitchen.net  | Debian 12 | Web (div. via Docker)   |
-| krypton.binary-kitchen.net    | Debian 12 | PartDB *                |
-| yttrium.binary-kitchen.net    | Debian 12 | Hintervvoidler *        |
-| zirconium.binary-kitchen.net  | Debian 12 | Jitsi                   |
-| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle *          |
-| technetium.binary-kitchen.net | Debian 12 | Event CTFd *            |
-| ruthenium.binary-kitchen.net  | Debian 12 | Minecraft *             |
-| rhodium.binary-kitchen.net    | Debian 12 | Event pretix            |
-| palladium.binary-kitchen.net  | Debian 12 | Event pretalx           |
-| argentum.binary-kitchen.net   | Debian 12 | Event Web *             |
-| cadmium.binary-kitchen.net    | Debian 12 | Event NetBox *          |
-| indium.binary-kitchen.net     | Debian 12 | Igel CAM *              |
-| barium.binary-kitchen.net     | Debian 12 | Workadventure           |
-
-\*: The main application is not managed by ansible but manually installed

ansible.cfg

@@ -1,6 +1,5 @@
 [defaults]
 ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
-interpreter_python = auto
 inventory       = ./hosts
 nocows          = 1
 remote_user     = root

group_vars/all/vars.yml

@@ -5,14 +5,6 @@ acertmgr_mode: webdir
 acme_dnskey_file: /etc/acertmgr/nsupdate.key
 acme_dnskey_server: neon.binary-kitchen.net
 
-authentik_domain: auth.binary-kitchen.de
-authentik_dbname: authentik
-authentik_dbuser: authentik
-authentik_dbpass: "{{ vault_authentik_dbpass }}"
-authentik_secret: "{{ vault_authentik_secret }}"
-
-bk23b_domain: 23b.binary-kitchen.de
-
 coturn_realm: turn.binary-kitchen.de
 coturn_secret: "{{ vault_coturn_secret }}"
 
@@ -22,12 +14,19 @@ dns_axfr_ips:
 
 dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
 
+drone_admin: moepman
+drone_domain: drone.binary-kitchen.de
+drone_dbname: drone
+drone_dbuser: drone
+drone_dbpass: "{{ vault_drone_dbpass }}"
+drone_uipass: "{{ vault_drone_uipass }}"
+drone_secret: "{{ vault_drone_secret }}"
+drone_gitea_client: "{{ vault_drone_gitea_client }}"
+drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
+
 dss_domain: dss.binary-kitchen.de
 dss_secret: "{{ vault_dss_secret }}"
 
-fpm_status_user: admin
-fpm_status_pass: "{{ vault_fpm_status_pass }}"
-
 gitea_domain: git.binary-kitchen.de
 gitea_dbname: gogs
 gitea_dbuser: gogs
@@ -35,20 +34,11 @@ gitea_dbpass: "{{ vault_gitea_dbpass }}"
 gitea_secret: "{{ vault_gitea_secret }}"
 gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
 
-hedgedoc_domain: pad.binary-kitchen.de
+hackmd_domain: pad.binary-kitchen.de
-hedgedoc_dbname: hedgedoc
+hackmd_dbname: hackmd
-hedgedoc_dbuser: hedgedoc
+hackmd_dbuser: hackmd
-hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
+hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
-hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
+hackmd_secret: "{{ vault_hackmd_secret }}"
-
-icinga_domain: icinga.binary.kitchen
-icinga_dbname: icinga
-icinga_dbuser: icinga
-icinga_dbpass: "{{ vault_icinga_dbpass }}"
-icinga_server: nabia.binary.kitchen
-icingaweb_dbname: icingaweb
-icingaweb_dbuser: icingaweb
-icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
 
 jitsi_domain: jitsi.binary-kitchen.de
 jitsi_admin_email: exxess@binary-kitchen.de
@@ -68,29 +58,16 @@ mail_domain: binary-kitchen.de
 mail_domains:
 - ccc-r.de
 - ccc-regensburg.de
-- eh21.easterhegg.eu
 - makerspace-regensburg.de
 mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
 mail_server: mail.binary-kitchen.de
 mailman_domain: lists.binary-kitchen.de
 mail_trusted:
 - 213.166.246.0/28
-- 213.166.246.37/32
-- 213.166.246.45/32
-- 213.166.246.46/32
-- 213.166.246.47/32
 - 213.166.246.250/32
 - 2a02:958:0:f6::/124
-- 2a02:958:0:f6::37/128
-- 2a02:958:0:f6::45/128
-- 2a02:958:0:f6::46/128
-- 2a02:958:0:f6::47/128
 mail_aliases:
-- "auweg@binary-kitchen.de	venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
-- "bbb@binary-kitchen.de	boehm.johannes@gmail.com"
-- "dasfilament@binary-kitchen.de	taxx@binary-kitchen.de"
 - "epvpn@binary-kitchen.de	noby@binary-kitchen.de"
-- "google@binary-kitchen.de	vorstand@binary-kitchen.de"
 - "info@binary-kitchen.de	vorstand@binary-kitchen.de"
 - "lebercast@binary-kitchen.de	anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
 - "loetworkshop@binary-kitchen.de	timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
@@ -98,15 +75,12 @@ mail_aliases:
 - "openhab@binary-kitchen.de	noby@binary-kitchen.de"
 - "orga@ccc-r.de	orga@ccc-regensburg.de"
 - "orga@ccc-regensburg.de	anti@binary-kitchen.de"
-- "paypal@binary-kitchen.de	ralf@binary-kitchen.de"
+- "paypal@binary-kitchen.de	timo.schindler@binary-kitchen.de"
 - "post@makerspace-regensburg.de	vorstand@binary-kitchen.de"
-- "pretalx@binary-kitchen.de	moepman@binary-kitchen.de"
-- "pretix@binary-kitchen.de	moepman@binary-kitchen.de"
 - "root@binary-kitchen.de	moepman@binary-kitchen.de,kishi@binary-kitchen.de"
 - "seife@binary-kitchen.de	anke@binary-kitchen.de"
 - "siebdruck@binary-kitchen.de	anke@binary-kitchen.de"
-- "therapy-jetzt@binary-kitchen.de	darthrain@binary-kitchen.de"
+- "vorstand@binary-kitchen.de	anti@binary-kitchen.de,avarrish@binary-kitchen.de,timo.schindler@binary-kitchen.de,zaesa@binary-kitchen.de"
-- "vorstand@binary-kitchen.de	anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
 - "voucher1@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher2@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher3@binary-kitchen.de	exxess@binary-kitchen.de"
@@ -119,45 +93,26 @@ mail_aliases:
 - "voucher10@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher11@binary-kitchen.de	exxess@binary-kitchen.de"
 - "voucher12@binary-kitchen.de	exxess@binary-kitchen.de"
-- "voucher13@binary-kitchen.de	exxess@binary-kitchen.de"
-- "voucher14@binary-kitchen.de	exxess@binary-kitchen.de"
-- "voucher15@binary-kitchen.de	exxess@binary-kitchen.de"
 - "workshops@binary-kitchen.de	timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
-- "tickets@eh21.easterhegg.eu	orga@eh21.easterhegg.eu"
-- "hackzuck@eh21.easterhegg.eu	kekskruemml@binary-kitchen.de"
 
 matrix_domain: matrix.binary-kitchen.de
 matrix_dbname: matrix
 matrix_dbuser: matrix
 matrix_dbpass: "{{ vault_matrix_dbpass }}"
 
-mc_domain: minecraft.binary-kitchen.de
+nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
-
+nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
-netbox_domain: netbox.binary.kitchen
+nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
-netbox_dbname: netbox
-netbox_dbuser: netbox
-netbox_dbpass: "{{ vault_netbox_dbpass }}"
-netbox_secret: "{{ vault_netbox_secret }}"
 
 nextcloud_domain: oc.binary-kitchen.de
 nextcloud_dbname: owncloud
 nextcloud_dbuser: owncloud
 nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 
-omm_domain: omm.binary.kitchen
+plk_domain: plk-regensburg.de
-
+plk_dbuser: plkdbuser
-pretalx_domain: fahrplan.eh21.easterhegg.eu
+plk_dbname: plkdb
-pretalx_dbname: pretalx
+plk_dbpass: "{{ vault_plk_dbpass }}"
-pretalx_dbuser: pretalx
-pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
-pretalx_mail: pretalx@binary-kitchen.de
-
-pretix_domain: pretix.events.binary-kitchen.de
-pretix_domainx: tickets.eh21.easterhegg.eu
-pretix_dbname: pretix
-pretix_dbuser: pretix
-pretix_dbpass: "{{ vault_pretix_dbpass }}"
-pretix_mail: pretix@binary-kitchen.de
 
 prometheus_pve_user: prometheus@pve
 prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@@ -171,6 +126,8 @@ pve_targets:
 
 radius_secret: "{{ vault_radius_secret }}"
 
+rocketchat_domain: chat.binary-kitchen.de
+
 root_keys:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
@@ -178,25 +135,3 @@ root_keys:
 slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
-
-sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
-sssd_base_user: ou=people,dc=binary-kitchen,dc=de
-
-strichliste_domain: tschunk.binary.kitchen
-strichliste_dbname: strichliste
-strichliste_dbuser: strichliste
-strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
-
-therapy_domain: therapy.jetzt
-therapy_secret: "{{ vault_therapy_secret }}"
-
-vaultwarden_domain: vault.binary-kitchen.de
-vaultwarden_dbname: vaultwarden
-vaultwarden_dbuser: vaultwarden
-vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
-vaultwarden_token: "{{ vault_vaultwarden_token }}"
-vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
-
-workadventure_domain: wa.binary-kitchen.de
-
-zammad_domain: requests.binary-kitchen.de

group_vars/all/vault.yml

@@ -1,110 +1,59 @@
 $ANSIBLE_VAULT;1.1;AES256
-35346137343735356637663033653465666664363730663138663936636632306566313836643132
+37303932343462623335393066643531373533636435356462326537373532613534353266396435
-6633663564393937323035363563326465366364373961310a643132653066323938333863626264
+3636666364306637306266393933383963633032383265650a656563303332303134323135353239
-66656663646164633538396132363231373430636134313632333834633435336331396338623933
+34633863333930316564633632313939643664373163373833636139366537646530383736343130
-3832343264356539390a313937393535623838356465313530303836346164313261613537366430
+6239373931306234620a353966346262646538306631656461613431636230333430663931643933
-64393533613662376466363462643262643433663839393166613938616462663732346234363436
+31316362353439393838363666613932313635313864333135636530653238653162353033356437
-66663837333861303530373036363536376239633764356461303534626233343861343135353234
+33353063363639346266313631393463623864636133623264613865336536613536343365386230
-61356362353635343737356430666536636339306630613263613933356330366132356661343566
+65396263393862626139396430623134316632313637623631623762656139623664356331623066
-33306437666461656339653131633537643931333164396463623433633263633139366565636362
+30323430613963313162616135303164663364336634326533346438373635366238356531613461
-35306339333631623036386134373839303739373230636164653137393439633530366163613636
+30333736633965333163616437303566666239313962353531393530613265363833396136646262
-65326635396135313530366161373438623365356437353234343537393033356135623862393033
+62633662666532396535316361303934613138373365633161393664313234663533363736323335
-62643033656331373435316665313933653835653663376432366461363261303131623237623663
+38613762376234663564333333386265633138613839636132346638313430653639636339336239
-33363238663963363963326531386137613564633338653466393436663438313231313466323433
+38633564333831326331326166666362353364303933393532643936313564386565643162623435
-32323934343462333264646137366461303333363165303433663130326437353236653336623266
+36356437356631666137323039316430656566613436623062656562666139383635653039636463
-30653930616465313930303961383538376662386331663430613064306366323035663431656461
+35393438323765303431333737356339343730303531333834306239366533393537626239376163
-61623735336162636662616232346637653566306433316237613762623133323236353533623833
+31663332343136323264376234363264343136623365383833666638656531306362663462383033
-61306630376231643266663732343565386465373066643339633136643961656161393738373862
+31633838643562613762363634653865353361303666363139636337386439626235336462653036
-33353162656331363563343234303538383763303736393661333831366436633533656265343930
+30376461643839313665383430386534656265626139313034646438323861653530383637316139
-38616462363238613464386439663830663264646133633631646166346130663464633333333730
+35313539636137303561646564616362313435666262343137616263396465356434363862323137
-33653231303636653638323136663066666465353532383331663163626237656265656463393139
+38626464383039386139343665363538326539613837366437623362336639336133323463666235
-64363465663732343930613931313363336633363335383564626366383537376634363461616163
+36346333356434363838363634343233323363333762653264333062656133623434666162356433
-39393630343531313638363230656634623836396366326530616637363334313961366233306233
+37623862653862643335333931663063623166353534636430323230663838653532356335306632
-35633961303661376663643339613835633563336361646137353466366436373263363138663563
+33646265343834363839653565326538353930663061376461646534386637376234646264343933
-62356365616664353131663764303730643361613038663833373834336132306265376436616464
+65653763343236653630396238333232633461663333646531323337626235396231383931663264
-38383937626439303362636432363936313930313339366565353034313339663536373138376438
+34363564366134663036643332346238373639646336396261316133326235636265323636663335
-34366637363838623064633765653134383230656565373263356164326661326133353634636536
+35363537346466396432396162383131306438396431336138666663633132646662316165643333
-31383961343066306437623031386461643430326134646537613366623131353161353335313664
+64633434623166343262623038623431343631333962663566303566393761653536303638643037
-61633834656438366331653966373131656634303135373630363762313765316364343837663431
+63363963306139336235363537396432383131303763643966313937353537333739393031616439
-32373438616561333634343436366638353439363563656331333263653061613231303733633134
+35343361646234663062633631323238656137373464386561656439313636613630323632616332
-66386563346535646339303039353962363762663164386436626632623465363833323434343066
+39346239666266623038363066643865373762633532323431373431373165643662663661633365
-63626466653162616164323831336165646136613530383063353232333464333234316435386266
+35353361383339623535336362313430616139396561623934346264323462663663383566393165
-62333535373131666434626261333335663762346663313630643136383835376663636136363933
+35366637313861386465333530613530623832643333616538336436356134313832306139336361
-33623237666537613164623362396537396163373437633537376435356638653533613939663734
+32393162373235356236343332363038393631626534643237383232323735633265333562633231
-66626564633435663164616365313339386232386562636461653262363332393536353138393730
+61613164363962323236666365353830346664643263393532343562383736336535353364343638
-33323464376666663236366134366436313237666635356565346235363630363265343535356233
+62386465323331653565306234646664393164666334383765336630346438633636353264636138
-35653163663962316336323931356436366439653835346138623966366436373066303932346637
+31316231326236313839353465353230353935363330393035373234393039386134366534653636
-31393932343136633239663238363337626266623163316165646533333363393038383038316664
+63323730383931353763383739393330316335373563393039366166313031373664636335363363
-34363739613234666466353163643236356238353831636163393763336261353831313136653963
+38363131363565326431636361316562313037373664306333313366646336333162663664306539
-33636265383634393332373031306261363764303730633466616432316433656166393035653737
+64636530363561393037373766383937616435313333653836363835383231633130396133663635
-30643231616334366231333761633461653338653633663564643938616163663532333639353830
+36613531323732623264646666656139333766656562623430313964366236373663626135383437
-64383761306138303736643962386235353366333832616138306237393738396230303633333132
+31643663663637613762313465656636396264623362643538323166356636303430613133383664
-31373362323261303362613336333130626364646561653335373639333262663735376437376433
+66383332326437333638663562376665386237313533303437623765353661393561373338636130
-36386236343233373631303633626363336665656131633862633363326233636636373832353937
+30383665333366643331366536646330633133643566393962633164643563613536363434393234
-39303237393632363337396362323936646333376439373031626330343139373636333062383138
+66323931316535353632356432373262623962616264383430623436303637616165386433326231
-33333137623066303961376137613361313831636631663865343863633735366433643165643035
+38633730636633643634343833313964653530663034333063313334636134646634363437346161
-39373565396561326362376435666539386263666635363664633833336536366466613163323134
+32613061363032383732323263303830363532326239316538393739313730383530633862313039
-39653239653935346262656333306635646535626563323130663838313564383165393961346161
+37653865303932313635656332663039376331393161623731623039653865623436363061626538
-39616439376435613535336434343364343066353863626363613765303862306663373730346539
+32383934613335363534666461343135303235373262343634306130633536323839393139346662
-39363136393463333538323266633235643963363663323265313738633037303862633265353236
+31623265323138353963623938616665383765366230656461383835346230346261623866366630
-64343361316437623732366163326633346462343332333735333936633266623832633939626362
+65303965353432386136373562306434623739666262356663656266346439356435613362333563
-32333035613963666530663335656562393465323063336330383535326565346536393731333165
+34366539353366346636376662363837303332373866323434366261326164633033353930383038
-30373733343136306532636666313338626434313334303933636238643034386438386364663932
+36666433656365366663326163343034306439653262353733323232373133386436333637346563
-35313134633532373466363132623632376666396161333064376538616137656163663633653064
+32626533336530633731336631333334353366306538663936643637346335303965626631316562
-66623633343939306638643132386139303761646364656163326263313066616535623234323361
+33333061656234393661363766663630316662613764333231326434383465666234653238393965
-37396366663734373334386131663161346461383938313263346537353836366264616164636262
+31636561396665383063613433653837363634623337623330666466353532633434383864343464
-64376535373431376465386165613765653732303461356565623965346334376564343439386164
+38303436306165353433356536326466306530373635616531393462666336666435633235613937
-30393664353461623965303265393338353366616164633739383434623834306166376631643330
+37343832333864643636366632623062363234633365326635386663376439383332306333653161
-31303866306561366132333532396135653261613935623537366562313433396436343666386535
+34353830396165366534313334616161323461613066383561343563393330613464373862623062
-37323861343462396163333431663137643232393865643238316338323735366637643666343735
+3536303066343262636636393861313539616636643339353562
-30663334326332616361623662653133383536326635626434383830633434366330313731356531
-30366562613532643334613430313737633266343237373765366238313833656463646462613666
-32393734356638633966643133383961613332623331633634646439353338303266393366323564
-36353032383030623163323065653833656330363466336466656562373034653061346163366238
-33346534313633333134356665656462346234393230323132626661666362373566383036653937
-66366266333934343263326433326163373730383361653262633966333135316437633835303665
-66663430363039633464636531326135616563636131656265356438313633306236653431656664
-30343733313638363237343131626538643932373931623136323862646366623362306365616131
-37303966343562313730653763633564336435336362656262363735393966633135376236616163
-39626637393865643338623863346666333764616430383038303434626164653861346433333764
-61386131303764383137616334363866363363313165366339636530393362396135306265303464
-63333030306338346633633863306238333334393562373662663562313733643432396462313131
-65333661343031656263623230346230353266303261646131303731636466303863323466356232
-63383835316161306431663962343966366338323138383632326533646461326232356133356265
-39636434376436363439376230633237366536653561616264613665656635636532623330353466
-65366132646536316131323038313263333961656430343661303664366266313861343463303364
-32303662393433353462346464393931393637316537623061343635353938663765646234323431
-38643531653132633763666663623637373431653731383037346262646332393864643431363338
-32343963623364613538656338336365343265383262656139643934333037383930376564343636
-33623835663035313839656333613833396635646537616464376138663262346564383834643933
-30383039633164353730656339616436343330333134323136646664393764343163313536373261
-31646164656166376232653034363864623161326564303337636534653762336337346335373238
-64373062306165616162666362326531643964656366653037663163363964653462346633666434
-35303638623239353934636332373562343962393531346132303032623334333335373734643034
-64646361373066316134613635666435306235313632633633643864373261643065303937323639
-65383663626338303134613532623763626430623864313930366463663632313130383033633831
-66613531623534336461393764623237383231333133336638313637306439633361353039613938
-30613562393635646235336330633933336233363735346534633266633730346236353265333464
-39613132306232653639326336643662353461356439623233316465316232396366616531396464
-63626462383639353434316364363164376639363264646530323038373439643132343264643231
-32656465366265383630626332613636336632656136333330643937633630396663626632333930
-61623661633666316630616632633832613231386235653434663964316533306233383539343637
-38663431666230653736326531353934396562656161616462383466353637363732616636373033
-39643438356632306431386235333532326463646161616466646634633163366233363362343563
-34393631343733326363363737623638383939353266343262633232336633386233346436393333
-31646161613464623137353939613437623835316531343336323833653437363563363462633536
-36313230363131373233623731636363313034366665633737346134366666393634386637626563
-36376135373330396664616435353539333439306434313933333235646363313262336163386263
-65353361363066363234353336623466393331326332316530356636343865663137313737313830
-35633563343064333565373463343234393732333735363963333336646561393764316462643466
-36653162343239373038336134393532386363333638383831333834373030633138633530353336
-63376334666632323130633136613230306135336231666635363036633066323863346138643330
-33623462653638656237646634623431313664336636366330626135653730323239323462383262
-39326431386235363034386138653665353136356536373838636336626430623164353761636662
-32623363663163633433623833633665313662636264656662373061356336383965303731313431
-34373332616336303062363564656137383463353836303134363434356265393361346365343630
-32613933633139643637363136623863663962356166336134656464613362363130333930356230
-63626365353266383137643263636163613932343333363632333936613831616465646437656465
-35636534363461336332626134346239656238643561313935363366343462333639633937303664
-64323739643562343234333739353334663834626438386432663737653366633466666362643138
-64313536306363653562623536646261313639333266643336613932363835356665

group_vars/auweg

@@ -1,16 +0,0 @@
----
-
-dhcpd_failover: false
-dhcpd_primary: 172.23.13.3
-
-dns_primary: 172.23.13.3
-
-doorlock_domain: lock-auweg.binary.kitchen
-
-name_servers:
-- 172.23.13.3
-
-ntp_servers:
-- 172.23.12.61
-
-radius_cn: radius.binary.kitchen

group_vars/kitchen

@@ -4,9 +4,6 @@ dhcpd_failover: true
 dhcpd_primary: 172.23.2.3
 dhcpd_secondary: 172.23.2.4
 
-dns_primary: 172.23.2.3
-dns_secondary: 172.23.2.4
-
 name_servers:
 - 172.23.2.3
 - 172.23.2.4

host_vars/aeron.binary.kitchen

@@ -1,9 +0,0 @@
----
-
-radius_hostname: radius3.binary.kitchen
-
-slapd_hostname: ldap3.binary.kitchen
-slapd_replica_id: 3
-slapd_role: slave
-
-uau_reboot: "false"

host_vars/argentum.binary-kitchen.net

@@ -1,6 +0,0 @@
----
-
-root_keys_host:
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

host_vars/aveta.binary.kitchen

@@ -3,5 +3,4 @@
 radius_hostname: radius2.binary.kitchen
 
 slapd_hostname: ldap2.binary.kitchen
-slapd_replica_id: 2
 slapd_role: slave

host_vars/bacon.binary.kitchen

@@ -1,11 +1,9 @@
 ---
 
-ntp_server: true
-
 ntp_servers:
 - ptbtime2.ptb.de
 - ntp1.rrze.uni-erlangen.de
-- rustime01.rus.uni-stuttgart.de
+- ntps1-0.cs.tu-berlin.de
 
 ntp_peers:
 - 172.23.1.60
@@ -13,7 +11,4 @@ ntp_peers:
 radius_hostname: radius1.binary.kitchen
 
 slapd_hostname: ldap1.binary.kitchen
-slapd_replica_id: 1
 slapd_role: slave
-
-uau_reboot: "false"

host_vars/barium.binary-kitchen.net

@@ -1,2 +0,0 @@
-root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/beryllium.binary-kitchen.net

@@ -1,5 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/bowle.binary.kitchen

@@ -1,8 +0,0 @@
----
-
-nfs_exports:
-- /exports/backup/bk 172.23.1.60(rw,sync,no_subtree_check)
-- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
-- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
-
-uau_reboot: "false"

host_vars/fluorine.binary-kitchen.net

@@ -1,4 +0,0 @@
----
-
-root_keys_host:
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

host_vars/indium.binary-kitchen.net

@@ -1,5 +0,0 @@
----
-
-root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCNBY95YcFFBeiHM3IDzqKT/X/U09bpAWXwkCWIg6KlZumZg891apx6a0HLDannoBt7YCyYFgl3c1eJ36D08tRcy5c5k/+8Xhq0hq/HWo3EV5sd6Y+8xeTRST6Um8nyxHoSI7xw79yRoteOUDIzPnmDtbLQ2z3vWkA/H1EZQ4IjeQgFhl9vl4EyuAJ47Cdlv1D870BDspgAEoxSbipQEEnPsIctdyySp1R/sNC5tuP6qaoQ6nIDFdgv5rcY8SmgJQ2otlGex18RSBObBjdfyepV71mluqfs6HtVsM9zDvRUwY/FX4wmVc4QPdPLh/2kzEZi0YzefB10tpsuvhaOFI8JqXBDuSFZh3xCzRmKRlmqn50jrvGkYGUWg/GNYNF2rLCltCzg3BJHGaFh9sOtjaKLW+hTJwDtz4LIqNZb6w/2586hzjGCrrZgN24eLEcdp7iTPnkCul+kgOZaa62ytdKjza6/tgKCeUaEwmJTBuKMp/hor/LdLeibYgTtqUoFB7j1Ti2ey7oHly1oiSaKcR/hChgx0sniltRmzJI7KLuUiF+xkpv5Kf4rGl7UjvVxyf3glNh5DL87CfeWkGF3dgsjJdfYIHVJz/Bf6x0aB2TyybF8Exm0R05dhMT6ahZqMqa5d/aUZN+S3MaXw2amHWbMe8VcFpu/AztqrQM8sM+Mw== sprinterfreak"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/knoedel.binary.kitchen

@@ -1,4 +0,0 @@
----
-
-root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/krypton.binary-kitchen.net

@@ -2,4 +2,3 @@
 
 root_keys_host:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/lasagne.binary.kitchen

@@ -1,11 +0,0 @@
----
-
-root_keys_host:
-- "# Thomas Basler"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
-- "# Ralf Ramsauer"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
-- "# Thomas Schmid"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
-
-uau_reboot: "false"

host_vars/lock-auweg.binary.kitchen

@@ -1,5 +0,0 @@
----
-
-root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/magnesium.binary-kitchen.net

@@ -1,3 +0,0 @@
----
-
-acertmgr_mode: standalone

host_vars/molybdenum.binary-kitchen.net

@@ -4,4 +4,3 @@ grafana_domain: zelle.binary-kitchen.de
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

host_vars/nitrogen.binary-kitchen.net

@@ -3,5 +3,3 @@
 root_keys_host:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
-
-nginx_anonymize: True

host_vars/oxygen.binary-kitchen.net

@@ -1,4 +1,3 @@
 ---
 
-sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
+uau_reboot: "false"
-sshd_password_authentication: "yes"

host_vars/pancake.binary.kitchen

@@ -1,4 +0,0 @@
----
-
-root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

host_vars/pizza.binary.kitchen

@@ -4,7 +4,8 @@ root_keys_host:
 - "# Thomas Basler"
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
 - "# Ralf Ramsauer"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
 - "# Thomas Schmid"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
 

host_vars/rhodium.binary-kitchen.net

@@ -1,4 +0,0 @@
----
-
-root_keys_host:
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

host_vars/ruthenium.binary-kitchen.net

@@ -2,6 +2,6 @@
 
 root_keys_host:
 - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
 
 uau_reboot: "false"

host_vars/strontium.binary-kitchen.net

@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

host_vars/sulis.binary.kitchen

@@ -1,4 +0,0 @@
----
-
-sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
-sshd_password_authentication: "yes"

host_vars/technetium.binary-kitchen.net

@@ -1,5 +1,4 @@
 ---
 
 root_keys_host:
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"

host_vars/tschunk.binary.kitchen

@@ -1,7 +0,0 @@
----
-
-root_keys_host:
-- "# Thomas Schmid"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
-
-uau_reboot: "true"

host_vars/weizen.binary.kitchen

@@ -1,8 +0,0 @@
----
-
-ntp_server: true
-
-ntp_servers:
-- ptbtime1.ptb.de
-- ntp1.rrze.uni-erlangen.de
-- rustime01.rus.uni-stuttgart.de

host_vars/wurst.binary.kitchen

@@ -1,11 +1,9 @@
 ---
 
-ntp_server: true
-
 ntp_servers:
 - ptbtime1.ptb.de
 - ntp1.rrze.uni-erlangen.de
-- rustime01.rus.uni-stuttgart.de
+- ntps1-0.cs.tu-berlin.de
 
 ntp_peers:
 - 172.23.2.3

host_vars/yttrium.binary-kitchen.net

@@ -1,6 +1,5 @@
 ---
 
 root_keys_host:
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
-- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"
+- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"
-- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

hosts

@@ -4,19 +4,10 @@ bacon.binary.kitchen ansible_host=172.23.2.3
 aveta.binary.kitchen ansible_host=172.23.2.4
 sulis.binary.kitchen ansible_host=172.23.2.5
 nabia.binary.kitchen ansible_host=172.23.2.6
-epona.binary.kitchen ansible_host=172.23.2.7
 pizza.binary.kitchen ansible_host=172.23.2.33
-pancake.binary.kitchen ansible_host=172.23.2.34
-knoedel.binary.kitchen ansible_host=172.23.2.35
 bob.binary.kitchen ansible_host=172.23.2.37
-lasagne.binary.kitchen ansible_host=172.23.2.38
+bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7
-tschunk.binary.kitchen ansible_host=172.23.2.39
-bowle.binary.kitchen ansible_host=172.23.2.62
 salat.binary.kitchen ansible_host=172.23.9.61
-[auweg]
-weizen.binary.kitchen ansible_host=172.23.12.61
-aeron.binary.kitchen ansible_host=172.23.13.3
-lock-auweg.binary.kitchen ansible_host=172.23.13.12
 [fan_rz]
 helium.binary-kitchen.net
 lithium.binary-kitchen.net
@@ -28,16 +19,9 @@ oxygen.binary-kitchen.net
 fluorine.binary-kitchen.net
 neon.binary-kitchen.net
 sodium.binary-kitchen.net
-magnesium.binary-kitchen.net
-aluminium.binary-kitchen.net
 krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
+technetium.binary-kitchen.net
 ruthenium.binary-kitchen.net
-rhodium.binary-kitchen.net
-palladium.binary-kitchen.net
-argentum.binary-kitchen.net
-cadmium.binary-kitchen.net
-indium.binary-kitchen.net
-barium.binary-kitchen.net

roles/23b/tasks/main.yml

@@ -1,49 +0,0 @@
----
-
-- name: Install packages
-  apt:
-    name:
-    - docker-compose
-
-- name: Create 23b group
-  group: name=23b
-
-- name: Create 23b user
-  user:
-    name: 23b
-    home: /opt/23b
-    shell: /bin/bash
-    group: 23b
-    groups: docker
-
-# docker-compolse.yml is managed outside ansible
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
-  notify: Restart nginx
-
-- name: Configure certificate manager for 23b
-  template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
-  notify: Run acertmgr
-
-- name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
-  notify: Restart nginx
-
-- name: Enable vhost
-  file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
-  notify: Restart nginx
-
-- name: Systemd unit for 23b
-  template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
-  notify:
-  - Reload systemd
-  - Restart 23b
-
-- name: Start the 23b service
-  service: name=23b state=started enabled=yes
-
-- name: Enable monitoring
-  include_role: name=icinga-monitor tasks_from=http
-  vars:
-    vhost: "{{ bk23b_domain }}"

roles/23b/templates/23b.service.j2

@@ -1,28 +0,0 @@
-[Unit]
-Description=23b service using docker compose
-Requires=docker.service
-After=docker.service
-Before=nginx.service
-
-[Service]
-Type=simple
-
-User=23b
-Group=23b
-
-Restart=always
-TimeoutStartSec=1200
-
-WorkingDirectory=/opt/23b/23b/23b
-
-# Make sure no old containers are running
-ExecStartPre=/usr/bin/docker-compose down -v
-
-# Compose up
-ExecStart=/usr/bin/docker-compose up
-
-# Compose down, remove containers and volumes
-ExecStop=/usr/bin/docker-compose down -v
-
-[Install]
-WantedBy=multi-user.target

roles/act_runner/defaults/main.yml

@@ -1,7 +0,0 @@
----
-
-actrunner_user: act_runner
-actrunner_group: act_runner
-
-actrunner_version: 0.2.10
-actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

roles/act_runner/handlers/main.yml

@@ -1,7 +0,0 @@
----
-
-- name: Reload systemd
-  systemd: daemon_reload=yes
-
-- name: Restart act_runner
-  service: name=act_runner state=restarted

roles/act_runner/tasks/main.yml

@@ -1,35 +0,0 @@
----
-
-- name: Create group
-  group: name={{ actrunner_group }}
-
-- name: Create user
-  user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
-
-- name: Create directories
-  file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
-  with_items:
-  - /etc/act_runner
-  - /var/lib/act_runner
-
-- name: Download act_runner binary
-  get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
-  register: runner_download
-
-- name: Symlink act_runner binary
-  file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
-  when: runner_download.changed
-  notify: Restart act_runner
-
-- name: Configure act_runner
-  template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
-  notify: Restart act_runner
-
-- name: Install systemd unit
-  template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
-  notify:
-  - Reload systemd
-  - Restart act_runner
-
-- name: Enable act_runner
-  service: name=act_runner state=started enabled=yes

roles/act_runner/templates/act_runner.service.j2

@@ -1,16 +0,0 @@
-[Unit]
-Description=Gitea Actions runner
-Documentation=https://gitea.com/gitea/act_runner
-After=docker.service
-
-[Service]
-ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
-ExecReload=/bin/kill -s HUP $MAINPID
-WorkingDirectory=/var/lib/act_runner
-TimeoutSec=0
-RestartSec=10
-Restart=always
-User={{ actrunner_user }}
-
-[Install]
-WantedBy=multi-user.target

roles/act_runner/templates/config.yaml.j2

@@ -1,86 +0,0 @@
-log:
-  # The level of logging, can be trace, debug, info, warn, error, fatal
-  level: warn
-
-runner:
-  # Where to store the registration result.
-  file: .runner
-  # Execute how many tasks concurrently at the same time.
-  capacity: 4
-  # Extra environment variables to run jobs.
-  envs:
-  # Extra environment variables to run jobs from a file.
-  # It will be ignored if it's empty or the file doesn't exist.
-  env_file: .env
-  # The timeout for a job to be finished.
-  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
-  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
-  timeout: 3h
-  # Whether skip verifying the TLS certificate of the Gitea instance.
-  insecure: false
-  # The timeout for fetching the job from the Gitea instance.
-  fetch_timeout: 5s
-  # The interval for fetching the job from the Gitea instance.
-  fetch_interval: 2s
-  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
-  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
-  # If it's empty when registering, it will ask for inputting labels.
-  # If it's empty when execute `deamon`, will use labels in `.runner` file.
-  labels: [
-    "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
-    "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
-    "ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
-  ]
-
-cache:
-  # Enable cache server to use actions/cache.
-  enabled: true
-  # The directory to store the cache data.
-  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
-  dir: ""
-  # The host of the cache server.
-  # It's not for the address to listen, but the address to connect from job containers.
-  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
-  host: ""
-  # The port of the cache server.
-  # 0 means to use a random available port.
-  port: 0
-  # The external cache server URL. Valid only when enable is true.
-  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
-  # The URL should generally end with "/".
-  external_server: ""
-
-container:
-  # Specifies the network to which the container will connect.
-  # Could be host, bridge or the name of a custom network.
-  # If it's empty, act_runner will create a network automatically.
-  network: ""
-  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
-  privileged: false
-  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
-  options:
-  # The parent directory of a job's working directory.
-  # If it's empty, /workspace will be used.
-  workdir_parent:
-  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
-  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
-  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
-  # valid_volumes:
-  #   - data
-  #   - /src/*.json
-  # If you want to allow any volume, please use the following configuration:
-  # valid_volumes:
-  #   - '**'
-  valid_volumes: []
-  # overrides the docker client host with the specified one.
-  # If it's empty, act_runner will find an available docker host automatically.
-  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
-  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
-  docker_host: ""
-  # Pull docker image(s) even if already present
-  force_pull: false
-
-host:
-  # The parent directory of a job's working directory.
-  # If it's empty, $HOME/.cache/act/ will be used.
-  workdir_parent:

roles/authentik/defaults/main.yml

@@ -1,3 +0,0 @@
----
-
-authentik_version: 2024.8.3

roles/authentik/handlers/main.yml

@@ -1,13 +0,0 @@
----
-
-- name: Reload systemd
-  systemd: daemon_reload=yes
-
-- name: Restart authentik
-  service: name=authentik state=restarted
-
-- name: Restart nginx
-  service: name=nginx state=restarted
-
-- name: Run acertmgr
-  command: /usr/bin/acertmgr

roles/authentik/tasks/main.yml

@@ -1,51 +0,0 @@
----
-
-- name: Install packages
-  apt:
-    name:
-    - docker-compose
-
-- name: Create authentik group
-  group: name=authentik
-
-- name: Create authentik user
-  user:
-    name: authentik
-    home: /opt/authentik
-    shell: /bin/bash
-    group: authentik
-    groups: docker
-
-- name: Configure authentik container
-  template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
-  notify: Restart authentik
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
-  notify: Restart nginx
-
-- name: Configure certificate manager for authentik
-  template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
-  notify: Run acertmgr
-
-- name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
-  notify: Restart nginx
-
-- name: Enable vhost
-  file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
-  notify: Restart nginx
-
-- name: Systemd unit for authentik
-  template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
-  notify:
-  - Reload systemd
-  - Restart authentik
-
-- name: Start the authentik service
-  service: name=authentik state=started enabled=yes
-
-- name: Enable monitoring
-  include_role: name=icinga-monitor tasks_from=http
-  vars:
-    vhost: "{{ authentik_domain }}"

roles/authentik/templates/authentik.service.j2

@@ -1,28 +0,0 @@
-[Unit]
-Description=authentik service using docker compose
-Requires=docker.service
-After=docker.service
-Before=nginx.service
-
-[Service]
-Type=simple
-
-User=authentik
-Group=authentik
-
-Restart=always
-TimeoutStartSec=1200
-
-WorkingDirectory=/opt/authentik
-
-# Make sure no old containers are running
-ExecStartPre=/usr/bin/docker-compose down -v
-
-# Compose up
-ExecStart=/usr/bin/docker-compose up
-
-# Compose down, remove containers and volumes
-ExecStop=/usr/bin/docker-compose down -v
-
-[Install]
-WantedBy=multi-user.target

roles/authentik/templates/certs.j2

@@ -1,15 +0,0 @@
----
-
-{{ authentik_domain }}:
-- path: /etc/nginx/ssl/{{ authentik_domain }}.key
-  user: root
-  group: root
-  perm: '400'
-  format: key
-  action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
-  user: root
-  group: root
-  perm: '400'
-  format: crt,ca
-  action: '/usr/sbin/service nginx restart'

roles/authentik/templates/docker-compose.yml.j2

@@ -1,75 +0,0 @@
----
-version: "3.4"
-services:
-  postgresql:
-    image: docker.io/library/postgres:16-alpine
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
-      start_period: 20s
-      interval: 30s
-      retries: 5
-      timeout: 5s
-    volumes:
-      - ./database:/var/lib/postgresql/data
-    environment:
-      POSTGRES_PASSWORD: {{ authentik_dbpass }}
-      POSTGRES_USER: {{ authentik_dbuser }}
-      POSTGRES_DB: {{ authentik_dbname }}
-  redis:
-    image: docker.io/library/redis:alpine
-    command: --save 60 1 --loglevel warning
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
-      start_period: 20s
-      interval: 30s
-      retries: 5
-      timeout: 3s
-    volumes:
-      - ./redis:/data
-  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
-    restart: unless-stopped
-    command: server
-    environment:
-      AUTHENTIK_REDIS__HOST: redis
-      AUTHENTIK_POSTGRESQL__HOST: postgresql
-      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
-      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
-      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
-      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
-    volumes:
-      - ./media:/media
-      - ./custom-templates:/templates
-    ports:
-      - "127.0.0.1:9000:9000"
-    depends_on:
-      - postgresql
-      - redis
-  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
-    restart: unless-stopped
-    command: worker
-    environment:
-      AUTHENTIK_REDIS__HOST: redis
-      AUTHENTIK_POSTGRESQL__HOST: postgresql
-      AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
-      AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
-      AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
-      AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
-    # `user: root` and the docker socket volume are optional.
-    # See more for the docker socket integration here:
-    # https://goauthentik.io/docs/outposts/integrations/docker
-    # Removing `user: root` also prevents the worker from fixing the permissions
-    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
-    # (1000:1000 by default)
-    user: root
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ./media:/media
-      - ./certs:/certs
-      - ./custom-templates:/templates
-    depends_on:
-      - postgresql
-      - redis

roles/authentik/templates/vhost.j2

@@ -1,41 +0,0 @@
-map $http_upgrade $connection_upgrade {
-	default	upgrade;
-	''	close;
-}
-
-server {
-	listen 80;
-	listen [::]:80;
-
-	server_name {{ authentik_domain }};
-
-	location /.well-known/acme-challenge {
-		default_type "text/plain";
-		alias /var/www/acme-challenge;
-	}
-
-	location / {
-		return 301 https://{{ authentik_domain }}$request_uri;
-	}
-}
-
-server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name {{ authentik_domain }};
-
-	ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
-
-	location / {
-		proxy_pass http://localhost:9000;
-		proxy_http_version 1.1;
-		proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_set_header X-Forwarded-Proto $scheme;
-		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header Connection $connection_upgrade;
-	}
-}

roles/bk_dss/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 
 dss_uwsgi_port: 5001
-dss_version: 0.8.5
+dss_version: 0.8.4

roles/bk_dss/tasks/main.yml

@@ -44,8 +44,3 @@
 - name: Enable vhosts
   file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
   notify: Restart nginx
-
-- name: Enable monitoring
-  include_role: name=icinga-monitor tasks_from=http
-  vars:
-    vhost: "{{ dss_domain }}"

roles/bk_dss/templates/config.cfg.j2

@@ -1,14 +1,12 @@
 DEBUG = True
-REMEMBER_COOKIE_SECURE = True
 SECRET_KEY = "{{ dss_secret }}"
-SESSION_COOKIE_SECURE = True
 SESSION_TIMEOUT = 3600
 
 LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
 LDAP_URI = "{{ ldap_uri }}"
 LDAP_BASE = "{{ ldap_base }}"
 
-ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
+ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
 
 USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
 
@@ -30,7 +28,7 @@ USER_ATTRS = {
 	'userPassword' : '{pass}'
 }
 
-GROUP_FILTER = "(objectClass=posixGroup)"
+GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
 
 REDIS_HOST = "127.0.0.1"
 REDIS_PASSWD = None

roles/common/defaults/main.yml

@@ -6,6 +6,3 @@ logrotate_excludes:
 - "/etc/logrotate.d/dbconfig-common"
 - "/etc/logrotate.d/btmp"
 - "/etc/logrotate.d/wtmp"
-
-sshd_password_authentication: "no"
-sshd_permit_root_login: "prohibit-password"

roles/common/files/50-virtio-kernel-names.link

@@ -0,0 +1,10 @@
+# udev 226 introduced predictable interface names for virtio;
+# disable this for upgrades. You can remove this file if you update your
+# network configuration to move to the ens* names instead.
+# See /usr/share/doc/udev/README.Debian.gz for details about predictable
+# network interface names.
+[Match]
+Driver=virtio_net
+
+[Link]
+NamePolicy=onboard kernel

roles/common/files/99-default.link

@@ -0,0 +1,6 @@
+# This machine is most likely a virtualized guest, where the old persistent
+# network interface mechanism (75-persistent-net-generator.rules) did not work.
+# This file disables /lib/systemd/network/99-default.link to avoid
+# changing network interface names on upgrade. Please read
+# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
+# supported mechanism.

roles/common/handlers/main.yml

@@ -1,16 +1,7 @@
 ---
 
-- name: Restart chrony
-  service: name=chrony state=restarted
-
 - name: Restart journald
   service: name=systemd-journald state=restarted
 
-- name: Restart sshd
-  service: name=sshd state=restarted
-
-- name: update-grub
-  command: update-grub
-
 - name: update-initramfs
   command: update-initramfs -u -k all

roles/common/tasks/Debian.yml

@@ -3,10 +3,7 @@
 - name: Install misc software
   apt:
     name:
-    - apt-transport-https
     - dnsutils
-    - fdisk
-    - gnupg2
     - htop
     - less
     - net-tools
@@ -16,7 +13,6 @@
     - rsync
     - sudo
     - vim-nox
-    - wget
     - zsh
 
 - name: Install software on KVM VMs
@@ -30,32 +26,35 @@
   copy: src={{ item.src }} dest={{ item.dest }}
   diff: no
   with_items:
-  - { src: ".zshrc", dest: "/root/.zshrc" }
+  - { src: '.zshrc', dest: '/root/.zshrc' }
-  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
-  - { src: "motd", dest: "/etc/motd" }
+  - { src: 'motd', dest: '/etc/motd' }
-  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
+  - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
 
 - name: Set shell for root user
   user: name=root shell=/bin/zsh
 
+- name: Create LDAP client config
+  template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
+
 - name: Disable hibernation/resume
   copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
   notify: update-initramfs
 
-- name: Enable serial console on KVM VMs
+# TODO template /etc/network/interfaces
-  lineinfile:
+
-    path: "/etc/default/grub"
+- name: Fix network interface names
-    state: "present"
+  copy: src={{ item }} dest=/etc/systemd/network/{{ item }}
-    regexp: "^#?GRUB_CMDLINE_LINUX=.*"
+  with_items:
-    line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
+  - 50-virtio-kernel-names.link
-  notify: update-grub
+  - 99-default.link
-  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
+  notify: update-initramfs
 
 - name: Prevent normal users from running su
   lineinfile:
     path: /etc/pam.d/su
-    regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
+    regexp: '^.*auth\s+required\s+pam_wheel.so$'
-    line: "auth       required   pam_wheel.so"
+    line: 'auth       required   pam_wheel.so'
 
 - name: Configure journald retention
   lineinfile:
@@ -90,25 +89,16 @@
   set_fact:
     logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
 
-- name: "Set logrotate.d/* to daily"
+- name: 'Set logrotate.d/* to daily'
   replace:
     path: "{{ item }}"
     regexp: "(?:weekly|monthly)"
     replace: "daily"
   loop: "{{ logrotateconfigpaths }}"
 
-- name: "Set /etc/logrotate.d/* rotation to 7"
+- name: 'Set /etc/logrotate.d/* rotation to 7'
   replace:
     path: "{{ item }}"
     regexp: "rotate [0-9]+"
     replace: "rotate 7"
   loop: "{{ logrotateconfigpaths }}"
-
-- name: Configure sshd
-  template:
-    src: sshd_config.j2
-    dest: /etc/ssh/sshd_config
-    owner: root
-    group: root
-    mode: '0644'
-  notify: Restart sshd

roles/common/tasks/FreeBSD.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Install misc software
+  pkgng:
+    name:
+    - vim-lite
+    - htop
+    - zsh
+
+- name: Configure misc software
+  copy: src={{ item.src }} dest={{ item.dest }}
+  with_items:
+  - { src: '.zshrc', dest: '/root/.zshrc' }
+  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }

roles/common/tasks/Proxmox.yml

@@ -13,12 +13,11 @@
 
 - name: Configure misc software
   copy: src={{ item.src }} dest={{ item.dest }}
-  diff: no
   with_items:
-  - { src: ".zshrc", dest: "/root/.zshrc" }
+  - { src: '.zshrc', dest: '/root/.zshrc' }
-  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
-  - { src: "motd", dest: "/etc/motd" }
+  - { src: 'motd', dest: '/etc/motd' }
-  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
+  - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
 
 - name: Set shell for root user
   user: name=root shell=/bin/zsh

roles/common/tasks/chrony.yml

@@ -1,8 +0,0 @@
----
-
-- name: Install chrony
-  apt: name=chrony
-
-- name: Configure chrony
-  template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
-  notify: Restart chrony

roles/common/tasks/main.yml

@@ -2,20 +2,21 @@
 
 - name: Cleanup
   apt: autoclean=yes
-  when: ansible_os_family == "Debian"
+  when: ansible_os_family == 'Debian'
 
 - name: Gather package facts
   package_facts:
     manager: apt
-  when: ansible_os_family == "Debian"
+  when: ansible_os_family == 'Debian'
 
 - name: Proxmox
   include: Proxmox.yml
-  when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
+  when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
 
 - name: Debian
   include: Debian.yml
-  when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
+  when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
 
-- name: Setup chrony
+- name: FreeBSD
-  include: chrony.yml
+  include: FreeBSD.yml
+  when: ansible_distribution == 'FreeBSD'

roles/common/templates/chrony.conf.j2

@@ -1,52 +0,0 @@
-# Welcome to the chrony configuration file. See chrony.conf(5) for more
-# information about usable directives.
-
-# Include configuration files found in /etc/chrony/conf.d.
-confdir /etc/chrony/conf.d
-
-{% for srv in ntp_servers %}
-server {{ srv }} iburst
-{% endfor %}
-{% if ntp_peers is defined %}
-
-{% for peer in ntp_peers %}
-peer {{ peer }}
-{% endfor %}
-{% endif %}
-
-{% if ntp_server is defined and ntp_server is true %}
-allow 172.23.0.0/16
-{% endif -%}
-
-# This directive specify the location of the file containing ID/key pairs for
-# NTP authentication.
-keyfile /etc/chrony/chrony.keys
-
-# This directive specify the file into which chronyd will store the rate
-# information.
-driftfile /var/lib/chrony/chrony.drift
-
-# Save NTS keys and cookies.
-ntsdumpdir /var/lib/chrony
-
-# Uncomment the following line to turn logging on.
-#log tracking measurements statistics
-
-# Log files location.
-logdir /var/log/chrony
-
-# Stop bad estimates upsetting machine clock.
-maxupdateskew 100.0
-
-# This directive enables kernel synchronisation (every 11 minutes) of the
-# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
-rtcsync
-
-# Step the system clock instead of slewing it if the adjustment is larger than
-# one second, but only in the first three clock updates.
-makestep 1 3
-
-# Get TAI-UTC offset and leap seconds from the system tz database.
-# This directive must be commented out when using time sources serving
-# leap-smeared time.
-leapsectz right/UTC

roles/common/templates/ldap.conf.j2

@@ -0,0 +1,19 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE	{{ ldap_base }}
+URI	{{ ldap_uri }}
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# TLS certificates (needed for GnuTLS)
+TLS_REQCERT demand
+TLS_CACERTDIR /etc/ssl/certs
+TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+

roles/common/templates/sshd_config.j2

@@ -1,131 +0,0 @@
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin {{ sshd_permit_root_login }}
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
-
-#AuthorizedPrincipalsFile none
-
-{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
-AuthorizedKeysCommand {{ sshd_authkeys_command }}
-{%   if sshd_authkeys_user is defined and sshd_authkeys_user %}
-AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
-{%   else %}
-AuthorizedKeysCommandUser nobody
-{%   endif %}
-{% else %}
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-{% endif %}
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication {{ sshd_password_authentication }}
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-KbdInteractiveAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the KbdInteractiveAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin prohibit-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and KbdInteractiveAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem	sftp	/usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server

roles/coturn/handlers/main.yml

@@ -1,10 +1,4 @@
 ---
 
-- name: Reload systemd
-  systemd: daemon_reload=yes
-
 - name: Restart coturn
   service: name=coturn state=restarted
-
-- name: Run acertmgr
-  command: /usr/bin/acertmgr

roles/coturn/meta/main.yml

@@ -1,4 +0,0 @@
----
-
-dependencies:
-- { role: acertmgr }

roles/coturn/tasks/main.yml

@@ -3,28 +3,6 @@
 - name: Install coturn
   apt: name=coturn
 
-- name: Create coturn service override directory
-  file: path=/etc/systemd/system/coturn.service.d state=directory
-
-- name: Configure coturn service override
-  template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
-  notify:
-  - Reload systemd
-  - Restart coturn
-
-- name: Create gitea directories
-  file: path={{ item }} state=directory owner=turnserver
-  with_items:
-  - /etc/turnserver
-  - /etc/turnserver/certs
-
-- name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
-
-- name: Configure certificate manager
-  template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
-  notify: Run acertmgr
-
 - name: Configure coturn
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:

roles/coturn/templates/certs.j2

@@ -1,15 +0,0 @@
----
-
-{{ coturn_realm }}:
-- path: /etc/turnserver/certs/{{ coturn_realm }}.key
-  user: turnserver
-  group: turnserver
-  perm: '400'
-  format: key
-  action: '/usr/sbin/service coturn restart'
-- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
-  user: turnserver
-  group: turnserver
-  perm: '400'
-  format: crt,ca
-  action: '/usr/sbin/service coturn restart'

roles/coturn/templates/coturn.override.j2

@@ -1,2 +0,0 @@
-[Service]
-AmbientCapabilities=CAP_NET_BIND_SERVICE

roles/coturn/templates/turnserver.conf.j2

@@ -1,9 +1,9 @@
 # Coturn TURN SERVER configuration file
 #
-# Boolean values note: where a boolean value is supposed to be used,
+# Boolean values note: where boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
+# you can use '0', 'off', 'no', 'false', 'f' as 'false, 
-# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
+# and you can use '1', 'on', 'yes', 'true', 't' as 'true' 
-# If the value is missing, then it means 'true' by default.
+# If the value is missed, then it means 'true'.
 #
 
 # Listener interface device (optional, Linux only).
@@ -15,19 +15,19 @@
 # Note: actually, TLS & DTLS sessions can connect to the 
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
-listening-port=443
+#listening-port=3478
 
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
 # port(s), too - if allowed by configuration. The TURN server 
 # "automatically" recognizes the type of traffic. Actually, two listening
 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
-# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
+# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
-# For secure TCP connections, Coturn currently supports
+# For secure TCP connections, we currently support SSL version 3 and 
 # TLS version 1.0, 1.1 and 1.2.
-# For secure UDP connections, Coturn supports DTLS version 1.
+# For secure UDP connections, we support DTLS version 1.
 #
-tls-listening-port=443
+#tls-listening-port=5349
 
 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one". 
@@ -45,14 +45,6 @@ tls-listening-port=443
 #
 #alt-tls-listening-port=0
 	
-# Some network setups will require using a TCP reverse proxy in front
-# of the STUN server. If the proxy port option is set a single listener
-# is started on the given port that accepts connections using the
-# haproxy proxy protocol v2.
-# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
-#
-#tcp-proxy-port=5555
-
 # Listener IP address of relay server. Multiple listeners can be specified.
 # If no IP(s) specified in the config file or in the command line options, 
 # then all IPv4 and IPv6 system IPs will be used for listening.
@@ -125,10 +117,7 @@ tls-listening-port=443
 #
 # By default, this value is empty, and no address mapping is used.
 #
-external-ip={{ ansible_default_ipv4.address }}
+#external-ip=60.70.80.91
-{% if ansible_default_ipv6.address is defined %}
-external-ip={{ ansible_default_ipv6.address }}
-{% endif %}
 #
 #OR:
 #
@@ -144,8 +133,8 @@ external-ip={{ ansible_default_ipv6.address }}
 #
 # If this parameter is not set, then the default OS-dependent 
 # thread pattern algorithm will be employed. Usually the default
-# algorithm is optimal, so you have to change this option
+# algorithm is the most optimal, so you have to change this option
-# if you want to make some fine tweaks.
+# only if you want to make some fine tweaks. 
 #
 # In the older systems (Linux kernel before 3.9),
 # the number of UDP threads is always one thread per network listening
@@ -166,7 +155,7 @@ external-ip={{ ansible_default_ipv6.address }}
 	
 # Uncomment to run TURN server in 'extra' verbose mode.
 # This mode is very annoying and produces lots of output.
-# Not recommended under normal circumstances.
+# Not recommended under any normal circumstances.
 #	
 #Verbose
 
@@ -180,27 +169,15 @@ fingerprint
 #
 #lt-cred-mech
 
-# This option is the opposite of lt-cred-mech.
+# This option is opposite to lt-cred-mech. 
 # (TURN Server with no-auth option allows anonymous access).
 # If neither option is defined, and no users are defined,
 # then no-auth is default. If at least one user is defined, 
-# in this file, in command line or in usersdb file, then
+# in this file or in command line or in usersdb file, then
 # lt-cred-mech is default.
 #
 #no-auth
 
-# Enable prometheus exporter
-# If enabled the turnserver will expose an endpoint with stats on a prometheus format
-# this endpoint is listening on a different port to not conflict with other configurations.
-#
-# You can simply run the turnserver and access the port 9641 and path /metrics
-#
-# For mor info on the prometheus exporter and metrics
-# https://prometheus.io/docs/introduction/overview/
-# https://prometheus.io/docs/concepts/data_model/
-#
-#prometheus
-
 # TURN REST API flag.
 # (Time Limited Long Term Credential)
 # Flag that sets a special authorization option that is based upon authentication secret.
@@ -216,33 +193,34 @@ fingerprint
 # turn password -> base64(hmac(secret key, usercombo))
 #
 # This allows TURN credentials to be accounted for a specific user id.
-# If you don't have a suitable id, then the timestamp alone can be used.
+# If you don't have a suitable id, the timestamp alone can be used.
-# This option is enabled by turning on secret-based authentication.
+# This option is just turning on secret-based authentication.
-# The actual value of the secret is defined either by the option static-auth-secret,
+# The actual value of the secret is defined either by option static-auth-secret,
 # or can be found in the turn_secret table in the database (see below).
 # 
 # Read more about it:
 #  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
 #  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
 #
-# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
+# Be aware that use-auth-secret overrides some part of lt-cred-mech.
-# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
+# Notice that this feature depends internally on lt-cred-mech, so if you set
-# this option then it automatically enables lt-cred-mech internally
+# use-auth-secret then it enables internally automatically lt-cred-mech option
-# as if you had enabled both.
+# like if you enable both.
 #
-# Note that you can use only one auth mechanism at the same time! This is because,
+# You can use only one of the to auth mechanisms in the same time because,
-# both mechanisms conduct username and password validation in different ways.
+# both mechanism use the username and password validation in different way.
 #
-# Use either lt-cred-mech or use-auth-secret in the conf
+# This way be aware that you can't use both auth mechnaism in the same time!
+# Use in config either the lt-cred-mech or the use-auth-secret
 # to avoid any confusion.
 #
 use-auth-secret
 
 # 'Static' authentication secret value (a string) for TURN REST API only. 
 # If not set, then the turn server
-# will try to use the 'dynamic' value in the turn_secret table
+# will try to use the 'dynamic' value in turn_secret table
-# in the user database (if present). The database-stored  value can be changed on-the-fly
+# in user database (if present). The database-stored  value can be changed on-the-fly
-# by a separate program, so this is why that mode is considered 'dynamic'.
+# by a separate program, so this is why that other mode is 'dynamic'.
 #
 static-auth-secret={{ coturn_secret }}
 
@@ -256,10 +234,10 @@ static-auth-secret={{ coturn_secret }}
 #
 #oauth
 
-# 'Static' user accounts for the long term credentials mechanism, only.
+# 'Static' user accounts for long term credentials mechanism, only.
 # This option cannot be used with TURN REST API.
 # 'Static' user accounts are NOT dynamically checked by the turnserver process, 
-# so they can NOT be changed while the turnserver is running.
+# so that they can NOT be changed while the turnserver is running.
 #
 #user=username1:key1
 #user=username2:key2
@@ -285,15 +263,15 @@ static-auth-secret={{ coturn_secret }}
 
 # SQLite database file name.
 #
-# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
 # /var/lib/turn/turndb.
 # 
 #userdb=/var/db/turndb
 
-# PostgreSQL database connection string in the case that you are using PostgreSQL
+# PostgreSQL database connection string in the case that we are using PostgreSQL
 # as the user database.
-# This database can be used for the long-term credential mechanism
+# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
 # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
 # versions connection string format, see 
 # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
@@ -301,43 +279,43 @@ static-auth-secret={{ coturn_secret }}
 #
 #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
 
-# MySQL database connection string in the case that you are using MySQL
+# MySQL database connection string in the case that we are using MySQL
 # as the user database.
-# This database can be used for the long-term credential mechanism
+# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# and it can store the secret value for secret-based timed authentication in TURN RESP API.
 #
 # Optional connection string parameters for the secure communications (SSL): 
 # ca, capath, cert, key, cipher 
 # (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the 
 # command options description).
 #
-# Use the string format below (space separated parameters, all optional):
+# Use string format as below (space separated parameters, all optional):
 #
 #mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
 
-# If you want to use an encrypted password in the MySQL connection string,
+# If you want to use in the MySQL connection string the password in encrypted format,
-# then set the MySQL password encryption secret key file with this option.
+# then set in this option the MySQL password encryption secret key file.
 #
-# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
+# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format! 
-# If you want to use a cleartext password then do not set this option!
+# If you want to use cleartext password then do not set this option!
 #
-# This is the file path for the aes encrypted secret key used for password encryption.
+# This is the file path which contain secret key of aes encryption while using password encryption.
 #
 #secret-key-file=/path/
 
-# MongoDB database connection string in the case that you are using MongoDB
+# MongoDB database connection string in the case that we are using MongoDB
 # as the user database.
 # This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
-# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
+# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
 #
 #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
 
-# Redis database connection string in the case that you are using Redis
+# Redis database connection string in the case that we are using Redis
 # as the user database.
 # This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
-# Use the string format below (space separated parameters, all optional):
+# Use string format as below (space separated parameters, all optional):
 #
 #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 
@@ -345,23 +323,23 @@ static-auth-secret={{ coturn_secret }}
 # This database keeps allocations status information, and it can be also used for publishing
 # and delivering traffic and allocation event notifications.
 # The connection string has the same parameters as redis-userdb connection string. 
-# Use the string format below (space separated parameters, all optional):
+# Use string format as below (space separated parameters, all optional):
 #
 #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 
 # The default realm to be used for the users when no explicit 
-# origin/realm relationship is found in the database, or if the TURN
+# origin/realm relationship was found in the database, or if the TURN
 # server is not using any database (just the commands-line settings
 # and the userdb file). Must be used with long-term credentials 
 # mechanism or with TURN REST API.
 #
-# Note: If the default realm is not specified, then realm falls back to the host domain name.
+# Note: If default realm is not specified at all, then realm falls back to the host domain name.
-#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
+#       If domain name is empty string, or '(None)', then it is initialized to am empty string.
 #
 realm={{ coturn_realm }}
 
-# This flag sets the origin consistency
+# The flag that sets the origin consistency 
-# check. Across the session, all requests must have the same
+# check: across the session, all requests must have the same
 # main ORIGIN attribute value (if the ORIGIN was
 # initially used by the session).
 #
@@ -381,7 +359,7 @@ realm={{ coturn_realm }}
 
 # Max bytes-per-second bandwidth a TURN session is allowed to handle
 # (input and output network streams are treated separately). Anything above
-# that limit will be dropped or temporarily suppressed (within
+# that limit will be dropped or temporary suppressed (within
 # the available buffer limits).
 # This option can also be set through the database, for a particular realm.
 #
@@ -402,17 +380,17 @@ realm={{ coturn_realm }}
 # Uncomment if no TCP client listener is desired.
 # By default TCP client listener is always started.
 #
-#no-tcp
+no-tcp
 
 # Uncomment if no TLS client listener is desired.
 # By default TLS client listener is always started.
 #
-#no-tls
+no-tls
 
 # Uncomment if no DTLS client listener is desired.
 # By default DTLS client listener is always started.
 #
-#no-dtls
+no-dtls
 
 # Uncomment if no UDP relay endpoints are allowed.
 # By default UDP relay endpoints are enabled (like in RFC 5766).
@@ -425,10 +403,10 @@ realm={{ coturn_realm }}
 #no-tcp-relay
 
 # Uncomment if extra security is desired,
-# with nonce value having a limited lifetime.
+# with nonce value having limited lifetime.
-# The nonce value is unique for a session.
+# By default, the nonce value is unique for a session,
+# and has unlimited lifetime. 
 # Set this option to limit the nonce lifetime. 
-# Set it to 0 for unlimited lifetime.
 # It defaults to 600 secs (10 min) if no value is provided. After that delay, 
 # the client will get 438 error and will have to re-authenticate itself.
 #
@@ -457,7 +435,6 @@ realm={{ coturn_realm }}
 # Certificate file.
 # Use an absolute path or path relative to the 
 # configuration file.
-# Use PEM file format.
 #
 #cert=/usr/local/etc/turn_server_cert.pem
 
@@ -480,7 +457,7 @@ realm={{ coturn_realm }}
 
 # CA file in OpenSSL format. 
 # Forces TURN server to verify the client SSL certificates.
-# By default this is not set: there is no default value and the client
+# By default it is not set: there is no default value and the client
 # certificate is not checked.
 #
 # Example:
@@ -494,13 +471,13 @@ realm={{ coturn_realm }}
 #
 #ec-curve-name=prime256v1
 
-# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
+# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
 #
 #dh566
 
-# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
+# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
 #
-#dh1066
+#dh2066
 
 # Use custom DH TLS key, stored in PEM format in the file.
 # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
@@ -508,16 +485,16 @@ realm={{ coturn_realm }}
 #dh-file=<DH-PEM-file-name>
 
 # Flag to prevent stdout log messages.
-# By default, all log messages go to both stdout and to
+# By default, all log messages are going to both stdout and to 
-# the configured log file. With this option everything will
+# the configured log file. With this option everything will be 
-# go to the configured log only (unless the log file itself is stdout).
+# going to the configured log only (unless the log file itself is stdout).
 #
 #no-stdout-log
 
 # Option to set the log file name.
 # By default, the turnserver tries to open a log file in 
-# /var/log, /var/tmp, /tmp and the current directory
+# /var/log, /var/tmp, /tmp and current directories directories
-# (Whichever file open operation succeeds first will be used).
+# (which open operation succeeds first that file will be used).
 # With this option you can set the definite log file name.
 # The special names are "stdout" and "-" - they will force everything 
 # to the stdout. Also, the "syslog" name will force everything to
@@ -537,25 +514,15 @@ syslog
 #
 #simple-log
 
-# Enable full ISO-8601 timestamp in all logs.
-#new-log-timestamp
-
-# Set timestamp format (in strftime(1) format)
-#new-log-timestamp-format "%FT%T%z"
-
-# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
-# Enable binding logging and UDP endpoint logs in verbose log mode.
-#log-binding
-
 # Option to set the "redirection" mode. The value of this option
-# will be the address of the alternate server for UDP & TCP service in the form of
+# will be the address of the alternate server for UDP & TCP service in form of 
 # <ip>[:<port>]. The server will send this value in the attribute
 # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
 # Client will receive only values with the same address family
 # as the client network endpoint address family. 
-# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
+# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description. 
 # The client must use the obtained value for subsequent TURN communications.
-# If more than one --alternate-server option is provided, then the functionality
+# If more than one --alternate-server options are provided, then the functionality
 # can be more accurately described as "load-balancing" than a mere "redirection". 
 # If the port number is omitted, then the default port 
 # number 3478 for the UDP/TCP protocols will be used.
@@ -565,7 +532,7 @@ syslog
 # [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . 
 # Multiple alternate servers can be set. They will be used in the
 # round-robin manner. All servers in the pool are considered of equal weight and 
-# the load will be distributed equally. For example, if you have 4 alternate servers,
+# the load will be distributed equally. For example, if we have 4 alternate servers, 
 # then each server will receive 25% of ALLOCATE requests. A alternate TURN server 
 # address can be used more than one time with the alternate-server option, so this 
 # can emulate "weighting" of the servers.
@@ -592,15 +559,6 @@ syslog
 #
 #stun-only
 
-# Option to hide software version. Enhance security when used in production.
-# Revealing the specific software version of the agent through the
-# SOFTWARE attribute might allow them to become more vulnerable to
-# attacks against software that is known to contain security holes.
-# Implementers SHOULD make usage of the SOFTWARE attribute a
-# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
-#
-#no-software-attribute
-
 # Option to suppress STUN functionality, only TURN requests will be processed.
 # Run as TURN server only, all STUN requests will be ignored.
 # By default, this option is NOT set.
@@ -664,19 +622,19 @@ mobility
 # Allocate Address Family according 
 # If enabled then TURN server allocates address family according  the TURN 
 # Client <=> Server communication address family.
-# (By default Coturn works according RFC 6156.)
+# (By default coTURN works according RFC 6156.)
 # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
 #
 #keep-address-family
 
 
 # User name to run the process. After the initialization, the turnserver process
-# will attempt to change the current user ID to that user.
+# will make an attempt to change the current user ID to that user.
 #
 #proc-user=<user-name>
 
 # Group name to run the process. After the initialization, the turnserver process
-# will attempt to change the current group ID to that group.
+# will make an attempt to change the current group ID to that group.
 #
 #proc-group=<group-name>
 
@@ -696,8 +654,8 @@ mobility
 #cli-port=5766
 
 # CLI access password. Default is empty (no password).
-# For the security reasons, it is recommended that you use the encrypted
+# For the security reasons, it is recommended to use the encrypted
-# form of the password (see the -P command in the turnadmin utility).
+# for of the password (see the -P command in the turnadmin utility).
 #
 # Secure form for password 'qwerty':
 #
@@ -726,12 +684,8 @@ mobility
 #
 #web-admin-listen-on-workers
 
-#acme-redirect=http://redirectserver/.well-known/acme-challenge/
-# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
-# Default is '', i.e. no special handling for such requests.
-
 # Server relay. NON-STANDARD AND DANGEROUS OPTION. 
-# Only for those applications when you want to run
+# Only for those applications when we want to run 
 # server applications on the relay endpoints.
 # This option eliminates the IP permissions check on 
 # the packets incoming to the relay endpoints.
@@ -749,6 +703,6 @@ mobility
 
 # Do not allow an TLS/DTLS version of protocol
 #
-#no-tlsv1
+no-tlsv1
-#no-tlsv1_1
+no-tlsv1_1
-#no-tlsv1_2
+no-tlsv1_2

roles/dhcpd/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Restart isc-dhcp-server
+  service: name=isc-dhcp-server state=restarted

roles/dhcpd/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Install dhcp server
+  apt: name=isc-dhcp-server
+
+- name: Configure dhcp server
+  template: src={{ item }}.j2 dest=/etc/{{ item }}
+  with_items:
+  - default/isc-dhcp-server
+  - dhcp/dhcpd.conf
+  notify: Restart isc-dhcp-server
+
+- name: Start the dhcp server
+  service: name=isc-dhcp-server state=started enabled=yes

roles/dhcpd/templates/default/isc-dhcp-server.j2

@@ -0,0 +1,17 @@
+#
+# This is a POSIX shell fragment
+#
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+#DHCPD_CONF=/etc/dhcp/dhcpd.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+#DHCPD_PID=/var/run/dhcpd.pid
+
+# Additional options to start dhcpd with.
+#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACES="eth0"

roles/dhcpd/templates/dhcp/dhcpd.conf.j2

@@ -0,0 +1,228 @@
+# dhcpd.conf
+
+# option definitions common to all supported networks...
+option domain-name "binary.kitchen";
+option domain-name-servers {{ name_servers | join(', ') }};
+option ntp-servers 172.23.1.60, 172.23.2.3;
+
+default-lease-time 7200;
+max-lease-time 28800;
+
+# Use this to enble / disable dynamic dns updates globally.
+ddns-update-style none;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+{% if dhcpd_failover == true %}
+
+# Failover
+
+failover peer "failover-partner" {
+{% if ansible_default_ipv4.address == dhcpd_primary %}
+  primary;
+  address {{ dhcpd_primary }};
+  peer address {{ dhcpd_secondary }};
+{% elif ansible_default_ipv4.address == dhcpd_secondary %}
+  secondary;
+  address {{ dhcpd_secondary }};
+  peer address {{ dhcpd_primary }};
+{% endif %}
+  port 520;
+  peer port 520;
+  max-response-delay 60;
+  max-unacked-updates 10;
+{% if ansible_default_ipv4.address == dhcpd_primary %}
+  mclt 600;
+  split 255;
+{% endif %}
+  load balance max seconds 3;
+}
+{% endif %}
+
+# Binary Kitchen subnets
+
+# Management
+subnet 172.23.1.0 netmask 255.255.255.0 {
+  option routers 172.23.1.1;
+}
+
+# Services
+subnet 172.23.2.0 netmask 255.255.255.0 {
+  allow bootp;
+  option routers 172.23.2.1;
+}
+
+# Users
+subnet 172.23.3.0 netmask 255.255.255.0 {
+  option routers 172.23.3.1;
+  pool {
+{% if dhcpd_failover == true %}
+    failover peer "failover-partner";
+{% endif %}
+    range 172.23.3.10 172.23.3.230;
+  }
+}
+
+# MQTT
+subnet 172.23.4.0 netmask 255.255.255.0 {
+  option routers 172.23.4.1;
+  pool {
+{% if dhcpd_failover == true %}
+    failover peer "failover-partner";
+{% endif %}
+    range 172.23.4.10 172.23.4.240;
+  }
+}
+
+
+# Fixed IPs
+
+host ap01 {
+  hardware ethernet 44:48:c1:ce:a9:00;
+  fixed-address ap01.binary.kitchen;
+}
+
+host ap04 {
+  hardware ethernet 44:48:c1:ce:90:06;
+  fixed-address ap04.binary.kitchen;
+}
+
+host ap05 {
+  hardware ethernet bc:9f:e4:c3:6f:aa;
+  fixed-address ap05.binary.kitchen;
+}
+
+host bowle {
+  hardware ethernet ac:1f:6b:25:16:b6;
+  fixed-address bowle.binary.kitchen;
+}
+
+host cannelloni {
+  hardware ethernet 00:10:f3:15:88:ac;
+  fixed-address cannelloni.binary.kitchen;
+}
+
+host cashdesk {
+  hardware ethernet 00:0b:ca:94:13:f1;
+  fixed-address cashdesk.binary.kitchen;
+}
+
+host fusilli {
+  hardware ethernet b8:27:eb:1d:b9:bf;
+  fixed-address fusilli.binary.kitchen;
+}
+
+host garlic {
+  hardware ethernet b8:27:eb:56:2b:7c;
+  fixed-address garlic.binary.kitchen;
+}
+
+host homer {
+  hardware ethernet b8:27:eb:24:b2:12;
+  fixed-address homer.binary.kitchen;
+}
+
+host klopi {
+  hardware ethernet 74:da:38:6e:e6:9d;
+  fixed-address klopi.binary.kitchen;
+}
+
+host lock {
+  hardware ethernet b8:27:eb:d8:b9:ad;
+  fixed-address lock.binary.kitchen;
+}
+
+host maccaroni {
+  hardware ethernet b8:27:eb:18:5c:11;
+  fixed-address maccaroni.binary.kitchen;
+}
+
+host matrix {
+  hardware ethernet b8:27:eb:ed:22:58;
+  fixed-address matrix.binary.kitchen;
+}
+
+host mirror {
+  hardware ethernet 74:da:38:7d:ed:84;
+  fixed-address mirror.binary.kitchen;
+}
+
+host mpcnc {
+  hardware ethernet b8:27:eb:0f:d3:8b;
+  fixed-address mpcnc.binary.kitchen;
+}
+
+host noodlehub {
+  hardware ethernet b8:27:eb:eb:e5:88;
+  fixed-address noodlehub.binary.kitchen;
+}
+
+host pizza {
+  hardware ethernet 52:54:00:17:02:21;
+  fixed-address pizza.binary.kitchen;
+}
+
+host punsch {
+  hardware ethernet 00:21:85:1b:7f:3d;
+  fixed-address punsch.binary.kitchen;
+}
+
+host spaghetti {
+  hardware ethernet b8:27:eb:e3:e9:f1;
+  fixed-address spaghetti.binary.kitchen;
+}
+
+host schweinshaxn {
+  hardware ethernet 52:54:00:17:02:24;
+  fixed-address schweinshaxn.binary.kitchen;
+}
+
+host strammermax {
+  hardware ethernet 08:00:37:B8:55:44;
+  fixed-address strammermax.binary.kitchen;
+}
+
+host obatzda {
+  hardware ethernet ec:9a:74:35:35:cf;
+  fixed-address obatzda.binary.kitchen;
+}
+
+
+# VoIP Phones
+
+host voip01 {
+  hardware ethernet 00:1D:45:B6:99:2F;
+  option tftp-server-name "172.23.2.36";
+}
+
+host voip02 {
+  hardware ethernet 00:1D:A2:66:B8:3E;
+  option tftp-server-name "172.23.2.36";
+}
+
+host voip03 {
+  hardware ethernet 00:1E:BE:90:FB:DB;
+  option tftp-server-name "172.23.2.36";
+}
+
+host voip04 {
+  hardware ethernet 00:1E:BE:90:FF:06;
+  option tftp-server-name "172.23.2.36";
+}
+
+
+# OMAPI
+
+omapi-port 7911;
+omapi-key omapi_key;
+
+key omapi_key {
+  algorithm hmac-md5;
+  secret {{ dhcp_omapi_key }};
+}

roles/dns_extern/tasks/main.yml

@@ -5,21 +5,11 @@
     name:
     - pdns-server
     - pdns-backend-sqlite3
-    - sqlite3
 
 - name: Configure powerdns
   template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
   notify: Restart powerdns
 
-- name: Initialize database
-  command:
-    cmd: >
-      sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
-      /var/lib/powerdns/powerdns.sqlite3
-    creates: /var/lib/powerdns/powerdns.sqlite3
-  become: true
-  become_user: pdns
-
 - name: Copy update policy script
   copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
   notify: Restart powerdns

roles/dns_extern/templates/pdns.conf.j2

@@ -1,4 +1,5 @@
-local-address=0.0.0.0, ::
+local-address=0.0.0.0
+local-ipv6=::
 launch=gsqlite3
 gsqlite3-dnssec
 gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
@@ -10,4 +11,3 @@ allow-axfr-ips=127.0.0.1,::1{% if dns_axfr_ips is defined %},{{ dns_axfr_ips | j
 {% endif %}
 allow-dnsupdate-from=0.0.0.0/0,::/0
 lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
-security-poll-suffix=

roles/dns_intern/handlers/main.yml

@@ -5,6 +5,3 @@
   with_items:
    - pdns
    - pdns-recursor
-
-- name: Restart dnsdist
-  service: name=dnsdist state=restarted

roles/dns_intern/tasks/main.yml

@@ -3,11 +3,8 @@
 - name: Install powerdns
   apt:
     name:
-    - dnsdist
-    - pdns-backend-sqlite3
     - pdns-server
     - pdns-recursor
-    - sqlite3
 
 - name: Create zone directory
   file: path=/etc/powerdns/bind/ state=directory
@@ -22,28 +19,8 @@
   - bind/23.172.in-addr.arpa.zone
   - bind/binary.kitchen.zone
 
-- name: Initialize database
-  command:
-    cmd: >
-      sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
-      /var/lib/powerdns/pdns.sqlite3
-    creates: /var/lib/powerdns/pdns.sqlite3
-  become: true
-  become_user: pdns
-
-# TODO
-# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
-
-# TODO
-# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
-
-- name: Configure dnsdist
-  template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
-  notify: Restart dnsdist
-
 - name: Start the powerdns services
   service: name={{ item }} state=started enabled=yes
   with_items:
-  - dnsdist
   - pdns
   - pdns-recursor

roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2

@@ -1,57 +1,52 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
-@				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
+@				IN	SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
-					2024100600; serial
+					2020051101; serial
 					1d; refresh
 					2h; retry
 					4w; expire
 					1h; minimum time-to-live
 				)
-				IN	NS	ns1.binary.kitchen.
+				IN	NS	ns.binary.kitchen.
-				IN	NS	ns2.binary.kitchen.
 ; Loopback
 1.0				IN	PTR	core.binary.kitchen.
-2.0				IN	PTR	rt-w13b.binary.kitchen.
+2.0				IN	PTR	erx-bk.binary.kitchen.
 3.0				IN	PTR	erx-rz.binary.kitchen.
-4.0				IN	PTR	rt-auweg.binary.kitchen.
+4.0				IN	PTR	pf-bk.binary.kitchen.
+5.0				IN	PTR	pf-rz.binary.kitchen.
 ; Management
 1.1				IN	PTR	v2301.core.binary.kitchen.
 11.1				IN	PTR	ups1.binary.kitchen.
 21.1				IN	PTR	pdu1.binary.kitchen.
 22.1				IN	PTR	pdu2.binary.kitchen.
 23.1				IN	PTR	pdu3.binary.kitchen.
-31.1				IN	PTR	sw-butchery.binary.kitchen.
+31.1				IN	PTR	sw01.binary.kitchen.
-32.1				IN	PTR	sw-mini.binary.kitchen.
+32.1				IN	PTR	sw02.binary.kitchen.
-33.1				IN	PTR	sw-rack.binary.kitchen.
+33.1				IN	PTR	sw03.binary.kitchen.
 41.1				IN	PTR	ap01.binary.kitchen.
 42.1				IN	PTR	ap02.binary.kitchen.
+43.1				IN	PTR	ap03.binary.kitchen.
 44.1				IN	PTR	ap04.binary.kitchen.
 45.1				IN	PTR	ap05.binary.kitchen.
-46.1				IN	PTR	ap06.binary.kitchen.
 51.1				IN	PTR	modem.binary.kitchen.
 60.1				IN	PTR	wurst.binary.kitchen.
 80.1				IN	PTR	wurst-bmc.binary.kitchen.
 82.1				IN	PTR	bowle-bmc.binary.kitchen.
 101.1				IN	PTR	nbe-w13b.binary.kitchen.
 102.1				IN	PTR	nbe-tr8.binary.kitchen.
-111.1				IN	PTR	rfp01.binary.kitchen.
-112.1				IN	PTR	rfp02.binary.kitchen.
 ; Services
 1.2				IN	PTR	v2302.core.binary.kitchen.
+2.2				IN	PTR	ns.binary.kitchen.
 3.2				IN	PTR	bacon.binary.kitchen.
 4.2				IN	PTR	aveta.binary.kitchen.
 5.2				IN	PTR	sulis.binary.kitchen.
 6.2				IN	PTR	nabia.binary.kitchen.
-7.2				IN	PTR	epona.binary.kitchen.
+11.2				IN	PTR	homer.binary.kitchen.
 12.2				IN	PTR	lock.binary.kitchen.
 13.2				IN	PTR	matrix.binary.kitchen.
 33.2				IN	PTR	pizza.binary.kitchen.
-34.2				IN	PTR	pancake.binary.kitchen.
-35.2				IN	PTR	knoedel.binary.kitchen.
 36.2				IN	PTR	schweinshaxn.binary.kitchen.
-37.2				IN	PTR	bob.binary.kitchen.
+44.2				IN	PTR	cashdesk.binary.kitchen.
-38.2				IN	PTR	lasagne.binary.kitchen.
-39.2				IN	PTR	tschunk.binary.kitchen.
 62.2				IN	PTR	bowle.binary.kitchen.
 91.2				IN	PTR	strammermax.binary.kitchen.
 92.2				IN	PTR	obatzda.binary.kitchen.
@@ -61,52 +56,32 @@ $GENERATE 10-230 $.3		IN	PTR	dhcp-${0,3,d}-03.binary.kitchen.
 240.3				IN	PTR	fusilli.binary.kitchen.
 241.3				IN	PTR	klopi.binary.kitchen.
 242.3				IN	PTR	mpcnc.binary.kitchen.
+243.3				IN	PTR	garlic.binary.kitchen.
 244.3				IN	PTR	mirror.binary.kitchen.
 245.3				IN	PTR	spaghetti.binary.kitchen.
 246.3				IN	PTR	maccaroni.binary.kitchen.
+247.3				IN	PTR	pve02-bmc.tmp.binary.kitchen.
+248.3				IN	PTR	pve02.tmp.binary.kitchen.
+249.3				IN	PTR	ffrgb.binary.kitchen.
 250.3				IN	PTR	cannelloni.binary.kitchen.
 251.3				IN	PTR	noodlehub.binary.kitchen.
 ; MQTT
 1.4				IN	PTR	v2304.core.binary.kitchen.
 6.4				IN	PTR	pizza.mqtt.binary.kitchen.
-7.4				IN	PTR	lasagne.mqtt.binary.kitchen.
 $GENERATE 10-240 $.4		IN	PTR	dhcp-${0,3,d}-04.binary.kitchen.
-241.4				IN	PTR	habdisplay1.mqtt.binary.kitchen.
-242.4				IN	PTR	habdisplay2.mqtt.binary.kitchen.
-245.4				IN	PTR	logo1.mqtt.binary.kitchen.
-246.4				IN	PTR	logo2.mqtt.binary.kitchen.
-250.4				IN	PTR	moodlights1.mqtt.binary.kitchen.
-251.4				IN	PTR	openhabgw1.mqtt.binary.kitchen.
-252.4				IN	PTR	homematic-ccu2.mqtt.binary.kitchen.
 ; Management RZ
 1.9				IN	PTR	switch0.erx-rz.binary.kitchen.
 61.9				IN	PTR	salat.binary.kitchen.
 81.9				IN	PTR	salat-bmc.binary.kitchen.
 ; Services RZ
+23.8				IN	PTR	cernunnos.binary.kitchen.
 ; VPN RZ (ER-X)
-1.10				IN	PTR	wg0.erx-rz.binary.kitchen.
+1.10				IN	PTR	wg1.erx-rz.binary.kitchen.
 $GENERATE 2-254 $.10		IN	PTR	vpn-${0,3,d}-10.binary.kitchen.
-; Management Auweg
+; VPN RZ (pf)
-1.12				IN	PTR	v2312.rt-auweg.binary.kitchen.
+$GENERATE 2-254 $.11		IN	PTR	vpn-${0,3,d}-11.binary.kitchen.
-31.12				IN	PTR	sw-auweg.binary.kitchen.
-41.12				IN	PTR	ap11.binary.kitchen.
-42.12				IN	PTR	ap12.binary.kitchen.
-61.12				IN	PTR	weizen.binary.kitchen.
-111.12				IN	PTR	rfp11.binary.kitchen.
-; Services Auweg
-1.13				IN	PTR	v2313.rt-auweg.binary.kitchen.
-3.13				IN	PTR	aeron.binary.kitchen.
-12.13				IN	PTR	lock-auweg.binary.kitchen.
-; Clients Auweg
-1.14				IN	PTR	v2314.rt-auweg.binary.kitchen.
-$GENERATE 10-230 $.14		IN	PTR	dhcp-${0,3,d}-14.binary.kitchen.
-; MQTT
-1.15				IN	PTR	v2315.rt-auweg.binary.kitchen.
-$GENERATE 10-240 $.15		IN	PTR	dhcp-${0,3,d}-15.binary.kitchen.
 ; Point-to-Point
-1.96				IN	PTR	v400.rt-w13b.binary.kitchen.
+1.96				IN	PTR	v400.erx-bk.binary.kitchen.
 2.96				IN	PTR	v400.core.binary.kitchen.
-1.97				IN	PTR	wg1.erx-rz.binary.kitchen.
+1.97				IN	PTR	wg0.erx-rz.binary.kitchen.
-2.97				IN	PTR	wg1.rt-w13b.binary.kitchen.
+2.97				IN	PTR	wg0.erx-bk.binary.kitchen.
-5.97				IN	PTR	wg2.erx-rz.binary.kitchen.
-6.97				IN	PTR	wg2.rt-auweg.binary.kitchen.

roles/dns_intern/templates/bind/binary.kitchen.zone.j2

@@ -1,80 +1,67 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
-@				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
+@				IN	SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
-					2024100600; serial
+					2020051101; serial
 					1d; refresh
 					2h; retry
 					4w; expire
 					1h; minimum time-to-live
 				)
-				IN	NS	ns1.binary.kitchen.
+				IN	NS	ns.binary.kitchen.
-				IN	NS	ns2.binary.kitchen.
-; Subdomains
-users				IN	NS	ns1.binary.kitchen.
-users				IN	NS	ns2.binary.kitchen.
 ; External
 				IN	A	213.166.246.4
 www				IN	A	213.166.246.4
 ; Aliases
 3dprinter			IN	A	172.23.3.251
-icinga				IN	A	172.23.2.6
 ldap				IN	A	172.23.2.3
 ldap				IN	A	172.23.2.4
 ldap				IN	A	213.166.246.2
 ldap1				IN	A	172.23.2.3
 ldap2				IN	A	172.23.2.4
-ldap3				IN	A	172.23.13.3
 ldapm				IN	A	213.166.246.2
 librenms			IN	A	172.23.2.6
-netbox				IN	A	172.23.2.7
+racktables			IN	A	172.23.2.6
-ns1				IN	A	172.23.2.3
-ns2				IN	A	172.23.2.4
-omm				IN	A	172.23.2.35
 radius				IN	A	172.23.2.3
 radius				IN	A	172.23.2.4
 ; Loopback
 core				IN	A	172.23.0.1
-rt-w13b				IN	A	172.23.0.2
+erx-bk				IN	A	172.23.0.2
 erx-rz				IN	A	172.23.0.3
-rt-auweg			IN	A	172.23.0.4
+pf-bk				IN	A	172.23.0.4
+pf-rz				IN	A	172.23.0.5
 ; Management
 v2301.core			IN	A	172.23.1.1
 ups1				IN	A	172.23.1.11
 pdu1				IN	A	172.23.1.21
 pdu2				IN	A	172.23.1.22
 pdu3				IN	A	172.23.1.23
-sw-butchery			IN	A	172.23.1.31
+sw01				IN	A	172.23.1.31
-sw-mini				IN	A	172.23.1.32
+sw02				IN	A	172.23.1.32
-sw-rack				IN	A	172.23.1.33
+sw03				IN	A	172.23.1.33
 ap01				IN	A	172.23.1.41
 ap02				IN	A	172.23.1.42
+ap03				IN	A	172.23.1.43
 ap04				IN	A	172.23.1.44
 ap05				IN	A	172.23.1.45
-ap06				IN	A	172.23.1.46
 modem				IN	A	172.23.1.51
 wurst				IN	A	172.23.1.60
 wurst-bmc			IN	A	172.23.1.80
 bowle-bmc			IN	A	172.23.1.82
 nbe-w13b			IN	A	172.23.1.101
 nbe-tr8				IN	A	172.23.1.102
-rfp01				IN	A	172.23.1.111
-rfp02				IN	A	172.23.1.112
 ; Services
 v2302.core			IN	A	172.23.2.1
+ns				IN	A	172.23.2.2
 bacon				IN	A	172.23.2.3
 aveta				IN	A	172.23.2.4
 sulis				IN	A	172.23.2.5
 nabia				IN	A	172.23.2.6
-epona				IN	A	172.23.2.7
+homer				IN	A	172.23.2.11
 lock				IN	A	172.23.2.12
 matrix				IN	A	172.23.2.13
 pizza				IN	A	172.23.2.33
-pancake				IN	A	172.23.2.34
-knoedel				IN	A	172.23.2.35
 schweinshaxn			IN	A	172.23.2.36
-bob				IN	A	172.23.2.37
+cashdesk			IN	A	172.23.2.44
-lasagne				IN	A	172.23.2.38
-tschunk				IN	A	172.23.2.39
 bowle				IN	A	172.23.2.62
 strammermax			IN	A	172.23.2.91
 obatzda				IN	A	172.23.2.92
@@ -84,52 +71,32 @@ $GENERATE 10-230 dhcp-${0,3,d}-03	IN	A	172.23.3.$
 fusilli				IN	A	172.23.3.240
 klopi				IN	A	172.23.3.241
 mpcnc				IN	A	172.23.3.242
+garlic				IN	A	172.23.3.243
 mirror				IN	A	172.23.3.244
 spaghetti			IN	A	172.23.3.245
 maccaroni			IN	A	172.23.3.246
+pve02-bmc.tmp			IN	A	172.23.3.247
+pve02.tmp			IN	A	172.23.3.248
+ffrgb				IN	A	172.23.3.249
 cannelloni			IN	A	172.23.3.250
 noodlehub			IN	A	172.23.3.251
 ; MQTT
 v2304.core			IN	A	172.23.4.1
 pizza.mqtt			IN	A	172.23.4.6
-lasagne.mqtt			IN	A	172.23.4.7
 $GENERATE 10-240 dhcp-${0,3,d}-04	IN	A	172.23.4.$
-habdisplay1.mqtt		IN	A	172.23.4.241
-habdisplay2.mqtt		IN	A	172.23.4.242
-logo1.mqtt			IN	A	172.23.4.245
-logo2.mqtt			IN	A	172.23.4.246
-moodlights1.mqtt		IN	A	172.23.4.250
-openhabgw1.mqtt			IN	A	172.23.4.251
-homematic-ccu2.mqtt		IN	A	172.23.4.252
 ; Management RZ
 switch0.erx-rz			IN	A	172.23.9.1
 salat				IN	A	172.23.9.61
 salat-bmc			IN	A	172.23.9.81
 ; Services RZ
-; Management Auweg
+cernunnos			IN	A	172.23.8.23
-v2312.rt-auweg			IN	A	172.23.12.1
-sw-auweg			IN	A	172.23.12.31
-ap11				IN	A	172.23.12.41
-ap12				IN	A	172.23.12.42
-weizen				IN	A	172.23.12.61
-rfp11				IN	A	172.23.12.111
-; Services Auweg
-v2313.rt-auweg			IN	A	172.23.13.1
-aeron				IN	A	172.23.13.3
-lock-auweg			IN	A	172.23.13.12
-; Clients Auweg
-v2314.rt-auweg			IN	A	172.23.14.1
-$GENERATE 10-230 dhcp-${0,3,d}-14	IN	A	172.23.14.$
-; MQTT Auweg
-v2315.rt-auweg			IN	A	172.23.15.1
-$GENERATE 10-240 dhcp-${0,3,d}-15	IN	A	172.23.15.$
 ; VPN RZ (ER-X)
-wg0.erx-rz			IN	A	172.23.10.1
+wg1.erx-rz			IN	A	172.23.10.1
 $GENERATE 2-254 vpn-${0,3,d}-10	IN	A	172.23.10.$
+; VPN RZ (pf)
+$GENERATE 2-254 vpn-${0,3,d}-11	IN	A	172.23.11.$
 ; Point-to-Point
-v400.rt-w13b			IN	A	172.23.96.1
+v400.erx-bk			IN	A	172.23.96.1
 v400.core			IN	A	172.23.96.2
-wg1.erx-rz			IN	A	172.23.97.1
+wg0.erx-rz			IN	A	172.23.97.1
-wg1.rt-w13b			IN	A	172.23.97.2
+wg0.erx-bk			IN	A	172.23.97.2
-wg2.erx-rz			IN	A	172.23.97.5
-wg2.rt-auweg			IN	A	172.23.97.6

roles/dns_intern/templates/dnsdist.conf.j2

@@ -1,27 +0,0 @@
--- {{ ansible_managed }}
-
-setLocal('127.0.0.1')
-addLocal('::1')
-addLocal('{{ ansible_default_ipv4.address }}')
-
--- define downstream servers/pools
-newServer({address='127.0.0.1:5300', pool='authdns'})
-newServer({address='127.0.0.1:5353', pool='resolve'})
-
-{% if dns_secondary is defined %}
--- allow AXFR/IXFR only from slaves
-addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
-{% endif %}
-
--- allow NOTIFY only from master
-addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
-
--- use auth servers for own zones
-addAction('binary.kitchen', PoolAction('authdns'))
-addAction('23.172.in-addr.arpa', PoolAction('authdns'))
-
--- use resolver for anything else
-addAction(AllRule(), PoolAction('resolve'))
-
--- disable security status polling via DNS
-setSecurityPollSuffix('')

roles/dns_intern/templates/pdns.conf.j2

@@ -1,24 +1,10 @@
 # {{ ansible_managed }}
 
-{% if ansible_default_ipv4.address == dns_primary %}
-#################################
-# allow-dnsupdate-from  A global setting to allow DNS updates from these IP ranges.
-#
-# allow-dnsupdate-from=127.0.0.0/8,::1
-allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
-
-#################################
-# dnsupdate	Enable/Disable DNS update (RFC2136) support.  Default is no.
-#
-# dnsupdate=no
-dnsupdate=yes
-{% endif %}
-
 #################################
 # launch        Which backends to launch and order to query them in
 #
 # launch=
-launch=bind,gsqlite3
+launch=bind
 
 #################################
 # local-address Local IP addresses to which we bind
@@ -26,28 +12,18 @@ launch=bind,gsqlite3
 # local-address=0.0.0.0
 local-address=127.0.0.1
 
+#################################
+# local-ipv6    Local IP address to which we bind
+#
+# local-ipv6=::
+local-ipv6=
+
 #################################
 # local-port    The port on which we listen
 #
 # local-port=53
 local-port=5300
 
-{% if ansible_default_ipv4.address == dns_primary %}
-#################################
-# master	Act as a master
-#
-# master=no
-master=yes
-
-{% if dns_secondary is defined %}
-#################################
-# only-notify   Only send AXFR NOTIFY to these IP addresses or netmasks
-#
-# only-notify=0.0.0.0/0,::/0
-only-notify={{ dns_secondary }}
-{% endif %}
-{% endif %}
-
 #################################
 # security-poll-suffix  Domain name from which to query security update notifications
 #
@@ -64,27 +40,7 @@ setgid=pdns
 #
 setuid=pdns
 
-{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
 #################################
-# slave	Act as a slave
+# bind-config   Location of the Bind configuration file to parse.
-#
-# slave=no
-slave=yes
-
-#################################
-# trusted-notification-proxy	IP address of incoming notification proxy
-#
-# trusted-notification-proxy=
-trusted-notification-proxy=127.0.0.1,::1
-{% endif %}
-
-#################################
-# bind-config	Location of named.conf
 #
 bind-config=/etc/powerdns/bindbackend.conf
-
-#################################
-# gsqlite3-database	Filename of the SQLite3 database
-#
-# gsqlite3-database=
-gsqlite3-database=/var/lib/powerdns/pdns.sqlite3

roles/dns_intern/templates/recursor.conf.j2

@@ -3,7 +3,7 @@
 #################################
 # allow-from    If set, only allow these comma separated netmasks to recurse
 #
-# allow-from=127.0.0.0/8
+#allow-from=127.0.0.0/8
 
 #################################
 # config-dir    Location of configuration directory (recursor.conf)
@@ -11,23 +11,29 @@
 config-dir=/etc/powerdns
 
 #################################
-# dnssec	DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate
+# dnssec        DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
 #
-# dnssec=process
+# dnssec=process-no-validate
 dnssec=off
 
+#################################
+# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
+#
+# forward-zones=
+forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
+
 #################################
 # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
 #
-local-address=127.0.0.1
+local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
 
 #################################
 # local-port    port to listen on
 #
-local-port=5353
+local-port=53
 
 #################################
-# query-local-address6	Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
+# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
 #
 {% if global_ipv6 is defined %}
 query-local-address6={{ global_ipv6 | ipaddr('address') }}

roles/docker/tasks/main.yml

@@ -1,10 +1,17 @@
 ---
 
+- name: Enable docker apt-key
+  apt_key: url='https://download.docker.com/linux/debian/gpg'
+
+- name: Enable docker repository
+  apt_repository:
+    repo: 'deb https://download.docker.com/linux/debian buster stable'
+    filename: docker
+
 - name: Install docker
   apt:
     name:
-    - docker.io
+    - docker-ce
-    - python3-docker
+    - docker-ce-cli
-
+    - containerd.io
-- name: Enable docker
+    - python-docker
-  service: name=docker state=started enabled=yes

roles/doorlock/handlers/main.yml

@@ -1,7 +0,0 @@
----
-
-- name: Run acertmgr
-  command: /usr/bin/acertmgr
-
-- name: Restart nginx
-  service: name=nginx state=restarted

roles/doorlock/tasks/main.yml

@@ -1,20 +0,0 @@
----
-
-- name: Ensure certificates are available
-  command:
-    cmd: >
-      openssl req -x509 -nodes -newkey rsa:2048
-      -keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
-      -days 730 -subj "/CN={{ doorlock_domain }}"
-    creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
-  notify: Restart nginx
-
-- name: Request nsupdate key for certificate
-  include_role: name=acme-dnskey-generate
-  vars:
-    acme_dnskey_san_domains:
-    - "{{ doorlock_domain }}"
-
-- name: Configure certificate manager for doorlock
-  template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
-  notify: Run acertmgr

roles/doorlock/templates/certs.j2

@@ -1,18 +0,0 @@
----
-
-{{ doorlock_domain }}:
-- mode: dns.nsupdate
-  nsupdate_server: {{ acme_dnskey_server }}
-  nsupdate_keyfile: {{ acme_dnskey_file }}
-- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
-  user: root
-  group: root
-  perm: '400'
-  format: key
-  action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
-  user: root
-  group: root
-  perm: '400'
-  format: crt,ca
-  action: '/usr/sbin/service nginx restart'

roles/drone/files/drone.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=drone.io server
+After=network-online.target
+
+[Service]
+Type=simple
+User=drone
+EnvironmentFile=/etc/default/drone
+ExecStart=/opt/drone/bin/drone-server
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target

roles/drone/handlers/main.yml

@@ -3,11 +3,11 @@
 - name: Reload systemd
   systemd: daemon_reload=yes
 
-- name: Restart 23b
+- name: Run acertmgr
-  service: name=23b state=restarted
+  command: /usr/bin/acertmgr
+
+- name: Restart drone
+  service: name=drone state=restarted
 
 - name: Restart nginx
   service: name=nginx state=restarted
-
-- name: Run acertmgr
-  command: /usr/bin/acertmgr

roles/drone/tasks/main.yml

@@ -0,0 +1,52 @@
+---
+
+- name: Create user
+  user: name=drone
+
+# TODO install drone to /opt/drone/bin
+# currently it is manually compiled
+
+- name: Configure drone
+  template: src=drone.j2 dest=/etc/default/drone
+  notify: Restart drone
+
+- name: Install PostgreSQL
+  apt:
+    name:
+    - postgresql
+    - python-psycopg2
+
+- name: Configure PostgreSQL database
+  postgresql_db: name={{ drone_dbname }}
+  become: true
+  become_user: postgres
+
+- name: Configure PostgreSQL user
+  postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
+  become: true
+  become_user: postgres
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for drone
+  template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
+  notify: Restart nginx
+
+- name: Install systemd unit
+  copy: src=drone.service dest=/lib/systemd/system/drone.service
+  notify:
+  - Reload systemd
+  - Restart drone
+
+- name: Enable drone
+  service: name=drone enabled=yes

roles/drone/templates/certs.j2

@@ -1,13 +1,13 @@
 ---
 
-{{ bk23b_domain }}:
+{{ drone_domain }}:
-- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
+- path: /etc/nginx/ssl/{{ drone_domain }}.key
   user: root
   group: root
   perm: '400'
   format: key
   action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
+- path: /etc/nginx/ssl/{{ drone_domain }}.crt
   user: root
   group: root
   perm: '400'

roles/drone/templates/drone.j2

@@ -0,0 +1,10 @@
+DRONE_AGENTS_ENABLED=true
+DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
+DRONE_DATABASE_DRIVER=postgres
+DRONE_GITEA_SERVER=https://{{ gitea_domain }}
+DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
+DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
+DRONE_RPC_SECRET={{ drone_secret }}
+DRONE_SERVER_HOST={{ drone_domain }}
+DRONE_SERVER_PROTO=https
+DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

roles/drone/templates/vhost.j2

@@ -0,0 +1,31 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ drone_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ drone_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ drone_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
+
+	location / {
+		client_max_body_size 128M;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_pass http://localhost:8080;
+	}
+}

roles/drone_runner/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Run runner container
+  docker_container:
+    name: runner
+    image: drone/drone-runner-docker:1
+    env:
+      DRONE_RPC_PROTO: "https"
+      DRONE_RPC_HOST: "{{ drone_domain }}"
+      DRONE_RPC_SECRET: "{{ drone_secret }}"
+      DRONE_RUNNER_CAPACITY: "2"
+      DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
+      DRONE_UI_USERNAME: "admin"
+      DRONE_UI_PASSWORD: "{{ drone_uipass }}"
+    ports:
+    - "3000:3000"
+    restart_policy: unless-stopped
+    state: started
+    volumes:
+    - "/var/run/docker.sock:/var/run/docker.sock"

roles/event_web/files/certs

@@ -1,15 +0,0 @@
----
-
-eh21.easterhegg.eu engel.eh21.easterhegg.eu:
-- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
-  user: root
-  group: root
-  perm: '400'
-  format: crt,ca
-  action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
-  user: root
-  group: root
-  perm: '400'
-  format: key
-  action: '/usr/sbin/service nginx restart'

roles/event_web/files/vhost

@@ -1,68 +0,0 @@
-server {
-	listen 80;
-	listen [::]:80;
-
-	server_name eh21.easterhegg.eu;
-
-	location /.well-known/acme-challenge {
-		default_type "text/plain";
-		alias /var/www/acme-challenge;
-	}
-
-	location / {
-		return 301 https://eh21.easterhegg.eu$request_uri;
-	}
-}
-
-server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name eh21.easterhegg.eu;
-
-	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
-	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
-
-	root /var/www/eh21;
-}
-
-server {
-	listen 80;
-	listen [::]:80;
-
-	server_name engel.eh21.easterhegg.eu;
-
-	location /.well-known/acme-challenge {
-		default_type "text/plain";
-		alias /var/www/acme-challenge;
-	}
-
-	location / {
-		return 301 https://engel.eh21.easterhegg.eu$request_uri;
-	}
-}
-
-server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name engel.eh21.easterhegg.eu;
-
-	ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
-	ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
-
-	root /var/www/engel/public;
-
-	index index.php;
-
-	location / {
-		try_files $uri $uri/ /index.php?$args;
-	}
-
-	location ~ \.php$ {
-		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
-		fastcgi_index index.php;
-		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-		include fastcgi_params;
-	}
-}

roles/event_web/meta/main.yml

@@ -1,5 +0,0 @@
----
-
-dependencies:
-- { role: acertmgr }
-- { role: nginx, nginx_ssl: True }