Compare commits

..

No commits in common. "master" and "master" have entirely different histories.

320 changed files with 3935 additions and 12596 deletions

View File

@ -1,69 +1,11 @@
# Binary Kitchen Ansible Playbooks # Binary Kitchen Ansible Playbooks
This repository contains the roles to setup most of the infrastructure related to the hackspace Binary Kitchen. This repository contains the roles to setup most of the infrastructure related to the hackerspace Binary Kitchen.
## Usage ## Using
To apply the current set of roles to a single host you can type: `ansible-playbook site.yml -l $hostname` TBA
It is recommenced to alway run in check mode (`--check`) first and use `--diff` to see what has been (or would be) changed ## Style / Contributing
TBA/TBD
## Current setup
Currently the following hosts are installed:
### Internal Servers
| Hostname | OS | Purpose |
| ------------------------- | --------- | ----------------------- |
| wurst.binary.kitchen | Proxmox 8 | VM Host |
| salat.binary.kitchen | Proxmox 8 | VM Host |
| weizen.binary.kitchen | Proxmox 8 | VM Host |
| bacon.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aveta.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| aeron.binary.kitchen | Debian 12 | DNS, DHCP, LDAP, RADIUS |
| sulis.binary.kitchen | Debian 12 | Shell |
| nabia.binary.kitchen | Debian 12 | Monitoring |
| epona.binary.kitchen | Debian 12 | NetBox |
| pizza.binary.kitchen | Debian 11 | OpenHAB * |
| pancake.binary.kitchen | Debian 12 | XRDP |
| knoedel.binary.kitchen | Debian 12 | SIP-DECT OMM |
| bob.binary.kitchen | Debian 12 | Gitea Actions |
| lasagne.binary.kitchen | Debian 12 | Home Assistant * |
| tschunk.binary.kitchen | Debian 12 | Strichliste |
| bowle.binary.kitchen | Debian 12 | Files |
| lock-auweg.binary.kitchen | Debian 12 | Doorlock |
\*: The main application is not managed by ansible but manually installed
### External Servers
| Hostname | OS | Purpose |
| ----------------------------- | --------- | ----------------------- |
| helium.binary-kitchen.net | Debian 12 | LDAP Master |
| lithium.binary-kitchen.net | Debian 12 | Mail |
| beryllium.binary-kitchen.net | Debian 12 | Web * |
| boron.binary-kitchen.net | Debian 12 | Gitea |
| carbon.binary-kitchen.net | Debian 12 | Jabber |
| nitrogen.binary-kitchen.net | Debian 12 | NextCloud |
| oxygen.binary-kitchen.net | Debian 12 | Shell |
| fluorine.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
| neon.binary-kitchen.net | Debian 12 | Auth. DNS |
| sodium.binary-kitchen.net | Debian 12 | Mattrix |
| magnesium.binary-kitchen.net | Debian 12 | TURN |
| aluminium.binary-kitchen.net | Debian 12 | Web (div. via Docker) |
| krypton.binary-kitchen.net | Debian 12 | PartDB * |
| yttrium.binary-kitchen.net | Debian 12 | Hintervvoidler * |
| zirconium.binary-kitchen.net | Debian 12 | Jitsi |
| molybdenum.binary-kitchen.net | Debian 12 | Telefonzelle * |
| technetium.binary-kitchen.net | Debian 12 | Event CTFd * |
| ruthenium.binary-kitchen.net | Debian 12 | Minecraft * |
| rhodium.binary-kitchen.net | Debian 12 | Event pretix |
| palladium.binary-kitchen.net | Debian 12 | Event pretalx |
| argentum.binary-kitchen.net | Debian 12 | Event Web * |
| cadmium.binary-kitchen.net | Debian 12 | Event NetBox * |
| indium.binary-kitchen.net | Debian 12 | Igel CAM * |
| barium.binary-kitchen.net | Debian 12 | Workadventure |
\*: The main application is not managed by ansible but manually installed

View File

@ -1,6 +1,5 @@
[defaults] [defaults]
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time. ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
interpreter_python = auto
inventory = ./hosts inventory = ./hosts
nocows = 1 nocows = 1
remote_user = root remote_user = root

View File

@ -5,14 +5,6 @@ acertmgr_mode: webdir
acme_dnskey_file: /etc/acertmgr/nsupdate.key acme_dnskey_file: /etc/acertmgr/nsupdate.key
acme_dnskey_server: neon.binary-kitchen.net acme_dnskey_server: neon.binary-kitchen.net
authentik_domain: auth.binary-kitchen.de
authentik_dbname: authentik
authentik_dbuser: authentik
authentik_dbpass: "{{ vault_authentik_dbpass }}"
authentik_secret: "{{ vault_authentik_secret }}"
bk23b_domain: 23b.binary-kitchen.de
coturn_realm: turn.binary-kitchen.de coturn_realm: turn.binary-kitchen.de
coturn_secret: "{{ vault_coturn_secret }}" coturn_secret: "{{ vault_coturn_secret }}"
@ -22,12 +14,19 @@ dns_axfr_ips:
dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}" dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
drone_admin: moepman
drone_domain: drone.binary-kitchen.de
drone_dbname: drone
drone_dbuser: drone
drone_dbpass: "{{ vault_drone_dbpass }}"
drone_uipass: "{{ vault_drone_uipass }}"
drone_secret: "{{ vault_drone_secret }}"
drone_gitea_client: "{{ vault_drone_gitea_client }}"
drone_gitea_secret: "{{ vault_drone_gitea_secret }}"
dss_domain: dss.binary-kitchen.de dss_domain: dss.binary-kitchen.de
dss_secret: "{{ vault_dss_secret }}" dss_secret: "{{ vault_dss_secret }}"
fpm_status_user: admin
fpm_status_pass: "{{ vault_fpm_status_pass }}"
gitea_domain: git.binary-kitchen.de gitea_domain: git.binary-kitchen.de
gitea_dbname: gogs gitea_dbname: gogs
gitea_dbuser: gogs gitea_dbuser: gogs
@ -35,20 +34,11 @@ gitea_dbpass: "{{ vault_gitea_dbpass }}"
gitea_secret: "{{ vault_gitea_secret }}" gitea_secret: "{{ vault_gitea_secret }}"
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}" gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
hedgedoc_domain: pad.binary-kitchen.de hackmd_domain: pad.binary-kitchen.de
hedgedoc_dbname: hedgedoc hackmd_dbname: hackmd
hedgedoc_dbuser: hedgedoc hackmd_dbuser: hackmd
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}" hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
hedgedoc_secret: "{{ vault_hedgedoc_secret }}" hackmd_secret: "{{ vault_hackmd_secret }}"
icinga_domain: icinga.binary.kitchen
icinga_dbname: icinga
icinga_dbuser: icinga
icinga_dbpass: "{{ vault_icinga_dbpass }}"
icinga_server: nabia.binary.kitchen
icingaweb_dbname: icingaweb
icingaweb_dbuser: icingaweb
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
jitsi_domain: jitsi.binary-kitchen.de jitsi_domain: jitsi.binary-kitchen.de
jitsi_admin_email: exxess@binary-kitchen.de jitsi_admin_email: exxess@binary-kitchen.de
@ -68,29 +58,16 @@ mail_domain: binary-kitchen.de
mail_domains: mail_domains:
- ccc-r.de - ccc-r.de
- ccc-regensburg.de - ccc-regensburg.de
- eh21.easterhegg.eu
- makerspace-regensburg.de - makerspace-regensburg.de
mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}" mail_postsrsd_secret: "{{ vault_mail_postsrsd_secret }}"
mail_server: mail.binary-kitchen.de mail_server: mail.binary-kitchen.de
mailman_domain: lists.binary-kitchen.de mailman_domain: lists.binary-kitchen.de
mail_trusted: mail_trusted:
- 213.166.246.0/28 - 213.166.246.0/28
- 213.166.246.37/32
- 213.166.246.45/32
- 213.166.246.46/32
- 213.166.246.47/32
- 213.166.246.250/32 - 213.166.246.250/32
- 2a02:958:0:f6::/124 - 2a02:958:0:f6::/124
- 2a02:958:0:f6::37/128
- 2a02:958:0:f6::45/128
- 2a02:958:0:f6::46/128
- 2a02:958:0:f6::47/128
mail_aliases: mail_aliases:
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
- "bbb@binary-kitchen.de boehm.johannes@gmail.com"
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
- "epvpn@binary-kitchen.de noby@binary-kitchen.de" - "epvpn@binary-kitchen.de noby@binary-kitchen.de"
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
- "info@binary-kitchen.de vorstand@binary-kitchen.de" - "info@binary-kitchen.de vorstand@binary-kitchen.de"
- "lebercast@binary-kitchen.de anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de" - "lebercast@binary-kitchen.de anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
- "loetworkshop@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de" - "loetworkshop@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
@ -98,15 +75,12 @@ mail_aliases:
- "openhab@binary-kitchen.de noby@binary-kitchen.de" - "openhab@binary-kitchen.de noby@binary-kitchen.de"
- "orga@ccc-r.de orga@ccc-regensburg.de" - "orga@ccc-r.de orga@ccc-regensburg.de"
- "orga@ccc-regensburg.de anti@binary-kitchen.de" - "orga@ccc-regensburg.de anti@binary-kitchen.de"
- "paypal@binary-kitchen.de ralf@binary-kitchen.de" - "paypal@binary-kitchen.de timo.schindler@binary-kitchen.de"
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de" - "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
- "pretalx@binary-kitchen.de moepman@binary-kitchen.de"
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de" - "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
- "seife@binary-kitchen.de anke@binary-kitchen.de" - "seife@binary-kitchen.de anke@binary-kitchen.de"
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de" - "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
- "therapy-jetzt@binary-kitchen.de darthrain@binary-kitchen.de" - "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,timo.schindler@binary-kitchen.de,zaesa@binary-kitchen.de"
- "vorstand@binary-kitchen.de anke@binary-kitchen.de,christoph@schindlbeck.eu,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de" - "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de" - "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de" - "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
@ -119,45 +93,26 @@ mail_aliases:
- "voucher10@binary-kitchen.de exxess@binary-kitchen.de" - "voucher10@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher11@binary-kitchen.de exxess@binary-kitchen.de" - "voucher11@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de" - "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher13@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher14@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher15@binary-kitchen.de exxess@binary-kitchen.de"
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de" - "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
- "tickets@eh21.easterhegg.eu orga@eh21.easterhegg.eu"
- "hackzuck@eh21.easterhegg.eu kekskruemml@binary-kitchen.de"
matrix_domain: matrix.binary-kitchen.de matrix_domain: matrix.binary-kitchen.de
matrix_dbname: matrix matrix_dbname: matrix
matrix_dbuser: matrix matrix_dbuser: matrix
matrix_dbpass: "{{ vault_matrix_dbpass }}" matrix_dbpass: "{{ vault_matrix_dbpass }}"
mc_domain: minecraft.binary-kitchen.de nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
netbox_domain: netbox.binary.kitchen nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
netbox_dbname: netbox
netbox_dbuser: netbox
netbox_dbpass: "{{ vault_netbox_dbpass }}"
netbox_secret: "{{ vault_netbox_secret }}"
nextcloud_domain: oc.binary-kitchen.de nextcloud_domain: oc.binary-kitchen.de
nextcloud_dbname: owncloud nextcloud_dbname: owncloud
nextcloud_dbuser: owncloud nextcloud_dbuser: owncloud
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}" nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
omm_domain: omm.binary.kitchen plk_domain: plk-regensburg.de
plk_dbuser: plkdbuser
pretalx_domain: fahrplan.eh21.easterhegg.eu plk_dbname: plkdb
pretalx_dbname: pretalx plk_dbpass: "{{ vault_plk_dbpass }}"
pretalx_dbuser: pretalx
pretalx_dbpass: "{{ vault_pretalx_dbpass }}"
pretalx_mail: pretalx@binary-kitchen.de
pretix_domain: pretix.events.binary-kitchen.de
pretix_domainx: tickets.eh21.easterhegg.eu
pretix_dbname: pretix
pretix_dbuser: pretix
pretix_dbpass: "{{ vault_pretix_dbpass }}"
pretix_mail: pretix@binary-kitchen.de
prometheus_pve_user: prometheus@pve prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}" prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@ -171,6 +126,8 @@ pve_targets:
radius_secret: "{{ vault_radius_secret }}" radius_secret: "{{ vault_radius_secret }}"
rocketchat_domain: chat.binary-kitchen.de
root_keys: root_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
@ -178,25 +135,3 @@ root_keys:
slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+" slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
slapd_root_pass: "{{ vault_slapd_root_pass }}" slapd_root_pass: "{{ vault_slapd_root_pass }}"
slapd_san: ldap.binary.kitchen slapd_san: ldap.binary.kitchen
sssd_base_group: ou=groups,dc=binary-kitchen,dc=de
sssd_base_user: ou=people,dc=binary-kitchen,dc=de
strichliste_domain: tschunk.binary.kitchen
strichliste_dbname: strichliste
strichliste_dbuser: strichliste
strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
therapy_domain: therapy.jetzt
therapy_secret: "{{ vault_therapy_secret }}"
vaultwarden_domain: vault.binary-kitchen.de
vaultwarden_dbname: vaultwarden
vaultwarden_dbuser: vaultwarden
vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
vaultwarden_token: "{{ vault_vaultwarden_token }}"
vaultwarden_yubico_secret: "{{ vault_vaultwarden_yubico_secret }}"
workadventure_domain: wa.binary-kitchen.de
zammad_domain: requests.binary-kitchen.de

View File

@ -1,110 +1,59 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
35346137343735356637663033653465666664363730663138663936636632306566313836643132 37303932343462623335393066643531373533636435356462326537373532613534353266396435
6633663564393937323035363563326465366364373961310a643132653066323938333863626264 3636666364306637306266393933383963633032383265650a656563303332303134323135353239
66656663646164633538396132363231373430636134313632333834633435336331396338623933 34633863333930316564633632313939643664373163373833636139366537646530383736343130
3832343264356539390a313937393535623838356465313530303836346164313261613537366430 6239373931306234620a353966346262646538306631656461613431636230333430663931643933
64393533613662376466363462643262643433663839393166613938616462663732346234363436 31316362353439393838363666613932313635313864333135636530653238653162353033356437
66663837333861303530373036363536376239633764356461303534626233343861343135353234 33353063363639346266313631393463623864636133623264613865336536613536343365386230
61356362353635343737356430666536636339306630613263613933356330366132356661343566 65396263393862626139396430623134316632313637623631623762656139623664356331623066
33306437666461656339653131633537643931333164396463623433633263633139366565636362 30323430613963313162616135303164663364336634326533346438373635366238356531613461
35306339333631623036386134373839303739373230636164653137393439633530366163613636 30333736633965333163616437303566666239313962353531393530613265363833396136646262
65326635396135313530366161373438623365356437353234343537393033356135623862393033 62633662666532396535316361303934613138373365633161393664313234663533363736323335
62643033656331373435316665313933653835653663376432366461363261303131623237623663 38613762376234663564333333386265633138613839636132346638313430653639636339336239
33363238663963363963326531386137613564633338653466393436663438313231313466323433 38633564333831326331326166666362353364303933393532643936313564386565643162623435
32323934343462333264646137366461303333363165303433663130326437353236653336623266 36356437356631666137323039316430656566613436623062656562666139383635653039636463
30653930616465313930303961383538376662386331663430613064306366323035663431656461 35393438323765303431333737356339343730303531333834306239366533393537626239376163
61623735336162636662616232346637653566306433316237613762623133323236353533623833 31663332343136323264376234363264343136623365383833666638656531306362663462383033
61306630376231643266663732343565386465373066643339633136643961656161393738373862 31633838643562613762363634653865353361303666363139636337386439626235336462653036
33353162656331363563343234303538383763303736393661333831366436633533656265343930 30376461643839313665383430386534656265626139313034646438323861653530383637316139
38616462363238613464386439663830663264646133633631646166346130663464633333333730 35313539636137303561646564616362313435666262343137616263396465356434363862323137
33653231303636653638323136663066666465353532383331663163626237656265656463393139 38626464383039386139343665363538326539613837366437623362336639336133323463666235
64363465663732343930613931313363336633363335383564626366383537376634363461616163 36346333356434363838363634343233323363333762653264333062656133623434666162356433
39393630343531313638363230656634623836396366326530616637363334313961366233306233 37623862653862643335333931663063623166353534636430323230663838653532356335306632
35633961303661376663643339613835633563336361646137353466366436373263363138663563 33646265343834363839653565326538353930663061376461646534386637376234646264343933
62356365616664353131663764303730643361613038663833373834336132306265376436616464 65653763343236653630396238333232633461663333646531323337626235396231383931663264
38383937626439303362636432363936313930313339366565353034313339663536373138376438 34363564366134663036643332346238373639646336396261316133326235636265323636663335
34366637363838623064633765653134383230656565373263356164326661326133353634636536 35363537346466396432396162383131306438396431336138666663633132646662316165643333
31383961343066306437623031386461643430326134646537613366623131353161353335313664 64633434623166343262623038623431343631333962663566303566393761653536303638643037
61633834656438366331653966373131656634303135373630363762313765316364343837663431 63363963306139336235363537396432383131303763643966313937353537333739393031616439
32373438616561333634343436366638353439363563656331333263653061613231303733633134 35343361646234663062633631323238656137373464386561656439313636613630323632616332
66386563346535646339303039353962363762663164386436626632623465363833323434343066 39346239666266623038363066643865373762633532323431373431373165643662663661633365
63626466653162616164323831336165646136613530383063353232333464333234316435386266 35353361383339623535336362313430616139396561623934346264323462663663383566393165
62333535373131666434626261333335663762346663313630643136383835376663636136363933 35366637313861386465333530613530623832643333616538336436356134313832306139336361
33623237666537613164623362396537396163373437633537376435356638653533613939663734 32393162373235356236343332363038393631626534643237383232323735633265333562633231
66626564633435663164616365313339386232386562636461653262363332393536353138393730 61613164363962323236666365353830346664643263393532343562383736336535353364343638
33323464376666663236366134366436313237666635356565346235363630363265343535356233 62386465323331653565306234646664393164666334383765336630346438633636353264636138
35653163663962316336323931356436366439653835346138623966366436373066303932346637 31316231326236313839353465353230353935363330393035373234393039386134366534653636
31393932343136633239663238363337626266623163316165646533333363393038383038316664 63323730383931353763383739393330316335373563393039366166313031373664636335363363
34363739613234666466353163643236356238353831636163393763336261353831313136653963 38363131363565326431636361316562313037373664306333313366646336333162663664306539
33636265383634393332373031306261363764303730633466616432316433656166393035653737 64636530363561393037373766383937616435313333653836363835383231633130396133663635
30643231616334366231333761633461653338653633663564643938616163663532333639353830 36613531323732623264646666656139333766656562623430313964366236373663626135383437
64383761306138303736643962386235353366333832616138306237393738396230303633333132 31643663663637613762313465656636396264623362643538323166356636303430613133383664
31373362323261303362613336333130626364646561653335373639333262663735376437376433 66383332326437333638663562376665386237313533303437623765353661393561373338636130
36386236343233373631303633626363336665656131633862633363326233636636373832353937 30383665333366643331366536646330633133643566393962633164643563613536363434393234
39303237393632363337396362323936646333376439373031626330343139373636333062383138 66323931316535353632356432373262623962616264383430623436303637616165386433326231
33333137623066303961376137613361313831636631663865343863633735366433643165643035 38633730636633643634343833313964653530663034333063313334636134646634363437346161
39373565396561326362376435666539386263666635363664633833336536366466613163323134 32613061363032383732323263303830363532326239316538393739313730383530633862313039
39653239653935346262656333306635646535626563323130663838313564383165393961346161 37653865303932313635656332663039376331393161623731623039653865623436363061626538
39616439376435613535336434343364343066353863626363613765303862306663373730346539 32383934613335363534666461343135303235373262343634306130633536323839393139346662
39363136393463333538323266633235643963363663323265313738633037303862633265353236 31623265323138353963623938616665383765366230656461383835346230346261623866366630
64343361316437623732366163326633346462343332333735333936633266623832633939626362 65303965353432386136373562306434623739666262356663656266346439356435613362333563
32333035613963666530663335656562393465323063336330383535326565346536393731333165 34366539353366346636376662363837303332373866323434366261326164633033353930383038
30373733343136306532636666313338626434313334303933636238643034386438386364663932 36666433656365366663326163343034306439653262353733323232373133386436333637346563
35313134633532373466363132623632376666396161333064376538616137656163663633653064 32626533336530633731336631333334353366306538663936643637346335303965626631316562
66623633343939306638643132386139303761646364656163326263313066616535623234323361 33333061656234393661363766663630316662613764333231326434383465666234653238393965
37396366663734373334386131663161346461383938313263346537353836366264616164636262 31636561396665383063613433653837363634623337623330666466353532633434383864343464
64376535373431376465386165613765653732303461356565623965346334376564343439386164 38303436306165353433356536326466306530373635616531393462666336666435633235613937
30393664353461623965303265393338353366616164633739383434623834306166376631643330 37343832333864643636366632623062363234633365326635386663376439383332306333653161
31303866306561366132333532396135653261613935623537366562313433396436343666386535 34353830396165366534313334616161323461613066383561343563393330613464373862623062
37323861343462396163333431663137643232393865643238316338323735366637643666343735 3536303066343262636636393861313539616636643339353562
30663334326332616361623662653133383536326635626434383830633434366330313731356531
30366562613532643334613430313737633266343237373765366238313833656463646462613666
32393734356638633966643133383961613332623331633634646439353338303266393366323564
36353032383030623163323065653833656330363466336466656562373034653061346163366238
33346534313633333134356665656462346234393230323132626661666362373566383036653937
66366266333934343263326433326163373730383361653262633966333135316437633835303665
66663430363039633464636531326135616563636131656265356438313633306236653431656664
30343733313638363237343131626538643932373931623136323862646366623362306365616131
37303966343562313730653763633564336435336362656262363735393966633135376236616163
39626637393865643338623863346666333764616430383038303434626164653861346433333764
61386131303764383137616334363866363363313165366339636530393362396135306265303464
63333030306338346633633863306238333334393562373662663562313733643432396462313131
65333661343031656263623230346230353266303261646131303731636466303863323466356232
63383835316161306431663962343966366338323138383632326533646461326232356133356265
39636434376436363439376230633237366536653561616264613665656635636532623330353466
65366132646536316131323038313263333961656430343661303664366266313861343463303364
32303662393433353462346464393931393637316537623061343635353938663765646234323431
38643531653132633763666663623637373431653731383037346262646332393864643431363338
32343963623364613538656338336365343265383262656139643934333037383930376564343636
33623835663035313839656333613833396635646537616464376138663262346564383834643933
30383039633164353730656339616436343330333134323136646664393764343163313536373261
31646164656166376232653034363864623161326564303337636534653762336337346335373238
64373062306165616162666362326531643964656366653037663163363964653462346633666434
35303638623239353934636332373562343962393531346132303032623334333335373734643034
64646361373066316134613635666435306235313632633633643864373261643065303937323639
65383663626338303134613532623763626430623864313930366463663632313130383033633831
66613531623534336461393764623237383231333133336638313637306439633361353039613938
30613562393635646235336330633933336233363735346534633266633730346236353265333464
39613132306232653639326336643662353461356439623233316465316232396366616531396464
63626462383639353434316364363164376639363264646530323038373439643132343264643231
32656465366265383630626332613636336632656136333330643937633630396663626632333930
61623661633666316630616632633832613231386235653434663964316533306233383539343637
38663431666230653736326531353934396562656161616462383466353637363732616636373033
39643438356632306431386235333532326463646161616466646634633163366233363362343563
34393631343733326363363737623638383939353266343262633232336633386233346436393333
31646161613464623137353939613437623835316531343336323833653437363563363462633536
36313230363131373233623731636363313034366665633737346134366666393634386637626563
36376135373330396664616435353539333439306434313933333235646363313262336163386263
65353361363066363234353336623466393331326332316530356636343865663137313737313830
35633563343064333565373463343234393732333735363963333336646561393764316462643466
36653162343239373038336134393532386363333638383831333834373030633138633530353336
63376334666632323130633136613230306135336231666635363036633066323863346138643330
33623462653638656237646634623431313664336636366330626135653730323239323462383262
39326431386235363034386138653665353136356536373838636336626430623164353761636662
32623363663163633433623833633665313662636264656662373061356336383965303731313431
34373332616336303062363564656137383463353836303134363434356265393361346365343630
32613933633139643637363136623863663962356166336134656464613362363130333930356230
63626365353266383137643263636163613932343333363632333936613831616465646437656465
35636534363461336332626134346239656238643561313935363366343462333639633937303664
64323739643562343234333739353334663834626438386432663737653366633466666362643138
64313536306363653562623536646261313639333266643336613932363835356665

View File

@ -1,16 +0,0 @@
---
dhcpd_failover: false
dhcpd_primary: 172.23.13.3
dns_primary: 172.23.13.3
doorlock_domain: lock-auweg.binary.kitchen
name_servers:
- 172.23.13.3
ntp_servers:
- 172.23.12.61
radius_cn: radius.binary.kitchen

View File

@ -4,9 +4,6 @@ dhcpd_failover: true
dhcpd_primary: 172.23.2.3 dhcpd_primary: 172.23.2.3
dhcpd_secondary: 172.23.2.4 dhcpd_secondary: 172.23.2.4
dns_primary: 172.23.2.3
dns_secondary: 172.23.2.4
name_servers: name_servers:
- 172.23.2.3 - 172.23.2.3
- 172.23.2.4 - 172.23.2.4

View File

@ -1,9 +0,0 @@
---
radius_hostname: radius3.binary.kitchen
slapd_hostname: ldap3.binary.kitchen
slapd_replica_id: 3
slapd_role: slave
uau_reboot: "false"

View File

@ -1,6 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyGAePGA47K+VNFcKdvcQG3xM3ywcnrVtUD7wPrIin1 christoph"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINIhrQu5sf9LYoQ6ll1ShqDMX8xpsV9RUiaSw95JGafH flo@io3"

View File

@ -3,5 +3,4 @@
radius_hostname: radius2.binary.kitchen radius_hostname: radius2.binary.kitchen
slapd_hostname: ldap2.binary.kitchen slapd_hostname: ldap2.binary.kitchen
slapd_replica_id: 2
slapd_role: slave slapd_role: slave

View File

@ -1,11 +1,9 @@
--- ---
ntp_server: true
ntp_servers: ntp_servers:
- ptbtime2.ptb.de - ptbtime2.ptb.de
- ntp1.rrze.uni-erlangen.de - ntp1.rrze.uni-erlangen.de
- rustime01.rus.uni-stuttgart.de - ntps1-0.cs.tu-berlin.de
ntp_peers: ntp_peers:
- 172.23.1.60 - 172.23.1.60
@ -13,7 +11,4 @@ ntp_peers:
radius_hostname: radius1.binary.kitchen radius_hostname: radius1.binary.kitchen
slapd_hostname: ldap1.binary.kitchen slapd_hostname: ldap1.binary.kitchen
slapd_replica_id: 1
slapd_role: slave slapd_role: slave
uau_reboot: "false"

View File

@ -1,2 +0,0 @@
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

View File

@ -1,5 +1,5 @@
--- ---
root_keys_host: root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

View File

@ -1,8 +0,0 @@
---
nfs_exports:
- /exports/backup/bk 172.23.1.60(rw,sync,no_subtree_check)
- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
uau_reboot: "false"

View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"

View File

@ -1,5 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCNBY95YcFFBeiHM3IDzqKT/X/U09bpAWXwkCWIg6KlZumZg891apx6a0HLDannoBt7YCyYFgl3c1eJ36D08tRcy5c5k/+8Xhq0hq/HWo3EV5sd6Y+8xeTRST6Um8nyxHoSI7xw79yRoteOUDIzPnmDtbLQ2z3vWkA/H1EZQ4IjeQgFhl9vl4EyuAJ47Cdlv1D870BDspgAEoxSbipQEEnPsIctdyySp1R/sNC5tuP6qaoQ6nIDFdgv5rcY8SmgJQ2otlGex18RSBObBjdfyepV71mluqfs6HtVsM9zDvRUwY/FX4wmVc4QPdPLh/2kzEZi0YzefB10tpsuvhaOFI8JqXBDuSFZh3xCzRmKRlmqn50jrvGkYGUWg/GNYNF2rLCltCzg3BJHGaFh9sOtjaKLW+hTJwDtz4LIqNZb6w/2586hzjGCrrZgN24eLEcdp7iTPnkCul+kgOZaa62ytdKjza6/tgKCeUaEwmJTBuKMp/hor/LdLeibYgTtqUoFB7j1Ti2ey7oHly1oiSaKcR/hChgx0sniltRmzJI7KLuUiF+xkpv5Kf4rGl7UjvVxyf3glNh5DL87CfeWkGF3dgsjJdfYIHVJz/Bf6x0aB2TyybF8Exm0R05dhMT6ahZqMqa5d/aUZN+S3MaXw2amHWbMe8VcFpu/AztqrQM8sM+Mw== sprinterfreak"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

View File

@ -2,4 +2,3 @@
root_keys_host: root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

View File

@ -1,11 +0,0 @@
---
root_keys_host:
- "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "false"

View File

@ -1,5 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

View File

@ -1,3 +0,0 @@
---
acertmgr_mode: standalone

View File

@ -4,4 +4,3 @@ grafana_domain: zelle.binary-kitchen.de
root_keys_host: root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti" - "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

View File

@ -3,5 +3,3 @@
root_keys_host: root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
nginx_anonymize: True

View File

@ -1,4 +1,3 @@
--- ---
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys" uau_reboot: "false"
sshd_password_authentication: "yes"

View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

View File

@ -4,7 +4,8 @@ root_keys_host:
- "# Thomas Basler" - "# Thomas Basler"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q==" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q=="
- "# Ralf Ramsauer" - "# Ralf Ramsauer"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bKOm2jd2QsPaJPE4V3bHBLjXB3pnpggkdEhf03aFvB08C72vKQcHpIYNhp8DLBr4N5epA0JP1cXdRSdKhQgzYbqL8CQgOJoNwf0OeOhFyXdThu1OqmaRMrRGlB/Q+sqBEXaknHqcXzq+24zkR+ID7sGkq7WaIKPln0qNY5RxWYrPE98ZhU5fZh1Qorcv34UBHYhVP4y8vM43LHcbkLgr0gg9tb2vItF6YvyIxgtz6KCODObzBZfkLLnVhVcb9VWbDh72rIz4OXI1fl+mCCH2l7XlqKP1vhF5LVsUjPcGY3Go0fw2vHIyxWe479OJ/9elFnKRIUY/f1Xz+YikLTmj ralf@YUBIKEY"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
- "# Thomas Schmid" - "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

View File

@ -2,6 +2,6 @@
root_keys_host: root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay"
uau_reboot: "false" uau_reboot: "false"

View File

@ -0,0 +1,4 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkN1eqP1Mv29z0npVznVJ4Cumyf4EoqS44xHKl0ms0e timo@charon"

View File

@ -1,4 +0,0 @@
---
sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
sshd_password_authentication: "yes"

View File

@ -1,5 +1,4 @@
--- ---
root_keys_host: root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMLLlnlzbf5GTes2QrxuOTAR0BWTtbqQS80yPfI0mbh timo@styx" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcoIXTF0RtzM2vDir8axegFpLKNxGJyYNLj2triQm59GIvNRPHG/nBoaDcUwRT5b6Ew91KMw6iT1eI0n9oKbTMHZHvdSLLUmNmZT4z4JQOQm0n415ZW9m1r3R3S8sAxiLQ+5U91xnbHlzfuBKvpI56RLZNbkhAcqw9kS/UasO0UAFpdGL5CBnbJt0KPb4C9cYUM6H4clZFpWVDdK3+6gh+/Jx9QPmpPv0wfWI7z0fvQYUcXDFLjPh8CFK7BOcPZcv4V4bl5Tq1dTURMLaueTD0F5Ygn7cxKaDNvql4EIPDZaRCEz3cIvFB7435emRgZC54YmhWIYC+oJrLTlMCrYKhISLtWg92EcE/aCUNL0V+n1EK5dkds+AY/eDiyP58ArAHNsopXmcHiko3goyZyEK5Y0tJ5sA9L4Q0mgLz/rW1CsZHcpiYU9yKpDRscbf3DDlFMzMYG8O9JufgcyF+GFhxIhXesfjJ4gDNepaYhd/qutwThip027cKtoczLAMR2xbT6bUYr7KKmxvXVlP7Epkfi3N2cj/Wx9gAm1qIs1yjcWCe71k1QMC+dTNTV+T9Ch5d1lji7lGOKDl70rB/WytdISVlEJr8TviBk27oldCuC1WCPGjRxWeGv5uVxE9O7nQh0dxox+HFssa7ENuDR9LEd9O6Zvuf09pzDASB0PjFyw== bedah@binary-kitchen.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7oyUa65KoSuv9l8tH/zVgZZ5mg5P45RIhlRZSt/amL x70b1"

View File

@ -1,7 +0,0 @@
---
root_keys_host:
- "# Thomas Schmid"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "true"

View File

@ -1,8 +0,0 @@
---
ntp_server: true
ntp_servers:
- ptbtime1.ptb.de
- ntp1.rrze.uni-erlangen.de
- rustime01.rus.uni-stuttgart.de

View File

@ -1,11 +1,9 @@
--- ---
ntp_server: true
ntp_servers: ntp_servers:
- ptbtime1.ptb.de - ptbtime1.ptb.de
- ntp1.rrze.uni-erlangen.de - ntp1.rrze.uni-erlangen.de
- rustime01.rus.uni-stuttgart.de - ntps1-0.cs.tu-berlin.de
ntp_peers: ntp_peers:
- 172.23.2.3 - 172.23.2.3

View File

@ -1,6 +1,5 @@
--- ---
root_keys_host: root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtTJqeSsB+aRiQ2WeFLVA5dz5YfCuv2TZmsyFqZ8NefJH/ZP3+gud3DwBq4l9HbDJUbfvApLQ9qbwaX0VhBv67mM6f4sWNG8uUW+9MYd6ZTeP3KUwZIHM52nqMFe5XScADL4s8Jsnb08gVp9xdcdufsbiLNYfuNFk+wcwRYtD5eqXZi3oaqshlq61LfBeC958vzvceDrZ2obfCJJ2pvmhUyORvgb6jXfx3kZku5qgk6m9NfyY95UZvSweDZPiN5YqLYekz+jxrYDyeA0DPgwlTcyGn8JI9/HkAD/odTpTAH+T6sbf0OkUi7ufNElAXvxDOJZN8NhxPFfUAW9naTYwGoPd4OJw0AOVLzKcVIjEXKtrxeQ0NOZVoucLFgnXO4iDZGrVHohPVj1UbrVpF00lokBLz1Xh4egrNw0g2Gt28HmZ9lg5Ymv8jJWAy87r5wV0O6aIuseGkSr/V6+92AGK/Yy1tKhZujtv5+CvVVBrLvoOnJJh8vFoVuRM+ucLBhqpewDY2yHZHzQ3J5SZKJ30mBUSYAKHBqVI4VmC/n235VMumIEsqnZvzk96G5TXWyZb0qzkXcct1H8MyQgG0SR0G4Ylm5skCZppEE7udV/wb8lRZv+2YrqBueKZ+Wu6IT3HJbUkor7CcbORjhwL4ETziPm4g4BrTPGUTjyeZ4nSDPQ== exxess" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDetxImx0c/Fald9Y2wIHNJCi356rfskVUBT/SGH64N1HVZGBZhlWkeKJkCCufm3jLXdjJrlFDFlP0EjbohR6SP3VVf8Z7zAoazCtxWq0dyjPDvOjUrIuBeILbXZu0Q+qmFHPwvp5vR2wWFUwNLl1Te3CNSzQnn2KxOXfeZ56cDogzonlxh5JXDd0JWpINAuLp7uR6IshfmEMKsyCGjqzMUJ9YCztzkI9TJYDc4xitmQTvea44hRhyeIRf2ip8YlHnEIpJ9i712CQ5UEHBZUfy2gZwoLW0yYy9HJucF2A5gzvoUQ1wjA9/irlGiabKq6rOyT4ezBSoZZLEBIa6GU4qKMc1rE4Hnifi0AUnQ+4MqrCCu2QTJGNvyYzNt2XtkjakN3gtlz5xCsYV08PEB4VjAFVIa1yku66UblAW5KqixfE4mU7Z29b8faF5Ld7XO1tlNgiuHih7+JoQiwJ+auULYwRX1C2v6fAEU3PGU73VT3TZJTa5IS+fkTWzn643atxklP6Lmo8hrZIS0NXIr22OP1zYuCZm5/JLDhe0qOCYd8YQU2dNww4OUZ1uMLNOM+0UJvCHbWdjw8amR58yO5W83xp0qLHGUFjDpgvuP4ius4gvwjlhFdSVYRGwr2intLitXvOf3btjBJKUDIN0VM4MFzkvyUyCOgBgEkdCBvI7g4w== philmacfly"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8MB80WTE9ZW/mGRdPWjkpiupvoSGVnmK9wvOqm6xpwDwZkD52RGfiWQW2IbJObCLGJxoigSi4lVvrJD6MWjXAsj5Foq1H3Ok+xJET2zfWMf4s/0uStSS9kaJ/gI6Qd5jMsnz1xATTInWAHIK7u3I4trt81FWkXQdfRSNC0mPh/PYBsXzwgx/m5s3o1nUtcIBXFZUeGNnhSSf1As0Wi0Bsv3GXIIDH4b4cIi7aGHqGuaes2cTUW1r0RspUVI139Gx2O4mgv4JE/n61t/4AzfYGoaszoqPCHQt5LR8Wd/XIaPLwnM1kzo4QVqNgqkY/awryt9IPoAFqJBbIvP0Bt3irGOPrdl7e7KcV55a9gPpCmz+bVaQO2oBmQ34AsZFg9tCP26OmViQu0Lx14vWWYDFkxzCxCDDngo6+f+e5AsyAjO2pHz/ZKv/VE5P3y8CnadHG88cO0qeoI6VH4jjGk5GYYrVD4BHf8StlvAg8unwMlYchuvaKLtQyQXFW40ww4VDdPo6KSv5T5a6SozEzRtN2QKRLyxIz68xVnKYq4TanR2lsm6wecUSriV48qscglokcTKJspWD29DQ62dMt5xFDtM8i9dE8W3SUePB8qPTBK9LUrO8PkGjb0X/RgMZB5bCWBmz4I1G1X+9Y8OLpr4NKGP9UFntYtJ3tpMCHtPgf4Q== philmacfly"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"

20
hosts
View File

@ -4,19 +4,10 @@ bacon.binary.kitchen ansible_host=172.23.2.3
aveta.binary.kitchen ansible_host=172.23.2.4 aveta.binary.kitchen ansible_host=172.23.2.4
sulis.binary.kitchen ansible_host=172.23.2.5 sulis.binary.kitchen ansible_host=172.23.2.5
nabia.binary.kitchen ansible_host=172.23.2.6 nabia.binary.kitchen ansible_host=172.23.2.6
epona.binary.kitchen ansible_host=172.23.2.7
pizza.binary.kitchen ansible_host=172.23.2.33 pizza.binary.kitchen ansible_host=172.23.2.33
pancake.binary.kitchen ansible_host=172.23.2.34
knoedel.binary.kitchen ansible_host=172.23.2.35
bob.binary.kitchen ansible_host=172.23.2.37 bob.binary.kitchen ansible_host=172.23.2.37
lasagne.binary.kitchen ansible_host=172.23.2.38 bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7
tschunk.binary.kitchen ansible_host=172.23.2.39
bowle.binary.kitchen ansible_host=172.23.2.62
salat.binary.kitchen ansible_host=172.23.9.61 salat.binary.kitchen ansible_host=172.23.9.61
[auweg]
weizen.binary.kitchen ansible_host=172.23.12.61
aeron.binary.kitchen ansible_host=172.23.13.3
lock-auweg.binary.kitchen ansible_host=172.23.13.12
[fan_rz] [fan_rz]
helium.binary-kitchen.net helium.binary-kitchen.net
lithium.binary-kitchen.net lithium.binary-kitchen.net
@ -28,16 +19,9 @@ oxygen.binary-kitchen.net
fluorine.binary-kitchen.net fluorine.binary-kitchen.net
neon.binary-kitchen.net neon.binary-kitchen.net
sodium.binary-kitchen.net sodium.binary-kitchen.net
magnesium.binary-kitchen.net
aluminium.binary-kitchen.net
krypton.binary-kitchen.net krypton.binary-kitchen.net
yttrium.binary-kitchen.net yttrium.binary-kitchen.net
zirconium.binary-kitchen.net zirconium.binary-kitchen.net
molybdenum.binary-kitchen.net molybdenum.binary-kitchen.net
technetium.binary-kitchen.net
ruthenium.binary-kitchen.net ruthenium.binary-kitchen.net
rhodium.binary-kitchen.net
palladium.binary-kitchen.net
argentum.binary-kitchen.net
cadmium.binary-kitchen.net
indium.binary-kitchen.net
barium.binary-kitchen.net

View File

@ -1,49 +0,0 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create 23b group
group: name=23b
- name: Create 23b user
user:
name: 23b
home: /opt/23b
shell: /bin/bash
group: 23b
groups: docker
# docker-compolse.yml is managed outside ansible
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for 23b
template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
notify: Restart nginx
- name: Systemd unit for 23b
template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
notify:
- Reload systemd
- Restart 23b
- name: Start the 23b service
service: name=23b state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ bk23b_domain }}"

View File

@ -1,28 +0,0 @@
[Unit]
Description=23b service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=23b
Group=23b
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/23b/23b/23b
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
[Install]
WantedBy=multi-user.target

View File

@ -1,7 +0,0 @@
---
actrunner_user: act_runner
actrunner_group: act_runner
actrunner_version: 0.2.10
actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

View File

@ -1,7 +0,0 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart act_runner
service: name=act_runner state=restarted

View File

@ -1,35 +0,0 @@
---
- name: Create group
group: name={{ actrunner_group }}
- name: Create user
user: name={{ actrunner_user }} home=/var/lib/act_runner group={{ actrunner_group }} groups=docker
- name: Create directories
file: path={{ item }} state=directory owner={{ actrunner_user }} group={{ actrunner_group }}
with_items:
- /etc/act_runner
- /var/lib/act_runner
- name: Download act_runner binary
get_url: url={{ actrunner_url }} dest=/usr/local/bin/act_runner-{{ actrunner_version }} mode=0755
register: runner_download
- name: Symlink act_runner binary
file: src=/usr/local/bin/act_runner-{{ actrunner_version }} dest=/usr/local/bin/act_runner state=link
when: runner_download.changed
notify: Restart act_runner
- name: Configure act_runner
template: src=config.yaml.j2 dest=/etc/act_runner/config.yaml owner={{ actrunner_user }} group={{ actrunner_group }}
notify: Restart act_runner
- name: Install systemd unit
template: src=act_runner.service.j2 dest=/lib/systemd/system/act_runner.service
notify:
- Reload systemd
- Restart act_runner
- name: Enable act_runner
service: name=act_runner state=started enabled=yes

View File

@ -1,16 +0,0 @@
[Unit]
Description=Gitea Actions runner
Documentation=https://gitea.com/gitea/act_runner
After=docker.service
[Service]
ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
ExecReload=/bin/kill -s HUP $MAINPID
WorkingDirectory=/var/lib/act_runner
TimeoutSec=0
RestartSec=10
Restart=always
User={{ actrunner_user }}
[Install]
WantedBy=multi-user.target

View File

@ -1,86 +0,0 @@
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: warn
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 4
# Extra environment variables to run jobs.
envs:
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file.
labels: [
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest",
"ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04",
"ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04",
]
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:

View File

@ -1,3 +0,0 @@
---
authentik_version: 2024.8.3

View File

@ -1,13 +0,0 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart authentik
service: name=authentik state=restarted
- name: Restart nginx
service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

View File

@ -1,51 +0,0 @@
---
- name: Install packages
apt:
name:
- docker-compose
- name: Create authentik group
group: name=authentik
- name: Create authentik user
user:
name: authentik
home: /opt/authentik
shell: /bin/bash
group: authentik
groups: docker
- name: Configure authentik container
template: src=docker-compose.yml.j2 dest=/opt/authentik/docker-compose.yml
notify: Restart authentik
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ authentik_domain }}.key -out /etc/nginx/ssl/{{ authentik_domain }}.crt -days 730 -subj "/CN={{ authentik_domain }}" creates=/etc/nginx/ssl/{{ authentik_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for authentik
template: src=certs.j2 dest=/etc/acertmgr/{{ authentik_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/authentik
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/authentik dest=/etc/nginx/sites-enabled/authentik state=link
notify: Restart nginx
- name: Systemd unit for authentik
template: src=authentik.service.j2 dest=/etc/systemd/system/authentik.service
notify:
- Reload systemd
- Restart authentik
- name: Start the authentik service
service: name=authentik state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ authentik_domain }}"

View File

@ -1,28 +0,0 @@
[Unit]
Description=authentik service using docker compose
Requires=docker.service
After=docker.service
Before=nginx.service
[Service]
Type=simple
User=authentik
Group=authentik
Restart=always
TimeoutStartSec=1200
WorkingDirectory=/opt/authentik
# Make sure no old containers are running
ExecStartPre=/usr/bin/docker-compose down -v
# Compose up
ExecStart=/usr/bin/docker-compose up
# Compose down, remove containers and volumes
ExecStop=/usr/bin/docker-compose down -v
[Install]
WantedBy=multi-user.target

View File

@ -1,15 +0,0 @@
---
{{ authentik_domain }}:
- path: /etc/nginx/ssl/{{ authentik_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ authentik_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

View File

@ -1,75 +0,0 @@
---
version: "3.4"
services:
postgresql:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- ./database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: {{ authentik_dbpass }}
POSTGRES_USER: {{ authentik_dbuser }}
POSTGRES_DB: {{ authentik_dbname }}
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- ./redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
volumes:
- ./media:/media
- ./custom-templates:/templates
ports:
- "127.0.0.1:9000:9000"
depends_on:
- postgresql
- redis
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:{{ authentik_version }}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: {{ authentik_dbuser }}
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_dbname }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_dbpass }}
AUTHENTIK_SECRET_KEY: {{ authentik_secret }}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
depends_on:
- postgresql
- redis

View File

@ -1,41 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name {{ authentik_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ authentik_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ authentik_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ authentik_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ authentik_domain }}.crt;
location / {
proxy_pass http://localhost:9000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}

View File

@ -1,4 +1,4 @@
--- ---
dss_uwsgi_port: 5001 dss_uwsgi_port: 5001
dss_version: 0.8.5 dss_version: 0.8.4

View File

@ -44,8 +44,3 @@
- name: Enable vhosts - name: Enable vhosts
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
notify: Restart nginx notify: Restart nginx
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ dss_domain }}"

View File

@ -1,14 +1,12 @@
DEBUG = True DEBUG = True
REMEMBER_COOKIE_SECURE = True
SECRET_KEY = "{{ dss_secret }}" SECRET_KEY = "{{ dss_secret }}"
SESSION_COOKIE_SECURE = True
SESSION_TIMEOUT = 3600 SESSION_TIMEOUT = 3600
LDAP_CA = "/etc/ssl/certs/ca-certificates.crt" LDAP_CA = "/etc/ssl/certs/ca-certificates.crt"
LDAP_URI = "{{ ldap_uri }}" LDAP_URI = "{{ ldap_uri }}"
LDAP_BASE = "{{ ldap_base }}" LDAP_BASE = "{{ ldap_base }}"
ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=anke,ou=people,dc=binary-kitchen,dc=de", "cn=toffy,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ] ADMINS = [ "cn=moepman,ou=people,dc=binary-kitchen,dc=de", "cn=marove,ou=people,dc=binary-kitchen,dc=de", "cn=zaesa,ou=people,dc=binary-kitchen,dc=de", "cn=Manager,dc=binary-kitchen,dc=de" ]
USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de" USER_DN = "cn={user},ou=people,dc=binary-kitchen,dc=de"
@ -30,7 +28,7 @@ USER_ATTRS = {
'userPassword' : '{pass}' 'userPassword' : '{pass}'
} }
GROUP_FILTER = "(objectClass=posixGroup)" GROUP_DN = 'cn=members,ou=groups,dc=binary-kitchen,dc=de'
REDIS_HOST = "127.0.0.1" REDIS_HOST = "127.0.0.1"
REDIS_PASSWD = None REDIS_PASSWD = None

View File

@ -6,6 +6,3 @@ logrotate_excludes:
- "/etc/logrotate.d/dbconfig-common" - "/etc/logrotate.d/dbconfig-common"
- "/etc/logrotate.d/btmp" - "/etc/logrotate.d/btmp"
- "/etc/logrotate.d/wtmp" - "/etc/logrotate.d/wtmp"
sshd_password_authentication: "no"
sshd_permit_root_login: "prohibit-password"

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,10 @@
# udev 226 introduced predictable interface names for virtio;
# disable this for upgrades. You can remove this file if you update your
# network configuration to move to the ens* names instead.
# See /usr/share/doc/udev/README.Debian.gz for details about predictable
# network interface names.
[Match]
Driver=virtio_net
[Link]
NamePolicy=onboard kernel

View File

@ -0,0 +1,6 @@
# This machine is most likely a virtualized guest, where the old persistent
# network interface mechanism (75-persistent-net-generator.rules) did not work.
# This file disables /lib/systemd/network/99-default.link to avoid
# changing network interface names on upgrade. Please read
# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
# supported mechanism.

View File

@ -1,16 +1,7 @@
--- ---
- name: Restart chrony
service: name=chrony state=restarted
- name: Restart journald - name: Restart journald
service: name=systemd-journald state=restarted service: name=systemd-journald state=restarted
- name: Restart sshd
service: name=sshd state=restarted
- name: update-grub
command: update-grub
- name: update-initramfs - name: update-initramfs
command: update-initramfs -u -k all command: update-initramfs -u -k all

View File

@ -3,10 +3,7 @@
- name: Install misc software - name: Install misc software
apt: apt:
name: name:
- apt-transport-https
- dnsutils - dnsutils
- fdisk
- gnupg2
- htop - htop
- less - less
- net-tools - net-tools
@ -16,7 +13,6 @@
- rsync - rsync
- sudo - sudo
- vim-nox - vim-nox
- wget
- zsh - zsh
- name: Install software on KVM VMs - name: Install software on KVM VMs
@ -30,32 +26,35 @@
copy: src={{ item.src }} dest={{ item.dest }} copy: src={{ item.src }} dest={{ item.dest }}
diff: no diff: no
with_items: with_items:
- { src: ".zshrc", dest: "/root/.zshrc" } - { src: '.zshrc', dest: '/root/.zshrc' }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" } - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: "motd", dest: "/etc/motd" } - { src: 'motd', dest: '/etc/motd' }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" } - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user - name: Set shell for root user
user: name=root shell=/bin/zsh user: name=root shell=/bin/zsh
- name: Create LDAP client config
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
- name: Disable hibernation/resume - name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
notify: update-initramfs notify: update-initramfs
- name: Enable serial console on KVM VMs # TODO template /etc/network/interfaces
lineinfile:
path: "/etc/default/grub" - name: Fix network interface names
state: "present" copy: src={{ item }} dest=/etc/systemd/network/{{ item }}
regexp: "^#?GRUB_CMDLINE_LINUX=.*" with_items:
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\"" - 50-virtio-kernel-names.link
notify: update-grub - 99-default.link
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm" notify: update-initramfs
- name: Prevent normal users from running su - name: Prevent normal users from running su
lineinfile: lineinfile:
path: /etc/pam.d/su path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$" regexp: '^.*auth\s+required\s+pam_wheel.so$'
line: "auth required pam_wheel.so" line: 'auth required pam_wheel.so'
- name: Configure journald retention - name: Configure journald retention
lineinfile: lineinfile:
@ -90,25 +89,16 @@
set_fact: set_fact:
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}" logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
- name: "Set logrotate.d/* to daily" - name: 'Set logrotate.d/* to daily'
replace: replace:
path: "{{ item }}" path: "{{ item }}"
regexp: "(?:weekly|monthly)" regexp: "(?:weekly|monthly)"
replace: "daily" replace: "daily"
loop: "{{ logrotateconfigpaths }}" loop: "{{ logrotateconfigpaths }}"
- name: "Set /etc/logrotate.d/* rotation to 7" - name: 'Set /etc/logrotate.d/* rotation to 7'
replace: replace:
path: "{{ item }}" path: "{{ item }}"
regexp: "rotate [0-9]+" regexp: "rotate [0-9]+"
replace: "rotate 7" replace: "rotate 7"
loop: "{{ logrotateconfigpaths }}" loop: "{{ logrotateconfigpaths }}"
- name: Configure sshd
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
notify: Restart sshd

View File

@ -0,0 +1,14 @@
---
- name: Install misc software
pkgng:
name:
- vim-lite
- htop
- zsh
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
with_items:
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }

View File

@ -13,12 +13,11 @@
- name: Configure misc software - name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }} copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items: with_items:
- { src: ".zshrc", dest: "/root/.zshrc" } - { src: '.zshrc', dest: '/root/.zshrc' }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" } - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: "motd", dest: "/etc/motd" } - { src: 'motd', dest: '/etc/motd' }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" } - { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user - name: Set shell for root user
user: name=root shell=/bin/zsh user: name=root shell=/bin/zsh

View File

@ -1,8 +0,0 @@
---
- name: Install chrony
apt: name=chrony
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony

View File

@ -2,20 +2,21 @@
- name: Cleanup - name: Cleanup
apt: autoclean=yes apt: autoclean=yes
when: ansible_os_family == "Debian" when: ansible_os_family == 'Debian'
- name: Gather package facts - name: Gather package facts
package_facts: package_facts:
manager: apt manager: apt
when: ansible_os_family == "Debian" when: ansible_os_family == 'Debian'
- name: Proxmox - name: Proxmox
include: Proxmox.yml include: Proxmox.yml
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
- name: Debian - name: Debian
include: Debian.yml include: Debian.yml
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
- name: Setup chrony - name: FreeBSD
include: chrony.yml include: FreeBSD.yml
when: ansible_distribution == 'FreeBSD'

View File

@ -1,52 +0,0 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
{% if ntp_server is defined and ntp_server is true %}
allow 172.23.0.0/16
{% endif -%}
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys
# This directive specify the file into which chronyd will store the rate
# information.
driftfile /var/lib/chrony/chrony.drift
# Save NTS keys and cookies.
ntsdumpdir /var/lib/chrony
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Log files location.
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can't be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC

View File

@ -0,0 +1,19 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE {{ ldap_base }}
URI {{ ldap_uri }}
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_REQCERT demand
TLS_CACERTDIR /etc/ssl/certs
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

View File

@ -1,131 +0,0 @@
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin {{ sshd_permit_root_login }}
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
AuthorizedKeysCommand {{ sshd_authkeys_command }}
{% if sshd_authkeys_user is defined and sshd_authkeys_user %}
AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
{% else %}
AuthorizedKeysCommandUser nobody
{% endif %}
{% else %}
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
{% endif %}
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication {{ sshd_password_authentication }}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

View File

@ -1,10 +1,4 @@
--- ---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart coturn - name: Restart coturn
service: name=coturn state=restarted service: name=coturn state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

View File

@ -1,4 +0,0 @@
---
dependencies:
- { role: acertmgr }

View File

@ -3,28 +3,6 @@
- name: Install coturn - name: Install coturn
apt: name=coturn apt: name=coturn
- name: Create coturn service override directory
file: path=/etc/systemd/system/coturn.service.d state=directory
- name: Configure coturn service override
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
notify:
- Reload systemd
- Restart coturn
- name: Create gitea directories
file: path={{ item }} state=directory owner=turnserver
with_items:
- /etc/turnserver
- /etc/turnserver/certs
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
notify: Run acertmgr
- name: Configure coturn - name: Configure coturn
template: src={{ item }}.j2 dest=/etc/{{ item }} template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items: with_items:

View File

@ -1,15 +0,0 @@
---
{{ coturn_realm }}:
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
user: turnserver
group: turnserver
perm: '400'
format: key
action: '/usr/sbin/service coturn restart'
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
user: turnserver
group: turnserver
perm: '400'
format: crt,ca
action: '/usr/sbin/service coturn restart'

View File

@ -1,2 +0,0 @@
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE

View File

@ -1,60 +1,52 @@
# Coturn TURN SERVER configuration file # Coturn TURN SERVER configuration file
# #
# Boolean values note: where a boolean value is supposed to be used, # Boolean values note: where boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', or 'f' as 'false, # you can use '0', 'off', 'no', 'false', 'f' as 'false,
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true' # and you can use '1', 'on', 'yes', 'true', 't' as 'true'
# If the value is missing, then it means 'true' by default. # If the value is missed, then it means 'true'.
# #
# Listener interface device (optional, Linux only). # Listener interface device (optional, Linux only).
# NOT RECOMMENDED. # NOT RECOMMENDED.
# #
#listening-device=eth0 #listening-device=eth0
# TURN listener port for UDP and TCP (Default: 3478). # TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the # Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration. # "plain" TCP & UDP port(s), too - if allowed by configuration.
# #
listening-port=443 #listening-port=3478
# TURN listener port for TLS (Default: 5349). # TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server # port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening # "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs. # functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, Coturn currently supports # For secure TCP connections, we currently support SSL version 3 and
# TLS version 1.0, 1.1 and 1.2. # TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1. # For secure UDP connections, we support DTLS version 1.
# #
tls-listening-port=443 #tls-listening-port=5349
# Alternative listening port for UDP and TCP listeners; # Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one". # default (or zero) value means "listening port plus one".
# This is needed for RFC 5780 support # This is needed for RFC 5780 support
# (STUN extension specs, NAT behavior discovery). The TURN Server # (STUN extension specs, NAT behavior discovery). The TURN Server
# supports RFC 5780 only if it is started with more than one # supports RFC 5780 only if it is started with more than one
# listening IP address of the same family (IPv4 or IPv6). # listening IP address of the same family (IPv4 or IPv6).
# RFC 5780 is supported only by UDP protocol, other protocols # RFC 5780 is supported only by UDP protocol, other protocols
# are listening to that endpoint only for "symmetry". # are listening to that endpoint only for "symmetry".
# #
#alt-listening-port=0 #alt-listening-port=0
# Alternative listening port for TLS and DTLS protocols. # Alternative listening port for TLS and DTLS protocols.
# Default (or zero) value means "TLS listening port plus one". # Default (or zero) value means "TLS listening port plus one".
# #
#alt-tls-listening-port=0 #alt-tls-listening-port=0
# Some network setups will require using a TCP reverse proxy in front
# of the STUN server. If the proxy port option is set a single listener
# is started on the given port that accepts connections using the
# haproxy proxy protocol v2.
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
#
#tcp-proxy-port=5555
# Listener IP address of relay server. Multiple listeners can be specified. # Listener IP address of relay server. Multiple listeners can be specified.
# If no IP(s) specified in the config file or in the command line options, # If no IP(s) specified in the config file or in the command line options,
# then all IPv4 and IPv6 system IPs will be used for listening. # then all IPv4 and IPv6 system IPs will be used for listening.
# #
#listening-ip=172.17.19.101 #listening-ip=172.17.19.101
@ -69,7 +61,7 @@ tls-listening-port=443
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST). # they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
# #
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply. # 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
# #
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6. # Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
# #
# There may be multiple aux-server options, each will be used for listening # There may be multiple aux-server options, each will be used for listening
@ -81,7 +73,7 @@ tls-listening-port=443
# (recommended for older Linuxes only) # (recommended for older Linuxes only)
# Automatically balance UDP traffic over auxiliary servers (if configured). # Automatically balance UDP traffic over auxiliary servers (if configured).
# The load balancing is using the ALTERNATE-SERVER mechanism. # The load balancing is using the ALTERNATE-SERVER mechanism.
# The TURN client must support 300 ALTERNATE-SERVER response for this # The TURN client must support 300 ALTERNATE-SERVER response for this
# functionality. # functionality.
# #
#udp-self-balance #udp-self-balance
@ -91,13 +83,13 @@ tls-listening-port=443
# #
#relay-device=eth1 #relay-device=eth1
# Relay address (the local IP address that will be used to relay the # Relay address (the local IP address that will be used to relay the
# packets to the peer). # packets to the peer).
# Multiple relay addresses may be used. # Multiple relay addresses may be used.
# The same IP(s) can be used as both listening IP(s) and relay IP(s). # The same IP(s) can be used as both listening IP(s) and relay IP(s).
# #
# If no relay IP(s) specified, then the turnserver will apply the default # If no relay IP(s) specified, then the turnserver will apply the default
# policy: it will decide itself which relay addresses to be used, and it # policy: it will decide itself which relay addresses to be used, and it
# will always be using the client socket IP address as the relay IP address # will always be using the client socket IP address as the relay IP address
# of the TURN session (if the requested relay address family is the same # of the TURN session (if the requested relay address family is the same
# as the family of the client socket). # as the family of the client socket).
@ -120,15 +112,12 @@ tls-listening-port=443
# that option must be used several times, each entry must # that option must be used several times, each entry must
# have form "-X <public-ip/private-ip>", to map all involved addresses. # have form "-X <public-ip/private-ip>", to map all involved addresses.
# RFC5780 NAT discovery STUN functionality will work correctly, # RFC5780 NAT discovery STUN functionality will work correctly,
# if the addresses are mapped properly, even when the TURN server itself # if the addresses are mapped properly, even when the TURN server itself
# is behind A NAT. # is behind A NAT.
# #
# By default, this value is empty, and no address mapping is used. # By default, this value is empty, and no address mapping is used.
# #
external-ip={{ ansible_default_ipv4.address }} #external-ip=60.70.80.91
{% if ansible_default_ipv6.address is defined %}
external-ip={{ ansible_default_ipv6.address }}
{% endif %}
# #
#OR: #OR:
# #
@ -138,18 +127,18 @@ external-ip={{ ansible_default_ipv6.address }}
# Number of the relay threads to handle the established connections # Number of the relay threads to handle the established connections
# (in addition to authentication thread and the listener thread). # (in addition to authentication thread and the listener thread).
# If explicitly set to 0 then application runs relay process in a # If explicitly set to 0 then application runs relay process in a
# single thread, in the same thread with the listener process # single thread, in the same thread with the listener process
# (the authentication thread will still be a separate thread). # (the authentication thread will still be a separate thread).
# #
# If this parameter is not set, then the default OS-dependent # If this parameter is not set, then the default OS-dependent
# thread pattern algorithm will be employed. Usually the default # thread pattern algorithm will be employed. Usually the default
# algorithm is optimal, so you have to change this option # algorithm is the most optimal, so you have to change this option
# if you want to make some fine tweaks. # only if you want to make some fine tweaks.
# #
# In the older systems (Linux kernel before 3.9), # In the older systems (Linux kernel before 3.9),
# the number of UDP threads is always one thread per network listening # the number of UDP threads is always one thread per network listening
# endpoint - including the auxiliary endpoints - unless 0 (zero) or # endpoint - including the auxiliary endpoints - unless 0 (zero) or
# 1 (one) value is set. # 1 (one) value is set.
# #
#relay-threads=0 #relay-threads=0
@ -159,15 +148,15 @@ external-ip={{ ansible_default_ipv6.address }}
# #
#min-port=49152 #min-port=49152
#max-port=65535 #max-port=65535
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode. # Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
# By default the verbose mode is off. # By default the verbose mode is off.
#verbose #verbose
# Uncomment to run TURN server in 'extra' verbose mode. # Uncomment to run TURN server in 'extra' verbose mode.
# This mode is very annoying and produces lots of output. # This mode is very annoying and produces lots of output.
# Not recommended under normal circumstances. # Not recommended under any normal circumstances.
# #
#Verbose #Verbose
# Uncomment to use fingerprints in the TURN messages. # Uncomment to use fingerprints in the TURN messages.
@ -180,69 +169,58 @@ fingerprint
# #
#lt-cred-mech #lt-cred-mech
# This option is the opposite of lt-cred-mech. # This option is opposite to lt-cred-mech.
# (TURN Server with no-auth option allows anonymous access). # (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined, # If neither option is defined, and no users are defined,
# then no-auth is default. If at least one user is defined, # then no-auth is default. If at least one user is defined,
# in this file, in command line or in usersdb file, then # in this file or in command line or in usersdb file, then
# lt-cred-mech is default. # lt-cred-mech is default.
# #
#no-auth #no-auth
# Enable prometheus exporter
# If enabled the turnserver will expose an endpoint with stats on a prometheus format
# this endpoint is listening on a different port to not conflict with other configurations.
#
# You can simply run the turnserver and access the port 9641 and path /metrics
#
# For mor info on the prometheus exporter and metrics
# https://prometheus.io/docs/introduction/overview/
# https://prometheus.io/docs/concepts/data_model/
#
#prometheus
# TURN REST API flag. # TURN REST API flag.
# (Time Limited Long Term Credential) # (Time Limited Long Term Credential)
# Flag that sets a special authorization option that is based upon authentication secret. # Flag that sets a special authorization option that is based upon authentication secret.
# #
# This feature's purpose is to support "TURN Server REST API", see # This feature's purpose is to support "TURN Server REST API", see
# "TURN REST API" link in the project's page # "TURN REST API" link in the project's page
# https://github.com/coturn/coturn/ # https://github.com/coturn/coturn/
# #
# This option is used with timestamp: # This option is used with timestamp:
# #
# usercombo -> "timestamp:userid" # usercombo -> "timestamp:userid"
# turn user -> usercombo # turn user -> usercombo
# turn password -> base64(hmac(secret key, usercombo)) # turn password -> base64(hmac(secret key, usercombo))
# #
# This allows TURN credentials to be accounted for a specific user id. # This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, then the timestamp alone can be used. # If you don't have a suitable id, the timestamp alone can be used.
# This option is enabled by turning on secret-based authentication. # This option is just turning on secret-based authentication.
# The actual value of the secret is defined either by the option static-auth-secret, # The actual value of the secret is defined either by option static-auth-secret,
# or can be found in the turn_secret table in the database (see below). # or can be found in the turn_secret table in the database (see below).
# #
# Read more about it: # Read more about it:
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 # - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf # - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
# #
# Be aware that use-auth-secret overrides some parts of lt-cred-mech. # Be aware that use-auth-secret overrides some part of lt-cred-mech.
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set # Notice that this feature depends internally on lt-cred-mech, so if you set
# this option then it automatically enables lt-cred-mech internally # use-auth-secret then it enables internally automatically lt-cred-mech option
# as if you had enabled both. # like if you enable both.
# #
# Note that you can use only one auth mechanism at the same time! This is because, # You can use only one of the to auth mechanisms in the same time because,
# both mechanisms conduct username and password validation in different ways. # both mechanism use the username and password validation in different way.
# #
# Use either lt-cred-mech or use-auth-secret in the conf # This way be aware that you can't use both auth mechnaism in the same time!
# Use in config either the lt-cred-mech or the use-auth-secret
# to avoid any confusion. # to avoid any confusion.
# #
use-auth-secret use-auth-secret
# 'Static' authentication secret value (a string) for TURN REST API only. # 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server # If not set, then the turn server
# will try to use the 'dynamic' value in the turn_secret table # will try to use the 'dynamic' value in turn_secret table
# in the user database (if present). The database-stored value can be changed on-the-fly # in user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that mode is considered 'dynamic'. # by a separate program, so this is why that other mode is 'dynamic'.
# #
static-auth-secret={{ coturn_secret }} static-auth-secret={{ coturn_secret }}
@ -256,10 +234,10 @@ static-auth-secret={{ coturn_secret }}
# #
#oauth #oauth
# 'Static' user accounts for the long term credentials mechanism, only. # 'Static' user accounts for long term credentials mechanism, only.
# This option cannot be used with TURN REST API. # This option cannot be used with TURN REST API.
# 'Static' user accounts are NOT dynamically checked by the turnserver process, # 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so they can NOT be changed while the turnserver is running. # so that they can NOT be changed while the turnserver is running.
# #
#user=username1:key1 #user=username1:key1
#user=username2:key2 #user=username2:key2
@ -277,7 +255,7 @@ static-auth-secret={{ coturn_secret }}
# password. If it has 0x then it is a key, otherwise it is a password). # password. If it has 0x then it is a key, otherwise it is a password).
# #
# The corresponding user account entry in the config file will be: # The corresponding user account entry in the config file will be:
# #
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee #user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
# Or, equivalently, with open clear password (less secure): # Or, equivalently, with open clear password (less secure):
#user=ninefingers:youhavetoberealistic #user=ninefingers:youhavetoberealistic
@ -285,83 +263,83 @@ static-auth-secret={{ coturn_secret }}
# SQLite database file name. # SQLite database file name.
# #
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or # Default file name is /var/db/turndb or /usr/local/var/db/turndb or
# /var/lib/turn/turndb. # /var/lib/turn/turndb.
# #
#userdb=/var/db/turndb #userdb=/var/db/turndb
# PostgreSQL database connection string in the case that you are using PostgreSQL # PostgreSQL database connection string in the case that we are using PostgreSQL
# as the user database. # as the user database.
# This database can be used for the long-term credential mechanism # This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API. # and it can store the secret value for secret-based timed authentication in TURN RESP API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see # versions connection string format, see
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for 9.x and newer connection string formats. # for 9.x and newer connection string formats.
# #
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30" #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
# MySQL database connection string in the case that you are using MySQL # MySQL database connection string in the case that we are using MySQL
# as the user database. # as the user database.
# This database can be used for the long-term credential mechanism # This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API. # and it can store the secret value for secret-based timed authentication in TURN RESP API.
# #
# Optional connection string parameters for the secure communications (SSL): # Optional connection string parameters for the secure communications (SSL):
# ca, capath, cert, key, cipher # ca, capath, cert, key, cipher
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the # (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
# command options description). # command options description).
# #
# Use the string format below (space separated parameters, all optional): # Use string format as below (space separated parameters, all optional):
# #
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>" #mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
# If you want to use an encrypted password in the MySQL connection string, # If you want to use in the MySQL connection string the password in encrypted format,
# then set the MySQL password encryption secret key file with this option. # then set in this option the MySQL password encryption secret key file.
# #
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format! # Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
# If you want to use a cleartext password then do not set this option! # If you want to use cleartext password then do not set this option!
# #
# This is the file path for the aes encrypted secret key used for password encryption. # This is the file path which contain secret key of aes encryption while using password encryption.
# #
#secret-key-file=/path/ #secret-key-file=/path/
# MongoDB database connection string in the case that you are using MongoDB # MongoDB database connection string in the case that we are using MongoDB
# as the user database. # as the user database.
# This database can be used for long-term credential mechanism # This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API. # and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html # Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
# #
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]" #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
# Redis database connection string in the case that you are using Redis # Redis database connection string in the case that we are using Redis
# as the user database. # as the user database.
# This database can be used for long-term credential mechanism # This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API. # and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use the string format below (space separated parameters, all optional): # Use string format as below (space separated parameters, all optional):
# #
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>" #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used). # Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
# This database keeps allocations status information, and it can be also used for publishing # This database keeps allocations status information, and it can be also used for publishing
# and delivering traffic and allocation event notifications. # and delivering traffic and allocation event notifications.
# The connection string has the same parameters as redis-userdb connection string. # The connection string has the same parameters as redis-userdb connection string.
# Use the string format below (space separated parameters, all optional): # Use string format as below (space separated parameters, all optional):
# #
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>" #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# The default realm to be used for the users when no explicit # The default realm to be used for the users when no explicit
# origin/realm relationship is found in the database, or if the TURN # origin/realm relationship was found in the database, or if the TURN
# server is not using any database (just the commands-line settings # server is not using any database (just the commands-line settings
# and the userdb file). Must be used with long-term credentials # and the userdb file). Must be used with long-term credentials
# mechanism or with TURN REST API. # mechanism or with TURN REST API.
# #
# Note: If the default realm is not specified, then realm falls back to the host domain name. # Note: If default realm is not specified at all, then realm falls back to the host domain name.
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string. # If domain name is empty string, or '(None)', then it is initialized to am empty string.
# #
realm={{ coturn_realm }} realm={{ coturn_realm }}
# This flag sets the origin consistency # The flag that sets the origin consistency
# check. Across the session, all requests must have the same # check: across the session, all requests must have the same
# main ORIGIN attribute value (if the ORIGIN was # main ORIGIN attribute value (if the ORIGIN was
# initially used by the session). # initially used by the session).
# #
@ -381,7 +359,7 @@ realm={{ coturn_realm }}
# Max bytes-per-second bandwidth a TURN session is allowed to handle # Max bytes-per-second bandwidth a TURN session is allowed to handle
# (input and output network streams are treated separately). Anything above # (input and output network streams are treated separately). Anything above
# that limit will be dropped or temporarily suppressed (within # that limit will be dropped or temporary suppressed (within
# the available buffer limits). # the available buffer limits).
# This option can also be set through the database, for a particular realm. # This option can also be set through the database, for a particular realm.
# #
@ -402,17 +380,17 @@ realm={{ coturn_realm }}
# Uncomment if no TCP client listener is desired. # Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started. # By default TCP client listener is always started.
# #
#no-tcp no-tcp
# Uncomment if no TLS client listener is desired. # Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started. # By default TLS client listener is always started.
# #
#no-tls no-tls
# Uncomment if no DTLS client listener is desired. # Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started. # By default DTLS client listener is always started.
# #
#no-dtls no-dtls
# Uncomment if no UDP relay endpoints are allowed. # Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766). # By default UDP relay endpoints are enabled (like in RFC 5766).
@ -425,11 +403,11 @@ realm={{ coturn_realm }}
#no-tcp-relay #no-tcp-relay
# Uncomment if extra security is desired, # Uncomment if extra security is desired,
# with nonce value having a limited lifetime. # with nonce value having limited lifetime.
# The nonce value is unique for a session. # By default, the nonce value is unique for a session,
# Set this option to limit the nonce lifetime. # and has unlimited lifetime.
# Set it to 0 for unlimited lifetime. # Set this option to limit the nonce lifetime.
# It defaults to 600 secs (10 min) if no value is provided. After that delay, # It defaults to 600 secs (10 min) if no value is provided. After that delay,
# the client will get 438 error and will have to re-authenticate itself. # the client will get 438 error and will have to re-authenticate itself.
# #
#stale-nonce=600 #stale-nonce=600
@ -455,14 +433,13 @@ realm={{ coturn_realm }}
#permission-lifetime=300 #permission-lifetime=300
# Certificate file. # Certificate file.
# Use an absolute path or path relative to the # Use an absolute path or path relative to the
# configuration file. # configuration file.
# Use PEM file format.
# #
#cert=/usr/local/etc/turn_server_cert.pem #cert=/usr/local/etc/turn_server_cert.pem
# Private key file. # Private key file.
# Use an absolute path or path relative to the # Use an absolute path or path relative to the
# configuration file. # configuration file.
# Use PEM file format. # Use PEM file format.
# #
@ -478,29 +455,29 @@ realm={{ coturn_realm }}
# #
#cipher-list="DEFAULT" #cipher-list="DEFAULT"
# CA file in OpenSSL format. # CA file in OpenSSL format.
# Forces TURN server to verify the client SSL certificates. # Forces TURN server to verify the client SSL certificates.
# By default this is not set: there is no default value and the client # By default it is not set: there is no default value and the client
# certificate is not checked. # certificate is not checked.
# #
# Example: # Example:
#CA-file=/etc/ssh/id_rsa.cert #CA-file=/etc/ssh/id_rsa.cert
# Curve name for EC ciphers, if supported by OpenSSL # Curve name for EC ciphers, if supported by OpenSSL
# library (TLS and DTLS). The default value is prime256v1, # library (TLS and DTLS). The default value is prime256v1,
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+, # if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
# an optimal curve will be automatically calculated, if not defined # an optimal curve will be automatically calculated, if not defined
# by this option. # by this option.
# #
#ec-curve-name=prime256v1 #ec-curve-name=prime256v1
# Use 566 bits predefined DH TLS key. Default size of the key is 2066. # Use 566 bits predefined DH TLS key. Default size of the key is 1066.
# #
#dh566 #dh566
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066. # Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
# #
#dh1066 #dh2066
# Use custom DH TLS key, stored in PEM format in the file. # Use custom DH TLS key, stored in PEM format in the file.
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file. # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
@ -508,21 +485,21 @@ realm={{ coturn_realm }}
#dh-file=<DH-PEM-file-name> #dh-file=<DH-PEM-file-name>
# Flag to prevent stdout log messages. # Flag to prevent stdout log messages.
# By default, all log messages go to both stdout and to # By default, all log messages are going to both stdout and to
# the configured log file. With this option everything will # the configured log file. With this option everything will be
# go to the configured log only (unless the log file itself is stdout). # going to the configured log only (unless the log file itself is stdout).
# #
#no-stdout-log #no-stdout-log
# Option to set the log file name. # Option to set the log file name.
# By default, the turnserver tries to open a log file in # By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and the current directory # /var/log, /var/tmp, /tmp and current directories directories
# (Whichever file open operation succeeds first will be used). # (which open operation succeeds first that file will be used).
# With this option you can set the definite log file name. # With this option you can set the definite log file name.
# The special names are "stdout" and "-" - they will force everything # The special names are "stdout" and "-" - they will force everything
# to the stdout. Also, the "syslog" name will force everything to # to the stdout. Also, the "syslog" name will force everything to
# the system log (syslog). # the system log (syslog).
# In the runtime, the logfile can be reset with the SIGHUP signal # In the runtime, the logfile can be reset with the SIGHUP signal
# to the turnserver process. # to the turnserver process.
# #
#log-file=/var/tmp/turn.log #log-file=/var/tmp/turn.log
@ -537,51 +514,41 @@ syslog
# #
#simple-log #simple-log
# Enable full ISO-8601 timestamp in all logs.
#new-log-timestamp
# Set timestamp format (in strftime(1) format)
#new-log-timestamp-format "%FT%T%z"
# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
# Enable binding logging and UDP endpoint logs in verbose log mode.
#log-binding
# Option to set the "redirection" mode. The value of this option # Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in the form of # will be the address of the alternate server for UDP & TCP service in form of
# <ip>[:<port>]. The server will send this value in the attribute # <ip>[:<port>]. The server will send this value in the attribute
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client. # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
# Client will receive only values with the same address family # Client will receive only values with the same address family
# as the client network endpoint address family. # as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality. # See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
# The client must use the obtained value for subsequent TURN communications. # The client must use the obtained value for subsequent TURN communications.
# If more than one --alternate-server option is provided, then the functionality # If more than one --alternate-server options are provided, then the functionality
# can be more accurately described as "load-balancing" than a mere "redirection". # can be more accurately described as "load-balancing" than a mere "redirection".
# If the port number is omitted, then the default port # If the port number is omitted, then the default port
# number 3478 for the UDP/TCP protocols will be used. # number 3478 for the UDP/TCP protocols will be used.
# Colon (:) characters in IPv6 addresses may conflict with the syntax of # Colon (:) characters in IPv6 addresses may conflict with the syntax of
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed # the option. To alleviate this conflict, literal IPv6 addresses are enclosed
# in square brackets in such resource identifiers, for example: # in square brackets in such resource identifiers, for example:
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . # [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Multiple alternate servers can be set. They will be used in the # Multiple alternate servers can be set. They will be used in the
# round-robin manner. All servers in the pool are considered of equal weight and # round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if you have 4 alternate servers, # the load will be distributed equally. For example, if we have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server # then each server will receive 25% of ALLOCATE requests. A alternate TURN server
# address can be used more than one time with the alternate-server option, so this # address can be used more than one time with the alternate-server option, so this
# can emulate "weighting" of the servers. # can emulate "weighting" of the servers.
# #
# Examples: # Examples:
#alternate-server=1.2.3.4:5678 #alternate-server=1.2.3.4:5678
#alternate-server=11.22.33.44:56789 #alternate-server=11.22.33.44:56789
#alternate-server=5.6.7.8 #alternate-server=5.6.7.8
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 #alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to set alternative server for TLS & DTLS services in form of # Option to set alternative server for TLS & DTLS services in form of
# <ip>:<port>. If the port number is omitted, then the default port # <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous # number 5349 for the TLS/DTLS protocols will be used. See the previous
# option for the functionality description. # option for the functionality description.
# #
# Examples: # Examples:
#tls-alternate-server=1.2.3.4:5678 #tls-alternate-server=1.2.3.4:5678
#tls-alternate-server=11.22.33.44:56789 #tls-alternate-server=11.22.33.44:56789
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 #tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
@ -592,15 +559,6 @@ syslog
# #
#stun-only #stun-only
# Option to hide software version. Enhance security when used in production.
# Revealing the specific software version of the agent through the
# SOFTWARE attribute might allow them to become more vulnerable to
# attacks against software that is known to contain security holes.
# Implementers SHOULD make usage of the SOFTWARE attribute a
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
#
#no-software-attribute
# Option to suppress STUN functionality, only TURN requests will be processed. # Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored. # Run as TURN server only, all STUN requests will be ignored.
# By default, this option is NOT set. # By default, this option is NOT set.
@ -609,7 +567,7 @@ syslog
# This is the timestamp/username separator symbol (character) in TURN REST API. # This is the timestamp/username separator symbol (character) in TURN REST API.
# The default value is ':'. # The default value is ':'.
# rest-api-separator=: # rest-api-separator=:
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1). # Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure. # This is an extra security measure.
@ -617,9 +575,9 @@ syslog
# (To avoid any security issue that allowing loopback access may raise, # (To avoid any security issue that allowing loopback access may raise,
# the no-loopback-peers option is replaced by allow-loopback-peers.) # the no-loopback-peers option is replaced by allow-loopback-peers.)
# #
# Allow it only for testing in a development environment! # Allow it only for testing in a development environment!
# In production it adds a possible security vulnerability, so for security reasons # In production it adds a possible security vulnerability, so for security reasons
# it is not allowed using it together with empty cli-password. # it is not allowed using it together with empty cli-password.
# #
#allow-loopback-peers #allow-loopback-peers
@ -628,18 +586,18 @@ syslog
# #
no-multicast-peers no-multicast-peers
# Option to set the max time, in seconds, allowed for full allocation establishment. # Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds. # Default is 60 seconds.
# #
#max-allocate-timeout=60 #max-allocate-timeout=60
# Option to allow or ban specific ip addresses or ranges of ip addresses. # Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is # If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip # considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range. # addresses, except for a few specific ips within that range.
# #
# This can be used when you do not want users of the turn server to be able to access # This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the # machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT) # internet (e.g. when the turn server is sitting behind a NAT)
# #
# Examples: # Examples:
@ -661,22 +619,22 @@ no-multicast-peers
# #
mobility mobility
# Allocate Address Family according # Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN # If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family. # Client <=> Server communication address family.
# (By default Coturn works according RFC 6156.) # (By default coTURN works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!! # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
# #
#keep-address-family #keep-address-family
# User name to run the process. After the initialization, the turnserver process # User name to run the process. After the initialization, the turnserver process
# will attempt to change the current user ID to that user. # will make an attempt to change the current user ID to that user.
# #
#proc-user=<user-name> #proc-user=<user-name>
# Group name to run the process. After the initialization, the turnserver process # Group name to run the process. After the initialization, the turnserver process
# will attempt to change the current group ID to that group. # will make an attempt to change the current group ID to that group.
# #
#proc-group=<group-name> #proc-group=<group-name>
@ -696,8 +654,8 @@ mobility
#cli-port=5766 #cli-port=5766
# CLI access password. Default is empty (no password). # CLI access password. Default is empty (no password).
# For the security reasons, it is recommended that you use the encrypted # For the security reasons, it is recommended to use the encrypted
# form of the password (see the -P command in the turnadmin utility). # for of the password (see the -P command in the turnadmin utility).
# #
# Secure form for password 'qwerty': # Secure form for password 'qwerty':
# #
@ -726,14 +684,10 @@ mobility
# #
#web-admin-listen-on-workers #web-admin-listen-on-workers
#acme-redirect=http://redirectserver/.well-known/acme-challenge/ # Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'. # Only for those applications when we want to run
# Default is '', i.e. no special handling for such requests.
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when you want to run
# server applications on the relay endpoints. # server applications on the relay endpoints.
# This option eliminates the IP permissions check on # This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints. # the packets incoming to the relay endpoints.
# #
#server-relay #server-relay
@ -749,6 +703,6 @@ mobility
# Do not allow an TLS/DTLS version of protocol # Do not allow an TLS/DTLS version of protocol
# #
#no-tlsv1 no-tlsv1
#no-tlsv1_1 no-tlsv1_1
#no-tlsv1_2 no-tlsv1_2

View File

@ -0,0 +1,4 @@
---
- name: Restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted

View File

@ -0,0 +1,14 @@
---
- name: Install dhcp server
apt: name=isc-dhcp-server
- name: Configure dhcp server
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- default/isc-dhcp-server
- dhcp/dhcpd.conf
notify: Restart isc-dhcp-server
- name: Start the dhcp server
service: name=isc-dhcp-server state=started enabled=yes

View File

@ -0,0 +1,17 @@
#
# This is a POSIX shell fragment
#
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPD_CONF=/etc/dhcp/dhcpd.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPD_PID=/var/run/dhcpd.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="eth0"

View File

@ -0,0 +1,228 @@
# dhcpd.conf
# option definitions common to all supported networks...
option domain-name "binary.kitchen";
option domain-name-servers {{ name_servers | join(', ') }};
option ntp-servers 172.23.1.60, 172.23.2.3;
default-lease-time 7200;
max-lease-time 28800;
# Use this to enble / disable dynamic dns updates globally.
ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
{% if dhcpd_failover == true %}
# Failover
failover peer "failover-partner" {
{% if ansible_default_ipv4.address == dhcpd_primary %}
primary;
address {{ dhcpd_primary }};
peer address {{ dhcpd_secondary }};
{% elif ansible_default_ipv4.address == dhcpd_secondary %}
secondary;
address {{ dhcpd_secondary }};
peer address {{ dhcpd_primary }};
{% endif %}
port 520;
peer port 520;
max-response-delay 60;
max-unacked-updates 10;
{% if ansible_default_ipv4.address == dhcpd_primary %}
mclt 600;
split 255;
{% endif %}
load balance max seconds 3;
}
{% endif %}
# Binary Kitchen subnets
# Management
subnet 172.23.1.0 netmask 255.255.255.0 {
option routers 172.23.1.1;
}
# Services
subnet 172.23.2.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.2.1;
}
# Users
subnet 172.23.3.0 netmask 255.255.255.0 {
option routers 172.23.3.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.3.10 172.23.3.230;
}
}
# MQTT
subnet 172.23.4.0 netmask 255.255.255.0 {
option routers 172.23.4.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.4.10 172.23.4.240;
}
}
# Fixed IPs
host ap01 {
hardware ethernet 44:48:c1:ce:a9:00;
fixed-address ap01.binary.kitchen;
}
host ap04 {
hardware ethernet 44:48:c1:ce:90:06;
fixed-address ap04.binary.kitchen;
}
host ap05 {
hardware ethernet bc:9f:e4:c3:6f:aa;
fixed-address ap05.binary.kitchen;
}
host bowle {
hardware ethernet ac:1f:6b:25:16:b6;
fixed-address bowle.binary.kitchen;
}
host cannelloni {
hardware ethernet 00:10:f3:15:88:ac;
fixed-address cannelloni.binary.kitchen;
}
host cashdesk {
hardware ethernet 00:0b:ca:94:13:f1;
fixed-address cashdesk.binary.kitchen;
}
host fusilli {
hardware ethernet b8:27:eb:1d:b9:bf;
fixed-address fusilli.binary.kitchen;
}
host garlic {
hardware ethernet b8:27:eb:56:2b:7c;
fixed-address garlic.binary.kitchen;
}
host homer {
hardware ethernet b8:27:eb:24:b2:12;
fixed-address homer.binary.kitchen;
}
host klopi {
hardware ethernet 74:da:38:6e:e6:9d;
fixed-address klopi.binary.kitchen;
}
host lock {
hardware ethernet b8:27:eb:d8:b9:ad;
fixed-address lock.binary.kitchen;
}
host maccaroni {
hardware ethernet b8:27:eb:18:5c:11;
fixed-address maccaroni.binary.kitchen;
}
host matrix {
hardware ethernet b8:27:eb:ed:22:58;
fixed-address matrix.binary.kitchen;
}
host mirror {
hardware ethernet 74:da:38:7d:ed:84;
fixed-address mirror.binary.kitchen;
}
host mpcnc {
hardware ethernet b8:27:eb:0f:d3:8b;
fixed-address mpcnc.binary.kitchen;
}
host noodlehub {
hardware ethernet b8:27:eb:eb:e5:88;
fixed-address noodlehub.binary.kitchen;
}
host pizza {
hardware ethernet 52:54:00:17:02:21;
fixed-address pizza.binary.kitchen;
}
host punsch {
hardware ethernet 00:21:85:1b:7f:3d;
fixed-address punsch.binary.kitchen;
}
host spaghetti {
hardware ethernet b8:27:eb:e3:e9:f1;
fixed-address spaghetti.binary.kitchen;
}
host schweinshaxn {
hardware ethernet 52:54:00:17:02:24;
fixed-address schweinshaxn.binary.kitchen;
}
host strammermax {
hardware ethernet 08:00:37:B8:55:44;
fixed-address strammermax.binary.kitchen;
}
host obatzda {
hardware ethernet ec:9a:74:35:35:cf;
fixed-address obatzda.binary.kitchen;
}
# VoIP Phones
host voip01 {
hardware ethernet 00:1D:45:B6:99:2F;
option tftp-server-name "172.23.2.36";
}
host voip02 {
hardware ethernet 00:1D:A2:66:B8:3E;
option tftp-server-name "172.23.2.36";
}
host voip03 {
hardware ethernet 00:1E:BE:90:FB:DB;
option tftp-server-name "172.23.2.36";
}
host voip04 {
hardware ethernet 00:1E:BE:90:FF:06;
option tftp-server-name "172.23.2.36";
}
# OMAPI
omapi-port 7911;
omapi-key omapi_key;
key omapi_key {
algorithm hmac-md5;
secret {{ dhcp_omapi_key }};
}

View File

@ -5,21 +5,11 @@
name: name:
- pdns-server - pdns-server
- pdns-backend-sqlite3 - pdns-backend-sqlite3
- sqlite3
- name: Configure powerdns - name: Configure powerdns
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
notify: Restart powerdns notify: Restart powerdns
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/powerdns.sqlite3
creates: /var/lib/powerdns/powerdns.sqlite3
become: true
become_user: pdns
- name: Copy update policy script - name: Copy update policy script
copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
notify: Restart powerdns notify: Restart powerdns

View File

@ -1,4 +1,5 @@
local-address=0.0.0.0, :: local-address=0.0.0.0
local-ipv6=::
launch=gsqlite3 launch=gsqlite3
gsqlite3-dnssec gsqlite3-dnssec
gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3 gsqlite3-database=/var/lib/powerdns/powerdns.sqlite3
@ -10,4 +11,3 @@ allow-axfr-ips=127.0.0.1,::1{% if dns_axfr_ips is defined %},{{ dns_axfr_ips | j
{% endif %} {% endif %}
allow-dnsupdate-from=0.0.0.0/0,::/0 allow-dnsupdate-from=0.0.0.0/0,::/0
lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
security-poll-suffix=

View File

@ -5,6 +5,3 @@
with_items: with_items:
- pdns - pdns
- pdns-recursor - pdns-recursor
- name: Restart dnsdist
service: name=dnsdist state=restarted

View File

@ -3,11 +3,8 @@
- name: Install powerdns - name: Install powerdns
apt: apt:
name: name:
- dnsdist
- pdns-backend-sqlite3
- pdns-server - pdns-server
- pdns-recursor - pdns-recursor
- sqlite3
- name: Create zone directory - name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory file: path=/etc/powerdns/bind/ state=directory
@ -22,28 +19,8 @@
- bind/23.172.in-addr.arpa.zone - bind/23.172.in-addr.arpa.zone
- bind/binary.kitchen.zone - bind/binary.kitchen.zone
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/pdns.sqlite3
creates: /var/lib/powerdns/pdns.sqlite3
become: true
become_user: pdns
# TODO
# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
# TODO
# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the powerdns services - name: Start the powerdns services
service: name={{ item }} state=started enabled=yes service: name={{ item }} state=started enabled=yes
with_items: with_items:
- dnsdist
- pdns - pdns
- pdns-recursor - pdns-recursor

View File

@ -1,57 +1,52 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names $ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live $TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. ( @ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
2024100600; serial 2020051101; serial
1d; refresh 1d; refresh
2h; retry 2h; retry
4w; expire 4w; expire
1h; minimum time-to-live 1h; minimum time-to-live
) )
IN NS ns1.binary.kitchen. IN NS ns.binary.kitchen.
IN NS ns2.binary.kitchen.
; Loopback ; Loopback
1.0 IN PTR core.binary.kitchen. 1.0 IN PTR core.binary.kitchen.
2.0 IN PTR rt-w13b.binary.kitchen. 2.0 IN PTR erx-bk.binary.kitchen.
3.0 IN PTR erx-rz.binary.kitchen. 3.0 IN PTR erx-rz.binary.kitchen.
4.0 IN PTR rt-auweg.binary.kitchen. 4.0 IN PTR pf-bk.binary.kitchen.
5.0 IN PTR pf-rz.binary.kitchen.
; Management ; Management
1.1 IN PTR v2301.core.binary.kitchen. 1.1 IN PTR v2301.core.binary.kitchen.
11.1 IN PTR ups1.binary.kitchen. 11.1 IN PTR ups1.binary.kitchen.
21.1 IN PTR pdu1.binary.kitchen. 21.1 IN PTR pdu1.binary.kitchen.
22.1 IN PTR pdu2.binary.kitchen. 22.1 IN PTR pdu2.binary.kitchen.
23.1 IN PTR pdu3.binary.kitchen. 23.1 IN PTR pdu3.binary.kitchen.
31.1 IN PTR sw-butchery.binary.kitchen. 31.1 IN PTR sw01.binary.kitchen.
32.1 IN PTR sw-mini.binary.kitchen. 32.1 IN PTR sw02.binary.kitchen.
33.1 IN PTR sw-rack.binary.kitchen. 33.1 IN PTR sw03.binary.kitchen.
41.1 IN PTR ap01.binary.kitchen. 41.1 IN PTR ap01.binary.kitchen.
42.1 IN PTR ap02.binary.kitchen. 42.1 IN PTR ap02.binary.kitchen.
43.1 IN PTR ap03.binary.kitchen.
44.1 IN PTR ap04.binary.kitchen. 44.1 IN PTR ap04.binary.kitchen.
45.1 IN PTR ap05.binary.kitchen. 45.1 IN PTR ap05.binary.kitchen.
46.1 IN PTR ap06.binary.kitchen.
51.1 IN PTR modem.binary.kitchen. 51.1 IN PTR modem.binary.kitchen.
60.1 IN PTR wurst.binary.kitchen. 60.1 IN PTR wurst.binary.kitchen.
80.1 IN PTR wurst-bmc.binary.kitchen. 80.1 IN PTR wurst-bmc.binary.kitchen.
82.1 IN PTR bowle-bmc.binary.kitchen. 82.1 IN PTR bowle-bmc.binary.kitchen.
101.1 IN PTR nbe-w13b.binary.kitchen. 101.1 IN PTR nbe-w13b.binary.kitchen.
102.1 IN PTR nbe-tr8.binary.kitchen. 102.1 IN PTR nbe-tr8.binary.kitchen.
111.1 IN PTR rfp01.binary.kitchen.
112.1 IN PTR rfp02.binary.kitchen.
; Services ; Services
1.2 IN PTR v2302.core.binary.kitchen. 1.2 IN PTR v2302.core.binary.kitchen.
2.2 IN PTR ns.binary.kitchen.
3.2 IN PTR bacon.binary.kitchen. 3.2 IN PTR bacon.binary.kitchen.
4.2 IN PTR aveta.binary.kitchen. 4.2 IN PTR aveta.binary.kitchen.
5.2 IN PTR sulis.binary.kitchen. 5.2 IN PTR sulis.binary.kitchen.
6.2 IN PTR nabia.binary.kitchen. 6.2 IN PTR nabia.binary.kitchen.
7.2 IN PTR epona.binary.kitchen. 11.2 IN PTR homer.binary.kitchen.
12.2 IN PTR lock.binary.kitchen. 12.2 IN PTR lock.binary.kitchen.
13.2 IN PTR matrix.binary.kitchen. 13.2 IN PTR matrix.binary.kitchen.
33.2 IN PTR pizza.binary.kitchen. 33.2 IN PTR pizza.binary.kitchen.
34.2 IN PTR pancake.binary.kitchen.
35.2 IN PTR knoedel.binary.kitchen.
36.2 IN PTR schweinshaxn.binary.kitchen. 36.2 IN PTR schweinshaxn.binary.kitchen.
37.2 IN PTR bob.binary.kitchen. 44.2 IN PTR cashdesk.binary.kitchen.
38.2 IN PTR lasagne.binary.kitchen.
39.2 IN PTR tschunk.binary.kitchen.
62.2 IN PTR bowle.binary.kitchen. 62.2 IN PTR bowle.binary.kitchen.
91.2 IN PTR strammermax.binary.kitchen. 91.2 IN PTR strammermax.binary.kitchen.
92.2 IN PTR obatzda.binary.kitchen. 92.2 IN PTR obatzda.binary.kitchen.
@ -61,52 +56,32 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
240.3 IN PTR fusilli.binary.kitchen. 240.3 IN PTR fusilli.binary.kitchen.
241.3 IN PTR klopi.binary.kitchen. 241.3 IN PTR klopi.binary.kitchen.
242.3 IN PTR mpcnc.binary.kitchen. 242.3 IN PTR mpcnc.binary.kitchen.
243.3 IN PTR garlic.binary.kitchen.
244.3 IN PTR mirror.binary.kitchen. 244.3 IN PTR mirror.binary.kitchen.
245.3 IN PTR spaghetti.binary.kitchen. 245.3 IN PTR spaghetti.binary.kitchen.
246.3 IN PTR maccaroni.binary.kitchen. 246.3 IN PTR maccaroni.binary.kitchen.
247.3 IN PTR pve02-bmc.tmp.binary.kitchen.
248.3 IN PTR pve02.tmp.binary.kitchen.
249.3 IN PTR ffrgb.binary.kitchen.
250.3 IN PTR cannelloni.binary.kitchen. 250.3 IN PTR cannelloni.binary.kitchen.
251.3 IN PTR noodlehub.binary.kitchen. 251.3 IN PTR noodlehub.binary.kitchen.
; MQTT ; MQTT
1.4 IN PTR v2304.core.binary.kitchen. 1.4 IN PTR v2304.core.binary.kitchen.
6.4 IN PTR pizza.mqtt.binary.kitchen. 6.4 IN PTR pizza.mqtt.binary.kitchen.
7.4 IN PTR lasagne.mqtt.binary.kitchen.
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen. $GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
245.4 IN PTR logo1.mqtt.binary.kitchen.
246.4 IN PTR logo2.mqtt.binary.kitchen.
250.4 IN PTR moodlights1.mqtt.binary.kitchen.
251.4 IN PTR openhabgw1.mqtt.binary.kitchen.
252.4 IN PTR homematic-ccu2.mqtt.binary.kitchen.
; Management RZ ; Management RZ
1.9 IN PTR switch0.erx-rz.binary.kitchen. 1.9 IN PTR switch0.erx-rz.binary.kitchen.
61.9 IN PTR salat.binary.kitchen. 61.9 IN PTR salat.binary.kitchen.
81.9 IN PTR salat-bmc.binary.kitchen. 81.9 IN PTR salat-bmc.binary.kitchen.
; Services RZ ; Services RZ
23.8 IN PTR cernunnos.binary.kitchen.
; VPN RZ (ER-X) ; VPN RZ (ER-X)
1.10 IN PTR wg0.erx-rz.binary.kitchen. 1.10 IN PTR wg1.erx-rz.binary.kitchen.
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen. $GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
; Management Auweg ; VPN RZ (pf)
1.12 IN PTR v2312.rt-auweg.binary.kitchen. $GENERATE 2-254 $.11 IN PTR vpn-${0,3,d}-11.binary.kitchen.
31.12 IN PTR sw-auweg.binary.kitchen.
41.12 IN PTR ap11.binary.kitchen.
42.12 IN PTR ap12.binary.kitchen.
61.12 IN PTR weizen.binary.kitchen.
111.12 IN PTR rfp11.binary.kitchen.
; Services Auweg
1.13 IN PTR v2313.rt-auweg.binary.kitchen.
3.13 IN PTR aeron.binary.kitchen.
12.13 IN PTR lock-auweg.binary.kitchen.
; Clients Auweg
1.14 IN PTR v2314.rt-auweg.binary.kitchen.
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
; MQTT
1.15 IN PTR v2315.rt-auweg.binary.kitchen.
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
; Point-to-Point ; Point-to-Point
1.96 IN PTR v400.rt-w13b.binary.kitchen. 1.96 IN PTR v400.erx-bk.binary.kitchen.
2.96 IN PTR v400.core.binary.kitchen. 2.96 IN PTR v400.core.binary.kitchen.
1.97 IN PTR wg1.erx-rz.binary.kitchen. 1.97 IN PTR wg0.erx-rz.binary.kitchen.
2.97 IN PTR wg1.rt-w13b.binary.kitchen. 2.97 IN PTR wg0.erx-bk.binary.kitchen.
5.97 IN PTR wg2.erx-rz.binary.kitchen.
6.97 IN PTR wg2.rt-auweg.binary.kitchen.

View File

@ -1,80 +1,67 @@
$ORIGIN binary.kitchen ; base for unqualified names $ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live $TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. ( @ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
2024100600; serial 2020051101; serial
1d; refresh 1d; refresh
2h; retry 2h; retry
4w; expire 4w; expire
1h; minimum time-to-live 1h; minimum time-to-live
) )
IN NS ns1.binary.kitchen. IN NS ns.binary.kitchen.
IN NS ns2.binary.kitchen.
; Subdomains
users IN NS ns1.binary.kitchen.
users IN NS ns2.binary.kitchen.
; External ; External
IN A 213.166.246.4 IN A 213.166.246.4
www IN A 213.166.246.4 www IN A 213.166.246.4
; Aliases ; Aliases
3dprinter IN A 172.23.3.251 3dprinter IN A 172.23.3.251
icinga IN A 172.23.2.6
ldap IN A 172.23.2.3 ldap IN A 172.23.2.3
ldap IN A 172.23.2.4 ldap IN A 172.23.2.4
ldap IN A 213.166.246.2 ldap IN A 213.166.246.2
ldap1 IN A 172.23.2.3 ldap1 IN A 172.23.2.3
ldap2 IN A 172.23.2.4 ldap2 IN A 172.23.2.4
ldap3 IN A 172.23.13.3
ldapm IN A 213.166.246.2 ldapm IN A 213.166.246.2
librenms IN A 172.23.2.6 librenms IN A 172.23.2.6
netbox IN A 172.23.2.7 racktables IN A 172.23.2.6
ns1 IN A 172.23.2.3
ns2 IN A 172.23.2.4
omm IN A 172.23.2.35
radius IN A 172.23.2.3 radius IN A 172.23.2.3
radius IN A 172.23.2.4 radius IN A 172.23.2.4
; Loopback ; Loopback
core IN A 172.23.0.1 core IN A 172.23.0.1
rt-w13b IN A 172.23.0.2 erx-bk IN A 172.23.0.2
erx-rz IN A 172.23.0.3 erx-rz IN A 172.23.0.3
rt-auweg IN A 172.23.0.4 pf-bk IN A 172.23.0.4
pf-rz IN A 172.23.0.5
; Management ; Management
v2301.core IN A 172.23.1.1 v2301.core IN A 172.23.1.1
ups1 IN A 172.23.1.11 ups1 IN A 172.23.1.11
pdu1 IN A 172.23.1.21 pdu1 IN A 172.23.1.21
pdu2 IN A 172.23.1.22 pdu2 IN A 172.23.1.22
pdu3 IN A 172.23.1.23 pdu3 IN A 172.23.1.23
sw-butchery IN A 172.23.1.31 sw01 IN A 172.23.1.31
sw-mini IN A 172.23.1.32 sw02 IN A 172.23.1.32
sw-rack IN A 172.23.1.33 sw03 IN A 172.23.1.33
ap01 IN A 172.23.1.41 ap01 IN A 172.23.1.41
ap02 IN A 172.23.1.42 ap02 IN A 172.23.1.42
ap03 IN A 172.23.1.43
ap04 IN A 172.23.1.44 ap04 IN A 172.23.1.44
ap05 IN A 172.23.1.45 ap05 IN A 172.23.1.45
ap06 IN A 172.23.1.46
modem IN A 172.23.1.51 modem IN A 172.23.1.51
wurst IN A 172.23.1.60 wurst IN A 172.23.1.60
wurst-bmc IN A 172.23.1.80 wurst-bmc IN A 172.23.1.80
bowle-bmc IN A 172.23.1.82 bowle-bmc IN A 172.23.1.82
nbe-w13b IN A 172.23.1.101 nbe-w13b IN A 172.23.1.101
nbe-tr8 IN A 172.23.1.102 nbe-tr8 IN A 172.23.1.102
rfp01 IN A 172.23.1.111
rfp02 IN A 172.23.1.112
; Services ; Services
v2302.core IN A 172.23.2.1 v2302.core IN A 172.23.2.1
ns IN A 172.23.2.2
bacon IN A 172.23.2.3 bacon IN A 172.23.2.3
aveta IN A 172.23.2.4 aveta IN A 172.23.2.4
sulis IN A 172.23.2.5 sulis IN A 172.23.2.5
nabia IN A 172.23.2.6 nabia IN A 172.23.2.6
epona IN A 172.23.2.7 homer IN A 172.23.2.11
lock IN A 172.23.2.12 lock IN A 172.23.2.12
matrix IN A 172.23.2.13 matrix IN A 172.23.2.13
pizza IN A 172.23.2.33 pizza IN A 172.23.2.33
pancake IN A 172.23.2.34
knoedel IN A 172.23.2.35
schweinshaxn IN A 172.23.2.36 schweinshaxn IN A 172.23.2.36
bob IN A 172.23.2.37 cashdesk IN A 172.23.2.44
lasagne IN A 172.23.2.38
tschunk IN A 172.23.2.39
bowle IN A 172.23.2.62 bowle IN A 172.23.2.62
strammermax IN A 172.23.2.91 strammermax IN A 172.23.2.91
obatzda IN A 172.23.2.92 obatzda IN A 172.23.2.92
@ -84,52 +71,32 @@ $GENERATE 10-230 dhcp-${0,3,d}-03 IN A 172.23.3.$
fusilli IN A 172.23.3.240 fusilli IN A 172.23.3.240
klopi IN A 172.23.3.241 klopi IN A 172.23.3.241
mpcnc IN A 172.23.3.242 mpcnc IN A 172.23.3.242
garlic IN A 172.23.3.243
mirror IN A 172.23.3.244 mirror IN A 172.23.3.244
spaghetti IN A 172.23.3.245 spaghetti IN A 172.23.3.245
maccaroni IN A 172.23.3.246 maccaroni IN A 172.23.3.246
pve02-bmc.tmp IN A 172.23.3.247
pve02.tmp IN A 172.23.3.248
ffrgb IN A 172.23.3.249
cannelloni IN A 172.23.3.250 cannelloni IN A 172.23.3.250
noodlehub IN A 172.23.3.251 noodlehub IN A 172.23.3.251
; MQTT ; MQTT
v2304.core IN A 172.23.4.1 v2304.core IN A 172.23.4.1
pizza.mqtt IN A 172.23.4.6 pizza.mqtt IN A 172.23.4.6
lasagne.mqtt IN A 172.23.4.7
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$ $GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
habdisplay1.mqtt IN A 172.23.4.241
habdisplay2.mqtt IN A 172.23.4.242
logo1.mqtt IN A 172.23.4.245
logo2.mqtt IN A 172.23.4.246
moodlights1.mqtt IN A 172.23.4.250
openhabgw1.mqtt IN A 172.23.4.251
homematic-ccu2.mqtt IN A 172.23.4.252
; Management RZ ; Management RZ
switch0.erx-rz IN A 172.23.9.1 switch0.erx-rz IN A 172.23.9.1
salat IN A 172.23.9.61 salat IN A 172.23.9.61
salat-bmc IN A 172.23.9.81 salat-bmc IN A 172.23.9.81
; Services RZ ; Services RZ
; Management Auweg cernunnos IN A 172.23.8.23
v2312.rt-auweg IN A 172.23.12.1
sw-auweg IN A 172.23.12.31
ap11 IN A 172.23.12.41
ap12 IN A 172.23.12.42
weizen IN A 172.23.12.61
rfp11 IN A 172.23.12.111
; Services Auweg
v2313.rt-auweg IN A 172.23.13.1
aeron IN A 172.23.13.3
lock-auweg IN A 172.23.13.12
; Clients Auweg
v2314.rt-auweg IN A 172.23.14.1
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
; MQTT Auweg
v2315.rt-auweg IN A 172.23.15.1
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
; VPN RZ (ER-X) ; VPN RZ (ER-X)
wg0.erx-rz IN A 172.23.10.1 wg1.erx-rz IN A 172.23.10.1
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$ $GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
; VPN RZ (pf)
$GENERATE 2-254 vpn-${0,3,d}-11 IN A 172.23.11.$
; Point-to-Point ; Point-to-Point
v400.rt-w13b IN A 172.23.96.1 v400.erx-bk IN A 172.23.96.1
v400.core IN A 172.23.96.2 v400.core IN A 172.23.96.2
wg1.erx-rz IN A 172.23.97.1 wg0.erx-rz IN A 172.23.97.1
wg1.rt-w13b IN A 172.23.97.2 wg0.erx-bk IN A 172.23.97.2
wg2.erx-rz IN A 172.23.97.5
wg2.rt-auweg IN A 172.23.97.6

View File

@ -1,27 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')
-- define downstream servers/pools
newServer({address='127.0.0.1:5300', pool='authdns'})
newServer({address='127.0.0.1:5353', pool='resolve'})
{% if dns_secondary is defined %}
-- allow AXFR/IXFR only from slaves
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
{% endif %}
-- allow NOTIFY only from master
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
-- use resolver for anything else
addAction(AllRule(), PoolAction('resolve'))
-- disable security status polling via DNS
setSecurityPollSuffix('')

View File

@ -1,90 +1,46 @@
# {{ ansible_managed }} # {{ ansible_managed }}
{% if ansible_default_ipv4.address == dns_primary %}
################################# #################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # launch Which backends to launch and order to query them in
#
# allow-dnsupdate-from=127.0.0.0/8,::1
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
#################################
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# dnsupdate=no
dnsupdate=yes
{% endif %}
#################################
# launch Which backends to launch and order to query them in
# #
# launch= # launch=
launch=bind,gsqlite3 launch=bind
################################# #################################
# local-address Local IP addresses to which we bind # local-address Local IP addresses to which we bind
# #
# local-address=0.0.0.0 # local-address=0.0.0.0
local-address=127.0.0.1 local-address=127.0.0.1
################################# #################################
# local-port The port on which we listen # local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
# #
# local-port=53 # local-port=53
local-port=5300 local-port=5300
{% if ansible_default_ipv4.address == dns_primary %}
################################# #################################
# master Act as a master # security-poll-suffix Domain name from which to query security update notifications
#
# master=no
master=yes
{% if dns_secondary is defined %}
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
only-notify={{ dns_secondary }}
{% endif %}
{% endif %}
#################################
# security-poll-suffix Domain name from which to query security update notifications
# #
# security-poll-suffix=secpoll.powerdns.com. # security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix= security-poll-suffix=
################################# #################################
# setgid If set, change group id to this gid for more security # setgid If set, change group id to this gid for more security
# #
setgid=pdns setgid=pdns
################################# #################################
# setuid If set, change user id to this uid for more security # setuid If set, change user id to this uid for more security
# #
setuid=pdns setuid=pdns
{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
################################# #################################
# slave Act as a slave # bind-config Location of the Bind configuration file to parse.
#
# slave=no
slave=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
trusted-notification-proxy=127.0.0.1,::1
{% endif %}
#################################
# bind-config Location of named.conf
# #
bind-config=/etc/powerdns/bindbackend.conf bind-config=/etc/powerdns/bindbackend.conf
#################################
# gsqlite3-database Filename of the SQLite3 database
#
# gsqlite3-database=
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3

View File

@ -1,55 +1,61 @@
# {{ ansible_managed }} # {{ ansible_managed }}
################################# #################################
# allow-from If set, only allow these comma separated netmasks to recurse # allow-from If set, only allow these comma separated netmasks to recurse
# #
# allow-from=127.0.0.0/8 #allow-from=127.0.0.0/8
################################# #################################
# config-dir Location of configuration directory (recursor.conf) # config-dir Location of configuration directory (recursor.conf)
# #
config-dir=/etc/powerdns config-dir=/etc/powerdns
################################# #################################
# dnssec DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate # dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
# #
# dnssec=process # dnssec=process-no-validate
dnssec=off dnssec=off
################################# #################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports. # forward-zones Zones for which we forward queries, comma separated domain=ip pairs
# #
local-address=127.0.0.1 # forward-zones=
forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
################################# #################################
# local-port port to listen on # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
# #
local-port=5353 local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
################################# #################################
# query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES # local-port port to listen on
#
local-port=53
#################################
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
# #
{% if global_ipv6 is defined %} {% if global_ipv6 is defined %}
query-local-address6={{ global_ipv6 | ipaddr('address') }} query-local-address6={{ global_ipv6 | ipaddr('address') }}
{% endif %} {% endif %}
################################# #################################
# quiet Suppress logging of questions and answers # quiet Suppress logging of questions and answers
# #
quiet=yes quiet=yes
################################# #################################
# security-poll-suffix Domain name from which to query security update notifications # security-poll-suffix Domain name from which to query security update notifications
# #
# security-poll-suffix=secpoll.powerdns.com. # security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix= security-poll-suffix=
################################# #################################
# setgid If set, change group id to this gid for more security # setgid If set, change group id to this gid for more security
# #
setgid=pdns setgid=pdns
################################# #################################
# setuid If set, change user id to this uid for more security # setuid If set, change user id to this uid for more security
# #
setuid=pdns setuid=pdns

View File

@ -1,10 +1,17 @@
--- ---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian buster stable'
filename: docker
- name: Install docker - name: Install docker
apt: apt:
name: name:
- docker.io - docker-ce
- python3-docker - docker-ce-cli
- containerd.io
- name: Enable docker - python-docker
service: name=docker state=started enabled=yes

View File

@ -1,7 +0,0 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart nginx
service: name=nginx state=restarted

View File

@ -1,20 +0,0 @@
---
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
-days 730 -subj "/CN={{ doorlock_domain }}"
creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ doorlock_domain }}"
- name: Configure certificate manager for doorlock
template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
notify: Run acertmgr

View File

@ -1,18 +0,0 @@
---
{{ doorlock_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

View File

@ -0,0 +1,14 @@
[Unit]
Description=drone.io server
After=network-online.target
[Service]
Type=simple
User=drone
EnvironmentFile=/etc/default/drone
ExecStart=/opt/drone/bin/drone-server
Restart=always
RestartSec=5s
[Install]
WantedBy=multi-user.target

View File

@ -3,11 +3,11 @@
- name: Reload systemd - name: Reload systemd
systemd: daemon_reload=yes systemd: daemon_reload=yes
- name: Restart 23b - name: Run acertmgr
service: name=23b state=restarted command: /usr/bin/acertmgr
- name: Restart drone
service: name=drone state=restarted
- name: Restart nginx - name: Restart nginx
service: name=nginx state=restarted service: name=nginx state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

View File

@ -0,0 +1,52 @@
---
- name: Create user
user: name=drone
# TODO install drone to /opt/drone/bin
# currently it is manually compiled
- name: Configure drone
template: src=drone.j2 dest=/etc/default/drone
notify: Restart drone
- name: Install PostgreSQL
apt:
name:
- postgresql
- python-psycopg2
- name: Configure PostgreSQL database
postgresql_db: name={{ drone_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for drone
template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
notify: Restart nginx
- name: Install systemd unit
copy: src=drone.service dest=/lib/systemd/system/drone.service
notify:
- Reload systemd
- Restart drone
- name: Enable drone
service: name=drone enabled=yes

View File

@ -1,13 +1,13 @@
--- ---
{{ bk23b_domain }}: {{ drone_domain }}:
- path: /etc/nginx/ssl/{{ bk23b_domain }}.key - path: /etc/nginx/ssl/{{ drone_domain }}.key
user: root user: root
group: root group: root
perm: '400' perm: '400'
format: key format: key
action: '/usr/sbin/service nginx restart' action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt - path: /etc/nginx/ssl/{{ drone_domain }}.crt
user: root user: root
group: root group: root
perm: '400' perm: '400'

View File

@ -0,0 +1,10 @@
DRONE_AGENTS_ENABLED=true
DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
DRONE_DATABASE_DRIVER=postgres
DRONE_GITEA_SERVER=https://{{ gitea_domain }}
DRONE_GITEA_CLIENT_ID={{ drone_gitea_client }}
DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_secret }}
DRONE_RPC_SECRET={{ drone_secret }}
DRONE_SERVER_HOST={{ drone_domain }}
DRONE_SERVER_PROTO=https
DRONE_USER_CREATE=username:{{ drone_admin }},admin:true

View File

@ -0,0 +1,31 @@
server {
listen 80;
listen [::]:80;
server_name {{ drone_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ drone_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ drone_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
location / {
client_max_body_size 128M;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8080;
}
}

View File

@ -0,0 +1,20 @@
---
- name: Run runner container
docker_container:
name: runner
image: drone/drone-runner-docker:1
env:
DRONE_RPC_PROTO: "https"
DRONE_RPC_HOST: "{{ drone_domain }}"
DRONE_RPC_SECRET: "{{ drone_secret }}"
DRONE_RUNNER_CAPACITY: "2"
DRONE_RUNNER_NAME: "{{ ansible_fqdn }}"
DRONE_UI_USERNAME: "admin"
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
ports:
- "3000:3000"
restart_policy: unless-stopped
state: started
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"

View File

@ -1,15 +0,0 @@
---
eh21.easterhegg.eu engel.eh21.easterhegg.eu:
- path: /etc/nginx/ssl/eh21.easterhegg.eu.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/eh21.easterhegg.eu.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'

View File

@ -1,68 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/eh21;
}
server {
listen 80;
listen [::]:80;
server_name engel.eh21.easterhegg.eu;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://engel.eh21.easterhegg.eu$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name engel.eh21.easterhegg.eu;
ssl_certificate_key /etc/nginx/ssl/eh21.easterhegg.eu.key;
ssl_certificate /etc/nginx/ssl/eh21.easterhegg.eu.crt;
root /var/www/engel/public;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}

View File

@ -1,5 +0,0 @@
---
dependencies:
- { role: acertmgr }
- { role: nginx, nginx_ssl: True }

Some files were not shown because too many files have changed in this diff Show More